Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| GlobalProtect Status Messages | Base Rule | Other Audit | General Authentication Event |
| Remote Authentication Failure | Sub Rule | Authentication Failure | User Logon Failure |
| Remote Authentication Success | Sub Rule | Authentication Success | User Logon |
| Remote Session Logoff | Sub Rule | Authentication Success | User Logoff |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSDeviceSN | N/A | N/A | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSVirtualSystem | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSEventIDValue | N/A | N/A | The name of the event. |
| PanOSStage | <status> | Text/String | Name of the stage in the GlobalProtect connection workflow. |
| PanOSAuthMethod | N/A | N/A | Authentication method used for the GlobalProtect connection. |
| PanOSTunnelType | N/A | N/A | Tunnel type, i.e. SSL or VPN. |
| PanOSSourceUserName | <login> | Text/String | The username that connected. |
| PanOSSourceRegion | N/A | N/A | Region of the Gateway (or User) that connected. |
| PanOSEndpointDeviceName | <sname> | Text/String | Name of the device that the user used for the connection. |
| PanOSPublicIPv4 | <sip> | IP Address | Public IP address (v4) of the user that connected. |
| PanOSPublicIPv6 | <sip> | IP Address | Public IP address (v6) of the user that connected. |
| PanOSPrivateIPv4 | <snatip> | IP Address | Private IP address (v4) of the user that connected. |
| PanOSPrivateIPv6 | <snatip> | IP Address | Private IP address (v6) of the user that connected. |
| PanOSHostID | N/A | N/A | Unique identifier GlobalProtect has assigned to the host. |
| PanOSEndpointSN | N/A | N/A | ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed. |
| PanOSGlobalProtectClientVersion | <version> | Text/String | GlobalProtect client version number. |
| PanOSEndpointOSType | N/A | N/A | OS type of the endpoint on which the GlobalProtect client is deployed. |
| PanOSEndpointOSVersion | N/A | N/A | OS version of the endpoint on which the GlobalProtect client is deployed. |
| PanOSRepeatCount | N/A | N/A | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| PanOSQuarantineReason | <reason> | Text/String | Quarantine reason. |
| PanOSConnectionError | N/A | N/A | Error information for an unsuccessful connection. |
| PanOSDescription | <vendorinfo> | Text/String | Additional information regarding the event. |
| PanOSEventStatus | <result> | Text/String | The status (success or failure) of the event. |
| PanOSGlobalProtectGatewayLocation | N/A | N/A | Location of the GlobalProtect Gateway. |
| PanOSLoginDuration | <seconds> | Number | Duration for which the connected user was logged on. |
| PanOSConnectionMethod | N/A | N/A | Identifies how the GlobalProtect app connected to the Gateway. For example, on-demand or user-logon. |
| PanOSConnectionErrorID | N/A | N/A | Enumeration integer assigned to the connection_error field value. |
| PanOSPortal | N/A | N/A | GlobalProtect Portal or Gateway that the user connected to. |
| PanOSSequenceNo | <serialnumber> | Number | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH |
| PanOSGatewaySelectionType | N/A | N/A | Gateway selection method, i.e. automatic, preferred or manual. |
| PanOSSSLResponseTime | N/A | N/A | SSL response time in milliseconds. |
| PanOSGatewayPriority | N/A | N/A | Priority of the gateway, retrieved from the portal configuration. |
| PanOSAttemptedGateways | N/A | N/A | String of all gateways that were available and attempted for the client location. Contains gateway name, SSL response time, and priority, separated by a semicolon. |
| PanOSGateway | N/A | N/A | Selected Gateway for the connection. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| PanOSDeviceName | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| sntdom | <domainorigin> | Text/String | Domain to which the Source User belongs. |
| suser/susername | <login> | Text/String | The Source User. That is, the username that initiated the network traffic. |
| suid, duid | N/A | N/A | Unique identifier assigned to the Source User. |
| dntdom | <domainimpacted> | Text/String | Domain to which the Destination User belongs. |
| dusername | <account> | Text/String | The Destination User. That is, the username to which the network traffic was destined. |
| shost | <sname> | Text/String | Name of the device that the user used for the connection. |
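As an added example (not LogRhythm's or Palo Alto Networks' code), the following parser applies the mapping table above to one constructed GlobalProtect status message: it splits the key=value extension, keeps only the device keys the table maps to a LogRhythm schema field, converts the `rt` microsecond timestamp, and picks the Sub Rule from the Classification table. The CEF header layout, the sample log line, and the rule-selection logic (keyed on `result`, with stage `logout` treated as a logoff) are assumptions, since the page does not state them.

```python
import re
from datetime import datetime, timezone

# Device key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table marks N/A are not mapped and are dropped from the normalized record.
KEY_TO_SCHEMA = {
    "PanOSStage": "status", "PanOSSourceUserName": "login", "suser": "login",
    "susername": "login", "PanOSEndpointDeviceName": "sname", "shost": "sname",
    "PanOSPublicIPv4": "sip", "PanOSPublicIPv6": "sip", "PanOSPrivateIPv4": "snatip",
    "PanOSPrivateIPv6": "snatip", "PanOSGlobalProtectClientVersion": "version",
    "PanOSQuarantineReason": "reason", "PanOSDescription": "vendorinfo",
    "PanOSEventStatus": "result", "PanOSLoginDuration": "seconds",
    "PanOSSequenceNo": "serialnumber", "sntdom": "domainorigin",
    "dntdom": "domainimpacted", "dusername": "account",
}
NUMERIC = {"seconds", "serialnumber"}  # fields the table types as Number

# Constructed sample, not a real firewall log: a standard CEF header followed by
# extension keys from the table. rt is microseconds since the Unix epoch.
SAMPLE = ("CEF:0|Palo Alto Networks|Cortex Data Lake|2.0|GLOBALPROTECT|gateway-auth|3|"
          "rt=1700000000123456 PanOSDeviceSN=EXAMPLE-SN PanOSStage=login "
          "PanOSEventStatus=failure PanOSSourceUserName=jdoe sntdom=corp "
          "shost=LAPTOP 42 PanOSPublicIPv4=203.0.113.10 PanOSLoginDuration=0 "
          "PanOSSequenceNo=7001 PanOSDescription=Invalid username or password")

def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus key=value extensions.
    A new extension key starts only at ' key=', so values may contain spaces."""
    parts = line.split("|", 7)
    rec = dict(zip(["cef", "deviceVendor", "deviceProduct", "deviceVersion",
                    "signatureId", "name", "deviceSeverity"], parts[:7]))
    for piece in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]):
        key, value = piece.split("=", 1)
        rec[key] = value
    return rec

def normalize(raw: dict) -> dict:
    """Rename mapped device keys to schema fields, apply the table's data types,
    and render rt (microseconds since epoch) as an ISO 8601 UTC timestamp."""
    out = {k: raw[k] for k in ("deviceVendor", "deviceProduct")}
    out["deviceSeverity"] = int(raw["deviceSeverity"])
    for key, value in raw.items():
        field = KEY_TO_SCHEMA.get(key)
        if field:
            out[field] = int(value) if field in NUMERIC else value
    if "rt" in raw:
        us = int(raw["rt"])
        out["received_utc"] = datetime.fromtimestamp(us // 10**6, tz=timezone.utc) \
            .replace(microsecond=us % 10**6).isoformat()
    return out

def classify(rec: dict) -> str:
    """Sub Rule selection modelled on the Classification table (assumed logic)."""
    if rec.get("result") == "failure":
        return "Remote Authentication Failure"
    if rec.get("result") == "success":
        return "Remote Session Logoff" if rec.get("status") == "logout" \
            else "Remote Authentication Success"
    return "GlobalProtect Status Messages"  # base rule when no result is present
```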