Host Profile Messages

Vendor Documentation

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-hip-match-log/network-hip-match-cef-fields.html

Classification

Rule Name	Rule Type	Classification	Common Event
Host Profile Messages	Base Rule	Information	General Profile Detection

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
N/A	N/A	N/A	deviceVendor
N/A	N/A	N/A	deviceProduct
N/A	N/A	N/A	Version
N/A	<vmid>	Text/String	LogType
N/A	N/A	N/A	SubType
N/A	<severity>	Number	deviceSeverity
ProfileToken	N/A	N/A	N/A
dtz	N/A	N/A	N/A
rt	N/A	N/A	Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
deviceExternalId	<serialnumber>	Text/String/Number	ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
PanOSIsDuplicateLog	N/A	N/A	Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSIsPrismaNetworks	N/A	N/A	Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsers	N/A	N/A	Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSLogExported	N/A	N/A	Indicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwarded	N/A	N/A	Internal-use field that indicates if the log is being forwarded.
PanOSLogSource	N/A	N/A	Identifies the origin of the data. That is, the system that produced the data.
PanOSLogSourceTimeZoneOffset	N/A	N/A	Time Zone offset from GMT of the source of the log.
PanOSSourceDeviceClass	N/A	N/A	Source device class.
PanOSSourceDeviceOS	N/A	N/A	Source device OS type.
sntdom	<domainorigin>	Text/String	Domain to which the Source User belongs.
dntdom	<domainimpacted>	Text/String	Domain to which the Destination User belongs.
suser	<login>	Text/String	The Source User. That is, the username that initiated the network traffic.
duser	<account>	Text/String	The Destination User. That is, the username that initiated the network traffic.
suid	N/A	N/A	Unique identifier assigned to the Source User.
duid	N/A	N/A	Unique identifier assigned to the Source User.
PanOSTenantID	N/A	N/A	The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSUUID	N/A	N/A	UUID.
PanOSConfigVersion	N/A	N/A	Version number of the firewall operating system that wrote this log record.
start	N/A	N/A	Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSSourceUser	N/A	N/A	The username that initiated the network traffic.
cs3	N/A	N/A	String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
cs3Label	N/A	N/A	N/A
shost	<sname>	Text/String	Name of the user’s machine.
dhost	<dname>	Text/String	N/A
cs2	N/A	N/A	The operating system installed on the user’s machine or device (or on the client system).
cs2Label	N/A	N/A	N/A
src	<sip>	IP Address	Original source IP address.
dst	<dip>	IP Address	N/A
cat	<object>	Text/String	Name of the HIP object or profile.
cnt	<quantity>	Number	Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
PanOSHipMatchType	<objecttype>	Text/String	Identifies whether the hip field represents a HIP object or a HIP profile.
externalId	N/A	N/A	The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSDGHierarchyLevel1	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemName	N/A	N/A	The name of the virtual system associated with the network traffic.
dvchost	N/A	N/A	Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
cn2	N/A	N/A	A unique identifier for a virtual system on a Palo Alto Networks firewall.
cn2Label	N/A	N/A	N/A
c6a1	N/A	N/A	Source from which mapping information is collected.
c6a1Label	N/A	N/A	N/A
PanOSHostID	N/A	N/A	Unique identifier GlobalProtect has assigned to the host.
PanOSEndpointSerialNumber	N/A	N/A	Serial number of the host on which GlobalProtect is installed.
PanOSSourceDeviceCategory	N/A	N/A	Category of the device from which the session originated.
PanOSSourceDeviceProfile	N/A	N/A	Profile of the device from which the session originated.
PanOSSourceDeviceModel	N/A	N/A	Model of the device from which the session originated.
PanOSSourceDeviceVendor	N/A	N/A	Vendor of the device from which the session originated.
PanOSSourceDeviceOSFamily	N/A	N/A	OS family of the device from which the session originated.
PanOSSourceDeviceOSVersion	N/A	N/A	OS version of the device from which the session originated.
PanOSSourceDeviceMac	<smac>	Text/String	MAC Address of the device from which the session originated.
PanOSSourceDeviceHost	N/A	N/A	Hostname of the device from which the session originated.
PanOSSource	N/A	N/A	Source.
PanOSTimestampDeviceIdentification	N/A	N/A	Time the device was identified in format YYYY-MM-DDTHH.
PanOSTimeGeneratedHighResolution	N/A	N/A	Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH.