IP Tag Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| IP Tag Messages | Base Rule | Information | General Profile Detection |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSCortexDataLakeTenantlD | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSetting | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSRule | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original source IP address. |
| PanOSTagName | <subject> | Text/String | The tag mapped to the source IP address. |
| PanOSEventID | <action> | Text/String | Identifies the event. |
| cnt | <quantity> | Number | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| PanOSMappingTimeout | N/A | N/A | Time interval before the IP-to-tag mapping expires for the source IP address. |
| PanOSMappingDataSource | <object> | Text/String | Name of the source from which the mapping information was collected. |
| PanOSMappingDataSourceType | <objecttype> | Text/String | Source from which mapping information is collected. |
| PanOSMappingDataSourceSubType | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cn2Label | N/A | N/A | N/A |
| PanOSIPSubnetRange | N/A | N/A | IP subnet range. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |