Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| IP Tag Messages | Base Rule | Information | General Profile Detection |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSetting | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSRule | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
| PanOSTagName | <subject> | Text/String | The tag mapped to the source IP address. |
| PanOSEventID | <action> | Text/String | Identifies the event. |
| cnt | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| PanOSMappingTimeout | N/A | N/A | Time interval before the IP-to-tag mapping expires for the source IP address. |
| PanOSMappingDataSource | <object> | Text/String | Name of the source from which the mapping information was collected. |
| PanOSMappingDataSourceType | <objecttype> | Text/String | Source from which mapping information is collected. |
| PanOSMappingDataSourceSubType | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cn2Label | N/A | N/A | N/A |
| PanOSIPSubnetRange | N/A | N/A | IP subnet range. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
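As an added example (not LogRhythm's or Palo Alto Networks' code), the Python below parses a CEF-formatted IP-Tag line and applies the mapping in the table above: the LogType and deviceSeverity header positions become <vmid> and <severity>, the eight extension keys with a schema entry become their LogRhythm fields (coerced per the Data Type column, with IP fields validated), and every other key is kept separately as unmapped. The sample log line and all of its values are constructed for illustration, and the microsecond epoch conversion for rt/start is a helper written here, not a LogRhythm function.

```python
"""Map a CEF-formatted Palo Alto Networks IP-Tag log onto the LogRhythm schema
fields listed in the mapping table.

Added example, not LogRhythm or Palo Alto Networks code. SAMPLE_LOG is a
constructed line used to exercise the parser; it is not captured device output.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# CEF header positions after "CEF:0", named as in the Schema Description column.
HEADER_FIELDS = ("deviceVendor", "deviceProduct", "Version",
                 "LogType", "SubType", "deviceSeverity")

# Header fields the table maps onto LogRhythm schema fields.
HEADER_TO_SCHEMA = {"LogType": "vmid", "deviceSeverity": "severity"}

# Extension keys the table maps onto LogRhythm schema fields (all others are N/A).
EXTENSION_TO_SCHEMA = {
    "deviceExternalId": "serialnumber",
    "src": "sip",
    "dst": "dip",
    "PanOSTagName": "subject",
    "PanOSEventID": "action",
    "cnt": "quantity",
    "PanOSMappingDataSource": "object",
    "PanOSMappingDataSourceType": "objecttype",
}

# Constructed sample line: hypothetical values, key names taken from the table.
SAMPLE_LOG = (
    "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|1|"
    "ProfileToken=abc123 dtz=UTC rt=1609459200000000 deviceExternalId=001901000001 "
    "PanOSLogSource=firewall src=10.1.2.3 dst=0.0.0.0 PanOSTagName=quarantine "
    "PanOSEventID=register cnt=1 PanOSMappingTimeout=3600 "
    "PanOSMappingDataSource=panorama PanOSMappingDataSourceType=xml-api "
    "externalId=12345 dvchost=PA-VM cn2=1 cn2Label=Virtual System "
    "PanOSVirtualSystemName=vsys1"
)

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # split only on unescaped '|'
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value; value may contain spaces


def _unescape(value):
    """Undo the CEF escapes for '|', '=' and '\\'."""
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Split a CEF:0 line into a header dict and an extension dict."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 log line")
    header = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[1:7])}
    extension = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    return header, extension


def epoch_us_to_iso(value):
    """Convert the microseconds-since-epoch string used by rt/start to ISO 8601 UTC."""
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def map_iptag_log(line):
    """Return (mapped, unmapped): LogRhythm schema fields and leftover extension keys."""
    header, ext = parse_cef(line)
    mapped = {schema: header[hdr] for hdr, schema in HEADER_TO_SCHEMA.items()}
    mapped["severity"] = int(mapped["severity"])        # Data Type: Number
    unmapped = {}
    for key, value in ext.items():
        schema = EXTENSION_TO_SCHEMA.get(key)
        if schema is None:
            unmapped[key] = value
        elif schema in ("sip", "dip"):
            # Data Type: IP Address. Reject garbage instead of storing it as an IP.
            mapped[schema] = str(ipaddress.ip_address(value))
        elif schema == "quantity":
            mapped[schema] = int(value)                  # Data Type: Number
        else:
            mapped[schema] = value
    return mapped, unmapped


if __name__ == "__main__":
    fields, rest = map_iptag_log(SAMPLE_LOG)
    for name, value in fields.items():
        print(f"{name:>13}: {value}")
    print("received (rt):", epoch_us_to_iso(rest["rt"]))
    print("unmapped keys:", sorted(rest))
```

The lazy `key=value` pattern with a lookahead for the next `key=` is what lets a value such as `cn2Label=Virtual System` survive intact; splitting the extension on whitespace would silently truncate it. Keeping unmapped keys rather than dropping them preserves fields like PanOSMappingTimeout and rt for later enrichment.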