IP Tag Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
IP Tag Messages | Base Rule | Information | General Profile Detection |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | deviceVendor |
N/A | N/A | N/A | deviceProduct |
N/A | N/A | N/A | Version |
N/A | <vmid> | Text/String | LogType |
N/A | N/A | N/A | SubType |
N/A | <severity> | Number | deviceSeverity |
ProfileToken | N/A | N/A | N/A |
dtz | N/A | N/A | N/A |
rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
PanOSCortexDataLakeTenantlD | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
PanOSLogSetting | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
PanOSRule | N/A | N/A | Name of the security policy rule that the network traffic matched. |
PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
cs3Label | N/A | N/A | N/A |
src | <sip> | IP Address | Original source IP address. |
dst | <dip> | IP Address | Original source IP address. |
PanOSTagName | <subject> | Text/String | The tag mapped to the source IP address. |
PanOSEventID | <action> | Text/String | Identifies the event. |
cnt | <quantity> | Number | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
PanOSMappingTimeout | N/A | N/A | Time interval before the IP-to-tag mapping expires for the source IP address. |
PanOSMappingDataSource | <object> | Text/String | Name of the source from which the mapping information was collected. |
PanOSMappingDataSourceType | <objecttype> | Text/String | Source from which mapping information is collected. |
PanOSMappingDataSourceSubType | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
cn2Label | N/A | N/A | N/A |
PanOSIPSubnetRange | N/A | N/A | IP subnet range. |
PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |