User ID Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| User ID Messages | Base Rule | Other Audit | General Authentication Event |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | <action> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| dntdom | <domainimpacted> | Text/String | Domain to which the user who is being authenticated belongs. |
| dusername | <account> | Text/String | Name of the user who is being authenticated. |
| duid | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsDuplicateUser | N/A | N/A | Indicates whether duplicate users were found in a user group. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSUserGroupFound | N/A | N/A | Indicates whether the user could be mapped to a group. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
| dusername0 | N/A | N/A | End user being authenticated. |
| cs4 | <object> | Text/String | User-ID source that sends the IP (Port)-User Mapping. |
| cs4Label | N/A | N/A | N/A |
| cat | N/A | N/A | The event's unique identifier. |
| cnt | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| cn3 | N/A | N/A | Timeout interval after which the IP/User Mappings are cleared. |
| cn3Label | N/A | N/A | N/A |
| spt | <sport> | Number | Source port utilized by the session. |
| dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
| cs5 | <subject> | Text/String | Source from which mapping information is collected. |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
| cs6Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cn2Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | The vendor used to authenticate a user when multi-factor authentication is present. |
| cs1Label | N/A | N/A | N/A |
| end | N/A | N/A | Time when the authentication was completed. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
| cn1Label | N/A | N/A | N/A |
| PanOSUGFlags | N/A | N/A | Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping. |
| PanOSUserIdentifiedBySource | N/A | N/A | The user name as sent by the data source. |
| PanOSTag | N/A | N/A | The tag mapped to the user. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |