User ID Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
User ID Messages | Base Rule | Other Audit | General Authentication Event |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | deviceVendor |
N/A | N/A | N/A | deviceProduct |
N/A | N/A | N/A | Version |
N/A | <vmid> | Text/String | LogType |
N/A | <action> | Text/String | SubType |
N/A | <severity> | Number | deviceSeverity |
ProfileToken | N/A | N/A | N/A |
dtz | N/A | N/A | N/A |
rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
dntdom | <domainimpacted> | Text/String | Domain to which the user who is being authenticated belongs. |
dusername | <account> | Text/String | Name of the user who is being authenticated. |
duid | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
PanOSIsDuplicateUser | N/A | N/A | Indicates whether duplicate users were found in a user group. |
PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
PanOSUserGroupFound | N/A | N/A | Indicates whether the user could be mapped to a group. |
start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
cs3Label | N/A | N/A | N/A |
src | <sip> | IP Address | Original source IP address. |
dst | <dip> | IP Address | Original destination IP address. |
dusername0 | N/A | N/A | End user being authenticated. |
cs4 | <object> | Text/String | User-ID source that sends the IP (Port)-User Mapping. |
cs4Label | N/A | N/A | N/A |
cat | N/A | N/A | The event's unique identifier. |
cnt | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
cn3 | N/A | N/A | Timeout interval after which the IP/User Mappings are cleared. |
cn3Label | N/A | N/A | N/A |
spt | <sport> | Number | Source port utilized by the session. |
dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
cs5 | <subject> | Text/String | Source from which mapping information is collected. |
cs5Label | N/A | N/A | N/A |
cs6 | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
cs6Label | N/A | N/A | N/A |
externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
cn2Label | N/A | N/A | N/A |
cs1 | N/A | N/A | The vendor used to authenticate a user when multi-factor authentication is present. |
cs1Label | N/A | N/A | N/A |
end | N/A | N/A | Time when the authentication was completed. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
cn1Label | N/A | N/A | N/A |
PanOSUGFlags | N/A | N/A | Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping. |
PanOSUserIdentifiedBySource | N/A | N/A | The user name as sent by the data source. |
PanOSTag | N/A | N/A | The tag mapped to the user. |
PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |