
User ID Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| User ID Messages | Base Rule | Other Audit | General Authentication Event |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | <action> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| dntdom | <domainimpacted> | Text/String | Domain to which the user who is being authenticated belongs. |
| duser | <account> | Text/String | Name of the user who is being authenticated. |
| duid | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsDuplicateUser | N/A | N/A | Indicates whether duplicate users were found in a user group. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSUserGroupFound | N/A | N/A | Indicates whether the user could be mapped to a group. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
| duser0 | N/A | N/A | End user being authenticated. |
| cs4 | <object> | Text/String | User-ID source that sends the IP (Port)-User Mapping. |
| cs4Label | N/A | N/A | N/A |
| cat | N/A | N/A | The event's unique identifier. |
| cnt | N/A | N/A | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| cn3 | N/A | N/A | Timeout interval after which the IP/User Mappings are cleared. |
| cn3Label | N/A | N/A | N/A |
| spt | <sport> | Number | Source port utilized by the session. |
| dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
| cs5 | <subject> | Text/String | Source from which mapping information is collected. |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
| cs6Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cn2Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | The vendor used to authenticate a user when multi-factor authentication is present. |
| cs1Label | N/A | N/A | N/A |
| end | N/A | N/A | Time when the authentication was completed. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
| cn1Label | N/A | N/A | N/A |
| PanOSUGFlags | N/A | N/A | Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping. |
| PanOSUserIdentifiedBySource | N/A | N/A | The user name as sent by the data source. |
| PanOSTag | N/A | N/A | The tag mapped to the user. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
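As an added example that is not part of this LogRhythm documentation, the following Python code maps one User ID log line onto the schema fields the table above assigns (keys mapped to N/A are dropped, and the Number and IP Address data types are enforced). It assumes the log arrives in CEF layout (header fields separated by `|`, extension as space-separated key=value pairs) and runs on a constructed sample line whose vendor, product and extension values are made up.

```python
import ipaddress
import re
# Extension key -> (LogRhythm schema field, data type) taken from the table above.
EXTENSION_MAP = {
    "deviceExternalId": ("serialnumber", "Text/String/Number"),
    "dntdom": ("domainimpacted", "Text/String"),
    "duser": ("account", "Text/String"),
    "src": ("sip", "IP Address"),
    "dst": ("dip", "IP Address"),
    "cs4": ("object", "Text/String"),
    "spt": ("sport", "Number"),
    "dpt": ("dport", "Number"),
    "cs5": ("subject", "Text/String"),
}
# Header position -> field, assuming the standard CEF header order:
# CEF:0|deviceVendor|deviceProduct|Version|LogType|SubType|deviceSeverity|extension
HEADER_MAP = {4: ("vmid", "Text/String"), 5: ("action", "Text/String"), 6: ("severity", "Number")}
# key=value pairs; a value runs until the next " key=" or end of line, so it may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample line (not a real firewall log); every value is a placeholder.
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|1.0|userid|login|3|"
          "rt=1700000000000000 deviceExternalId=001901000001 dntdom=corp duser=jdoe "
          "src=10.1.2.3 dst=10.1.2.4 cs4=agent cs4Label=DataSource spt=51234 dpt=443 "
          "cs5=GlobalProtect gateway cs5Label=DataSourceName cn3=2700 cn3Label=Timeout")

def _coerce(value, dtype):
    """Enforce the table's data type; a bad value raises ValueError instead of polluting the field."""
    if dtype == "Number":
        return int(value)
    if dtype == "IP Address":
        return str(ipaddress.ip_address(value))
    return value

def parse_userid_cef(line):
    """Return a dict of LogRhythm schema field -> value for one User ID CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line.split("|", 7)  # escaped pipes inside header values are not handled here
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    out = {}
    for idx, (field, dtype) in HEADER_MAP.items():
        out[field] = _coerce(parts[idx], dtype)
    for key, value in _KV.findall(parts[7]):
        if key in EXTENSION_MAP:  # keys the table maps to N/A are left out
            field, dtype = EXTENSION_MAP[key]
            out[field] = _coerce(value.strip(), dtype)
    return out
```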