Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| User ID Messages | Base Rule | Other Audit | General Authentication Event |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | <action> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| dntdom | <domainimpacted> | Text/String | Domain to which the user who is being authenticated belongs. |
| dusername | <account> | Text/String | Name of the user who is being authenticated. |
| duid | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsDuplicateUser | N/A | N/A | Indicates whether duplicate users were found in a user group. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates whether this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates whether the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data, that is, the system that produced it. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSUserGroupFound | N/A | N/A | Indicates whether the user could be mapped to a group. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
| dusername0 | N/A | N/A | End user being authenticated. |
| cs4 | <object> | Text/String | User-ID source that sends the IP (Port)-User Mapping. |
| cs4Label | N/A | N/A | N/A |
| cat | N/A | N/A | The event's unique identifier. |
| cnt | N/A | N/A | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| cn3 | N/A | N/A | Timeout interval after which the IP/User Mappings are cleared. |
| cn3Label | N/A | N/A | N/A |
| spt | <sport> | Number | Source port utilized by the session. |
| dpt | <dport> | Number | Network traffic's destination port. If this value is 0, the application is using its standard port. |
| cs5 | <subject> | Text/String | Source from which mapping information is collected. |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | Mechanism used to identify the IP/User mappings within a data source. |
| cs6Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. |
| cn2 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cn2Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | The vendor used to authenticate a user when multi-factor authentication is present. |
| cs1Label | N/A | N/A | N/A |
| end | N/A | N/A | Time when the authentication was completed. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
| cn1Label | N/A | N/A | N/A |
| PanOSUGFlags | N/A | N/A | Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping. |
| PanOSUserIdentifiedBySource | N/A | N/A | The user name as sent by the data source. |
| PanOSTag | N/A | N/A | The tag mapped to the user. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
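The following is an added example, not code from LogRhythm or Palo Alto Networks, showing how the mapping in the table above is applied to a raw CEF User-ID event: it splits the CEF header (honouring the `\|` and `\\` escapes), parses the extension into key=value pairs (honouring `\=`, `\\`, `\r`, `\n` and values that contain spaces), then copies the keys the table maps (`src`, `dst`, `dusername`, `dntdom`, `cs4`, `cs5`, `spt`, `dpt`, `deviceExternalId`) into the named LogRhythm fields while enforcing the table's data types, so a non-IP value never lands silently in `sip`/`dip`. It assumes the PAN-OS CEF header layout, in which the Device Event Class ID position carries the subtype (SubType, `<action>`) and the Name position carries the log type (LogType, `<vmid>`); `rt`, `start` and `end` are converted as microseconds since the Unix epoch, as the table describes them. The sample event, its serial number and hostnames are constructed for illustration.

```python
"""Parse a PAN-OS User-ID CEF event and map it onto the LogRhythm schema
fields named in the mapping table.

Added example; not LogRhythm's or Palo Alto Networks' own code.
The sample event at the bottom is constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|Extension
# Inside the header, '|' and '\' are escaped as '\|' and '\\'.
_HEADER_FIELD = re.compile(r'((?:\\.|[^|\\])*)\|')
_HEADER_NAMES = ('cefVersion', 'deviceVendor', 'deviceProduct', 'deviceVersion',
                 'signatureId', 'name', 'severity')

# Extension: space-separated key=value pairs. A value may itself contain
# spaces; '=', '\', CR and LF inside a value are escaped as '\=', '\\',
# '\r', '\n'. The lookahead ends a value at the next " key=" boundary.
_EXT_PAIR = re.compile(
    r'(?P<key>[^\s=\\]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[^\s=\\]+=|\s*$)')
_ESCAPES = {'\\': '\\', '=': '=', '|': '|', 'r': '\r', 'n': '\n'}

# CEF extension key -> (LogRhythm field, data type), taken from the table.
_EXT_MAP = {
    'deviceExternalId': ('serialnumber', str),
    'dntdom': ('domainimpacted', str),
    'dusername': ('account', str),
    'src': ('sip', 'ip'),
    'dst': ('dip', 'ip'),
    'spt': ('sport', int),
    'dpt': ('dport', int),
    'cs4': ('object', str),
    'cs5': ('subject', str),
}


def _unescape(value: str) -> str:
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def parse_cef(line: str):
    """Return (header dict, extension dict) for one CEF line."""
    line = line.rstrip('\r\n')
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF record')
    header, pos = {}, 4
    for name in _HEADER_NAMES:
        m = _HEADER_FIELD.match(line, pos)
        if m is None:
            raise ValueError('truncated CEF header before %r' % name)
        header[name] = _unescape(m.group(1))
        pos = m.end()
    ext = {m.group('key'): _unescape(m.group('val'))
           for m in _EXT_PAIR.finditer(line[pos:])}
    return header, ext


def _micros_to_iso(value: str) -> str:
    # rt/start/end are described as microseconds since the Unix epoch.
    return datetime.fromtimestamp(int(value) / 1_000_000, tz=timezone.utc).isoformat()


def to_logrhythm(line: str) -> dict:
    """Map one User-ID CEF event onto the LogRhythm fields from the table.

    Assumption (PAN-OS CEF layout): Device Event Class ID carries the
    subtype (login, logout, ...) and Name carries the log type (USERID).
    """
    header, ext = parse_cef(line)
    out = {
        'deviceVendor': header['deviceVendor'],
        'deviceProduct': header['deviceProduct'],
        'version': header['deviceVersion'],
        'vmid': header['name'],               # LogType
        'action': header['signatureId'],      # SubType
        'severity': int(header['severity']),  # deviceSeverity is a Number
    }
    for key, (field, kind) in _EXT_MAP.items():
        if key not in ext:
            continue
        raw = ext[key]
        if kind == 'ip':
            # Enforce the IP Address data type: a non-IP value raises rather
            # than being stored silently in sip/dip.
            out[field] = str(ipaddress.ip_address(raw))
        elif kind is int:
            out[field] = int(raw)
        else:
            out[field] = raw
    for key in ('rt', 'start', 'end'):
        if key in ext and ext[key].isdigit():
            out[key] = _micros_to_iso(ext[key])
    return out


# Constructed sample event (not a real capture); serial and hostnames are made up.
SAMPLE = ('CEF:0|Palo Alto Networks|PAN-OS|10.1.0|login|USERID|1|'
          'rt=1700000000000000 deviceExternalId=001234567890 dntdom=CORP '
          'dusername=alice src=10.1.2.3 dst=10.0.0.1 spt=0 dpt=0 '
          'cs4Label=Datasource Name cs4=dc01.corp.example '
          'cs5Label=Datasource cs5=active-directory externalId=42')

if __name__ == '__main__':
    for field, value in to_logrhythm(SAMPLE).items():
        print('%-14s %s' % (field, value))
```

The `csN`/`cnN` keys only have meaning together with their `csNLabel`/`cnNLabel` companions, so a parser that wants `cs4` to mean "User-ID source" should also check that `cs4Label` carries the expected label before trusting the value; the extension dict returned by `parse_cef` keeps the labels so that check can be added.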