V 2.0 Correlated Event Messages

Vendor Documentation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields.html

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 Correlated Event Messages	Base Rule	Suspicious Activity	Suspicious

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Type (type)	<vmid>	Text/String	Specifies the type of log; value is CORRELATION.
Content/Threat Type (subtype)	<vendorinfo>	Text/String	Subtype of the correlation log; unused.
Source Address (src)	<sip>	IP Address	IP address of the user who initiated the event.
Source User (srcuser)	<domainorigin> <login>	Text/String	Username of the user who initiated the event.
Category (category)	<subject>	Text/String	A summary of the kind of threat or harm posed to the network, user, or host.
Severity (severity)	<severity>	Text/String	Severity associated with the event; values are informational, low, medium, high, critical.
Device Name (device_name)	<objectname>	Number	The hostname of the firewall on which the session was logged
Object Name (objectname)	<threatname>	Text/String	Name of the correlation object that was matched on.
Object ID (object_id)	<threatid>	Number	Name of the object associated with the system event.
Evidence (evidence)	<reason>	Text/String	A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URl (19 times).