V 2.0 General GlobalProtect Messages 1
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 General GlobalProtect Messages | Base Rule | General System Message | Information |
V 2.0 GlobalProtect Gateway : Remote Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 GlobalProtect Portal : Remote Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 GlobalProtect Gateway : Remote Logon Success | Sub Rule | User Logon | Authentication Success |
| V 2.0 GlobalProtect Portal : Remote Logon Success | Sub Rule | User Logon | Authentication Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; value is SYSTEM. |
| Content/Threat Type (subtype) | <vendorinfo> | Text/String | Subtype of the system log; refers to the system daemon generating the log |
| Event ID (eventid) | <action> <tag1> | Text/String | String showing the name of the event. |
| Object (object) | <object> | Text/String | Name of the object associated with the system event. |
| Severity (severity) | <severity> | Text/String | Severity associated with the event; values are informational, low, medium, high, critical. |
| Description (opaque) | <subject> | Text/String | Detailed description of the event, up to a maximum of 512 bytes. |
| <sip> | IP Address | ||
| <login> | Text/String | ||
| <reason> | Text/String | ||
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged |