Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 GlobalProtect Status Messages | Base Rule | General Authentication Event | Other Audit |
| V 2.0 Remote Authentication Success | Sub Rule | User Logon | Authentication Success |
| V 2.0 Remote Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 Remote Session Logoff | Sub Rule | User Logoff | Authentication Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; the value is GLOBALPROTECT. |
| Threat/Content Type (subtype) | <vendorinfo> | Number | |
| Event ID (eventid) | <action> | Text/String | A string showing the name of the event. |
| Stage (stage) | <status> | Text/String | A string showing the stage of the connection (for example, before-login, login, or tunnel). |
| Source User (srcuser) | <domainorigin> | Text/String | The username of the user who initiated the session. |
| Machine Name (machinename) | <sname> | Text/String | The name of the user's machine. |
| Public IP (public_ip) | <sip> | IP Address | The public IP address of the user who initiated the session. |
| Private IP (private_ip) | <snatip> | IP Address | The private IP address of the user who initiated the session. |
| Serial Number (serialnumber) | <serialnumber> | Text/String | The serial number of the user's machine or device. |
| Client Version (client_ver) | <version> | Text/String | The client's GlobalProtect app version. |
| Repeat Count (repeatcnt) | <quantity> | Number | The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds. |
| Reason (reason) | <reason> | Text/String | A string that shows the reason for the quarantine. |
| Error (error) | <responsecode> | Text/String | A string showing the error that occurred in any event. |
| Description (opaque) | <subject> | Text/String | Additional information for any event that has occurred. |
| Status (status) | <result> | Text/String | The status (success or failure) of the event. |
| Login Duration (login_duration) | <seconds> | Number | The length of time, in seconds, the user is connected to the GlobalProtect gateway, from logging in to logging out. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
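As an added illustration, not part of the vendor documentation, the two tables above can be turned into a small normaliser: the mapping table drives the rename from device keys to LogRhythm schema fields and enforces the listed data types (IP Address, Number), and the rule table supplies the rule name, Common Event and Classification. The comma-separated key=value sample format, the selection on <result> and <action>, and all sample values are assumptions made for this example.

```python
import ipaddress
# Device key -> LogRhythm schema field, copied from the mapping table on this page.
FIELD_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "eventid": "action", "stage": "status",
    "srcuser": "domainorigin", "machinename": "sname", "public_ip": "sip", "private_ip": "snatip",
    "serialnumber": "serialnumber", "client_ver": "version", "repeatcnt": "quantity",
    "reason": "reason", "error": "responsecode", "opaque": "subject", "status": "result",
    "login_duration": "seconds", "device_name": "objectname",
}
IP_FIELDS = {"sip", "snatip"}            # typed "IP Address" in the table
NUMBER_FIELDS = {"quantity", "seconds"}  # typed "Number" in the table

def parse_kv_line(line):
    # Assumption: samples are comma-separated "key=value" pairs so the device keys
    # from the table stay visible; the firewall's real syslog feed is positional CSV.
    return dict(pair.strip().partition("=")[::2] for pair in line.split(","))

def map_fields(record):
    # Rename device keys to schema fields and enforce the table's data types.
    mapped = {}
    for device_key, value in record.items():
        schema = FIELD_MAP.get(device_key)
        if schema is None:
            continue  # key absent from the vendor mapping: dropped, not guessed
        if schema in IP_FIELDS:
            value = str(ipaddress.ip_address(value))  # rejects malformed addresses
        elif schema in NUMBER_FIELDS:
            value = int(value)
        mapped[schema] = value
    return mapped

def classify(mapped):
    # (rule name, Common Event, Classification) from the rule table. Selecting on
    # <result> and <action> is an assumption here, not LogRhythm's own rule logic.
    result, action = mapped.get("result", "").lower(), mapped.get("action", "").lower()
    if result == "failure":
        return ("V 2.0 Remote Authentication Failure", "User Logon Failure", "Authentication Failure")
    if result == "success" and action == "logout":
        return ("V 2.0 Remote Session Logoff", "User Logoff", "Authentication Success")
    if result == "success" and action == "login":
        return ("V 2.0 Remote Authentication Success", "User Logon", "Authentication Success")
    return ("V 2.0 GlobalProtect Status Messages", "General Authentication Event", "Other Audit")

# Constructed sample records, not captured from a real firewall.
SAMPLE_LINES = [
    "type=GLOBALPROTECT,eventid=login,stage=login,srcuser=alice,public_ip=203.0.113.10,private_ip=10.10.0.5,repeatcnt=1,status=success,login_duration=0,device_name=fw-edge-1",
    "type=GLOBALPROTECT,eventid=login,stage=login,srcuser=bob,public_ip=198.51.100.7,error=Invalid credentials,repeatcnt=3,status=failure,device_name=fw-edge-1",
    "type=GLOBALPROTECT,eventid=logout,stage=tunnel,srcuser=alice,public_ip=203.0.113.10,private_ip=10.10.0.5,repeatcnt=1,status=success,login_duration=3600,device_name=fw-edge-1",
]
```

Running `classify(map_fields(parse_kv_line(line)))` over SAMPLE_LINES yields the Success, Failure and Logoff sub rules in turn; a record with no recognised status falls through to the base rule.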