V 2.0 GlobalProtect Status Messages 1
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0 GlobalProtect Status Messages | Base Rule | General Authentication Event | Other Audit |
V 2.0 Remote Authentication Success | Sub Rule | User Logon | Authentication Success |
| V 2.0 Remote Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 Remote Session Logoff | Sub Rule | User Logoff | Authentication Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; value is GLOBALPROTECT. |
| Threat/Content Type (subtype) | <vendorinfo> | Number | |
| Event ID (eventid) | <action> | Text/String | A string showing the name of the event. |
| Stage (stage) | <status> <tag1> | Text/String | A string showing the stage of the connection (for example, before-login, login, or tunnel). |
| Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session. |
| Machine Name (machinename) | <sname> | Text/String | The name of the user’s machine. |
| Public IP (public_ip) | <sip> | IP Address | The public IP address for the user who initiated the session. |
| Private IP (private_ip) | <snatip> | IP Address | The private IP address for the user who initiated the session. |
| Serial Number (serialnumber) | <serialnumber> | Text/String | The serial number of the user’s machine or device. |
| Client Version (client_ver) | <version> | Text/String | The client’s GlobalProtect app version. |
| Repeat Count (repeatcnt) | <quantity> | Number | The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds. |
| Reason (reason) | <reason> | Text/String | A string that shows the reason for the quarantine. |
| Error (error) | <responsecode> | Text/String | A string showing that error that has occurred in any event. |
| Description (opaque) | <subject> | Text/String | Additional information for any event that has occurred. |
| Status (status) | <result> <tag2> | Text/String | The status (success or failure) of the event. |
| Login Duration (login_duration) | <seconds> | Number | The length of time, in seconds, the user is connected to the GlobalProtect gateway from logging in to logging out. |
| Device Name (device_name)** | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |