Authentication EMAIL Fields

Table of Contents

Authentication EMAIL Fields

Example Authentication log in EMAIL:

TimeReceived=2021-02-22T03:55:30.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=AUTH
Subtype=Unknown
ConfigVersion=10.0
TimeGenerated=2021-02-22T03:55:21.000000Z
VirtualLocation=vsys1
SourceIP=xxxxxxxxxxxx
User="paloaltonetwork\xxxxx"
NormalizeUser="paloaltonetwork\xxxxx"
Object=Authentication object3
AuthenticationPolicy=DC
CountOfRepeats=16777216
MFAAuthenticationID=-1725441607236321280
MFAVendor=Duo
LogSetting=rs-logging
AuthServerProfile=allow-all-employees
AuthenticationDescription=www.something
ClientType=Unknown
AuthEvent=User Password Failure
AuthFactorNo=2
SequenceNo=476277
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
VirtualSystemID=1
AuthenticationProtocol=PEAP-MSCHAPv2
RuleMatchedUUID=
TimeGeneratedHighResolution=2021-02-22T03:55:21.963000Z
SourceDeviceCategory=src_category_list-2
SourceDeviceProfile=src_profile_list-1
SourceDeviceModel=src_model_list-1
SourceDeviceVendor=src_vendor_list-1
SourceDeviceOSFamily=src_osfamily_list-2
SourceDeviceOSVersion=src_osversion_list-1
SourceDeviceHost=src_host_list-1
SourceDeviceMac=src_mac_list-1
AuthCacheServiceRegion=
UserAgentString=
SessionID=

The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name	Query Name
AuthenticationDescription	auth_description
AuthEvent	auth_event_name.value
AuthFactorNo	auth_factor_num
AuthenticationPolicy	auth_policy
AuthenticationProtocol	auth_proto
AuthServerProfile	auth_server_profile
AuthenticatedUserDomain	authenticated_user_info.domain
AuthenticatedUserName	authenticated_user_info.name
AuthenticatedUserUUID	authenticated_user_info.uuid
ClientType	client_type
ClientTypeName	client_type_name.value
ConfigVersion	config_version.value
CountOfRepeats	count_of_repeats
CortexDataLakeTenantID	customer_id
DGHierarchyLevel1	dg_hier_level_1
DGHierarchyLevel2	dg_hier_level_2
DGHierarchyLevel3	dg_hier_level_3
DGHierarchyLevel4	dg_hier_level_4
IsDuplicateLog	is_dup_log
LogExported	is_exported
LogForwarded	is_forwarded
IsPrismaNetworks	is_prisma_branch
IsPrismaUsers	is_prisma_mobile
Location	location
LogSetting	log_set
LogSource	log_source
LogSourceGroupID	log_source_group_id
DeviceSN	log_source_id
DeviceName	log_source_name
LogSourceTimeZoneOffset	log_source_tz_offset
TimeReceived	log_time
LogType	log_type.value
MFAAuthenticationID	mfa_auth_id
MFAVendor	mfa_vendor
NormalizeUser	normalize_user
Object	object
PanoramaSN	panorama_serial
PlatformType	platform_type
RuleMatched	rule_matched
RuleMatchedUUID	rule_matched_uuid
SequenceNo	sequence_no
AuthCacheServiceRegion	service_region
SessionID	session_id
SourceDeviceCategory	source_device_category
SourceDeviceHost	source_device_host
SourceDeviceMac	source_device_mac
SourceDeviceModel	source_device_model
SourceDeviceOSFamily	source_device_osfamily
SourceDeviceOSVersion	source_device_osversion
SourceDeviceProfile	source_device_profile
SourceDeviceVendor	source_device_vendor
SourceIP	source_ip.value
Subtype	sub_type.value
TimeGenerated	time_generated
TimeGeneratedHighResolution	time_generated_high_res
User	user
UserAgentString	user_agent
VendorName	vendor_name
VirtualLocation	vsys
VirtualSystemID	vsys_id
VirtualSystemName	vsys_name

Authentication CEF Fields

Authentication HTTPS Fields

Strata Logging Service Docs

Authentication EMAIL Fields

Strata Logging Service Docs

Authentication EMAIL Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner