Audit
Audit logs are written to Cortex Data Lake by specific products, applications, or
services. These are used to record changes made to the service writing the logs.
The products, applications, or services that write audit logs are:
- Prisma Access Integration with Cisco Meraki SD-WAN
See the following for information related to supported log formats:
In every row the field name is identical in the CEF, EMAIL, HTTPS and LEEF formats, so the table lists it once.

| AUDIT Field (Display Name) | Description | CEF / EMAIL / HTTPS / LEEF field name |
|---|---|---|
| event_category (EVENT CATEGORY) | The category of the event. | Event Category |
| event_description (EVENT DESCRIPTION) | A description of the event. | Event Description |
| event_dest_url (EVENT DESTINATION URL) | The URL related to the destination. | Event Destination URL |
| event_dest_vendor (DESTINATION VENDOR) | Name of the service that sent the log to Cortex Data Lake. | Destination Vendor |
| event_detail (EVENT DETAILS) | Details about the event. | Event Details |
| event_name (EVENT NAME) | The name associated with the event. | Event Name |
| event_result (EVENT RESULT) | The result of the event. | Event Result |
| event_time (EVENT TIME) | Time when the log was generated. | Event Time |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced it. | Log Source |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the log source group (logSourceGroupId) the log belongs to. | LogSourceGroupID |
| log_source_id (LOG SOURCE ID) | Unique identifier of the log source. For example, if a firewall generated the log, this is the serial number of the firewall. | Log Source ID |
| platform_type (PLATFORM TYPE) | The platform type. Valid types are VM, PA, NGFW and CNGFW. | PlatformType |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | Vendor Name |
| vendor_severity.value (VENDOR SEVERITY) | Severity associated with the event. | Vendor Severity |
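As an added example (not code from the Cortex Data Lake documentation), the following Python checks one audit record against the field list above: every listed field must be present, `platform_type` must be one of the four valid types, and the nested `vendor_severity.value` must resolve through its dotted name. The record is a constructed sample, and its JSON layout (with `vendor_severity` as a nested object) is an assumption, since this page only lists the field names.

```python
import json

# Field names exactly as listed in the AUDIT schema table.
AUDIT_FIELDS = [
    "event_category", "event_description", "event_dest_url", "event_dest_vendor",
    "event_detail", "event_name", "event_result", "event_time", "log_source",
    "log_source_group_id", "log_source_id", "platform_type", "vendor_name",
    "vendor_severity.value",
]
# Valid platform types per the platform_type row of the table.
VALID_PLATFORM_TYPES = {"VM", "PA", "NGFW", "CNGFW"}

# Constructed sample record; the JSON layout is assumed and all values are made up.
SAMPLE_RECORD = json.dumps({
    "event_category": "config",
    "event_description": "Meraki SD-WAN tunnel configuration updated",
    "event_dest_url": "https://example.invalid/meraki/sdwan",
    "event_dest_vendor": "Prisma Access",
    "event_detail": "tunnel count changed from 2 to 3",
    "event_name": "sdwan_config_update",
    "event_result": "success",
    "event_time": 1700000000,
    "log_source": "prisma_access",
    "log_source_group_id": "group-0001",
    "log_source_id": "example-serial-0001",
    "platform_type": "NGFW",
    "vendor_name": "Palo Alto Networks",
    "vendor_severity": {"value": "informational"},
})

def get_dotted(record, path):
    """Resolve a dotted field name such as vendor_severity.value; None if absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def validate_audit_record(raw):
    """Return a list of schema problems for one JSON audit record (empty list = OK)."""
    record = json.loads(raw)
    problems = []
    for field in AUDIT_FIELDS:
        if get_dotted(record, field) is None:
            problems.append(f"missing field: {field}")
    ptype = record.get("platform_type")
    if ptype is not None and ptype not in VALID_PLATFORM_TYPES:
        problems.append(f"invalid platform_type: {ptype!r}")
    return problems
```

Running `validate_audit_record(SAMPLE_RECORD)` on the sample returns an empty list; a record with an unlisted platform type or without the nested severity value is reported by field name.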