Authentication
Table of Contents
Authentication
Auth logs contain information about authentication events seen by the next-generation
firewall. These occur when users access network resources which are controlled by
authentication policy rules. Authentication Logs will never appear in Cortex Data Lake if
the associated firewalls are not configured with authentication policies.
Authentication logs are most frequently written when the next-generation firewall is
configured as a
Multi-Factor Authentication gateway,
and an end-user is using it to perform authentication.
See the following for information related to supported log formats:
AUTHENTICATION Field
(Display Name)
|
Description
|
|---|---|
auth_description
(AUTHENTICATION DESCRIPTION)
|
Additional authentication information.
Syslog field name: Syslog Field Order CEF field name: PanOSAuthenticationDescription EMAIL field name: AuthenticationDescription HTTPS field name: AuthenticationDescription LEEF field name: AuthenticationDescription |
auth_event_name.value
(AUTH EVENT)
|
The authentication event that caused the firewall to create this log record.
Syslog field name: Syslog Field Order CEF field name: msg EMAIL field name: AuthEvent HTTPS field name: AuthEvent LEEF field name: EventID |
auth_factor_num
(AUTH FACTOR NO)
|
Indicates the use of primary authentication (1) or additional factors (2, 3).
Syslog field name: Syslog Field Order CEF field name: cn1 EMAIL field name: AuthFactorNo HTTPS field name: AuthFactorNo LEEF field name: AuthFactorNo |
auth_policy
(AUTHENTICATION POLICY)
|
Policy invoked for authentication before allowing access to a protected resource.
Syslog field name: Syslog Field Order CEF field name: cs4 EMAIL field name: AuthenticationPolicy HTTPS field name: AuthenticationPolicy LEEF field name: AuthenticationPolicy |
auth_proto
(AUTHENTICATION PROTOCOL)
|
Indicates the authentication protocol used by the server. For example, PEAP with GTC.
Syslog field name: Syslog Field Order CEF field name: PanOSAuthenticationProtocol EMAIL field name: AuthenticationProtocol HTTPS field name: AuthenticationProtocol LEEF field name: AuthenticationProtocol |
auth_server_profile
(AUTH SERVER PROFILE)
|
Authentication server used for authentication.
Syslog field name: Syslog Field Order CEF field name: cs1 EMAIL field name: AuthServerProfile HTTPS field name: AuthServerProfile LEEF field name: AuthServerProfile |
authenticated_user_info.domain
(AUTHENTICATED USER DOMAIN)
|
Domain to which the user who is being authenticated belongs.
CEF field name: PanOSAuthenticatedUserDomain EMAIL field name: AuthenticatedUserDomain HTTPS field name: AuthenticatedUserDomain LEEF field name: AuthenticatedUserDomain |
authenticated_user_info.name
(AUTHENTICATED USER NAME)
|
Name of the user who is being authenticated.
CEF field name: PanOSAuthenticatedUserName EMAIL field name: AuthenticatedUserName HTTPS field name: AuthenticatedUserName LEEF field name: AuthenticatedUserName |
authenticated_user_info.uuid
(AUTHENTICATED USER UUID)
|
Unique identifier assigned to the user who is being authenticated.
CEF field name: PanOSAuthenticatedUserUUID EMAIL field name: AuthenticatedUserUUID HTTPS field name: AuthenticatedUserUUID LEEF field name: AuthenticatedUserUUID |
client_type
(CLIENT TYPE)
|
Type of client used to complete authentication (such as authentication portal).
Syslog field name: Syslog Field Order CEF field name: cs5 EMAIL field name: ClientType HTTPS field name: ClientType LEEF field name: ClientType |
client_type_name.value
(CLIENT TYPE NAME)
|
Type of client used to complete authentication.
CEF field name: PanOSClientTypeName EMAIL field name: ClientTypeName HTTPS field name: ClientTypeName LEEF field name: ClientTypeName |
config_version.value
(CONFIG VERSION)
|
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order CEF field name: PanOSConfigVersion EMAIL field name: ConfigVersion HTTPS field name: ConfigVersion LEEF field name: ConfigVersion |
count_of_repeats
(REPEAT COUNT)
|
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order CEF field name: cnt EMAIL field name: All of the following: RepeatCount, CountOfRepeats HTTPS field name: All of the following: RepeatCount, CountOfRepeats LEEF field name: CountOfRepeats |
customer_id
(CORTEX DATA LAKE TENANT ID)
|
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID EMAIL field name: CortexDataLakeTenantID HTTPS field name: CortexDataLakeTenantID LEEF field name: CortexDataLakeTenantID |
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel1 EMAIL field name: DGHierarchyLevel1 HTTPS field name: DGHierarchyLevel1 LEEF field name: DGHierarchyLevel1 |
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel2 EMAIL field name: DGHierarchyLevel2 HTTPS field name: DGHierarchyLevel2 LEEF field name: DGHierarchyLevel2 |
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel3 EMAIL field name: DGHierarchyLevel3 HTTPS field name: DGHierarchyLevel3 LEEF field name: DGHierarchyLevel3 |
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel4 EMAIL field name: DGHierarchyLevel4 HTTPS field name: DGHierarchyLevel4 LEEF field name: DGHierarchyLevel4 |
is_dup_log
(IS DUPLICATE LOG)
|
Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog EMAIL field name: IsDuplicateLog HTTPS field name: IsDuplicateLog LEEF field name: IsDuplicateLog |
is_exported
(LOG EXPORTED)
|
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported EMAIL field name: LogExported HTTPS field name: LogExported LEEF field name: LogExported |
is_forwarded
(LOG FORWARDED)
|
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded EMAIL field name: LogForwarded HTTPS field name: LogForwarded LEEF field name: LogForwarded |
is_prisma_branch
(IS PRISMA NETWORKS)
|
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks EMAIL field name: IsPrismaNetworks HTTPS field name: IsPrismaNetworks LEEF field name: IsPrismaNetworks |
is_prisma_mobile
(IS PRISMA USERS)
|
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers EMAIL field name: IsPrismaUsers HTTPS field name: IsPrismaUsers LEEF field name: IsPrismaUsers |
location
(PRISMA ACCESS LOCATION)
|
Prisma Access Region/Location.
CEF field name: PanOSLocation EMAIL field name: Location HTTPS field name: Location LEEF field name: Location |
log_set
(LOG SETTING)
|
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order CEF field name: cs6 EMAIL field name: LogSetting HTTPS field name: LogSetting LEEF field name: LogSetting |
log_source
(LOG SOURCE)
|
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource EMAIL field name: LogSource HTTPS field name: LogSource LEEF field name: LogSource |
log_source_group_id
(LOG SOURCE GROUP ID)
|
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID EMAIL field name: LogSourceGroupID HTTPS field name: LogSourceGroupID LEEF field name: LogSourceGroupID |
log_source_id
(DEVICE SN)
|
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed. Syslog field name: Syslog Field Order CEF field name: deviceExternalId EMAIL field name: DeviceSN HTTPS field name: DeviceSN LEEF field name: DeviceSN |
log_source_name
(DEVICE NAME)
|
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order CEF field name: dvchost EMAIL field name: DeviceName HTTPS field name: DeviceName LEEF field name: DeviceName |
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
|
Time Zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset EMAIL field name: LogSourceTimeZoneOffset HTTPS field name: LogSourceTimeZoneOffset LEEF field name: LogSourceTimeZoneOffset |
log_time
(TIME RECEIVED)
|
Time the log was received in Cortex Data Lake. This string
contains a timestamp value that is the number of microseconds
since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: rt EMAIL field name: TimeReceived HTTPS field name: TimeReceived LEEF field name: TimeReceived |
log_type.value
(LOG TYPE)
|
Identifies the log type.
Syslog field name: Syslog Field Order CEF field name: DeviceEventClassId EMAIL field name: LogType HTTPS field name: LogType LEEF field name: cat |
mfa_auth_id
(MFA AUTHENTICATION ID)
|
Unique ID given across primary authentication and additional (multi-factor) authentication.
Syslog field name: Syslog Field Order CEF field name: cn2 EMAIL field name: MFAAuthenticationID HTTPS field name: MFAAuthenticationID LEEF field name: MFAAuthenticationID |
mfa_vendor
(MFA VENDOR)
|
Vendor providing additional factor authentication.
Syslog field name: Syslog Field Order CEF field name: PanOSMFAVendor EMAIL field name: MFAVendor HTTPS field name: MFAVendor LEEF field name: MFAVendor |
normalize_user
(NORMALIZE USER)
|
Normalized version of the username being authenticated (such as appending a domain name to the username).
Syslog field name: Syslog Field Order CEF field name: cs2 EMAIL field name: NormalizeUser HTTPS field name: NormalizeUser LEEF field name: usrName |
object
(OBJECT)
|
Name of the object associated with the system event.
Syslog field name: Syslog Field Order CEF field name: fname EMAIL field name: Object HTTPS field name: Object LEEF field name: Object |
panorama_serial
(PANORAMA SN)
|
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN EMAIL field name: PanoramaSN HTTPS field name: PanoramaSN LEEF field name: PanoramaSN |
platform_type
(PLATFORM TYPE)
|
The platform type (Valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType EMAIL field name: PlatformType HTTPS field name: PlatformType LEEF field name: PlatformType |
rule_matched
(RULE)
|
Name of the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatched EMAIL field name: All of the following: Rule, RuleMatched HTTPS field name: All of the following: Rule, RuleMatched LEEF field name: RuleMatched |
rule_matched_uuid
(RULE UUID)
|
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order CEF field name: PanOSRuleMatchedUUID EMAIL field name: All of the following: RuleUUID, RuleMatchedUUID HTTPS field name: All of the following: RuleUUID, RuleMatchedUUID LEEF field name: RuleMatchedUUID |
sequence_no
(SEQUENCE NO)
|
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order CEF field name: externalId EMAIL field name: SequenceNo HTTPS field name: SequenceNo LEEF field name: SequenceNo |
service_region
(AUTH CACHE SERVICE REGION)
|
Region where the service is deployed.
Syslog field name: Syslog Field Order CEF field name: PanOSAuthCacheServiceRegion EMAIL field name: AuthCacheServiceRegion HTTPS field name: AuthCacheServiceRegion LEEF field name: AuthCacheServiceRegion |
session_id
(SESSION ID)
|
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order CEF field name: PanOSSessionID EMAIL field name: SessionID HTTPS field name: SessionID LEEF field name: SessionID |
source_device_category
(SOURCE DEVICE CATEGORY)
|
Category of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceCategory EMAIL field name: SourceDeviceCategory HTTPS field name: SourceDeviceCategory LEEF field name: SourceDeviceCategory |
source_device_host
(SOURCE DEVICE HOST)
|
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceHost EMAIL field name: SourceDeviceHost HTTPS field name: SourceDeviceHost LEEF field name: SourceDeviceHost |
source_device_mac
(SOURCE DEVICE MAC)
|
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceMac EMAIL field name: SourceDeviceMac HTTPS field name: SourceDeviceMac LEEF field name: SourceDeviceMac |
source_device_model
(SOURCE DEVICE MODEL)
|
Model of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceModel EMAIL field name: SourceDeviceModel HTTPS field name: SourceDeviceModel LEEF field name: SourceDeviceModel |
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
|
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceOSFamily EMAIL field name: SourceDeviceOSFamily HTTPS field name: SourceDeviceOSFamily LEEF field name: SourceDeviceOSFamily |
source_device_osversion
(SOURCE DEVICE OS VERSION)
|
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceOSVersion EMAIL field name: SourceDeviceOSVersion HTTPS field name: SourceDeviceOSVersion LEEF field name: SourceDeviceOSVersion |
source_device_profile
(SOURCE DEVICE PROFILE)
|
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceProfile EMAIL field name: SourceDeviceProfile HTTPS field name: SourceDeviceProfile LEEF field name: SourceDeviceProfile |
source_device_vendor
(SOURCE DEVICE VENDOR)
|
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceVendor EMAIL field name: SourceDeviceVendor HTTPS field name: SourceDeviceVendor LEEF field name: SourceDeviceVendor |
sub_type.value
(SUBTYPE)
|
Identifies the log subtype.
Syslog field name: Syslog Field Order CEF field name: Name EMAIL field name: Subtype HTTPS field name: Subtype LEEF field name: SubType |
time_generated
(TIME GENERATED)
|
Time when the log was generated on the firewall's data plane. This string contains a
timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: start EMAIL field name: TimeGenerated HTTPS field name: TimeGenerated LEEF field name: devTime |
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
|
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order CEF field name: PanOSTimeGeneratedHighResolution EMAIL field name: TimeGeneratedHighResolution HTTPS field name: TimeGeneratedHighResolution LEEF field name: TimeGeneratedHighResolution |
user
(USER)
|
End user being authenticated.
Syslog field name: Syslog Field Order CEF field name: duser EMAIL field name: User HTTPS field name: User LEEF field name: User |
user_agent
(USER AGENT STRING)
|
The User Agent field specifies the web browser that the user used to access the URL.
Syslog field name: Syslog Field Order CEF field name: PanOSUserAgentString EMAIL field name: UserAgentString HTTPS field name: UserAgentString LEEF field name: UserAgentString |
vendor_name
(VENDOR NAME)
|
Identifies the vendor that produced the data.
CEF field name: Device Vendor EMAIL field name: VendorName HTTPS field name: VendorName LEEF field name: Vendor |
vsys
(VIRTUAL LOCATION)
|
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order CEF field name: cs3 EMAIL field name: VirtualLocation HTTPS field name: VirtualLocation LEEF field name: VirtualLocation |
vsys_id
(VIRTUAL SYSTEM ID)
|
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order CEF field name: PanOSVirtualSystemID EMAIL field name: VirtualSystemID HTTPS field name: VirtualSystemID LEEF field name: VirtualSystemID |
vsys_name
(VIRTUAL SYSTEM NAME)
|
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSVirtualSystemName EMAIL field name: VirtualSystemName HTTPS field name: VirtualSystemName LEEF field name: VirtualSystemName |