Authentication EMAIL Fields

Example Authentication log in EMAIL:
TimeReceived=2021-02-22T03:55:30.000000Z DeviceSN=xxxxxxxxxxxxx LogType=AUTH Subtype=Unknown ConfigVersion=10.0 TimeGenerated=2021-02-22T03:55:21.000000Z VirtualLocation=vsys1 SourceIP=xxxxxxxxxxxx User="paloaltonetwork\xxxxx" NormalizeUser="paloaltonetwork\xxxxx" Object=Authentication object3 AuthenticationPolicy=DC CountOfRepeats=16777216 MFAAuthenticationID=-1725441607236321280 MFAVendor=Duo LogSetting=rs-logging AuthServerProfile=allow-all-employees AuthenticationDescription=www.something ClientType=Unknown AuthEvent=User Password Failure AuthFactorNo=2 SequenceNo=476277 DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx VirtualSystemID=1 AuthenticationProtocol=PEAP-MSCHAPv2 RuleMatchedUUID= TimeGeneratedHighResolution=2021-02-22T03:55:21.963000Z SourceDeviceCategory=src_category_list-2 SourceDeviceProfile=src_profile_list-1 SourceDeviceModel=src_model_list-1 SourceDeviceVendor=src_vendor_list-1 SourceDeviceOSFamily=src_osfamily_list-2 SourceDeviceOSVersion=src_osversion_list-1 SourceDeviceHost=src_host_list-1 SourceDeviceMac=src_mac_list-1 AuthCacheServiceRegion= UserAgentString= SessionID=
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.
EMAIL Name
Query Name
AuthenticationDescription
AuthEvent
AuthFactorNo
AuthenticationPolicy
AuthenticationProtocol
AuthServerProfile
AuthenticatedUserDomain
AuthenticatedUserName
AuthenticatedUserUUID
ClientType
ClientTypeName
ConfigVersion
CountOfRepeats
CortexDataLakeTenantID
DGHierarchyLevel1
DGHierarchyLevel2
DGHierarchyLevel3
DGHierarchyLevel4
IsDuplicateLog
LogExported
LogForwarded
IsPrismaNetworks
IsPrismaUsers
Location
LogSetting
LogSource
DeviceSN
DeviceName
LogSourceTimeZoneOffset
TimeReceived
LogType
MFAAuthenticationID
MFAVendor
NormalizeUser
Object
RuleMatched
RuleMatchedUUID
SequenceNo
AuthCacheServiceRegion
SessionID
SourceDeviceCategory
SourceDeviceHost
SourceDeviceMac
SourceDeviceModel
SourceDeviceOSFamily
SourceDeviceOSVersion
SourceDeviceProfile
SourceDeviceVendor
SourceIP
Subtype
TimeGenerated
TimeGeneratedHighResolution
User
UserAgentString
VendorName
VirtualLocation
VirtualSystemID
VirtualSystemName

Recommended For You