HIP Match
Hipmatch logs are generated by the Palo Alto Networks GlobalProtect Host Information Profile
(HIP) matching feature. These capture information about the security status of the endpoints
accessing a network (such as whether they have disk encryption enabled).
Hipmatch logs are generated whenever an endpoint connects to the GlobalProtect portal on
the next-generation firewall. These logs contain only the information used to match the
firewall's HIP-based security rules.
See the following for information related to supported log formats:
In the table below, a Syslog entry of "Syslog Field Order" means the field is located by its position in the syslog record rather than by a named key.

Field (Display Name) | Description | Field name by format
---|---|---
config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record. | Syslog: Syslog Field Order; CEF: PanOSConfigVersion; EMAIL: ConfigVersion; HTTPS: ConfigVersion; LEEF: ConfigVersion
count_of_repeats (COUNT OF REPEATS) | Number of times the HIP profile matched. | Syslog: Syslog Field Order; CEF: cnt; EMAIL: CountOfRepeats; HTTPS: CountOfRepeats; LEEF: CountOfRepeats
customer_id (TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. | CEF: PanOSTenantID; EMAIL: TenantID; HTTPS: TenantID; LEEF: TenantID
dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel1; EMAIL: DGHierarchyLevel1; HTTPS: DGHierarchyLevel1; LEEF: DGHierarchyLevel1
dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel2; EMAIL: DGHierarchyLevel2; HTTPS: DGHierarchyLevel2; LEEF: DGHierarchyLevel2
dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel3; EMAIL: DGHierarchyLevel3; HTTPS: DGHierarchyLevel3; LEEF: DGHierarchyLevel3
dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel4; EMAIL: DGHierarchyLevel4; HTTPS: DGHierarchyLevel4; LEEF: DGHierarchyLevel4
endpoint_device_name (ENDPOINT DEVICE NAME) | Name of the user's machine. | Syslog: Syslog Field Order; EMAIL: EndpointDeviceName; HTTPS: EndpointDeviceName; LEEF: identHostName
endpoint_os_type (ENDPOINT OS TYPE) | The operating system installed on the user's machine or device (or on the client system). | Syslog: Syslog Field Order; CEF: cs2; EMAIL: EndpointOSType; HTTPS: EndpointOSType; LEEF: EndpointOSType
endpoint_serial_number (ENDPOINT SERIAL NUMBER) | Serial number of the host on which GlobalProtect is installed. | Syslog: Syslog Field Order; CEF: PanOSEndpointSerialNumber; EMAIL: EndpointSerialNumber; HTTPS: EndpointSerialNumber; LEEF: EndpointSerialNumber
hip_match_name (HIP MATCH NAME) | Name of the HIP object or profile. | Syslog: Syslog Field Order; CEF: cat; EMAIL: HipMatchName; HTTPS: HipMatchName; LEEF: EventID
hip_match_type.value (HIP MATCH TYPE) | Identifies whether the hip field represents a HIP object or a HIP profile. | Syslog: Syslog Field Order; CEF: PanOSHipMatchType; EMAIL: HipMatchType; HTTPS: HipMatchType; LEEF: EventID
host_id (HOST ID) | Unique identifier GlobalProtect has assigned to the host. | Syslog: Syslog Field Order; CEF: PanOSHostID; EMAIL: HostID; HTTPS: HostID; LEEF: HostID
is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. | CEF: PanOSIsDuplicateLog; EMAIL: IsDuplicateLog; HTTPS: IsDuplicateLog; LEEF: IsDuplicateLog
is_exported (LOG EXPORTED) | Indicates if this log was exported from the firewall using the firewall's log export function. | CEF: PanOSLogExported; EMAIL: LogExported; HTTPS: LogExported; LEEF: LogExported
is_forwarded (LOG FORWARDED) | Internal-use field that indicates if the log is being forwarded. | CEF: PanOSLogForwarded; EMAIL: LogForwarded; HTTPS: LogForwarded; LEEF: LogForwarded
is_prisma_branch (IS PRISMA NETWORKS) | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. | CEF: PanOSIsPrismaNetworks; EMAIL: IsPrismaNetworks; HTTPS: IsPrismaNetworks; LEEF: IsPrismaNetworks
is_prisma_mobile (IS PRISMA USERS) | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. | CEF: PanOSIsPrismaUsers; EMAIL: IsPrismaUsers; HTTPS: IsPrismaUsers; LEEF: IsPrismaUsers
log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced the data. | CEF: PanOSLogSource; EMAIL: LogSource; HTTPS: LogSource; LEEF: LogSource
log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. | Syslog: Syslog Field Order; CEF: deviceExternalId; EMAIL: DeviceSN; HTTPS: DeviceSN; LEEF: DeviceSN
log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. | Syslog: Syslog Field Order; CEF: dvchost; EMAIL: DeviceName; HTTPS: DeviceName; LEEF: DeviceName
log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | CEF: PanOSLogSourceTimeZoneOffset; EMAIL: LogSourceTimeZoneOffset; HTTPS: LogSourceTimeZoneOffset; LEEF: LogSourceTimeZoneOffset
log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: rt; EMAIL: TimeReceived; HTTPS: TimeReceived; LEEF: TimeReceived
log_type.value (LOG TYPE) | Identifies the log type. | Syslog: Syslog Field Order; CEF: Device Event Class ID; EMAIL: LogType; HTTPS: LogType; LEEF: cat
sequence_no (SEQUENCE NO) | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. | Syslog: Syslog Field Order; CEF: externalId; EMAIL: SequenceNo; HTTPS: SequenceNo; LEEF: SequenceNo
source (SOURCE) | Source. | Syslog: Syslog Field Order; CEF: PanOSSource; EMAIL: Source; HTTPS: Source; LEEF: Source
source_device_category (SOURCE DEVICE CATEGORY) | Category of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceCategory; EMAIL: SourceDeviceCategory; HTTPS: SourceDeviceCategory; LEEF: SourceDeviceCategory
source_device_class (SOURCE DEVICE CLASS) | Source device class. | CEF: PanOSSourceDeviceClass; EMAIL: SourceDeviceClass; HTTPS: SourceDeviceClass; LEEF: SourceDeviceClass
source_device_host (SOURCE DEVICE HOST) | Hostname of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceHost; EMAIL: SourceDeviceHost; HTTPS: SourceDeviceHost; LEEF: SourceDeviceHost
source_device_mac (SOURCE DEVICE MAC) | MAC address of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceMac; EMAIL: SourceDeviceMac; HTTPS: SourceDeviceMac; LEEF: SourceDeviceMac
source_device_model (SOURCE DEVICE MODEL) | Model of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceModel; EMAIL: SourceDeviceModel; HTTPS: SourceDeviceModel; LEEF: SourceDeviceModel
source_device_os (SOURCE DEVICE OS) | Source device OS type. | CEF: PanOSSourceDeviceOS; EMAIL: SourceDeviceOS; HTTPS: SourceDeviceOS; LEEF: SourceDeviceOS
source_device_osfamily (SOURCE DEVICE OS FAMILY) | OS family of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceOSFamily; EMAIL: SourceDeviceOSFamily; HTTPS: SourceDeviceOSFamily; LEEF: SourceDeviceOSFamily
source_device_osversion (SOURCE DEVICE OS VERSION) | OS version of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceOSVersion; EMAIL: SourceDeviceOSVersion; HTTPS: SourceDeviceOSVersion; LEEF: SourceDeviceOSVersion
source_device_profile (SOURCE DEVICE PROFILE) | Profile of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceProfile; EMAIL: SourceDeviceProfile; HTTPS: SourceDeviceProfile; LEEF: SourceDeviceProfile
source_device_vendor (SOURCE DEVICE VENDOR) | Vendor of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceVendor; EMAIL: SourceDeviceVendor; HTTPS: SourceDeviceVendor; LEEF: SourceDeviceVendor
source_ip_v6.value (SOURCE IPV6) | Source from which mapping information is collected. | Syslog: Syslog Field Order; CEF: c6a1; EMAIL: SourceIPv6; HTTPS: SourceIPv6; LEEF: SourceIPv6
source_user (SOURCE USER) | The username that initiated the network traffic. | Syslog: Syslog Field Order; CEF: PanOSSourceUser; EMAIL: SourceUser; HTTPS: SourceUser; LEEF: usrName
source_user_info.domain (SOURCE USER DOMAIN) | Domain to which the Source User belongs. | EMAIL: SourceUserDomain; HTTPS: SourceUserDomain; LEEF: SourceUserDomain
source_user_info.name (SOURCE USER NAME) | The Source User, that is, the username that initiated the network traffic. | EMAIL: SourceUserName; HTTPS: SourceUserName; LEEF: SourceUserName
source_user_info.uuid (SOURCE USER UUID) | Unique identifier assigned to the Source User. | EMAIL: SourceUserUUID; HTTPS: SourceUserUUID; LEEF: SourceUserUUID
sub_type.value (SUBTYPE) | Identifies the log subtype. | Syslog: Syslog Field Order; CEF: Name; EMAIL: Subtype; HTTPS: Subtype; LEEF: SubType
time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: start; EMAIL: TimeGenerated; HTTPS: TimeGenerated; LEEF: devTime
time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog: Syslog Field Order; CEF: PanOSTimeGeneratedHighResolution; EMAIL: TimeGeneratedHighResolution; HTTPS: TimeGeneratedHighResolution; LEEF: TimeGeneratedHighResolution
timestamp_device_identification (TIMESTAMP DEVICE IDENTIFICATION) | Time the device was identified, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog: Syslog Field Order; CEF: PanOSTimestampDeviceIdentification; EMAIL: TimestampDeviceIdentification; HTTPS: TimestampDeviceIdentification; LEEF: TimestampDeviceIdentification
vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | CEF: Device Vendor; EMAIL: VendorName; HTTPS: VendorName; LEEF: Vendor
vsys (VIRTUAL LOCATION) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog: Syslog Field Order; CEF: cs3; EMAIL: VirtualLocation; HTTPS: VirtualLocation; LEEF: VirtualLocation
vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog: Syslog Field Order; CEF: cn2; EMAIL: VirtualSystemID; HTTPS: VirtualSystemID; LEEF: VirtualSystemID
vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the network traffic. | Syslog: Syslog Field Order; CEF: PanOSVirtualSystemName; EMAIL: VirtualSystemName; HTTPS: VirtualSystemName; LEEF: VirtualSystemName
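As an added example (not Palo Alto Networks code), the following Python normalises a CEF-formatted HIP Match record onto the field names in the table, using the three CEF header positions and the CEF extension keys listed above. It assumes `rt` and `start` carry the microseconds-since-epoch strings the table describes; the sample record, its `HIPMATCH` class ID and all its values are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# CEF header positions (standard CEF layout). The table maps three of them:
# Device Vendor -> vendor_name, Device Event Class ID -> log_type, Name -> sub_type.
CEF_HEADER = ("cef_version", "vendor_name", "device_product",
              "device_version", "log_type", "sub_type", "severity")

# CEF extension key -> Cortex Data Lake field name, taken from the table above.
CEF_EXTENSION_MAP = {
    "cnt": "count_of_repeats", "PanOSTenantID": "customer_id",
    "cs2": "endpoint_os_type", "PanOSEndpointSerialNumber": "endpoint_serial_number",
    "cat": "hip_match_name", "PanOSHipMatchType": "hip_match_type",
    "PanOSHostID": "host_id", "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name", "rt": "log_time", "externalId": "sequence_no",
    "PanOSSource": "source", "c6a1": "source_ip_v6", "PanOSSourceUser": "source_user",
    "start": "time_generated", "cs3": "vsys", "cn2": "vsys_id",
    "PanOSVirtualSystemName": "vsys_name",
}
# Assumption: these carry the microseconds-since-epoch strings the table describes.
MICROSECOND_FIELDS = ("log_time", "time_generated")

def epoch_us_to_iso(value):
    """Render a microseconds-since-Unix-epoch string as an ISO 8601 UTC timestamp."""
    us = int(value)
    ts = datetime.fromtimestamp(us // 10**6, tz=timezone.utc)
    return ts.replace(microsecond=us % 10**6).isoformat()

def parse_hip_match_cef(line):
    """Split one CEF line into header and extension and map both to schema field names."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # 7 unescaped pipes
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record with seven header fields")
    record = dict(zip(CEF_HEADER, parts[:7]))
    # Extension values may contain spaces; a new key starts at whitespace + word + '='.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        record[CEF_EXTENSION_MAP.get(key, key)] = value  # unknown keys kept verbatim
    for field in MICROSECOND_FIELDS:
        if field in record:
            record[field + "_iso"] = epoch_us_to_iso(record[field])
    return record

# Constructed sample record; every value is a placeholder, not from a real firewall.
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|10.1.0|HIPMATCH|profile|3|"
          "rt=1700000000000000 start=1699999999500000 deviceExternalId=EXAMPLE-SN-0001 "
          "dvchost=gp-fw-01 PanOSSourceUser=jdoe PanOSSource=10.0.0.5 cs2=Windows 10 "
          "cat=disk-encryption-required PanOSHipMatchType=profile cnt=1 externalId=42 "
          "cs3=vsys1 cn2=1 PanOSHostID=EXAMPLE-HOST-ID")
```

Calling `parse_hip_match_cef(SAMPLE)` returns a dict keyed by the schema names (for example `hip_match_name`, `endpoint_os_type`, `vsys_id`) plus `log_time_iso` and `time_generated_iso` for human-readable timestamps.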