HIP Match
HIP Match logs are generated by the Palo Alto Networks GlobalProtect Host Information Profile (HIP) matching feature. They capture information about the security posture of the endpoints accessing a network (for example, whether disk encryption is enabled).
A HIP Match log is written whenever an endpoint connects to the GlobalProtect portal on the next-generation firewall. It contains only the information that was used to match the firewall's HIP-based security rules.
The following table lists each HIP Match field (with its display name), its description, and the name under which it appears in each supported log format (Syslog, CEF, EMAIL, HTTPS, LEEF). Fields with no entry for a format are not emitted in that format.
HIP MATCH Field (Display Name) | Description | Field name by log format
---|---|---
config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record. | Syslog: Syslog Field Order; CEF: PanOSConfigVersion; EMAIL: ConfigVersion; HTTPS: ConfigVersion; LEEF: ConfigVersion
count_of_repeats (COUNT OF REPEATS) | Number of times the HIP profile matched. | Syslog: Syslog Field Order; CEF: cnt; EMAIL: CountOfRepeats; HTTPS: CountOfRepeats; LEEF: CountOfRepeats
customer_id (TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. | CEF: PanOSTenantID; EMAIL: TenantID; HTTPS: TenantID; LEEF: TenantID
dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel1; EMAIL: DGHierarchyLevel1; HTTPS: DGHierarchyLevel1; LEEF: DGHierarchyLevel1
dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel2; EMAIL: DGHierarchyLevel2; HTTPS: DGHierarchyLevel2; LEEF: DGHierarchyLevel2
dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel3; EMAIL: DGHierarchyLevel3; HTTPS: DGHierarchyLevel3; LEEF: DGHierarchyLevel3
dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: Syslog Field Order; CEF: PanOSDGHierarchyLevel4; EMAIL: DGHierarchyLevel4; HTTPS: DGHierarchyLevel4; LEEF: DGHierarchyLevel4
endpoint_device_name (ENDPOINT DEVICE NAME) | Name of the user's machine. | Syslog: Syslog Field Order; EMAIL: EndpointDeviceName; HTTPS: EndpointDeviceName; LEEF: identHostName
endpoint_os_type (ENDPOINT OS TYPE) | The operating system installed on the user's machine or device (or on the client system). | Syslog: Syslog Field Order; CEF: cs2; EMAIL: EndpointOSType; HTTPS: EndpointOSType; LEEF: EndpointOSType
endpoint_serial_number (ENDPOINT SERIAL NUMBER) | Serial number of the host on which GlobalProtect is installed. | Syslog: Syslog Field Order; CEF: PanOSEndpointSerialNumber; EMAIL: EndpointSerialNumber; HTTPS: EndpointSerialNumber; LEEF: EndpointSerialNumber
hip_match_name (HIP MATCH NAME) | Name of the HIP object or profile. | Syslog: Syslog Field Order; CEF: cat; EMAIL: HipMatchName; HTTPS: HipMatchName; LEEF: EventID
hip_match_type.value (HIP MATCH TYPE) | Identifies whether the hip field represents a HIP object or a HIP profile. | Syslog: Syslog Field Order; CEF: PanOSHipMatchType; EMAIL: HipMatchType; HTTPS: HipMatchType; LEEF: EventID
host_id (HOST ID) | Unique identifier GlobalProtect has assigned to the host. | Syslog: Syslog Field Order; CEF: PanOSHostID; EMAIL: HostID; HTTPS: HostID; LEEF: HostID
is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. | CEF: PanOSIsDuplicateLog; EMAIL: IsDuplicateLog; HTTPS: IsDuplicateLog; LEEF: IsDuplicateLog
is_exported (LOG EXPORTED) | Indicates if this log was exported from the firewall using the firewall's log export function. | CEF: PanOSLogExported; EMAIL: LogExported; HTTPS: LogExported; LEEF: LogExported
is_forwarded (LOG FORWARDED) | Internal-use field that indicates if the log is being forwarded. | CEF: PanOSLogForwarded; EMAIL: LogForwarded; HTTPS: LogForwarded; LEEF: LogForwarded
is_prisma_branch (IS PRISMA NETWORKS) | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. | CEF: PanOSIsPrismaNetworks; EMAIL: IsPrismaNetworks; HTTPS: IsPrismaNetworks; LEEF: IsPrismaNetworks
is_prisma_mobile (IS PRISMA USERS) | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. | CEF: PanOSIsPrismaUsers; EMAIL: IsPrismaUsers; HTTPS: IsPrismaUsers; LEEF: IsPrismaUsers
log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced the data. | CEF: PanOSLogSource; EMAIL: LogSource; HTTPS: LogSource; LEEF: LogSource
log_source_group_id (LOG SOURCE GROUP ID) | The ID of the Cloud NGFW resource. | CEF: LogSourceGroupID; EMAIL: LogSourceGroupID; HTTPS: LogSourceGroupID; LEEF: LogSourceGroupID
log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed. | Syslog: Syslog Field Order; CEF: deviceExternalId; EMAIL: DeviceSN; HTTPS: DeviceSN; LEEF: DeviceSN
log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. | Syslog: Syslog Field Order; CEF: dvchost; EMAIL: DeviceName; HTTPS: DeviceName; LEEF: DeviceName
log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | CEF: PanOSLogSourceTimeZoneOffset; EMAIL: LogSourceTimeZoneOffset; HTTPS: LogSourceTimeZoneOffset; LEEF: LogSourceTimeZoneOffset
log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: rt; EMAIL: TimeReceived; HTTPS: TimeReceived; LEEF: TimeReceived
log_type.value (LOG TYPE) | Identifies the log type. | Syslog: Syslog Field Order; CEF: Device Event Class ID; EMAIL: LogType; HTTPS: LogType; LEEF: cat
panorama_serial (PANORAMA SN) | Panorama serial number associated with CDL. | CEF: PanOSPanoramaSN; EMAIL: PanoramaSN; HTTPS: PanoramaSN; LEEF: PanoramaSN
sequence_no (SEQUENCE NO) | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. | Syslog: Syslog Field Order; CEF: externalId; EMAIL: SequenceNo; HTTPS: SequenceNo; LEEF: SequenceNo
source (SOURCE) | Source. | Syslog: Syslog Field Order; CEF: PanOSSource; EMAIL: Source; HTTPS: Source; LEEF: Source
source_device_category (SOURCE DEVICE CATEGORY) | Category of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceCategory; EMAIL: SourceDeviceCategory; HTTPS: SourceDeviceCategory; LEEF: SourceDeviceCategory
source_device_class (SOURCE DEVICE CLASS) | Source device class. | CEF: PanOSSourceDeviceClass; EMAIL: SourceDeviceClass; HTTPS: SourceDeviceClass; LEEF: SourceDeviceClass
source_device_host (SOURCE DEVICE HOST) | Hostname of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceHost; EMAIL: SourceDeviceHost; HTTPS: SourceDeviceHost; LEEF: SourceDeviceHost
source_device_mac (SOURCE DEVICE MAC) | MAC address of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceMac; EMAIL: SourceDeviceMac; HTTPS: SourceDeviceMac; LEEF: SourceDeviceMac
source_device_model (SOURCE DEVICE MODEL) | Model of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceModel; EMAIL: SourceDeviceModel; HTTPS: SourceDeviceModel; LEEF: SourceDeviceModel
source_device_os (SOURCE DEVICE OS) | Source device OS type. | CEF: PanOSSourceDeviceOS; EMAIL: SourceDeviceOS; HTTPS: SourceDeviceOS; LEEF: SourceDeviceOS
source_device_osfamily (SOURCE DEVICE OS FAMILY) | OS family of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceOSFamily; EMAIL: SourceDeviceOSFamily; HTTPS: SourceDeviceOSFamily; LEEF: SourceDeviceOSFamily
source_device_osversion (SOURCE DEVICE OS VERSION) | OS version of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceOSVersion; EMAIL: SourceDeviceOSVersion; HTTPS: SourceDeviceOSVersion; LEEF: SourceDeviceOSVersion
source_device_profile (SOURCE DEVICE PROFILE) | Profile of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceProfile; EMAIL: SourceDeviceProfile; HTTPS: SourceDeviceProfile; LEEF: SourceDeviceProfile
source_device_vendor (SOURCE DEVICE VENDOR) | Vendor of the device from which the session originated. | Syslog: Syslog Field Order; CEF: PanOSSourceDeviceVendor; EMAIL: SourceDeviceVendor; HTTPS: SourceDeviceVendor; LEEF: SourceDeviceVendor
source_ip_v6.value (SOURCE IPV6) | Source from which mapping information is collected. | Syslog: Syslog Field Order; CEF: c6a1; EMAIL: SourceIPv6; HTTPS: SourceIPv6; LEEF: SourceIPv6
source_user (SOURCE USER) | The username that initiated the network traffic. | Syslog: Syslog Field Order; CEF: PanOSSourceUser; EMAIL: SourceUser; HTTPS: SourceUser; LEEF: usrName
source_user_info.domain (SOURCE USER DOMAIN) | Domain to which the Source User belongs. | EMAIL: SourceUserDomain; HTTPS: SourceUserDomain; LEEF: SourceUserDomain
source_user_info.name (SOURCE USER NAME) | The Source User, that is, the username that initiated the network traffic. | EMAIL: SourceUserName; HTTPS: SourceUserName; LEEF: SourceUserName
source_user_info.uuid (SOURCE USER UUID) | Unique identifier assigned to the Source User. | EMAIL: SourceUserUUID; HTTPS: SourceUserUUID; LEEF: SourceUserUUID
sub_type.value (SUBTYPE) | Identifies the log subtype. | Syslog: Syslog Field Order; CEF: Name; EMAIL: Subtype; HTTPS: Subtype; LEEF: SubType
time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: start; EMAIL: TimeGenerated; HTTPS: TimeGenerated; LEEF: devTime
time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog: Syslog Field Order; CEF: PanOSTimeGeneratedHighResolution; EMAIL: TimeGeneratedHighResolution; HTTPS: TimeGeneratedHighResolution; LEEF: TimeGeneratedHighResolution
timestamp_device_identification (TIMESTAMP DEVICE IDENTIFICATION) | Time the device was identified, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog: Syslog Field Order; CEF: PanOSTimestampDeviceIdentification; EMAIL: TimestampDeviceIdentification; HTTPS: TimestampDeviceIdentification; LEEF: TimestampDeviceIdentification
vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | CEF: Device Vendor; EMAIL: VendorName; HTTPS: VendorName; LEEF: Vendor
vsys (VIRTUAL LOCATION) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog: Syslog Field Order; CEF: cs3; EMAIL: VirtualLocation; HTTPS: VirtualLocation; LEEF: VirtualLocation
vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog: Syslog Field Order; CEF: cn2; EMAIL: VirtualSystemID; HTTPS: VirtualSystemID; LEEF: VirtualSystemID
vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the network traffic. | Syslog: Syslog Field Order; CEF: PanOSVirtualSystemName; EMAIL: VirtualSystemName; HTTPS: VirtualSystemName; LEEF: VirtualSystemName
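The following Python script is an added example, not Palo Alto Networks code, showing how a log pipeline would use the table above before feeding HIP Match records to detection logic: it maps the HTTPS field names back to the schema names, converts the two microsecond-epoch fields (log_time, time_generated) and the YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z field (time_generated_high_res) into aware UTC datetimes, measures ingest latency, and de-duplicates records. It assumes the HTTPS format delivers one JSON object per record keyed by the HTTPS field names in the table, and that sequence_no is unique per firewall and log type (the table only states that each log type has its own number space); the sample records, serial numbers and HipMatchType values are constructed for the example.

```python
"""Normalize GlobalProtect HIP Match records (HTTPS/JSON format) into the
schema field names, convert timestamps and drop duplicate records.
Added example; assumes JSON objects keyed by the HTTPS field names."""
from datetime import datetime, timedelta, timezone

# HTTPS field name -> schema field name (subset of the table above).
HTTPS_TO_SCHEMA = {
    "CountOfRepeats": "count_of_repeats",
    "EndpointDeviceName": "endpoint_device_name",
    "HipMatchName": "hip_match_name",
    "HipMatchType": "hip_match_type.value",
    "IsDuplicateLog": "is_dup_log",
    "DeviceSN": "log_source_id",
    "TimeReceived": "log_time",
    "LogType": "log_type.value",
    "SequenceNo": "sequence_no",
    "SourceUser": "source_user",
    "TimeGenerated": "time_generated",
    "TimeGeneratedHighResolution": "time_generated_high_res",
}
MICROSECOND_FIELDS = {"log_time", "time_generated"}   # microseconds since the Unix epoch
ISO_FIELDS = {"time_generated_high_res"}              # YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_epoch_micros(value) -> datetime:
    """Integer arithmetic on the microsecond count keeps full precision;
    dividing by 1e6 as a float would not."""
    return UNIX_EPOCH + timedelta(microseconds=int(value))


def parse_high_res(value: str) -> datetime:
    """Parse YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z; the fractional part is optional."""
    if not value.endswith("Z"):
        raise ValueError(f"expected trailing Z: {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def normalize(record: dict) -> dict:
    """Rename HTTPS keys to schema names and type the values.
    Unknown keys are kept under their original name so nothing is silently lost."""
    out = {}
    for key, value in record.items():
        name = HTTPS_TO_SCHEMA.get(key, key)
        if name in MICROSECOND_FIELDS:
            value = parse_epoch_micros(value)
        elif name in ISO_FIELDS:
            value = parse_high_res(value)
        elif name in ("count_of_repeats", "sequence_no"):
            value = int(value)
        elif name == "is_dup_log":
            value = str(value).lower() in ("1", "true", "yes")
        out[name] = value
    return out


def ingest_latency_seconds(norm: dict) -> float:
    """Seconds between generation on the firewall data plane and receipt in Cortex Data Lake."""
    return (norm["log_time"] - norm["time_generated"]).total_seconds()


def dedupe(records) -> list:
    """Keep the first copy of each (firewall serial, log type, sequence_no).
    is_dup_log only says a copy may exist elsewhere; the key is what makes
    merging feeds from Cortex Data Lake and an on-premise collector safe."""
    seen, kept = set(), []
    for rec in records:
        norm = normalize(rec)
        key = (norm.get("log_source_id"), norm.get("log_type.value"), norm.get("sequence_no"))
        if key in seen:
            continue
        seen.add(key)
        kept.append(norm)
    return kept


# Constructed sample records (values are illustrative placeholders, not captured data).
SAMPLE_RECORDS = [
    {"DeviceSN": "SN-PLACEHOLDER-1", "LogType": "HIPMATCH", "SequenceNo": "7000001",
     "TimeGenerated": "1700000000000000", "TimeReceived": "1700000002500000",
     "TimeGeneratedHighResolution": "2023-11-14T22:13:20.000Z",
     "SourceUser": "example\\jdoe", "EndpointDeviceName": "LAPTOP-EXAMPLE",
     "HipMatchName": "disk-encryption-required", "HipMatchType": "profile",
     "CountOfRepeats": "1", "IsDuplicateLog": "0"},
    # Same record seen again via a second feed: same serial, type and sequence number.
    {"DeviceSN": "SN-PLACEHOLDER-1", "LogType": "HIPMATCH", "SequenceNo": "7000001",
     "TimeGenerated": "1700000000000000", "TimeReceived": "1700000004000000",
     "TimeGeneratedHighResolution": "2023-11-14T22:13:20Z",
     "SourceUser": "example\\jdoe", "HipMatchName": "disk-encryption-required",
     "HipMatchType": "profile", "CountOfRepeats": "1", "IsDuplicateLog": "1"},
    {"DeviceSN": "SN-PLACEHOLDER-1", "LogType": "HIPMATCH", "SequenceNo": "7000002",
     "TimeGenerated": "1700000060000000", "TimeReceived": "1700000061000000",
     "TimeGeneratedHighResolution": "2023-11-14T22:14:20.000Z",
     "SourceUser": "example\\asmith", "HipMatchName": "av-installed",
     "HipMatchType": "object", "CountOfRepeats": "3", "IsDuplicateLog": "0"},
]

if __name__ == "__main__":
    for rec in dedupe(SAMPLE_RECORDS):
        print(rec["sequence_no"], rec["source_user"], rec["hip_match_name"],
              f"latency={ingest_latency_seconds(rec):.1f}s")
```

Running the script prints two records: the second copy of sequence 7000001 is dropped by the key-based check, independent of its IsDuplicateLog flag. If your deployment's HTTPS payload nests or renames fields, adjust HTTPS_TO_SCHEMA; the timestamp helpers depend only on the formats documented in the table.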