HIP Match
Focus
Focus
Strata Logging Service

HIP Match

Table of Contents

HIP Match

Hipmatch logs are generated by the Palo Alto Networks GlobalProtect Host Information Profile (HIP) matching feature. These capture information about the security status of the endpoints accessing a network (such as whether they have disk encryption enabled).
Hipmatch logs are generated whenever an endpoint connects to the GlobalProtect portal on the next-generation firewall. These logs contain only the information used to match the firewall's HIP-based security rules.
See the following for information related to supported log formats:
HIP MATCH Field
(Display Name)
Description
config_version.​value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
count_of_repeats
(COUNT OF REPEATS)
Number of times the HIP profile matched.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: CountOfRepeats
HTTPS field name: CountOfRepeats
LEEF field name: CountOfRepeats
customer_id
(TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
endpoint_device_name
(ENDPOINT DEVICE NAME)
Name of the user’s machine.
Syslog field name: Syslog Field Order
CEF fields: All of the following: shost, dhost
EMAIL field name: EndpointDeviceName
HTTPS field name: EndpointDeviceName
LEEF field name: identHostName
endpoint_os_type
(ENDPOINT OS TYPE)
The operating system installed on the user’s machine or device (or on the client system).
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: EndpointOSType
HTTPS field name: EndpointOSType
LEEF field name: EndpointOSType
endpoint_serial_number
(ENDPOINT SERIAL NUMBER)
Serial number of the host on which GlobalProtect is installed.
Syslog field name: Syslog Field Order
EMAIL field name: EndpointSerialNumber
HTTPS field name: EndpointSerialNumber
LEEF field name: EndpointSerialNumber
hip_match_name
(HIP MATCH NAME)
Name of the HIP object or profile.
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: HipMatchName
HTTPS field name: HipMatchName
LEEF field name: EventID
hip_match_type.​value
(HIP MATCH TYPE)
Identifies whether the hip field represents a HIP object or a HIP profile.
Syslog field name: Syslog Field Order
CEF field name: PanOSHipMatchType
EMAIL field name: HipMatchType
HTTPS field name: HipMatchType
LEEF field name: EventID
host_id
(HOST ID)
Unique identifier GlobalProtect has assigned to the host.
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
panorama_serial
(PANORAMA SN)
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN
platform_type
(PLATFORM TYPE)
The platform type (Valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
source
(SOURCE)
Source.
Syslog field name: Syslog Field Order
CEF field name: PanOSSource
EMAIL field name: Source
HTTPS field name: Source
LEEF field name: Source
source_device_category
(SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory
source_device_class
(SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass
source_device_host
(SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost
source_device_mac
(SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Model of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_os
(SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily
source_device_osversion
(SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion
source_device_profile
(SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile
source_device_vendor
(SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_ip.​value
(SOURCE IP)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src
source_ip_v6.​value
(SOURCE IPV6)
Source from which mapping information is collected.
Syslog field name: Syslog Field Order
CEF field name: c6a1
EMAIL field name: SourceIPv6
HTTPS field name: SourceIPv6
LEEF field name: SourceIPv6
source_user
(SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName
source_user_info.​domain
(SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF fields: All of the following: sntdom, dntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain
source_user_info.​name
(SOURCE USER NAME)
The Source User. That is, the username that initiated the network traffic.
CEF fields: All of the following: suser, duser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName
source_user_info.​uuid
(SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF fields: All of the following: suid, duid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID
sub_type.​value
(SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
timestamp_device_identification
(TIMESTAMP DEVICE IDENTIFICATION)
Time the device was identified in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
uuid
(UUID)
UUID.
CEF field name: PanOSUUID
EMAIL field name: UUID
HTTPS field name: UUID
LEEF field name: UUID
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName