HIP Match CEF Fields

Example HIP Match log in CEF:
Mar 1 21:20:14 xxx.xx.x.xx 1505 <14>1 2021-03-01T21:20:14.889Z stream-logfwd20-587718190-03011312-b28y-harness-x4nx logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=xxx.xx.x.xx dst=xxx.xx.x.xx cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the HIP Match field names that the Log Forwarding app uses when you forward logs using the CEF log format.
CEF Name
Field Details
PanOSConfigVersion
Header Type:
Custom
cnt
Query Name:
count_of_repeats
Header Type:
Predefined
PanOSTenantID
Query Name:
customer_id
Header Type:
Custom
PanOSDGHierarchyLevel1
Query Name:
dg_hier_level_1
Header Type:
Custom
PanOSDGHierarchyLevel2
Query Name:
dg_hier_level_2
Header Type:
Custom
PanOSDGHierarchyLevel3
Query Name:
dg_hier_level_3
Header Type:
Custom
PanOSDGHierarchyLevel4
Query Name:
dg_hier_level_4
Header Type:
Custom
shost and dhost
Header Type:
Predefined
cs2
Query Name:
endpoint_os_type
Header Type:
Predefined
Label:
cs2Label
Label Text:
EndpointOSType
Max Length:
4000
PanOSEndpointSerialNumber
Header Type:
Custom
cat
Query Name:
hip_match_name
Header Type:
Predefined
Max Length:
1023
PanOSHipMatchType
Header Type:
Custom
PanOSHostID
Query Name:
host_id
Header Type:
Custom
PanOSIsDuplicateLog
Query Name:
is_dup_log
Header Type:
Custom
PanOSLogExported
Query Name:
is_exported
Header Type:
Custom
PanOSLogForwarded
Query Name:
is_forwarded
Header Type:
Custom
PanOSIsPrismaNetworks
Query Name:
is_prisma_branch
Header Type:
Custom
PanOSIsPrismaUsers
Query Name:
is_prisma_mobile
Header Type:
Custom
PanOSLogSource
Query Name:
log_source
Header Type:
Custom
deviceExternalId
Query Name:
log_source_id
Header Type:
Predefined
Max Length:
255
dvchost
Query Name:
log_source_name
Header Type:
Predefined
Max Length:
100
PanOSLogSourceTimeZoneOffset
Header Type:
Custom
rt
Query Name:
log_time
Header Type:
Predefined
Device Event Class ID
Query Name:
log_type.​value
Header Type:
Custom
externalId
Query Name:
sequence_no
Header Type:
Predefined
Max Length:
40
PanOSSource
Query Name:
source
Header Type:
Custom
PanOSSourceDeviceCategory
Header Type:
Custom
PanOSSourceDeviceClass
Header Type:
Custom
PanOSSourceDeviceHost
Query Name:
source_device_host
Header Type:
Custom
PanOSSourceDeviceMac
Query Name:
source_device_mac
Header Type:
Custom
PanOSSourceDeviceModel
Header Type:
Custom
PanOSSourceDeviceOS
Query Name:
source_device_os
Header Type:
Custom
PanOSSourceDeviceOSFamily
Header Type:
Custom
PanOSSourceDeviceOSVersion
Header Type:
Custom
PanOSSourceDeviceProfile
Header Type:
Custom
PanOSSourceDeviceVendor
Header Type:
Custom
src and dst, or c6a2 and c6a3
Query Name:
source_ip.​value
Header Type:
Predefined
Label:
|| c6a2Label && c6a3Label
Label Text:
|| Source IPv6 Address && Destination IPv6 Address
c6a1
Header Type:
Predefined
Label:
c6a1Label
Label Text:
Device IPv6 Address
PanOSSourceUser
Query Name:
source_user
Header Type:
Custom
sntdom and dntdom
Header Type:
Predefined
suser and duser
Header Type:
Predefined
suid and duid
Header Type:
Predefined
Name
Query Name:
sub_type.​value
Header Type:
Custom
start
Query Name:
time_generated
Header Type:
Predefined
PanOSTimeGeneratedHighResolution
Header Type:
Custom
PanOSTimestampDeviceIdentification
Header Type:
Custom
PanOSUUID
Query Name:
uuid
Header Type:
Custom
Device Vendor
Query Name:
vendor_name
Header Type:
Custom
cs3
Query Name:
vsys
Header Type:
Predefined
Label:
cs3Label
Label Text:
VirtualLocation
Max Length:
4000
cn2
Query Name:
vsys_id
Header Type:
Predefined
Label:
cn2Label
Label Text:
VirtualSystemID
PanOSVirtualSystemName
Query Name:
vsys_name
Header Type:
Custom

Recommended For You