HIP Match LEEF Fields

Example HIP Match log in LEEF:
Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken VirtualSystemID=1 SequenceNo=6711379990526558208 SourceDeviceClass= src=xxx.xx.x.xx VirtualSystemName= devTime=2020-10-13T03:31:40.000000Z DeviceSN=xxxxxxxxxxxxx UUID= Source= identHostName=machine_name1 DeviceName=PA-5220 LogExported=false TimeGeneratedHighResolution= SourceDeviceModel= HostID=e777947f-d92e-4815-9222-89438203bc2b TimeReceived=2020-10-13T03:31:40.000000Z SourceDeviceVendor= EndpointSerialNumber=xxxxxxxxxxxxxx VirtualLocation=vsys1 SourceDeviceHost= TimestampDeviceIdentification= IsPrismaUsers=false EventID=HIPMATCH SourceUserUUID= SourceUserDomain=xxxxx SourceIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx HipMatchName=match_name1 IsDuplicateLog=false LogForwarded=true CountOfRepeats=1 usrName="xxxxx\\xxxxx xxxxx" LogSourceTimeZoneOffset= TenantID=xxxxxxxxxxxxx SourceUserName=xxxxx xxxxx SourceDeviceMac= SourceDeviceOSVersion= IsPrismaNetworks=false EndpointOSType=iOS HipMatchType=HIP Profile SourceDeviceOSFamily= LogSource=firewall SourceDeviceCategory= SourceDeviceProfile= Vendor=Palo Alto Networks cat= SourceDeviceOS= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
The following table identifies the HIP Match field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app includes when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter named profileToken.
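The example line above is a LEEF 2.0 record: a syslog header, then six pipe-separated LEEF header fields (LEEF:version, vendor, product, product version, event ID, attribute delimiter), then the key=value attributes. Two details trip up hand-written parsers: the delimiter field in this log is a single space, while several values (HipMatchType=HIP Profile, Vendor=Palo Alto Networks, SourceUserName) themselves contain spaces, and usrName is quoted with an escaped domain backslash. The following parser is an added example, not code from Palo Alto Networks or the Log Forwarding app; the sample line is constructed from the masked example on this page with some attributes dropped and reordered, and the field names in summarize_hip_match are the editor's own choice of what an analyst would extract.

```python
"""Parse a Palo Alto Networks HIP Match log forwarded in LEEF 2.0 format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the masked example from this page, shortened to the
# attributes needed below. Not a capture from a real device.
SAMPLE_HIPMATCH = (
    "Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z "
    "stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |"
    "profileToken=Palotoken VirtualSystemID=1 SequenceNo=6711379990526558208 "
    "SourceDeviceClass= src=xxx.xx.x.xx devTime=2020-10-13T03:31:40.000000Z "
    "DeviceName=PA-5220 HostID=e777947f-d92e-4815-9222-89438203bc2b "
    "identHostName=machine_name1 EventID=HIPMATCH HipMatchName=match_name1 "
    'usrName="xxxxx\\\\xxxxx xxxxx" SourceUserName=xxxxx xxxxx '
    "EndpointOSType=iOS HipMatchType=HIP Profile LogSource=firewall "
    "Vendor=Palo Alto Networks cat= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ"
)


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    header_event_id: str        # fifth header field ("2" in the sample)
    delimiter: str              # decoded attribute delimiter
    attributes: Dict[str, str] = field(default_factory=dict)


# Whitespace that is immediately followed by the next "key=" token.
_KEY_AHEAD = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")


def decode_delimiter(raw: str) -> str:
    """LEEF 2.0 header field 6: a literal character, or hex written as x09 / 0x09.
    An empty field falls back to the LEEF 1.0 default, a tab."""
    if raw == "":
        return "\t"
    m = re.fullmatch(r"(?:0)?x([0-9A-Fa-f]{1,2})", raw)
    if m:
        return chr(int(m.group(1), 16))
    if len(raw) != 1:
        raise ValueError(f"unexpected LEEF delimiter field: {raw!r}")
    return raw


def _unquote(value: str) -> str:
    # The sample quotes usrName and escapes the domain backslash; plain LEEF
    # does neither, so only strip quotes when they wrap the whole value.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace("\\\\", "\\")
    return value


def split_attributes(body: str, delimiter: str) -> List[str]:
    if delimiter.isspace():
        # With a whitespace delimiter, unquoted values may contain spaces
        # (HipMatchType=HIP Profile), so split only where the next key= begins.
        return _KEY_AHEAD.split(body.strip())
    return body.split(delimiter)


def parse_leef(line: str) -> LeefEvent:
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 6)      # six pipe-separated header fields
    if len(parts) != 7:
        raise ValueError("malformed LEEF header")
    version, vendor, product, product_version, event_id, delim, body = parts
    ev = LeefEvent(version[len("LEEF:"):], vendor, product, product_version,
                   event_id, decode_delimiter(delim))
    for token in split_attributes(body, ev.delimiter):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {token!r}")
        ev.attributes[key] = _unquote(value)
    return ev


def summarize_hip_match(ev: LeefEvent) -> Dict[str, str]:
    """Pull the fields an analyst wants from a HIP Match event (editor's selection)."""
    if ev.attributes.get("EventID") != "HIPMATCH":
        raise ValueError("not a HIP Match event")
    a = ev.attributes
    return {
        "profile_token": a.get("profileToken", ""),
        "host": a.get("identHostName", ""),
        "src": a.get("src", ""),
        "user": a.get("usrName", ""),
        "hip_match": a.get("HipMatchName", ""),
        "hip_match_type": a.get("HipMatchType", ""),
        "endpoint_os": a.get("EndpointOSType", ""),
        "device_time": a.get("devTime", ""),
    }


if __name__ == "__main__":
    event = parse_leef(SAMPLE_HIPMATCH)
    for k, v in summarize_hip_match(event).items():
        print(f"{k:15s} {v}")
```

The look-ahead split is a heuristic forced by the space delimiter: LEEF does not escape values, so an unquoted value that itself contains a space followed by something shaped like "word=" (a free-text user or device name, say) will be cut at that point. If you control the forwarding profile, a non-space delimiter such as x09 avoids the ambiguity, and the parser above handles that case via decode_delimiter.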
LEEF Name                        Query Name    Field Type
ConfigVersion                                  Custom
CountOfRepeats                                 Custom
TenantID                                       Custom
DGHierarchyLevel1                              Custom
DGHierarchyLevel2                              Custom
DGHierarchyLevel3                              Custom
DGHierarchyLevel4                              Custom
identHostName                                  Predefined
EndpointOSType                                 Custom
EndpointSerialNumber                           Custom
EventID                                        Header
EventID                                        Header
HostID                                         Custom
IsDuplicateLog                                 Custom
LogExported                                    Custom
LogForwarded                                   Custom
IsPrismaNetworks                               Custom
IsPrismaUsers                                  Custom
LogSource                                      Custom
DeviceSN                                       Custom
DeviceName                                     Custom
LogSourceTimeZoneOffset                        Custom
TimeReceived                                   Custom
cat                                            Predefined
SequenceNo                                     Custom
Source                                         Custom
SourceDeviceCategory                           Custom
SourceDeviceClass                              Custom
SourceDeviceHost                               Custom
SourceDeviceMac                                Custom
SourceDeviceModel                              Custom
SourceDeviceOS                                 Custom
SourceDeviceOSFamily                           Custom
SourceDeviceOSVersion                          Custom
SourceDeviceProfile                            Custom
SourceDeviceVendor                             Custom
src                                            Predefined
SourceIPv6                                     Custom
usrName                                        Predefined
SourceUserDomain                               Custom
SourceUserName                                 Custom
SourceUserUUID                                 Custom
SubType                                        Custom
devTime                                        Predefined
TimeGeneratedHighResolution                    Custom
TimestampDeviceIdentification                  Custom
UUID                                           Custom
Vendor                                         Header
VirtualLocation                                Custom
VirtualSystemID                                Custom
VirtualSystemName                              Custom
