{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "AuthLogPayload", "description": "Schema for a forwarded PAN-OS authentication log entry. Authentication logs capture user authentication events processed by the firewall's Authentication Policy, providing identity-based visibility for security monitoring, compliance, and zero-trust enforcement. This schema declares no required properties and does not restrict additional properties, so validating against it confirms only the types and enum values of the listed fields that are present; consumers that depend on a field must check for its presence themselves.\n", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-auth-log-payload-schema.json", "type": "object", "properties": { "receive_time": { "type": "string", "format": "date-time", "description": "Timestamp when the authentication log entry was received by Strata Logging Service.\n" }, "serial": { "type": "string", "description": "Serial number of the Palo Alto Networks device that generated this authentication log entry.\n" }, "type": { "type": "string", "enum": [ "AUTH" ], "description": "Log type identifier, always AUTH for authentication log entries.\n" }, "subtype": { "type": "string", "enum": [ "auth-success", "auth-fail", "auth-challenge", "auth-timeout" ], "description": "Authentication log subtype indicating the outcome of the authentication event.\n" }, "src": { "type": "string", "description": "Source IP address of the authenticating client." 
}, "src_user": { "type": "string", "description": "Username or user principal name presented during authentication.\n" }, "auth_method": { "type": "string", "enum": [ "SAML", "Kerberos", "LDAP", "RADIUS", "TACACS+", "local-database", "client-certificate", "MFA" ], "description": "Authentication protocol or method used to authenticate the user.\n" }, "auth_source": { "type": "string", "description": "The name of the authentication source, server profile, or identity provider (e.g., Okta-SAML, corp-ldap, radius-server).\n" }, "auth_result": { "type": "string", "enum": [ "success", "failure", "challenge", "timeout" ], "description": "The result of the authentication attempt indicating whether it succeeded, failed, required an additional challenge, or timed out.\n" }, "mfa_vendor": { "type": "string", "description": "Multi-factor authentication vendor name if MFA was triggered during authentication (e.g., Duo, Okta, PingID, RSA SecurID).\n" }, "mfa_result": { "type": "string", "enum": [ "success", "failure", "timeout", "bypass" ], "description": "Result of the MFA challenge if multi-factor authentication was triggered as part of the authentication flow.\n" }, "rule_name": { "type": "string", "description": "Name of the Authentication Policy rule that triggered the authentication challenge for this session.\n" }, "auth_profile": { "type": "string", "description": "Name of the authentication profile configured on the firewall that was used to process this authentication event.\n" }, "device_name": { "type": "string", "description": "Hostname of the firewall that generated this authentication log entry.\n" }, "vsys": { "type": "string", "description": "Virtual system name or identifier on the firewall." 
}, "log_forwarding_profile": { "type": "string", "description": "Name of the log forwarding profile that forwarded this log entry.\n" }, "output_format": { "type": "string", "enum": [ "CSV", "LEEF", "CEF", "JSON", "PARQUET" ], "description": "Output format in which this log entry was forwarded." } } }