( subtype eq vpn ) and ( severity eq low )

( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )</code> ( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )</code>

( subtype eq vpn ) and ( severity eq informational )

( eventid eq globalprotectportal-gencookie-succ ) and ( description contains 'GlobalProtect portal generate cookie success. Login from: 11.22.33.44, User name: username@domain.com.' )

( eventid eq globalprotectgateway-gencookie-succ ) and ( description contains 'GlobalProtect gateway generate cookie success. Login from: 91.125.197.23, User name: username@domain.com, Client OS version: Mac.' )

( eventid eq globalprotectportal-gencookie-fail ) and ( description contains 'GlobalProtect portal generate cookie failed. Login from: 11.22.33.44, User name: pre-logon, Client OS version: Mac.' )

( eventid eq globalprotectgateway-gencookie-fail ) and ( description contains 'GlobalProtect gateway generate cookie failed. Login from: 11.22.33.44, User name: pre-logon, Client OS version: Mac.' )

( eventid eq globalprotectportal-logout-succ ) and ( description contains 'GlobalProtect portal user logout succeeded. User name: domain.com\username, Reason: timed out' )

( eventid eq globalprotectportal-auth-succ ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal user authentication succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Auth type: SAML.Client OS version: Apple Mac OS X 10.15.4.' )

( eventid eq globalprotectportal-auth-fail ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal user authentication failed. Login from: 11.22.33.446, Source region: GB, User name: username@domain.com, Client OS version: Microsoft Windows 10 Enterprise N LTSC 2019 , 64-bit, Reason: Cookie expired, Auth type: cookie.' )

( eventid eq globalprotectportal-config-succ ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal client configuration generated. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.15.4, Config name: Client, Client OS: Mac, Machine Certificate CN : , Host ID: ff:55:99:bb:aa:00, Serial No : C984JHUJT65N' )

( eventid eq globalprotectgateway-auth-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user authentication succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Auth type: cookie, Client OS version: Apple Mac OS X 10.14.6.' )

( eventid eq globalprotectgateway-auth-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user authentication failed. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.15.4, Reason: Cookie expired, Auth type: cookie.' )

( eventid eq globalprotectgateway-regist-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user login succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6.' )

( eventid eq globalprotectgateway-config-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration generated. User name: username@domain.com, Config name: User-Config, Private IP: 192.168.221.106, Client region: GB, Client IP: 11.22.33.44, Client version: 5.1.0-75, Device name: UJDD74HFJFU29, Client OS version: Apple Mac OS X 10.14.6, VPN type: Device Level VPN.' )

( eventid eq globalprotectgateway-config-release ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration released. User name: username@domain.comm, Private IP: 192.168.1.1, Client version: 5.1.0-75, Device name: MFVFXMJPHHV29, Client OS version: Apple Mac OS X 10.14.6, VPN type: Device Level VPN.' )

( eventid eq globalprotectgateway-logout-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user logout succeeded. User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6, Reason: client logout.' )

( eventid eq globalprotectgateway-switch-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: username@domain.com, Private IP: 192.168.1.1.' )

( eventid eq globalprotectgateway-regist-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user login failed. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6, error: Existing user session found.' )

( eventid eq globalprotectgateway-agent-msg ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway agent message. Login from: 11.22.33.44, User name: username@domain.com, Time: Fri May 8 09:32:44 2020., Message: Agent Disable, Comment: disable allowed.. Override(s)=91' )

<code>( eventid eq globalprotectgateway-agent-msg )