Comments (2)
Hello, thanks for opening this issue.
One concern with this approach is that threat IDs (the number portion) can be reused. So, you might end up with a situation where the signature field has the name of one signature and the threat:name field has a different threat name. This is unlikely with recent events, but the further you look back at older logs, it is possible the ID could be reused. We're aware of this limitation and it will be solved in the future by always using unique threat IDs.
Additionally, not everyone sets up the metadata sync feature to keep the threat lookup tables updated, so for some customers they could be out of sync with the firewall.
Due to those two reasons, I'm reluctant to use the threat:name field over the signature field. I think threat:name should decorate the log fields, not replace them. However, if you decide to implement it and want to share your code, I'd be happy to add it to the documentation as an alternative approach. And both the concerns above will eventually be resolved, so we can revisit this in the future.
from splunk-apps.
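As an added example (not code from the splunk-apps project or from either commenter), the following shows the "decorate, don't replace" approach from the comment above: the numeric threat ID is parsed out of `signature`, the name is looked up from a constructed threat table, and records where the looked-up name disagrees with the logged name are flagged, since that is what a reused threat ID or a stale, un-synced lookup table looks like. The `Name(ID)` layout of the signature field, the lookup contents, the events and the `threat_id`/`threat_name`/`lookup_mismatch` field names are assumptions made for the example.

```python
"""Decorate threat events with a looked-up threat name while keeping the
original ``signature`` field, and flag name disagreements."""
import re

# Constructed lookup table: threat ID -> current threat name.  In a real
# deployment this is the metadata-synced lookup the comment describes.
THREAT_LOOKUP = {
    "30001": "Example Threat A",
    "30002": "Example Threat B (renamed)",
}

# Constructed events.  The signature field is assumed to carry the threat
# name with the numeric threat ID in trailing parentheses.
EVENTS = [
    {"signature": "Example Threat A(30001)"},
    {"signature": "Old Threat Name(30002)"},  # ID whose name no longer matches
    {"signature": "Unknown Sig(30999)"},      # ID absent from the lookup table
]

THREAT_RE = re.compile(r"^(?P<name>.*)\((?P<id>\d+)\)$")


def decorate(event, lookup=THREAT_LOOKUP):
    """Return a copy of ``event`` with threat_id and threat_name added.

    ``signature`` is never overwritten.  ``lookup_mismatch`` is True when the
    lookup table's name for the ID differs from the name in the log line.
    """
    out = dict(event)
    m = THREAT_RE.match(event.get("signature", ""))
    if not m:
        return out  # no parsable ID: leave the event untouched
    out["threat_id"] = m.group("id")
    logged_name = m.group("name")
    looked_up = lookup.get(out["threat_id"])
    if looked_up is None:
        out["threat_name"] = logged_name  # fall back to the name in the log
        out["lookup_mismatch"] = False
        return out
    out["threat_name"] = looked_up
    out["lookup_mismatch"] = looked_up != logged_name
    return out


def decorate_all(events=EVENTS, lookup=THREAT_LOOKUP):
    return [decorate(e, lookup) for e in events]


if __name__ == "__main__":
    for row in decorate_all():
        print(row)
```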
Closing out this issue, but if you have further concerns on this please feel free to comment.
from splunk-apps.