MonkeyKa

Results 8 comments of MonkeyKa

More on this: Splunk AoD gave this config to pull event time between event types from CDL:

```
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
KV_MODE = JSON
TIME_PREFIX = (SessionStartTime":"|EventTime":"|TimeGenerated":")...
```

As called out by Raj, by default Splunk will use the time field for each event as sent to the HEC. This time field is not the same as any...

I am way late to this discussion and am not using the app, but would point out some use cases from the Network_Traffic CIM. 1)session_id: as pointed out, this correlates...

I posted the issue on Splunk Answers and like the idea of it going into the Add-on. The App does not play well with Splunk ES search heads, so the...

I worked with my firewall admins on setting up config after_change_detail and before_change_detail. In our environment "CONFIG" is coming through fine and sourcetype evaluates to "pan:config". Sample log: Dec 10...

Version of what? Splunk: 7.0.6, ES: 5.0.1, PAN-OS 8.0.13. IIRC, the syslog config has been customized to specifically add $before-change-detail,$after-change-detail. Current custom syslog for config events: `1,$receive_time,$serial,$type,$subtype,0,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$seqno,$actionflags,$before-change-detail,$after-change-detail,$device_name,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name` Note that...

To the original question, the user should create an alert on eventtype=pan_threat and set an alert action of "create notable event". However, I would not do this unless you are...

I worked around this by not logging start events, as recommended by Palo Alto.