possible miss in parsing of Palo Alto logs for Category field with event "computer-and-internet-info,high-risk" with Splunk_TA_paloalto TA

Open mike1li opened this issue 4 years ago • 2 comments

PAN syslog events with "computer-and-internet-info,high-risk" have Category of "computer-and-internet-info" instead of "computer-and-internet-info,high-risk" for pan:threat logs

Expected behavior

Category is "computer-and-internet-info,high-risk"

Current behavior

Category is "computer-and-internet-info" only

Possible solution

Steps to reproduce

The raw log data shows multiple categories, as I also see when viewing directly in the Palo Alto Panorama Console. However, if you look at the parsed data below, you will not see "high-risk" and will only see the "computer-and-internet-info" category. The domain/url example is sync.ipredictive.com/

FWPICSZ003.ntwk.example.org, 15:09:15,013101008579,THREAT,url,2305,2022/01/10 15:09:15,10.7.146.226,54.210.154.62,#.#.#.#,54.210.154.62,User Internet URL filter-Base,domain\kexample,,ssl,vsys1,Remotevpn,Internet,tunnel.12,ae1.401,EXAMPLE_Log_Forwarding,2022/01/10 15:09:15,34874725,1,51995,443,36068,443,0x40b000,tcp,alert,"sync.ipredictive.com/",(9999),computer-and-internet-info,informational,client-to-server,7038208499611954141,0xa000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,0,,,,,,,,0,14,20,21,23,,FWPICSZ003,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"computer-and-internet-info,high-risk",f2e4344b-4e53-4c98-91ff-3574e24a4890,0,

Your Environment

  • Version used: Splunk_TA_paloalto ver7.0.4 on Splunk server 8.2.2.2
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Chrome and Firefox
  • Operating System and version (desktop or mobile): Windows 10

mike1li avatar Jan 10 '22 16:01 mike1li
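The symptom reported above (a quoted, comma-containing field coming back as only its first half) is what a comma split that does not honour CSV quoting produces. The issue itself does not state the cause inside Splunk_TA_paloalto, so treating it as the explanation is an assumption. The following added example (not code from the issue or from the TA) runs both a quote-stripping naive split and a quote-aware split over the CSV body of the raw line quoted in the report, and shows that only the latter keeps the URL Category List field intact. The field-selection helpers are hypothetical names for this demonstration.

```python
import csv
import io

# CSV body of the pan:threat line quoted in the issue (syslog host prefix
# dropped; one IP is masked as #.#.#.# exactly as in the report). The URL
# Category List field near the end holds two categories joined by a comma,
# which is why PAN-OS wraps that one field in double quotes.
RAW_LINE = r'15:09:15,013101008579,THREAT,url,2305,2022/01/10 15:09:15,10.7.146.226,54.210.154.62,#.#.#.#,54.210.154.62,User Internet URL filter-Base,domain\kexample,,ssl,vsys1,Remotevpn,Internet,tunnel.12,ae1.401,EXAMPLE_Log_Forwarding,2022/01/10 15:09:15,34874725,1,51995,443,36068,443,0x40b000,tcp,alert,"sync.ipredictive.com/",(9999),computer-and-internet-info,informational,client-to-server,7038208499611954141,0xa000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,0,,,,,,,,0,14,20,21,23,,FWPICSZ003,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"computer-and-internet-info,high-risk",f2e4344b-4e53-4c98-91ff-3574e24a4890,0,'


def naive_split(line):
    """Split on every comma and strip stray quotes afterwards.

    This is the failure mode the issue describes: the quoted field
    "computer-and-internet-info,high-risk" is cut into two fields, and the
    whole tail of the record shifts one position to the right.
    """
    return [f.strip('"') for f in line.split(",")]


def csv_split(line):
    """Quote-aware split using the csv module (RFC 4180 rules).

    A double-quoted field keeps its embedded comma and is returned as a
    single value, and the quotes themselves are removed.
    """
    return next(csv.reader(io.StringIO(line)))


def category_fields(fields):
    """Every field that carries a URL category value, in log order.

    The record has two such fields: the single-valued URL Category and the
    multi-valued URL Category List. Hypothetical helper for this example.
    """
    return [f for f in fields if f.startswith("computer-and-internet-info")]


def last_category(splitter, line):
    """The last category-like field after parsing with `splitter`.

    With a quote-aware parser this is the full URL Category List; with the
    naive split it collapses to "computer-and-internet-info" only, which is
    exactly what the issue reports seeing in the Category field.
    """
    return category_fields(splitter(line))[-1]


def field_count_delta(line):
    """How many extra fields the naive split invents for this record.

    Anything above zero means at least one quoted field was torn apart and
    every field after it is now misaligned; a useful regression check for a
    log pipeline.
    """
    return len(naive_split(line)) - len(csv_split(line))


if __name__ == "__main__":
    for name, fn in (("naive", naive_split), ("csv", csv_split)):
        fields = fn(RAW_LINE)
        print(f"{name:5s} fields={len(fields):3d} "
              f"last category={last_category(fn, RAW_LINE)!r}")
    print(f"extra fields from naive split: {field_count_delta(RAW_LINE)}")
```

Running the block prints the two parses side by side: the naive split reports one more field than the quote-aware one and a last category of just "computer-and-internet-info", while the csv parse returns "computer-and-internet-info,high-risk" as a single value. A check like `field_count_delta` on sample records is a cheap way to catch this class of extraction bug before it silently drops the "high-risk" tag from searches and alerts.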

:tada: Thanks for opening your first issue here! Welcome to the community!

Bump. We are experiencing similar issues. This has been open since 11 Jan. Is there any movement on this?

cmosdaru avatar Jul 20 '22 12:07 cmosdaru