
User Field Calc Misconfiguration Pan:Threat

Open RH-3 opened this issue 3 years ago • 1 comment

Describe the bug

For the pan:threat sourcetype we are observing un-parsed sender and recipient field values in the user field.

This is due to the fact that Splunk does not allow for chained Field Calculations. https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence#Calculated_fields

"All EVAL- configurations within a single props.conf stanza are processed in parallel, rather than in any particular sequence. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field."

Relevant Config from Props.conf:

# Reformat email related fields
EVAL-sender    = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user      = coalesce(src_user,dest_user,recipient,sender,"unknown")

Expected behavior

When src_user or dest_user is null, user will return the following:

| sourcetype | user              | src_user | dest_user | sender            | recipient         |
|------------|-------------------|----------|-----------|-------------------|-------------------|
| pan:threat | [email protected] |          |           | [email protected] |                   |
| pan:threat | [email protected] |          |           |                   | [email protected] |

Current behavior

When src_user or dest_user is null, we will observe the following on user:

| sourcetype | user                     | src_user | dest_user | sender            | recipient         |
|------------|--------------------------|----------|-----------|-------------------|-------------------|
| pan:threat | From: [email protected]; |          |           | [email protected] |                   |
| pan:threat | To: [email protected];   |          |           |                   | [email protected] |

Possible solution

Merge the field calc logic from sender and recipient into the user coalesce logic.

# Reformat email related fields
EVAL-sender    = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user      = coalesce(src_user,dest_user,split(replace(recipient,"^To: (.*?);?$","\1"),";"),split(replace(sender,"^From: (.*?);?$","\1"),";"),"unknown")

Steps to reproduce

Run SPL against smtp traffic that triggered signatures and filter on results that have null values for src_user and dest_user.

Your Environment

  • Observed in App version 7.0.3
  • Validated that this also impacts 7.0.4

RH-3 · Mar 11 '22 17:03
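As an added example (not from the issue or the add-on), the following Python models why the stanza above misbehaves: a tiny evaluator applies every EVAL- against the pre-calculation field set, the way Splunk does, and shows that the original EVAL-user receives the raw From:/To: header while the inlined version from the Possible solution yields the parsed address, which matters because CIM-based correlation and detections key on a normalized user field. The SPL function stand-ins, the sample event and the sequential "chained" evaluator are assumptions for illustration.

```python
import re
# Minimal stand-ins for the SPL functions used in the stanza (assumed semantics:
# null in, null out; coalesce returns the first non-null argument).
def spl_replace(value, pattern, repl):
    return None if value is None else re.sub(pattern, repl, value)

def spl_split(value, sep):
    return None if value is None else value.split(sep)

def spl_coalesce(*values):
    return next((v for v in values if v is not None), None)

def parse_email(raw, header):
    # Same as split(replace(<field>,"^<header>: (.*?);?$","\1"),";") in the stanza.
    return spl_split(spl_replace(raw, rf"^{header}: (.*?);?$", r"\1"), ";")

def eval_parallel(event, stanza):
    """Splunk semantics: every EVAL- reads the field set as it was before any EVAL- ran."""
    return {**event, **{name: fn(event) for name, fn in stanza.items()}}

def eval_chained(event, stanza):
    """Hypothetical sequential semantics, for contrast only; Splunk does not do this."""
    out = dict(event)
    for name, fn in stanza.items():
        out[name] = fn(out)
    return out

# Original stanza: EVAL-user reads recipient/sender and silently gets the raw header values.
ORIGINAL = {
    "sender": lambda e: parse_email(e.get("sender"), "From"),
    "recipient": lambda e: parse_email(e.get("recipient"), "To"),
    "user": lambda e: spl_coalesce(e.get("src_user"), e.get("dest_user"),
                                   e.get("recipient"), e.get("sender"), "unknown"),
}

# Proposed stanza: the parsing is inlined, so EVAL-user no longer depends on a sibling EVAL-.
FIXED = dict(ORIGINAL, user=lambda e: spl_coalesce(
    e.get("src_user"), e.get("dest_user"),
    parse_email(e.get("recipient"), "To"),
    parse_email(e.get("sender"), "From"), "unknown"))

# Constructed pan:threat event with no src_user/dest_user and only a raw sender header.
EVENT = {"sourcetype": "pan:threat", "src_user": None, "dest_user": None,
         "sender": "From: alice@example.test;", "recipient": None}

if __name__ == "__main__":
    print("original, parallel:", eval_parallel(EVENT, ORIGINAL)["user"])  # From: alice@example.test;
    print("original, chained: ", eval_chained(EVENT, ORIGINAL)["user"])   # ['alice@example.test']
    print("fixed, parallel:   ", eval_parallel(EVENT, FIXED)["user"])     # ['alice@example.test']
```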

:tada: Thanks for opening your first issue here! Welcome to the community!