Notable Events
Splunk + Enterprise Security + PaloAlto add-on + App events are fed, parsed correctly and threats do appear in the PaloAlto App Threat dashboard.
I cannot figure out which correlation search needs to be enabled to have threats create Enterprise Security Notable Events so that they appear in the Splunk ES Threat Dashboard and Indicators as well.
Hi,
Thanks for reaching out to us. I understand you are trying to show notable events in the ES Threat Dashboard. Could you clarify what it is you are trying to enable to show notable events?
Regards,
Paul Nguyen
Is there anything further we can help you with on this issue? Note that you can also get help at Splunk Answers. Whenever you open a question there a team of Splunk and Palo Alto Networks engineers get notified and will respond.
To the original question, the user should create an alert on eventtype=pan_threat and set an alert action of "create notable event". However, I would not do this unless you are ready to evaluate every pan_threat and accept that the number could be very large.
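One way to implement that last answer, as an added example that was not posted by anyone in this thread: a savedsearches.conf stanza for Splunk Enterprise Security that schedules a search over eventtype=pan_threat, rolls matching events up by source, destination and signature, and creates one notable event per row rather than one per raw threat log. The field names src_ip, dest_ip, threat_name and severity are assumed from the Palo Alto add-on's CIM mapping; the stanza name, schedule, severity filter and suppression window are placeholders to tune for your environment.

```ini
# Added example (not from this thread). Place in local/savedsearches.conf
# of the app that holds your ES correlation searches.
# action.notable.* keys are the standard ES "create notable event" settings;
# src_ip, dest_ip, threat_name and severity are assumed PAN add-on fields.
[Threat - Palo Alto Threat Detected - Rule]
# Limit to the severities worth triaging, then aggregate so a burst of
# identical hits becomes a single notable (addresses the volume concern).
search = eventtype=pan_threat severity IN ("critical","high") \
  | stats count min(_time) as firstTime max(_time) as lastTime \
      by src_ip, dest_ip, threat_name, severity
# Scheduled every 10 minutes over a lagged window so late-arriving logs
# are still picked up.
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
cron_schedule = */10 * * * *
enableSched = 1
# Create an ES notable event for each result row.
action.notable = 1
action.notable.param.rule_title = Palo Alto threat $threat_name$ from $src_ip$ to $dest_ip$
action.notable.param.rule_description = $count$ Palo Alto threat event(s) for $threat_name$ between $firstTime$ and $lastTime$
action.notable.param.security_domain = network
action.notable.param.severity = high
# Throttle: do not raise another notable for the same triple within 24h.
alert.suppress = 1
alert.suppress.fields = src_ip,dest_ip,threat_name
alert.suppress.period = 86400s
```

After restarting or reloading the search head, the stanza appears under Configure > Content Management in ES; notables it raises show up in Incident Review and feed the Threat dashboards. Widen the severity filter or shorten the suppression window only once you have confirmed the resulting notable rate is something analysts can actually work.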