topic Re: Palo Alto Traps - No Wildfire data in All Apps and Add-ons

Palo Alto Traps - No Wildfire data

dalambiel — Wed, 12 Jun 2019 07:57:54 GMT

Hello
Splunk is receiving data from Palo Alto Traps (via TCP in a dedicated index). Endpoint Operations dashboard is showing data.
Admins of Traps are expecting to see also data for wildfire, like

Jun 11 2019 14:26:23 172.16.71.122 CEF:0|Palo Alto Networks|Traps Agent|4.2.3.41131|Notification Event|Threat|6|rt=Jun 11 2019 14:26:23 dhost=*** duser=*** cs2Label=Module cs2=WildFire deviceProcessName=*** fileHash=*** cs3Label=ContentVersion cs3=*** dvc=*** cs5Label=EventTime cs5=Jun 11 2019 14:26:14 msg=New notification event. Prevention Key: ***

I checked the troubleshooting guide. Typically, I don't get any result for
eventtype=pan_wildfire

I checked some of the props/transform regex, and none seems to identify those lines as wildfire events. Seems then correct that nothing pops up in the dashboard.
What raw data should I expect to find in my index confirming that I get wildfire events.

Thanks in advance for your help

Re: Palo Alto Traps - No Wildfire data

panguy — Tue, 25 Jun 2019 23:06:32 GMT

The pan_wildfire event type comes from Palo Alto Networks Firewall logs. Typically it is a THREAT log type with a subtype of wildfire. The wildfire dashboard will get populated when Firewall logs are being sent to Splunk.

Re: Palo Alto Traps - No Wildfire data

dalambiel — Wed, 03 Jul 2019 12:26:54 GMT

Thanks for your response.
That's explain it: we have only Traps, not the Palo Alto Firewall. Then no data for the dashboard using the pan_wildfire eventtype.

Sorry for the late response: i was out of office for a few days.
Thanks again.