Extract CVE number from Threat log event in Panora...

kevinktan · ‎06-15-2018

Dear Support,
Is there a way to extract CVE number from Threat log event in PAN-OS and forward to Splunk via syslog

thanks

Kevin

btorresgil · ‎06-18-2018

The CVE is not part of the log. It is pulled from the firewall/Panorama API into a lookup table in Splunk. Use this saved search in the documentation to pull the CVE's from the Firewall/Panorama API:

https://splunk.paloaltonetworks.com/lookups.html#contentpack

satishkompelly · ‎09-13-2021

HI @btorresgil did you add this script and when you run do you see threat:cve field added to the lookup ?

kevinktan · ‎06-18-2018

Hi Support,

We do have the same plugin installed in splunk, but there is no CVE there. Could you specify where in the app we can find it? Also, if Panorama is not sending that cve, how can splunk see it? My question is how to add the cve to be sent from the source that is along with threat id.

Sukisen1981 · ‎06-16-2018

Are you using the palto alto splunk app? - https://splunkbase.splunk.com/app/491/
I am sorry, but I am not getting your question. If you can see the CVE number in the logs what is the trouble in extracting the same?

Extract CVE number from Threat log event in Panorama and forward to Splunk via syslog

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...