Re: Extract CVE number from Threat log event in Pa...

kevinktan · ‎06-15-2018

Dear Support,
Is there a way to extract CVE number from Threat log event in PAN-OS and forward to Splunk via syslog

thanks

Kevin

btorresgil · ‎06-18-2018

The CVE is not part of the log. It is pulled from the firewall/Panorama API into a lookup table in Splunk. Use this saved search in the documentation to pull the CVE's from the Firewall/Panorama API:

https://splunk.paloaltonetworks.com/lookups.html#contentpack

satishkompelly · ‎09-13-2021

HI @btorresgil did you add this script and when you run do you see threat:cve field added to the lookup ?

kevinktan · ‎06-18-2018

Hi Support,

We do have the same plugin installed in splunk, but there is no CVE there. Could you specify where in the app we can find it? Also, if Panorama is not sending that cve, how can splunk see it? My question is how to add the cve to be sent from the source that is along with threat id.

Sukisen1981 · ‎06-16-2018

Are you using the palto alto splunk app? - https://splunkbase.splunk.com/app/491/
I am sorry, but I am not getting your question. If you can see the CVE number in the logs what is the trouble in extracting the same?

Extract CVE number from Threat log event in Panorama and forward to Splunk via syslog

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms