All Apps and Add-ons

Extract CVE number from Threat log event in Panorama and forward to Splunk via syslog

kevinktan
New Member

Dear Support,
Is there a way to extract CVE number from Threat log event in PAN-OS and forward to Splunk via syslog

thanks

Kevin

0 Karma

btorresgil
Builder

The CVE is not part of the log. It is pulled from the firewall/Panorama API into a lookup table in Splunk. Use this saved search in the documentation to pull the CVE's from the Firewall/Panorama API:

https://splunk.paloaltonetworks.com/lookups.html#contentpack

0 Karma

satishkompelly
New Member

HI @btorresgil  did you add this script and when you run do you see threat:cve field added to the lookup ?

0 Karma

kevinktan
New Member

Hi Support,

We do have the same plugin installed in splunk, but there is no CVE there. Could you specify where in the app we can find it? Also, if Panorama is not sending that cve, how can splunk see it? My question is how to add the cve to be sent from the source that is along with threat id.

0 Karma

Sukisen1981
Champion

Are you using the palto alto splunk app? - https://splunkbase.splunk.com/app/491/
I am sorry, but I am not getting your question. If you can see the CVE number in the logs what is the trouble in extracting the same?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.