
Palo Alto Networks App: why is our Web Activity Dashboard empty?

chkrootkit
New Member

Running the latest PAN FW App and Add-on on Splunk 7.02

I followed troubleshooting steps to no avail. URLs are reported by a regular search. After a bit of investigation it looks like there's no event type "pan_url", which is used in the datamodel. So, you run a simple query such as

eventtype="pan_threat" 

The query returns results, including URLs but eventtype="pan_url" comes up empty.

Any idea?

0 Karma

btorresgil
Builder

eventtype="pan_threat" should not contain 'url' logs in the results. Palo Alto Networks uses 'THREAT' type logs for URLs (even if they aren't really threats), but the App/Add-on makes a distinction, so eventtype="pan_threat" should be only actual threats (not URLs) and eventtype="pan_url" should be only URL logs. URL logs are logs with ,THREAT,url, near the beginning of the log. If you are certain you're getting URL logs in the pan_threat search then it sounds like they aren't getting parsed correctly. This is a search-time distinction made on the log_subtype field. Can you tell us what you're getting in the log_subtype field for the URL logs?

0 Karma

chkrootkit
New Member

Thank you for the clarification...

Double-checked. The query:

eventtype="pan_threat" definitely returns url field among others.

log_subtype is listed as "vulnerability"

0 Karma

chkrootkit
New Member

and in one instance it was "spyware"

0 Karma

btorresgil
Builder

Returning a 'url' field is not the same as being a 'url' log. A url log MUST have the word 'url' in the log_subtype field. Since you're getting 'vulnerability' and 'spyware', these are vulnerability and spyware logs, not url logs.

My guess is you're not sending URL logs to Splunk from the firewall. You need to set this up on the firewall side using the URL Filtering feature.

0 Karma

panguy
Contributor

What version of the App and Add-on do you have installed?

You can check if the eventtype exist by navigating to...
Settings > Event types

Do a search for "url".

Does "pan_url" show up?

0 Karma

chkrootkit
New Member

Running Add-on ver. 6.0.2 and App ver. 6.0.1

Event type searches for "url" and "pan_url" returned:

pan_threat sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "wildfire" log_subtype != "data"

pan_url sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"

Thanks

0 Karma
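The two eventtype definitions pasted above show how the Add-on separates URL logs from real threat logs purely on log_subtype. The following is an added example, not code from the thread or from the Palo Alto Networks App: it applies the same search-time rule to a handful of constructed PAN-OS THREAT log lines and reproduces the diagnosis given earlier in the thread (THREAT logs arriving with only vulnerability/spyware subtypes means the firewall is not forwarding URL Filtering logs). It assumes the CSV layout the thread mentions, with the log type (THREAT) followed immediately by the subtype near the start of each line, and treats every line as belonging to the pan:threat sourcetype. The function and sample names (eventtype_for, count_eventtypes, diagnose, SAMPLE_LOGS) are the example's own.

```python
import csv

# Constructed sample PAN-OS THREAT/TRAFFIC log lines (not taken from the thread).
# Assumed layout: future_use, receive_time, serial, type, subtype, then the rest.
SAMPLE_LOGS = [
    '1,2018/02/01 10:00:01,001234567890,THREAT,url,2049,10.1.1.5,93.184.216.34,web-browsing,alert,"example.com/",computer-and-internet-info',
    '1,2018/02/01 10:00:02,001234567890,THREAT,vulnerability,2050,10.1.1.6,93.184.216.34,web-browsing,reset-both,"example.com/login",any',
    '1,2018/02/01 10:00:03,001234567890,THREAT,spyware,2051,10.1.1.7,198.51.100.9,unknown-tcp,alert,,any',
    '1,2018/02/01 10:00:04,001234567890,THREAT,wildfire,2052,10.1.1.8,203.0.113.4,smtp,alert,"mail.example/attach.exe",any',
    '1,2018/02/01 10:00:05,001234567890,TRAFFIC,end,2053,10.1.1.9,203.0.113.5,dns,allow,,any',
]

# Subtypes that the pan_threat eventtype in the thread explicitly excludes.
PAN_THREAT_EXCLUDED_SUBTYPES = {"url", "file", "wildfire", "data"}

# PAN-OS log types that can appear in the "type" column.
KNOWN_LOG_TYPES = {"THREAT", "TRAFFIC", "SYSTEM", "CONFIG"}


def parse_type_and_subtype(line):
    """Return (log_type, log_subtype) for one CSV log line.

    The type column is located by value rather than by fixed index, so a line
    that still carries a short syslog header in front of the CSV also parses.
    """
    fields = next(csv.reader([line]))
    for i, value in enumerate(fields[:8]):
        if value in KNOWN_LOG_TYPES:
            subtype = fields[i + 1].lower() if i + 1 < len(fields) else ""
            return value, subtype
    return None, ""


def eventtype_for(line):
    """Mirror the Add-on's search-time eventtype logic from the thread.

    pan_url     : THREAT log with log_subtype = "url"
    pan_threat  : THREAT log whose log_subtype is not url/file/wildfire/data
    None        : anything else (TRAFFIC logs, or THREAT subtypes that belong
                  to other eventtypes not shown in the thread)
    """
    log_type, subtype = parse_type_and_subtype(line)
    if log_type != "THREAT":
        return None
    if subtype == "url":
        return "pan_url"
    if subtype not in PAN_THREAT_EXCLUDED_SUBTYPES:
        return "pan_threat"
    return None


def count_eventtypes(lines):
    """Tally how many lines land in each eventtype."""
    counts = {"pan_url": 0, "pan_threat": 0, "other": 0}
    for line in lines:
        eventtype = eventtype_for(line)
        counts[eventtype or "other"] += 1
    return counts


def diagnose(counts):
    """Turn the tally into the same conclusion the thread reaches."""
    if counts["pan_threat"] and not counts["pan_url"]:
        return ("THREAT logs arrive but none have log_subtype=url: "
                "enable URL Filtering log forwarding on the firewall")
    if not counts["pan_threat"] and not counts["pan_url"]:
        return "no THREAT logs at all: check log forwarding and the sourcetype"
    return "URL logs are present, so eventtype=pan_url should return results"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_type_and_subtype(line), "->", eventtype_for(line))
    tally = count_eventtypes(SAMPLE_LOGS)
    print(tally)
    print(diagnose(tally))
    # The situation described in the thread: threats but no url subtype.
    print(diagnose({"pan_url": 0, "pan_threat": 42, "other": 0}))
```

Running the block over the constructed sample classifies the url line as pan_url, the vulnerability and spyware lines as pan_threat, and leaves the wildfire and TRAFFIC lines out of both, which is the split the two pasted eventtype definitions describe. Feeding it a tally with threats but no url subtype returns the "enable URL Filtering log forwarding" diagnosis.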