
Palo Alto Networks App: why is our Web Activity Dashboard empty?

chkrootkit
New Member

Running the latest PAN FW App and Add-on on Splunk 7.02.

I followed the troubleshooting steps to no avail. URLs are reported by a regular search. After a bit of investigation, it looks like there is no event type "pan_url", which is used in the data model. So, if you run a simple query such as

eventtype="pan_threat" 

the query returns results, including URLs, but eventtype="pan_url" comes up empty.

Any idea?


btorresgil
Builder

eventtype="pan_threat" should not contain 'url' logs in the results. Palo Alto Networks uses 'THREAT' type logs for URLs (even if they aren't really threats), but the App/Add-on makes a distinction, so eventtype="pan_threat" should be only actual threats (not URLs) and eventtype="pan_url" should be only URL logs. URL logs are logs with ,THREAT,url, near the beginning of the log. If you are certain you're getting URL logs in the pan_threat search, then it sounds like they aren't getting parsed correctly. This is a search-time distinction made on the log_subtype field. Can you tell us what you're getting in the log_subtype field for the URL logs?


chkrootkit
New Member

Thank you for the clarification...

Double-checked. The query:

eventtype="pan_threat" definitely returns the url field among others.

log_subtype is listed as "vulnerability".


chkrootkit
New Member

And in one instance it was "spyware".


btorresgil
Builder

Returning a 'url' field is not the same as being a 'url' log. A URL log MUST have the word 'url' in the log_subtype field. Since you're getting 'vulnerability' and 'spyware', these are vulnerability and spyware logs, not URL logs.

My guess is you're not sending URL logs to Splunk from the firewall. You need to set this up on the firewall side using the URL Filtering feature.


panguy
Contributor

What version of the App and Add-on do you have installed?

You can check whether the eventtype exists by navigating to:
Settings > Event types

Do a search for "url".

Does "pan_url" show up?


chkrootkit
New Member

Running Add-on ver. 6.0.2 and App ver. 6.0.1.

Event type searches for "url" and "pan_url" returned:

pan_threat: sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "wildfire" log_subtype != "data"

pan_url: sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"

Thanks

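The distinction btorresgil describes, and the two eventtype definitions quoted in the last post, can be checked offline against raw log lines. The following is an added example, not code from the Splunk App or Add-on: it parses constructed PAN-OS THREAT log lines, pulls out log_subtype and the URL/Filename field, and applies the pan_url and pan_threat eventtype logic exactly as the thread quotes it. The field positions (Type as the 4th comma-separated field, Threat/Content Type as the 5th, URL/Filename as the 32nd) are an assumption based on the PAN-OS threat log field order and should be checked against the syslog field reference for your PAN-OS version. The sample lines are constructed; only the fields the example cares about are filled in.

```python
import csv
from io import StringIO

# Field positions (0-based) in a PAN-OS THREAT log line. ASSUMPTION: taken
# from the PAN-OS threat log field order (Type is the 4th comma-separated
# field, Threat/Content Type the 5th, URL/Filename the 32nd). Verify against
# the syslog field reference for the PAN-OS version you run.
TYPE_IDX = 3
SUBTYPE_IDX = 4
URL_IDX = 31
THREAT_ID_IDX = 32
FIELD_COUNT = 40  # a real line has more fields; enough for this example

# Subtypes that the quoted pan_threat eventtype excludes (log_subtype != ...)
NON_THREAT_SUBTYPES = {"url", "file", "wildfire", "data"}


def make_threat_line(subtype, src, dst, url, threat_id=""):
    """Build a constructed THREAT log line. Only the fields this example
    reads are populated; every other field is left empty."""
    fields = [""] * FIELD_COUNT
    fields[0] = "1"
    fields[1] = "2018/02/06 10:00:00"     # receive time (constructed)
    fields[2] = "001234567890"            # serial number (constructed)
    fields[TYPE_IDX] = "THREAT"
    fields[SUBTYPE_IDX] = subtype
    fields[7] = src
    fields[8] = dst
    fields[URL_IDX] = url
    fields[THREAT_ID_IDX] = threat_id
    return ",".join(fields)


def parse_threat_line(line):
    """Split one CSV log line and return the fields the App keys on,
    or None if the line is not a THREAT log."""
    row = next(csv.reader(StringIO(line)))
    if len(row) <= URL_IDX or row[TYPE_IDX] != "THREAT":
        return None
    return {
        "log_type": row[TYPE_IDX],
        "log_subtype": row[SUBTYPE_IDX],
        "url": row[URL_IDX],
    }


def eventtypes_for(event):
    """Apply the two eventtype definitions quoted in the thread:
         pan_url    -> log_subtype = "url"
         pan_threat -> log_subtype not in (url, file, wildfire, data)
    Both also require sourcetype pan:threat, which every THREAT line
    is assumed to carry here."""
    subtype = event["log_subtype"]
    tags = []
    if subtype == "url":
        tags.append("pan_url")
    if subtype not in NON_THREAT_SUBTYPES:
        tags.append("pan_threat")
    return tags


def classify(lines):
    """Bucket raw log lines by eventtype as (log_subtype, url) pairs.
    Lines matching neither quoted eventtype land in 'other'."""
    buckets = {"pan_url": [], "pan_threat": [], "other": []}
    for line in lines:
        event = parse_threat_line(line)
        if event is None:
            continue
        for tag in eventtypes_for(event) or ["other"]:
            buckets[tag].append((event["log_subtype"], event["url"]))
    return buckets


# Constructed sample: one URL-filtering log plus threat logs that also
# carry a value in the URL/Filename field, mirroring what the OP saw.
SAMPLE_LINES = [
    make_threat_line("url", "10.1.1.5", "93.184.216.34", "example.com/"),
    make_threat_line("vulnerability", "10.1.1.5", "198.51.100.7",
                     "198.51.100.7/cgi-bin/login", "30000"),
    make_threat_line("spyware", "10.1.1.9", "203.0.113.20",
                     "203.0.113.20/beacon", "10000"),
    make_threat_line("wildfire", "10.1.1.9", "203.0.113.20",
                     "203.0.113.20/setup.exe", "52000"),
]

if __name__ == "__main__":
    for tag, events in classify(SAMPLE_LINES).items():
        print(tag, events)
```

Running it shows the point of the thread: the vulnerability and spyware lines both carry a populated url field yet classify as pan_threat, because only log_subtype decides the eventtype, and the one line with ,THREAT,url, is the only pan_url event. If every line from your firewall lands in pan_threat or other, the URL Filtering logs are not being sent, which is what btorresgil suspected.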