
Palo Alto Traps - No Wildfire data

dalambiel
New Member

Hello
Splunk is receiving data from Palo Alto Traps (via TCP in a dedicated index). The Endpoint Operations dashboard is showing data.
The Traps admins are also expecting to see data for WildFire, like

Jun 11 2019 14:26:23 172.16.71.122 CEF:0|Palo Alto Networks|Traps Agent|4.2.3.41131|Notification Event|Threat|6|rt=Jun 11 2019 14:26:23 dhost=*** duser=*** cs2Label=Module cs2=WildFire deviceProcessName=*** fileHash=*** cs3Label=ContentVersion cs3=*** dvc=*** cs5Label=EventTime cs5=Jun 11 2019 14:26:14 msg=New notification event. Prevention Key: ***

I checked the troubleshooting guide. Typically, I don't get any result for
eventtype=pan_wildfire

I checked some of the props/transforms regexes, and none seems to identify those lines as WildFire events. It then seems correct that nothing pops up in the dashboard.
What raw data should I expect to find in my index confirming that I get WildFire events?

Thanks in advance for your help

0 Karma
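The Traps notification above is a CEF record: a syslog prefix, seven pipe-separated header fields after "CEF:", and an extension of key=value pairs in which the "Module" name is carried indirectly (cs2Label=Module cs2=WildFire). The following parser is an added example, not code from this thread or from the Palo Alto Networks add-on; it reconstructs the labelled custom fields so that a WildFire-module Traps event can be recognised in raw data. The sample line is the one quoted in the question with the masked "***" values replaced by constructed placeholders, and is_traps_wildfire_notification is a hypothetical check, not an eventtype the app defines.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the Traps line from the question, with the masked ("***")
# values replaced by placeholders so the parser has something to return.
SAMPLE_TRAPS_LINE = (
    "Jun 11 2019 14:26:23 172.16.71.122 CEF:0|Palo Alto Networks|Traps Agent|4.2.3.41131|"
    "Notification Event|Threat|6|rt=Jun 11 2019 14:26:23 dhost=HOST-PLACEHOLDER "
    "duser=USER-PLACEHOLDER cs2Label=Module cs2=WildFire deviceProcessName=PROCESS-PLACEHOLDER "
    "fileHash=HASH-PLACEHOLDER cs3Label=ContentVersion cs3=VERSION-PLACEHOLDER dvc=DVC-PLACEHOLDER "
    "cs5Label=EventTime cs5=Jun 11 2019 14:26:14 msg=New notification event. Prevention Key: KEY-PLACEHOLDER"
)

# The seven fields that follow "CEF:" in every CEF header, in order.
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

# A header separator is an unescaped pipe; "\|" inside a field is literal.
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# An extension key is a bare token followed by "=" at the start or after whitespace,
# so values such as "rt=Jun 11 2019 14:26:23" (which contain spaces) stay intact.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
# Custom-field label keys: cs1Label..cs6Label, cn1Label..cn3Label, flexString1Label, ...
LABEL_RE = re.compile(r"^(c[sn]\d+|flex\w+?)Label$")


def split_cef_header(line: str) -> Tuple[Dict[str, str], str]:
    """Return (header fields incl. syslog prefix, raw extension string)."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    parts = HEADER_SPLIT_RE.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields plus extension")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["syslog_prefix"] = line[:idx].strip()
    return header, parts[7]


def parse_cef_extension(extension: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; a value runs until the next key."""
    matches = list(KEY_RE.finditer(extension))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        fields[m.group(1)] = extension[start:end].strip()
    return fields


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Add label-named copies of custom fields, e.g. cs2Label=Module cs2=WildFire -> Module=WildFire."""
    resolved = dict(fields)
    for key, label in fields.items():
        m = LABEL_RE.match(key)
        if m and m.group(1) in fields:
            resolved[label] = fields[m.group(1)]
    return resolved


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict of header and extension fields."""
    header, extension = split_cef_header(line)
    return {**header, **resolve_custom_labels(parse_cef_extension(extension))}


def is_traps_wildfire_notification(event: Dict[str, str]) -> bool:
    """Hypothetical check: a Traps Agent event whose Module custom field is WildFire."""
    return event.get("product") == "Traps Agent" and event.get("Module") == "WildFire"


if __name__ == "__main__":
    event = parse_cef(SAMPLE_TRAPS_LINE)
    for k in ("vendor", "product", "severity", "Module", "EventTime", "msg"):
        print(f"{k}={event[k]}")
    print("traps wildfire notification:", is_traps_wildfire_notification(event))
```

Run over a file of raw events from the Traps index, this separates Traps notifications that mention the WildFire module from everything else; it does not turn them into firewall-style THREAT/wildfire events, which is what the app's pan_wildfire eventtype expects.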
1 Solution

panguy
Contributor

The pan_wildfire event type comes from Palo Alto Networks Firewall logs. Typically it is a THREAT log type with a subtype of wildfire. The wildfire dashboard will get populated when Firewall logs are being sent to Splunk.


0 Karma


dalambiel
New Member

Thanks for your response.
That explains it: we have only Traps, not the Palo Alto Firewall. So there is no data for the dashboard using the pan_wildfire eventtype.

Sorry for the late response: I was out of the office for a few days.
Thanks again.

0 Karma