All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Paloalto Network add-on parsing concern

pavanbmishra
Path Finder
‎12-28-2021 11:25 PM

Hi Team,

We could see paloalto network add-on parsing informational messages to alert datamodel (having tag=alert) assigned. Sharing the snap-shot for ref. Can anyone assist me to identify & some business justification behind this please. Thanks in advance 

pavanbmishra_0-1640762646733.png

 

Tags (3)
0 Karma
Reply

tscroggins
Influencer
‎01-02-2022 07:27 PM

@pavanbmishra 

Looking at the add-on, we can infer the developer recognized device generated notifications as external alerts and tagged them appropriately. I.e. The device generated an event of note separate from any traffic logging it may be performing.

For example, event type pan_system_alert uses the following search:

sourcetype=pan_system OR sourcetype=pan:system AND log_subtype="url-filtering"

pan_system and pan:system have both been used historically as source types. log_subtype comes from the extract_system transform.

In your screenshot, the event likely indicates the device's URL database was updated. If you're dependent on the device to perform URL filtering, alerting, etc. a configuration change of this type is probably important from a change or configuration management standpoint. An operations team may want to correlate the alert with a change request, for example, and consider the event suspicious if the correct process wasn't followed.

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...