All Apps and Add-ons

Paloalto Network add-on parsing concern

pavanbmishra
Path Finder

Hi Team,

We could see paloalto network add-on parsing informational messages to alert datamodel (having tag=alert) assigned. Sharing the snap-shot for ref. Can anyone assist me to identify & some business justification behind this please. Thanks in advance 

pavanbmishra_0-1640762646733.png

 

Labels (1)
Tags (3)
0 Karma

tscroggins
Influencer

@pavanbmishra 

Looking at the add-on, we can infer the developer recognized device generated notifications as external alerts and tagged them appropriately. I.e. The device generated an event of note separate from any traffic logging it may be performing.

For example, event type pan_system_alert uses the following search:

sourcetype=pan_system OR sourcetype=pan:system AND log_subtype="url-filtering"

pan_system and pan:system have both been used historically as source types. log_subtype comes from the extract_system transform.

In your screenshot, the event likely indicates the device's URL database was updated. If you're dependent on the device to perform URL filtering, alerting, etc. a configuration change of this type is probably important from a change or configuration management standpoint. An operations team may want to correlate the alert with a change request, for example, and consider the event suspicious if the correct process wasn't followed.

0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...