Solved: Splunk for Palo Alto

lazhar · ‎08-03-2011

Hi,

I am using Splunk for Palo Alto application to collect and correlate logs coming from my PANs, i am able now to see the 4 types of Palo Alto Logs (Threat, Traffic, Configuration and System),
Now that i have my Threat Dashboard and reports, i would like to differentiate virus, spyware and vulnerabilities logs, How can i do this?

Thanks
Lazhar

MarioM · ‎08-03-2011

One of the app's field extraction is "log_subtype" which contains those different types:

Then you could filter your searches on those

sourcetype="pan_threat" log_subtype="vulnerability" OR log_subtype="virus" OR log_subtype="spyware" | top dst_user by log_subtype

OR

filter on each one of those

sourcetype="pan_threat" log_subtype="vulnerability" | top dst_user by app

View solution in original post

MarioM · ‎08-03-2011

One of the app's field extraction is "log_subtype" which contains those different types:

Then you could filter your searches on those

sourcetype="pan_threat" log_subtype="vulnerability" OR log_subtype="virus" OR log_subtype="spyware" | top dst_user by log_subtype

OR

filter on each one of those

sourcetype="pan_threat" log_subtype="vulnerability" | top dst_user by app

Splunk for Palo Alto

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation