
Wildfire API Requests seems to be broken

splk
Communicator

Hello Team,

I am trying to set up the Wildfire API report download.
Prerequisites are met, so the API key is set up, and we get Wildfire logs through syslog.

While debugging I notice the following saved search is triggered:
search = pan_wildfire verdict="malicious" | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=main sourcetype=pan:wildfire_report

https://github.com/PaloAltoNetworks/SplunkforPaloAltoNetworks/blob/639568f065ce026e2554d4b9be04a85b2...

I see two issues: the pan_wildfire alias seems not to work without an index, and the script stores the result in the main index, which should be empty.

I am wondering if anybody got this working?
python.log shows no entries.

Kind regards

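For anyone hitting the same two symptoms, the following savedsearches.conf stanza shows one way to pin the search to an explicit index and to route the collected reports into a dedicated index instead of main. This is an added example, not the stanza shipped with the Palo Alto Networks app; the index names pan_logs and wildfire_reports, the schedule, and the search window are assumptions and must match your own deployment.

```ini
# Added example, not the app's own savedsearches.conf.
# Assumptions: firewall syslog is indexed in pan_logs, and a separate index
# named wildfire_reports exists for the downloaded reports (see the
# indexes.conf stanza below). Change both to match your environment.

[WildFire Report Download (example)]
# Prefix the alias with an explicit index so the pan_wildfire search
# (which carries no index of its own) only scans the firewall data.
search = index=pan_logs pan_wildfire verdict="malicious" | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=wildfire_reports sourcetype=pan:wildfire_report
# Run every 10 minutes over the last 15 minutes so a late-arriving
# syslog event is still picked up by the next run.
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# indexes.conf (assumed index name); collect only writes to an index
# that already exists, so create it on the indexer first.
[wildfire_reports]
homePath = $SPLUNK_DB/wildfire_reports/db
coldPath = $SPLUNK_DB/wildfire_reports/colddb
thawedPath = $SPLUNK_DB/wildfire_reports/thaweddb
```

Keeping main empty is then easy to verify: a search for `index=main sourcetype=pan:wildfire_report` should return nothing after the next scheduled run, while `index=wildfire_reports` should fill up whenever a malicious verdict arrives and the API key is accepted.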

lakshman239
SplunkTrust

Are you using the add-on to collect the logs and the apps?

https://splunkbase.splunk.com/app/491/
https://splunkbase.splunk.com/app/2757/

I have used the add-on and used another index to receive traffic and threat feeds from the Palo Alto IPS.
