Re: Palo log issue

Splunkers2 · ‎09-10-2024

Hi all,

I'm having issues comparing user field in Palo Alto traffic logs vs last user reported by Crowdstrike/Windows events.Palo-Alto traffic logs is showing a different user in logs initiating the traffic during the time window compared to Crowd strike last user login reported for same endpoint.

Has anyone you know faced similar issue ?

Thanks

PickleRick · ‎09-14-2024

If I understand correctly what you're saying, it's not a problem with Splunk but rather with quality of your data. If the same "truth" in reality is expressed as events saying different things in Splunk it means there's something wrong with your sources setup.

inventsekar · ‎09-13-2024

Hi @Splunkers2 May we know if you use the CIM pls.

pls copy paste the Splunk Search query you used(remove sensitive data beofre), thanks

dural_yyz · ‎09-13-2024

Since both of these are data source content issues it's difficult to determine from the Splunk side. I would start with more research at a specific machine side. What traffic is being generated and from what application. Who if anyone is logged in live.

Palo log issue

investigation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation