Splunk Enterprise Security

Splunk Palo Alto Add-on 6.0.2 and Enterprise Security issue

splunkIT
Splunk Employee
Splunk Employee

I recently upgraded the Splunk Palo Alto Add-on from 3.8.0 to 6.0.2 on our ES search head. Since that change, the category is no longer being extracted properly and it is affecting the web data model which shows all traffic in the HTTP Category Analysis as "unknown".

splunkIT
Splunk Employee
Splunk Employee

This is an issue in the Add-on 6.0.2. According to the folks at PAN, it will be fixed in 6.0.3. The current workaround solution is by modifying the following file:

$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/default/props.conf

In that file, find the line that reads:

EVAL-category = threat_category

I believe it is line 76. Change the line to this:

EVAL-category = if(log_subtype=="url" OR log_subtype=="file", raw_category, threat_category)

Then restart Splunk to put the change into effect.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...