When the original syslog was forwarded to Phantom, some key fields (like srcIP/dstIP) were missing from the artifact. These key fields were in raw_data when we searched the artifact in Splunk.
Can Phantom identify/parse these fields and add them to the artifact automatically?
It has been resolved by installing the add-on and mapping the CEF fields, thanks.
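An added example, not code from this thread or from Phantom itself, showing the kind of mapping the resolution refers to: a small Python parser takes a raw CEF-over-syslog line, pulls out the extension key/value pairs, and renames the CEF keys to the field names a Phantom artifact's cef dictionary uses, flagging the key address fields if they are absent. The sample line, the key-to-field table and the artifact layout are assumptions for illustration, not taken from the thread.

```python
import re

# Assumed mapping (added example): CEF extension keys as they appear in the
# raw syslog line -> field names used in a Phantom artifact's "cef" dictionary.
CEF_KEY_TO_ARTIFACT_FIELD = {
    "src": "sourceAddress",
    "dst": "destinationAddress",
    "spt": "sourcePort",
    "dpt": "destinationPort",
    "suser": "sourceUserName",
}

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]

# Matches "key=value" in the CEF extension; a value runs until the next
# " key=" token (or end of line), so spaces inside values are preserved.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(raw):
    """Split a syslog line carrying CEF into header fields and extension pairs."""
    if "CEF:" not in raw:
        raise ValueError("not a CEF message")
    cef = raw.split("CEF:", 1)[1]
    # Seven pipe-separated header fields; everything after is the extension.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = {}
    for key, value in _EXT_PAIR.findall(parts[7].strip()):
        ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, ext

def build_artifact(raw):
    """Build an artifact-style dict; unknown CEF keys are kept under their own name."""
    header, ext = parse_cef(raw)
    cef = {CEF_KEY_TO_ARTIFACT_FIELD.get(k, k): v for k, v in ext.items()}
    missing = [f for f in ("sourceAddress", "destinationAddress") if f not in cef]
    return {"name": header["name"],
            "source_data_identifier": header["signature_id"],
            "cef": cef,
            "missing_key_fields": missing}

# Constructed sample line (RFC 5737 test addresses), not real log data.
SAMPLE = ("<13>Jan 12 10:01:02 fw01 CEF:0|Vendor|Firewall|1.0|100|Denied connection|5|"
          "src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443 msg=outbound blocked")
```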