How to map similar extracted fields from Palo Alto...

splunker12er · ‎11-15-2015

More than Splunk, this question is related to firewall logs - any help is very much appreciated.

Desc: Mapping Key-value of pan_logs to OPSEC logs

Fields: category vs app_category & signature Vs rule_name ??

Details:
sourcetype: Palo alto logs
Field name: category (small-letter)

Field values:

any
computer-and-internet-info
business-and-economy
web-based-email
internet-communications-and-telephony
web-advertisements
search-engines
social-networking
private-ip-addresses
content-delivery-networks

sourcetype: opsec - checkpoint logs
Field name: I see fields app_category , matched_category--> but all the field values are extracted as= ""***** Confidential ******

How do I map similar category fields in OPSEC to similar fields from Palo Alto? Are there any other fields that map these values?

Also,

Fieldname: signature (palo_alto logs)
Fieldname: rule_name (opsec)

Can both fields be mapped?

spayneort · ‎11-15-2015

To show the actual data instead of Confidential, you need to set the LEA Permissions to show all log fields. See here:

https://answers.splunk.com/answers/48450/opsec-lea-confidential.html

How to map similar extracted fields from Palo Alto logs with similar fields from Check Point OPSEC logs?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to map similar extracted fields from Palo Alto logs with similar fields from Check Point OPSEC logs?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem