Splunk Search

How to map similar extracted fields from Palo Alto logs with similar fields from Check Point OPSEC logs?

splunker12er
Motivator

More than Splunk, this question is related to firewall logs - any help is very much appreciated.

Desc: Mapping Key-value of pan_logs to OPSEC logs

Fields: category vs app_category & signature Vs rule_name ??

Details:
sourcetype: Palo alto logs
Field name: category (small-letter)

Field values:

any
computer-and-internet-info
business-and-economy
web-based-email
internet-communications-and-telephony
web-advertisements
search-engines
social-networking
private-ip-addresses
content-delivery-networks

sourcetype: opsec - checkpoint logs
Field name: I see fields app_category , matched_category--> but all the field values are extracted as= ""***** Confidential ******

How do I map similar category fields in OPSEC to similar fields from Palo Alto? Are there any other fields that map these values?

Also,

Fieldname: signature (palo_alto logs)
Fieldname: rule_name (opsec)

Can both fields be mapped?

0 Karma

spayneort
Contributor

To show the actual data instead of Confidential, you need to set the LEA Permissions to show all log fields. See here:

https://answers.splunk.com/answers/48450/opsec-lea-confidential.html

0 Karma
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...