Re: How to map similar extracted fields from Palo ...

splunker12er · ‎11-15-2015

More than Splunk, this question is related to firewall logs - any help is very much appreciated.

Desc: Mapping Key-value of pan_logs to OPSEC logs

Fields: category vs app_category & signature Vs rule_name ??

Details:
sourcetype: Palo alto logs
Field name: category (small-letter)

Field values:

any
computer-and-internet-info
business-and-economy
web-based-email
internet-communications-and-telephony
web-advertisements
search-engines
social-networking
private-ip-addresses
content-delivery-networks

sourcetype: opsec - checkpoint logs
Field name: I see fields app_category , matched_category--> but all the field values are extracted as= ""***** Confidential ******

How do I map similar category fields in OPSEC to similar fields from Palo Alto? Are there any other fields that map these values?

Also,

Fieldname: signature (palo_alto logs)
Fieldname: rule_name (opsec)

Can both fields be mapped?

spayneort · ‎11-15-2015

To show the actual data instead of Confidential, you need to set the LEA Permissions to show all log fields. See here:

https://answers.splunk.com/answers/48450/opsec-lea-confidential.html

How to map similar extracted fields from Palo Alto logs with similar fields from Check Point OPSEC logs?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?