We have Security Hub data centralized from all our accounts and have now connected Data Manager to that central account so we can get all Security Hub findings into Splunk Cloud. I have noticed that the data coming in has a basic parser but it isn't separating the different streams, i.e. GuardDuty, Config, etc.   Is there a way to properly parse and tag all this data from the Security Hub feed so that it will populate all dashboards and data models etc.?  ... View more

We are having issues with pan:firewall_cloud parser (which came with the Palo Alto Netowrks Add-on) not parsing logs from Cortex Data Lake. We are centralizing all of our SASE Prisma and Firewall logs into the Cortex Data Lake and then streaming them from there to Splunk Cloud via the HEC. When I configure that HEC to use the Source Type of pan:firewall_cloud, which was recommended in the setup docs,  we don't get field extraction. When I use a standard _json parser it extracts all fields as expected. Is anyone else having this issue? Is there a fix? I can't use any of the Palo dashboards and there is no CIM normalization happening without that official Add-on parser working.  ... View more