This repository was archived by the owner on Dec 14, 2024. It is now read-only.

Commit af609bc

committed
fix(addon): Optomize type field for CIM compliance
Rename the extracted log-type field from `type` to `log_type`; `type` remains available as an alias so existing searches keep working.
1 parent 5cc9ea7 commit af609bc

2 files changed

+10
-4
lines changed


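--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -87,6 +87,7 @@ FIELDALIAS-fwcloud_threat = ThreatID as threat
 FIELDALIAS-fwcloud_threat_name = ThreatName as threat_name
 FIELDALIAS-fwcloud_transport = Protocol as transport
 FIELDALIAS-fwcloud_type = LogType as type
+FIELDALIAS-fwcloud_log_type = LogType as log_type
 EVAL-user = case(SourceUser!="null",'SourceUser',SourceUserName !="null",'SourceUserName',src_user!="null",'src_user',dest_user!="null",'dest_user',recipient!="null",'recipient',sender!="null",'sender',true(),"unknown")
 FIELDALIAS-fwcloud_url = URL as url
 FIELDALIAS-fwcloud_vendor_action = Action as vendor_action
@@ -333,6 +334,8 @@ SHOULD_LINEMERGE = false
 TIME_PREFIX = ^(?:[^,]*,){6}
 MAX_TIMESTAMP_LOOKAHEAD = 32
 REPORT-search = extract_globalprotect
+
+FIELDALIAS-type = log_type as type
 FIELDALIAS-status_for_results = status as result
 FIELDALIAS-stage_for_log_subtype = stage as log_subtype
 EVAL-dvc_name = coalesce(dvc_name, machine_name)
@@ -353,6 +356,7 @@ MAX_TIMESTAMP_LOOKAHEAD = 32
 
 REPORT-search = extract_decryption
 
+FIELDALIAS-type = log_type as type
 
 [pan_config]
 rename = pan:config
@@ -391,6 +395,7 @@ MAX_TIMESTAMP_LOOKAHEAD = 32
 
 REPORT-search = extract_hipmatch
 
+FIELDALIAS-type = log_type as type
 FIELDALIAS-virtual_system = vsys as virtual_system
 
 # Field Aliases to map specific fields to the Splunk Common Information Model--Intrusion Detection
@@ -436,6 +441,7 @@ SHOULD_LINEMERGE = false
 TIME_PREFIX = ^(?:[^,]*,){6}
 MAX_TIMESTAMP_LOOKAHEAD = 32
 REPORT-search = extract_userid
+FIELDALIAS-type = log_type as type
 FIELDALIAS-virtual_system = vsys as virtual_system
 FIELDALIAS-src_for_pan_correlation = src_ip as src
 FIELDALIAS-dest_ip_for_pan_correlation = src_ip as dest_ip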
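Review bot: The four new `FIELDALIAS-type = log_type as type` lines use a bare class name that breaks this file's descriptive convention (`FIELDALIAS-status_for_results`, `FIELDALIAS-fwcloud_log_type`), and since Splunk resolves same-named props classes across every stanza that matches an event, any `[source::…]` or `[host::…]` stanza that defines its own `FIELDALIAS-type` would override these and silently drop `type` from those sourcetypes. A specific name such as `FIELDALIAS-log_type_for_type = log_type as type` avoids that collision and says what the alias is for. I would also put a one-line `# type is kept for backward compatibility; log_type is the CIM-facing field` comment above each, so detection content written after this commit constrains on `log_type` rather than the alias. Each of these stanzas starts and continues outside the hunk, so I cannot see whether any of them already carries another alias onto `type`.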

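--- a/Splunk_TA_paloalto/default/transforms.conf
+++ b/Splunk_TA_paloalto/default/transforms.conf
@@ -85,20 +85,20 @@ FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","
 
 [extract_hipmatch]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_user","vsys","host_name","os","src_ip","hip_name","hip_count","hip_type","future_use3","future_use4","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","ipv6_system_address"
+FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_user","vsys","host_name","os","src_ip","hip_name","hip_count","hip_type","future_use3","future_use4","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","ipv6_system_address"
 
 [extract_correlation]
 DELIMS = ","
 FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","src_user","vsys","category","severity","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","object","object_id","evidence"
 
 [extract_userid]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"
+FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"
 
 # GlobalProtect extraction for PAN-OS 9.1.1+
 [extract_globalprotect]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","serial_number","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"
+FIELDS = "future_use1","receive_time","serial_number","log_type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","serial_number","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"
 
 [extract_traps_analytics]
 DELIMS = ","
@@ -114,7 +114,7 @@ FIELDS = "record_type","class","future_user1","log_subtype","event_type","catego
 
 [extract_decryption]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","start_time","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","flags","IP_PROTOCOL","action","tunnel_id","future_use2","future_use3","src_vm_uuid","dest_vm_uuid","uuid_rule","stage_client_firewall","stage_firewall_client","tls_version","key_exchange_algorithm","encryption_algorithm","hash_algorithm","rule","elliptic_curve","error_index","root_status","chain_status","proxy_type","cert_serial_number","fingerprint","cert_start_time","cert_end_time","cert_version","cert_size","cn_length","issuer_cn_length","root_cn_length","sni_length","cert_flags","subject_cn","issuer_subject_cn","root_subject_cn","server_name","error","container_id","pod_namespace","pod_name","src_edl","dest_edl","src_dag","dest_dag","timestamp","src_dvc_category","src_dvc_profile","src_dvc_model","src_dvc_vendor","src_dvc_os","src_dvc_os_version","src_name","src_mac","dest_dvc_category","dest_dvc_profile","dest_dvc_model","dest_dvc_vendor","dest_dvc_os","dest_dvc_os_version","dest_name","dest_mac","sequence_number","action_flags"
+FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","start_time","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","flags","IP_PROTOCOL","action","tunnel_id","future_use2","future_use3","src_vm_uuid","dest_vm_uuid","uuid_rule","stage_client_firewall","stage_firewall_client","tls_version","key_exchange_algorithm","encryption_algorithm","hash_algorithm","rule","elliptic_curve","error_index","root_status","chain_status","proxy_type","cert_serial_number","fingerprint","cert_start_time","cert_end_time","cert_version","cert_size","cn_length","issuer_cn_length","root_cn_length","sni_length","cert_flags","subject_cn","issuer_subject_cn","root_subject_cn","server_name","error","container_id","pod_namespace","pod_name","src_edl","dest_edl","src_dag","dest_dag","timestamp","src_dvc_category","src_dvc_profile","src_dvc_model","src_dvc_vendor","src_dvc_os","src_dvc_os_version","src_name","src_mac","dest_dvc_category","dest_dvc_profile","dest_dvc_model","dest_dvc_vendor","dest_dvc_os","dest_dvc_os_version","dest_name","dest_mac","sequence_number","action_flags"
 
 [extract_threat_id]
 SOURCE_KEY = threat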
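Review bot: The re-emitted FIELDS lists still assign two CSV columns to one name — `serial_number` at positions 3 and 21 of `extract_globalprotect`, and `rule` at positions 12 and 44 of `extract_decryption` — so the DELIMS extraction lands two different log columns in a single field, and any detection or device-attribution search that filters on `serial_number=` or `rule=` sees either a multivalue or a clobbered value. Going by the PAN-OS column order the second `serial_number` is presumably the endpoint's device serial and the second `rule` the decryption policy name rather than the matched rule, but confirm against the vendor field reference before renaming; something like `"host_serial_number"` at position 21 and `"decryption_policy"` at position 44 would keep the firewall serial and the matched rule unambiguous. Since this commit already rewrites both lines, it is the cheapest moment to fix them, and a `# NOTE: column 21 is the endpoint serial, not the firewall serial` comment above the stanza would stop the next edit from re-introducing the collision.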
