From c0ed71ce7352f5dd8262a90f0450e61f609a376a Mon Sep 17 00:00:00 2001
From: Henri
Date: Wed, 7 Oct 2020 16:19:26 +1100
Subject: [PATCH] Update category URL filtering issue #147 https://github.com/PaloAltoNetworks/Splunk-Apps/issues/147 Proposed changes to update field category extraction Changes applied transforms.conf file: -extended capturing for report extract_threat to include new field extraction new_category props.conf file: -re-evaluate category from new_category and threat_category fields
---
 Splunk_TA_paloalto/default/props.conf | 2 +-
 Splunk_TA_paloalto/default/transforms.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index eed3c741..ea16ee09 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -106,7 +106,7 @@ EVAL-report_id = if(log_subtype=="wildfire", coalesce(report_id,threat_id)
 EVAL-http_category = if(log_subtype=="url", raw_category, null())
 EVAL-verdict = if(log_subtype=="wildfire", raw_category, null())
 EVAL-threat_category = if(log_subtype!="url" AND log_subtype!="file", if(threat_category=="unknown",log_subtype,coalesce(threat_category,log_subtype)), null())
-EVAL-category = if(log_subtype=="url" OR log_subtype=="file", raw_category, threat_category)
+EVAL-category = if(log_subtype=="url" OR log_subtype=="file", split(new_category, ","), threat_category)
 # Decode hex flags
 EVAL-flags = mvappend(if(floor(tonumber(session_flags,16) / pow(2, 31))%2==0,null(),"pcap"),if(floor(tonumber(session_flags,16) / pow(2, 28))%2==0,null(),"credential_detected"),if(floor(tonumber(session_flags,16) / pow(2, 25))%2==0,null(),"ipv6"),if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted"),if(floor(tonumber(session_flags,16) / pow(2, 23))%2==0,null(),"denied_by_url_filtering"),if(floor(tonumber(session_flags,16) / pow(2, 22))%2==0,null(),"nat"),if(floor(tonumber(session_flags,16) / pow(2, 21))%2==0,null(),"captive_portal"),if(floor(tonumber(session_flags,16) / pow(2, 19))%2==0,null(),"x_forwarded_for"),if(floor(tonumber(session_flags,16) / pow(2, 18))%2==0,null(),"http_proxy"),if(floor(tonumber(session_flags,16) / pow(2, 15))%2==0,null(),"container_page"),if(floor(tonumber(session_flags,16) / pow(2, 13))%2==0,null(),"implicit_application"),if(floor(tonumber(session_flags,16) / pow(2, 11))%2==0,null(),"symmetric_return"))
diff --git a/Splunk_TA_paloalto/default/transforms.conf b/Splunk_TA_paloalto/default/transforms.conf
index fb0375e1..c11a1354 100644
--- a/Splunk_TA_paloalto/default/transforms.conf
+++ b/Splunk_TA_paloalto/default/transforms.conf
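Review bot: The new `EVAL-category` line drops the `raw_category` fallback, so on any threat event where `new_category` is not extracted — a PAN-OS log format that does not carry the trailing URL category list, or an event whose positional extraction never reaches that column — `category` for the url and file subtypes becomes null instead of the single value it held before, and because `category` feeds the CIM Web model and URL-filtering searches this is a silent loss of signal rather than an error. Keeping the old value as a fallback preserves both behaviours: `EVAL-category = if(log_subtype=="url" OR log_subtype=="file", split(coalesce(new_category, raw_category), ","), threat_category)`. `EVAL-http_category` two lines above still reads `raw_category`, so the two fields will disagree whenever `new_category` carries more than one category; decide whether it should use the same expression. Downstream consumers should also be told that `category` is now multivalued: an exact-match filter on one category still matches, but `values(category)`, dedup and lookup joins behave differently.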
@@ -74,7 +74,7 @@ FORMAT = sourcetype::pan:config_traps
 [extract_threat]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version"
+FIELDS = 
"future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version","future_use5","future_use6","future_use7","future_use8","new_category" [extract_traffic] DELIMS = ","