From 28ac5f3d50e17c4c5a265c78301a74b05c860b75 Mon Sep 17 00:00:00 2001
From: as3923
Date: Wed, 18 Aug 2021 21:59:40 -0400
Subject: [PATCH 1/3] feat(addon): Extract all URL Categories to category as a multi-value field

---
 Splunk_TA_paloalto/default/props.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index 1b5c9512..2c49b69d 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -105,7 +105,7 @@ EVAL-dest_name = replace(dest_hostname, "^([^:/]+).*", "\1")
 FIELDALIAS-fwcloud_vendor_protocol = protocol as vendor_protocol
-EVAL-category = coalesce(http_category, threat_category)
+EVAL-category = coalesce(split(URLCategoryList,","), threat_category)
 LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product,ids_type
 LOOKUP-pan_threat_id = threat_lookup threat_id

From 79a8ff41f668d1313118f5b015c76f540f613ddd Mon Sep 17 00:00:00 2001
From: as3923
Date: Thu, 19 Aug 2021 15:40:41 -0400
Subject: [PATCH 2/3] Update props.conf

Added `isnotnull(URLCategoryList)` check because some events only have URLCategory.

---
 Splunk_TA_paloalto/default/props.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index 2c49b69d..e684b572 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -105,7 +105,7 @@ EVAL-dest_name = replace(dest_hostname, "^([^:/]+).*", "\1")
 FIELDALIAS-fwcloud_vendor_protocol = protocol as vendor_protocol
-EVAL-category = coalesce(split(URLCategoryList,","), threat_category)
+EVAL-category = coalesce(if(isnotnull(URLCategoryList), split(URLCategoryList, ","), http_category), threat_category)
 LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product,ids_type
 LOOKUP-pan_threat_id = threat_lookup threat_id

From dec3998141ea0ae8b824e14b6e816552c4262ec9 Mon Sep 17 00:00:00 2001
From: as3923
Date: Sun, 22 Aug 2021 20:07:53 -0400
Subject: [PATCH 3/3] Update props.conf

For some Cortex eventtypes `http_category` is not in the `URLCategoryList`, but for other eventtypes it is in the list. Updated the eval to check whether `http_category` is in the list, and to append it if it is not already in the list.

---
 Splunk_TA_paloalto/default/props.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index e684b572..f4996e03 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -105,7 +105,7 @@ EVAL-dest_name = replace(dest_hostname, "^([^:/]+).*", "\1")
 FIELDALIAS-fwcloud_vendor_protocol = protocol as vendor_protocol
-EVAL-category = coalesce(if(isnotnull(URLCategoryList), split(URLCategoryList, ","), http_category), threat_category)
+EVAL-category = coalesce(if(isnotnull(URLCategoryList), if(in(http_category, split(URLCategoryList, ",")), split(URLCategoryList, ","), split(http_category.",".URLCategoryList, ",")), http_category), threat_category)
 LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product,ids_type
 LOOKUP-pan_threat_id = threat_lookup threat_id
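Review bot: The fallback branch `split(http_category.",".URLCategoryList, ",")` on the added `EVAL-category` line in the third patch is reached whenever `in()` is false, which includes the case where `URLCategoryList` is present but `http_category` is null; depending on how eval concatenates a null field, that yields either a null result (so `coalesce` discards the whole URL category list and falls through to `threat_category`) or a leading empty value in `category`. The same expression also recomputes `split(URLCategoryList, ",")` three times, and I would confirm that `in()` accepts a multivalue field as its list argument rather than only literal values, since that is what the dedup check depends on. A single multivalue build covers both cases in one pass: `EVAL-category = coalesce(mvdedup(mvappend(http_category, split(URLCategoryList, ","))), threat_category)`, assuming `mvappend` skips null arguments as I recall it does; if it does not, keep the existing `isnotnull(URLCategoryList)` guard around it. Value order then becomes `http_category` first rather than list order, which only matters if a downstream search relies on the position of the first value in `category`.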