Fix user showing as unknown from GlobalProtect logs. #217

Merged
merged 2 commits into from
Sep 24, 2021
Merged
4 changes: 2 additions & 2 deletions Splunk_TA_paloalto/default/props.conf
Expand Up @@ -87,7 +87,7 @@ FIELDALIAS-fwcloud_threat = ThreatID as threat
FIELDALIAS-fwcloud_threat_name = ThreatName as threat_name
FIELDALIAS-fwcloud_transport = Protocol as transport
FIELDALIAS-fwcloud_type = LogType as type
EVAL-user = case(src_user!="null",'src_user',dest_user!="null",'dest_user',recipient!="null",'recipient',sender!="null",'sender',true(),"unknown")
EVAL-user = case(SourceUser!="null",'SourceUser',SourceUserName !="null",'SourceUserName',src_user!="null",'src_user',dest_user!="null",'dest_user',recipient!="null",'recipient',sender!="null",'sender',true(),"unknown")
FIELDALIAS-fwcloud_url = URL as url
FIELDALIAS-fwcloud_vendor_action = Action as vendor_action
FIELDALIAS-fwcloud_verdict = Verdict as verdict
Expand Down Expand Up @@ -128,7 +128,7 @@ FIELDALIAS-fwcloud_cmd = EventName as cmd
FIELDALIAS-fwcloud_command = EventName as command
FIELDALIAS-fwcloud_configuration_path = EventPath as configuration_path
FIELDALIAS-fwcloud_host_name = LogSourceName as host_name
FIELDALIAS-fwcloud_path = EventPath as path # CIM
FIELDALIAS-fwcloud_path = EventPath as path
FIELDALIAS-fwcloud_result = EventResult as result

# URL Logs
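Review bot: `SourceUserName !="null"` in the new EVAL-user carries a space before `!=` that none of the other comparisons in the case() have; `SourceUserName!="null"` keeps the expression uniform and stops a reader wondering whether the whitespace matters to the parser. The branch order now also decides which identity lands in the CIM `user` field when a GlobalProtect event carries both SourceUser and SourceUserName, and nothing records that precedence or why the cloud fields win over src_user/dest_user; a full-line comment above the EVAL such as `# user: cloud GlobalProtect SourceUser, then SourceUserName, then src/dest, then mail sender/recipient; "unknown" only when none is present` would make the attribution rule visible to anyone building authentication detections on `user`. This rendering does not mark which of the two EVAL-user lines is old and which is new; the note assumes the line adding SourceUser is the new one, consistent with the PR title.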
28 changes: 8 additions & 20 deletions demo/conf/eventgen_conf/eventgen.conf
Expand Up @@ -453,32 +453,20 @@ token.1.replacementType = timestamp
token.1.replacement = %Y/%m/%d %H:%M:%S


[pan_globalprotect.samplelog]

[pan_firewall_cloud_globalprotect.json]
outputMode = splunkstream
disabled = false
interval = 60
disabled = false
earliest = -60s
latest = now
count = 0
autotimestamp = 1
interval = 60
count = 4
randomizeCount = 0.2
randomizeEvents = 0

sourcetype = pan:log
source = eventgen:pan_globalprotect.samplelog
randomizeEvents = true

## replace 1st timestamp
## Apr 8 01:24:58
token.0.token = ^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})
token.0.replacementType = timestamp
token.0.replacement = %b %d %H:%M:%S
sourcetype=pan:firewall_cloud
source = eventgen:pan_firewall_cloud_globalprotect.json
autotimestamp = 1

## replace 2nd, 3rd & 4th timestamps (downstream)
## ,2012/04/10 03:32:56,
token.1.token = ,(\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})
token.1.replacementType = timestamp
token.1.replacement = %Y/%m/%d %H:%M:%S

[pan_incident.samplelog]

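Review bot: `sourcetype=pan:firewall_cloud` in the new [pan_firewall_cloud_globalprotect.json] stanza drops the spaces around `=` that every other key in this hunk uses; `sourcetype = pan:firewall_cloud` keeps the stanza consistent with the rest of the file. The same stanza writes `randomizeEvents = true` while the surrounding keys express booleans numerically (`autotimestamp = 1`, and the replaced `randomizeEvents = 0`), so one boolean form should be chosen for the file. The stanza name is the sample file eventgen replays, and no file by that name is visible among the changes on this page; if it is not shipped with this change the generator has nothing to emit for pan:firewall_cloud and the fix in props.conf cannot be demonstrated from the demo. Old and new sides are not marked in this rendering, so which lines form the final stanza is inferred from the header and the addition/deletion counts.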