Incorrect Field Mapping - PAN Threat - User Field (mapped with http category - Sender) #297
🎉 Thanks for opening your first issue here! Welcome to the community!
Hi @dharmanr Could you please let me know what version of PANOS you are using?
Hi All,
We are on PANOS 10.1.5 on all of our Palos.
Thanks
Warm Regards,
Dharman.R
Director – Security Operations Center
We have observed the props enabled with comma-separated defined fields, and they are mapped with incorrect values.
The user field is mapped with the value (music-low risk, private IP addressed), which is actually the http category, and it is mapped to sender.
https://splunkbase.splunk.com/app/2757
EVAL-user = case(SourceUser!="null",'SourceUser',SourceUserName !="null",'SourceUserName',src_user!="null",'src_user',dest_user!="null",'dest_user',recipient!="null",'recipient',sender!="null",'sender',true(),"unknown")
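As an added example (not code from the Splunk-Apps project), the following Python mirrors the EVAL-user case() above over constructed pan:threat field sets and flags records where a comma-separated category string has been coalesced into user through sender; the field names beyond those in the EVAL and the sample values are assumptions.

```python
"""Added example: simulate the add-on's EVAL-user case() and audit for the
mis-mapping reported in this issue. Events below are constructed samples."""
import re

# Order of the candidate fields in EVAL-user; case() takes the first match.
USER_CANDIDATES = ("SourceUser", "SourceUserName", "src_user",
                   "dest_user", "recipient", "sender")

# A URL/http category list is lowercase words separated by commas (the shape
# of the value reported above), never a user principal.
CATEGORY_RE = re.compile(r"^[a-z0-9-]+(?:,[a-z0-9-]+)+$")


def eval_user(event):
    """Mirror of EVAL-user: first candidate field present and not "null"."""
    for field in USER_CANDIDATES:
        value = event.get(field)
        # In Splunk a missing field fails the comparison, so it is skipped.
        if value is not None and value != "null":
            return value
    return "unknown"


def looks_like_category(value):
    return bool(CATEGORY_RE.match(value))


def audit(events):
    """Return (user value, source field) for each event whose user is a
    category string, i.e. where an upstream field was mis-mapped."""
    findings = []
    for ev in events:
        user = eval_user(ev)
        if looks_like_category(user):
            src = next(f for f in USER_CANDIDATES if ev.get(f) == user)
            findings.append((user, src))
    return findings


# Constructed pan:threat field sets (assumption: only the user-related fields).
SAMPLE_EVENTS = [
    {"SourceUser": "corp\\alice", "sender": "null"},                   # correct
    {"SourceUser": "null", "SourceUserName": "null", "src_user": "null",
     "dest_user": "null", "recipient": "null",
     "sender": "music,low-risk,private-ip-addresses"},                 # mis-mapped
    {"SourceUser": "null", "sender": "null"},                          # no user
]

if __name__ == "__main__":
    for user, src in audit(SAMPLE_EVENTS):
        print(f"user={user!r} came from {src}")
```

Running it reports the second event only, naming sender as the field that carried the category value into user.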