PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://pan.dev/splunk/docs/
ISC License

get_incident_extra_data #290

Closed thasteve closed 1 year ago

thasteve commented 1 year ago

Describe the bug

Splunk Palo Alto Add-On app (https://splunkbase.splunk.com/app/2757) retrieves incidents via API. However, it appears the "Extra Incident Details" are not retrieved, which would add context to the incident, primarily the alert IDs.

Expected behavior

What should happen is when the incident ID is in a response, the Splunk_TA_Palo app returns to the URI for extra incident data. I read through the source for the Palo Alto Add-on, and I can see in the python script where it would be POSTing to /public_api/v1/incidents/get_incident_extra_data/. However, that extra incident data is not present anywhere in Cortex logs coming into Splunk via the Palo Alto Add-On app. Again, the URI appears in the script, but the data is not present.

Current behavior

The Splunk TA Palo app just grabs the incident without the extra incident details such as alert data.

Possible solution

I read through the source for the Palo Alto Add-on, and I can see in the python script where it would be POSTing to /public_api/v1/incidents/get_incident_extra_data/. However, that extra incident data is not present anywhere in Cortex logs coming into Splunk via the Palo Alto Add-On app. Again, the URI appears in the script, but the data is not present.

Steps to reproduce

  1. Splunk ES or Splunk Cloud (attempting with both)
  2. Install Splunk_TA_Palo
  3. Connect API to Advanced "Viewer" in Cortex
  4. Read logs.

Context

Our organization is limited in correlating endpoint and network data in Splunk with the incidents in Cortex. Also, Cortex UI is dog-crap when it comes to searching and navigating logs and incidents. It would be better to have it in Splunk.

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

thasteve commented 1 year ago

[Screenshot 2023-03-28 at 3 31 18 PM] A piece of the Python script for the app that would indicate it should be getting the extra incident details.

thasteve commented 1 year ago

It's worth mentioning I've already uncommented and recompiled for this section with no luck -

```python
# Uncomment this section if we decide to capture incident details.
# if helper.get_arg("XDR_GET_DETAILS") == "True":
#     get_details = True
```
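For readers trying to understand what enabling that gate would actually have to do, here is an added example (my own code, not from the Splunk_TA_Palo add-on) of the enrichment step the commented-out section points at: when the details flag is on, POST the incident ID to the `/public_api/v1/incidents/get_incident_extra_data/` path named in the issue and merge the returned alert IDs into the incident event. The request body (`request_data` with `incident_id` and `alerts_limit`) and the `reply.alerts.data[].alert_id` response layout are my assumptions about the Cortex XDR public API and should be checked against the current API reference; the HTTP transport is replaced by a constructed in-memory stub so the block runs offline.

```python
import json
from typing import Any, Callable, Dict

# Endpoint path quoted in the issue; the host, auth headers and real HTTPS call
# are out of scope here and are supplied by the `post` callable.
EXTRA_DATA_PATH = "/public_api/v1/incidents/get_incident_extra_data/"


def build_extra_data_request(incident_id: str, alerts_limit: int = 1000) -> Dict[str, Any]:
    # Assumed request body shape for get_incident_extra_data (verify against the API docs).
    return {"request_data": {"incident_id": str(incident_id), "alerts_limit": alerts_limit}}


def enrich_incident(
    incident: Dict[str, Any],
    post: Callable[[str, Dict[str, Any]], Dict[str, Any]],
    get_details: bool,
) -> Dict[str, Any]:
    """Return a copy of `incident`, with alert context merged in when get_details is set.

    `get_details` plays the role of the XDR_GET_DETAILS gate from the add-on; when it is
    False the incident is passed through untouched, which is the behaviour the issue reports.
    """
    event = dict(incident)
    incident_id = incident.get("incident_id")
    if not get_details or not incident_id:
        return event

    reply = post(EXTRA_DATA_PATH, build_extra_data_request(incident_id)).get("reply", {})
    alerts_block = reply.get("alerts", {}) or {}
    alerts = alerts_block.get("data", []) or []

    # The alert IDs are the field the issue most wants in Splunk; copy them as a list
    # so they can be used for correlation with endpoint/network events.
    event["alert_ids"] = [a["alert_id"] for a in alerts if a.get("alert_id") is not None]
    event["alert_count"] = alerts_block.get("total_count", len(alerts))

    # Assumed extra sections of the reply; only copied when present.
    for key in ("network_artifacts", "file_artifacts"):
        if key in reply:
            event[key] = reply[key]
    return event


# Constructed stand-in for the Cortex API: maps incident IDs to canned replies.
FAKE_REPLIES = {
    "12345": {
        "reply": {
            "incident": {"incident_id": "12345", "severity": "high"},
            "alerts": {
                "total_count": 2,
                "data": [{"alert_id": "a-1", "name": "sample alert 1"},
                         {"alert_id": "a-2", "name": "sample alert 2"}],
            },
            "network_artifacts": {"total_count": 0, "data": []},
        }
    }
}


def fake_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Offline transport: only answers the extra-data path, unknown IDs get an empty reply."""
    if path != EXTRA_DATA_PATH:
        raise ValueError("unexpected path: " + path)
    incident_id = body["request_data"]["incident_id"]
    return FAKE_REPLIES.get(incident_id, {"reply": {"alerts": {"total_count": 0, "data": []}}})


if __name__ == "__main__":
    sample = {"incident_id": "12345", "severity": "high"}
    print(json.dumps(enrich_incident(sample, fake_post, get_details=True), indent=2))
```

In a real add-on `post` would wrap the authenticated HTTPS call and `get_details` would come from the configuration flag the commented section reads; keeping the transport injectable is what lets the merge logic be tested without a tenant.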

thasteve commented 1 year ago

Finally, I'll add that I came here after opening a ticket with Palo Alto proper. They could not give me a hand, nor did our on-demand requests from Splunk.

paulmnguyen commented 1 year ago

This feature was something we considered but decided to go with the cross-launch approach instead for details. We left the code in so that customers may uncomment and use it; however, it is not supported if it's not working.