PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://pan.dev/splunk/docs/
ISC License

App is not parsing the URI to create interesting fields #298

Open jchubbar opened 1 year ago

jchubbar commented 1 year ago

Describe the bug

In our environment where we have the Splunk Add-on 6.6, we can use q= OR pq= to parse URIs to gather search terms in search engines. But we upgraded to 8.2 and no longer have that functionality.

Expected behavior

In 6.6, if I add (pq= OR query= OR p= OR q=) as a part of the search terms, I see interesting fields that contain what the user searched for.

Current behavior

In 8.2, with the same query, no results are returned.

Possible solution

None

Steps to reproduce

Run a Splunk query like: (index=corp_palo_alto sourcetype=pan:threat log_subtype=url) (pq= OR query= OR p= OR q=) categories IN (search-engines, streaming-media)

See the results and Interesting Fields populate in our Splunk environment that has the TA app 6.6.

Context

Need to move all functionality to SplunkCloud and the 6.6 version of the Palo Alto app is not supported.

Your Environment

On-prem Splunk that has the Palo Alto Networks Add-on 6.6.0 installed
SplunkCloud that has the Palo Alto Networks Add-on 8.2.0 installed
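The behaviour the report describes (pulling the user's search term out of the URL's query string so it shows up as a field) is simple to reproduce outside Splunk, which is useful for confirming what the missing extraction should produce from a given URL log. The following is an added, self-contained Python example written for this page; it is not code from the Palo Alto Networks Add-on and does not reflect how either version of the add-on performs its extraction. The key list (q, query, pq, p) comes from the search above, but the precedence order between keys, the field names search_term_key and search_term, and the sample events are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string keys named in the issue as carriers of the search term.
# The precedence order (q first) is an assumption made for this example.
SEARCH_TERM_KEYS = ("q", "query", "pq", "p")


def extract_search_term(url):
    """Return (key, term) for the first search-term key present in the URL's
    query string, or None when no such key carries a non-empty value."""
    # URL fields in firewall logs frequently omit the scheme, e.g.
    # "www.bing.com/search?q=..."; urlsplit still isolates the part after "?".
    query = urlsplit(url).query
    # parse_qs percent-decodes values and turns "+" into spaces;
    # keep_blank_values=False drops "q=" with nothing after it.
    params = parse_qs(query, keep_blank_values=False)
    for key in SEARCH_TERM_KEYS:
        values = params.get(key)
        if values:
            return key, values[0]
    return None


def search_terms_from_events(events):
    """events: iterable of dicts with at least 'url' and 'category'
    (constructed to mimic the fields the issue's search filters on).
    Returns the matching events with search_term_key and search_term added."""
    wanted = {"search-engines", "streaming-media"}   # categories from the issue
    results = []
    for ev in events:
        if ev.get("category") not in wanted:
            continue
        found = extract_search_term(ev.get("url", ""))
        if found is None:
            continue
        key, term = found
        results.append({**ev, "search_term_key": key, "search_term": term})
    return results


# Constructed sample events; not taken from the issue or from a real log.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "category": "search-engines",
     "url": "www.bing.com/search?q=splunk+url+parsing&pq=splunk+url"},
    {"src": "10.0.0.6", "category": "search-engines",
     "url": "https://duckduckgo.com/?query=pan%3Athreat%20fields&t=h_"},
    {"src": "10.0.0.7", "category": "streaming-media",
     "url": "https://video.example.net/results?p=incident%20response#top"},
    {"src": "10.0.0.8", "category": "search-engines",
     "url": "www.example-search.test/search?q="},          # empty term: skipped
    {"src": "10.0.0.9", "category": "business-and-economy",
     "url": "https://intranet.example.test/?q=payroll"},   # category: skipped
]

if __name__ == "__main__":
    for row in search_terms_from_events(SAMPLE_EVENTS):
        print(row["src"], row["search_term_key"], repr(row["search_term"]))
```

Running it against the constructed events yields three rows: the Bing URL resolves to key q with "splunk url parsing" (pq is present but q wins under the assumed precedence), the DuckDuckGo URL to "pan:threat fields" via query, and the streaming URL to "incident response" via p, with the fragment after "#" ignored. The empty q= and the out-of-category event produce nothing, which is the behaviour you would want to verify against whatever extraction the add-on applies.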

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!