Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
Describe the bug
The TA Input for PAN IOT has a single option, "on", and on every run it pulls in "All Time" for the 3x Entity Types. Obviously this is the type of Alert we want to see ASAP, so we leave the default of 300 seconds. This means that every 300 seconds we get an "All Time" pull for Vulnerabilities, same as for Alerts, so a malware detection or a discovered Vuln will (forever) generate a log event in Splunk every 300 seconds.
Traditionally with this type of data you pass in a "first seen" filter, so every 300 seconds you only pull the last 300 seconds' worth of new or modified logs.
TL;DR: every 300 seconds I get 10s of thousands of events pulled into the Splunk index for stuff that was generated 5 months ago.
Expected behavior
Only the delta should be pulled in; the Time Range should be offset based on the Input's cron schedule.
Current behavior
Every run, all events across all Entity types (vuln, device and alert) are pulled in.
Possible solution
Looking at the doco here: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api/get-vulnerability-instances There is a field stime that can be passed in. This should be set based on the cron schedule, so if the cron is set for 300 sec then the stime field should be zulu - 300 seconds.
Steps to reproduce
Screenshots
Context
Security Operations Response
Your Environment
Splunk Cloud and Splunk OnPrem