Threat (Searches and Report)

afhussain
Explorer

hi,

I installed the Splunk for Palo Alto Networks app and I can see all the threat, content, wildfire and traffic logs fine. All the dashboards work fine as well. My question is when I click on the drop-down menu for Threat and select PAN-Threat-Collect under Searches & Reports, it just comes up with a counter on the left-hand side and all the other columns are empty. The number increments as I select time but tabulated data is not populated. From the search if I remove "|ts collect namespace=pan_threat", I can see tabulated data but it does not summarize the results. Please help.

0 Karma

afhussain
Explorer

thanks for your help

0 Karma

afhussain
Explorer

Thanks for your prompt reply. I am very new to Splunk so still learning my way. As far as search, it would be useful to see a table view of top N hosts with highest count of malware/spyware/av activity.

0 Karma

btorresgil
Builder

This is possible in pie chart format via the Threat Dashboard. You can see the top N hosts on your network and off your network that have shown threat activity like malware/spyware/av, and top N users, too. If you're looking for a table or some specific threat type or field not on the dashboard, you can generate a table via a search like this...

`pan_threat` log_subtype="spyware" | stats count by src_ip | sort -count | head 20

For more info, you can open a new question on this.

0 Karma

btorresgil
Builder

That is expected. The searches that end with 'Collect' are specifically for collecting the indexed data for use in the dashboard graphs and tables. They run every 5 minutes by default. That's why if you remove the 'collect' command it shows a table, because you're telling it not to collect the data, but display it instead.

These searches are available in case you want to do a collect immediately instead of waiting 5 minutes. However, I understand how this might be confusing. I've considered removing these searches from the menu to prevent this kind of confusion, but that would keep people from being able to do a collection on demand.

Anyone, please let me know in the comments if you think it would be better to remove these collection searches from the menus, or leave them there.

0 Karma
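As an added illustration, not code from the app or from either poster, here is a small Python model of the distinction made above, using the search from the earlier answer: the stats/sort/head pipeline produces the per-host table, while a collect step stores those rows under a summary namespace and hands back only the number of rows written, which is the lone counter the question describes. The sample events, field names and function names are constructed assumptions, not the app's own.

```python
from collections import Counter

# Constructed sample PAN threat events (not real logs); only the fields the search uses.
THREAT_EVENTS = [
    {"log_subtype": "spyware", "src_ip": "10.0.0.5", "threat": "sig-1"},
    {"log_subtype": "spyware", "src_ip": "10.0.0.5", "threat": "sig-1"},
    {"log_subtype": "spyware", "src_ip": "10.0.0.7", "threat": "sig-2"},
    {"log_subtype": "vulnerability", "src_ip": "10.0.0.9", "threat": "sig-3"},
    {"log_subtype": "virus", "src_ip": "10.0.0.5", "threat": "sig-4"},
]


def top_hosts(events, subtype, n=20):
    """Model of: log_subtype=<subtype> | stats count by src_ip | sort -count | head n.
    Returns the table as (src_ip, count) pairs, highest count first."""
    counts = Counter(e["src_ip"] for e in events if e["log_subtype"] == subtype)
    return counts.most_common(n)


def collect(rows, summary_index, namespace):
    """Model of the '| collect namespace=...' step (summary indexing, simplified):
    the rows are appended to the summary namespace and the search result is just
    the number of rows written, so the user sees a counter rather than a table."""
    summary_index.setdefault(namespace, []).extend(rows)
    return len(rows)


def dashboard_view(summary_index, namespace, n=20):
    """What a dashboard panel reads: the already-collected rows, merged across
    every scheduled run, instead of re-scanning the raw threat events."""
    merged = Counter()
    for src_ip, count in summary_index.get(namespace, []):
        merged[src_ip] += count
    return merged.most_common(n)


if __name__ == "__main__":
    summary = {}                       # stands in for the summary index
    table = top_hosts(THREAT_EVENTS, "spyware")
    print("table without collect:", table)
    print("collect returns only:", collect(table, summary, "pan_threat"))
    print("dashboard reads:", dashboard_view(summary, "pan_threat"))
```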