Splunk Search

How to map similar extracted fields from Palo Alto logs with similar fields from Check Point OPSEC logs?

splunker12er
Motivator

More than Splunk, this question is related to firewall logs - any help is very much appreciated.

Desc: Mapping Key-value of pan_logs to OPSEC logs

Fields: category vs app_category & signature Vs rule_name ??

Details:
sourcetype: Palo alto logs
Field name: category (small-letter)

Field values:

any
computer-and-internet-info
business-and-economy
web-based-email
internet-communications-and-telephony
web-advertisements
search-engines
social-networking
private-ip-addresses
content-delivery-networks

sourcetype: opsec - checkpoint logs
Field name: I see fields app_category , matched_category--> but all the field values are extracted as= ""***** Confidential ******

How do I map similar category fields in OPSEC to similar fields from Palo Alto? Are there any other fields that map these values?

Also,

Fieldname: signature (palo_alto logs)
Fieldname: rule_name (opsec)

Can both fields be mapped?

0 Karma

spayneort
Contributor

To show the actual data instead of Confidential, you need to set the LEA Permissions to show all log fields. See here:

https://answers.splunk.com/answers/48450/opsec-lea-confidential.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...