Dear Support,
Is there a way to extract CVE number from Threat log event in PAN-OS and forward to Splunk via syslog
thanks
Kevin
The CVE is not part of the log. It is pulled from the firewall/Panorama API into a lookup table in Splunk. Use this saved search in the documentation to pull the CVE's from the Firewall/Panorama API:
https://splunk.paloaltonetworks.com/lookups.html#contentpack
HI @btorresgil did you add this script and when you run do you see threat:cve field added to the lookup ?
Hi Support,
We do have the same plugin installed in splunk, but there is no CVE there. Could you specify where in the app we can find it? Also, if Panorama is not sending that cve, how can splunk see it? My question is how to add the cve to be sent from the source that is along with threat id.
Are you using the palto alto splunk app? - https://splunkbase.splunk.com/app/491/
I am sorry, but I am not getting your question. If you can see the CVE number in the logs what is the trouble in extracting the same?