Hi
We have noticed that within the Palo Alto app-->Activity-GlobalProtect, "user" is always unknown.
In the transforms:

[extract_globalprotect_user]
SOURCE_KEY = description
REGEX = User name: (?[^,]+)

[extract_globalprotect_ip]
SOURCE_KEY = description
REGEX = Private IP: (?[^,]+)

The user should be extracted out of the description.
Within the props.conf, in the traffic section:

EVAL-user = coalesce(src_user,dest_user,"unknown")

Has anyone found this issue and resolved it?