
Why aren't the Palo Alto App and Palo Alto Add-on transforming global protect user?

aarongensch

Hi,
We have noticed that within the Palo Alto app --> Activity - GlobalProtect, "user" is always unknown.

In the transforms:

[extract_globalprotect_user]
SOURCE_KEY =  description
REGEX = User name: (?[^,]+)

[extract_globalprotect_ip]
SOURCE_KEY =  description
REGEX = Private IP: (?[^,]+)

The user should be extracted out of the description.

Within props.conf, in the traffic section:
EVAL-user = coalesce(src_user,dest_user,"unknown")

Has anyone found this issue and resolved it?
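One way to check offline how the `extract_globalprotect_user` transform and the `EVAL-user` line quoted above interact, as an added example that is not part of the original post or the add-on's own code. The capture-group names `src_user` and `user` and the sample event are assumptions (the regex in the post appears without a group name), and the third case runs the regex exactly as posted.

```python
import re

COALESCE_INPUTS = ("src_user", "dest_user")  # fields read by EVAL-user in the post

# Stanza from the post; {group} is the capture-group opener being tested.
TRANSFORM = """
[extract_globalprotect_user]
SOURCE_KEY = description
REGEX = User name: ({group}[^,]+)
"""

# Constructed sample event, not taken from a real firewall log.
EVENT = {"description": "GlobalProtect gateway user authentication succeeded. "
                        "Login from: 203.0.113.10, User name: jdoe, "
                        "Private IP: 10.0.0.5, Client OS: Windows"}

def parse_stanzas(conf_text):
    """Parse transforms.conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def extract(stanza, event):
    """Apply one REGEX stanza to event[SOURCE_KEY]; return the named captures."""
    # Python spells PCRE's (?<name>...) as (?P<name>...).
    pattern = re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", stanza["REGEX"])
    try:
        match = re.search(pattern, event.get(stanza["SOURCE_KEY"], ""))
    except re.error:
        return {}  # assumption: a regex that does not compile extracts nothing
    return match.groupdict() if match else {}

def resolve_user(group, event=EVENT):
    """Run the extraction, then the coalesce() that overwrites 'user'."""
    fields = dict(event)
    for stanza in parse_stanzas(TRANSFORM.format(group=group)).values():
        fields.update(extract(stanza, event))
    return next((fields[f] for f in COALESCE_INPUTS if fields.get(f)), "unknown")

if __name__ == "__main__":
    for group in ("?<src_user>", "?<user>", "?"):
        print(f"({group}[^,]+) -> user={resolve_user(group)}")
```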
