CIM-signature field Alias not working on sourcetype: pan:firewall_cloud #234

Open
are0002 opened this issue Jan 17, 2022 · 1 comment
are0002 commented Jan 17, 2022

Describe the bug

The CIM field "signature" is not present in sourcetype pan:firewall_cloud.

pan:firewall_cloud : FIELDALIAS-fwcloud_signature | ThreatName AS signature

Expected behavior

The field "signature" is necessary for CIM datamodels.

Current behavior

The field is not calculated.

Possible solution

I think the field "ThreatName" is not right. The right one seems to be "threat:name".
Another solution is to create a field alias of the "ThreadID" field.

Steps to reproduce

index="*" sourcetype="pan:firewall_cloud"

Your Environment

  • Version used: 7.0.3
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Splunk cloud with Chrome
  • Operating System and version (desktop or mobile): desktop
@are0002 are0002 added the bug label Jan 17, 2022
@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulmnguyen paulmnguyen self-assigned this Sep 13, 2022
btorresgil added a commit that referenced this issue Oct 7, 2022
Fixes #234

The threat_name field can now pull from the ThreatName field if it
exists, or the ThreatID field as a backup.