
User Field Calc Misconfiguration Pan:Threat #243

Open
RH-3 opened this issue Mar 11, 2022 · 1 comment
Labels
add-on Related to the Splunk Add-On bug

Comments

@RH-3

RH-3 commented Mar 11, 2022

Describe the bug

For the pan:threat sourcetype, we are observing un-parsed sender and recipient field values in the user field.

This is due to the fact that Splunk does not allow chained field calculations.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence#Calculated_fields

"All EVAL- configurations within a single props.conf stanza are processed in parallel, rather than in any particular sequence. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field."

Relevant Config from Props.conf:

# Reformat email related fields
EVAL-sender          = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient       = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user              = coalesce(src_user,dest_user,recipient,sender,"unknown")

Expected behavior

When src_user or dest_user is null, user will return the following:

| sourcetype | user | src_user | dest_user | sender | recipient |
|---|---|---|---|---|---|
| pan:threat | x_user@email.com | | | x_user@email.com | |
| pan:threat | y_user@email.com | | | | y_user@email.com |

Current behavior

When src_user or dest_user is null, we will observe the following on user:

| sourcetype | user | src_user | dest_user | sender | recipient |
|---|---|---|---|---|---|
| pan:threat | From: x_user@email.com; | | | x_user@email.com | |
| pan:threat | To: y_user@email.com; | | | | y_user@email.com |

Possible solution

Merge the field calc logic from sender and recipient into the user coalesce logic.

# Reformat email related fields
EVAL-sender          = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient       = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user              = coalesce(src_user,dest_user,split(replace(recipient,"^To: (.*?);?$","\1"),";"),split(replace(sender,"^From: (.*?);?$","\1"),";"),"unknown")

Steps to reproduce

Run SPL against smtp traffic that triggered signatures and filter on results that have null values for src_user and dest_user.

Your Environment

  • Observed in App version 7.0.3
  • Validated that this also impacts 7.0.4
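As an added example (not the add-on's code), the following Python simulates the parallel EVAL- semantics the issue quotes and lints a props stanza for chained calculated fields; the stanza text is the one from this issue, while the event dicts and the helper names (`find_chained_evals`, `eval_user`) are constructed for illustration.

```python
import re

# Constructed props.conf stanza, copied from the issue for illustration
BROKEN_STANZA = r'''
EVAL-sender    = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user      = coalesce(src_user,dest_user,recipient,sender,"unknown")
'''
EVAL_LINE = re.compile(r"^\s*EVAL-(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_evals(stanza):
    """Return {field: expression} for every EVAL- line in a props stanza."""
    return {m.group(1): m.group(2) for m in EVAL_LINE.finditer(stanza)}

def find_chained_evals(stanza):
    """Flag EVAL- fields whose expression reads another EVAL- field. Splunk
    evaluates all EVAL- entries of a stanza against the raw event in parallel,
    so such a reference sees the unparsed value. Quoted literals are blanked
    first so regex text like "From:" is not taken for a field name."""
    evals = parse_evals(stanza)
    chained = {}
    for field, expr in evals.items():
        code = re.sub(r'"(?:[^"\\]|\\.)*"', '""', expr)
        refs = {tok for tok in re.findall(r"\b[A-Za-z_]\w*\b", code)
                if tok in evals and tok != field}   # self-reference is fine
        if refs:
            chained[field] = sorted(refs)
    return chained

def parse_addr(raw, prefix):
    r"""Python equivalent of split(replace(raw,"^<prefix> (.*?);?$","\1"),";")."""
    if raw is None:
        return None
    return re.sub(rf"^{prefix} (.*?);?$", r"\1", raw).split(";")

def eval_user(event, inline_parsing):
    """Simulate EVAL-user on one raw pan:threat event (a dict).
    inline_parsing=False reproduces the issue's stanza (recipient/sender are
    read raw); True reproduces the proposed fix, which repeats the
    split(replace(...)) inside the coalesce."""
    if inline_parsing:
        recipient = parse_addr(event.get("recipient"), "To:")
        sender = parse_addr(event.get("sender"), "From:")
    else:
        recipient, sender = event.get("recipient"), event.get("sender")
    for value in (event.get("src_user"), event.get("dest_user"), recipient, sender):
        if value is not None:
            return value
    return "unknown"
```

Running `find_chained_evals` over a stanza before deploying it catches this class of misconfiguration at review time, and `eval_user` shows the raw `From: ...;` value leaking into `user` exactly as the "Current behavior" table reports.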
@RH-3 RH-3 added the bug label Mar 11, 2022
@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulmnguyen paulmnguyen added the add-on Related to the Splunk Add-On label May 18, 2022