
IoT Security Input 'Interval' Not Used To Influence 'stime' All Data All The Time #318

Open
simonsigre opened this issue Jan 5, 2024 · 1 comment

@simonsigre
Contributor

Describe the bug

The TA input for PAN IoT has a single option, "on", and on every run it pulls in "All Time" for the 3x entity types. Obviously this is the type of alert we want to see ASAP, so we leave the default of 300 seconds. This means that every 300 seconds we get an "All Time" pull for Vulnerabilities, the same as for Alerts, so a malware detection or a discovered vuln will (forever) generate a log event in Splunk every 300 seconds.

Traditionally with this type of data you pass in a "first seen" filter, so every 300 seconds you only pull the last 300 seconds' worth of new or modified logs.

TL;DR: every 300 seconds I get tens of thousands of events pulled into the Splunk index for stuff that was generated 5 months ago.

Expected behavior

Only the delta should be pulled in; the time range should be offset based on the input's cron schedule.

Current behavior

Every run, all events across all entity types (vuln, device and alert) are pulled in.

Possible solution

Looking at the doco here: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api/get-vulnerability-instances There is a field, stime, that can be passed in. This should be set based on the cron schedule, so if the cron is set for 300 sec then the stime field should be zulu - 300 seconds.

Steps to reproduce

  1. Create an API token in PAN IoT
  2. Deploy the latest Palo Alto TA for Splunk
  3. Set the input interval to 300 seconds
  4. Profit

Screenshots

Screenshot from 2024-01-05 11-22-41

Context

Security Operations Response

Your Environment

Splunk Cloud and Splunk OnPrem

  • Splunk_TA_paloalto 8.1.1
@simonsigre simonsigre added the bug label Jan 5, 2024
@simonsigre
Contributor Author

For anyone interested, we have our own TA that resolves this (and a few other) issues:

  • separate inputs per data type
  • CIM compliance
  • no longer duplicates events (proper tailing)

It's up on Splunkbase ... but drop me a post here if you're interested.
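The delta-window behaviour the issue asks for ("stime should be zulu - 300 seconds"), together with the checkpointed "proper tailing" the follow-up comment mentions, as an added example. This is not code from Splunk_TA_paloalto, from the commenter's TA or from the PAN IoT Security API; only the `stime` filter is named on the page. The record fields `id` and `detected_at`, the 60 second overlap and the checkpoint layout are assumptions made for illustration, and the feed is constructed sample data rather than real API output.

```python
"""Delta-window polling for an alert/vulnerability feed.

Added example for this issue; it is not code from Splunk_TA_paloalto or
from the PAN IoT Security API client. Only the `stime` filter is named
on the page. The record fields (`id`, `detected_at`), the 60 s overlap
and the checkpoint handling are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone

ZULU = "%Y-%m-%dT%H:%M:%SZ"


def to_zulu(ts):
    """Render an aware datetime as the Zulu string an `stime` filter takes."""
    return ts.astimezone(timezone.utc).strftime(ZULU)


def compute_stime(now, interval_seconds, checkpoint=None, overlap_seconds=60):
    """Start of the window to request on this run.

    First run (no checkpoint): now minus the input interval, i.e. the
    "zulu - 300 seconds" the issue asks for. Later runs: the previous run's
    timestamp minus a small overlap, so a late or skipped run cannot drop
    records that arrived just before the boundary. Anything re-fetched
    because of the overlap is dropped by the caller's seen-id set.
    """
    if checkpoint is None:
        return now - timedelta(seconds=interval_seconds)
    return checkpoint - timedelta(seconds=overlap_seconds)


def fetch_since(records, stime):
    """Stand-in for the API call: a server-side `stime` filter over records."""
    return [r for r in records if r["detected_at"] >= stime]


def poll_once(records, now, interval_seconds, state):
    """One run of the input. `state` is the persisted checkpoint dict.

    Returns (stime used, list of records not emitted on an earlier run).
    """
    stime = compute_stime(now, interval_seconds, state.get("checkpoint"))
    # Forget ids older than the window; the filter can never return them again.
    seen = {rid: ts for rid, ts in state.get("seen", {}).items() if ts >= stime}
    fresh = []
    for rec in fetch_since(records, stime):
        if rec["id"] in seen:
            continue  # re-fetched through the overlap, already indexed
        seen[rec["id"]] = rec["detected_at"]
        fresh.append(rec)
    state["checkpoint"] = now
    state["seen"] = seen
    return stime, fresh


def run_scenario():
    """Three 300 s runs over constructed data; returns (stime, new ids) per run."""
    t0 = datetime(2024, 1, 5, 11, 0, tzinfo=timezone.utc)
    # Constructed sample feed: one five-month-old vulnerability (what an
    # "All Time" pull re-sends every run) and one fresh alert.
    feed = [
        {"id": "vuln-1", "detected_at": t0 - timedelta(days=150)},
        {"id": "alert-1", "detected_at": t0 - timedelta(seconds=120)},
    ]
    state = {}
    out = []
    for run in range(3):
        now = t0 + timedelta(seconds=300 * run)
        if run == 1:  # a new alert lands just before the second run
            feed.append({"id": "alert-2", "detected_at": now - timedelta(seconds=20)})
        stime, fresh = poll_once(feed, now, 300, state)
        out.append((to_zulu(stime), [r["id"] for r in fresh]))
    return out


if __name__ == "__main__":
    for stime, ids in run_scenario():
        print(f"stime={stime} new={ids}")
```

The five-month-old record is never emitted, the fresh alert is emitted once, and the record that sits inside the overlap on the third run is re-fetched but suppressed by the seen-id set. A plain `now - interval` window with no checkpoint would instead drop any record that arrived while a run was late or skipped, which is why the checkpoint plus overlap is the safer form of "only the delta".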
