fix(addon): CDL threat_name field more robust

Fixes #234 The threat_name field can now pull from the ThreatName field if it exists, or the ThreatID field as a backup.
PaloAltoNetworks · Oct 7, 2022 · 6f290d0 · 6f290d0
1 parent af609bc
commit 6f290d0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
@@ -84,7 +84,7 @@ FIELDALIAS-fwcloud_src_zone = FromZone as src_zone
 FIELDALIAS-fwcloud_start_time = SessionStartTime as start_time
 FIELDALIAS-fwcloud_threat_category = ThreatCategory as threat_category
 FIELDALIAS-fwcloud_threat = ThreatID as threat
-FIELDALIAS-fwcloud_threat_name = ThreatName as threat_name 
+EVAL-threat_name = coalesce(ThreatName, ThreatNameFromID)
 FIELDALIAS-fwcloud_transport = Protocol as transport
 FIELDALIAS-fwcloud_type = LogType as type
 FIELDALIAS-fwcloud_log_type = LogType as log_type

diff --git a/Splunk_TA_paloalto/default/transforms.conf b/Splunk_TA_paloalto/default/transforms.conf
@@ -146,7 +146,7 @@ REGEX = \((?<threat_id>\d+)\)
 
 [extract_threat_name_cloud]
 SOURCE_KEY = ThreatID
-REGEX = ^(?<threat_name>[^(]*)
+REGEX = ^(?<ThreatNameFromID>[^(]*)
 
 [extract_dest_hostname_cloud]
 SOURCE_KEY = URL