From 6f290d058d8c5c8788927e39fc1b83e3501073fa Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Fri, 7 Oct 2022 08:01:49 -0700
Subject: [PATCH] fix(addon): CDL threat_name field more robust

Fixes #234

The threat_name field can now pull from the ThreatName field if it exists, or the ThreatID field as a backup.
---
 Splunk_TA_paloalto/default/props.conf | 2 +-
 Splunk_TA_paloalto/default/transforms.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index 25deca6c..737e74db 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -84,7 +84,7 @@ FIELDALIAS-fwcloud_src_zone = FromZone as src_zone
 FIELDALIAS-fwcloud_start_time = SessionStartTime as start_time
 FIELDALIAS-fwcloud_threat_category = ThreatCategory as threat_category
 FIELDALIAS-fwcloud_threat = ThreatID as threat
-FIELDALIAS-fwcloud_threat_name = ThreatName as threat_name
+EVAL-threat_name = coalesce(ThreatName, ThreatNameFromID)
 FIELDALIAS-fwcloud_transport = Protocol as transport
 FIELDALIAS-fwcloud_type = LogType as type
 FIELDALIAS-fwcloud_log_type = LogType as log_type
diff --git a/Splunk_TA_paloalto/default/transforms.conf b/Splunk_TA_paloalto/default/transforms.conf
index f6b702ca..95a7cbdc 100644
--- a/Splunk_TA_paloalto/default/transforms.conf
+++ b/Splunk_TA_paloalto/default/transforms.conf
@@ -146,7 +146,7 @@ REGEX = \((?\d+)\)
 
 [extract_threat_name_cloud]
 SOURCE_KEY = ThreatID
-REGEX = ^(?[^(]*)
+REGEX = ^(?[^(]*)
 
 [extract_dest_hostname_cloud]
 SOURCE_KEY = URL
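Review bot: The added EVAL-threat_name line depends on a field named ThreatNameFromID that nothing in props.conf defines, so a reader of this file cannot tell where the fallback value comes from; presumably it is the capture group produced by the [extract_threat_name_cloud] stanza in transforms.conf (the second hunk), whose group name has been lost in this rendering. A one-line comment above the EVAL would make the dependency and the precedence explicit, e.g. `# ThreatNameFromID is extracted from ThreatID by [extract_threat_name_cloud] in transforms.conf; ThreatName takes precedence when both exist`. Because threat_name is the CIM field that IDS detections and correlation searches key on, it is also worth confirming that this sourcetype stanza actually references extract_threat_name_cloud through a REPORT- setting; otherwise the coalesce fallback is silently empty and the fix does not apply. The enclosing sourcetype stanza starts outside the hunk.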
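Review bot: The removed and added REGEX lines in [extract_threat_name_cloud] render identically here because the named-capture-group names were dropped, so the actual change (apparently renaming the group to ThreatNameFromID to match the EVAL in props.conf) has to be inferred rather than read; a short comment inside the stanza would survive such rendering, e.g. `# Captures the name portion of ThreatID (everything before the first "(") as ThreatNameFromID`. Separately, `[^(]*` keeps any whitespace between the name and the parenthesized ID, so if ThreatID values take the form `Name (123)` the fallback field carries a trailing space and will not compare equal to the ThreatName form in lookups or correlation searches; `REGEX = ^(?<ThreatNameFromID>[^(]*?)\s*(?:\(|$)` trims that whitespace while still matching a ThreatID with no parenthesized suffix.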