Skip to content
This repository has been archived by the owner on Dec 14, 2024. It is now read-only.

User Field Calc Misconfiguration Pan:Threat #243

Open
RH-3 opened this issue Mar 11, 2022 · 1 comment
Open

User Field Calc Misconfiguration Pan:Threat #243

RH-3 opened this issue Mar 11, 2022 · 1 comment
Labels
add-on Related to the Splunk Add-On bug

Comments

@RH-3
Copy link

RH-3 commented Mar 11, 2022

Describe the bug

For the pan:threat sourcetype we are observing, un-parsed sender and recipient field values in the user field.

This is due to the fact the Splunk does not allow for chained Field Calculations.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence#Calculated_fields

"All EVAL- configurations within a single props.conf stanza are processed in parallel, rather than in any particular sequence. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field."

Relevant Config from Props.conf:

# Reformat email related fields
EVAL-sender          = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient       = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user              = coalesce(src_user,dest_user,recipient,sender,"unknown")

Expected behavior

When src_user or dest_user is null, user will return the following:

sourcetype user src_user dest_user sender recipient
pan:threat [email protected] [email protected]
pan:threat [email protected] [email protected]

Current behavior

When src_user or dest_user is null, we will observe the following on user:

sourcetype user src_user dest_user sender recipient
pan:threat From: [email protected]; [email protected]
pan:threat To: [email protected]; [email protected]

Possible solution

Merge the field calc logic from sender and recipient into the user coalesce logic.

# Reformat email related fields
EVAL-sender          = split(replace(sender,"^From: (.*?);?$","\1"),";")
EVAL-recipient       = split(replace(recipient,"^To: (.*?);?$","\1"),";")
EVAL-user              = coalesce(src_user,dest_user,split(replace(recipient,"^To: (.*?);?$","\1"),";"),split(replace(sender,"^From: (.*?);?$","\1"),";"),"unknown")

Steps to reproduce

Run SPL against smtp traffic that triggered signatures and filter on results that have null values for src_user and dest_user.

Your Environment

  • Observed in App version 7.0.3
  • Validated that this also impacts 7.0.4
@RH-3 RH-3 added the bug label Mar 11, 2022
@welcome-to-palo-alto-networks
Copy link

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulmnguyen paulmnguyen added the add-on Related to the Splunk Add-On label May 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
add-on Related to the Splunk Add-On bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@paulmnguyen @RH-3