https://live.paloaltonetworks.com/t5/log-forwarding-discussions/palo-alto-networks-app-for-splunk-url-category-logging-issue/m-p/382854#M29 <P>There is a flaw in the Palo Alto ‘category’ field reported to Splunk.</P><UL><LI>PA began support for multiple categories in 2019.&nbsp; A given URL can be part of multiple categories.&nbsp; This was done to support parallel data models.&nbsp;</LI><UL><LI>Legacy model: by industry (education, computer-and-internet, etc.)</LI><LI>A new additional model: by security risk (high, medium, low-risk)</LI></UL><LI>The PA syslog only supports one value in the category field.</LI><UL><LI>When the URL Filtering Policy has a different action for each category, the most restrictive action is performed and its category is logged.</LI></UL></UL><P>When the URL Filtering Policy has the same action for each category, each new category replaces the previous one in the log field.&nbsp; This is done alphabetically (a-z).</P><P>&nbsp;</P><P>What this means to us:</P><UL><LI>We haven’t observed many URLs that are double categorized, however I expect this to change with time.&nbsp; Splunk is already reporting the ‘low risk’ category as 10x higher than the next most frequently hit.&nbsp; <A href="https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__gcc01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fenterpriselogs.va.gov-252Fen-2DUS-252Fapp-252Fsearch-252Ferics-5Fworkspace-2523en-2DUS-252Fapp-252Fsearch-252Ferics-5Fworkspace-26data-3D04-257C01-257C-257C5b7c2cc685524ac5090a08d89e132e6d-257Ce95f1b23abaf45ee821db7ab251ab3bf-257C0-257C0-257C637433152499045623-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C1000-26sdata-3DBhFOj-252BeOZFMUwYt-252B30N5Cu9NbcRjJAtunpkA1vdOs-252BQ-253D-26reserved-3D0%26d%3DDwMFAg%26c%3DV9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo%26r%3DxquKz8jbXrIwc-c2fYKWmBIKsiAKxeQkP4Xk9ccoyag%26m%3DGschLh4vTUj5t1y6p-OGsfn_Jaek-2y8hZU9t368P_s%26s%3DkeElS-w0DHLZ1kBIypVgCMvlQvB-iyrsbi6XD-LOMsE%26e%3D&amp;data=04%7C01%7C%7C23c226b2c00447d9ea1f08d8c3dbe5da%7Ce95f1b23abaf45ee821db7ab251ab3bf%7C0%7C0%7C637474696503650744%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LYy%2FIEIhVCAG%2F8%2BKH1iBBFrFHMqUd0plpB6ro7sjGbc%3D&amp;reserved=0" target="_blank">https://enterpriselogs.va.gov/en-US/app/search/erics_workspace#en-US/app/search/erics_workspace</A></LI><LI>Splunk category searches are no longer reliable.&nbsp; Splunk events may list a security category when you searching an industry category, and vice-versa.</LI></UL><P>Splunk URL searches are still reliable, however they should be followed up with a query against the PA categorization web site.&nbsp; This web site will report if the URL is multi-categorized.</P> Fri, 29 Jan 2021 12:47:46 GMT dsmeerkat 2021-01-29T12:47:46Z https://live.paloaltonetworks.com/t5/log-forwarding-discussions/palo-alto-networks-app-for-splunk-url-category-logging-issue/m-p/382854#M29 <P>There is a flaw in the Palo Alto ‘category’ field reported to Splunk.</P><UL><LI>PA began support for multiple categories in 2019.&nbsp; A given URL can be part of multiple categories.&nbsp; This was done to support parallel data models.&nbsp;</LI><UL><LI>Legacy model: by industry (education, computer-and-internet, etc.)</LI><LI>A new additional model: by security risk (high, medium, low-risk)</LI></UL><LI>The PA syslog only supports one value in the category field.</LI><UL><LI>When the URL Filtering Policy has a different action for each category, the most restrictive action is performed and its category is logged.</LI></UL></UL><P>When the URL Filtering Policy has the same action for each category, each new category replaces the previous one in the log field.&nbsp; This is done alphabetically (a-z).</P><P>&nbsp;</P><P>What this means to us:</P><UL><LI>We haven’t observed many URLs that are double categorized, however I expect this to change with time.&nbsp; Splunk is already reporting the ‘low risk’ category as 10x higher than the next most frequently hit.&nbsp; <A href="https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__gcc01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fenterpriselogs.va.gov-252Fen-2DUS-252Fapp-252Fsearch-252Ferics-5Fworkspace-2523en-2DUS-252Fapp-252Fsearch-252Ferics-5Fworkspace-26data-3D04-257C01-257C-257C5b7c2cc685524ac5090a08d89e132e6d-257Ce95f1b23abaf45ee821db7ab251ab3bf-257C0-257C0-257C637433152499045623-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C1000-26sdata-3DBhFOj-252BeOZFMUwYt-252B30N5Cu9NbcRjJAtunpkA1vdOs-252BQ-253D-26reserved-3D0%26d%3DDwMFAg%26c%3DV9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo%26r%3DxquKz8jbXrIwc-c2fYKWmBIKsiAKxeQkP4Xk9ccoyag%26m%3DGschLh4vTUj5t1y6p-OGsfn_Jaek-2y8hZU9t368P_s%26s%3DkeElS-w0DHLZ1kBIypVgCMvlQvB-iyrsbi6XD-LOMsE%26e%3D&amp;data=04%7C01%7C%7C23c226b2c00447d9ea1f08d8c3dbe5da%7Ce95f1b23abaf45ee821db7ab251ab3bf%7C0%7C0%7C637474696503650744%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LYy%2FIEIhVCAG%2F8%2BKH1iBBFrFHMqUd0plpB6ro7sjGbc%3D&amp;reserved=0" target="_blank">https://enterpriselogs.va.gov/en-US/app/search/erics_workspace#en-US/app/search/erics_workspace</A></LI><LI>Splunk category searches are no longer reliable.&nbsp; Splunk events may list a security category when you searching an industry category, and vice-versa.</LI></UL><P>Splunk URL searches are still reliable, however they should be followed up with a query against the PA categorization web site.&nbsp; This web site will report if the URL is multi-categorized.</P> Fri, 29 Jan 2021 12:47:46 GMT https://live.paloaltonetworks.com/t5/log-forwarding-discussions/palo-alto-networks-app-for-splunk-url-category-logging-issue/m-p/382854#M29 dsmeerkat 2021-01-29T12:47:46Z