https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/466156#M102657 <P>We have&nbsp; a lot of devices sending logfiles to splunk but we&nbsp;<SPAN>differentiate</SPAN>&nbsp; the logfiles by source and the source is 100% from Palo</P><P>&nbsp;</P><P>Fact is the IP "<SPAN>72.5.65.111" changed in 07 Jul 21 from Hostname v10.events.data.microsoft.com </SPAN></P><P><SPAN>to (PAN) Category Malware on 14 Jul 21 I guess this alone is strange.</SPAN></P><P>&nbsp;</P><P><SPAN>Is there a way to import logfiles to a Palo Device Virtual/Hardware? Cause we export our logfiles every day so I have the original Logfile. </SPAN></P><P>&nbsp;</P> Wed, 16 Feb 2022 11:43:12 GMT hnasshoven 2022-02-16T11:43:12Z https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464473#M102512 <P>Hi,</P> <P>we use Splunk.</P> <P>&nbsp;</P> <P>We tried following searchstring: <FONT color="#FF0000">http_category=malware | timechart count BY vendor_action</FONT></P> <P>&nbsp;</P> <P>We find out that we get back action allowed with category malware.</P> <P>Is there a failure in the search?&nbsp;The action in our URL security profil for malware is block.&nbsp;</P> <P>Is there someone with same environment and same results ?</P> <P>&nbsp;</P> <P>best regards</P> <P>holger</P> Wed, 09 Feb 2022 12:44:08 GMT https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464473#M102512 hnasshoven 2022-02-09T12:44:08Z https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464629#M102517 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10783">@hnasshoven</a>,</P> <P>I think you'd really need to look at the logs on the firewall side of things in regards to these entries and actually see what's up. A snapshot of the query results doesn't present much data for troubleshooting. If you're blocking all malware sites I wouldn't expect to see any allow logs recorded, so something definitely seems odd at this point.&nbsp;</P> Wed, 09 Feb 2022 20:45:03 GMT https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464629#M102517 BPry 2022-02-09T20:45:03Z https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464771#M102533 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; that`s my problem, the logfiles on the device don`t catch the event anymore.&nbsp;&nbsp;</P> Thu, 10 Feb 2022 06:58:25 GMT https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/464771#M102533 hnasshoven 2022-02-10T06:58:25Z https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/466108#M102651 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10783">@hnasshoven</a> ,</P> <P>Looking at the date of those logs it has been almost an year so really depending on the volume of traffic your firewalls are processing, I am almost certain that your traffic log quota on the firewall is not able to keep traffic for such long period. You can check you retention under CLI with: &gt; show system logdb-quota</P> <P>&nbsp;</P> <P>"http_category" is field for logs of type url. And url log should be generated only when the URL match category with action, alert, block, or continue. Action allow will not generate url log entry.</P> <P>&nbsp;</P> <P>It is also strange that in your graph you see actions "deny" and "reset-both", which are not action from url type logs.</P> <P>So it looks like your query is returning mixture of different log types and I am wondering if some of them are not threat logs or something else.</P> <P>&nbsp;</P> <P>As <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> suggested you need to looks in the detailed logs to better understand what are those. If they are no longer present on the firewall, you need to query your Splunk and review detailed or raw logs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>On other hand...Nothing in your query is&nbsp; filtering by vendor, or by device. Are you sure the result is only from Palo Alto firewall logs? Are there any other security devices that are sending logs to your Splunk?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 16 Feb 2022 09:38:08 GMT https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/466108#M102651 aleksandar.astardzhiev 2022-02-16T09:38:08Z https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/466156#M102657 <P>We have&nbsp; a lot of devices sending logfiles to splunk but we&nbsp;<SPAN>differentiate</SPAN>&nbsp; the logfiles by source and the source is 100% from Palo</P><P>&nbsp;</P><P>Fact is the IP "<SPAN>72.5.65.111" changed in 07 Jul 21 from Hostname v10.events.data.microsoft.com </SPAN></P><P><SPAN>to (PAN) Category Malware on 14 Jul 21 I guess this alone is strange.</SPAN></P><P>&nbsp;</P><P><SPAN>Is there a way to import logfiles to a Palo Device Virtual/Hardware? Cause we export our logfiles every day so I have the original Logfile. </SPAN></P><P>&nbsp;</P> Wed, 16 Feb 2022 11:43:12 GMT https://live.paloaltonetworks.com/t5/general-topics/category-malware-with-action-allowed/m-p/466156#M102657 hnasshoven 2022-02-16T11:43:12Z