02-09-2022 04:44 AM
Hi,
we use Splunk.
We tried following searchstring: http_category=malware | timechart count BY vendor_action
We find out that we get back action allowed with category malware.
Is there a failure in the search? The action in our URL security profil for malware is block.
Is there someone with same environment and same results ?
best regards
holger
02-09-2022 12:45 PM
I think you'd really need to look at the logs on the firewall side of things in regards to these entries and actually see what's up. A snapshot of the query results doesn't present much data for troubleshooting. If you're blocking all malware sites I wouldn't expect to see any allow logs recorded, so something definitely seems odd at this point.
02-09-2022 10:58 PM
@BPry that`s my problem, the logfiles on the device don`t catch the event anymore.
02-16-2022 01:36 AM - edited 02-16-2022 01:38 AM
Hey @hnasshoven ,
Looking at the date of those logs it has been almost an year so really depending on the volume of traffic your firewalls are processing, I am almost certain that your traffic log quota on the firewall is not able to keep traffic for such long period. You can check you retention under CLI with: > show system logdb-quota
"http_category" is field for logs of type url. And url log should be generated only when the URL match category with action, alert, block, or continue. Action allow will not generate url log entry.
It is also strange that in your graph you see actions "deny" and "reset-both", which are not action from url type logs.
So it looks like your query is returning mixture of different log types and I am wondering if some of them are not threat logs or something else.
As @BPry suggested you need to looks in the detailed logs to better understand what are those. If they are no longer present on the firewall, you need to query your Splunk and review detailed or raw logs.
On other hand...Nothing in your query is filtering by vendor, or by device. Are you sure the result is only from Palo Alto firewall logs? Are there any other security devices that are sending logs to your Splunk?
02-16-2022 03:41 AM - edited 02-16-2022 03:43 AM
We have a lot of devices sending logfiles to splunk but we differentiate the logfiles by source and the source is 100% from Palo
Fact is the IP "72.5.65.111" changed in 07 Jul 21 from Hostname v10.events.data.microsoft.com
to (PAN) Category Malware on 14 Jul 21 I guess this alone is strange.
Is there a way to import logfiles to a Palo Device Virtual/Hardware? Cause we export our logfiles every day so I have the original Logfile.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
