CREATE CUSTOM REPORT FOR UNKNOWN USERS?


L3 Networker

Hello,

I want to create a custom report to identify all users that are not identified by the PALO-ALTO.

I can do that with the traffic log with the filter: not (user.src neq '') (I do a negate on "user is present").

I can see the unknown users in real time in the CLI with: show user ip-user-mapping | match unknow

But with the custom report filter it is not possible to use "negate", and the blank space doesn't work.

I can just use (=, in, is present, not in, !=) for the source user column.

And I don't know how to see which IPs match no user during a period.

Any idea?

thx

PS: when I create a report with destination hostname I see the hostname correctly, but when I do an export I see the IP address, not the hostname!

1 REPLY

L4 Transporter

Currently there is no way from the WebUI to add a custom rule with a search value of NO user. I would send a feature request to your SE.

There is, however, a workaround for this. The "is present" search string creates a value which you can change in the XML manually.

If you export your XML and search for the rule name you will see this: <query>user.src neq ''</query>. You can change the neq to eq and reimport the config, which will change the rule to user = <blank Value>, and it will search for users without a username.

Hope this helps.

Dominic
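
The XML edit described in the reply above, as an added Python example that is not part of the original thread and is not vendor code. The sample export is constructed, and the `<entry name="...">` layout around `<query>` and the name `flip_report_query` are assumptions; only the `<query>` text comes from the reply.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export. The element layout around <query> is an
# assumption; only the query string itself comes from the thread.
SAMPLE_EXPORT = """<config>
  <shared>
    <reports>
      <entry name="unknown-users">
        <query>(user.src neq '') and (zone.src eq trust)</query>
      </entry>
      <entry name="top-apps">
        <query>app neq 'dns'</query>
      </entry>
    </reports>
  </shared>
</config>"""

# Matches only the "is present" clause on source user, tolerant of spacing.
PRESENT = re.compile(r"user\.src\s+neq\s+''")


def flip_report_query(xml_text, report_name):
    """Rewrite `user.src neq ''` to `user.src eq ''` inside the <query>
    elements of the entry named report_name. Returns (new_xml, count)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for entry in root.iter("entry"):
        if entry.get("name") != report_name:
            continue  # leave every other report and rule untouched
        for query in entry.iter("query"):
            new_text, n = PRESENT.subn("user.src eq ''", query.text or "")
            if n:
                query.text = new_text
                changed += n
    if changed == 0:
        # Fail loudly rather than reimport an unchanged or wrong config.
        raise ValueError(f"no \"user.src neq ''\" clause under {report_name!r}")
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, count = flip_report_query(SAMPLE_EXPORT, "unknown-users")
    print(f"rewrote {count} clause(s)")
    print(new_xml)
```

ElementTree re-serialises the whole document (comments and the XML declaration are not preserved), so diff the output against the original export and confirm the only change is the one `<query>` line before reimporting.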
