There is a flaw in the Palo Alto ‘category’ field reported to Splunk. PA began support for multiple categories in 2019. A given URL can be part of multiple categories. This was done to support parallel data models. Legacy model: by industry (education, computer-and-internet, etc.) A new additional model: by security risk (high, medium, low-risk) The PA syslog only supports one value in the category field. When the URL Filtering Policy has a different action for each category, the most restrictive action is performed and its category is logged. When the URL Filtering Policy has the same action for each category, each new category replaces the previous one in the log field. This is done alphabetically (a-z). What this means to us: We haven’t observed many URLs that are double categorized, however I expect this to change with time. Splunk is already reporting the ‘low risk’ category as 10x higher than the next most frequently hit. https://enterpriselogs.va.gov/en-US/app/search/erics_workspace#en-US/app/search/erics_workspace Splunk category searches are no longer reliable. Splunk events may list a security category when you searching an industry category, and vice-versa. Splunk URL searches are still reliable, however they should be followed up with a query against the PA categorization web site. This web site will report if the URL is multi-categorized.
... View more