You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The TA Input for PAN IOT has a single option "on" and on every run it pulls in "All Time" for the 3x Entity Types. Obviously the type of Alert we want to see ASAP .. so we leave the default of 300 seconds .. this means that every 300 seconds we get a "All Time" for Vulnerabilities same as Alerts.. .so a malware detection or a discovered Vuln will (forever) generate a log event in Splunk every 300 seconds.
Traditionally with this type of data you pass in a "first seen" filter .. so every 300 seconds you only pull the last 300 seconds worth of new or modified logs.
TL;DR every 300 seconds I get 10s of thousands of events pulled into the Splunk index.. for stuff that was generated 5 months ago.
Expected behavior
Only the delta should be pulled in, Time Range should be offset based on the Inputs cron schedule..
Current behavior
Every run all events across all Entity types (vuln, device and alert) are pulled in
Describe the bug
The TA Input for PAN IOT has a single option "on" and on every run it pulls in "All Time" for the 3x Entity Types. Obviously the type of Alert we want to see ASAP .. so we leave the default of 300 seconds .. this means that every 300 seconds we get a "All Time" for Vulnerabilities same as Alerts.. .so a malware detection or a discovered Vuln will (forever) generate a log event in Splunk every 300 seconds.
Traditionally with this type of data you pass in a "first seen" filter .. so every 300 seconds you only pull the last 300 seconds worth of new or modified logs.
TL;DR every 300 seconds I get 10s of thousands of events pulled into the Splunk index.. for stuff that was generated 5 months ago.
Expected behavior
Only the delta should be pulled in, Time Range should be offset based on the Inputs cron schedule..
Current behavior
Every run all events across all Entity types (vuln, device and alert) are pulled in
Possible solution
Looking at the doco here; https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api/get-vulnerability-instances There is a field
stime
that can be passed in.. this should be set based on the cron schedule so if the cron is set for300sec
then thestime
field should be zulu - 300 seconds..Steps to reproduce
Screenshots
Context
Security Operations Response
Your Environment
Splunk Cloud and Splunk OnPrem
The text was updated successfully, but these errors were encountered: