feat(addon): Add new THREAT fields introduced in PANOS 10

Splunk_TA_paloalto/default/props.conf

@@ -106,7 +106,7 @@ EVAL-report_id       = if(log_subtype=="wildfire", coalesce(report_id,threat_id)
 EVAL-http_category   = if(log_subtype=="url", raw_category, null())
 EVAL-verdict         = if(log_subtype=="wildfire", raw_category, null())
 EVAL-threat_category = if(log_subtype!="url" AND log_subtype!="file", if(threat_category=="unknown",log_subtype,coalesce(threat_category,log_subtype)), null())
-EVAL-category        = if(log_subtype=="url" OR log_subtype=="file", raw_category, threat_category)
+EVAL-category        = if(log_subtype=="url" OR log_subtype=="file", split(coalesce(new_category, raw_category), ","), threat_category)
 
 # Decode hex flags
 EVAL-flags           = mvappend(if(floor(tonumber(session_flags,16) / pow(2, 31))%2==0,null(),"pcap"),if(floor(tonumber(session_flags,16) / pow(2, 28))%2==0,null(),"credential_detected"),if(floor(tonumber(session_flags,16) / pow(2, 25))%2==0,null(),"ipv6"),if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted"),if(floor(tonumber(session_flags,16) / pow(2, 23))%2==0,null(),"denied_by_url_filtering"),if(floor(tonumber(session_flags,16) / pow(2, 22))%2==0,null(),"nat"),if(floor(tonumber(session_flags,16) / pow(2, 21))%2==0,null(),"captive_portal"),if(floor(tonumber(session_flags,16) / pow(2, 19))%2==0,null(),"x_forwarded_for"),if(floor(tonumber(session_flags,16) / pow(2, 18))%2==0,null(),"http_proxy"),if(floor(tonumber(session_flags,16) / pow(2, 15))%2==0,null(),"container_page"),if(floor(tonumber(session_flags,16) / pow(2, 13))%2==0,null(),"implicit_application"),if(floor(tonumber(session_flags,16) / pow(2, 11))%2==0,null(),"symmetric_return"))

Splunk_TA_paloalto/default/transforms.conf

@@ -74,7 +74,7 @@ FORMAT = sourcetype::pan:config_traps
 
 [extract_threat]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version"
+FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version","future_use5","sctp_id","payload_protocol_id","http_headers","url_category_list","rule_uuid", "http2_connection","dynamic_user_group_name"
 
 [extract_traffic]
 DELIMS = ","