Incorrect Field Mapping - PAN Threat - User Field (mapped with http category - Sender)

[dharmanr]

We have observed the props enabled with comma separated defined fields and its mapped with incorrect values..

User field mapped with the value (music-low risk, private IP addressed) which is actually http category and its mapped to sender.

https://splunkbase.splunk.com/app/2757

EVAL-user = case(SourceUser!="null",'SourceUser',SourceUserName !="null",'SourceUserName',src_user!="null",'src_user',dest_user!="null",'dest_user',recipient!="null",'recipient',sender!="null",'sender',true(),"unknown")

[welcome-to-palo-alto-networks]

🎉 Thanks for opening your first issue here! Welcome to the community!

[paulmnguyen]

Hi @dharmanr Could you please let me know what version of PANOS you are using?

[dharmanr]

Hi All, We are on PANOS 10.1.5 on all of our Palos. Thanks Warm Regards, Dharman.R Director – Security Operations Center M +91 9384049333 From: Paul Nguyen ***@***.***> Sent: Wednesday, June 7, 2023 10:06 AM To: PaloAltoNetworks/Splunk-Apps ***@***.***> Cc: Dharman R ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] : Re: [PaloAltoNetworks/Splunk-Apps] Incorrect Field Mapping - PAN Threat - User Field (mapped with http category - Sender) (Issue #297) CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Hi @dharmanr<https://github.com/dharmanr> Could you please let me know what version of PANOS you are using? — Reply to this email directly, view it on GitHub<#297 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BACWXVNYRG4H6REQST6VVX3XKAALBANCNFSM6AAAAAAYOHNQEI>. You are receiving this because you were mentioned.Message ID: ***@***.***>