Are there best practices when mapping PaloAlto firewall logs to CIM datamodels?
One thing that I noticed is that Network_Traffic maps anything with tag="network" and tag="communicate". This means all logs of type "start" and "end", which are not filter terms for the Network_Traffic datamodel. It seems to me that the datamodel should only include "end" events to prevent double counting traffic. Is that right? Are there other considerations for how PaloAlto firewall logs should get mapped into Network_Traffic?
How about how PaloAlto firewall logs get mapped into other datamodels?
- Network_Sessions
- Web
Are there best practice docs for other log sources getting properly mapped to CIM datamodels? If not, such docs could prove invaluable to a person trying to get their datamodels working properly.
This has been bugging me since we implemented Splunk ES. Our professional services consultant thought I should have had an answer for Network_Traffic (we didn't even address others), but without more knowledge of how the datamodels were used, I could not know.
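An added example, not code from the original post or from Splunk or Palo Alto Networks: a small Python simulation of the start/end double counting the question describes, run over constructed key=value records (the field names log_subtype and session_id, and the zero-byte start records, are assumptions made for the illustration).

```python
# Added example (not from the original post): shows how feeding both "start" and
# "end" traffic events into a traffic view inflates per-session counts, and what a
# "keep only end events" filter does to sessions that are still open.
# The records below are constructed, simplified key=value lines, not real PAN output.
from collections import Counter

CONSTRUCTED_EVENTS = [
    "log_subtype=start session_id=1001 src=10.0.0.5 dest=198.51.100.7 dest_port=443 bytes=0",
    "log_subtype=end   session_id=1001 src=10.0.0.5 dest=198.51.100.7 dest_port=443 bytes=48210",
    "log_subtype=start session_id=1002 src=10.0.0.9 dest=203.0.113.2 dest_port=53 bytes=0",
    "log_subtype=end   session_id=1002 src=10.0.0.9 dest=203.0.113.2 dest_port=53 bytes=312",
    # Session still open at query time: only a start record exists so far.
    "log_subtype=start session_id=1003 src=10.0.0.5 dest=203.0.113.9 dest_port=22 bytes=0",
]

def parse(line):
    """Split a constructed key=value record into a dict; bytes becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["bytes"] = int(fields["bytes"])
    return fields

def summarize(events, subtypes=("start", "end")):
    """Count events per (src, dest, dest_port) tuple and sum bytes, keeping only
    the given log_subtype values. This mirrors the effect of a datamodel constraint."""
    kept = [e for e in events if e["log_subtype"] in subtypes]
    per_tuple = Counter((e["src"], e["dest"], e["dest_port"]) for e in kept)
    return {"events": len(kept),
            "bytes": sum(e["bytes"] for e in kept),
            "tuples": per_tuple}

def open_sessions(events):
    """Sessions with a start but no end: these vanish from an end-only view."""
    started = {e["session_id"] for e in events if e["log_subtype"] == "start"}
    ended = {e["session_id"] for e in events if e["log_subtype"] == "end"}
    return sorted(started - ended)

EVENTS = [parse(line) for line in CONSTRUCTED_EVENTS]

if __name__ == "__main__":
    both = summarize(EVENTS)
    end_only = summarize(EVENTS, subtypes=("end",))
    print("start+end:", both["events"], "events,", both["bytes"], "bytes")
    print("end only: ", end_only["events"], "events,", end_only["bytes"], "bytes")
    print("still open (start only):", open_sessions(EVENTS))
```

With the constructed data the byte total is the same either way, but each closed session shows up twice in the start+end view, and the end-only view drops the session that has not closed yet.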