From f3780f08b99d2a4db3a4ab8810db5dbb773a5176 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Fri, 7 Oct 2022 08:04:56 -0700
Subject: [PATCH 1/2] fix(addon): Remove pan_file eventtype from IDS CIM datamodel
Not all 'file' events are bad, so having pan_file in the IDS datamodel causes a lot of false positives.
---
 Splunk_TA_paloalto/default/eventtypes.conf | 1 -
 Splunk_TA_paloalto/default/tags.conf | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/Splunk_TA_paloalto/default/eventtypes.conf b/Splunk_TA_paloalto/default/eventtypes.conf
index 0a47612c..4f7c1c12 100644
--- a/Splunk_TA_paloalto/default/eventtypes.conf
+++ b/Splunk_TA_paloalto/default/eventtypes.conf
@@ -44,7 +44,6 @@ search = sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firew
 [pan_file]
 search = sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firewall_cloud AND LogType="THREAT") AND log_subtype = "file"
-#tags = ids attack
 [pan_url]
 search = sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firewall_cloud AND LogType="THREAT") AND log_subtype = "url"
diff --git a/Splunk_TA_paloalto/default/tags.conf b/Splunk_TA_paloalto/default/tags.conf
index 8f3cb4e6..34095a94 100644
--- a/Splunk_TA_paloalto/default/tags.conf
+++ b/Splunk_TA_paloalto/default/tags.conf
@@ -18,9 +18,7 @@ communicate = enabled
 ids = enabled
 attack = enabled
-[eventtype=pan_file]
-ids = enabled
-attack = enabled
+#[eventtype=pan_file]
 #[eventtype=pan_data]
From 87fe459b186e2fa6fa695d199a929ebae5013204 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Fri, 7 Oct 2022 08:06:00 -0700
Subject: [PATCH 2/2] chore: Remove tags comment from pan_data eventtype
pan_data does not have any tags. This comment seems out of date.
---
 Splunk_TA_paloalto/default/eventtypes.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Splunk_TA_paloalto/default/eventtypes.conf b/Splunk_TA_paloalto/default/eventtypes.conf
index 4f7c1c12..724886d9 100644
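Review bot: Dropping `ids = enabled` and `attack = enabled` from `[eventtype=pan_file]` in tags.conf removes every file-subtype threat log from the Intrusion_Detection data model, so the false-positive fix also removes the true positives in that subtype — file events the firewall blocked or flagged at high severity no longer reach any CIM-based detection. If the TA exposes the firewall's action and severity fields for these logs (I believe it does, but confirm in props/transforms), a narrower eventtype restricted to blocked or high-severity file events could carry the `ids`/`attack` tags instead, keeping coverage without the noise. Leaving the stanza as `#[eventtype=pan_file]` matches the existing `#[eventtype=pan_data]` line below it, so no style concern there, but a future maintainer may simply uncomment it; a one-line comment such as `# pan_file intentionally untagged: file-subtype threat logs are mostly benign and flood Intrusion_Detection` would record the decision. The first hunk of this patch only removes an already-commented `#tags` line, so it needs no change.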
--- a/Splunk_TA_paloalto/default/eventtypes.conf
+++ b/Splunk_TA_paloalto/default/eventtypes.conf
@@ -51,7 +51,6 @@ search = sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firew
 [pan_data]
 search = sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firewall_cloud AND LogType="THREAT") AND log_subtype = "data"
-#tags = web
 [pan_virus]
 search = (sourcetype=pan_threat OR sourcetype=pan:threat OR (sourcetype=pan:firewall_cloud AND LogType="THREAT")) AND (log_subtype = "virus" OR log_subtype = "wildfire-virus")