fix(addon): CDL threat_name field more robust

Fixes #234

The threat_name field can now pull from the ThreatName field if it
exists, or the ThreatID field as a backup.

Author: btorresgil

Splunk_TA_paloalto/default/props.conf

@@ -84,7 +84,7 @@ FIELDALIAS-fwcloud_src_zone = FromZone as src_zone
 FIELDALIAS-fwcloud_start_time = SessionStartTime as start_time
 FIELDALIAS-fwcloud_threat_category = ThreatCategory as threat_category
 FIELDALIAS-fwcloud_threat = ThreatID as threat
-FIELDALIAS-fwcloud_threat_name = ThreatName as threat_name 
+EVAL-threat_name = coalesce(ThreatName, ThreatNameFromID)
 FIELDALIAS-fwcloud_transport = Protocol as transport
 FIELDALIAS-fwcloud_type = LogType as type
 FIELDALIAS-fwcloud_log_type = LogType as log_type

Splunk_TA_paloalto/default/transforms.conf

@@ -146,7 +146,7 @@ REGEX = \((?<threat_id>\d+)\)
 
 [extract_threat_name_cloud]
 SOURCE_KEY = ThreatID
-REGEX = ^(?<threat_name>[^(]*)
+REGEX = ^(?<ThreatNameFromID>[^(]*)
 
 [extract_dest_hostname_cloud]
 SOURCE_KEY = URL