What Changed

The ASIM Authentication parsers for Palo Alto PAN-OS and GlobalProtect now map the DvcIpAddr field to the DeviceAddress IP address instead of the Computer hostname.

Parser Impact

  • Field mapping corrected: DvcIpAddr now uses DeviceAddress instead of Computer hostname
  • Affected parsers: ASimAuthenticationPaloAltoPanOS and ASimAuthenticationPaloAltoGlobalProtect (both standard and filtering variants)
  • Data fidelity fix: Queries referencing DvcIpAddr against these parsers previously received hostname values instead of IP addresses — this corrects the field semantics to match ASIM schema expectations

The change affects the device IP address field normalization in authentication events from Palo Alto firewalls and GlobalProtect VPN connections. Existing detections using DvcIpAddr will now receive proper IP address values instead of hostnames.
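An added example, not part of the ASIM project's code: a Python check that scans saved KQL query text for DvcIpAddr filters still written against hostname values, which stop matching once the field carries IP addresses. The rule names, sample queries and function names are constructed for illustration.

```python
import ipaddress
import re

# KQL operators that compare DvcIpAddr with one or more string literals.
_PREDICATE = re.compile(
    r"""\bDvcIpAddr\s*(==|!=|=~|!~|!?in~?|has|contains|startswith)\s*"""
    r"""(\([^)]*\)|"[^"]*"|'[^']*')""",
    re.IGNORECASE,
)
_LITERAL = re.compile(r"""["']([^"']*)["']""")
_PARTIAL_OPS = {"has", "contains", "startswith"}

def _looks_like_ip(value: str, partial: bool) -> bool:
    if partial:
        # Substring operators: accept fragments such as "10.1." or "fe80:".
        return bool(re.fullmatch(r"[0-9a-fA-F.:]+", value))
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def stale_hostname_filters(query: str) -> list[str]:
    """Return literals compared with DvcIpAddr that are not IP addresses."""
    stale = []
    for op, operand in _PREDICATE.findall(query):
        partial = op.lower() in _PARTIAL_OPS
        for literal in _LITERAL.findall(operand):
            if not _looks_like_ip(literal, partial):
                stale.append(literal)
    return stale

def audit(rules: dict[str, str]) -> dict[str, list[str]]:
    """Map each rule name to its hostname-style DvcIpAddr literals, if any."""
    return {n: h for n, q in rules.items() if (h := stale_hostname_filters(q))}

# Constructed sample rule queries (not taken from any real workspace).
SAMPLE_RULES = {
    "vpn-failures-by-gateway": 'ASimAuthenticationPaloAltoGlobalProtect | where DvcIpAddr in ("fw-edge-01", "10.0.0.5") | where EventResult == "Failure"',
    "panos-admin-logons": 'ASimAuthenticationPaloAltoPanOS | where DvcIpAddr == "192.0.2.10"',
    "branch-firewalls": 'ASimAuthenticationPaloAltoPanOS | where DvcIpAddr startswith "fw-branch"',
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_RULES).items():
        print(f"{name}: hostname literals on DvcIpAddr -> {hits}")
```

Rules it flags need their literals replaced with the device's IP address, or the filter moved to a field that carries the hostname.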

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/ASimAuthenticationPaloAltoGlobalProtect.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoPanOS/ASimAuthenticationPaloAltoPanOS.json
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/vimAuthenticationPaloAltoGlobalProtect.json
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoPanOS/vimAuthenticationPaloAltoPanOS.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoGlobalProtect.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoPanOS.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoGlobalProtect.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoPanOS.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoGlobalProtect.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoPanOS.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoGlobalProtect.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoPanOS.yaml