Palo Alto Networks Add-on for Splunk
Overview
Details
This Add-on (TA) is designed to work with the Palo Alto Networks App for Splunk and Splunk Enterprise Security.
Installation
- Follow the Installation Guide to install and configure the Add-on.
Support
Products Supported
- Firewall and Panorama
- Traps Endpoint Protection
- Aperture SaaS Application Security
- AutoFocus Threat Intelligence
- MineMeld Threat Intelligence Orchestrator
- WildFire Malware Analysis
Authors
Palo Alto Networks
- Brian Torres-Gil
- Paul Nguyen
- Garfield Freeman
Release Notes
Version 6.1.1
Version 6.1.1
- Fix: Improved API call to Aperture
- Fix: Aperture region field no longer ignored
- Fix: Traps event types updated
- Fix: Improved clustered environment support
Version 6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: Support for Firewall User-ID logs
- New: Credential Detected flag for PAN-OS 8.1
- New: MineMeld indicator retention timer
- New: Batch collection of Aperture logs
- New: Support all Aperture regions
- New: Easier to disable certificate validation for self-hosted MineMeld
- New: Malicious WildFire events tagged for Malware CIM datamodel
- Fix: category field for URL logs is now more consistent
- Fix: url_length field fixed
- Fix: Corrected the double parse of Aperture logs
Potentially breaking changes:
- Traps datamodel has been renamed from pan_endpoint to pan_traps
Version 6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: Support for Firewall User-ID logs
- New: Credential Detected flag for PAN-OS 8.1
- New: MineMeld indicator retention timer
- New: Batch collection of Aperture logs
- New: Support all Aperture regions
- New: Easier to disable certificate validation for self-hosted MineMeld
- New: Malicious WildFire events tagged for Malware CIM datamodel
- Fix: category field for URL logs is now more consistent
- Fix: url_length field fixed
- Fix: Corrected the double parse of Aperture logs
Potentially breaking changes:
- Traps datamodel has been renamed from pan_endpoint to pan_traps
Version 6.0.2
v.6.0.2
* threat_list.csv and app_list.csv updated.
v.6.0.1
* Fixed threat list warning message
v6.0.0
* MineMeld Support
* AutoFocus Tags Support
* Aperture Support
* PAN-OS 8.0 new fields
* Threat Intelligence from MineMeld can be shared with Splunk Enterprise Security
* Improved CIM adoption
* Datamodel optimizations for size on disk and performance
Version 6.0.1
v.6.0.1
* Fixed threat list warning message
v6.0.0
* MineMeld Support
* AutoFocus Tags Support
* Aperture Support
* PAN-OS 8.0 new fields
* Threat Intelligence from MineMeld can be shared with Splunk Enterprise Security
* Improved CIM adoption
* Datamodel optimizations for size on disk and performance
Version 6.0.0
v6.0.0
* MineMeld Support
* AutoFocus Tags Support
* Aperture Support
* PAN-OS 8.0 new fields
* Threat Intelligence from MineMeld can be shared with Splunk Enterprise Security
* Improved CIM adoption
* Datamodel optimizations for size on disk and performance
Version 3.8.2
v3.8.2
* Improved CIM support for correlation log.
v3.8.1
* Configuration screen bug fix
v3.8.1
* Configuration screen bug fix
v3.8.0
* AutoFocus Export List modular input
* Improved configuration screen allows credentials to be changed
Version 3.8.1
v3.8.1
* Configuration screen bug fix
v3.8.0
* AutoFocus Export List modular input
* Improved configuration screen allows credentials to be changed
Version 3.8.0
v3.8.0
* AutoFocus Export List modular input
* Improved configuration screen allows credentials to be changed
Version 3.7.1
v3.7.1
- Changes made to meet new certification requirements
v3.7.0
- Integration with new Splunk Adaptive Response
- Tag to dynamic address group using modular actions and Adaptive Response
- Submit URL’s from any log in Splunk to WildFire
- Logs with malware hashes have a new event action that links directly to that hash in Autofocus
- Improved tagging for Splunk Enterprise Security, based on customer feedback
- New parser for GlobalProtect logs
Important Add-on Upgrade Notes
- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.
Version 3.6.1
* Add-on Certified by Splunk
Version 3.6.0
* Support new Traps 3.3.2 log format
WARNING: Traps versions before 3.3.2 are no longer supported beginning with this Add-on version
Version 3.5.2
* Fix issue where endpoint logs would show up in CIM apps, but not Palo Alto Networks app
Version 3.5.1
* Add support for PAN-OS 7.0 new fields
* Add hip-match log type from Firewall and Panorama
* Add sourcetype category
* Add Sanctioned SaaS lookup table
* Update app_list.csv and threat_list.csv lookup tables with new format and data
* Fix incorrect value in report_id field for Wildfire logs in PAN-OS 6.1 or higher
* Fix src_category field should be dest_category
Version 3.5.0
Splunk Add-on for Palo Alto Networks 3.5.0. Copyright (C) 2014-2015 Splunk Inc. All rights reserved.
This new Add-on (TA) for Palo Alto Networks supports logs from Palo Alto Networks Next-generation Firewall, Panorama, and Traps Endpoint Security Manager. It is CIM 4.x compliant and designed to work with Splunk Enterprise Security 4 and the Palo Alto Networks App for Splunk v5.0.