This Add-on (TA) is designed to work with the Palo Alto Networks App for Splunk and Splunk Enterprise Security.
Palo Alto Networks
Features
- app/addon: Tag to Dynamic User Group
- app/addon: Update pandevice to 0.14.0
Bug Fixes
- addon: Remove the 'state_change_requires_restart' flag
Features
- addon: Decryption Log Support
Bug Fixes
- addon: Fix: remove port from `dest_name` field
Bug Fixes
- addon: Fix parser for GlobalProtect 9.1 log sourcetype
Features
- app/addon: Python 3 Support
- app/addon: Support GlobalProtect log type in PANOS 9.1
Bug Fixes
- addon: Fix appserver/static files
Version 6.2.0
- New: Palo Alto Networks Logo
- Fix: Improved Transform of Traps Analytics Logs
- Fix: Removed deprecated "NewApp" API call to Applipedia
Version 6.1.1
- Fix: Improved API call to Aperture
- Fix: Aperture region field no longer ignored
- Fix: Traps event types updated
- Fix: Improved clustered environment support
Version 6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: Support for Firewall User-ID logs
- New: Credential Detected flag for PAN-OS 8.1
- New: MineMeld indicator retention timer
- New: Batch collection of Aperture logs
- New: Support all Aperture regions
- New: Easier to disable certificate validation for self-hosted MineMeld
- New: Malicious WildFire events tagged for Malware CIM datamodel
- Fix: category field for URL logs is now more consistent
- Fix: url_length field fixed
- Fix: Corrected the double parse of Aperture logs
Potentially breaking changes:
- Traps datamodel has been renamed from pan_endpoint to pan_traps
v6.0.2
* threat_list.csv and app_list.csv updated.
v6.0.1
* Fixed threat list warning message
v6.0.0
* MineMeld Support
* AutoFocus Tags Support
* Aperture Support
* PAN-OS 8.0 new fields
* Threat Intelligence from MineMeld can be shared with Splunk Enterprise Security
* Improved CIM adoption
* Datamodel optimizations for size on disk and performance
v3.8.2
* Improved CIM support for correlation log.
v3.8.1
* Configuration screen bug fix
v3.8.0
* AutoFocus Export List modular input
* Improved configuration screen allows credentials to be changed
v3.7.1
- Changes made to meet new certification requirements
v3.7.0
- Integration with new Splunk Adaptive Response
- Tag to dynamic address group using modular actions and Adaptive Response
- Submit URLs from any log in Splunk to WildFire
- Logs with malware hashes have a new event action that links directly to that hash in AutoFocus
- Improved tagging for Splunk Enterprise Security, based on customer feedback
- New parser for GlobalProtect logs
Important Add-on Upgrade Notes
- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.
* Add-on Certified by Splunk
* Support new Traps 3.3.2 log format
WARNING: Traps versions before 3.3.2 are no longer supported beginning with this Add-on version
* Fix issue where endpoint logs would show up in CIM apps, but not Palo Alto Networks app
* Add support for PAN-OS 7.0 new fields
* Add hip-match log type from Firewall and Panorama
* Add sourcetype category
* Add Sanctioned SaaS lookup table
* Update app_list.csv and threat_list.csv lookup tables with new format and data
* Fix incorrect value in report_id field for Wildfire logs in PAN-OS 6.1 or higher
* Fix src_category field that should have been dest_category
Splunk Add-on for Palo Alto Networks 3.5.0. Copyright (C) 2014-2015 Splunk Inc. All rights reserved.
This new Add-on (TA) for Palo Alto Networks supports logs from Palo Alto Networks Next-generation Firewall, Panorama, and Traps Endpoint Security Manager. It is CIM 4.x compliant and designed to work with Splunk Enterprise Security 4 and the Palo Alto Networks App for Splunk v5.0.