Palo Alto Networks App for Splunk
Overview
Details
Palo Alto Networks App for Splunk leverages the data visibility provided by the Palo Alto Networks security platform with Splunk's extensive investigation and visualization capabilities to deliver advanced security reporting and analysis. This app enables security analysts, administrators, and architects to correlate application and user activities across all network and security infrastructures from a real-time and historical perspective. Complicated incident analysis that previously consumed days of manual and error-prone data mining can now be automated, saving not only manpower but also enabling key enterprise security resources to focus on critical, time-sensitive investigations.
Overview
- Partnership Overview (video)
- App Tour (video)
Requirements
Installation
- Follow the Installation Guide to install and configure the App and Add-on.
Support
Products Supported
- Firewall and Panorama
- Traps Endpoint Protection
- Aperture SaaS Application Security
- AutoFocus Threat Intelligence
- MineMeld Threat Intelligence Orchestrator
- WildFire Malware Analysis
Authors
Palo Alto Networks
- Brian Torres-Gil
- Paul Nguyen
- Garfield Freeman
Release Notes
Version 6.4.0
Features
- addon: Decryption Log Support
Bug Fixes
- addon: Fix Remove port from `dest_name` field
Version 6.3.1
### Bug Fixes
* **addon:** Fix parser for GlobalProtect 9.1 log sourcetype
Version 6.3.0
Features
- app/addon: Python 3 Support
- app/addon: Support GlobalProtect log type in PANOS 9.1
Bug Fixes
- addon: Fix appserver/static files
Version 6.2.0
v6.2.0
- New: Palo Alto Networks Logo
- Fix: Retired "NewApp" API call to Applipedia
v6.1.1
- New: Dark mode supported
- Fix: Endpoint dashboard and datamodel
v6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: User ID updates can now be added with a timeout setting
- Enh: Real-time dashboard now uses only a single base search
- Fix: User ID updates work consistently via Panorama
- Fix: Issue with Block-Continue panel in Web Activity report
Version 6.1.1
v6.1.1
- New: Dark mode supported
- Fix: Endpoint dashboard and datamodel
v6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: User ID updates can now be added with a timeout setting
- Enh: Real-time dashboard now uses only a single base search
- Fix: User ID updates work consistently via Panorama
- Fix: Issue with Block-Continue panel in Web Activity report
Version 6.1.0
- New: Support for Traps 5.0 (Traps Management Service)
- New: User ID updates can now be added with a timeout setting
- Enh: Real-time dashboard now uses only a single base search
- Fix: User ID updates work consistently via Panorama
- Fix: Issue with Block-Continue panel in Web Activity report
Version 6.0.1
v6.0.1
* Improved filtering on dashboards
* Improved debugging logs
v6.0.0
* All new dashboards
- Adversary Scoreboard
- All Incident Feed
- Real-time Event Feed
- Datamodel Audit
- User Behavior
- And many more new dashboards...
* Tool tips and Tour to help guide you through the new dashboards
* Events from Firewall, Panorama, Traps, Aperture, AutoFocus, and Minemeld correlate and combine to offer unparalleled security insights
* Support for content pack sync with PAN-OS 8.0
Version 6.0.0
v6.0.0
* All new dashboards
- Adversary Scoreboard
- All Incident Feed
- Real-time Event Feed
- Datamodel Audit
- User Behavior
- And many more new dashboards...
* Tool tips and Tour to help guide you through the new dashboards
* Events from Firewall, Panorama, Traps, Aperture, AutoFocus, and Minemeld correlate and combine to offer unparalleled security insights
* Support for content pack sync with PAN-OS 8.0
Version 5.4.2
v5.4.2
* Improved saved search cron schedule
* Improved add-on compatibility check
v5.4.1
* Endpoint Dashboard bug fix
v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch
Version 5.4.1
v5.4.1
* Endpoint Dashboard bug fix
v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch
Version 5.4.0
v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch
Version 5.3.1
v5.3.1
- Changes made to meet new certification requirements
v5.3.0
- GlobalProtect Dashboard
- Other updates are in the Add-on (https://splunkbase.splunk.com/app/2757)
Important App Upgrade Notes
- App 5.3.x requires Add-on 3.7.x
- The App setup screen has moved to the Add-on. If you has previous set firewall credentials or a WildFire API key in the App setup screen, you’ll need to set them in the Add-on setup screen. See Step 2: Initial Setup in the Getting Started Guide.
- Datamodel acceleration might rebuild itself after installation due to updated constraints
- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.
Version 5.2.0
* App Certified by Splunk
Note: As a certification requirement, this version drops support for Splunk 6.1 and earlier, and removes deprecated commands (**panblock** and **panupdate**). If you are using Splunk 6.1, please upgrade Splunk to 6.2 or higher before upgrading this App. If you are using panblock or panupdate, please use pantag and panuserupdate instead before upgrading this App.
Version 5.1.0
* Datamodel updated to support new Traps 3.3.2 fields
* Endpoint Dashboard updated to support new Traps 3.3.2 fields
WARNING: Traps versions before 3.3.2 are no longer supported beginning with this App version
Version 5.0.1
Review the Upgrade Guide to migrate to version 5.0.x from 4.x. See the Documentation tab.
5.0.x is a major release that re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.
Fixes in 5.0.1:
* Fix error when using pantag command with single firewall
* Fix error when using pancontentpack command
* Improved searchbar command logging
Version 5.0.0
Review the Upgrade Guide to migrate to version 5.0.0. See the Documentation tab.
This major release re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.
In addition to the new Palo Alto Networks Add-on, this version also has new features:
* New SaaS dashboard with un/sanctioned SaaS detection
* CIM 4.x compliance
* Optimized datamodel for better performance and storage efficiency
* Logs are no longer required to be stored in the pan_logs index
* Auto update script for app and threat lookup tables
* New panuserupdate command for User-ID updates
* Enhanced pantag command to leverage log data for tags
* Both commands now support Panorama and VSYS targets, and are more efficient and scalable
* Better command documentation
* Changed from CC license to ISC license
* All new documentation website at http://pansplunk.readthedocs.org
Version 4.2.2
- Fix drilldowns in Wildfire and Content dashboards
- Fix panel in Content dashboard to display correct data
Version 4.2.1
- Fix Wildfire Report downloader and Applipedia New App check
- Fix Wildfire Dashboard Drilldowns
- Fix Threat Details Dashboard datamodel reference
- Fix Endpoint Dashboard would not work on Splunk 6.0.x
- Fix time range inconsistent on Overview Dashboard
- Fix issue where Endpoint Dashboard disappears if Netflow is enabled.
Version 4.2
Version 4.2
- New Palo Alto Networks [Advanced Endpoint Protection](http://media.paloaltonetworks.com/lp/traps/)
- Support Palo Alto Networks [PAN-OS 6.1](https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide.html)
Version 4.1.3
- Special commands (panblock, panupdate, pantag) now available from other apps
- Fix issue with unknown lookup errors during search
- Fix issue with meta scope and global namespace
Version 4.1.2
- Fix some Threat dashboard drilldowns
- Fix scope of CIM fields to remove conflict with some apps
- Remove macros from datamodel that were causing slower acceleration
Note: changes to datamodel in this version may require the acceleration index to be rebuilt before data will show up in the dashboards
Version 4.1.1
Version 4.1.1
- Handle new fields in latest PAN-OS syslogs and WildFire reports
- Significant improvements to indexing efficiency
- Improved handling of Dynamic Address Group tagging
- Improvements and minor updates for Splunk 6.1.x
- Fix minor dashboard issues
- Fix minor field parsing issue
Version 4.1
Version 4.1
If upgrading from a previous version, please read the __Upgrade Notes__ in the documentation.
- PAN-OS Data model including acceleration
- Data model accelerated dashboards (replaces TSIDX-based dashboards)
- New command: `pantag` - tag IP addresses on the firewall into Dynamic Address Groups
- IP Classification - add metadata to your CIDR blocks, classifying them as internet/external/dmz/datacenter/etc.
- Applipedia change notifications and highlighting - know when Palo Alto Networks releases new application signatures and if those applications are on your network
Version 4.0.2
- Fix: Overview dashboard optimizations
- Fix: Top Applications panel would sometimes show error
- Fix: Traffic dashboard form filter works
Version 4.0.1
Version 4.0.1
- Fix: Config dashboard shows all events
- Fix: Better handling of navbar changes
Version 4.0
- Splunk 6 support
- Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
---- Print
---- Export as pdf
---- Produce scheduled reports
---- Use pre-populated dropdowns in filters
---- Change using SplunkWeb by editing the panels
- Maps converted to Splunk 6 built-in maps (removes dependencies on other apps)
- Updated navbar including icons and colors
Version 4.0
Version 4.0
- Splunk 6 support
- Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
---- Print
---- Export as pdf
---- Produce scheduled reports
---- Use pre-populated dropdowns in filters
---- Change using SplunkWeb by editing the panels
- Maps converted to Splunk 6 built-in maps (removes dependencies on other apps
- Updated navbar including icons and colors
Version 3.4
- NetFlow support using NetFlow Integrator, a 3rd party program from NetFlow Logic
- New set of dashboards, charts and graphs centered around NetFlow records from Palo Alto Networks devices
- App-ID and User-ID information is available in NetFlow records
Download a 30-day free trial of NetFlow Integrator at https://www.netflowlogic.com/downloads
Steps to configure NetFlow are available in the NetFlow section of the app documentation.
Version 3.3.2
Version 3.3.2
- Fix: URL in WildFire dashboard corrected
- Fix: Overview dashboard colors were gray on some servers, set back to white
- Fix: Corrected description fields in commands.conf that resulted in log errors
- Fix: Corrected sourcetype in inputs.conf.sample
Version 3.3.1
- Fix: App setup screen allows blank values
- Fix: Several GUI fixes and enhancements
Version 3.3
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation
Version 3.3.1
- Fix: App setup screen allows blank values
- Fix: Several GUI fixes and enhancements
And features from version 3.3
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation
Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com
Version 3.3
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation
Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com
Version 3.2.1
Bug Fixes:
savedsearches.conf: changed hard coded index=pan_logs to `pan_index` in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix
pan_overview_switcher_maps.xml: modified geoip search to include localop to force the search to run on the searchhead. Thanks to Genti Zaimi for identifying the problem and providing the fix
Version 3.2
Major improvements on drilldowns in charts - Greets to Joel Bennett
Added a setup.xml Palo Alto device credentials.
Bug Fix: panupdate custom command; removed hardcoded IP for panorama. Greets to Jeff Hillon and Palo Alto Networks teams for identifying this issue and helping to test the fix.
Version 3.0
- Completely redone searches for views and dashboards
- Significant performance improvements for dashboards and views
- A new Threat Detail Dashboard
- Threat Overview fields auto-update filter and auto-redirect to Threat Detail
- panblock: Custom Command to add/remove host/address objects from the PAN firewall
- panupdate: Custom Command to add User-ID and IP mapping in PAN
- Removed summary indexing
- Overview page runs on base index
- Pan Log sourcetype now visible in web ui for adding new inputs
- Added new app icon
- Remove submit button from web usage report page
- Main landing page runs on pan_index macro
Known Issues
- Drill down from charts goes to a table view and not flashtimeline view
Version 3.0 Beta
Completely redone searches for views and dashboards
Significant performance improvements for dashboards and views
A new Threat Detail Dashboard
Threat Overview fields auto-update filter and auto-redirect to Threat Detail
Custom Command to add/remove host/address objects from the PAN firewall
Removed summary indexing
Overview page runs on base index
Pan Log sourcetype now visible in web ui for adding new inputs
Added new app icon
Remove submit button from web usage report page
Main landing page runs on pan_index macro
Version 2.5
Fixed: Web dashboard doesn't render
Fixed: pan_traffic macro doesn't produce results
Fixed: TRANSFORM- to TRANSFORMS- in props.conf
Fixed: Ingress/Egress interface labeling errors
Fixed: Sometimes the main dashboard's single value font matches background
Request: Make app installable via the web ui
Request: Change macros definitions to include base index other than pan_logs
Request: Allow for custom index to be inherited automatically. works on all view except for landing page
Request: Disable summary indexing
Request: Add a README file to the app
Version 2.3
App is now CIM compliant. Many thanks to Jim Hansen for this effort.
Version 2.2.1
Updated timestamp extraction. Updated Sourcetyping to accommodate PA-2050 threat events (thanks to Andy Stovall for highlighting this.)
Version 2.2
FIXED: dangling MAX_TIMESTAMP_LOOKAHEAD in props.conf; causing app conflict (Thanks to Tat-Wee Kan for bringing this up)
FIXED: traffic search in traffic_overview dashboard to include 'Action' as a parameter
Added: default indexes.conf
Version 2.0.1
Removed Inputs.conf from local
Added Screenhot.jpg
Updated REAME instructions for adding inputs
Version 2.0
- Updated Install instructions. Please see README for installation instructions and dependencies
- All fields specified in the Palo Alto Networks log specification have been extracted.
- Dashboards have been enhanced.
- Added filters for views include: user, vsys and admin
- Summary indexed dashboards with drill down
- Added multiple new dashboards. Including: URL Filtering, Data Filtering and Content Filtering.
- Updated the threat list and app lists
- Capability to use online (google) or offline (ammap) maps.
- App is HTML 5 compliant. It has been tested to run successfully on iPads and Android phones.
Version 1.2.0
- App now works with 4.2.x
- Updated lookup (app_list.csv and threat_list.csv)
- Added print option for User Web Activity
Version 1.0.2
- Added additional steps to README.txt.
- Typo fixes.