Palo Alto Networks App for Splunk

Version: 5.2.0

* App Certified by Splunk Note: As a certification requirement, this version drops support for Splunk 6.1 and earlier, and removes deprecated commands (**panblock** and **panupdate**). If you are using Splunk 6.1, please upgrade Splunk to 6.2 or higher before upgrading this App. If you are using panblock or panupdate, please use pantag and panuserupdate instead before upgrading this App.

Version: 5.1.0

* Datamodel updated to support new Traps 3.3.2 fields * Endpoint Dashboard updated to support new Traps 3.3.2 fields WARNING: Traps versions before 3.3.2 are no longer supported beginning with this App version

Version: 5.0.1

Review the Upgrade Guide to migrate to version 5.0.x from 4.x. See the Documentation tab. 5.0.x is a major release that re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App. Fixes in 5.0.1: * Fix error when using pantag command with single firewall * Fix error when using pancontentpack command * Improved searchbar command logging

Version: 5.0.0

Review the Upgrade Guide to migrate to version 5.0.0. See the Documentation tab. This major release re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App. In addition to the new Palo Alto Networks Add-on, this version also has new features: * New SaaS dashboard with un/sanctioned SaaS detection * CIM 4.x compliance * Optimized datamodel for better performance and storage efficiency * Logs are no longer required to be stored in the pan_logs index * Auto update script for app and threat lookup tables * New panuserupdate command for User-ID updates * Enhanced pantag command to leverage log data for tags * Both commands now support Panorama and VSYS targets, and are more efficient and scalable * Better command documentation * Changed from CC license to ISC license * All new documentation website at http://pansplunk.readthedocs.org

Version: 4.2.2

- Fix drilldowns in Wildfire and Content dashboards - Fix panel in Content dashboard to display correct data

Version: 4.2.1

- Fix Wildfire Report downloader and Applipedia New App check - Fix Wildfire Dashboard Drilldowns - Fix Threat Details Dashboard datamodel reference - Fix Endpoint Dashboard would not work on Splunk 6.0.x - Fix time range inconsistent on Overview Dashboard - Fix issue where Endpoint Dashboard disappears if Netflow is enabled.

Version: 4.2

Version 4.2 - New Palo Alto Networks [Advanced Endpoint Protection](http://media.paloaltonetworks.com/lp/traps/) - Support Palo Alto Networks [PAN-OS 6.1](https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide.html)

Version: 4.1.3

- Special commands (panblock, panupdate, pantag) now available from other apps - Fix issue with unknown lookup errors during search - Fix issue with meta scope and global namespace

Version: 4.1.2

- Fix some Threat dashboard drilldowns - Fix scope of CIM fields to remove conflict with some apps - Remove macros from datamodel that were causing slower acceleration Note: changes to datamodel in this version may require the acceleration index to be rebuilt before data will show up in the dashboards

Version: 4.1.1

Version 4.1.1 - Handle new fields in latest PAN-OS syslogs and WildFire reports - Significant improvements to indexing efficiency - Improved handling of Dynamic Address Group tagging - Improvements and minor updates for Splunk 6.1.x - Fix minor dashboard issues - Fix minor field parsing issue

Version: 4.1

Version 4.1 If upgrading from a previous version, please read the __Upgrade Notes__ in the documentation. - PAN-OS Data model including acceleration - Data model accelerated dashboards (replaces TSIDX-based dashboards) - New command: `pantag` - tag IP addresses on the firewall into Dynamic Address Groups - IP Classification - add metadata to your CIDR blocks, classifying them as internet/external/dmz/datacenter/etc. - Applipedia change notifications and highlighting - know when Palo Alto Networks releases new application signatures and if those applications are on your network

Version: 4.0.2

- Fix: Overview dashboard optimizations - Fix: Top Applications panel would sometimes show error - Fix: Traffic dashboard form filter works

Version: 4.0.1

Version 4.0.1 - Fix: Config dashboard shows all events - Fix: Better handling of navbar changes Version 4.0 - Splunk 6 support - Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now: ---- Print ---- Export as pdf ---- Produce scheduled reports ---- Use pre-populated dropdowns in filters ---- Change using SplunkWeb by editing the panels - Maps converted to Splunk 6 built-in maps (removes dependencies on other apps) - Updated navbar including icons and colors

Version: 4.0

Version 4.0 - Splunk 6 support - Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now: ---- Print ---- Export as pdf ---- Produce scheduled reports ---- Use pre-populated dropdowns in filters ---- Change using SplunkWeb by editing the panels - Maps converted to Splunk 6 built-in maps (removes dependencies on other apps - Updated navbar including icons and colors

Version: 3.4

- NetFlow support using NetFlow Integrator, a 3rd party program from NetFlow Logic - New set of dashboards, charts and graphs centered around NetFlow records from Palo Alto Networks devices - App-ID and User-ID information is available in NetFlow records Download a 30-day free trial of NetFlow Integrator at https://www.netflowlogic.com/downloads Steps to configure NetFlow are available in the NetFlow section of the app documentation.

Version: 3.3.2

Version 3.3.2 - Fix: URL in WildFire dashboard corrected - Fix: Overview dashboard colors were gray on some servers, set back to white - Fix: Corrected description fields in commands.conf that resulted in log errors - Fix: Corrected sourcetype in inputs.conf.sample Version 3.3.1 - Fix: App setup screen allows blank values - Fix: Several GUI fixes and enhancements Version 3.3 - Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall. - WildFire dashboard - Recent WildFire events - Graphs of WildFire statistical data - Detect compromised hosts using malware behavior to traffic log correlation

Version: 3.3.1

- Fix: App setup screen allows blank values - Fix: Several GUI fixes and enhancements And features from version 3.3 - Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall. - WildFire dashboard - Recent WildFire events - Graphs of WildFire statistical data - Detect compromised hosts using malware behavior to traffic log correlation Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com

Version: 3.3

- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall. - WildFire dashboard - Recent WildFire events - Graphs of WildFire statistical data - Detect compromised hosts using malware behavior to traffic log correlation Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com

Version: 3.2.1

Bug Fixes: savedsearches.conf: changed hard coded index=pan_logs to `pan_index` in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix pan_overview_switcher_maps.xml: modified geoip search to include localop to force the search to run on the searchhead. Thanks to Genti Zaimi for identifying the problem and providing the fix

Version: 3.2

Major improvements on drilldowns in charts - Greets to Joel Bennett Added a setup.xml Palo Alto device credentials. Bug Fix: panupdate custom command; removed hardcoded IP for panorama. Greets to Jeff Hillon and Palo Alto Networks teams for identifying this issue and helping to test the fix.

Version: 3.0

- Completely redone searches for views and dashboards - Significant performance improvements for dashboards and views - A new Threat Detail Dashboard - Threat Overview fields auto-update filter and auto-redirect to Threat Detail - panblock: Custom Command to add/remove host/address objects from the PAN firewall - panupdate: Custom Command to add User-ID and IP mapping in PAN - Removed summary indexing - Overview page runs on base index - Pan Log sourcetype now visible in web ui for adding new inputs - Added new app icon - Remove submit button from web usage report page - Main landing page runs on pan_index macro Known Issues - Drill down from charts goes to a table view and not flashtimeline view

Version: 3.0 Beta

Completely redone searches for views and dashboards Significant performance improvements for dashboards and views A new Threat Detail Dashboard Threat Overview fields auto-update filter and auto-redirect to Threat Detail Custom Command to add/remove host/address objects from the PAN firewall Removed summary indexing Overview page runs on base index Pan Log sourcetype now visible in web ui for adding new inputs Added new app icon Remove submit button from web usage report page Main landing page runs on pan_index macro

Version: 2.5

Fixed: Web dashboard doesn't render Fixed: pan_traffic macro doesn't produce results Fixed: TRANSFORM- to TRANSFORMS- in props.conf Fixed: Ingress/Egress interface labeling errors Fixed: Sometimes the main dashboard's single value font matches background Request: Make app installable via the web ui Request: Change macros definitions to include base index other than pan_logs Request: Allow for custom index to be inherited automatically. works on all view except for landing page Request: Disable summary indexing Request: Add a README file to the app

Version: 2.3

App is now CIM compliant. Many thanks to Jim Hansen for this effort.

Version: 2.2.1

Updated timestamp extraction. Updated Sourcetyping to accommodate PA-2050 threat events (thanks to Andy Stovall for highlighting this.)

Version: 2.2

FIXED: dangling MAX_TIMESTAMP_LOOKAHEAD in props.conf; causing app conflict (Thanks to Tat-Wee Kan for bringing this up) FIXED: traffic search in traffic_overview dashboard to include 'Action' as a parameter Added: default indexes.conf

Version: 2.0.1

Removed Inputs.conf from local Added Screenhot.jpg Updated REAME instructions for adding inputs

Version: 2.0

- Updated Install instructions. Please see README for installation instructions and dependencies - All fields specified in the Palo Alto Networks log specification have been extracted. - Dashboards have been enhanced. - Added filters for views include: user, vsys and admin - Summary indexed dashboards with drill down - Added multiple new dashboards. Including: URL Filtering, Data Filtering and Content Filtering. - Updated the threat list and app lists - Capability to use online (google) or offline (ammap) maps. - App is HTML 5 compliant. It has been tested to run successfully on iPads and Android phones.

Version: 1.2.0

- App now works with 4.2.x - Updated lookup (app_list.csv and threat_list.csv) - Added print option for User Web Activity

Version: 1.0.2

- Added additional steps to README.txt. - Typo fixes.

Version: 1.0.1