Palo Alto Networks App for Splunk

Palo Alto Networks and Splunk have partnered to deliver an advanced security reporting and analysis tool. The collaboration delivers operational reporting, configurable dashboard views, and adaptive response across the Palo Alto Networks family of next-generation firewalls, advanced endpoint security, and threat intelligence cloud.

Palo Alto Networks App for Splunk combines the data visibility provided by the Palo Alto Networks security platform with Splunk's extensive investigation and visualization capabilities to deliver advanced security reporting and analysis. This app enables security analysts, administrators, and architects to correlate application and user activities across all network and security infrastructure from both a real-time and a historical perspective. Complicated incident analysis that previously consumed days of manual, error-prone data mining can now be automated, saving manpower and freeing key enterprise security resources to focus on critical, time-sensitive investigations.

Authors

Palo Alto Networks

  • Brian Torres-Gil
  • Paul Nguyen
  • Garfield Freeman

Release Notes

Version 6.0.1
Nov. 22, 2017

v6.0.1
* Improved filtering on dashboards
* Improved debugging logs

v6.0.0
* All new dashboards
- Adversary Scoreboard
- All Incident Feed
- Real-time Event Feed
- Datamodel Audit
- User Behavior
- And many more new dashboards...
* Tool tips and Tour to help guide you through the new dashboards
* Events from Firewall, Panorama, Traps, Aperture, AutoFocus, and Minemeld correlate and combine to offer unparalleled security insights
* Support for content pack sync with PAN-OS 8.0

Version 6.0.0
Nov. 10, 2017

v6.0.0

* All new dashboards
- Adversary Scoreboard
- All Incident Feed
- Real-time Event Feed
- Datamodel Audit
- User Behavior
- And many more new dashboards...
* Tool tips and Tour to help guide you through the new dashboards
* Events from Firewall, Panorama, Traps, Aperture, AutoFocus, and Minemeld correlate and combine to offer unparalleled security insights
* Support for content pack sync with PAN-OS 8.0

Version 5.4.2
Aug. 4, 2017

v5.4.2
* Improved saved search cron schedule
* Improved add-on compatibility check

v5.4.1
* Endpoint Dashboard bug fix

v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch

Version 5.4.1
July 14, 2017

v5.4.1
* Endpoint Dashboard bug fix

v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch

Version 5.4.0
May 11, 2017

v5.4.0
* Endpoint Operations Dashboard
* Endpoint Security Dashboard
* Endpoint Dashboard support new Traps 3.4 fields
* Support for AutoFocus Remote Search via External Search Handler
* Support for Firewall Log Link via External Search Handler
* Improved AutoFocus cross launch

Version 5.3.1
Nov. 17, 2016

v5.3.1
- Changes made to meet new certification requirements

v5.3.0
- GlobalProtect Dashboard
- Other updates are in the Add-on (https://splunkbase.splunk.com/app/2757)

Important App Upgrade Notes
- App 5.3.x requires Add-on 3.7.x
- The App setup screen has moved to the Add-on. If you have previously set firewall credentials or a WildFire API key in the App setup screen, you'll need to set them in the Add-on setup screen. See Step 2: Initial Setup in the Getting Started Guide.
- Datamodel acceleration might rebuild itself after installation due to updated constraints
- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.

Version 5.2.0
July 7, 2016

* App Certified by Splunk

Note: As a certification requirement, this version drops support for Splunk 6.1 and earlier, and removes deprecated commands (**panblock** and **panupdate**). If you are using Splunk 6.1, please upgrade Splunk to 6.2 or higher before upgrading this App. If you are using panblock or panupdate, please use pantag and panuserupdate instead before upgrading this App.

Version 5.1.0
April 22, 2016

* Datamodel updated to support new Traps 3.3.2 fields
* Endpoint Dashboard updated to support new Traps 3.3.2 fields

WARNING: Traps versions before 3.3.2 are no longer supported beginning with this App version

Version 5.0.1
Feb. 4, 2016

Review the Upgrade Guide to migrate to version 5.0.x from 4.x. See the Documentation tab.

5.0.x is a major release that re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.

Fixes in 5.0.1:

* Fix error when using pantag command with single firewall
* Fix error when using pancontentpack command
* Improved searchbar command logging

Version 5.0.0
Nov. 13, 2015

Review the Upgrade Guide to migrate to version 5.0.0. See the Documentation tab.

This major release re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.

In addition to the new Palo Alto Networks Add-on, this version also has new features:

* New SaaS dashboard with un/sanctioned SaaS detection
* CIM 4.x compliance
* Optimized datamodel for better performance and storage efficiency
* Logs are no longer required to be stored in the pan_logs index
* Auto update script for app and threat lookup tables
* New panuserupdate command for User-ID updates
* Enhanced pantag command to leverage log data for tags
* Both commands now support Panorama and VSYS targets, and are more efficient and scalable
* Better command documentation
* Changed from CC license to ISC license
* All new documentation website at http://pansplunk.readthedocs.org

Version 4.2.2
Aug. 10, 2015

- Fix drilldowns in Wildfire and Content dashboards
- Fix panel in Content dashboard to display correct data

Version 4.2.1
Feb. 10, 2015

- Fix Wildfire Report downloader and Applipedia New App check
- Fix Wildfire Dashboard Drilldowns
- Fix Threat Details Dashboard datamodel reference
- Fix Endpoint Dashboard would not work on Splunk 6.0.x
- Fix time range inconsistent on Overview Dashboard
- Fix issue where Endpoint Dashboard disappears if Netflow is enabled.

Version 4.2
Nov. 18, 2014

- New Palo Alto Networks [Advanced Endpoint Protection](http://media.paloaltonetworks.com/lp/traps/)
- Support Palo Alto Networks [PAN-OS 6.1](https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide.html)

Version 4.1.3
Oct. 16, 2014

- Special commands (panblock, panupdate, pantag) now available from other apps
- Fix issue with unknown lookup errors during search
- Fix issue with meta scope and global namespace

Version 4.1.2
Oct. 10, 2014

- Fix some Threat dashboard drilldowns
- Fix scope of CIM fields to remove conflict with some apps
- Remove macros from datamodel that were causing slower acceleration

Note: changes to datamodel in this version may require the acceleration index to be rebuilt before data will show up in the dashboards

Version 4.1.1
May 22, 2014

- Handle new fields in latest PAN-OS syslogs and WildFire reports
- Significant improvements to indexing efficiency
- Improved handling of Dynamic Address Group tagging
- Improvements and minor updates for Splunk 6.1.x
- Fix minor dashboard issues
- Fix minor field parsing issue

Version 4.1
April 2, 2014

If upgrading from a previous version, please read the __Upgrade Notes__ in the documentation.

- PAN-OS Data model including acceleration
- Data model accelerated dashboards (replaces TSIDX-based dashboards)
- New command: `pantag` - tag IP addresses on the firewall into Dynamic Address Groups
- IP Classification - add metadata to your CIDR blocks, classifying them as internet/external/dmz/datacenter/etc.
- Applipedia change notifications and highlighting - know when Palo Alto Networks releases new application signatures and if those applications are on your network

Version 4.0.2
March 27, 2014

- Fix: Overview dashboard optimizations
- Fix: Top Applications panel would sometimes show error
- Fix: Traffic dashboard form filter works

Version 4.0.1
Nov. 7, 2013

- Fix: Config dashboard shows all events
- Fix: Better handling of navbar changes

Version 4.0

- Splunk 6 support
- Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
    - Print
    - Export as PDF
    - Produce scheduled reports
    - Use pre-populated dropdowns in filters
    - Be changed in SplunkWeb by editing the panels
- Maps converted to Splunk 6 built-in maps (removes dependencies on other apps)
- Updated navbar including icons and colors

Version 4.0
Oct. 21, 2013

- Splunk 6 support
- Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
    - Print
    - Export as PDF
    - Produce scheduled reports
    - Use pre-populated dropdowns in filters
    - Be changed in SplunkWeb by editing the panels
- Maps converted to Splunk 6 built-in maps (removes dependencies on other apps)
- Updated navbar including icons and colors

Version 3.4
Sept. 19, 2013

- NetFlow support using NetFlow Integrator, a third-party program from NetFlow Logic
- New set of dashboards, charts and graphs centered around NetFlow records from Palo Alto Networks devices
- App-ID and User-ID information is available in NetFlow records

Download a 30-day free trial of NetFlow Integrator at https://www.netflowlogic.com/downloads
Steps to configure NetFlow are available in the NetFlow section of the app documentation.

Version 3.3.2
Sept. 12, 2013

- Fix: URL in WildFire dashboard corrected
- Fix: Overview dashboard colors were gray on some servers, set back to white
- Fix: Corrected description fields in commands.conf that resulted in log errors
- Fix: Corrected sourcetype in inputs.conf.sample

Version 3.3.1

- Fix: App setup screen allows blank values
- Fix: Several GUI fixes and enhancements

Version 3.3

- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation

Version 3.3.1
July 27, 2013

- Fix: App setup screen allows blank values
- Fix: Several GUI fixes and enhancements

And features from version 3.3
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation

Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com

Version 3.3
July 22, 2013

- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation

Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com

Version 3.2.1
June 7, 2013

Bug Fixes:
- savedsearches.conf: changed hard-coded index=pan_logs to `pan_index` in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix.
- pan_overview_switcher_maps.xml: modified the geoip search to include localop to force the search to run on the search head. Thanks to Genti Zaimi for identifying the problem and providing the fix.

Version 3.2
May 9, 2013

Major improvements on drilldowns in charts - Greets to Joel Bennett

Added a setup.xml for Palo Alto device credentials.

Bug Fix: panupdate custom command; removed hardcoded IP for panorama. Greets to Jeff Hillon and Palo Alto Networks teams for identifying this issue and helping to test the fix.

Version 3.0
Feb. 24, 2013

- Completely redone searches for views and dashboards
- Significant performance improvements for dashboards and views
- A new Threat Detail Dashboard
- Threat Overview fields auto-update filter and auto-redirect to Threat Detail
- panblock: Custom Command to add/remove host/address objects from the PAN firewall
- panupdate: Custom Command to add User-ID and IP mapping in PAN
- Removed summary indexing
- Overview page runs on base index
- Pan Log sourcetype now visible in web ui for adding new inputs
- Added new app icon
- Remove submit button from web usage report page
- Main landing page runs on pan_index macro

Known Issues

- Drill down from charts goes to a table view and not flashtimeline view

Version 3.0 Beta
Feb. 13, 2013

- Completely redone searches for views and dashboards
- Significant performance improvements for dashboards and views
- A new Threat Detail Dashboard
- Threat Overview fields auto-update filter and auto-redirect to Threat Detail
- Custom Command to add/remove host/address objects from the PAN firewall
- Removed summary indexing
- Overview page runs on base index
- Pan Log sourcetype now visible in web ui for adding new inputs
- Added new app icon
- Remove submit button from web usage report page
- Main landing page runs on pan_index macro

Version 2.5
Dec. 20, 2012

Fixed: Web dashboard doesn't render

Fixed: pan_traffic macro doesn't produce results

Fixed: TRANSFORM- to TRANSFORMS- in props.conf

Fixed: Ingress/Egress interface labeling errors

Fixed: Sometimes the main dashboard's single value font matches background

Request: Make app installable via the web ui

Request: Change macros definitions to include base index other than pan_logs

Request: Allow for custom index to be inherited automatically. Works on all views except the landing page.

Request: Disable summary indexing

Request: Add a README file to the app

Version 2.3
Sept. 7, 2012

App is now CIM compliant. Many thanks to Jim Hansen for this effort.

Version 2.2.1
Aug. 10, 2012

Updated timestamp extraction. Updated Sourcetyping to accommodate PA-2050 threat events (thanks to Andy Stovall for highlighting this.)

Version 2.2
July 4, 2012

FIXED: dangling MAX_TIMESTAMP_LOOKAHEAD in props.conf; causing app conflict (Thanks to Tat-Wee Kan for bringing this up)

FIXED: traffic search in traffic_overview dashboard to include 'Action' as a parameter

Added: default indexes.conf

Version 2.0.1
June 6, 2012

- Removed inputs.conf from local
- Added Screenshot.jpg
- Updated README instructions for adding inputs

Version 2.0
June 4, 2012

- Updated install instructions. Please see README for installation instructions and dependencies.
- All fields specified in the Palo Alto Networks log specification have been extracted.
- Dashboards have been enhanced.
- Added filters for views, including user, vsys and admin.
- Summary indexed dashboards with drill down.
- Added multiple new dashboards, including URL Filtering, Data Filtering and Content Filtering.
- Updated the threat list and app lists.
- Capability to use online (google) or offline (ammap) maps.
- App is HTML 5 compliant. It has been tested to run successfully on iPads and Android phones.

Version 1.2.0
June 2, 2011

- App now works with 4.2.x
- Updated lookup (app_list.csv and threat_list.csv)
- Added print option for User Web Activity

Version 1.0.2
Feb. 16, 2011

- Added additional steps to README.txt.
- Typo fixes.

Version 1.0.1
Feb. 15, 2011

© 2005-2018 Splunk Inc. All rights reserved.