- Changes made to meet new certification requirements
- Changes made to meet new certification requirements
- GlobalProtect Dashboard
- Other updates are in the Add-on (see below)
- App 5.3.x requires Add-on 3.7.x
- REQUIRED ACTION: The App setup screen has moved to the Add-on. If you had previously set firewall credentials
or a WildFire API key in the App setup screen, you’ll need to set them again in the Add-on
setup screen. See Step 2: Initial Setup in the updated Getting Started Guide.
You may delete the file
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/passwords.confto remove the credentails from the App, since they are no longer used.
- Datamodel acceleration might rebuild itself after installation due to updated constraints
- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.
- Integration with new Splunk Adaptive Response
- Tag to dynamic address group using modular actions and Adaptive Response
- Submit URL’s from any log in Splunk to WildFire
- Logs with malware hashes have a new event action that links directly to that hash in Autofocus
- Improved tagging for Splunk Enterprise Security, based on customer feedback
- New parser for GlobalProtect logs
Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.
- Certified by Splunk
- Removed deprecated commands (panblock and panupdate) as a requirement for certification.
- Removes support for Splunk 6.1 and ealier as a requirement for certification.
- Certified by Splunk
- Add logo files for Splunkbase
- Support new Traps 3.3.2 log format
Traps versions before 3.3.2 are no longer supported beginning with
Add-on 3.6.0 and App 5.1.0.
- Datamodel updated to support new Traps 3.3.2 fields
- Endpoint Dashboard updated to support new Traps 3.3.2 fields
WARNING: Traps versions before 3.3.2 are no longer supported beginning with this App version
- Fix error when using pantag command with single firewall
- Fix error when using pancontentpack command
- Improved searchbar command logging
- Fix issue where endpoint logs would show up in CIM apps, but not Palo Alto Networks app
This major release re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.
Review the Upgrade Guide to upgrade to version 5.0.0.
In addition to the new Palo Alto Networks Add-on, this version also has the following new features:
- New SaaS dashboard with Un/Sanctioned SaaS Detection
- CIM 4.x compliance
- Optimized Datamodel for better performance and storage efficiency
- Logs are no longer required to be stored in the pan_logs index
- Auto update script for app and threat lookup tables
- New panuserupdate command for User-ID update
- Enhanced pantag command to leverage log data for tags
- Both commands now support Panorama and VSYS targets, and are more efficient and scalable
- Better command documentation
- Changed from CC license to ISC license
- All new documentation website at http://pansplunk.readthedocs.io
- Add support for PAN-OS 7.0 new fields
- Add hip-match log type from Firewall and Panorama
- Add sourcetype category
- Add Sanctioned SaaS lookup table (see Un/Sanctioned SaaS Detection)
- Update app_list.csv and threat_list.csv lookup tables with new format and data
- Fix incorrect value in report_id field for Wildfire logs in PAN-OS 6.1 or higher
- Fix src_category field should be dest_category
Included with Splunk Enterprise Security 4.
This new Add-on (TA) for Palo Alto Networks supports logs from Palo Alto Networks Next-generation Firewall, Panorama, and Traps Endpoint Security Manager. It is CIM 4.x compliant and designed to work with Splunk Enterprise Security 4 and the Palo Alto Networks App for Splunk v5.
- Fix drilldowns in Wildfire and Content dashboards
- Fix panel in Content dashboard to display correct data
- Fix Wildfire Report downloader and Applipedia New App check
- Fix Wildfire Dashboard Drilldowns
- Fix Threat Details Dashboard datamodel reference
- Fix Endpoint Dashboard would not work on Splunk 6.0.x
- Fix time range inconsistent on Overview Dashboard
- Fix issue where Endpoint Dashboard disappears if Netflow is enabled.
- Special commands (panblock, panupdate, pantag) now available from other apps
- Fix issue with unknown lookup errors during search
- Fix issue with meta scope and global namespace
- Fix some Threat dashboard drilldowns
- Fix scope of CIM fields to remove conflict with some apps
- Remove macros from datamodel that were causing slower acceleration
Note: changes to datamodel may require the acceleration to be rebuilt before data will show up in the dashboards
- Handle new fields in latest PAN-OS syslogs and WildFire reports
- Significant improvements to indexing efficiency
- Improved handling of Dynamic Address Group tagging
- Improvements and minor updates for Splunk 6.1.x
- Fix minor dashboard issues
- Fix minor field parsing issue
This is a major update. If upgrading from a previous version, please read the Upgrade Notes in the documentation.
- PAN-OS Data model including acceleration
- Data model accelerated dashboards (replaces TSIDX-based dashboards)
- New command: pantag - tag IP addresses on the firewall into Dynamic Address Groups
- IP Classification - add metadata to your CIDR blocks, classifying them as internet/external/dmz/datacenter/etc.
- Applipedia change notifications and highlighting - know when Palo Alto Networks releases new application signatures and if those applications are on your network
- Fix: Overview dashboard optimizations
- Fix: Top Applications panel would sometimes show error
- Fix: Traffic dashboard form filter works
- Fix: Config dashboard shows all events
- Fix: Better handling of navbar changes
- Splunk 6 support
- Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
- Export as pdf
- Produce scheduled reports
- Use pre-populated dropdowns in filters
- Change using SplunkWeb by editing the panels
- Maps converted to Splunk 6 built-in maps (removes dependencies on other apps)
- Updated navbar including icons and colors
- NetFlow support using NetFlow Integrator, a 3rd party program from NetFlow Logic
- New set of dashboards, charts and graphs centered around NetFlow records from Palo Alto Networks devices
- App-ID and User-ID information is available in NetFlow records
Download a 30-day free trial of NetFlow Integrator at https://www.netflowlogic.com/downloads
Steps to configure NetFlow are available in the NetFlow section of the app documentation and README.
- Fix: URL in WildFire dashboard corrected
- Fix: Overview dashboard colors were gray on some servers, set back to white
- Fix: Corrected description fields in commands.conf that resulted in log errors
- Fix: Corrected sourcetype in inputs.conf.sample
- Fix: App setup screen allows blank values
- Fix: Several GUI fixes and enhancements
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation
Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com
- savedsearches.conf: changed hard coded index=pan_logs to pan_index in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix
- pan_overview_switcher_maps.xml: modified geoip search to include localop to force the search to run on the searchhead. Thanks to Genti Zaimi for identifying the problem and providing the fix