Skip to main content
Important

This TA and App is now deprecated and will no longer receive updates or support. For continued support and future updates, please switch to the new app supported by Splunk.

Please follow the documentation for a migration path to use the Splunk supported Splunk App for Palo Alto Networks.

Please follow the documentation for a migration path to use the Splunk supported Splunk Add-on for Palo Alto Networks.

Splunk Enterprise Security

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.

CIM DatamodelTagsPalo Alto Networks Eventtypes
Change Analysischangepan_config
Emailemail, filterpan_email
Intrusion Detectionids, attackpan_threat
Malwaremalware, attack, operationspan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessionsnetwork, session, start, endpan_traffic_start, pan_traffic_end
Network Trafficnetwork, communicatepan_traffic
Webweb, proxypan_url

Share MineMeld Indicators

Added in Add-on version 6.0

Indicators can be shared between MineMeld and Splunk Enterprise Security. There are multiple types of indicators that can be shared:

  • Domain
  • File
  • IPv4
  • URL

Enabling indicator sharing is a two step process. First, enable the saved searches of the indicator types to be shared. Second, enable the corresponding threatlists in Splunk Enterprise Security.

Indicators are shared with Splunk Enterprise Security as a CSV file threatlist. The saved searches are all set to run once every hour by default. The Enterprise Security threatlist is set to poll every four hours by default. So after enabling the desired indicator sharing, you may need to wait for a little time before they show up in Splunk Enterprise Security.

Here's an example walk through for enabling sharing IPv4 indicators.

Enable Saved Searches

Navigate to Settings > Searches, reports, and alerts.

Find the Generate MineMeld IPv4 Enterprise Security Threatlist saved search, then in the Actions column, click Edit > Enable.

Enable Enterprise Security Threatlists

Add the following four threatlist inputs to the file: $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf (or to your preferred inputs.conf file)

[threatlist://minemeld_ipv4threatlist]
description = MineMeld IPv4 threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_ipv4threatlist

[threatlist://minemeld_domainthreatlist]
description = MineMeld Domain threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_domainthreatlist

[threatlist://minemeld_urlthreatlist]
description = MineMeld URL threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_urlthreatlist

[threatlist://minemeld_filethreatlist]
description = MineMeld file threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_filethreatlist