Splunk Enterprise Security
Common Information Model (CIM) Compliance
The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.
| CIM Datamodel | Tags | Palo Alto Networks Eventtypes |
|---|---|---|
| Change Analysis | change | pan_config |
| email, filter | pan_email | |
| Intrusion Detection | ids, attack | pan_threat |
| Malware | malware, attack, operations | pan_malware_attacks, pan_malware_operations, pan_wildfire |
| Network Sessions | network, session, start, end | pan_traffic_start, pan_traffic_end |
| Network Traffic | network, communicate | pan_traffic |
| Web | web, proxy | pan_url |
Share MineMeld Indicators
Added in Add-on version 6.0
Indicators can be shared between MineMeld and Splunk Enterprise Security. There are multiple types of indicators that can be shared:
- Domain
- File
- IPv4
- URL
Enabling indicator sharing is a two step process. First, enable the saved searches of the indicator types to be shared. Second, enable the corresponding threatlists in Splunk Enterprise Security.
Indicators are shared with Splunk Enterprise Security as a CSV file threatlist. The saved searches are all set to run once every hour by default. The Enterprise Security threatlist is set to poll every four hours by default. So after enabling the desired indicator sharing, you may need to wait for a little time before they show up in Splunk Enterprise Security.
Here's an example walk through for enabling sharing IPv4 indicators.
Enable Saved Searches
Navigate to Settings > Searches, reports, and alerts.
Find the Generate MineMeld IPv4 Enterprise Security Threatlist saved search, then in the Actions column, click Edit > Enable.
Enable Enterprise Security Threatlists
Add the following four threatlist inputs to the file:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf (or to your preferred inputs.conf file)
[threatlist://minemeld_ipv4threatlist]
description = MineMeld IPv4 threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_ipv4threatlist
[threatlist://minemeld_domainthreatlist]
description = MineMeld Domain threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_domainthreatlist
[threatlist://minemeld_urlthreatlist]
description = MineMeld URL threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_urlthreatlist
[threatlist://minemeld_filethreatlist]
description = MineMeld file threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_filethreatlist