Skip to main content

Release Notes


Release notes have moved to GitHub:

Archived Release Notes

App 6.1.1

  • New: Dark mode supported
  • Fix: Endpoing dashboard and datamodels support for Traps 5.0(Traps Management Service)

Add-on 6.1.1

  • Fix: Improved API call to Aperture
  • Fix: Aperture region field saves
  • Fix: Traps event types updated
  • Fix: Improved clustered environment support

App 6.1

  • New: Support for Traps 5.0 (Traps Management Service)
  • New: User ID updates can now be added with a timeout setting
  • Fix: User ID updates work consistently via Panorama
  • Fix: Issue with Block-Continue panel in Web Activity report

Add-on 6.1

  • New: Support for Traps 5.0 (Traps Management Service)
  • New: Support for Firewall User-ID logs
  • New: Credential Detected flag for PAN-OS 8.1
  • New: MineMeld indicator retention timer
  • New: Batch collection of Aperture logs
  • New: Support all Aperture regions
  • New: Easier to disable certificate validation for self-hosted MineMeld
  • New: Malicious WildFire events tagged for Malware CIM datamodel
  • Fix: category field for URL logs is now more consistent
  • Fix: url_length field fixed
  • Fix: Corrected the double parse of Aperture logs

Traps datamodel has been renamed from pan_endpoint to pan_traps and some fields have changed names in the datamodel to support Traps 5.0 additional data. If you have previously created your own dashboards based on the Palo Alto Networks datamodels, you may need to update those dashboards.

App 6.0


Is your organization safe from those who intend the most harm? Know your adversary with the new Adversary Scoreboard and measure how effective your security is at defeating their attacks. Automatically prioritize attacks with the new All Incident Feed, and investigate with the new Incident Context View.

Add-on 6.0



Some fields have changed names in the datamodel. If you have previously created your own dashboards based on the Palo Alto Networks datamodels, you may need to update some field names.

App 5.4


  • Improved saved search cron schedule
  • Improved add-on compatibility check


  • Endpoint Dashboard bug fix


  • Endpoint Operations Dashboard
  • Endpoint Security Dashboard
  • Endpoint Dashboard support new Traps 3.4 fields
  • Support for AutoFocus Remote Search via External Search Handler
  • Support for Firewall Log Link via External Search Handler
  • Improved AutoFocus cross launch

Add-on 3.8


  • Improved CIM support for correlation logs


  • Configuration screen bug fix


  • AutoFocus Export List modular input
  • Improved configuration screen allows credentials to be changed

App 5.3


  • Changes made to meet new certification requirements


  • GlobalProtect Dashboard

  • Other updates are in the Add-on (see below)

  • App 5.3.x requires Add-on 3.7.x

  • REQUIRED ACTION: The App setup screen has moved to the Add-on. If you had previously set firewall credentials or a WildFire API key in the App setup screen, you'll need to set them again in the Add-on setup screen. You may delete the file $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/passwords.conf to remove the credentails from the App, since they are no longer used.

  • Datamodel acceleration might rebuild itself after installation due to updated constraints

  • Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.

Add-on 3.7


  • Changes made to meet new certification requirements


  • Integration with new Splunk Adaptive Response
  • Tag to dynamic address group using modular actions and Adaptive Response
  • Submit URL’s from any log in Splunk to WildFire
  • Logs with malware hashes have a new event action that links directly to that hash in Autofocus
  • Improved tagging for Splunk Enterprise Security, based on customer feedback
  • New parser for GlobalProtect logs

Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire.
You might need to update custom searches or panels you created that leverage the pan_threat eventtype. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire.

App 5.2

  • Certified by Splunk
  • Removed deprecated commands (panblock and panupdate) as a requirement for certification.
  • Removes support for Splunk 6.1 and ealier as a requirement for certification.

If you are using Splunk 6.1 or earlier, you must upgrade to Splunk 6.2 or later before upgrading to App v5.2.0. If you currently use panblock or panupdate commands, please update your usage of the App to leverage pantag and panuserupdate instead.

App 5.1


  • Datamodel updated to support new Traps 3.3.2 fields
  • Endpoint Dashboard updated to support new Traps 3.3.2 fields

WARNING: Traps versions before 3.3.2 are no longer supported beginning with this App version

Add-on 3.6


  • Certified by Splunk
  • Add logo files for Splunkbase


  • Support new Traps 3.3.2 log format

Traps versions before 3.3.2 are no longer supported beginning with this Add-on version

App 5.0


  • Fix error when using pantag command with single firewall
  • Fix error when using pancontentpack command
  • Improved searchbar command logging

This major release re-architects the Palo Alto Networks App by splitting it into an App and an Add-on. The Palo Alto Networks Add-on is included in the Palo Alto Networks App and is installed or upgraded automatically with the App.

In addition to the new Palo Alto Networks Add-on, this version also has the following new features:

  • New SaaS dashboard with Un/Sanctioned SaaS Detection
  • CIM 4.x compliance
  • Optimized Datamodel for better performance and storage efficiency
  • Logs are no longer required to be stored in the pan_logs index
  • Auto update script for app and threat lookup tables
  • New panuserupdate command for User-ID update
  • Enhanced pantag command to leverage log data for tags
  • Both commands now support Panorama and VSYS targets, and are more efficient and scalable
  • Better command documentation
  • Changed from CC license to ISC license
  • All new documentation website at

Add-on 3.5


  • Fix issue where endpoint logs would show up in CIM apps, but not Palo Alto Networks app


  • Add support for PAN-OS 7.0 new fields
  • Add hip-match log type from Firewall and Panorama
  • Add sourcetype category
  • Add Sanctioned SaaS lookup table (see Un/Sanctioned SaaS Detection)
  • Update app_list.csv and threat_list.csv lookup tables with new format and data
  • Fix incorrect value in report_id field for Wildfire logs in PAN-OS 6.1 or higher
  • Fix src_category field should be dest_category

Included with Splunk Enterprise Security 4.

This new Add-on (TA) for Palo Alto Networks supports logs from Palo Alto Networks Next-generation Firewall, Panorama, and Traps Endpoint Security Manager. It is CIM 4.x compliant and designed to work with Splunk Enterprise Security 4 and the Palo Alto Networks App for Splunk v5.

App 4.2


  • Fix drilldowns in Wildfire and Content dashboards
  • Fix panel in Content dashboard to display correct data


  • Fix Wildfire Report downloader and Applipedia New App check
  • Fix Wildfire Dashboard Drilldowns
  • Fix Threat Details Dashboard datamodel reference
  • Fix Endpoint Dashboard would not work on Splunk 6.0.x
  • Fix time range inconsistent on Overview Dashboard
  • Fix issue where Endpoint Dashboard disappears if Netflow is enabled.


App 4.1


  • Special commands (panblock, panupdate, pantag) now available from other apps
  • Fix issue with unknown lookup errors during search
  • Fix issue with meta scope and global namespace


  • Fix some Threat dashboard drilldowns
  • Fix scope of CIM fields to remove conflict with some apps
  • Remove macros from datamodel that were causing slower acceleration

Note: changes to datamodel may require the acceleration to be rebuilt before data will show up in the dashboards


  • Handle new fields in latest PAN-OS syslogs and WildFire reports
  • Significant improvements to indexing efficiency
  • Improved handling of Dynamic Address Group tagging
  • Improvements and minor updates for Splunk 6.1.x
  • Fix minor dashboard issues
  • Fix minor field parsing issue

This is a major update. If upgrading from a previous version, please read the Upgrade Notes in the documentation.

  • PAN-OS Data model including acceleration
  • Data model accelerated dashboards (replaces TSIDX-based dashboards)
  • New command: pantag - tag IP addresses on the firewall into Dynamic Address Groups
  • IP Classification - add metadata to your CIDR blocks, classifying them as internet/external/dmz/datacenter/etc.
  • Applipedia change notifications and highlighting - know when Palo Alto Networks releases new application signatures and if those applications are on your network

App 4.0


  • Fix: Overview dashboard optimizations
  • Fix: Top Applications panel would sometimes show error
  • Fix: Traffic dashboard form filter works


  • Fix: Config dashboard shows all events
  • Fix: Better handling of navbar changes


  • Splunk 6 support
  • Dashboards converted to Splunk 6 SimpleXML, meaning dashboards can now:
    • Print
    • Export as pdf
    • Produce scheduled reports
    • Use pre-populated dropdowns in filters
    • Change using SplunkWeb by editing the panels
  • Maps converted to Splunk 6 built-in maps (removes dependencies on other apps)
  • Updated navbar including icons and colors

App 3.4

  • NetFlow support using NetFlow Integrator, a 3rd party program from NetFlow Logic
    • New set of dashboards, charts and graphs centered around NetFlow records from Palo Alto Networks devices
    • App-ID and User-ID information is available in NetFlow records

Download a 30-day free trial of NetFlow Integrator at

Steps to configure NetFlow are available in the NetFlow section of the app documentation and README.

App 3.3


  • Fix: URL in WildFire dashboard corrected
  • Fix: Overview dashboard colors were gray on some servers, set back to white
  • Fix: Corrected description fields in commands.conf that resulted in log errors
  • Fix: Corrected sourcetype in inputs.conf.sample


  • Fix: App setup screen allows blank values
  • Fix: Several GUI fixes and enhancements


  • Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
  • WildFire dashboard
    • Recent WildFire events
    • Graphs of WildFire statistical data
    • Detect compromised hosts using malware behavior to traffic log correlation

Note: Malware analysis report retrieval requires a WildFire API Key from

App 3.2


Bug Fixes:

  • savedsearches.conf: changed hard coded index=pan_logs to pan_index in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix
  • pan_overview_switcher_maps.xml: modified geoip search to include localop to force the search to run on the searchhead. Thanks to Genti Zaimi for identifying the problem and providing the fix