Data normalization differences¶

See the following page for data normalization differences between versions 8.1.3 of the Palo Alto Networks Add-on for Splunk and 1.0.0 of the Splunk Add-on for Palo Alto Networks

CIM model comparison between Add-ons.¶

Sourcetype	event_type	Previous CIM model	New CIM model
`pan:system`	`pan_system_alert`		Change
`pan:system`	`pan_system_auth`		Authentication
`pan:traffic`	`pan_traffic_start`, `pan_traffic_end`	Network Sessions	Network Traffic
`pan:threat`	`pan_virus`, `pan_spyware`, `pan_threat`	Intrusion Detection	Intrusion Detection
`pan:threat`	`pan_url`	Web	Web
`pan:threat`	`pan_wildfire`	Malware	Intrusion Detection
`pan:globalprotect`	`pan_globalprotect`		Authentication
`pan:decryption`	`pan_decryption`		Network Traffic
`pan:correlation`	`pan_correlation`		Alerts
`pan:iot_alert`	`pan_iot_alert`		Alerts
`pan:iot_device`	`pan_iot_device`		Inventory
`pan:iot_vulnerability`	`pan_iot_vulnerability`		Vulnerabilities
`pan:xdr:incident`	`pan_xdr_incident`, `pan_xdr_incident_detailed`		Ticket Management
`pan:userid`	`pan_userid`		Not mapped to CIM
`pan:hipmatch`	`pan_hipmatch`		Not mapped to CIM
`pan:config`	`pan_config`	Change Analysis	Change

Source type	Event name	Fields added	1.0.0 extractions
`pan:firewall_cloud`	`pan_traffic`	`duration`	344
`pan:firewall_cloud`	`pan_traffic`	`protocol`	tcp
`pan:firewall_cloud`	`pan_traffic`	`ids_type`	network
`pan:firewall_cloud`	`pan_traffic`	`dest_translated_port`	443
`pan:firewall_cloud`	`pan_traffic`	`dest_translated_ip`	172.168.197.239
`pan:firewall_cloud`	`pan_traffic`	`src_translated_port`	58983
`pan:firewall_cloud`	`pan_traffic`	`src_translated_ip`	192.168.1.10
`pan:firewall_cloud`	`pan_threat`	`dest_translated_port`	80
`pan:firewall_cloud`	`pan_threat`	`dest_translated_ip`	192.168.185.49
`pan:firewall_cloud`	`pan_threat`	`src_translated_port`	34479
`pan:firewall_cloud`	`pan_threat`	`src_translated_ip`	192.168.1.10
`pan:firewall_cloud`	`pan_threat`	`protocol`	tcp
`pan:firewall_cloud`	`pan_threat`	`ids_type`	network
`pan:firewall_cloud`	`pan_threat`	`action`	success
`pan:firewall_cloud`	`pan_threat`	`app`	Palo Alto Networks Firewall
`pan:system`	`pan_system_auth`	`change_type`	FileSystem
`pan:system`	`pan_system_auth`	`user`	admin
`pan:system`	`pan_system_auth`	`src_user`	admin
`pan:system`	`pan_system_auth`	`src`	192.168.2.2
`pan:system`	`pan_system_auth`	`status`	failure
`pan:system`	`pan_system_alert`	`action`	modified
`pan:system`	`pan_system_alert`	`object`	url_filtering
`pan:system`	`pan_system_alert`	`object_attrs`	20240513.20182
`pan:system`	`pan_system_alert`	`object_category`	File
`pan:system`	`pan_system_alert`	`status`	success
`pan:system`	`pan_system_alert`	`result`	upgrade-url-database-success
`pan:system`	`pan_system_alert`	`src`	Firewall
`pan:xdr:incident`	`pan_xdr_detailed`	`comments`	NO COMMENTS
`pan:xdr:incident`	`pan_xdr_detailed`	`description`	‘Ransomware Activity - 244825228’ along with 5 other alerts generated by XDR Agent detected on host c2376524598 involving 2 user
`pan:xdr:incident`	`pan_xdr_detailed`	`dest`	c2376524598:1c482c0623b2445xxxxx13e7707eca
`pan:xdr:incident`	`pan_xdr_detailed`	`src_user`	administrator
`pan:config`	`pan_config`	`action`	modified
`pan:config`	`pan_config`	`change_type`	filesystem
`pan:correlation`	`pan_correlation`	`description`	Host visited known malware URL (100 times).
`pan:decryption`	`pan_decryption`	`dest`	192.168.160.26
`pan:decryption`	`pan_decryption`	`dvc`	Firewall
`pan:decryption`	`pan_decryption`	`src`	192.168.4.5
`pan:globalprotect`	`pan_globalprotect`	`action`	success
`pan:globalprotect`	`pan_globalprotect`	`app`	Palo Alto Firewall
`pan:globalprotect`	`pan_globalprotect`	`dest`	GPGW_xxxxx_xxxxxx-xxx_6490686
`pan:globalprotect`	`pan_globalprotect`	`dest_ip`	192.168.1.222
`pan:globalprotect`	`pan_globalprotect`	`src_mac`	00:0c:xx:xx:xx:34
`pan:iot_alert`	`pan_iot_alert`	`description`	Detected established connections to malicious ip 192.168.1.94
`pan:iot_alert`	`pan_iot_alert`	`src_ip`	192.168.1.17
`pan:iot_device`	`pan_iot_device`	`name`	30:xx:xx:xx:xx:44
`pan:iot_device`	`pan_iot_device`	`src_ip`	10.3.3.190
`pan:iot_vulnerability`	`pan_iot_vulnerability`	`cvss`	10
`pan:iot_vulnerability`	`pan_iot_vulnerability`	`signature`	SNMP v1 Usage

Fields removed in version 1.0.0¶

See the following table for fields removed in plunk Add-on for Palo Alto Networks v1.0.0:

Source type	Event name	Fields removed	Comments
`pan:traffic`	`pan_traffic_start`, `pan_traffic_ends`	`application`	removed due to being duplicate of field app
`pan:firewall_cloud`	`pan_globalprotect`	`status`
`pan:xdr_incident`	`pan_xdr_incident`	`id`
`pan:config`	`pan_config`	`before_change_detail`
`pan:config`	`pan_config`	`after_change_detail`
`pan:iot_device`	`pan_iot_device`	`enabled`

Fields modified in version 1.0.0¶

See the following table for fields modified in Splunk Add-on for Palo Alto Networks v1.0.0:

Source type	Event name	Fields modified	8.1.3 extractions	1.0.0 extractions	Comments
`pan:threat`	`pan_spyware`	`category`	spyware	social-networking
`pan:traffic`	`pan_spyware`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:traffic`	`pan_url`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:traffic`	`pan_file`	`category`	N/A	computer-and-internet-info
`pan:traffic`	`pan_file`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:traffic`	`pan_wildfire`	`category`	N/A	benign
`pan:traffic`	`pan_wildfire`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:traffic`	`pan_threat`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:traffic`	`pan_virus`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:firewall_cloud`	`pan_traffic`	`bytes_in`	10368	15009	switched mapping for bytes_in and bytes_out as it was incorrectly mappped in past
`pan:firewall_cloud`	`pan_traffic`	`bytes_out`	15009	10368	switched mapping for bytes_in and bytes_out as it was incorrectly mappped in past
`pan:firewall_cloud`	`pan_traffic`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:firewall_cloud`	`pan_threat`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:firewall_cloud`	`pan_globalprotect`	`dvc`	host1	GPGW_xxxxx_xxxxxx-xxx_6490686
`pan:system`	`pan_system_alert`	`app`	Palo Alto Networks Firewall	PAN-OS
`pan:system`	`pan_system_alert`	`dvc`	host1	Firewall	now maps to value of dvc_name instead of host
`pan:config`	`pan_config`	`dest`	host1	xxx.xx.x.xx
`pan:correlation`	`pan_correlation`	`signature`	Host visited known malware URL (100 times).	beacon-heuristics
`pan:decryption`	`pan_decryption`	`action`	allow	allowed
`pan:iot_alert`	`pan_iot_alert`	`action`	unknown	Palo Alto Network IoT Security
`pan:iot_alert`	`pan_iot_alert`	`id`	5f3e066e5e3caa7b4f540475	alert-mki-mB7uA3
`pan:iot_alert`	`pan_iot_alert`	`src`	192.168.1.17	Hikivision-Camera
`pan:iot_alert`	`pan_iot_alert`	`type`	policy_alert	alert