Data normalization differences between versions 8.1.3 of the Palo Alto Networks Add-on for Splunk and 1.0.0 of the Splunk Add-on for Palo Alto Networks

CIM data model comparison between the two add-ons.

| Sourcetype | event_type | Previous CIM model (8.1.3) | New CIM model (1.0.0) |
|---|---|---|---|
| pan:system | pan_system_alert | | Change |
| pan:system | pan_system_auth | | Authentication |
| pan:traffic | pan_traffic_start, pan_traffic_end | Network Sessions | Network Traffic |
| pan:threat | pan_virus, pan_spyware, pan_threat | Intrusion Detection | Intrusion Detection |
| pan:threat | pan_url | Web | Intrusion Detection |
| pan:threat | pan_wildfire | Malware | Intrusion Detection |
| pan:globalprotect | pan_globalprotect | | Authentication |
| pan:decryption | pan_decryption | | Network Traffic |
| pan:correlation | pan_correlation | | Alerts |
| pan:iot_alert | pan_iot_alert | | Alerts |
| pan:iot_device | pan_iot_device | | Inventory |
| pan:iot_vulnerability | pan_iot_vulnerability | | Vulnerabilities |
| pan:xdr_incident | pan_xdr_incident, pan_xdr_incident_detailed | | Ticket Management |
| pan:userid | pan_userid | | Not mapped to CIM |
| pan:hipmatch | pan_hipmatch | | Not mapped to CIM |
| pan:config | pan_config | Change Analysis | Change |

Fields added in Splunk Add-on for Palo Alto Networks v1.0.0

| Source type | Event name | Field added | 1.0.0 extractions (sample values) |
|---|---|---|---|
| pan:firewall_cloud | pan_traffic | duration | 344 |
| pan:firewall_cloud | pan_traffic | protocol | tcp |
| pan:firewall_cloud | pan_traffic | ids_type | network |
| pan:firewall_cloud | pan_traffic | dest_translated_port | 443 |
| pan:firewall_cloud | pan_traffic | dest_translated_ip | 172.168.197.239 |
| pan:firewall_cloud | pan_traffic | src_translated_port | 58983 |
| pan:firewall_cloud | pan_traffic | src_translated_ip | 192.168.1.10 |
| pan:firewall_cloud | pan_threat | dest_translated_port | 80 |
| pan:firewall_cloud | pan_threat | dest_translated_ip | 192.168.185.49 |
| pan:firewall_cloud | pan_threat | src_translated_port | 34479 |
| pan:firewall_cloud | pan_threat | src_translated_ip | 192.168.1.10 |
| pan:firewall_cloud | pan_threat | protocol | tcp |
| pan:firewall_cloud | pan_threat | ids_type | network |
| pan:firewall_cloud | pan_threat | action | success |
| pan:firewall_cloud | pan_threat | app | Palo Alto Networks Firewall |
| pan:system | pan_system_auth | change_type | FileSystem |
| pan:system | pan_system_auth | user | admin |
| pan:system | pan_system_auth | src_user | admin |
| pan:system | pan_system_auth | src | 192.168.2.2 |
| pan:system | pan_system_auth | status | failure |
| pan:system | pan_system_alert | action | modified |
| pan:system | pan_system_alert | object | url_filtering |
| pan:system | pan_system_alert | object_attrs | 20240513.20182 |
| pan:system | pan_system_alert | object_category | File |
| pan:system | pan_system_alert | status | success |
| pan:system | pan_system_alert | result | upgrade-url-database-success |
| pan:system | pan_system_alert | src | Firewall |
| pan:xdr_incident | pan_xdr_detailed | comments | NO COMMENTS |
| pan:xdr_incident | pan_xdr_detailed | description | ‘Ransomware Activity - 244825228’ along with 5 other alerts generated by XDR Agent detected on host c2376524598 involving 2 user |
| pan:xdr_incident | pan_xdr_detailed | dest | c2376524598:1c482c0623b2445xxxxx13e7707eca |
| pan:xdr_incident | pan_xdr_detailed | src_user | administrator |
| pan:config | pan_config | action | modified |
| pan:config | pan_config | change_type | filesystem |
| pan:correlation | pan_correlation | description | Host visited known malware URL (100 times). |
| pan:decryption | pan_decryption | dest | 192.168.160.26 |
| pan:decryption | pan_decryption | dvc | Firewall |
| pan:decryption | pan_decryption | src | 192.168.4.5 |
| pan:globalprotect | pan_globalprotect | action | success |
| pan:globalprotect | pan_globalprotect | app | Palo Alto Firewall |
| pan:globalprotect | pan_globalprotect | dest | GPGW_xxxxx_xxxxxx-xxx_6490686 |
| pan:globalprotect | pan_globalprotect | dest_ip | 192.168.1.222 |
| pan:globalprotect | pan_globalprotect | src_mac | 00:0c:xx:xx:xx:34 |
| pan:iot_alert | pan_iot_alert | description | Detected established connections to malicious ip 192.168.1.94 |
| pan:iot_alert | pan_iot_alert | src_ip | 192.168.1.17 |
| pan:iot_device | pan_iot_device | name | 30:xx:xx:xx:xx:44 |
| pan:iot_device | pan_iot_device | src_ip | 10.3.3.190 |
| pan:iot_vulnerability | pan_iot_vulnerability | cvss | 10 |
| pan:iot_vulnerability | pan_iot_vulnerability | signature | SNMP v1 Usage |

Fields removed in Splunk Add-on for Palo Alto Networks v1.0.0

| Source type | Event name | Field removed | Comments |
|---|---|---|---|
| pan:traffic | pan_traffic_start, pan_traffic_end | application | Removed because it duplicated the app field. |
| pan:firewall_cloud | pan_globalprotect | status | |
| pan:xdr_incident | pan_xdr_incident | id | |
| pan:config | pan_config | before_change_detail | |
| pan:config | pan_config | after_change_detail | |
| pan:iot_device | pan_iot_device | enabled | |

Fields modified in Splunk Add-on for Palo Alto Networks v1.0.0

| Source type | Event name | Field modified | 8.1.3 extractions | 1.0.0 extractions | Comments |
|---|---|---|---|---|---|
| pan:threat | pan_spyware | category | spyware | social-networking | |
| pan:traffic | pan_spyware | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:traffic | pan_url | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:traffic | pan_file | category | N/A | computer-and-internet-info | |
| pan:traffic | pan_file | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:traffic | pan_wildfire | category | N/A | benign | |
| pan:traffic | pan_wildfire | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:traffic | pan_threat | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:traffic | pan_virus | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:firewall_cloud | pan_traffic | bytes_in | 10368 | 15009 | Mappings of bytes_in and bytes_out are swapped; 8.1.3 had them mapped the wrong way round. |
| pan:firewall_cloud | pan_traffic | bytes_out | 15009 | 10368 | Mappings of bytes_in and bytes_out are swapped; 8.1.3 had them mapped the wrong way round. |
| pan:firewall_cloud | pan_traffic | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:firewall_cloud | pan_threat | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:firewall_cloud | pan_globalprotect | dvc | host1 | GPGW_xxxxx_xxxxxx-xxx_6490686 | |
| pan:system | pan_system_alert | app | Palo Alto Networks Firewall | PAN-OS | |
| pan:system | pan_system_alert | dvc | host1 | Firewall | Now maps to the value of dvc_name instead of host. |
| pan:config | pan_config | dest | host1 | xxx.xx.x.xx | |
| pan:correlation | pan_correlation | signature | Host visited known malware URL (100 times). | beacon-heuristics | |
| pan:decryption | pan_decryption | action | allow | allowed | |
| pan:iot_alert | pan_iot_alert | action | unknown | Palo Alto Network IoT Security | |
| pan:iot_alert | pan_iot_alert | id | 5f3e066e5e3caa7b4f540475 | alert-mki-mB7uA3 | |
| pan:iot_alert | pan_iot_alert | src | 192.168.1.17 | Hikivision-Camera | |
| pan:iot_alert | pan_iot_alert | type | policy_alert | alert | |