Release notes for the Splunk Add-on for Palo Alto Networks
About this release
Version 3.0.0 of the Splunk Add-on for Palo Alto Networks was released on Nov 05, 2025. It was tested with the following software, CIM versions, and platforms:
| Component | Description |
|---|---|
| Splunk platform versions | 9.1.x, 9.2.x, 9.3.x, 9.4.x |
| CIM | 5.x |
| Platforms | Platform independent |
| Vendor Products | Cortex XDR, IoT Security, NGFW, Strata Logging Service, PAN-OS, Data Security |
New features
- Added support for new endpoints in the Cortex XDR input to collect management audit logs. Introduced new sourcetypes: pan:xdr:audit and pan:xdr:mgmt:audit.
- Added compatibility with the default log formats of the latest product version 11.0.
- Enhanced the lookup to extract a few new fields: block-override, override, override-lockout, random-drop, and syncookie-sent.
- Added CIM support for new sourcetypes pan:userid and pan:hipmatch.
- The Account field in Cortex XDR inputs now also supports numeric values within the XDR tenant.
Breaking Changes
- Modified the data model for security detections to align with ESCU content.
- Renamed the following sourcetypes as per standard practices: pan:xdr_incident renamed to pan:xdr:incident; pan:firewall_cloud renamed to pan:firewall:cloud.
- Added sourcetype routing for pan:firewall_cloud events based on the LogType field, similar to the routing used for syslog events (for example, for a pan:firewall_cloud event with LogType "traffic", the sourcetype would be pan:traffic:cloud).
Fixed issues
Version 3.0.0 of the Splunk Add-on for Palo Alto Networks contains the following fixed issues, if any.
Known issues
Version 3.0.0 of the Splunk Add-on for Palo Alto Networks contains the following known issues, if any.
Third-party software attributions
Third-party software attributions for the Splunk Add-on for Palo Alto Networks