Custom search commands
pancontentpack
Update the app and threat lookup tables from the latest firewall content pack.
Syntax:
pancontentpack <hostname-of-firewall-or-panorama> <apps|threats>
Example 1: Display a table of app information from the application content pack loaded on the device at 10.5.5.5.
| pancontentpack 10.5.5.5 apps
Example 2: Display a table of threat information from the content pack loaded on the device at 10.7.7.7.
| pancontentpack 10.7.7.7 threats
Update app and threat metadata from Content Pack
The Splunk Add-on for Palo Alto Networks ships with two lookup files, app_list.csv and threat_list.csv, that hold metadata about applications and threat signatures respectively. These lookup tables populate the app:xyz and threat:xyz fields used in the dashboards and shown in search results.
To keep the files current, they can be refreshed dynamically from the content pack metadata on your firewall or Panorama. This is done by creating saved searches inside the add-on that periodically pull the metadata from the firewall or Panorama and overwrite the lookup tables.
Create the following saved searches in the add-on by creating the file $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto_networks/local/savedsearches.conf:
[Palo Alto Networks - Retrieve ContentPack Apps]
cron_schedule = 5 0 * * 6
dispatch.earliest_time = -1m@m
displayview = flashtimeline
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = flashtimeline
search = | pancontentpack <IP-or-hostname> apps | outputlookup createinapp=true app_lookup
disabled = 0
[Palo Alto Networks - Retrieve ContentPack Threats]
cron_schedule = 10 0 * * 6
dispatch.earliest_time = -1m@m
displayview = flashtimeline
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = flashtimeline
search = | pancontentpack <IP-or-hostname> threats | outputlookup createinapp=true threat_lookup
disabled = 0
Set <IP-or-hostname> to the IP or hostname of your firewall or Panorama. Ensure you have set the credentials for this device in the add-on configuration. See how to configure a Firewall/Panorama account.
This example updates the lookup tables every Saturday at 12:05 AM for apps and 12:10 AM for threats. Change the cron_schedule to your desired update schedule.