Splunk App for Palo Alto Networks
Author(s) | Splunk |
Copyright | © 2024 Splunk Inc. All rights reserved. |
Overview
Introduction to the Splunk App for Palo Alto Networks
Version | 1.0.1 |
Supported vendor products | Cortex XDR, IoT Security, Firewalls, Panorama, Strata Logging Service (Previously Cortex Data Lake) |
Splunk App for Palo Alto Networks leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk’s extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool. This app enables security analysts, administrators, and architects to correlate application and user activities across all network and security infrastructures from a real-time and historical perspective. Complicated incident analysis that previously consumed days of manual and error-prone data mining can now be completed in a fraction of the time, saving not only manpower but also enabling key enterprise security resources to focus on critical, time-sensitive investigations.
- The Splunk App for Palo Alto Networks depends on the Splunk Add-on for Palo Alto Networks from Splunkbase.
- Download the Splunk App for Palo Alto Networks from Splunkbase.
- See Installation for information about installing and configuring the Splunk App for Palo Alto Networks.
- See Release notes for the Splunk App for Palo Alto Networks for a summary of new features, fixed issues, and known issues.
- See Questions related to Splunk App for Palo Alto Networks on the Splunk Community page.
Installation
Installation overview for the Splunk App for Palo Alto Networks
Notice: If upgrading to the Splunk App for Palo Alto Networks from any version of the “Palo Alto Networks App for Splunk”, you will need to remove the latter from your search head and install the Splunk App for Palo Alto Networks.
- Ensure you are using the Splunk Add-on for Palo Alto Networks and have followed the migration steps in the Splunk Add-on for Palo Alto Networks documentation if migrating from the Palo Alto Networks Add-on for Splunk.
- Download the Splunk App for Palo Alto Networks from Splunkbase or Splunk Web.
- Use the tables in this topic to determine where to install this app.
- Perform any prerequisite steps specified in the tables before installing.
- Use the links in the Installation walkthrough section to perform the installation.
Distributed deployments
Use the following tables to install the Splunk App for Palo Alto Networks in a deployment.
Where to install this App
Unless otherwise noted, you can safely install all supported add-ons to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific App to a distributed deployment of the Splunk platform:
Splunk platform component | Supported | Required | Comments |
---|---|---|---|
Search heads/ Search head cluster | Yes | Yes | The Splunk App for Palo Alto Networks contains visualizations |
Indexers | No | No | Not Applicable |
Heavy forwarders | No | No | Not Applicable |
Universal forwarders | No | No | Not Applicable |
Install the Splunk App for Palo Alto Networks in a single-instance Splunk Enterprise deployment
Follow these steps to install the Splunk App for Palo Alto Networks in a single-instance deployment:
- From the Splunk Web home screen, click the gear icon next to Apps in the navigation bar.
- Click Install app from file.
- Locate the downloaded file and click Upload.
- If Splunk Enterprise prompts you to restart, do so.
- Verify that the app appears in the list of apps and add-ons. You can also find it on the server at $SPLUNK_HOME/etc/apps/Splunk_App_for_paloaltonetworks.
Install the Splunk App for Palo Alto Networks in a distributed Splunk Enterprise deployment
If you are using a distributed Splunk Enterprise deployment, follow the instructions in each of the following sections to deploy the Splunk App for Palo Alto Networks to your search heads.
Search heads
To install the Splunk App for Palo Alto Networks to a search head, follow these steps:
- Download the Splunk App for Palo Alto Networks from Splunkbase, if you have not already done so.
- From the Splunk Web home screen, click the gear icon next to Apps.
- Click Install app from file.
- Locate the downloaded file and click Upload.
- If Splunk Enterprise prompts you to restart, do so.
- Verify that the app appears in the list of apps and add-ons. You can also find it on the server at $SPLUNK_HOME/etc/apps/Splunk_App_for_paloaltonetworks.
Search head clusters
Use the deployer to deploy the app to the search head cluster members.
See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
Configure the Data Model used by the Splunk App for Palo Alto Networks
Many of the visualizations in the Splunk App for Palo Alto Networks use the pan_firewall data model, and you must enable data model acceleration to see data in the dashboards. Data model acceleration is not enabled by default.
Enable it using the following steps:
- Navigate to Settings -> Datamodels and locate the Palo Alto Networks Firewall Logs Data Model.
- Under Actions, select Edit Acceleration.
- Click the checkbox next to Accelerate and set the Summary Range to 7 days.
- Click Save.
- It may take a few minutes for the acceleration to complete. To check the status of the acceleration, expand Palo Alto Networks Firewall Logs and locate the status under Acceleration.
The time period represents how much data will show in the dashboards, and has a significant impact on storage usage. If unsure, set the acceleration time period to 7 days.
Data Model acceleration is not required if using the Add-on only.
In cases where data model acceleration is not possible, the macro pan_summariesonly needs to be updated. To update the macro, use the following steps:
- Navigate to Settings -> Advanced search -> Search macros and locate pan_summariesonly.
- Click pan_summariesonly to open its settings and replace the definition with summariesonly=false.
- Click Save.
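The same two settings expressed as configuration stanzas, for deployments where clicking through Splunk Web on each search head is not practical (a search head cluster, where configuration is staged on the deployer rather than edited on members). This is an added example, not configuration shipped with the app or taken from Splunk's documentation. It assumes the data model ID is pan_firewall as named above, that the macro's shipped definition is summariesonly=true, and that the app's dashboard searches call the macro. Apply only one of the two macro states: leave the macro at summariesonly=true when acceleration is enabled, and redefine it to summariesonly=false only when acceleration is not possible.

```ini
# datamodels.conf
# Single instance: $SPLUNK_HOME/etc/apps/Splunk_App_for_paloaltonetworks/local/
# Search head cluster: stage the app under $SPLUNK_HOME/etc/shcluster/apps/
# on the deployer and push it to the members.
# Equivalent to the UI steps above: Accelerate checked, Summary Range 7 days.
[pan_firewall]
acceleration = 1
# Summary range. Controls how far back the dashboards show data and how much
# summary storage the accelerated data model consumes; 7 days is the value
# recommended above.
acceleration.earliest_time = -7d

# macros.conf (same local/ directory)
# Only for environments where acceleration is NOT possible. With the shipped
# definition (assumed: summariesonly=true) the dashboard searches return only
# summarized data, so an unaccelerated data model shows nothing.
# summariesonly=false lets the same searches fall back to raw events.
[pan_summariesonly]
definition = summariesonly=false
```

After changing either file, restart Splunk or reload the configuration; the Data Audit dashboard's Datamodel Acceleration Status panel is the quickest way to confirm that acceleration has picked up the new setting.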
Dashboards
Active Dashboards
The Active dashboards show activity in Palo Alto. Dashboards contain information on SaaS, File, Web, IoT and GlobalProtect activities.
User Behavior
Dashboard can be filtered by Serial Number, Virtual Systems(Vsys), User, Log Subtype, Source IP, Destination IP, Hostname, Application, and Web Category.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Traffic Events | Total number of traffic events. Counts number of sessions ended. Click the panel to navigate to the File Activity Dashboard. |
File Events | Total number of file events. Counts the number of events in threat logs with subtype file. Click the panel to navigate to the File Activity Dashboard. |
URL Events | Total number of URL events. Counts the number of events in threat logs with subtype url. Click the panel to navigate to the Web Activity Dashboard. |
SaaS Events | Total number of SaaS events. Counts the number of events with application labeled as SaaS. SaaS applications are labeled using app_list.csv. Click the panel to navigate to the SaaS Activity Dashboard. |
Top Hostnames | Displays most common hostnames in URL events. |
Top Web Categories | Displays most common web categories in URL events. |
Top Applications | Displays most common apps in URL events. |
Files Blocked | Displays the user, app, and file name of blocked files in URL events. |
Applications Not Using Default Port | Displays traffic events where default and destination ports are not the same. |
Rare Applications | Displays the least common apps in traffic events. |
SaaS Activity
Dashboard can be filtered by Source IP, Destination IP, Serial Number, Vsys, Source User, Application, Category, and Action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
SaaS Applications | Displays unique count of SaaS applications. |
Users | Displays unique count of users using SaaS applications. |
Megabytes | Displays number of bytes in and out used by SaaS applications. |
SaaS Usage | Count of application activity by time. |
SaaS Actions | Count of actions by time. |
SaaS Distribution | Displays sparkline of sum of bytes by application, category, and subcategory. |
SaaS Statistics | Displays count of users, megabytes, and sessions by sanctioned and non-sanctioned SaaS. |
Sanctioned SaaS Applications | Displays count and percentage of sanctioned SaaS applications found in logs. Select an app to filter the dashboard. |
Non-Sanctioned SaaS Applications | Displays count and percentage of non-sanctioned SaaS applications found in logs. Select an app to filter the dashboard. |
% SaaS Distribution | Displays percentage of non-sanctioned vs. sanctioned activity. |
Top File Sharing SaaS Apps | Most common file sharing SaaS apps based on activity. Click an app to filter the dashboard. |
Top Categories - Sanctioned | Most common categories for sanctioned SaaS apps. Click a sub-category to filter the dashboard. |
Top Categories - Non-Sanctioned | Most common categories for non-sanctioned SaaS apps. Click a sub-category to filter the dashboard. |
File Activity
Dashboard can be filtered by log subtype, serial number, virtual system, source IP, destination IP, application, and direction.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Blocked | Displays count of blocked files. |
Allowed | Displays count of allowed files. |
Total | Displays total count of files in logs. |
File Actions Over Time | Displays count of file actions (blocked, allowed) by time. |
Bytes Transferred Over Time | Displays count of bytes in and out by time. |
File Direction | Displays percentage of file direction (server-to-client, client-to-server). |
Top Zone File Activity | Displays most common source/destination zones found in logs. |
Top Apps | Displays the highest application activity. |
File Activity | Displays the highest file activity. |
Web Activity
Dashboard can be filtered by serial number, virtual system, source IP, destination hostname, user, application, category, content type, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel, filtering events under URL logs.
Panel | Description |
---|---|
Web Destinations | Displays count of destination names by app and category. |
Categories | Displays count of activity by categories. Click a category to filter the dashboard. |
Applications | Displays count of activity by applications. Click a category to filter the dashboard. |
Content Type | Displays count of activity by content type. Click a content type to filter the dashboard. |
Requests Over Time By Action | Displays count of URL requests over time. |
Methods Over Time | Displays count of method requests over time. |
Hostnames Block-Continue | Displays hostnames with action 'block-continue'. Click a hostname to filter the dashboard. |
Top Referrers | Displays most common destination names that are not set to http_referrer_name. |
Top File Downloads | Displays most common file downloads. |
Decrypted Traffic | Displays source IP, user, destination name, category, and applications with flags set to decrypted. |
IoT Activity
Dashboard uses logs with sourcetype=pan:iot_device.
Panel | Description |
---|---|
Monitored Devices | Distinct count of devices. |
IoT Devices | Distinct count of devices with profile_type "IoT". |
Applications | Distinct count of applications. |
Subnets | Distinct count of subnets. |
Devices by Profile Vertical | Count of devices by profile_vertical field. |
Devices by Profile Vertical | Distinct count of devices, profile, and categories. |
New Devices Seen in the Last 24 hours | Displays devices with earliest event found in the last 24 hours. |
GlobalProtect
Dashboard can be filtered by serial number, virtual system, source IP, user, and Portal/Gateway.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Connection Events | Displays login and logout events with the same event ID. |
Events by User | Displays GlobalProtect activity by user. |
Events by Source IP | Displays source IP activity by user. |
Failed Login by User | Displays logins with action=failed by user. |
Connected by User | Displays top 20 users with log_subtype="connected". |
Total Users Logged In | Total number of users with login events. |
Users Logged In | Displays users with log_subtype="connected" or log_subtype="logout" with latest_event="gateway-connected". |
User Location by Source IP | Displays user location using source IP. |
Operations Dashboards
Firewall System
Dashboard can be filtered by Log Subtype, Serial Number, Virtual System, Event ID, Description, and Severity.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel, restricted to logtype system.
Panel | Description |
---|---|
System Events Over Time | Displays timechart of count of events by log subtype. |
Severity | Displays timechart of count of events by severity. |
Latest Events | Displays table of event IDs by serial number, description, log subtype, and severity. |
Firewall Configuration
Dashboard can be filtered by Serial Number, Admin, Host, Admin IP, Admin Type, Command, and Result.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Config Events | Displays timechart of count of events by commands. |
Configuration Administrators | Displays timechart of count of events by admin. |
Clients Used | Displays percentage of host names found in logs. |
Results | Displays percentage of results found in logs. Examples of results include Failed, Submitted, and Succeeded. |
Latest Events | Displays table of firewall configuration events. |
Data Audit
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Next-generation Firewalls | Displays distinct count of serial numbers. |
Logs Indexed - NGF Logs | Displays total count of events in sourcetypes pan_* OR pan:*. |
Datamodel Acceleration Status | Displays status of acceleration for the Palo Alto Networks Firewall Logs datamodel. |
Next-generation Firewall Accelerated Logs by Device | Displays count of logtypes by serial numbers. |
Sourcetypes - Pie | Percentage distribution of sourcetypes found in the Palo Alto Networks Firewall Logs datamodel. |
Data Sources - Pie | Percentage distribution of sourcetypes found in the Palo Alto Networks Firewall Logs datamodel. |
Sourcetypes - Time Chart | Displays timechart of count of sourcetypes found in the Palo Alto Networks Firewall Logs datamodel. |
Data Sources - Time Chart | Displays timechart of count of sources found in the Palo Alto Networks Firewall Logs datamodel. |
Sourcetypes Breakdown | Displays table of count of sourcetypes found in the Palo Alto Networks Firewall Logs datamodel. |
Data Sources Breakdown | Displays table of count of sourcetypes found in the Palo Alto Networks Firewall Logs datamodel. |
Threats Dashboards
The Threats dashboards show threat and incident logs from Palo Alto. Dashboards contain information on Cortex XDR incidents, malware, and network, SaaS, IoT, and email security.
Cortex XDR Incidents
Dashboard can be filtered by incident ID, severity, and status.
Dashboard uses sourcetype pan:xdr_incident.
Panel | Description |
---|---|
Unique Incidents | Displays total number of unique incident IDs. |
New Incidents | Displays total number of unique incident IDs with status of new. |
Starred Incidents | Displays total number of unique incident IDs with starred set to true. |
Incident Severity Over Time | Displays time chart of count of incident IDs by level of severity. |
Incidents by Status | Displays percentage of incident statuses. Options are new, under_investigation, resolved_known_issue, resolved_false_positive, resolved_true_positive, resolved_security_testing, resolved_other, and resolved_auto. |
Incidents by Assignee | Displays percentage of users assigned to incidents. Displays full name of user; if no name is found, UNASSIGNED is used. |
Starred Incident Feed | Displays table with information of starred Incident IDs. Click Open in XDR to navigate to the incident in XDR. |
Incident Feed | Displays table with information of all Incident IDs. Click Open in XDR to navigate to the incident in XDR. |
Malware
Dashboard can be filtered by log subtype, serial number, virtual system, source IP, destination IP, filename, user, severity, application, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Top Domains Serving Malware | Displays most common destination names and IPs. |
Malware Events by Product | Displays percentage of products. |
Malware Events by Action | Displays percentage of actions taken on malware events. |
Malware Delivery and Installation | Displays information on logs with log_subtype virus or wildfire-virus. |
Command and Control Traffic | Displays information on logs with log_subtype spyware. |
Network Security
Dashboard can be filtered by log subtype, serial number, virtual system, source IP, destination IP, threat, severity, and application.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Top Correlation Events | Displays count of threat events under log subtype correlation. |
Top 20 Vulnerability Events | Displays the 20 most common threats under log subtype vulnerability. |
Top 20 Virus and Malware Events | Displays the 20 most common virus and malware events under log subtype virus. |
DNS Sinkhole | Displays information on DNS sinkhole events. Searches for vendor action sinkhole. |
Top 10 Apps With Threats By Severity | Displays chart of total count of app events by severity. |
Threats By Source Location | Displays map of client IP locations related to threat events. |
SaaS Security
Dashboard can be filtered by serial number, virtual system, client IP, destination IP, source user, application, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Blocked | Displays count of blocked file events. |
Security Events | Displays total count of SaaS events. |
Allowed | Displays count of allowed file events. |
Malicious SaaS Files | Displays information on malicious files found with category malware or malicious in logs. |
SaaS Apps Over Time | Displays time chart of total count of SaaS app events. |
SaaS Threats by Type | Displays time chart of total count of SaaS threat events by log subtype. |
IoT Security
Dashboard can be filtered by risk level, name, and vulnerability CVE.
Dashboard uses sourcetypes pan:iot_alert and pan:iot_vulnerability.
Panel | Description |
---|---|
Active Alerts | Total number of unique alert IDs. |
Vulnerabilities | Total number of unique ticket IDs. |
Alerts | Displays time chart of count of alerts by the device category the alert belongs to. |
Category | Displays table of device categories found in logs. |
Vulnerabilities | Displays information on vulnerabilities. Click Details to navigate to the vulnerability in Palo Alto. |
Email Security
Dashboard can be filtered by serial number, virtual system, client IP, destination IP, source user, and application.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel, searching for subcategory email.
Panel | Description |
---|---|
Inbound SMTP Emails per Minute | Displays number of SMTP inbound emails per minute. |
Email Threats Per Minute | Displays number of email events in sourcetype pan:threat per minute. |
Outbound SMTP Emails per Minute | Displays number of SMTP outbound emails per minute. |
Threats By Source Location | Displays count of threats by client IP. Displays map using geolocation of client IP. |
Email Apps With Threats By Severity | Displays the 10 most common email apps found in logs by severity. |
Top Email Threats Source | Displays information on email threats sorted by count. |
Large Email Senders | Displays information on bytes out, user, sender, and IP address of email. |
Reference
Palo Alto Networks Firewall Logs
The Palo Alto App includes a data model that is used by searches and dashboards.
All the app’s dashboards are based on this accelerated data model for extremely fast data retrieval and visualization. So the app itself is using the same Data Model that Splunk administrators would use to generate visualizations.
Dataset name | Dataset ID | Description |
---|---|---|
Firewall Logs | logs | Searches the following logs: traffic, threat, config, system, hipmatch, correlation, globalprotect, and firewall cloud |
-Traffic | traffic | Searches traffic logs and firewall cloud logs with logtype TRAFFIC |
--Flow Start | start | Searches for log_subtype start |
--Flow End | end | Searches for log_subtype end |
-Threat | threat | Searches threat logs and firewall cloud logs with logtype THREAT |
--Vulnerability | vulnerability | Searches log_subtype vulnerability |
--Virus | virus | Searches log_subtype virus |
--Spyware | spyware | Searches log_subtype spyware |
-URL Filtering | url | Searches threat logs and log_subtype url |
-File Blocking | file | Searches threat logs and log_subtype file |
-Data Filtering | data | Searches threat logs and log_subtype data |
-WildFire | wildfire | Searches threat logs and log_subtype wildfire |
--Benign File | benign | Searches for verdict set to benign |
--Malicious File | malicious | Searches for verdict not set to benign |
-Config | config | Searches config logs |
-System | system | Searches system logs and firewall cloud logs with logtype SYSTEM |
-Correlation | correlation | Searches correlation logs and firewall cloud logs with logtype CORRELATION |
-GlobalProtect | GlobalProtect | Searches globalprotect logs and firewall cloud logs with logtype GLOBALPROTECT |
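A scheduled search that reads the accelerated data model through the dataset hierarchy in the table above, as an added example; it is not a search shipped with the app or taken from Splunk's documentation. It assumes the data model ID is pan_firewall, that fields are addressed with the root dataset ID as prefix (logs.<field>, the usual Splunk data model convention), that log_subtype is exposed as a data model field (the dashboards above filter on Log Subtype), and that the pan_summariesonly macro is defined as described under Installation. The stanza name and schedule are arbitrary; the leading "-" and "--" in the dataset names above become dots in the nodename path (logs.threat, logs.threat.vulnerability).

```ini
# savedsearches.conf in
# $SPLUNK_HOME/etc/apps/Splunk_App_for_paloaltonetworks/local/ on the search head.
# Hourly count of threat-log events per subtype, read from the accelerated
# pan_firewall data model. nodename=logs.threat selects the Threat child
# dataset; nodename=logs.threat.vulnerability would narrow it to one grandchild.
# Because the search goes through `pan_summariesonly`, it honours whichever
# summariesonly setting the Installation section left the macro with.
[PAN - Hourly threat events by subtype (example)]
search = | tstats `pan_summariesonly` count from datamodel=pan_firewall \
    where nodename=logs.threat by logs.log_subtype _time span=1h \
    | rename logs.log_subtype as log_subtype
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# Run five minutes past every hour so the latest summary bucket is complete.
cron_schedule = 5 * * * *
enableSched = 1
```

The same pattern (macro, datamodel=pan_firewall, nodename path from the table, root-prefixed field names) is how an administrator builds a custom visualization on this data model, which is the point the Reference section makes: the app's own dashboards and your searches use the same accelerated dataset.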
Release Notes
Release notes for the Splunk App for Palo Alto Networks
Version 1.0.1 of the Splunk App for Palo Alto Networks was released on November 13, 2024.
Compatibility
Version 1.0.1 of the Splunk App for Palo Alto Networks is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.1.0 and later |
Splunk Add-on for Palo Alto Networks version | 1.0.0 |
CIM | 5.x and later |
Platforms | Platform independent |
Vendor Products | Cortex XDR, IoT Security, NGFW, Strata Logging Service, PAN-OS |
New features
Version 1.0.1 of the Splunk App for Palo Alto Networks contains the following new and changed features:
- Bug fixes for Cortex XDR Incident, Malware, and SaaS Security Dashboard inputs.
Fixed issues
Version 1.0.1 of the Splunk App for Palo Alto Networks fixes the following, if any, issues.
Date filed | Issue number | Description |
---|---|---|
10/29/2024 | S2PL-650 | Cortex XDR Incident, Malware, and SaaS Security Dashboard inputs are not functioning as expected and prefix is visible to user for Splunk Cloud versions 9.2 |
Known issues
Version 1.0.1 of the Splunk App for Palo Alto Networks has the following, if any, known issues.
Third-party software attributions
Version 1.0.1 of the Splunk App for Palo Alto Networks incorporates the following third-party libraries:
Does not use any third-party libraries
Release history for the Splunk App for Palo Alto Networks
Latest release
The latest version of the Splunk App for Palo Alto Networks is version 1.0.1. See Release notes for the Splunk App for Palo Alto Networks for the release notes of this latest version.
Version 1.0.0
Version 1.0.0 of the Splunk App for Palo Alto Networks was released on October 3, 2024.
Compatibility
Version 1.0.0 of the Splunk App for Palo Alto Networks is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.1.0 and later |
Splunk Add-on for Palo Alto Networks version | 1.0.0 |
CIM | 5.x and later |
Platforms | Platform independent |
Vendor Products | Cortex XDR, IoT Security, NGFW, Strata Logging Service, PAN-OS |
New features
Version 1.0.0 of the Splunk App for Palo Alto Networks contains the following new and changed features:
- Migrated from XML to Dashboard Studio
- Deprecated the following:
  - Realtime Event Feed Dashboard
  - Threat Intelligence Dashboard
  - Wildfire Submissions Dashboard
  - Palo Alto Networks Aperture Logs Datamodel
  - References to minemeld
- Added additional panels to the Data Audit Dashboards
- Minor dashboard bug and search fixes.
Fixed issues
Version 1.0.0 of the Splunk App for Palo Alto Networks fixes the following, if any, issues.
Known issues
Version 1.0.0 of the Splunk App for Palo Alto Networks has the following, if any, known issues.
Date filed | Issue number | Description |
---|---|---|
10/29/2024 | S2PL-650 | Cortex XDR Incident, Malware, and SaaS Security Dashboard inputs are not functioning as expected and prefix is visible to user for Splunk Cloud versions 9.2 |
Third-party software attributions
Version 1.0.0 of the Splunk App for Palo Alto Networks incorporates the following third-party libraries:
Does not use any third-party libraries