Splunk Enterprise Security
Common Information Model (CIM) Compliance
The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.
| CIM Datamodel | Tags | Palo Alto Networks Eventtypes |
| --- | --- | --- |
| Intrusion Detection | ids, attack | pan_threat |
| Malware | malware, attack, operations | pan_malware_attacks, pan_malware_operations, pan_wildfire |
| Network Sessions | network, session, start, end | pan_traffic_start, pan_traffic_end |
| Network Traffic | network, communicate | pan_traffic |
Share MineMeld Indicators
Added in Add-on version 6.0
Indicators can be shared between MineMeld and Splunk Enterprise Security. Multiple types of indicators can be shared, each with its own saved search and Enterprise Security threatlist.
Enabling indicator sharing is a two step process. First, enable the saved searches of the indicator types to be shared. Second, enable the corresponding threatlists in Splunk Enterprise Security.
Indicators are shared with Splunk Enterprise Security as a CSV file threatlist. The saved searches are all set to run once every hour by default. The Enterprise Security threatlist is set to poll every four hours by default. So after enabling the desired indicator sharing, allow some time (up to one saved-search run plus one threatlist poll) before the indicators show up in Splunk Enterprise Security.
Here's an example walkthrough for enabling sharing of IPv4 indicators.
Enable Saved Searches
Navigate to Settings > Searches, reports, and alerts.
Find the saved search named Generate MineMeld IPv4 Enterprise Security Threatlist, then in the Actions column, click Edit > Enable.
Enable Enterprise Security Threatlists
Add the following four threatlist inputs to the file $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf (or to your preferred inputs.conf file):

[threatlist://minemeld_ipv4threatlist]
description = MineMeld IPv4 threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_ipv4threatlist

[threatlist://minemeld_domainthreatlist]
description = MineMeld Domain threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_domainthreatlist

[threatlist://minemeld_urlthreatlist]
description = MineMeld URL threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_urlthreatlist

[threatlist://minemeld_filethreatlist]
description = MineMeld file threatlist indicators for Splunk ES
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_filethreatlist
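As an added check that is not part of the add-on or of Splunk, the following Python script parses these threatlist stanzas with the standard library, flags settings that would keep Enterprise Security from importing a list, and works out the worst-case delay described above (one hourly saved-search run plus one four-hour poll). The sample inputs.conf is constructed here, with one stanza deliberately broken.

```python
import configparser
# Defaults stated on this page: saved searches run hourly, ES threatlist
# inputs poll every four hours. EXPECTED_LOOKUPS are the page's four lookups.
SAVED_SEARCH_INTERVAL = 3600
EXPECTED_LOOKUPS = {"minemeld_ipv4threatlist", "minemeld_domainthreatlist",
                    "minemeld_urlthreatlist", "minemeld_filethreatlist"}
# Constructed sample inputs.conf: the IPv4 stanza as the page gives it, plus a
# domain stanza with two deliberate mistakes (disabled, bare lookup name).
SAMPLE_CONF = """\
[threatlist://minemeld_ipv4threatlist]
interval = 14400
disabled = false
type = threatlist
url = lookup://minemeld_ipv4threatlist
[threatlist://minemeld_domainthreatlist]
interval = 14400
disabled = true
type = threatlist
url = minemeld_domainthreatlist
"""

def parse_threatlist_stanzas(conf_text):
    # Return {stanza: {key: value}} for every threatlist:// stanza in the text.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk .conf keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("threatlist://")}

def check_stanza(settings):
    # List the settings that would stop ES from importing this threatlist.
    problems = []
    if settings.get("type") != "threatlist":
        problems.append("type must be threatlist")
    if settings.get("disabled", "false").lower() not in ("false", "0"):
        problems.append("input is disabled")
    if not settings.get("url", "").startswith("lookup://"):
        problems.append("url must be a lookup:// source")
    if not settings.get("interval", "").isdigit():
        problems.append("interval must be a whole number of seconds")
    return problems

def worst_case_delay(settings, saved_search_interval=SAVED_SEARCH_INTERVAL):
    # Seconds a fresh MineMeld indicator may take to reach ES: one saved-search
    # run to land in the lookup, then one threatlist poll to import it.
    return saved_search_interval + int(settings["interval"])

def audit(conf_text):
    # Return ({stanza: [problems]}, [page lookups not yet served by a clean stanza]).
    stanzas = parse_threatlist_stanzas(conf_text)
    report = {name: check_stanza(cfg) for name, cfg in stanzas.items()}
    served = {cfg["url"][len("lookup://"):] for name, cfg in stanzas.items() if not report[name]}
    return report, sorted(EXPECTED_LOOKUPS - served)
```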