Splunk Enterprise Security

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) that Splunk provides to normalize field names, so Enterprise Security correlation searches and dashboards that are written against CIM data models work on Palo Alto Networks data without custom field mappings. The table below lists the CIM data models that apply to Palo Alto Networks data, the tags the add-on applies to the events, and the add-on eventtypes that carry those tags.

CIM Datamodel         Tags                            Palo Alto Networks Eventtypes
Change Analysis       change                          pan_config
Email                 email, filter                   pan_email
Intrusion Detection   ids, attack                     pan_threat
Malware               malware, attack, operations     pan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessions      network, session, start, end    pan_traffic_start, pan_traffic_end
Network Traffic       network, communicate            pan_traffic
Web                   web, proxy                      pan_url

Share MineMeld Indicators

Added in Add-on version 6.0

Indicators can be shared between MineMeld and Splunk Enterprise Security. There are multiple types of indicators that can be shared:

  • Domain
  • File
  • IPv4
  • URL

Enabling indicator sharing is a two-step process. First, enable the saved search for each indicator type to be shared. Second, enable the corresponding threatlist in Splunk Enterprise Security.

Indicators are shared with Splunk Enterprise Security as a CSV file threatlist: the saved search writes the CSV, and the Enterprise Security threat intelligence download reads it. The saved searches run once every hour by default, and the Enterprise Security threatlist polls every four hours by default, so after enabling sharing it can take several hours before the indicators appear in Splunk Enterprise Security. If you need them sooner, shorten the saved search schedule or the threatlist polling interval.

Here's an example walkthrough for enabling the sharing of IPv4 indicators.

Enable Saved Searches

Navigate to Settings > Searches, reports, and alerts.

Find the Generate MineMeld IPv4 Enterprise Security Threatlist saved search, then in the Actions column, click Edit > Enable.

Enable Enterprise Security Threatlists

Navigate to Enterprise Security > Configure > Data Enrichment > Threat Intelligence Downloads.

Find the threatlist named minemeld_ipv4threatlist, then click the Enable link.
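The same two enablement steps can be scripted, which is useful when the add-on is rolled out by a deployment pipeline rather than by hand. The script below is an added example and is not code from the Palo Alto Networks Add-on, MineMeld or Splunk; it issues the two enable operations through Splunk's REST API (saved/searches/{name}/enable and data/inputs/{kind}/{name}/enable). Its assumptions are labelled in the comments: the saved search and threatlist keep the names shown above, Enterprise Security exposes its threat intelligence downloads as the modular input kind "threatlist", the management port is 8089, and a bearer token is used for authentication. By default it only prints the requests (dry run); set DRY_RUN=0 and SPLUNK_TOKEN to send them.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks Add-on or its docs:
# perform the two enablement steps above through Splunk's REST API so they
# can be scripted instead of clicked in the UI.
# Assumptions (not stated on the page): Enterprise Security threat
# intelligence downloads are exposed as the modular input kind "threatlist"
# under data/inputs/; the management port is 8089; a bearer token is used.
# Default is a dry run that prints the requests; set DRY_RUN=0 to send them.

SPLUNK_HOST="${SPLUNK_HOST:-https://localhost:8089}"
SPLUNK_TOKEN="${SPLUNK_TOKEN:-}"
DRY_RUN="${DRY_RUN:-1}"

# Percent-encode the characters that occur in these object names (spaces,
# slashes); Splunk object names are used as URL path segments.
urlencode_name() {
    printf '%s' "$1" | sed -e 's/ /%20/g' -e 's|/|%2F|g'
}

# REST path that enables a saved search: saved/searches/{name}/enable.
saved_search_enable_path() {
    printf '/services/saved/searches/%s/enable' "$(urlencode_name "$1")"
}

# REST path that enables a modular input: data/inputs/{kind}/{name}/enable.
# Assumption: ES threat intelligence downloads are the "threatlist" kind.
input_enable_path() {
    printf '/services/data/inputs/%s/%s/enable' "$2" "$(urlencode_name "$1")"
}

# POST to Splunk with a bearer token. In dry-run mode only print the request.
splunk_post() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'POST %s%s\n' "$SPLUNK_HOST" "$1"
        return 0
    fi
    if [ -z "$SPLUNK_TOKEN" ]; then
        echo "SPLUNK_TOKEN is not set" >&2
        return 1
    fi
    # -k only because a default Splunk install ships a self-signed
    # certificate; remove it once the management port has a trusted one.
    curl -sS -k -X POST -H "Authorization: Bearer $SPLUNK_TOKEN" \
        "$SPLUNK_HOST$1?output_mode=json"
}

# Step 1: the add-on's saved search that writes the IPv4 indicator CSV.
# Step 2: the ES threat intelligence download that polls that CSV.
enable_ipv4_sharing() {
    splunk_post "$(saved_search_enable_path 'Generate MineMeld IPv4 Enterprise Security Threatlist')" &&
    splunk_post "$(input_enable_path 'minemeld_ipv4threatlist' 'threatlist')"
}

enable_ipv4_sharing
```

Run it once in dry-run mode to confirm the two paths look right for your deployment, then run it with DRY_RUN=0. Enabling the threatlist before the saved search has produced its first CSV is harmless: the download simply finds nothing to ingest until the next poll after the CSV exists.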
