Syslog Splunk Parsing

L3 Networker

Hey everyone,

First-time poster. We just rolled out XDR and are having some issues getting data into Splunk. The Splunk TA app says it does not support syslog, but there is loads of documentation for getting agent logs, alerts and management logs sent to Splunk. It seems there may be a disconnect between the devs for the app and product management. Has anyone successfully parsed this data? Right now the only thing we are seeing in the API is INC, and there are no mappings for CIM data (which the documentation also says it has support for).

Introduction · GitBook (paloaltonetworks.com)

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).


Splunk Enterprise Security · GitBook (paloaltonetworks.com)
(Looking at you malware)

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.

CIM Datamodel        Tags                           Palo Alto Networks Eventtypes
Change Analysis      change                         pan_config
Email                email, filter                  pan_email
Intrusion Detection  ids, attack                    pan_threat
Malware              malware, attack, operations    pan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessions     network, session, start, end   pan_traffic_start, pan_traffic_end
Network Traffic      network, communicate           pan_traffic
Web                  web, proxy                     pan_url
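The documentation quoted above says incidents reach Splunk only through the Cortex XDR API, not syslog. As an added example (not the poster's code and not Palo Alto's Splunk add-on), here is a small Python poller that builds the documented advanced-API-key headers, pages through get_incidents with a modification_time checkpoint, and wraps each incident as a Splunk HEC event. The tenant FQDN, key id, key, the sourcetype name pan:xdr_incident and the sample incidents are all assumptions constructed for the example; it makes no attempt at CIM field mapping for incidents, which the post notes the add-on does not provide either.

```python
"""Poll Cortex XDR incidents over the public API and shape them for Splunk HEC.

Added example, not the poster's code and not Palo Alto's Splunk add-on. Assumes
the documented advanced API-key scheme (Authorization = sha256 of api_key + nonce
+ timestamp) and the get_incidents endpoint; FQDN, key, sourcetype and the sample
incidents are constructed.
"""
import hashlib
import json
import secrets
import string
import time

PAGE_CAP = 100  # get_incidents serves at most 100 incidents per request

def build_auth_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Advanced API key headers; nonce/timestamp are parameters so tests are stable."""
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    auth_key = f"{api_key}{nonce}{timestamp_ms}"
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": hashlib.sha256(auth_key.encode("utf-8")).hexdigest(),
        "Content-Type": "application/json",
    }

def build_get_incidents_body(modified_since_ms, search_from, search_to):
    """Ask for incidents modified at or after the checkpoint, oldest change first."""
    return {"request_data": {
        "filters": [{"field": "modification_time", "operator": "gte",
                     "value": modified_since_ms}],
        "search_from": search_from,
        "search_to": search_to,
        "sort": {"field": "modification_time", "keyword": "asc"},
    }}

def fetch_incidents(transport, fqdn, api_key_id, api_key, checkpoint_ms):
    """Walk every page since checkpoint_ms; returns (incidents, next_checkpoint_ms).

    transport(url, headers, body) returns the parsed JSON reply. The filter is
    'gte', so the row sitting exactly on the checkpoint is returned again on the
    next poll: dedupe on incident_id + modification_time downstream."""
    url = f"https://api-{fqdn}/public_api/v1/incidents/get_incidents/"
    incidents, offset = [], 0
    while True:
        body = build_get_incidents_body(checkpoint_ms, offset, offset + PAGE_CAP)
        reply = transport(url, build_auth_headers(api_key_id, api_key), body)["reply"]
        page = reply.get("incidents") or []
        incidents.extend(page)
        offset += len(page)
        if not page or offset >= reply["total_count"]:
            break
    next_cp = max((i["modification_time"] for i in incidents), default=checkpoint_ms)
    return incidents, next_cp

def to_hec_event(incident, sourcetype="pan:xdr_incident"):
    """One HEC JSON event per incident version; XDR timestamps are epoch milliseconds."""
    return {"time": incident["modification_time"] / 1000, "sourcetype": sourcetype,
            "source": "cortex_xdr_api", "event": incident}

# Constructed sample incidents (field names follow the get_incidents reply shape).
SAMPLE_INCIDENTS = [
    {"incident_id": "1", "incident_name": "'Malware' generated by XDR Agent", "status": "new",
     "severity": "high", "creation_time": 1700000000000, "modification_time": 1700000000000},
    {"incident_id": "2", "incident_name": "'Behavioral Threat' generated by XDR Analytics",
     "status": "under_investigation", "severity": "medium", "creation_time": 1700000060000, "modification_time": 1700000120000},
    {"incident_id": "3", "incident_name": "'Credential Gathering' generated by XDR Analytics",
     "status": "resolved_true_positive", "severity": "high", "creation_time": 1700000200000, "modification_time": 1700000300000},
]

def fake_transport(page_size):
    """Offline stand-in for HTTPS that pages like the real service (page_size rows)."""
    def transport(url, headers, body):
        if not url.endswith("/get_incidents/") or len(headers["Authorization"]) != 64:
            raise ValueError("malformed request")
        rd = body["request_data"]
        since = rd["filters"][0]["value"]
        matching = sorted((i for i in SAMPLE_INCIDENTS if i["modification_time"] >= since),
                          key=lambda i: i["modification_time"])
        page = matching[rd["search_from"]:rd["search_from"] + page_size]
        return {"reply": {"total_count": len(matching), "result_count": len(page),
                          "incidents": page}}
    return transport

if __name__ == "__main__":
    found, cp = fetch_incidents(fake_transport(2), "tenant.xdr.us.paloaltonetworks.com",
                                "12", "constructed-api-key", 0)
    for inc in found:
        print(json.dumps(to_hec_event(inc)))  # one line per HEC event
    print("next checkpoint:", cp)
```

Swap fake_transport for a real HTTPS POST of the headers and body to the tenant URL and persist the returned checkpoint between runs; that checkpoint plus a dedupe on incident_id and modification_time is what keeps repeated polls from double-indexing the same incident version.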