cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

Syslog Splunk Parsing

L3 Networker

Hey everyone, 

 

First time poster. We just rolled out XDR and having some issues getting data into Splunk. The Splunk TA App says it does not support Syslog, but there is loads of documentation for getting agent logs, alerts, management logs sent to Splunk. It seems there may be a disconnect between the DEV's for the APP and Product Management. Has anyone successfully parsed this data? Right now the only thing we are seeing in the API is INC and there are no mappings for CIM data (Which the documentation also says it has support for)

Introduction · GitBook (paloaltonetworks.com)

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).

 

Splunk Enterprise Security · GitBook (paloaltonetworks.com)
(Looking at you malware)

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.

CIM Datamodel Tags Palo Alto Networks Eventtypes

Change Analysischangepan_config
Emailemail, filterpan_email
Intrusion Detectionids, attackpan_threat
Malwaremalware, attack, operationspan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessionsnetwork, session, start, endpan_traffic_start, pan_traffic_end
Network Trafficnetwork, communicatepan_traffic
Webweb, proxypan_url
Who rated this post