REQUIRED ACTION: The App setup screen has moved to the Add-on. If you had previously set firewall credentials or a WildFire API key in the App setup screen, you'll need to set them again in the Add-on setup screen. You may delete the file $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/nf to remove the credentials from the App, since they are no longer used.

- Eventtype pan_threat no longer includes these log_subtypes: url, data, file, and wildfire. There are new eventtypes for each of the removed log_subtypes: pan_url, pan_data, pan_file, and pan_wildfire. You might need to update custom searches or panels you created that leverage the pan_threat eventtype.
- Datamodel acceleration might rebuild itself after installation due to updated constraints.
- Integration with new Splunk Adaptive Response.
- Tag to dynamic address group using modular actions and Adaptive Response.
- Submit URLs from any log in Splunk to WildFire.
- Logs with malware hashes have a new event action that links directly to that hash in AutoFocus.
- Improved tagging for Splunk Enterprise Security, based on customer feedback.
- Other updates are in the Add-on (see below).
- Changes made to meet new certification requirements.
- Improved configuration screen allows credentials to be changed.
- Improved CIM support for correlation logs.
- Support for Firewall Log Link via External Search Handler.
- Support for AutoFocus Remote Search via External Search Handler.
- Endpoint Dashboard supports new Traps 3.4 fields.
If you have previously created your own dashboards based on the Palo Alto Networks datamodels, you may need to update some field names, because some fields have changed names in the datamodel.

- Datamodel optimizations for size on disk and performance.
- Threat Intelligence from MineMeld can be shared with Splunk Enterprise Security.
- Support for content pack sync with PAN-OS 8.0.
- Events from Firewall, Panorama, Traps, Aperture, AutoFocus, and MineMeld correlate and combine to offer unparalleled security insights.
- Tool tips and Tour to help guide you through the new dashboards.
- Automatically prioritize attacks with the new All Incident Feed, and investigate with the new Incident Context View.
- Is your organization safe from those who intend the most harm? Know your adversary with the new Adversary Scoreboard and measure how effective your security is at defeating their attacks.

If you have previously created your own dashboards based on the Palo Alto Networks datamodels, you may need to update those dashboards. The Traps datamodel has been renamed from pan_endpoint to pan_traps, and some fields have changed names in the datamodel to support the additional data in Traps 5.0.

- Fix: Corrected the double parse of Aperture logs.
- Fix: category field for URL logs is now more consistent.
- New: Malicious WildFire events tagged for Malware CIM datamodel.
- New: Easier to disable certificate validation for self-hosted MineMeld.
- New: MineMeld indicator retention timer.