Splunk Add-On for Palo Alto and Splunk for Palo Alto Networks

jdswanson
Explorer

With the new Splunk Add-On now released, what should we expect in terms of the Splunk for Palo Alto Networks app? The sourcetypes are different, obviously, which is a bit of a pain. Should we expect the Splunk for Palo Alto Networks app to shift to using the new sourcetypes defined by the add-on?

1 Solution

btorresgil
Builder

The new App, Add-on, and ES are all released now. The following are all compatible and designed to work together:

Palo Alto Networks App version 5.0
Palo Alto Networks Add-on version 3.5.1
Splunk Enterprise Security version 4.0

The new Add-on is Splunk_TA_paloalto. The old Add-on called TA_paloalto that came with ES 3.x is deprecated.

If upgrading to Palo Alto Networks App version 5.0, please use the upgrade guide:
http://pansplunk.readthedocs.org/en/latest/upgrade.html

sbongomcdonald
New Member

Hello,
We are currently using Splunk Enterprise Security suite version 5.0.0. We want to install the Palo Alto Networks App version 6+. We also want to upgrade the Palo Alto Networks add-on from the current version 3.7.1.

For the purpose of compatibility, I am seeking assistance.
Could someone provide insight on what versions of the App and the Add-on are compatible with the Enterprise Security suite version 5.0.0?

Thanks

0 Karma

jgoddard
Path Finder

Thanks Brian, I have the new app & Splunk_TA being tested now, and it looks great.

0 Karma

jdswanson
Explorer

Thanks Brian, I saw this the other day; I'm very excited for some of the new features. Thanks for the hard work!

0 Karma

jcoates_splunk
Splunk Employee

Hi,

We've unreleased Splunk_TA_paloalto while the app compatibility gets worked on; sorry for the mis-coordination.

The sourcetype differences between TA-paloalto in ES and Splunk_TA_paloalto should not be a factor; ES only cares about CIM compliant extractions, and the newer Splunk_TA_paloalto contains sourcetype renames for backwards compatibility. Sourcetype differences do make a difference for dashboards and reports working directly with raw data instead of using the CIM, which is why the app for Palo Alto doesn't work right with either add-on at this time.

rvasaly
Explorer

Josh, just to be clear, should the 'unreleased' 3.5.0 version of the TA NOT be used with ES 3.3? Its eventtypes and tags are different (and better?) from those in the 3.3.0 TA-paloalto which is included in ES 3.3.

The issue here is ES compatibility only; the App for Palo Alto is not being used.

Thanks

0 Karma

jcoates_splunk
Splunk Employee

I would definitely use the version we wrote with ES if you don't need it to be compatible with the PAN app.

0 Karma

jgoddard
Path Finder

I am also looking for fresh advice/guidance on:
1) How exactly does one deploy for Palo Alto Splunking in a distributed environment, especially with Enterprise Security in the mix? There were comments around saying that the TA-paloalto from E.S. is NOT compatible with this new app. However, if you do the naive thing like I did and send the app to your indexers and heavy forwarders, you end up with every Splunk instance independently running the saved searches, which is bad. That is not hard to fix by making sure that you change the savedsearches to disabled=true EXCEPT on one webserver/cluster.
2) Is the 3.3.0 TA-paloalto now compatible with the SplunkforPaloAltoNetworks app? Because if they contain the same props/transforms/tags (it isn't trivial for me to determine this), I'd much prefer just distributing the TA.
3) Would it be recommended instead to just make my own TA-paloalto that contains the props, transforms, etc. and distribute that to my non-searching Splunk servers?
4) The point about the sourcetypes is valid as well. I currently have some local mods to make sure that both old- and new-style sourcetypes are collected.

Thanks,
Jim

0 Karma
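One way to audit which of an app's saved searches would run on a given Splunk instance, and to generate the local override layer that disables them on the copies sent to indexers and heavy forwarders, as an added example (not code from Splunk or the Palo Alto app; the sample conf contents, stanza names and sourcetype names are constructed for illustration):

```python
import re

# Constructed sample (stanza and sourcetype names assumed) modelled on a default/savedsearches.conf.
SAMPLE_DEFAULT = """\
[default]
cron_schedule = */5 * * * *

[PAN - Threat summary]
search = index=pan_logs sourcetype=pan:threat \\
| stats count by threat_name
enable_sched = 1

[PAN - Traffic by app]
search = index=pan_logs sourcetype=pan:traffic | stats sum(bytes) by app
enable_sched = 1
disabled = true
"""
TRUE_VALUES = ("1", "true", "t", "yes", "y")

def parse_stanzas(text):
    """{stanza: {key: value}} for Splunk .conf text; joins backslash-continued lines."""
    stanzas, current, pending = {}, None, []
    for raw in text.splitlines():
        pending.append(raw.rstrip().rstrip("\\").rstrip())
        if raw.rstrip().endswith("\\"):
            continue  # continuation line: keep accumulating
        line, pending = " ".join(pending).strip(), []
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def scheduled_searches(text):
    """Names of searches the scheduler would actually run on this instance."""
    return [name for name, kv in parse_stanzas(text).items()
            if name != "default"
            and kv.get("enable_sched", "0").lower() in TRUE_VALUES
            and kv.get("disabled", "0").lower() not in TRUE_VALUES]

def disabled_override(text):
    """local/savedsearches.conf body that disables every search still active in
    the default layer; ship it with the app copy sent to indexers/heavy forwarders."""
    return "\n".join(f"[{name}]\ndisabled = true\n" for name in scheduled_searches(text))
```

Splunk merges `local/` over `default/`, so the search head keeps its own copy of the app without this override and remains the only node running the searches.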