Solved: CIM datamodel mapping for PaloAlto threat (includi...

HiroshiSatoh · ‎03-19-2019

I would like to borrow the wisdom of the Palo Alto experienced person.
Which data model does PaloAlto's threat (including URL Filtering) correspond to? "Intrusion Detection"?

lakshman239 · ‎03-20-2019

The PA firewall supports a number of Datamodels - Network Traffic, Network Sessions, Malware, Web .

If you install the Splunk Add on for Palo Alto and look at the default/tags.conf and eventtypes.conf, you can see all the event grouping and tags corresponding to the datamodel.

The events - threat/traffic all depends on the license for the modules which you may have on the PA.

View solution in original post

DEAD_BEEF · ‎06-17-2019

Documentation from Palo now breaks out each sourcetype into it's intended CIM datamodel.

lakshman239 · ‎03-20-2019

The PA firewall supports a number of Datamodels - Network Traffic, Network Sessions, Malware, Web .

If you install the Splunk Add on for Palo Alto and look at the default/tags.conf and eventtypes.conf, you can see all the event grouping and tags corresponding to the datamodel.

The events - threat/traffic all depends on the license for the modules which you may have on the PA.

CIM datamodel mapping for PaloAlto threat (including URL Filtering) log

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes