Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto

Communicator

Are there plans to add support for the 'Network Sessions' and 'Authentication' CIM data models from the Splunk_TA_paloalto Add-on for GlobalProtect events?

Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto

Builder

Yes, there are plans to do this and other improvements to CIM datamodel for better ES integration. Keep an eye out in the next couple Add-on releases. Thanks for the feedback!

Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto

Communicator

Thank you Brian. Do you have a road map or a time frame for when this support will be added?

Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto

Communicator

It's been 2 years for this answer! @btorresgil

Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto

Builder

Hi saurabhtek11, thanks for bumping this. We support network sessions, see eventtype=pan_traffic_start and pan_traffic_end. We could support Authentication to some extent with USERID type logs from the firewall, but the Authentication CIM is not a great fit because it's geared more toward the logs from the actual point of authentication, which the firewall typically is not in enterprise environments. This would be your RADIUS, LDAP, or AD server usually.

I opened a feature request so you can share your use cases for supporting the Authentication CIM. I'm very interested in any feedback, thanks!
https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/33
