A look at new features and functionality with the 6.0 release
Palo Alto Networks recently introduced the latest version of their Splunk App, which is version 6.0. Within the app, Palo Alto Networks provides a centralized view into their extensive security ecosystem. Utilizing a combination of syslog feeds and API calls, a Splunk user can quickly navigate through events and take a deep dive into metrics coming from their next generation firewalls, endpoint security solution (Traps), Wildfire, Panorama, Minemeld, Autofocus and Aperture.
FULL SUITE OF CLOUD SERVICES AVAILABLE
The biggest addition to the dashboards is the expansion of cloud services information. The full suite of cloud information is now available between WildFire and Aperture feeds, and Minemeld is utilized as a central threat intelligence feed within the Splunk KV Store. MineMeld is an extensible threat intelligence processing framework that can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or Palo Alto Networks security platforms. AutoFocus is one of those possible sources of threat intelligence, which can be routed through Minemeld instead of Splunk directly, which may make sense if other threat intelligence feeds are also utilized. If the cloud services are purchased, all the feeds and submission results become available through APIs providing threat intelligence and cloud access security metrics to the Splunk platform.
DASHBOARDS ARE NOW ORGANIZED BY USE CASE
Palo Alto Networks has broken out the individual dashboards based on customer use case, whether that is operational metrics or security analytics.
Operational metrics dashboard
The operational dashboards give the user the ability to search among several fields and time ranges, allowing the operator to quickly search for any specific event. The GlobalProtect dashboard also visualizes the geolocation of the user to facilitate the correlation of any location-based issues. One of the interesting activity dashboards is the User Behavior, which allows the Splunk user to see topics such as rare applications, applications using non-standard ports and possible data leaks. This feature leverages SaaS information from Aperture and the firewalls to search for anomalous behavior.
Security analytics dashboard
Within the threat dashboards for security analytics, Palo Alto Networks has given a visualization of the Cyber Attack Lifecycle with clickable links to their online Cyberpedia, which is a deep-dive reference guide to understanding the attack lifecycle and mitigation techniques.One of the interesting features of the new app is the ability to pivot to the threat intelligence feeds directly from the events. For example, either within an individual event or from the WildFire submissions screen, a user can click “Open in AutoFocus” to pivot to a new tab within the event analysis.
TROUBLESHOOTING KV STORE AND TA LOOKUP ERRORS
Out of the box, the information that is presented in the app is meant to take advantage of the full Palo Alto Networks portfolio, which does require subscriptions to the various feeds and services. The app could use a setup screen, to facilitate the configuration of scripted inputs, or to disable specific dashboards and reports if the end user does not have all of the Palo Alto Networks components.
For example, the new app updates all searches for the pan:threat and pan:traffic sourcetypes to leverage information from the Minemeld threat intelligence lookup. This lookup leverages the Splunk KV Store from the add-on, so KV Store replication is needed from the search heads to the indexers to alleviate the errors that arise. Without this replication or some other mitigating tactic, all Splunk searches return an error from the Minemeld lookup. Replication of the KV Stores is not common except for specific scenarios, so the Splunk deployment may need to be updated to allow the replication. Documentation about the error and how to work with KV Stores can be found through the following links:
- Palo Alto Networks TA lookup error solution: https://answers.splunk.com/answers/590248/error-at-search-time-after-upgrading-palo-alto-net-1.html
- Information about KV Store lookups: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureKVstorelookups#KV_store_lookup_example
The searches also could be customized to utilize any threat intelligence feed available instead of the Minemeld feed. Another alternative could also be for the Splunk administrator to simply disable the lookup with custom Splunk props and transforms.
CONNECTED TO SPLUNK ANSWERS
The app additionally includes a feedback button that takes you to the Splunk Answers website. Here you can provide constructive feedback to the community for the next release, or look for answers related to the new app.
Overall, this latest version of the Palo Alto Networks app is a clear improvement over the last one available to the Splunk marketplace. Not only does it provide robust dashboards to visualize any aspect of a Palo Alto Networks deployment, it also allows a network or security administrator to quickly pivot between individual events and the threat intelligence behind the alerts.
Moreover, the Adversary Scoreboard has significant value to quickly visualize the summarized events that map to critical stages of an attack lifecycle, assuming the end user has an Autofocus subscription. If the intelligence feed is available, it’s worth considering setting the default landing page for the app to the Adversary Scoreboard.
Author Note: A big thanks to Technical Solutions Architect Ernest Pavon for his contributions to this post.