This repository was archived by the owner on Dec 14, 2024. It is now read-only.

Integrate Cortex XDR incidents #166

Merged
merged 12 commits into from
May 8, 2021

Conversation

paulmnguyen
Contributor

@paulmnguyen paulmnguyen commented Mar 4, 2021

Description

Support Cortex XDR Incidents in Palo Alto Networks Splunk App and Add-on.

This integration includes

  • Splunk modinput to pull incidents via XDR API. (This integration does not use syslog)
  • New 'Cortex XDR Incident' dashboard which replaces the previous 'All Incidents' dashboard.
  • Splunk Common Information Model (CIM) compliant field extractions
  • Splunk Enterprise Security (ES) notable events

Motivation and Context

Traps has become Cortex XDR, so we will retire Traps support in the Splunk App and Add-on and replace it with Cortex XDR support.

How Has This Been Tested?

Modular input tested with Cortex XDR API in Splunk 8.1.
Incidents and notable events tested in Splunk ES.

Types of changes

  • New feature - Cortex XDR support
  • Breaking change - removes Traps support

Checklist

  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes if appropriate.
  • All new and existing tests passed.

@paulmnguyen paulmnguyen added add-on Related to the Splunk Add-On app Related to the Splunk App (not the Add-on) labels Mar 4, 2021
@paulmnguyen paulmnguyen requested a review from btorresgil March 4, 2021 18:04
@paulmnguyen paulmnguyen self-assigned this Mar 4, 2021
@paulmnguyen paulmnguyen changed the title Feature/cortex xdr Integrate Cortex XDR incidents Mar 4, 2021
@btorresgil btorresgil merged commit 8be8edb into develop May 8, 2021
@btorresgil btorresgil deleted the feature/cortex-xdr branch May 8, 2021 00:50
btorresgil pushed a commit that referenced this pull request May 8, 2021
PR: #166 

BREAKING CHANGE: Replaces dashboards including Adversary Scoreboard and Incident Feed with new XDR Incidents dashboard.
btorresgil pushed a commit that referenced this pull request May 8, 2021
…cluding new XDR Incidents dashboard

PR: #166

BREAKING CHANGE: Replaces Adversary Scoreboard and Incident Feed dashboards with new XDR Incidents dashboard
github-actions bot pushed a commit that referenced this pull request May 14, 2021
## [7.0.0](v6.6.1...v7.0.0) (2021-05-14)

### Features

* **addon:** PAN Quality Validation and Improvement
* **addon:** Significantly improve and modernize CIM compliance
* **app/addon:** Add Cortex XDR incident support to App and Add-on including new XDR Incidents dashboard - #166

### Bug Fixes

* **addon:** Fix error from Minemeld automatic lookup
* **addon:** Fix src_user field contained destination user - #186

### Performance Improvements

* **app:** Remove high cardinality fields from datamodel

### ⚠ MAJOR RELEASE CHANGES

This is a major release

Splunk dashboards and searches you have created might be
affected by these changes. Please be prepared to test and
adjust any dashboards not included with the App after upgrade.

* **addon:** pan_traffic_start logs no longer included in CIM
* **addon:** pan_traffic_end logs moved from Network Session to Network Traffic datamodel
* **addon:** pan_threat event type now includes wildfire and data logs
* **addon:** pan_file logs moved from Web to IDS datamodel
* **addon:** pan_virus logs moved from Malware to IDS datamodel
* **addon:** pan_wildfire logs moved from Malware to IDS datamodel
* **addon:** pan_email removed from Email datamodel
* **app:** Removes datamodel for GlobalProtect logs before PAN-OS 9.1
* **app/addon:** Removes Traps 4 support
* **app/addon:** Deprecates Traps 5 and Traps 6 support
* **app:** Removes support for legacy WildFire Report API
* **app/addon:** Requires Splunk 8.0 or higher
* **app/addon:** Replaces Adversary Scoreboard and Incident Feed dashboards with new XDR Incidents dashboard
github-actions bot pushed a commit to btorresgil/SplunkforPaloAltoNetworks that referenced this pull request Mar 7, 2022
## [5.0.0-beta.1](v4.2.2...v5.0.0-beta.1) (2022-03-07)

### Features

* **addon:** Add Decryption Log Support for PANOS 10  - PaloAltoNetworks#126
* **addon:** Cortex Data Lake HEC log support - PaloAltoNetworks#162 PaloAltoNetworks#176
* **addon:** PAN Quality Validation and Improvement
* **addon:** Significantly improve and modernize CIM compliance
* **app/addon:** Add Cortex XDR incident support to App and Add-on including new XDR Incidents dashboard - PaloAltoNetworks#166
* **app/addon:** Add IoT Security - PaloAltoNetworks#158
* **app/addon:** Feature/dynamic user groups - PaloAltoNetworks#150
* **app/addon:** Python 3 Support - PaloAltoNetworks#124
* **app/addon:** Support GlobalProtect log type in PANOS 9.1 - PaloAltoNetworks#118
* **app/addon:** Update pandevice to 0.14.0 - PaloAltoNetworks#145

### Bug Fixes

* **addon:** Add fields for GlobalProtect logs
* **addon:** Add GlobalProtect SourceUserName - PaloAltoNetworks#209 PaloAltoNetworks#202
* **addon:** Add modinputs as tasks in app.manifest - PaloAltoNetworks#153
* **addon:** Add virus eventtype to malware CIM - PaloAltoNetworks#114 PaloAltoNetworks#138
* **addon:** Fix appserver/static files
* **addon:** Fix CDL logs contained string 'null' in 'user' field - PaloAltoNetworks#187
* **addon:** Fix error from Minemeld automatic lookup
* **addon:** Fix GlobalProtect logs dvc_name field
* **addon:** Fix nav bar background color
* **addon:** Fix src_user field contained destination user - PaloAltoNetworks#186
* **addon:** Fix typo in transform.conf ([PaloAltoNetworks#227](https://github.com/btorresgil/SplunkforPaloAltoNetworks/issues/227))
* **addon:** Fix user showing as unknown from GlobalProtect logs.  - PaloAltoNetworks#217
* **addon:** Parse GP and Decryption logs w/ pan:firewall - PaloAltoNetworks#168
* **addon:** Remove endpoint tags and eventtypes - PaloAltoNetworks#196
* **addon:** Remove port from `dest_name` field - PaloAltoNetworks#129 PaloAltoNetworks#128
* **addon:** Remove white space from GlobalProtect sourcetype - PaloAltoNetworks#131
* **addon:** Restore "unknown" string for empty 'user' field
* **app:** Fix error after upgrade to 7.0.0: "Unknown search command 'panwildfirereport'" - PaloAltoNetworks#189
* **app:** Fix IoT Security dashboard filter - PaloAltoNetworks#181
* **app:** Fix panContentPack error. Fixes bug [PaloAltoNetworks#222](https://github.com/btorresgil/SplunkforPaloAltoNetworks/issues/222) - PaloAltoNetworks#225
* **app:** Incident counters flash in Splunk 8.1 - PaloAltoNetworks#163
* **app:** Remove endpoint from Data Model Audit dashboard - PaloAltoNetworks#218
* **app/addon:** correct user-id tag_user / untag_user
* **app/addon:** Fix background color of logo - PaloAltoNetworks#141

### Performance Improvements

* **app:** Change simple XML to use JQuery 3.5 - PaloAltoNetworks#207
* **app:** Remove high cardinality fields from datamodel

### ⚠ MAJOR RELEASE CHANGES

This is a major release

Splunk dashboards and searches you have created might be
affected by these changes. Please be prepared to test and
adjust any dashboards not included with the App after upgrade.

* **addon:** pan_traffic_start logs no longer included in CIM
* **addon:** pan_traffic_end logs moved from Network Session to Network Traffic datamodel
* **addon:** pan_threat event type now includes wildfire and data logs
* **addon:** pan_file logs moved from Web to IDS datamodel
* **addon:** pan_virus logs moved from Malware to IDS datamodel
* **addon:** pan_wildfire logs moved from Malware to IDS datamodel
* **addon:** pan_email removed from Email datamodel
* **app:** Removes datamodel for GlobalProtect logs before PAN-OS 9.1
* **app/addon:** Removes Traps 4 support
* **app/addon:** Deprecates Traps 5 and Traps 6 support
* **app:** Removes support for legacy WildFire Report API
* **app/addon:** Requires Splunk 8.0 or higher
* **app/addon:** Replaces Adversary Scoreboard and Incident Feed dashboards with new XDR Incidents dashboard