Your SlideShare is downloading. ×

Splunk for palo_alto


Published on

Splunk for Palo Alto Application

Splunk for Palo Alto Application

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. F a c t S h e e t could identify a potential security risk in message logs and trigger an update to that user’s profile on the Palo Alto Networks firewall, resulting in an automated, improved security posture. All security-relevant data can be searched and analyzed from one place in Splunk—catching attackers and malicious insiders who may have previously gone undetected. Splunk software can be deployed without requiring custom parsers or connectors and the Splunk App for Palo Alto Networks and its content are available at no additional cost. You can extend the App for Palo Alto Networks by creating your own dashboards, visualizations and alerts to match the specific use case as needed. Palo Alto Networks Next-Generation Firewall and Splunk The Splunk App for Palo Alto Networks also fully supports the virtualization capabilities available in the Palo Alto Networks firewall. The user is provided an aggregate view of metrics across all virtualized firewalls, but can choose to view one or a subset of all virtualized firewalls. In this way, the security of business services can be tracked and monitored over time. The following visualizations and reports are available in the Splunk App for Palo Alto Networks. Each visualization or report can be clicked on to see the Palo Alto Networks data fueling the dashboard graphic: Palo Alto Networks Overview Geographic overview of threats and event types – A geographic view of threats shown on a world map (Splunk Google Maps App or amMap App required). Includes a real-time presentation of events flowing through the firewall shown by event type. Traffic and Web Activity Dashboards Selecting any combination of the following data elements can alter dashboard views: Source IP, Destination IP, Destination port, Action, Source user, and/or App. Palo Alto Networks next-generation firewalls enhance network security and enable enterprises to look beyond IP addresses and packets. These innovative firewalls let you see and control applications, user behaviors and content using three unique identification technologies: App-ID, User-ID and Content-ID. The Palo Alto Networks identification technologies enable you to create business-relevant and application-based security policies. This approach goes beyond the traditional “all-or-nothing” method offered by traditional port-blocking firewalls used in many security infrastructures. Palo Alto Networks firewalls integrate IPS and firewall capabilities and use signature heuristics to identify particular application risks and threats. They also integrate with LDAP or Active Directory and can dynamically link IP addresses to users and groups that access your network. Palo Alto Networks firewalls also support virtual firewall instances on a single pair of firewalls (for high availability). This allows for network segmentation for departmental services that apply specific customized policies per business service. The departmental chargeback services model is fully supported. Why Splunk for Palo Alto Networks? Splunk offers Palo Alto Networks firewall users a massively scalable real-time IT data engine. The Splunk App for Palo Alto Networks gives you pre-defined content with key performance indicators (KPIs) and long-term trending. In addition to robust reporting, Splunk supports the collection of terabytes of data per day in real time. Splunk software extends Palo Alto Networks’ situational awareness capabilities with real-time continuous monitoring and trending. Using data from Palo Alto Networks, Splunk can be set for a specific risk threshold and monitor for variances based on time-of-day, day- of-the week or over a year’s worth of data. Palo Alto Networks’ URL filtering capabilities are enhanced by Splunk’s ability to perform long-term trending and provide business-level reports as needed. There are numerous immediate benefits to deploying the Splunk App for Palo Alto Networks. The App delivers advanced security reporting and analysis. Security analysts, network administrators and architects can now leverage application and user visibility at an unprecedented scale and rate. Security administrators can drill down into Palo Alto Networks data in one or two clicks, allowing them to investigate incidents in minutes instead of hours or days. In addition, human resource departments can leverage dashboards and reports in Splunk to track security compliance. The Splunk App for Palo Alto Networks also includes custom commands to enable Splunk searches to automatically change configurations on Palo Alto Networks firewalls. For example, an administrator analyzing data in Splunk from an Exchange server Maximizing Network and Application Security, Visibility and Control Splunk® App for Palo Alto Networks
  • 2. 250 Brannan St, San Francisco, CA, 94107 | 866-438-7758 | 415-848-8400 Copyright © 2013 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item # FS-Splunk-PaloAlto-Networks-105 F a c t s h e e t Content, Data Filtering and URL Filtering Dashboards Selecting any combination of the following data elements can alter dashboard views: Source IP, Destination IP, Content Type, Category, Virtual System, and/or App. These dashboards allow the user to understand the content types and browsing history of users over time. Event actions and data events by application are tracked in real time, while data event threat IDs, data filtering by country and by application and category are supported in snapshot views. Splunk software takes full advantage of the average threat risk data and monitors the average risk in real time. Console System and Configuration Dashboards Selecting any combination of the following data elements can alter dashboard views: Log Subtype, Event ID, Serial Number, Virtual System, Severity, and/or Description. These dashboards allow the Palo Alto Networks firewall administrator to monitor key performance metrics and configuration changes. Views of the latest system events by Log subtype, Event ID and by Virtual system provide a complete picture of system performance. Up-to-the-minute system configuration changes are monitored in the App so that unscheduled configuration changes can be monitored and system integrity maintained. This information is broken down in a way that allows knowing which systems were changed, who made the change and what changes were made. Free Download Download Splunk. You’ll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. You can convert to a perpetual Free license or purchase an Enterprise license by contacting Bytes Transferred Over Time – Watches for spikes in traffic and allows for drill-down into specific time periods to view anomalous behavior Protocols Over Time – Top protocols in use over time Bytes Transferred Over Time – Bytes sent and Bytes received Top App by Bytes Transferred – Records the app transferring the most data in or out of the network Top App by Request – Monitors the use of app requests and classifies them using Palo Alto Networks categories Top Source IP – Presents a view of inbound traffic by IP Top Destination Port – Presents a view of the traffic through the firewall by common port number Top Destination IP – Indicates what IPs are being accessed outside the network Top Destination User – Indicates which users are making the most connections to external websites Palo Alto Networks Threat Dashboard Selecting any combination of the following data elements can alter dashboard views: Source IP, Destination IP, Log Sub Type, Threat ID, App, and/or Virtual System. Threats Over Time by Subtype – Monitors and tracks real-time or historic data from Palo Alto Networks by threat sub-type. Views include all sub-types or only vulnerability, virus, or Spyware Threats Over Time by Risk – Monitors and tracks real-time or historic data from Palo Alto Networks using their risk scoring data for risk trending Top Threat IDs – Using Splunk’s look-up capability, the actual ‘plain English’ meaning for a threat ID number is displayed along with the count or number of times the threat has been seen by the firewall Threats by Application – Shows which applications are being seen by Palo Alto Networks as a threat Threats by Destination Category – Indicates which business category of hosts is being threatened Top Source IP – Shows the Top Source IPs by the number of attempts to access the network Threats by Severity – Uses Palo Alto Networks’ threat category classifications to graphically represent the number of threats seen by an application Top Destination IP – Shows the Top Destination IPs by the number of attempts