Merge branch 'hotfix/v4.2.1'

PaloAltoNetworks · Feb 10, 2015 · 1fcd19c · 1fcd19c
2 parents caf0f80 + 40bff5a
commit 1fcd19c
Show file tree

Hide file tree

Showing 10 changed files with 44 additions and 32 deletions.
diff --git a/README.md b/README.md
@@ -11,8 +11,8 @@ Networks Firewall
 #### Latest Version ####
 
 * Splunk Version: 6.x
-* App Version: 4.2
-* Last Modified: Nov 2014
+* App Version: 4.2.1
+* Last Modified: Feb 2015
 * Authors:
     * Brian Torres-Gil - Palo Alto Networks
     * Monzy Merza - Splunk, Inc.
@@ -95,6 +95,14 @@ If you have customized the built-in dashboards of a previous app version, then t
 
 If upgrading from 3.x, please read the __Upgrade Notes__ above.
 
+Version 4.2.1
+
+- Fix Wildfire Report downloader and Applipedia New App check
+- Fix Wildfire Dashboard Drilldowns
+- Fix Threat Details Dashboard datamodel reference
+- Fix Endpoint Dashboard would not work on Splunk 6.0.x
+- Fix time range inconsistent on Overview Dashboard
+
 Version 4.2
 
 - New Palo Alto Networks [Advanced Endpoint Protection](http://media.paloaltonetworks.com/lp/traps/)

diff --git a/default/app.conf b/default/app.conf
@@ -5,11 +5,11 @@ label = Splunk for Palo Alto Networks
 [launcher]
 author = [email protected]
 description = The Splunk for Palo Alto Networks app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Palo Alto Networks Firewall data.
-version = 4.2
+version = 4.2.1
 
 [package]
 id = SplunkforPaloAltoNetworks
 
 [install]
-build = 1200
+build = 4210
 
diff --git a/default/commands.conf b/default/commands.conf
@@ -10,10 +10,10 @@ passauth = true
 filename = panoramaUserUpdate.py
 passauth = true
 
-[pan_wildfirereport]
+[panwildfirereport]
 filename = retrieveWildFireReport.py
 passauth = true
 
-[pan_newapps]
+[pannewapps]
 filename = retrieveNewApps.py
 passauth = true
diff --git a/default/data/ui/nav/default.xml.nfi_disabled b/default/data/ui/nav/default.xml.nfi_disabled
@@ -65,6 +65,16 @@
       <saved source="all" match="PAN - WildFire" view="search" />
     </collection>
   </collection>
+
+  <collection label="Endpoint">
+    <view name="endpoint_overview" />
+    <divider />
+    <collection label="Searches &amp; Reports">
+      <a href="search?q=search%20%60pan_endpoint%60">Search Endpoint Log Data</a>
+      <divider />
+      <saved source="all" match="PAN - Endpoint" view="search" />
+    </collection>
+  </collection>
 
   <collection label="Console">
     <view name="system_overview" />

diff --git a/default/data/ui/nav/default.xml.nfi_enabled b/default/data/ui/nav/default.xml.nfi_enabled
@@ -65,6 +65,16 @@
       <saved source="all" match="PAN - WildFire" view="search" />
     </collection>
   </collection>
+
+  <collection label="Endpoint">
+    <view name="endpoint_overview" />
+    <divider />
+    <collection label="Searches &amp; Reports">
+      <a href="search?q=search%20%60pan_endpoint%60">Search Endpoint Log Data</a>
+      <divider />
+      <saved source="all" match="PAN - Endpoint" view="search" />
+    </collection>
+  </collection>
 
   <collection label="Console">
     <view name="system_overview" />

diff --git a/default/data/ui/views/endpoint_overview.xml b/default/data/ui/views/endpoint_overview.xml
@@ -52,7 +52,6 @@
     </input>
   </fieldset>
   <row>
-    <panel>
       <chart>
         <title>Logs by Subtype</title>
         <searchString>| `tstats` count FROM `ep_node` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(_time log.log_subtype)` | timechart values(count) by log_subtype</searchString>
@@ -84,8 +83,6 @@
           </link>
         </drilldown>
       </chart>
-    </panel>
-    <panel>
       <chart>
         <title>Logs by Severity</title>
         <searchString>| `tstats` count FROM `ep_node` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(_time log.severity)` | timechart values(count) by severity</searchString>
@@ -117,10 +114,8 @@
           </link>
         </drilldown>
       </chart>
-    </panel>
   </row>
   <row>
-    <panel>
       <chart>
         <title>Targeted Applications</title>
         <searchString>| `tstats` count FROM `ep_node(log.event)` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(log.ProcessName)`</searchString>
@@ -152,8 +147,6 @@
           </link>
         </drilldown>
       </chart>
-    </panel>
-    <panel>
       <chart>
         <title>Targeted Machines</title>
         <searchString>| `tstats` count FROM `ep_node(log.event)` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(log.dhost)`</searchString>
@@ -185,8 +178,6 @@
               </link>
           </drilldown>
       </chart>
-    </panel>
-    <panel>
       <chart>
         <title>Targeted Users</title>
         <searchString>| `tstats` count FROM `ep_node(log.event)` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(log.user)`</searchString>
@@ -218,10 +209,8 @@
               </link>
           </drilldown>
       </chart>
-    </panel>
   </row>
   <row>
-    <panel>
       <chart>
         <title>Endpoint Module</title>
         <searchString>| `tstats` count FROM `ep_node(log.event)` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(log.epm)`</searchString>
@@ -253,8 +242,6 @@
               </link>
           </drilldown>
       </chart>
-    </panel>
-    <panel>
       <chart>
         <title>Action</title>
         <searchString>| `tstats` count FROM `ep_node(log.event)` $process$ $user$ $hostname$ $epm$ $severity$ $action$ `groupby(log.PreventionMode)`</searchString>
@@ -286,10 +273,8 @@
               </link>
           </drilldown>
       </chart>
-    </panel>
   </row>
   <row>
-    <panel>
       <chart>
         <title>Heartbeats by Endpoint Server</title>
           <searchString>| `tstats` count FROM `ep_node(log.heartbeat)` $hostname$ `groupby(_time log.dhost)` | timechart values(count) by dhost</searchString>
@@ -303,6 +288,5 @@
               </link>
           </drilldown>
       </chart>
-    </panel>
   </row>
 </form>
diff --git a/default/data/ui/views/overview.xml b/default/data/ui/views/overview.xml
@@ -2,36 +2,36 @@
   <label>Overview</label>
   <description/>
   <searchTemplate>`pan_index` | fillnull value="" | stats count by host sourcetype log_subtype action category</searchTemplate>
-  <earliestTime>rt-30s</earliestTime>
+  <earliestTime>rt-5m</earliestTime>
   <latestTime>rt</latestTime>
   <row>
     <single>
       <searchPostProcess>stats dc(host)</searchPostProcess>
-      <earliestTime>rt-30s</earliestTime>
+      <earliestTime>rt-5m</earliestTime>
       <latestTime>rt</latestTime>
       <option name="classField">None</option>
       <option name="underLabel">PAN Reporting</option>
       <option name="linkView">search</option>
     </single>
     <single>
       <searchPostProcess>stats sum(count) as sum count(count) | eval sum=if(isnull(sum),0,sum)</searchPostProcess>
-      <earliestTime>rt-30s</earliestTime>
+      <earliestTime>rt-5m</earliestTime>
       <latestTime>rt</latestTime>
       <option name="classField">None</option>
       <option name="underLabel">Total Events</option>
       <option name="linkView">search</option>
     </single>
     <single>
       <searchPostProcess>search action=block* OR action=deny | stats sum(count) as sum count(count) | eval sum=if(isnull(sum),0,sum)</searchPostProcess>
-      <earliestTime>rt-30s</earliestTime>
+      <earliestTime>rt-5m</earliestTime>
       <latestTime>rt</latestTime>
       <option name="classField">None</option>
       <option name="underLabel">Total Blocks</option>
       <option name="linkView">search</option>
     </single>
     <single>
       <searchPostProcess>search sourcetype="pan_traffic" category!="any" category!="private-ip-addresses" category!="not-resolved"  | sort -count | head 1 | stats values(category) as category count(category) | eval category=if(isnull(category),"---",category)</searchPostProcess>
-      <earliestTime>rt-30s</earliestTime>
+      <earliestTime>rt-5m</earliestTime>
       <latestTime>rt</latestTime>
       <option name="classField">None</option>
       <option name="underLabel">Top URL Category</option>

diff --git a/default/data/ui/views/threat_detail.xml b/default/data/ui/views/threat_detail.xml
@@ -33,7 +33,7 @@
     </input>
   </fieldset>
   <searchTemplate>| `tstats` values(sourcetype) as sourcetype values(log.threat_name) as threat_name sum(log.bytes) as bytes sum(log.elapsed_time) as duration
-        FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR (nodename="log.threat" $threat_name$)) $user$ $app$ $location$
+        FROM datamodel="pan_firewall" WHERE (nodename="log.traffic" OR (nodename="log.threat" $threat_name$)) $user$ $app$ $location$
         `groupby(log.session_id log.user log.server_ip log.application log.server_location)`
         | search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024</searchTemplate>
   <earliestTime>$earliest$</earliestTime>

diff --git a/default/data/ui/views/wildfire_overview.xml b/default/data/ui/views/wildfire_overview.xml
@@ -111,7 +111,7 @@
   <row>
     <table>
       <title>Possible Malware Traffic</title>
-      <searchString>| `tstats` count(traffic) FROM `node(log.traffic)` $src_ip$ $dst_ip$ $user$ $misc$ $vsys$ $app$ groupby _time log.traffic.dst_ip_port log.dst_ip log.dst_port log.src_ip log.user log.app | rename log.traffic.dst_ip_port AS ip_port | join type=inner ip_port [ | `tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port | rename wildfire_report.tcp_ip_port AS ip_port ] | dedup 1 log.src_ip log.user ip_port log.app | eval "Traffic Link" = "View Traffic Logs" | eval "WildFire Link" = "View WildFire Report" | table _time log.src_ip log.user log.dst_ip log.dst_port log.app wildfire.id "Traffic Link" "WildFire Link" | rex mode=sed field=ip_port "s/,/:/" | rename log.src_ip AS Source | rename log.dst_ip AS "Dest IP" | rename log.dst_port AS "Dest Port" | rename log.user AS User | rename log.app AS Application | rename wildfire.id AS "WildFire Report ID" | sort -_time</searchString>
+      <searchString>| `tstats` count(traffic) FROM `node(log.traffic)` $src_ip$ $dst_ip$ $user$ $misc$ $vsys$ $app$ groupby _time log.traffic.dst_ip_port log.dst_ip log.dst_port log.src_ip log.user log.app | rename log.traffic.dst_ip_port AS ip_port | join type=inner ip_port [ | `tstats` count(wildfire_report) FROM datamodel="pan_wildfire_report" WHERE earliest=-1y latest=now nodename="wildfire_report" groupby wildfire_report.wildfire.id wildfire_report.tcp_ip_port | rename wildfire_report.tcp_ip_port AS ip_port ] | dedup 1 log.src_ip log.user ip_port log.app | eval "Traffic Link" = "View Traffic Logs" | eval "WildFire Link" = "View WildFire Report" | table _time log.src_ip log.user log.dst_ip log.dst_port log.app wildfire_report.wildfire.id "Traffic Link" "WildFire Link" | rex mode=sed field=ip_port "s/,/:/" | rename log.src_ip AS Source | rename log.dst_ip AS "Dest IP" | rename log.dst_port AS "Dest Port" | rename log.user AS User | rename log.app AS Application | rename wildfire_report.wildfire.id AS "WildFire Report ID" | sort -_time</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -170,7 +170,7 @@
         </link>
         <link field="WildFire Link">
           <![CDATA[
-            /app/SplunkforPaloAltoNetworks/search?q=`pan_index` (sourcetype="pan_wildfire_report" wildfire.id="$row.WildFire Report ID$") OR (sourcetype="pan_threat" log_subtype="wildfire" threat_id="$row.WildFire Report ID$")&earliest=$earliest$&latest=$latest$
+            /app/SplunkforPaloAltoNetworks/search?q=`pan_index` (sourcetype="pan_wildfire_report" (wildfire.id="$row.WildFire Report ID$" OR wildfire.report.id="$row.WildFire Report ID$")) OR (sourcetype="pan_threat" log_subtype="wildfire" report_id="$row.WildFire Report ID$")&earliest=$earliest$&latest=$latest$
 	  ]]>
         </link>
         <link field="*">

diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -10,7 +10,7 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = `pan_wildfire` | pan_wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
+search = `pan_wildfire` | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
 disabled = 0
 
 ########################
@@ -27,5 +27,5 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = index=pan_logs sourcetype=pan_newapps | table app{@name} | pan_newapps | collect index=pan_logs sourcetype=pan_newapps
+search = index=pan_logs sourcetype=pan_newapps | table app{@name} | pannewapps | collect index=pan_logs sourcetype=pan_newapps
 disabled = 0