updated hunting query description and added Release Notes
This commit is contained in:
Parent
2404ba52a3
Commit
58adaf4d7f
@ -1,12 +1,8 @@
id: 2f8522fc-7807-4f0a-b53d-458296edab8d
name: Palo Alto - potential beaconing detected
description: |
'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.
The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.
This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.
Reference Blog:
http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
'Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.
Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
severity: Low
status: Available
requiredDataConnectors:
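Review bot: the replacement `description:` drops the explanation of how the query works (time deltas compared against the day's total events to get a beaconing percentage) and the guidance that hits towards untrusted public networks should be checked for malware callbacks or exfiltration; that is exactly what an analyst triaging a Low-severity hunting result needs, so keep at least a one-line summary of the method and the investigation hint. Also in the new block, `Reference Blog:https://...` needs a space (or the line break the old block had) after the colon so the URL renders as a link, and the austintaylor.io reference is removed without mention in the commit message.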
Binary data
Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip
Binary file not shown.
@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\r\n1. **PaloAlto-PAN-OS via AMA** - This data connector helps in ingesting PaloAlto-PAN-OS logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **PaloAlto-PAN-OS via Legacy Agent** - This data connector helps in ingesting PaloAlto-PAN-OS logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of PaloAlto-PAN-OS via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
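Review bot: the new `description` removes the "PaloAlto-PAN-OS via AMA" connector entry together with the legacy-agent deprecation note (Aug 31, 2024) and the MMA/AMA duplication warning, and changes `**Data Connectors:** 2` to `1`, while the commit message only mentions the hunting query description and release notes; if the AMA connector is still part of the 3.0.0 package this regresses the solution description and the user-facing advice to prefer AMA, so confirm the intent before merging. Minor: the note bullets use `\r \n` as line breaks; `\n` alone is enough and renders consistently.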
@ -73,7 +73,6 @@
}
}
}
|
]
},
{
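Review bot: this hunk is whitespace only (one blank line removed between the closing braces and `]`); harmless, but it is outside the scope stated in the commit message and could be left out to keep the diff focused on the description and release-notes changes.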
@ -261,7 +260,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on PaloAltoNetworks data connector (CommonSecurityLog Parser or Table)"
"text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on PaloAltoNetworks data connector (CommonSecurityLog Parser or Table)"
}
}
]
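Review bot: in the new `text` value the reference URL runs straight into the next sentence (`.../ba-p/779586 This hunting query depends on ...`) and `Reference Blog:https://` has no separator after the colon, so the rendered TextBlock will show an over-long or broken link; add a space after the colon and a `\n` before `This hunting query depends on`, and drop the stray space in `\n Reference Blog`. The same shortened text should also keep a one-line note of what the query measures, as raised for the YAML description in this commit.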
File differences are hidden because one or more lines are too long
@ -792,7 +792,7 @@
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
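Review bot: the rename from `Close Azure Sentinal incident?` to `Close Microsoft Sentinel incident?` (and `Azure Sentinel` to `Microsoft Sentinel` in the severity prompt) is correct, but two defects visible in the same `messageBody` are worth fixing while this card is touched: the two `False Positive` choices carry `"isSelected": true`, which is not a property of an Input.ChoiceSet choice in the Adaptive Cards schema and is ignored by renderers (the default is already set by `"value": "Benign Positive - Suspicious But Expected"`), and `"separator": "true"` is a string where the schema expects a boolean. The `Incident No :` text and the `[Click here to view the Incident]()` link also interpolate no incident number or URL, so the analyst receives an empty link.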
File differences are hidden because one or more lines are too long
@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to take necessary actions on URL address like Block URL/Unblock URL from predefined address group and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
"prerequisites": [ "1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks." ],
"prerequisites": [ "1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks." ],
"lastUpdateTime": "2023-05-30T00:00:00.000Z",
"entities": [ "Url" ],
"prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_Rest_API_CustomConnector/azuredeploy.json",
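Review bot: replacing the `paloaltolactest.trafficmanager.net` lab URL with the vendor's documentation page for API key generation is the right fix, since the old host is a test environment users should not be sent to; because the user-facing metadata changed, `lastUpdateTime` (still `2023-05-30`) should be bumped in the same hunk, and `Generate an API key.[Refer` needs a space after the period so the link does not glue to the sentence.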
@ -793,7 +793,7 @@
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on URL's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on URL's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
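Review bot: only the `Close Azure Sentinal incident?` prompt changes here, since this card's severity prompt already read `Microsoft Sentinel`; the rename is consistent with the IP playbook. The same card-level issues apply: `"isSelected": true` on both `False Positive` choices is not an Input.ChoiceSet choice property and conflicts with the declared default `value`, `"separator": "true"` should be a boolean, and `Incident No :` / `[Click here to view the Incident]()` carry no incident number or URL.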
File differences are hidden because one or more lines are too long
@ -4,7 +4,7 @@
"metadata": {
"title": "Get System Info - Palo Alto PAN-OS XML API",
"description": "This playbook allows us to get System Info of a Palo Alto device for a Microsoft Sentinel alert.",
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. This playbook only works for Palo Alto incidents."],
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. This playbook only works for Palo Alto incidents."],
"lastUpdateTime": "2022-07-25T00:00:00.000Z",
"entities": [ "Ip" ],
"prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_XML_API_CustomConnector/azuredeploy.json",
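Review bot: `lastUpdateTime` is left at `2022-07-25` although the prerequisites text changes in this hunk; bump it with the link fix. The new target is the PAN-OS 9.1 XML API key page, which matches the XML API custom connector this playbook deploys (`PaloAlto_PAN-OS_XML_API_CustomConnector`), and the missing space in `API key.[Refer` should be added while the line is edited.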
@ -4,7 +4,7 @@
"metadata": {
"title": "Get Threat PCAP - Palo Alto PAN-OS XML API",
"description": "This playbook allows us to get a threat PCAP for a given PCAP ID.",
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero."],
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero."],
"lastUpdateTime": "2022-07-25T00:00:00.000Z",
"entities": [ "host" ],
"prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_XML_API_CustomConnector/azuredeploy.json",
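Review bot: same link fix as the Get System Info playbook, and the same omission: `lastUpdateTime` stays at `2022-07-25`. Separately, `"entities": [ "host" ]` is lower-case here while the sibling playbooks in this commit use `"Ip"` and `"Url"` (and `"url"` in GetURLCategoryInfo); verify which spelling the gallery expects and make the four files consistent.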
@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to automatically enrich incidents generated by Sentinel for address object details and URL filtering category information from PAN-OS",
"title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"description": " When a new sentinal incident is created, this playbook gets triggered and performs below actions:",
"prerequisites": ["1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)"],
"prerequisites": ["1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key)"],
"lastUpdateTime": "2023-05-30T00:00:00.000Z",
"prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_Rest_API_CustomConnector/azuredeploy.json",
"entities": ["url"],
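Review bot: the `description` context line above the change reads `" When a new sentinal incident is created, this playbook gets triggered and performs below actions:"` with a leading space, a misspelled product name, and a promised list that the string never delivers; since this metadata block is being edited, fix the typo and either list the actions or end the sentence. `lastUpdateTime` (`2023-05-30`) should also be bumped for the link change.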
@ -38,13 +38,13 @@ You can choose to deploy the whole package connector + all three playbook templa
<a name="authentication">
|
## Authentication
This connector supports [API Key authentication](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation).
This connector supports [API Key authentication](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key).
|
<a name="prerequisites">
|
### Prerequisites for using and deploying Custom Connector
1. PAN-OS service end point should be known. (e.g. https://{paloaltodomain})
2. Generate an API key. [Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)
2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key)
3. Address group should be created for PAN-OS for blocking/unblocking address objects and this address group should be used while creating playbooks.
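Review bot: both link replacements in this README are right, but the `<a name="authentication">` and `<a name="prerequisites">` anchors in the context lines are never closed with `</a>`, which leaves the headings wrapped in open anchors in rendered Markdown; close them while the section is edited. Since this commit replaces the `paloaltolactest.trafficmanager.net` URL in five files, it is worth grepping the rest of the solution for any remaining references to that lab host before merging.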
@ -1,5 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 25-09-2023 | Addition of new PaloAlto-PAN-OS AMA **Data Connector** | |
|
|
| 3.0.0 | 06-10-2023 | Fixed Playbooks issue |
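Review bot: the change overwrites the existing `3.0.0 | 25-09-2023 | Addition of new PaloAlto-PAN-OS AMA **Data Connector**` row instead of adding a new one, so the release history loses the AMA connector entry and two different changes now share version 3.0.0 under different dates; add the playbook fix as a new row with a bumped version above the existing row and keep the old one. The old row's trailing ` | |` gave it four cells against a three-column header, which the new row correctly drops.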