PaloAlto Wildfire Connector and Playbooks

PaloAlto Wildfire Custom Connector and 3 Playbooks templates
Javed Ahmad Khan 2021-08-05 15:06:27 +05:30
Parent 88c24b1a5a
Commit bdcdcf592a
36 changed files: 10299 additions and 0 deletions


@ -0,0 +1,46 @@
# PaloAlto PAN-OS Logic Apps Custom Connector
![PAN-OS](./PAN-OS_CustomConnector.png)
# Overview
This custom connector connects to PAN-OS service end point and performs defined automated actions on the PAN-OS firewall.
# Authentication
* API Key authentication
# Actions supported by PaloAlto PAN-OS custom connector
| Component | Description |
| --------- | -------------- |
| **List security rules** | Retrieves a list of all security rules within a specified location in the firewall|
| **Create a security policy rule** | Creates a new security policy rule in the firewall|
| **Update a security policy rule** | References/Unreferences the address object in the security rule as a source or a destination member |
| **List custom url categories** | Retrieves a list of all URL filtering category information within a specified location in the firewall|
| **List address objects** | Retrieves a list of all address objects within a specified location in the firewall|
| **Create an address object** |Creates an address object depending on type : IP address or URL address|
| **Updates an address object** |Updates an address object depending on type : IP address or URL address|
| **List address groups** | Retrieves a list of all address object groups within a specified location in the firewall|
| **Create an address object group** | Creates a new address object group in the firewall|
| **Updates an address object group** | Updates an address object group in the firewall |
| **List URL filtering security profiles** | Retrieves a list of all URL filtering security profiles in the firewall|
| **Update URL filtering security profiles** | Updates URL filtering security profiles in the firewall|
# Prerequisites for deploying PAN-OS Custom Connector
1. PAN-OS service end point should be known. (e.g. https://{paloaltonetworkdomain})
# Deploy PAN-OS Custom Connector
Click on the below button to deploy PAN-OS Custom Connector in your Azure subscription.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
# Deployment Instructions
1. Deploy the PAN-OS custom connector by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
2. Fill in the required parameters for deploying PAN-OS custom connector.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Custom Connector Name** | Enter the name of PAN-OS custom connector |
| **Service End Point** | Enter the PAN-OS Service End Point |
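Review bot: both Deploy-to-Azure links point at a `Connectores/PaloAltoConnector/azuredeploy.json` path; confirm that `Connectores` is really the directory name in the repository (it reads like a misspelling of `Connectors`), because a mismatch only shows up as a 404 when someone clicks the button. Two documentation gaps worth closing in the same README: the prerequisite `PAN-OS service end point should be known. (e.g. https://{paloaltonetworkdomain})` should say that this is the API endpoint of the firewall whose policy the connector will read and modify, and the Authentication section should state which PAN-OS administrator role the API key must be generated under, since every action in the table creates or updates security rules, address objects, groups or URL-filtering profiles and the key therefore needs (and should be limited to) policy-editing rights. Finally, the first column mixes `**Updates an address object**` and `**Updates an address object group**` with the imperative "Create"/"Update" used by the other rows; normalise to one form.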


@ -0,0 +1,47 @@
# Palo Alto Wildfire Logic Apps Custom Connector
![Palo Alto WildFire](./Wildfire-CustomConnector.png)
# Overview
The WildFire API extends the malware detection capabilities of WildFire through a RESTful
XML-based API. Using the API, we can get file analysis. We can also use the WildFire API
through your script or service to query WildFire for verdicts, samples, and reports.
# Authentication
* API Key authentication.
# Actions supported by Wildfire Custom Connector
| Component | Description |
| --------- | -------------- |
| **Get a WildFire Analysis Report** | Action used to get a WildFire analysis report for a specified sample hash value or web page URL |
| **Get a Sample** | Action used to get sample files based on the MD5 or SHA-256 hash value |
| **Get URL Web Artifacts** | Action used to get the web artifacts found during analysis of the specified web page URL |
| **Get a Packet Capture** |Action used to request a packet capture (PCAP) recorded during analysis of a particular sample |
| **Get a MacOSX Test File** | Action used to get a MacOSX test file, which you can use to test end-to-end WildFire sample processing |
| **Get a Android Application Package Test File** | Action used to get a APK test file, which you can use to test end-to-end WildFire sample processing |
| **Get a Executable Linkable Format Test File** | Action used to get a ELF test file, which you can use to test end-to-end WildFire sample processing |
| **Get a Portable Executable Test File** | Action used to get a PE test file, which you can use to test end-to-end WildFire sample processing |
| **Get a WildFire Verdict** | Action used to get a WildFire verdict for a sample based on the MD5 or SHA-256 hash or a web page based on the URL |
| **Submit a Website Link to WildFire** | Action used to submit a single website link for WildFire analysis |
| **Submit a Remote File to WildFire** | Action used to submit a supported file type on a website for WildFire analysis|
# Prerequisites for deploying WildFire Custom Connector
- Wildfire API end point should be known. ([WildFire Console](https://wildfire.paloaltonetworks.com))
# Deploy WildFire Custom Connector
Click on the below button to deploy WildFire Custom Connector in your Azure subscription.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FWildFireConnector%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FWildFireConnector%2Fazuredeploy.json)
# Deployment Instructions
1. Deploy the WildFire custom connector by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
2. Fill in the required parameters for deploying WildFire custom connector.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Custom Connector Name** | Enter the name of WildFire custom connector |
| **Service End Point** | Enter the Service End Point of Wildfire API [WildFire Console](https://wildfire.paloaltonetworks.com)|
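Review bot: the prerequisite and the `Service End Point` deployment parameter both link to the WildFire console (`https://wildfire.paloaltonetworks.com`) rather than stating the API base URL the connector actually calls, so a deployer cannot tell whether to enter the console address, the API host or a regional cloud endpoint; spell out the exact value expected and note that the API key is obtained from that same console. Smaller points in the same hunk: the overview switches voice mid-paragraph ("we can get file analysis" / "through your script or service") and should be written in one; the table rows `Get a Android Application Package Test File` and `Get a Executable Linkable Format Test File`, and the phrases "a APK test file" and "a ELF test file", need "an". Lastly, `Get a Sample` returns the sample content itself for a given MD5/SHA-256; the README should say plainly that this action hands back potentially malicious files so that playbook authors never attach or forward its output automatically.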


@ -0,0 +1,881 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "File hash enrichment - Wildfire",
"description": "This playbook used to enrich sentinel incident with filehash information",
"mainSteps": [ "1. Fetches detailed verdict information of the file hash.", "2. Enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware)." ],
"prerequisites": [
"1. Palo Alto WildFire Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
"2. Generate wildfire API key to establish the connection to wildfire custom connector."
],
"prerequisitesDeployTemplateFile": "../../WildfireConnector/azuredeploy.json",
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
"entities": [ "FileHashes" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "community"
},
"author": {
"name": "Accenture"
}
},
"parameters": {
"PlaybookName": {
"type": "string",
"metadata": {
"description": "Enter Logic App / Playbook Name"
},
"minLength": 3
},
"WildfireCustomConnectorName": {
"type": "String",
"metadata": {
"description": "Enter Palo Alto WildFire Custom Connector Name"
},
"minLength": 3
},
"WildfireAPIKey": {
"type": "securestring",
"metadata": {
"description": "Enter WildFire API Key"
},
"minLength": 3
},
"NotificationEmail": {
"type": "string",
"metadata": {
"description": "Enter DL or SOC Email Address For Notification"
},
"minLength": 3
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('AzureSentinelConnector-', parameters('PlaybookName'))]",
"WildfireConnectionName": "[concat('WildfireConnector-', parameters('PlaybookName'))]",
"Office365ConnectionName": "[concat('Office365Connector-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('WildfireConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('WildfireCustomConnectorName'))]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Office365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"apiVersion": "2016-06-01",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('WildfireConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Entities_-_Get_File_Hashes": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/filehash"
}
},
"For_each_consolidated_comment": {
"foreach": "@variables('finalconsoildatedcomments')",
"actions": {
"Check_if_comment_length_exceed_maximum_": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('WildFire_Logo')}@{replace(item(), '<?xml version=\"1.0\" encoding=\"utf-8\"?>', ' ')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Add_comment_to_incident_when_exceeds_limit": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('WildFire_Logo')}Report information is exceeding the maximum limit. Please refer the PDF format report provided over mail.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"less": [
"@length(item())",
3000
]
}
]
},
"type": "If",
"description": "Condition to check comment length is less than 3000"
}
},
"runAfter": {
"For_each_file_hash": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Loop for consolidated comment"
},
"For_each_file_hash": {
"foreach": "@body('Entities_-_Get_File_Hashes')?['Filehashes']",
"actions": {
"Append_consolidated_comments": {
"runAfter": {
"Check_if_file_hash_is_benign": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "finalconsoildatedcomments",
"value": "@variables('IncidentComment')"
},
"description": "To append consolidated incident comment"
},
"Check_if_file_hash_is_benign": {
"actions": {
"Add_incident_comment": {
"runAfter": {
"Create_HTML_for_benign_file_hash_verdict": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "IncidentComment",
"value": "@body('Create_HTML_for_benign_file_hash_verdict')"
},
"description": "To store incident comment"
},
"Create_HTML_for_benign_file_hash_verdict": {
"runAfter": {},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Verdict",
"value": "Benign"
},
{
"header": "Sha256",
"value": "@body('Parse_verdict_JSON')?['get-verdict-info']?['sha256']"
},
{
"header": "Md5",
"value": "@body('Parse_verdict_JSON')?['get-verdict-info']?['md5']"
},
{
"header": "Comment",
"value": "The sample is safe and does not exhibit malicious behavior."
}
],
"format": "HTML",
"from": "@createArray(body('Parse_verdict_JSON'))"
},
"description": "To create HTML table for incident comment"
}
},
"runAfter": {
"Parse_verdict_JSON": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_incident_URL_to_Email": {
"runAfter": {
"Get_file_hash_analysis_report_in_PDF_format": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<a href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\">click here to view the incident</a>",
"description": "To compose incident URL for email body"
},
"Append_incident_comment": {
"runAfter": {
"Create_HTML_table_for_task_information": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "IncidentComment",
"value": " Find verdict \"Behavior Summary\" report and PDF file has been sent to Email \"@{variables('SOCEmail')} @{triggerBody()?['object']?['properties']?['owner']?['email']}\"\n\n File Information\n@{body('Create_HTML_table_for_file_information')}\n Task Information\n\n@{body('Create_HTML_table_for_task_information')}"
},
"description": "To append incident comment"
},
"Construct_report_JSON_object": {
"runAfter": {
"Construct_report_XML_object": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ReportJSONObject",
"value": "@json(variables('ReportXMLObject'))"
},
"description": "To store report json object"
},
"Construct_report_XML_object": {
"runAfter": {
"Get_file_hash_analysis_report_in_XML_format": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ReportXMLObject",
"value": "@xml(body('Get_file_hash_analysis_report_in_XML_format'))"
},
"description": "To compose report xml object"
},
"Create_HTML_table_for_file_information": {
"runAfter": {
"Parse_report_JSON_object": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "File Signer",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['file_signer']"
},
{
"header": "File Type",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['filetype']"
},
{
"header": "Malware",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['malware']"
},
{
"header": "File Hash",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['md5']"
},
{
"header": "Sha256",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['sha256']"
},
{
"header": "Size",
"value": "@body('Parse_report_JSON_object')?['wildfire']?['file_info']?['size']"
}
],
"format": "HTML",
"from": "@createArray(body('Parse_report_JSON_object')?['wildfire']?['file-info'])"
},
"description": "To create html table for incident comment"
},
"Create_HTML_table_for_task_information": {
"runAfter": {
"Create_HTML_table_for_file_information": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Version",
"value": "@item()?['version']"
},
{
"header": "Platform",
"value": "@item()?['platform']"
},
{
"header": "Software",
"value": "@item()?['software']"
},
{
"header": "Malware",
"value": "@item()?['malware']"
},
{
"header": "Summary",
"value": "@replace(replace(replace(replace(string(item()?['summary']?['entry']),'[',''),']',''),'\"',''),',','\r\n')"
}
],
"format": "HTML",
"from": "@body('Parse_report_JSON_object')?['wildfire']?['task_info']?['report']"
},
"description": "To create html table for incident comment"
},
"Get_file_hash_analysis_report_in_PDF_format": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"apikey": "@variables('apikey')",
"format": "pdf",
"hash": "@items('For_each_file_hash')?['Value']"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloaltoWFConnector']['connectionId']"
}
},
"method": "post",
"path": "/get/report"
}
},
"Get_file_hash_analysis_report_in_XML_format": {
"runAfter": {
"Send_email_with_file_hash_attachment": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"apikey": "@variables('apikey')",
"format": "xml",
"hash": "@items('For_each_file_hash')?['Value']"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloaltoWFConnector']['connectionId']"
}
},
"method": "post",
"path": "/get/report"
}
},
"Parse_report_JSON_object": {
"runAfter": {
"Construct_report_JSON_object": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@variables('ReportJSONObject')",
"schema": {
"properties": {
"wildfire": {
"properties": {
"file_info": {
"properties": {
"file_signer": {
"description": "File Signer of the verdict report",
"type": "string"
},
"filetype": {
"description": "File Type of the verdict report",
"type": "string"
},
"malware": {
"description": "Malware of the verdict report",
"type": "string"
},
"md5": {
"description": "md5 of the verdict report",
"type": "string"
},
"sha1": {
"description": "sha1 of the verdict report",
"type": "string"
},
"sha256": {
"description": "sha256 of the verdict report",
"type": "string"
},
"size": {
"description": "size of the verdict report",
"type": "string"
}
},
"type": "object"
},
"task_info": {
"properties": {
"report": {
"items": {
"properties": {
"malware": {
"description": "Malware of the verdict report",
"type": "string"
},
"md5": {
"description": "md5 of the verdict report",
"type": "string"
},
"platform": {
"description": "Platform of the verdict report",
"type": "string"
},
"sha256": {
"description": "sha256 of the verdict report",
"type": "string"
},
"size": {
"description": "Size of the verdict report",
"type": "string"
},
"software": {
"description": "Software of the verdict report",
"type": "string"
},
"summary": {
"properties": {
"entry": {
"items": {
"description": "Summary of the verdict report",
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"version": {
"description": "Version of the verdict report",
"type": "string"
}
},
"required": [
"version",
"platform",
"software",
"sha256",
"md5",
"malware",
"summary"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"version": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
},
"description": "To parse report json object"
},
"Send_email_with_file_hash_attachment": {
"runAfter": {
"Add_incident_URL_to_Email": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Attachments": [
{
"ContentBytes": "@{base64(body('Get_file_hash_analysis_report_in_PDF_format'))}",
"Name": "@{items('For_each_file_hash')?['Value']}.pdf"
}
],
"Body": "<p>Hi,<br>\n<br>\n@{outputs('WildFire_Logo')}As part of the INC# @{triggerBody()?['object']?['properties']?['incidentNumber']}, the summary of the File Hash verdict report is updated in the comments and the complete verdict report is attached in this email for reference.<br>\n<br>\n<strong>Additional details</strong>:<br>\n&nbsp;&nbsp;&nbsp;&nbsp;Incident Title : @{triggerBody()?['object']?['properties']?['title']}<br>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File Hash:@{items('For_each_file_hash')?['Value']}<br>\n<br>\n@{outputs('Add_incident_URL_to_Email')}<br>\n<br>\n<br>\n<span style=\"color: rgb(124,112,107)\">Note: Do not respond to this Email.It is triggered from the playbook automation.</span></p>",
"Subject": "INC#:@{triggerBody()?['object']?['properties']?['incidentNumber']} @{items('For_each_file_hash')?['Value']}-WildFire Analysis Report",
"To": "@{triggerBody()?['object']?['properties']?['owner']?['email']};@{variables('SOCEmail')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
},
"description": "To send an email for the SOC user with report in the PDF format"
}
}
},
"expression": {
"and": [
{
"equals": [
"@int(body('Parse_verdict_JSON')?['get-verdict-info']?['verdict'])",
0
]
}
]
},
"type": "If",
"description": "Condition to check file hash verdict"
},
"Construct_verdict_JSON": {
"runAfter": {
"Get_file_hash_verdict": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "VerdictJSON",
"value": {
"get-verdict-info": {
"md5": "@json(xml(body('Get_file_hash_verdict')))['wildfire']['get-verdict-info']['md5']",
"sha256": "@json(xml(body('Get_file_hash_verdict')))['wildfire']['get-verdict-info']['sha256']",
"verdict": "@json(xml(body('Get_file_hash_verdict')))['wildfire']['get-verdict-info']['verdict']"
}
}
},
"description": "To construct JSON object for XML"
},
"Get_file_hash_verdict": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"apikey": "@variables('apikey')",
"hash": "@items('For_each_file_hash')?['Value']"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloaltoWFConnector']['connectionId']"
}
},
"method": "post",
"path": "/get/verdict"
},
"description": "Generate file hash verdict"
},
"Parse_verdict_JSON": {
"runAfter": {
"Construct_verdict_JSON": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@variables('VerdictJSON')",
"schema": {
"properties": {
"get-verdict-info": {
"properties": {
"md5": {
"description": "md5 of the file hash",
"type": "string"
},
"sha256": {
"description": "Algorithm of the file hash",
"type": "string"
},
"verdict": {
"description": "Verdict value of the file hash",
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
},
"description": "To parse verdict json object"
}
},
"runAfter": {
"WildFire_Logo": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Loop for file hash associated entity"
},
"Initialize_SOC_user_variable": {
"runAfter": {
"Initialize_consolidated_comments_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "SOCEmail",
"type": "string",
"value": "[parameters('NotificationEmail')]"
}
]
},
"description": "To store SOC user"
},
"Initialize_URL_action_object_variable": {
"runAfter": {
"Initialize_SOC_user_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "URLActionObject",
"type": "object"
}
]
},
"description": "To store URL action object variable"
},
"Initialize_apikey_variable": {
"runAfter": {
"Initialize_verdict_JSON_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "apikey",
"type": "string",
"value": "[parameters('WildfireAPIKey')]"
}
]
},
"description": "To store apikey globally"
},
"Initialize_consolidated_comments_variable": {
"runAfter": {
"Initialize_incident_comment_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "finalconsoildatedcomments",
"type": "array"
}
]
},
"description": "To store consolidated comments "
},
"Initialize_incident_comment_variable": {
"runAfter": {
"Initialize_apikey_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IncidentComment",
"type": "string"
}
]
},
"description": "To store incident comment"
},
"Initialize_report_JSON_object_variable": {
"runAfter": {
"Entities_-_Get_File_Hashes": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ReportJSONObject",
"type": "object"
}
]
},
"description": "To store report JSON object"
},
"Initialize_report_XML_object_variable": {
"runAfter": {
"Initialize_report_JSON_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ReportXMLObject",
"type": "object"
}
]
}
},
"Initialize_verdict_JSON_variable": {
"runAfter": {
"Initialize_report_XML_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "VerdictJSON",
"type": "object"
}
]
},
"description": "To store verdict JOSN object"
},
"WildFire_Logo": {
"runAfter": {
"Initialize_URL_action_object_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://avatars.githubusercontent.com/u/4855743?s=200&v=4\",alt=\"Lamp\" width=\"32\" height=\"32\" />",
"description": "To store Paloalto Wildfire logo"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"PaloaltoWFConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('WildfireConnectionName'))]",
"connectionName": "[variables('WildfireConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('WildfireCustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
"connectionName": "[variables('Office365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
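Review bot: the WildFire API key enters the template as a `securestring` parameter but is then written into the workflow as an ordinary string variable in `Initialize_apikey_variable` (`"value": "[parameters('WildfireAPIKey')]"`) and sent in the body of every connector call (`"apikey": "@variables('apikey')"`). ARM resolves that expression at deployment time, so the key is stored in clear text in the Logic App definition and appears in the inputs of every run in run history, readable by anyone with read access to the playbook. The playbook README's post-deployment step already tells the operator to provide the API key on the WildFire API connection, so the parameter and the variable are redundant: drop both and let the connector inject the key, or at minimum mark the inputs and outputs of the three `/get/verdict` and `/get/report` actions as secure data in their `runtimeConfiguration`. Other points in this hunk: (1) `prerequisitesDeployTemplateFile` is `../../WildfireConnector/azuredeploy.json`, which does not match the connector path used by the deploy buttons (`PaloAlto-Wildfire/Connectores/WildFireConnector/azuredeploy.json`: missing the `Connectores` segment and different casing). (2) `Create_HTML_table_for_file_information` builds its rows from `?['wildfire']?['file-info']` while the parse schema and every column use `file_info`; it only renders because `createArray(null)` still yields one row and the columns do not use `item()`, so fix the key before it is copied elsewhere. (3) The else branch of `Check_if_file_hash_is_benign` fires for every verdict other than `0`, so a hash WildFire has never seen or is still analysing (the API returns negative codes for those) also triggers the PDF fetch and the SOC email; compare `verdict` against the benign/malware/grayware/phishing codes named in the metadata instead. (4) `URLActionObject` is initialised but never referenced, `Initialize_report_XML_object_variable` is the only initialise action without a `description`, and `finalconsoildatedcomments` and "verdict JOSN object" are typos. (5) The `WildFire_Logo` `<img>` has a stray comma before `alt` (`...v=4\",alt=\"Lamp\"`), an `alt` text that does not describe the image, and loads a third-party avatar URL into every incident comment and email; host the logo with the playbook or drop it.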

@ -0,0 +1,71 @@
# Wildfire Filehash Incident Enrichment Playbook
# Summary
This playbook enriches the incident with verdict information.
When a new Azure Sentinel incident is created, this playbook gets triggered and performs below actions:
- It fetches detailed verdict information of the file hash.
- It enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware).
**PlayBook Overview:**
![wildfire](./Images/PlaybookdesignerLight.png)
![wildfire](./Images/PlaybookdesignerDark.png)
# Prerequisites
- Palo Alto WildFire Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription and same resource group. Capture the name of connector during deployment.
- Generate wildfire API key to establish the connection to wildfire custom connector. [Generate Wildfire API Key](https://wildfire.paloaltonetworks.com/wildfire/dashboard)
# Deployment Instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_Filehash_Enrichment%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_Filehash_Enrichment%2Fazuredeploy.json)
- Fill in the required parameters for deploying playbook.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire-file-hash-Enrichment) |
| **Wildfire API Key** | Enter the WildFire API Key |
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
| **Notification Email** | Enter the DL or SOC email address for receiving filehash report|
# Post-Deployment Instructions
## a. Authorize connections
* Once deployment is complete, authorize each API connection.
- Click the Wildfire API Connection resource
- Click edit API connection
- Provide the API Key
- Click Save
## b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with filehash and URL.
- Configure the automation rules to trigger the playbook.
# Playbook Steps
## When Azure Sentinel incident creation rule is triggered
- Captures filehash details from incident information.
## For each malicious file hash received from the incident
Iterates on the filehash found in this incident (probably one) and performs the following:
- Fetches the verdict information by making call to wildfire connector.
- Check for verdict status (benign, phishing, malware, grayware).
- If verdict status is benign (code=0) then constructs HTML table with details of verdict.
- If verdict status other than benign then constructs HTML table with details of report information and the verdict report is sent to SOC via email.
# Enrich Incident with verdict or verdict report details as follows
## **When URL is having verdict status benign**
![wildfire](./Images/IncidentCommentLight1.PNG)
![wildfire](./Images/IncidentCommentDark1.PNG)
## **When URL is having verdict status other than benign**
![wildfire](./Images/IncidentCommentLight2.PNG)
![wildfire](./Images/IncidentCommentDark2.PNG)
## **Email received by SOC when verdict status is other than benign**
![wildfire](./Images/email.PNG)
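Review bot: the post-deployment section only authorises the WildFire API connection, but the template also creates an Office 365 connection, which needs an interactive sign-in by a mailbox user before `Send_email_with_file_hash_attachment` can run, and a Sentinel connection that authenticates with the playbook's system-assigned managed identity, which needs a Sentinel Responder role assignment on the workspace's resource group before the trigger can read entities or post comments; add both as steps under "a. Authorize connections". Related: `Wildfire API Key` is requested at deployment in the parameter table and again on the connection in the post-deployment step, so the README should keep one of the two. Several headings are copied from the URL playbook and do not match this one: "For each malicious file hash received from the incident" loops over every hash in the incident, not only malicious ones; "When URL is having verdict status benign" / "other than benign" describe file-hash comments; and "analytical rules should be configured to trigger an incident with filehash and URL" should drop "URL". "(probably one)" in the loop description and "verdict status is benign (code=0)" would read better as "typically one" and "verdict code 0".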


@ -0,0 +1,77 @@
# Palo Alto Wildfire URL Verdict Automation Playbook
# Summary
This playbook automates the URL verdict and adds it to security policy rules.
When a new Azure Sentinel incident is created, this playbook gets triggered and performs below actions:
- It fetches detailed verdict information of the URL.
- It checks for verdict status. If it is benign then it closes the incident with URL verdict information.
- If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules.
**PlayBook Overview:**
![wildfire](./Images/PlaybookdesignerLight.png)
![wildfire](./Images/PlaybookdesignerDark.png)
# Prerequisites
- Deploy both palo alto wildfire custom connector and palo alto PAN-OS custom connector in the same resource group and same subscription as this playbook. Capture the name for both connectors during deployment.
- Generate wildfire API key to establish the connection to wildfire custom connector. [Generate Wildfire API Key](https://wildfire.paloaltonetworks.com/wildfire/dashboard)
- Spin Palo alto PAN-OS VM and Generate API key. [Generate PaloAlto PAN-OS Api Key](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/licensing-api/manage-the-licensing-api-key.html)
- Create the security policy rule in the Palo Alto PAN-OS VM.
- Users must have access to Microsoft Teams and they should be a part of a Teams channel and also "Power Automate" app should be installed in the Microsoft Teams channel.
# Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_URL_Verdict_Automation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_URL_Verdict_Automation%2Fazuredeploy.json)
- Fill in the required parameters for deploying playbook.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire_URL_verdict) |
| **Wildfire API Key** | Enter the WildFire API Key |
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
| **Palo Alto Custom Connector Name** | Enter the name of PaloAlto PAN-OS custom connector |
# Post-Deployment Instructions
## a. Authorize connections
* Once deployment is complete, authorize each API connection.
* Go to each API connections and provide required information as per the API connection and authorize them.
- Click the Wildfire API Connection resource
- Click edit API connection
- Provide the API Key
- Click Save
* In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.
## b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with filehash and URL.
- Configure the automation rules to trigger the playbook.
# Playbook Steps
## When Azure Sentinel incident creation rule is triggered
- Captures filehash details from incident information.
### For each malicious URL received from the incident
Iterates on the URL found in this incident (probably one) and performs the following:
- Fetches the verdict information by making call to wildfire connector.
- Check for verdict status (benign, phishing, malware, grayware).
- If verdict status benign (code=0), then it closes the incident with URL verdict information.
- If verdict status is other than benign (phishing, malware, grayware), it automatically create address object for URL and adds address object into security policy rule.
## Incident Comment created by Palo Alto Wildfire URL Verdict Automation
### When verdict status is benign
![Wildfire](./Images/IncidentCommentLight1.PNG)
![Wildfire](./Images/IncidentCommentDark1.PNG)
### When verdict status is not benign
![Wildfire](./Images/IncidentCommentLight2.PNG)
![Wildfire](./Images/IncidentCommentDark2.PNG)
## Triggered an infomative adaptive card for the SOC
![wildfire](./Images/AdaptiveCard.jpg)
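Review bot: the first Playbook Step says "Captures filehash details from incident information", but this playbook acts on URLs ("For each malicious URL received from the incident"), so it should read "Captures URL details from incident information"; the same copy-paste carries into the Sentinel configuration bullet ("incident with filehash and URL"). Because the non-benign branch changes firewall policy with no analyst in the loop ("it automatically create address object for URL and adds address object into security policy rule"), the Prerequisites bullet "Create the security policy rule in the Palo Alto PAN-OS VM" should state the action the rule is expected to have and whether the URL's address object is added as a source or a destination of that rule; a rule created with the wrong action would permit the URL rather than block it. The Summary also omits the adaptive card described in the last section ("Triggered an infomative adaptive card for the SOC"); add it there, and fix "infomative" to "informative", "create" to "creates" in the last iteration bullet, and "Check" to "Checks" for parallel form.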

@ -0,0 +1,72 @@
# Palo Alto Wildfire URL Verdict on Teams Action Playbook
# Summary
This playbook automates the URL verdict and adds it to security policy rules.
When a new Azure Sentinel incident is created, this playbook gets triggered and performs below actions:
- It fetches detailed verdict information of the URL.
- It checks for verdict status. If it is benign then it closes the incident with URL verdict information.
- If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules.
**PlayBook Overview:**
![wildfire](./Images/PlaybookdesignerLight.png)
![wildfire](./Images/PlaybookdesignerDark.png)
# Prerequisites
- Deploy both palo alto wildfire custom connector and palo alto PAN-OS custom connector in the same resource group and same subscription as this playbook. Capture the name for both connectors during deployment.
- Generate wildfire API key to establish the connection to wildfire custom connector. [Generate Wildfire API Key](https://wildfire.paloaltonetworks.com/wildfire/dashboard)
- Spin Palo alto PAN-OS VM and Generate API key. [Generate PaloAlto PAN-OS Api Key](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/licensing-api/manage-the-licensing-api-key.html)
- Create the security policy rule in the Palo Alto PAN-OS VM.
- Users must have access to Microsoft Teams and they should be a part of a Teams channel and also "Power Automate" app should be installed in the Microsoft Teams channel.
# Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_URL_Verdict_on_Teams%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FPlaybooks%2FWildfire_URL_Verdict_on_Teams%2Fazuredeploy.json)
- Fill in the required parameters for deploying playbook.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire_URL_verdict_on_Teams) |
| **Wildfire API Key** | Enter the WildFire API Key |
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
| **Palo Alto Custom Connector Name** | Enter the name of PaloAlto PAN-OS custom connector|
# Post-Deployment Instructions
## a. Authorize connections
* Once deployment is complete, authorize each API connection.
- Click the Wildfire API Connection resource
- Click edit API connection
- Provide the API Key
- Click Save
* In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.
## b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with filehash and URL.
- Configure the automation rules to trigger the playbook.
# Playbook Steps
## When Azure Sentinel incident creation rule is triggered
- Captures filehash details from incident information.
### For each-malicious URL received from the incident
Iterates on the URL found in this incident (probably one) and performs the following:
- Fetches the verdict info by making call to wildfire connector.
- Check for verdict status (benign, phishing, malware, grayware).
- If it is verdict status is benign (code=0) then it closes the incident with URL verdict information.
- If verdict status is not benign (phishing, malware, grayware) then it sends an adaptive card to the SOC user and creates address object for URL and adds address object into security policy rule.
## Enrich Incident with verdict or verdict report details as follows
![wildfire](./Images/IncidentCommentLight.PNG)
![wildfire](./Images/IncidentCommentDark.PNG)
## Adaptive card recieved by SOC
![Wildfire](./Images/AdaptiveCard2.jpg)
## SOC user can change the Configurations of incidents
![Wildfire](./Images/AdaptiveCard1.jpg)
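Review bot: the Summary is copied from the URL Verdict Automation playbook and says nothing about Teams, while the Playbook Steps say the non-benign branch "sends an adaptive card to the SOC user and creates address object for URL and adds address object into security policy rule" and the last screenshot heading says "SOC user can change the Configurations of incidents"; the readme should state whether the address object is created and the rule updated before the analyst responds to the card or only after approval, since that decides whether the card is a notification or an approval gate for a firewall change. As in the sibling readme, "Captures filehash details from incident information" should be "Captures URL details ..." for a URL playbook. Typos: "For each-malicious URL" (stray hyphen), "If it is verdict status is benign" (drop "it is"), "Adaptive card recieved by SOC" (received).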

@ -0,0 +1,244 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Logic Apps Custom Connector and Playbook templates - wildfire",
"description": "This is a linked json file for deploying wildfire custom connector + 3 playbooks.",
"prerequisites": [
"1. PaloAlto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
"2. Generate wildfire API key to establish the connection to wildfire custom connector.",
"3. Palo alto API key.",
"4. Security policy rule in the Palo Alto PAN-OS VM.",
"5. Wildfire API end point should be known.",
"6. Users must have access to Microsoft Teams and they should be a part of a Teams channel and also Power Automate app should be installed in the Microsoft Teams channel."
],
"lastUpdateTime": "2021-07-23T00:00:00.000Z",
"entities": [ "URLs", "Filehash" ],
"tags": [ "Teams", "enrichment", "automation" ],
"support": {
"tier": "community"
},
"author": {
"name": "Accenture"
}
},
"parameters": {
"linkedTemplateWildfireCustomConnectorURI": {
"type": "string",
"metadata": {
"description": "The Uri of the linked template for WildFire custom connector"
},
"minLength": 3
},
"linkedTemplatePlaybookFilehashEnrichmentURI": {
"type": "string",
"metadata": {
"description": "The Uri of the linked template for file hash enrichment playbook"
},
"minLength": 3
},
"linkedTemplatePlaybookURLVerdictURI": {
"type": "string",
"metadata": {
"description": "The Uri of the linked template for URL verdict playbook"
},
"minLength": 3
},
"linkedTemplatePlaybookURLVerdictOnTeamsURI": {
"type": "string",
"metadata": {
"description": "The Uri of the linked template for URL Verdict on Teams playbook"
},
"minLength": 3
},
"FilehashEnrichmentPlaybookName": {
"type": "String",
"metadata": {
"description": "Name of the Enrichment Filehash Playbook"
},
"minLength": 3
},
"URLVerdictPlaybookName": {
"type": "String",
"metadata": {
"description": "Name of the URL Verdict Playbook"
},
"minLength": 3
},
"URLVerdictOnTeamsPlaybookName": {
"type": "String",
"metadata": {
"description": "Name of the URL Verdict on Teams Playbook"
},
"minLength": 3
},
"WildfireCustomConnectorName": {
"type": "String",
"metadata": {
"description": "Enter Palo Alto WildFire Custom Connector Display Name"
},
"minLength": 3
},
"PaloAltoCustomConnectorName": {
"type": "String",
"metadata": {
"description": "Enter Palo Alto Custom Connector Display Name"
},
"minLength": 3
},
"WildfireServiceEndPoint": {
"type": "String",
"metadata": {
"description": "Enter WildFire Endpoint (ex: https://{yourDomain})"
},
"minLength": 3
},
"WildfireAPIKey": {
"type": "securestring",
"metadata": {
"description": "Enter WildFire API Key"
},
"minLength": 3
},
"SecurityPolicyRule": {
"type": "string",
"metadata": {
"description": "Enter Security Policy Rule Name - Created in PAN-OS"
},
"minLength": 3
},
"NotificationEmail": {
"type": "string",
"metadata": {
"description": "Enter DL or SOC Email Address For Notification"
},
"minLength": 3
}
},
"variables": {},
"resources": [
{
"name": "linkedTemplateWildfireCustomConnectorURI",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('linkedTemplateWildfireCustomConnectorURI')]"
},
"parameters": {
"CustomConnectorName": {
"value": "[parameters('WildfireCustomConnectorName')]"
},
"ServiceEndPoint": {
"value": "[parameters('WildfireServiceEndPoint')]"
}
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('PaloAltoCustomConnectorName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('PaloAltoCustomConnectorName'))]"
}
}
},
{
"name": "linkedTemplatePlaybookFilehashEnrichmentURI",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplateWildfireCustomConnectorURI')]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('linkedTemplatePlaybookFilehashEnrichmentURI')]"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('FilehashEnrichmentPlaybookName')]"
},
"WildfireAPIKey": {
"Value": "[parameters('WildfireAPIKey')]"
},
"NotificationEmail": {
"Value": "[parameters('NotificationEmail')]"
},
"WildfireCustomConnectorName": {
"Value": "[parameters('WildfireCustomConnectorName')]"
}
}
}
},
{
"name": "linkedTemplatePlaybookURLVerdictURI",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplateWildfireCustomConnectorURI')]",
"[resourceId('Microsoft.Web/connections', parameters('PaloAltoCustomConnectorName'))]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('linkedTemplatePlaybookURLVerdictURI')]"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('URLVerdictPlaybookName')]"
},
"WildfireAPIKey": {
"Value": "[parameters('WildfireAPIKey')]"
},
"SecurityPolicyRule": {
"Value": "[parameters('SecurityPolicyRule')]"
},
"WildfireCustomConnectorName": {
"Value": "[parameters('WildfireCustomConnectorName')]"
},
"PaloAltoCustomConnectorName": {
"Value": "[parameters('PaloAltoCustomConnectorName')]"
}
}
}
},
{
"name": "linkedTemplatePlaybookURLVerdictOnTeamsURI",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplateWildfireCustomConnectorURI')]",
"[resourceId('Microsoft.Web/connections', parameters('PaloAltoCustomConnectorName'))]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('linkedTemplatePlaybookURLVerdictOnTeamsURI')]"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('URLVerdictOnTeamsPlaybookName')]"
},
"WildfireAPIKey": {
"Value": "[parameters('WildfireAPIKey')]"
},
"SecurityPolicyRule": {
"Value": "[parameters('SecurityPolicyRule')]"
},
"WildfireCustomConnectorName": {
"Value": "[parameters('WildfireCustomConnectorName')]"
},
"PaloAltoCustomConnectorName": {
"Value": "[parameters('PaloAltoCustomConnectorName')]"
}
}
}
}
]
}
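Review bot: the four linked-template URI parameters (linkedTemplateWildfireCustomConnectorURI, linkedTemplatePlaybookFilehashEnrichmentURI, linkedTemplatePlaybookURLVerdictURI, linkedTemplatePlaybookURLVerdictOnTeamsURI) have no defaultValue and are not listed in the consolidated readme's Deployment Parameters table, so anyone using the "Deploy to Azure" button has to paste four raw template URIs by hand; give each a defaultValue pointing at the corresponding azuredeploy.json in this folder, or document them in the table. Two smaller points: the nested deployment parameters mix `"value"` (the WildFire connector deployment) and `"Value"` (the three playbook deployments); pick one casing. WildfireAPIKey is correctly declared as securestring here and is forwarded to all three playbook deployments; make sure the linked playbook templates declare their WildfireAPIKey parameter as securestring too, otherwise the key is recorded in clear text in the nested deployment's input history.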

@ -0,0 +1,116 @@
# PaloAlto WildFire Logic Apps Custom Connector and Playbook templates
![wildfire](./wildfirelogo.png)
## Table of Contents
1. [Overview](#overview)
1. [Prerequisites](#prerequisites)
1. [Authentication](#authentication)
1. [Deploy PaloAlto PAN-OS custom connector](#deplyoment)
1. [Deploy WildFire custom connector and 3 playbook templates](#deployall)
1. [Deployment Instructions](#instructions)
1. [Post-Deployment Instructions](#postdeployment)
1. [References](#references)
1. [Limitations](#limitations)
<a name="overview">
# Overview
Palo Alto Wildfire Next Generation Firewall is used to fetch the verdict information of the URL and filehash, hence providing protection from malware and malicious URLs.
<a name="prerequisites">
# Prerequisites for deploying WildFire custom connector and 3 playbook ARM templates
- PaloAlto Pan-OS Custom Connector needs to be deployed prior to the deployment of playbooks under the same subscription as well as same resource group and capture the name of the connector during the deployment.
- Wildfire API end point should be known. ([WildFire Console](https://wildfire.paloaltonetworks.com))
- Wildfire API key should be known. ([Generate WildFire API Key](https://wildfire.paloaltonetworks.com/wildfire/dashboard)).
- Create the security policy rule on PAN-OS VM and capture rule name.
- Posting a message or adaptive card as the Flow bot to a channel requires that the Power Automate should be set to "allow" state in Teams admin center.
<a name="authentication">
# Authentication
WildFire Custom Connector supports: API Key Authentication
<a name="deplyoment">
# Deploy PaloAlto PAN-OS custom connector
To deploy PaloAlto PAN-OS Custom connector goto [Pre-requisites to deploy PaloAlto PAN-OS Custom Connector](/Connectors/PaloAltoConnector/readme.md)
Click on the below button to deploy PaloAlto PAN-OS Custom Connector in your Azure subscription.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
<a name="deployall">
# Deploy Wildfire custom connector and 3 playbook ARM templates
This package includes:
* Custom connector for WildFire.
* Three playbook templates leveraging wildfire custom connector.
You can choose to deploy the whole package: connector and all three playbook templates together, or each one separately from its specific folder.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2PaloAlto-Wildfire%2FazuredeployConsoildatedTemplate.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FazuredeployConsoildatedTemplate.json)
<a name="instructions">
# Deployment Instructions
- Deploy the WildFire custom connector and Playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying WildFire custom connector and playbooks.
## Deployment Parameters
| Parameter | Description |
| ------------- | ------------- |
| **Filehash Enrichment Playbook Name** | Enter the Filehash Enrichment Playbook Name (e.g. Wildfire_filehash_enrichment) |
| **URL Verdict Playbook Name** | Enter the URL verdict Playbook Name (e.g. Wildfire_URL_verdict) |
| **URL Verdict On Teams Playbook Name** | Enter the URL verdict on teams Playbook Name (e.g. URL_verdict_on_teams) |
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
| **Wildfire Service End Point** | Enter the Service End Point of Wildfire API [WildFire Console](https://wildfire.paloaltonetworks.com)|
| **Wildfire API Key** | Enter the WildFire API Key|
| **Notification Email** | Enter the DL or SOC email address for receiving filehash report|
| **Palo Alto Custom Connector Name** | Enter the PaloAlto PAN-OS custom connector name |
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
<a name="postdeployment">
# Post Deployment Instructions
## a. Authorize Connections
* Once deployment is complete, you will need to authorize each connection.
- Click the Teams connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections such as Office 365 connection and Wildfire API Connection (For authorizing the Wildfire API connection, API Key needs to be provided)
* In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.
## b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with filehash and URL.
- Configure the automation rules to trigger the playbook.
<a name="references">
# References
Connector
* [Wildfire Connector](Connectors/WildFireConnector/readme.md)
Playbooks
* [Wildfire_Filehash_Enrichment](/Playbooks/Wildfire_Filehash_Enrichment/readme.md)
* [Wildfire_URL_Verdict_Automation](/Playbooks/Wildfire_URL_Verdict_Automation/readme.md)
* [Wildifre_URL_verdict_on_Teams](/Playbooks/Wildfire_URL_Verdict_on_Teams/readme.md)
<a name="limitations">
# Known Issues and Limitations
- We need to authorize the connections after deploying the playbooks.
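Review bot: the "Deploy to Azure" link under "Deploy Wildfire custom connector and 3 playbook ARM templates" encodes the path as `...%2FPlaybooks%2PaloAlto-Wildfire%2F...`, dropping the `F` of `%2F` before PaloAlto-Wildfire; the Azure Gov link beside it has the correct `%2FPaloAlto-Wildfire`, so the first button will not resolve the template. The PAN-OS connector links also disagree: the text link points to /Connectors/PaloAltoConnector/readme.md while both deploy buttons use a Connectores/PaloAltoConnector folder, and only one spelling can exist in the repository. Minor: the `<a name="...">` anchors are never closed with `</a>`; the "deplyoment" anchor is misspelt (it matches its target, so it still works); the References list mixes a relative path (Connectors/...) with absolute ones (/Playbooks/...) and misspells "Wildifre_URL_verdict_on_Teams"; and the Overview calls WildFire a "Next Generation Firewall" while the rest of the readme treats it as the verdict service whose API is used alongside the PAN-OS firewall, so "Palo Alto WildFire is used to fetch the verdict information ..." would be the accurate wording.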

Binary data
Playbooks/PaloAlto-Wildfire/wildfirelogo.png Normal file
