Azure-Sentinel/Playbooks/PaloAlto-Wildfire
..
Connectors/WildFireConnector
Playbooks
XMLResponse.xml
azuredeployConsoildatedTemplate.json
azuredeploylinkedTemplate.json
readme.md
wildfirelogo.png

readme.md

Palo Alto WildFire Logic Apps Custom Connector and Playbook templates

wildfire

Table of Contents

  1. Overview
  2. Prerequisites
  3. Authentication
  4. Deploy WildFire custom connector and 3 playbook templates
  5. Deployment Instructions
  6. Post-Deployment Instructions
  7. References
  8. Limitations

Overview

Palo Alto Wildfire Next Generation Firewall is used to fetch the verdict information of the URL and filehash, hence providing protection from malware and malicious URLs.

Prerequisites for deploying WildFire custom connector and 3 playbook ARM templates

Authentication

WildFire Custom Connector supports: API Key Authentication

Deploy Wildfire custom connector and 3 playbook ARM templates

This package includes:

  • Custom connector for WildFire.
  • Three playbook templates leveraging wildfire custom connector.

You can choose to deploy the whole package: connector and all three playbook templates together, or each one separately from its specific folder.

Deploy to Azure Deploy to Azure Gov

Deployment Instructions

  • Deploy the WildFire custom connector and Playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
  • Fill in the required parameters for deploying WildFire custom connector and playbooks.

Deployment Parameters

Parameter Description
Filehash Enrichment Playbook Name Enter the Filehash Enrichment Playbook Name
Block URL Playbook Name Enter the Block URL Playbook Name
Block URL From Teams Playbook Name Enter the Block URL From Teams Playbook Name
Wildfire Custom Connector Name Enter the name of Palo Alto WildFire custom connector
Wildfire Service End Point Enter the Service End Point of Wildfire API WildFire Console
Wildfire API Key Enter the WildFire API Key
Notification Email Enter the DL or SOC email address for receiving filehash report
PAN-OS Custom Connector Name Enter the Palo Alto PAN-OS custom connector name
Security Policy Rule Enter the Security Policy Rule which is created in PAN-OS

Post Deployment Instructions

a. Authorize Connections

  • Once deployment is complete, you will need to authorize each connection.
    • Click the Teams connection resource
    • Click edit API connection
    • Click Authorize
    • Sign in
    • Click Save
    • Repeat steps for other connections such as Office 365 connection and Wildfire API Connection (For authorizing the Wildfire API connection, API Key needs to be provided)
  • In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.

b. Configurations in Sentinel

  • In Azure sentinel analytical rules should be configured to trigger an incident with filehash and URL.
  • Configure the automation rules to trigger the playbook.

References

Connector

Playbooks

Known Issues and Limitations