Azure-Sentinel/Playbooks/PaloAlto-Wildfire
Lior Tamir aad48299ca Update playbook trigger names 2022-02-22 17:02:56 +02:00
Palo Alto WildFire Logic Apps Custom Connector and Playbook templates


Table of Contents

  1. Overview
  2. Prerequisites
  3. Authentication
  4. Deploy WildFire custom connector and 3 playbook templates
  5. Deployment Instructions
  6. Post-Deployment Instructions
  7. References
  8. Limitations

Overview

Palo Alto Networks WildFire is a cloud-based malware analysis service. The custom connector calls the WildFire API to fetch the verdict for a URL or file hash, and the playbooks use that verdict to enrich Azure Sentinel incidents and to block malicious URLs on the firewall through the PAN-OS connector.

Prerequisites for deploying WildFire custom connector and 3 playbook ARM templates

Authentication

The WildFire custom connector supports API key authentication. The key is sent with every WildFire API request; you enter it once when you authorize the Wildfire API connection after deployment, and it should be treated as a secret (do not paste it into rule descriptions, comments, or logs).
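The request the connector makes on behalf of the Filehash Enrichment playbook, shown as an added example in Python (this is not code from this repository or from Palo Alto Networks): it builds a get/verdict call in the form the public WildFire API expects, validates the hash before it is sent, and turns the XML reply into a verdict the playbook can branch on. The endpoint path, form fields and verdict codes follow the public WildFire API reference as I know it; the sample replies are constructed here, and the verdict-code table should be checked against the reference for your WildFire cloud.

```python
"""Query a WildFire verdict for a file hash and interpret the XML reply.

Added example, not part of the Azure-Sentinel repository. It mirrors what the
Filehash Enrichment playbook asks the custom connector to do: POST the API key
and the hash to /publicapi/get/verdict and read the numeric verdict back.
"""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

# Verdict codes as documented in the WildFire API reference; confirm the
# mapping against the reference for your WildFire cloud before relying on it.
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    5: "c2",
    -100: "pending",       # sample still being analysed: retry later
    -101: "error",
    -102: "unknown",       # WildFire has never seen this hash
    -103: "invalid hash",
}
MALICIOUS = {"malware", "phishing", "c2"}

# Accept only a 32-hex MD5 or 64-hex SHA256 so an entity pulled from an
# incident cannot smuggle arbitrary text into the request.
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")


def build_verdict_request(endpoint: str, api_key: str, file_hash: str) -> Tuple[str, Dict[str, str]]:
    """Return the URL and form fields for a get/verdict call.

    `endpoint` is the Wildfire Service End Point deployment parameter (host or
    https:// URL). The key travels as a form field in the POST body, never in
    the query string, so it does not land in proxy or web-server access logs.
    """
    if not _HASH_RE.match(file_hash):
        raise ValueError("file_hash must be a 32-char MD5 or 64-char SHA256 hex digest")
    host = endpoint.strip().rstrip("/")
    if not host.startswith("https://"):
        host = "https://" + host.split("://", 1)[-1]   # refuse plain http
    return f"{host}/publicapi/get/verdict", {"apikey": api_key, "hash": file_hash.lower()}


def parse_verdict(xml_text) -> Dict[str, object]:
    """Map a get/verdict XML reply to a small dict the playbook can branch on."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("unexpected WildFire reply: no <get-verdict-info> element")
    code = int(info.findtext("verdict", default="-101"))
    label = VERDICTS.get(code, f"unrecognised({code})")
    return {
        "sha256": info.findtext("sha256"),
        "md5": info.findtext("md5"),
        "verdict_code": code,
        "verdict": label,
        "malicious": label in MALICIOUS,
        "retry": code == -100,   # pending: poll again rather than treat as benign
    }


def get_verdict(endpoint: str, api_key: str, file_hash: str,
                post: Callable[[str, Dict[str, str]], str]) -> Dict[str, object]:
    """Fetch and parse a verdict; `post(url, fields)` performs the HTTP POST and
    returns the response body (for example a thin wrapper over requests.post)."""
    url, fields = build_verdict_request(endpoint, api_key, file_hash)
    return parse_verdict(post(url, fields))


# Constructed sample replies in the documented response shape. The hashes are
# those of the empty file; the verdicts are made up for the demonstration.
SAMPLE_MALWARE_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<wildfire>
  <get-verdict-info>
    <sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</sha256>
    <verdict>1</verdict>
    <md5>d41d8cd98f00b204e9800998ecf8427e</md5>
  </get-verdict-info>
</wildfire>
"""
SAMPLE_PENDING_REPLY = SAMPLE_MALWARE_REPLY.replace("<verdict>1</verdict>", "<verdict>-100</verdict>")


def demo() -> Dict[str, object]:
    """Run the flow offline against the constructed reply instead of the live API."""
    fake_post = lambda url, fields: SAMPLE_MALWARE_REPLY
    return get_verdict("wildfire.paloaltonetworks.com", "REDACTED-API-KEY",
                       "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", fake_post)


if __name__ == "__main__":
    print(demo())
```

The two things worth carrying over into the Logic App are the hash validation before the connector is called and the separate handling of the -100 (pending) code: a playbook that treats "not yet malware" as benign will close incidents on samples WildFire has not finished analysing.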

Deploy Wildfire custom connector and 3 playbook ARM templates

This package includes:

  • Custom connector for WildFire.
  • Three playbook templates leveraging wildfire custom connector.

You can choose to deploy the whole package: connector and all three playbook templates together, or each one separately from its specific folder.

Deploy to Azure Deploy to Azure Gov

Deployment Instructions

  • Click the "Deploy to Azure" button to deploy the WildFire custom connector and playbooks. This opens the custom deployment (ARM template) wizard in the Azure portal.
  • Fill in the required parameters for the WildFire custom connector and the playbooks.

Deployment Parameters

Parameter                            Description
Filehash Enrichment Playbook Name    Name for the Filehash Enrichment playbook
Block URL Playbook Name              Name for the Block URL playbook
Block URL From Teams Playbook Name   Name for the Block URL From Teams playbook
Wildfire Custom Connector Name       Name for the Palo Alto WildFire custom connector
Wildfire Service End Point           Service endpoint of the WildFire API, as shown in the WildFire console (for the global cloud this is wildfire.paloaltonetworks.com; regional clouds have their own hostnames)
Wildfire API Key                     WildFire API key; it is stored in the Wildfire API connection and must be treated as a secret
Notification Email                   DL or SOC email address that receives the filehash report
PAN-OS Custom Connector Name         Name of the Palo Alto PAN-OS custom connector used by the Block URL playbooks
Security Policy Rule                 Name of the security policy rule that already exists in PAN-OS and that the Block URL playbooks use

Post Deployment Instructions

a. Authorize Connections

  • Once deployment is complete, authorize each API connection:
    • Open the Teams connection resource
    • Click Edit API connection
    • Click Authorize
    • Sign in
    • Click Save
    • Repeat these steps for the other connections, such as the Office 365 connection and the Wildfire API connection (the Wildfire API connection is authorized by entering the WildFire API key rather than by signing in)
  • In the Logic App designer, also authorize the Teams channel connection for the playbooks that post adaptive cards.

b. Configurations in Sentinel

  • In Azure Sentinel, configure analytics rules so that the incidents they create carry FileHash and URL entities; the playbooks read those entities from the incident.
  • Configure automation rules to trigger the playbooks on those incidents.

References

Connector

Playbooks

Known Issues and Limitations