Palo Alto WildFire Logic Apps Custom Connector and Playbook templates
Table of Contents
- Overview
- Prerequisites
- Authentication
- Deploy WildFire custom connector and 3 playbook templates
- Deployment Instructions
- Post-Deployment Instructions
- References
- Limitations
Overview
Palo Alto Networks WildFire is queried for the verdict of a URL or file hash, so the playbooks can act on malware and malicious URLs (enrich an incident, block the URL on the PAN-OS firewall).
Prerequisites for deploying WildFire custom connector and 3 playbook ARM templates
- The Palo Alto PAN-OS custom connector must be deployed before the playbooks, in the same subscription and resource group; capture the connector name during its deployment.
- The WildFire API endpoint must be known (see the WildFire Console).
- The WildFire API key must be known (see Generate WildFire API Key). Treat it as a secret: it grants verdict lookups and sample submission against your WildFire tenant.
- Create the security policy rule on the PAN-OS VM and capture the rule name.
Authentication
The WildFire custom connector supports API key authentication only.
Deploy WildFire custom connector and 3 playbook ARM templates
This package includes:
- A custom connector for WildFire.
- Three playbook templates that use the WildFire custom connector.
You can deploy the whole package (connector and all three playbook templates together) or each one separately from its own folder.
Deployment Instructions
- Deploy the WildFire custom connector and playbooks by clicking the "Deploy to Azure" button. This opens the ARM template deployment wizard in the Azure portal.
- Fill in the required parameters for the WildFire custom connector and playbooks.
Deployment Parameters
| Parameter | Description |
|---|---|
| Filehash Enrichment Playbook Name | Name for the file-hash enrichment playbook |
| Block URL Playbook Name | Name for the Block URL playbook |
| Block URL From Teams Playbook Name | Name for the Block URL From Teams playbook |
| Wildfire Custom Connector Name | Name of the Palo Alto WildFire custom connector |
| Wildfire Service End Point | Service endpoint of the WildFire API (from the WildFire Console) |
| Wildfire API Key | The WildFire API key (a secret; do not store it in a committed parameters file) |
| Notification Email | DL or SOC mailbox that receives the file-hash report |
| PAN-OS Custom Connector Name | Name of the previously deployed Palo Alto PAN-OS custom connector |
| Security Policy Rule | Name of the security policy rule created in PAN-OS |
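The same deployment driven from the az CLI instead of the "Deploy to Azure" button, as an added example that is not part of this solution's templates. It assumes the consolidated template is named azuredeployConsoildatedTemplate.json and that its JSON parameter names are the ones used below (the README only lists display names, so these are assumptions); the sample endpoint, mailbox and rule name are constructed. The point it demonstrates is where the WildFire API key goes: never into the parameters file, and, if the template declares it as securestring, never into the readable deployment history.

```bash
# Added example (not the solution's own code). Assumed: template file name
# azuredeployConsoildatedTemplate.json and the JSON parameter names below.

# Write every non-secret parameter to a file that is safe to commit or share.
# The WildFire API key is deliberately absent; it is supplied at deploy time.
write_params() {
  local out="$1" prefix="$2" wf_endpoint="$3" notify="$4" panos_conn="$5" rule="$6"
  cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "FilehashEnrichmentPlaybookName": { "value": "${prefix}-FilehashEnrichment" },
    "BlockURLPlaybookName":           { "value": "${prefix}-BlockURL" },
    "BlockURLFromTeamsPlaybookName":  { "value": "${prefix}-BlockURLFromTeams" },
    "WildfireCustomConnectorName":    { "value": "${prefix}-WildFireConnector" },
    "WildfireServiceEndPoint":        { "value": "${wf_endpoint}" },
    "NotificationEmail":              { "value": "${notify}" },
    "PANOSCustomConnectorName":       { "value": "${panos_conn}" },
    "SecurityPolicyRule":             { "value": "${rule}" }
  }
}
EOF
}

# Guard: refuse to deploy if the key ever ended up in the parameters file
# (returns 0 when the file is clean, 1 when it mentions the key parameter).
params_leak_free() {
  ! grep -qi 'WildfireAPIKey' "$1"
}

# Deploy. The key is read from an environment variable the operator sets
# interactively (e.g. "read -rs WILDFIRE_API_KEY"), so it is neither in the
# parameters file on disk nor in a saved script. It is still briefly visible
# in the az process's argv, which is the remaining trade-off of this approach.
deploy() {
  local rg="$1" params="$2"
  : "${WILDFIRE_API_KEY:?set WILDFIRE_API_KEY in the environment first}"
  params_leak_free "$params" || { echo "refusing: API key found in $params" >&2; return 1; }
  az deployment group create \
    --name wildfire-playbooks \
    --resource-group "$rg" \
    --template-file azuredeployConsoildatedTemplate.json \
    --parameters "@$params" \
    --parameters WildfireAPIKey="$WILDFIRE_API_KEY"
}

# Post-deploy check: a parameter the template declares as securestring is kept in
# the deployment history as {"type": "SecureString"} with no value. If a value
# comes back here, the template declared the key as a plain string and anyone with
# Reader on the resource group can now read it from the deployment history.
key_not_in_history() {
  local val
  val=$(az deployment group show --name wildfire-playbooks --resource-group "$1" \
        --query 'properties.parameters.WildfireAPIKey.value' -o tsv)
  [ -z "$val" ]
}

# Usage (interactive):
#   read -rs WILDFIRE_API_KEY; export WILDFIRE_API_KEY
#   write_params params.json soc https://wildfire.paloaltonetworks.com soc@example.com PAN-OS-Connector Block-Malicious-URL
#   deploy my-sentinel-rg params.json && key_not_in_history my-sentinel-rg
```

The separate `--parameters` arguments are merged by the CLI, so the file and the inline secret can be kept apart. If key_not_in_history fails, fix the template's parameter type before redeploying rather than rotating the key alone, or the next deployment leaks it again.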
Post Deployment Instructions
a. Authorize Connections
- Once deployment is complete, each API connection must be authorized.
- Click the Teams connection resource.
- Click Edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat these steps for the other connections, such as the Office 365 connection and the WildFire API connection (authorizing the WildFire API connection requires the API key).
- In the Logic App designer, also authorize the Teams channel connection for the playbooks that post adaptive cards.
b. Configurations in Sentinel
- In Azure Sentinel, configure analytics rules that create incidents carrying the file hash and URL the playbooks act on.
- Configure automation rules to trigger the playbooks on those incidents.
References
Connector
Playbooks