Azure-Sentinel/Playbooks/PaloAlto-PAN-OS
kapetanios55 8cfba6dcab
Update readme.md
Updating the PAN OS link provided on line 24 - Please double check the link
2022-10-18 15:58:35 +01:00
..
PaloAltoCustomConnector
Playbooks Update readme.md 2022-10-18 15:58:35 +01:00
readme.md

readme.md

PAN-OS Logic Apps connector and playbook templates

drawing

Table of Contents

  1. Overview
  2. Deploy Custom Connector + 3 Playbook templates
  3. Authentication
  4. Prerequisites
  5. Deployment
  6. Post Deployment Steps
  7. Known issues and limitations

Overview

PANOS is the software that runs all Palo Alto Networks next-generation firewalls. This integration will allow your SOC to leverage automation to block traffic to/from specific IP or URL as a response to Azure Sentinel incidents.

PAN-OS custom connector includes various actions which allow you to create your own playbooks from scratch. In addition to the connector, there are 3 OOTB playbooks templates which leverage it so you can start automating Blocking of IPs an URLs with minimum configurations and effort. The OOTB scenarios are leveraging address objects groups, which are pre-configured to be referenced to Security Policy rules. The playbooks will add IPs and URLs as address objects to these groups, so the policies will apply on them.

Deploy Custom Connector + 3 Playbook templates

This package includes:

  • Custom connector for PAN-OS.
  • Three playbook templates leverage PAN-OS custom connector.

You can choose to deploy the whole package connector + all three playbook templates, or each one separately from it's specific folder.

Deploy to Azure Deploy to Azure Gov

Authentication

This connector supports API Key authentication.

Prerequisites for using and deploying Custom Connector

  1. PAN-OS service end point should be known. (e.g. https://{paloaltodomain})
  2. Generate an API key. Refer this link on how to generate the API Key
  3. Address group should be created for PAN-OS for blocking/unblocking address objects and this address group should be used while creating playbooks.

Deployment instructions

  1. Deploy the Custom Connector and playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
  2. Fill in the required parameters for deploying custom connector and playbooks:
Parameter description
Custom connector name Enter the Custom connector name (e.g. contoso PAN-OS connector). This is the name that will appear in the connectors gallery in the Logic Apps designer.
Service Endpoint Enter the PAN-OS service end point (e.g. https://{yourPaloAltoDomain})
Enrich Incident Playbook Name Give a name to the enrichment playbook (e.g. PaloAlto-PAN-OS-GetURLCategoryInfo playbook)
PaloAlto-PAN-OS-BlockIP Playbook Name Enter name for the response playbook which blocks IPs name here (e.g. PaloAlto-PAN-OS-BlockIP)
PaloAlto-PAN-OS-BlockURL Playbook Name Enter name for the response playbook which blocks URLs (e.g. PaloAlto-PAN-OS-BlockURL)
Teams GroupId Enter the Teams channel id to send the adaptive card in both response playbooks
Teams ChannelId Enter the Teams Group id to send the adaptive card in both response playbooks
Refer the below link to get the channel id and group id
Predefined address group name for block IP: Enter the pre-defined address group name which blocks IP
Predefined address group name for block URL: Enter the pre-defined address group name which blocks URL



Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections such as Teams connection and PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided)

b. Configurations in Sentinel

  1. In Azure sentinel analytical rules should be configured to trigger an incident with risky user account.
  2. Configure the automation rules to trigger the playbooks.

Known issues and limitations

name is required twice

In some of the connector actions, user is required to enter the name of the object twice. Both fields should be identical, due to custom connector limitation. Relevant for the following actions:

  • Create a security policy rule
  • Update a security policy rule
  • Create an address object
  • Update an address object
  • Create an address object group
  • Update an address object group
  • Update URL filtering security profile

Update an address group object requires adding existing members

The action update an address object group is overriding the existing group. This means that the member field should include the existing members in addition to the new ones the playbook is adding.