PaloAltoNGFW
============

PaloAltoNGFW_block_external_IP_address
--------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block external IP address

.. rubric:: Configuration

=========================================== ===============================================
Name                                        Description
Hostname_PaloAltoNGFW                       Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                           User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                       Password for User_PaloAltoNGFW
Security_rule_for_block_external_IP_address Name of the security rule that blocks external IP addresses
EnergySOARBase_instance                     URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                      Energy SOAR Base API key with read access
=========================================== ===============================================

PaloAltoNGFW_block_external_domain
----------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block external domain

.. rubric:: Configuration

======================================= =======================================
Name                                    Description
Hostname_PaloAltoNGFW                   Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                       User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                   Password for User_PaloAltoNGFW
Security_rule_for_block_external_domain Name of the security rule that blocks external domains
EnergySOARBase_instance                 URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                  Energy SOAR Base API key with read access
======================================= =======================================

PaloAltoNGFW_block_external_user
--------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block external user

.. rubric:: Configuration

===================================== =====================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Security_rule_for_block_external_user Name of the security rule that blocks external users
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== =====================================

PaloAltoNGFW_block_internal_IP_address
--------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block internal IP address

.. rubric:: Configuration

=========================================== ==========================================
Name                                        Description
Hostname_PaloAltoNGFW                       Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                           User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                       Password for User_PaloAltoNGFW
Security_rule_for_block_internal_IP_address Name of the security rule that blocks internal IP addresses
EnergySOARBase_instance                     URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                      Energy SOAR Base API key with read access
=========================================== ==========================================

PaloAltoNGFW_block_internal_domain
----------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block internal domain

.. rubric:: Configuration

======================================= =======================================
Name                                    Description
Hostname_PaloAltoNGFW                   Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                       User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                   Password for User_PaloAltoNGFW
Security_rule_for_block_internal_domain Name of the security rule that blocks internal domains
EnergySOARBase_instance                 URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                  Energy SOAR Base API key with read access
======================================= =======================================

PaloAltoNGFW_block_internal_user
--------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block internal user

.. rubric:: Configuration

===================================== =====================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Security_rule_for_block_internal_user Name of the security rule that blocks internal users
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== =====================================

PaloAltoNGFW_block_port_for_external_communication
--------------------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block a port for external communication

.. rubric:: Configuration

=================================================== ===================================================
Name                                                Description
Hostname_PaloAltoNGFW                               Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                                   User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                               Password for User_PaloAltoNGFW
Security_rule_for_block_port_external_communication Name of the security rule that blocks ports for external communication
EnergySOARBase_instance                             URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                              Energy SOAR Base API key with read access
=================================================== ===================================================

PaloAltoNGFW_block_port_for_internal_communication
--------------------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     2.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Block a port for internal communication

.. rubric:: Configuration

=================================================== ===================================================
Name                                                Description
Hostname_PaloAltoNGFW                               Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                                   User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                               Password for User_PaloAltoNGFW
Security_rule_for_block_port_internal_communication Name of the security rule that blocks ports for internal communication
EnergySOARBase_instance                             URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                              Energy SOAR Base API key with read access
=================================================== ===================================================

PaloAltoNGFW_unblock_external_IP_address
----------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock external IP address

.. rubric:: Configuration

===================================== ==========================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Address_group_for_external_IP_address Name of the address group holding blocked external IP addresses
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== ==========================================

PaloAltoNGFW_unblock_external_domain
------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock external domain

.. rubric:: Configuration

========================================= =======================================
Name                                      Description
Hostname_PaloAltoNGFW                     Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                         User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                     Password for User_PaloAltoNGFW
Address_group_for_unblock_external_domain Name of the address group holding blocked external domains
EnergySOARBase_instance                   URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                    Energy SOAR Base API key with read access
========================================= =======================================

PaloAltoNGFW_unblock_external_user
----------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock external user

.. rubric:: Configuration

===================================== =====================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Security_rule_for_block_external_user Name of the security rule that blocks external users
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== =====================================

PaloAltoNGFW_unblock_internal_IP_address
----------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock internal IP address

.. rubric:: Configuration

===================================== ==========================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Address_group_for_internal_IP_address Name of the address group holding blocked internal IP addresses
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== ==========================================

PaloAltoNGFW_unblock_internal_domain
------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock internal domain

.. rubric:: Configuration

========================================= =======================================
Name                                      Description
Hostname_PaloAltoNGFW                     Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                         User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                     Password for User_PaloAltoNGFW
Address_group_for_unblock_internal_domain Name of the address group holding blocked internal domains
EnergySOARBase_instance                   URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                    Energy SOAR Base API key with read access
========================================= =======================================

PaloAltoNGFW_unblock_internal_user
----------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock internal user

.. rubric:: Configuration

===================================== =====================================
Name                                  Description
Hostname_PaloAltoNGFW                 Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                     User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                 Password for User_PaloAltoNGFW
Security_rule_for_block_internal_user Name of the security rule that blocks internal users
EnergySOARBase_instance               URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                Energy SOAR Base API key with read access
===================================== =====================================

PaloAltoNGFW_unblock_port_for_external_communication
----------------------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock a port for external communication

.. rubric:: Configuration

============================================= ==================================================
Name                                          Description
Hostname_PaloAltoNGFW                         Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                             User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                         Password for User_PaloAltoNGFW
Service_group_for_external_port_communication Name of the service group holding blocked ports for external communication
EnergySOARBase_instance                       URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                        Energy SOAR Base API key with read access
============================================= ==================================================

PaloAltoNGFW_unblock_port_for_internal_communication
----------------------------------------------------

.. rubric:: Details

=========================== ==================================================
Author                      Maxim Konakin, OSCD Initiative
Version                     1.0.0
License                     AGPL-V3
Website                     https://www.paloaltonetworks.com/
Requires Registration       No
Requires Subscription       No
Free Subscription Available No
DataType Supported          energysoar:alert, energysoar:case_artifact, energysoar:case
=========================== ==================================================

.. rubric:: Description

Unblock a port for internal communication

.. rubric:: Configuration

============================================= ==================================================
Name                                          Description
Hostname_PaloAltoNGFW                         Network address (hostname or IP) of the PaloAltoNGFW system
User_PaloAltoNGFW                             User in the PaloAltoNGFW system used by the responder
Password_PaloAltoNGFW                         Password for User_PaloAltoNGFW
Service_group_for_internal_port_communication Name of the service group holding blocked ports for internal communication
EnergySOARBase_instance                       URL of the Energy SOAR Base instance to query (used for the case and alert data types)
EnergySOARBase_API_key                        Energy SOAR Base API key with read access
============================================= ==================================================

.. rubric:: Additional details from the README file:

.. role:: raw-html-m2r(raw)
   :format: html

Description of the responder module operation for the Palo Alto NGFW system
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This description lists the actions an engineer must take to integrate the responders with the Palo Alto NGFW.

Installation
~~~~~~~~~~~~

The responders need the following Python packages installed on the Cortex host:

#. pip install requests
#. pip install pan-os-python

ToDo
^^^^

For the responders to work, upload the PaloAltoNGFW folder to the directory where the other responders are stored.
Then:

* Restart Cortex so that it loads the new responders;
* To configure the responders, open the Cortex web console, go to the "Organization" tab, select the organization for which the configuration is performed, open the "Responders Config" tab and fill in the fields of "PaloAltoNGFW_main" with their values:

.. image:: assets/Responders.jpg
   :target: assets/Responders.jpg
   :alt: Responders Config tab for PaloAltoNGFW_main

#. Hostname_PaloAltoNGFW - network address of the PaloAltoNGFW system
#. User_PaloAltoNGFW - user in the PaloAltoNGFW system
#. Password_PaloAltoNGFW - password of that user in the PaloAltoNGFW system
#. ``Security_rule_*`` - the name of the security rule in the PaloAltoNGFW system. The following standard rule names have been established:

   4.1 To block/unblock users:

   4.1.1 "Energy SOAR Base Block internal user"

   4.1.2 "Energy SOAR Base Block external user"

   4.2 To block/unblock network addresses:

   4.2.1 "Energy SOAR Base Block internal IP address"

   4.2.2 "Energy SOAR Base Block external IP address"

   4.3 To block/unblock FQDNs:

   4.3.1 "Energy SOAR Base Block external Domain"

   4.3.2 "Energy SOAR Base Block internal Domain"

   4.4 To block/unblock ports:

   4.4.1 "Energy SOAR Base Block port for internal communication"

   4.4.2 "Energy SOAR Base Block port for external communication"

#. EnergySOARBase_instance - URL of the Energy SOAR Base system (used only for the case and alert data types). Each organization must have its own Energy SOAR Base user with API access.
#. EnergySOARBase_API_key - API key used to connect to the Energy SOAR Base system

Note: the security rules named above must already exist in PaloAltoNGFW and be positioned in the rulebase in the order in which they are meant to apply. PAN-OS evaluates security policy top-down and uses the first matching rule, so a block rule placed below a rule that allows the same traffic is never reached.

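The ordering note above is the one place where a misconfiguration silently disables the responders: PAN-OS evaluates the security rulebase top-down and applies the first match, so a block rule that sits below a permissive rule never fires, and nothing in the responder output tells you so. The pre-flight check below is an added example written for this page and is not part of the Energy SOAR responders. It validates a rulebase against the eight standard rule names listed above. The two rulebases in it are constructed for the example; the ``load_rulebase`` helper, which would fetch the live rulebase with pan-os-python (the library the Installation step installs), is an assumption about how one would wire the check in and is not executed here.

```python
"""Pre-flight check that the "Energy SOAR Base Block ..." rules exist,
deny traffic and are not shadowed.  Added example, not responder code."""
from dataclasses import dataclass

# Standard rule names from the README (item 4 above).
REQUIRED_BLOCK_RULES = (
    "Energy SOAR Base Block internal user",
    "Energy SOAR Base Block external user",
    "Energy SOAR Base Block internal IP address",
    "Energy SOAR Base Block external IP address",
    "Energy SOAR Base Block external Domain",
    "Energy SOAR Base Block internal Domain",
    "Energy SOAR Base Block port for internal communication",
    "Energy SOAR Base Block port for external communication",
)


@dataclass(frozen=True)
class Rule:
    """The three attributes of a PAN-OS security rule this check needs."""
    name: str
    action: str = "allow"      # allow, deny, drop, reset-client, ...
    disabled: bool = False


def check_rulebase(rules):
    """Return the list of problems found; an empty list means the rulebase
    satisfies the README's requirement.  `rules` is in evaluation order
    (top of the policy first), exactly as PAN-OS evaluates it."""
    problems = []
    by_name = {r.name: r for r in rules}
    # Index of the first enabled allow rule.  The check is deliberately
    # conservative: it does not compare match criteria, so any block rule
    # below that point is reported as potentially shadowed.
    first_allow = next(
        (i for i, r in enumerate(rules) if r.action == "allow" and not r.disabled),
        len(rules),
    )
    for name in REQUIRED_BLOCK_RULES:
        rule = by_name.get(name)
        if rule is None:
            problems.append(f"missing rule: {name!r}")
            continue
        if rule.disabled:
            problems.append(f"disabled rule: {name!r}")
        if rule.action == "allow":
            problems.append(f"rule does not block (action=allow): {name!r}")
        if rules.index(rule) > first_allow:
            problems.append(
                f"shadowed rule: {name!r} sits below {rules[first_allow].name!r}"
            )
    return problems


def load_rulebase(hostname, username, password):
    """Fetch the live rulebase with pan-os-python (assumed wiring, not run
    in this example).  The arguments are the responder's Hostname_/User_/
    Password_PaloAltoNGFW values; a dedicated least-privilege API account
    is preferable to an administrator password."""
    from panos.firewall import Firewall
    from panos.policies import Rulebase, SecurityRule

    fw = Firewall(hostname, api_username=username, api_password=password)
    rulebase = fw.add(Rulebase())
    return [Rule(r.name, r.action or "allow", bool(r.disabled))
            for r in SecurityRule.refreshall(rulebase)]


# Constructed sample rulebases (not taken from a real firewall).
GOOD_RULEBASE = [Rule(n, "deny") for n in REQUIRED_BLOCK_RULES] + [
    Rule("allow-internal-to-internet", "allow"),
]
# Permissive rule on top, one standard rule missing, one disabled.
BAD_RULEBASE = [Rule("allow-any", "allow")] + [
    Rule(n, "deny", disabled=(n == "Energy SOAR Base Block internal user"))
    for n in REQUIRED_BLOCK_RULES
    if n != "Energy SOAR Base Block internal Domain"
]

if __name__ == "__main__":
    for label, rb in (("good", GOOD_RULEBASE), ("bad", BAD_RULEBASE)):
        print(label, check_rulebase(rb) or "OK")
```

Run it after every rulebase change, or from the responder itself before it touches an address or service group; a non-empty result should abort the action rather than report success.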
Data types used for the responders in the Energy SOAR Base system:

#. Network address - 'ip'
#. FQDN - 'hostname'
#. Port and protocol - 'port-protocol'
#. Username - 'username'

Note: the 'port-protocol' and 'username' types must be created in the Energy SOAR Base system. By default Energy SOAR Base does not include them among the Observable types, so add them in the admin settings:

.. image:: assets/AddObservableType.jpg
   :target: assets/AddObservableType.jpg
   :alt: Adding the port-protocol and username observable types in the admin settings
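What a responder receives for one of these observables, and why the value has to be validated before it becomes a firewall object, is easier to see in code. The following is an added example written for this page and is not the responders' own implementation. It maps the four observable types above to the PAN-OS object a responder would act on (an ip-netmask address object, an fqdn address object, a service object, or a user for the rule's source-user field) and rejects malformed input, because observable values originate in alerts and are therefore attacker-influenced. Assumptions, also marked in the code: a 'port-protocol' value is written as ``<port>/<tcp|udp>``; the job JSON follows the case_artifact shape Cortex passes to responders (the observable's own dataType and data under ``data``); the object-name convention and its character set are illustrative; the config field names are the ones from the tables above.

```python
"""Map Energy SOAR Base observables to PAN-OS objects, with validation.
Added example, not the responders' own code."""
import ipaddress
import re

# Observable types from the README ("Data types used ...").
SUPPORTED_TYPES = ("ip", "hostname", "port-protocol", "username")
# Config fields every responder on this page expects.
REQUIRED_CONFIG = ("Hostname_PaloAltoNGFW", "User_PaloAltoNGFW", "Password_PaloAltoNGFW")

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")                  # assumed safe charset


def object_name(prefix: str, value: str) -> str:
    """Deterministic, sanitized object name.  The charset and the 63-char cap
    are an assumed convention chosen to stay inside what PAN-OS accepts."""
    return f"{prefix}-{_UNSAFE.sub('_', value)}"[:63]


def normalize(data_type: str, data: str) -> dict:
    """Translate one observable into the PAN-OS object a responder would
    create or reference.  Raises ValueError on unsupported types or
    malformed values instead of passing them through to the firewall."""
    value = data.strip()
    if data_type == "ip":
        # v4/v6 host or CIDR; a host becomes /32 or /128 (ValueError if junk).
        net = ipaddress.ip_network(value, strict=False)
        return {"kind": "address", "type": "ip-netmask", "value": net.with_prefixlen,
                "name": object_name("soar-ip", net.with_prefixlen)}
    if data_type == "hostname":
        labels = value.rstrip(".").lower().split(".")
        if len(value) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"invalid FQDN: {value!r}")
        fqdn = ".".join(labels)
        return {"kind": "address", "type": "fqdn", "value": fqdn,
                "name": object_name("soar-fqdn", fqdn)}
    if data_type == "port-protocol":
        # Assumed value format: "<port>/<tcp|udp>", e.g. "3389/tcp".
        m = re.fullmatch(r"(\d{1,5})/(tcp|udp)", value.lower())
        if not m or not 1 <= int(m.group(1)) <= 65535:
            raise ValueError(f"invalid port-protocol (expected <port>/<tcp|udp>): {value!r}")
        port, proto = int(m.group(1)), m.group(2)
        return {"kind": "service", "protocol": proto, "destination_port": str(port),
                "name": f"soar-{proto}-{port}"}
    if data_type == "username":
        # DOMAIN\user or a bare user name; used in the rule's source-user field.
        if not re.fullmatch(r"(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._@-]+", value):
            raise ValueError(f"invalid username: {value!r}")
        return {"kind": "user", "value": value}
    raise ValueError(f"unsupported dataType: {data_type!r} (supported: {SUPPORTED_TYPES})")


def is_valid(data_type: str, data: str) -> bool:
    """True if normalize() accepts the observable."""
    try:
        normalize(data_type, data)
        return True
    except ValueError:
        return False


def run(job: dict) -> dict:
    """Responder-style entry point.  Cortex hands the job in as JSON; for a
    case artifact `job["data"]` carries the observable's own dataType/data
    (assumed shape).  The result uses the success/full/errorMessage keys
    a cortexutils responder emits, so it can be json.dump'ed as-is."""
    config = job.get("config", {})
    missing = [k for k in REQUIRED_CONFIG if not config.get(k)]
    if missing:
        return {"success": False, "errorMessage": f"missing config: {', '.join(missing)}"}
    artifact = job.get("data") or {}
    try:
        obj = normalize(str(artifact.get("dataType", "")), str(artifact.get("data", "")))
    except ValueError as exc:
        return {"success": False, "errorMessage": str(exc)}
    return {"success": True,
            "full": {"message": f"would apply {obj['kind']} object on {config['Hostname_PaloAltoNGFW']}",
                     "object": obj}}


# Constructed sample job (not a real Cortex payload); note the stray spaces.
SAMPLE_JOB = {
    "dataType": "energysoar:case_artifact",
    "data": {"dataType": "ip", "data": " 203.0.113.7 "},
    "config": {"Hostname_PaloAltoNGFW": "fw.example.internal",
               "User_PaloAltoNGFW": "soar-api", "Password_PaloAltoNGFW": "***"},
}

if __name__ == "__main__":
    print(run(SAMPLE_JOB))
    print(run({**SAMPLE_JOB, "data": {"dataType": "hostname", "data": "not valid"}}))
```

The point of the strict parsing is that a rejected observable produces an error report in Energy SOAR rather than a malformed, or worse, over-broad, firewall object: an 'ip' value of ``0.0.0.0/0`` would parse, so a production responder should additionally refuse networks wider than whatever the organisation considers an acceptable block.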