PaloAltoNGFW
PaloAltoNGFW_block_external_IP_address
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block external IP address
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_external_IP_address | Name of the external security rule for IP addresses |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_external_domain
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block external domain
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_external_domain | Name of the external security rule for domains |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_external_user
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block external user
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_external_user | Name of the security rule for external users |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_internal_IP_address
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block internal IP address
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_internal_IP_address | Name of the internal security rule for IP addresses |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_internal_domain
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block internal domain
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_internal_domain | Name of the internal security rule for domains |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_internal_user
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block internal user
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_internal_user | Name of the internal security rule for users |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_port_for_external_communication
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block external port communication
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_port_external_communication | Name of the external security rule for port communications |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_block_port_for_internal_communication
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 2.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Block internal port communication
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_port_internal_communication | Name of the internal security rule for port communications |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_external_IP_address
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock external IP address
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Address_group_for_external_IP_address | Name of the external Address Group for IP addresses |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_external_domain
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock external domain
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Address_group_for_unblock_external_domain | Name of the external Address Group for domains |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_external_user
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock external user
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_external_user | Name of the security rule for external users |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_internal_IP_address
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock internal IP address
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Address_group_for_internal_IP_address | Name of the internal Address Group for IP addresses |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_internal_domain
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock internal domain
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Address_group_for_unblock_internal_domain | Name of the internal Address Group for domains |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_internal_user
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock internal user
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Security_rule_for_block_internal_user | Name of the security rule for internal users |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_port_for_external_communication
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock external port communication
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Service_group_for_external_port_communication | Name of the external Service Group for port communication |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
PaloAltoNGFW_unblock_port_for_internal_communication
Details
| Field | Value |
|---|---|
| Author | Maxim Konakin, OSCD Initiative |
| Version | 1.0.0 |
| License | AGPL-V3 |
| Website | |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:alert, thehive:case_artifact, thehive:case |
Description
Unblock internal port communication
Configuration
| Name | Description |
|---|---|
| Hostname_PaloAltoNGFW | Hostname of the PaloAltoNGFW system |
| User_PaloAltoNGFW | User in the PaloAltoNGFW system |
| Password_PaloAltoNGFW | Password for the user in the PaloAltoNGFW system |
| Service_group_for_internal_port_communication | Name of the internal Service Group for port communication |
| TheHive_instance | URL of the TheHive instance to query |
| TheHive_API_key | TheHive API key with read access |
Additional details from the README file:
Description of the responder module operation for the Palo Alto NGFW system
This description lists the actions an engineer must take to integrate the responders with the Palo Alto NGFW.
Installation
The following packages need to be installed:
pip install cortexutils
pip install requests
pip install pan-os-python
pip install thehive4py
ToDo
For the responders to work, upload the PaloAltoNGFW folder to the directory where the other responders are stored. Then:
1. Reboot the Cortex system.
2. To configure the responders, open the Cortex web console, go to the "Organization" tab, select the organization for which the configuration will be performed, go to the "Responders Config" tab and fill in the fields for "PaloAltoNGFW_main" with the following values:
   1. Hostname_PaloAltoNGFW - network address of the PaloAltoNGFW system
   2. User_PaloAltoNGFW - user in the PaloAltoNGFW system
   3. Password_PaloAltoNGFW - password for the user in the PaloAltoNGFW system
   4. Securityrule* - the name of the security rule in the PaloAltoNGFW system. The following standard rule names have been established:
      4.1 To block/unblock users:
         4.1.1 "TheHive Block internal user"
         4.1.2 "TheHive Block external user"
      4.2 To block/unblock network addresses:
         4.2.1 "TheHive Block internal IP address"
         4.2.2 "TheHive Block external IP address"
      4.3 To block/unblock FQDNs:
         4.3.1 "TheHive Block external Domain"
         4.3.2 "TheHive Block internal Domain"
      4.4 To block/unblock ports:
         4.4.1 "TheHive Block port for internal communication"
         4.4.2 "TheHive Block port for external communication"
   5. TheHive_instance - URL of the TheHive system (used only for the case and alert data types). Each organization must have its own TheHive user with API access.
   6. TheHive_API_key - API key used to connect to the TheHive system
Note: the security rules listed above must already exist in PaloAltoNGFW and must be placed in the rulebase in the order in which they are to be applied.
Types of data used to work in TheHive system: