PaloAltoNGFW#

README

Description of the responder module for the Palo Alto NGFW system#

This document lists the steps an engineer must perform to integrate the responders with Palo Alto NGFW.

Installation#

Required packages:
1. pip install cortexutils
2. pip install requests
3. pip install pan-os-python
4. pip install thehive4py

ToDo#

To use the responders, copy the PaloAltoNGFW folder into the directory where the other responders are stored. Then:
  • Restart the Cortex service;
  • To configure the responders, open the Cortex web console, go to the "Organization" tab, select the organization to configure, open the "Responders Config" tab and fill in the fields of "PaloAltoNGFW_main" with the following values:
    1. Hostname_PaloAltoNGFW - network address of the PaloAltoNGFW system
    2. User_PaloAltoNGFW - user in the PaloAltoNGFW system
    3. Password_PaloAltoNGFW - password for that user in the PaloAltoNGFW system
    4. Security_rule_* - name of a security rule in the PaloAltoNGFW system. The following standard rule names are used:
       4.1 For blocking/unblocking user names:
       4.1.1 "TheHive Block internal user"
       4.1.2 "TheHive Block external user"
       4.2 For blocking/unblocking network addresses:
       4.2.1 "TheHive Block internal IP address"
       4.2.2 "TheHive Block external IP address"
       4.3 For blocking/unblocking FQDNs:
       4.3.1 "TheHive Block external Domain"
       4.3.2 "TheHive Block internal Domain"
       4.4 For blocking/unblocking ports:
       4.4.1 "TheHive Block port for internal communication"
       4.4.2 "TheHive Block port for external communication"
    5. TheHive_instance - URL of the TheHive system (used only for the case and alert data types). Important: each organization must have its own API user!
    6. TheHive_API_key - API key for connecting to the TheHive system

Note: the security rules listed above must already exist in PaloAltoNGFW and be ordered in the sequence in which they are meant to apply.

Observable data types used in TheHive:
  1. network address - 'ip'
  2. FQDN - 'hostname'
  3. port-protocol - 'port-protocol'
  4. user name - 'username'

Note: the 'port-protocol' and 'username' types must be created in TheHive. By default TheHive does not include them among its Observable types, so they have to be added in the administrator settings.
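As an added example (not code from this project), the following Python validates a TheHive observable of the four types listed above and resolves which PAN-OS security rule or address/service group a block or unblock responder from this family would edit, using the default names from the configuration tables below. The "TheHive_<type>_<value>" object naming and the block-edits-rule / unblock-edits-group mapping are assumptions inferred from which configuration item each responder declares.

```python
"""Added illustration: validate a TheHive observable and resolve the PAN-OS
object a block/unblock responder from this family would edit (no network I/O)."""
import ipaddress
import re

# Default object names from the configuration tables, keyed by observable type:
# (rule template edited on block, group kind and group template edited on unblock).
# Which kind each action edits is inferred from the responders' config items (assumption).
NAMES = {
    "ip": ("TheHive Block {scope} IP address", "address-group", "TheHive Block list {scope} IP address"),
    "hostname": ("TheHive Block {scope} Domain", "address-group", "TheHive Block list {scope} domain"),
    "port-protocol": ("TheHive Block port for {scope} communication", "service-group",
                      "TheHive Block list for {scope} port communication"),
    "username": ("TheHive Block {scope} user", "security-rule", "TheHive Block {scope} user"),
}

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters outside the set PAN-OS accepts in object names are replaced.
_BAD_NAME_CHARS = re.compile(r"[^A-Za-z0-9._ -]")


def parse_port_protocol(value):
    """Parse the custom 'port-protocol' observable, e.g. '3389-tcp' -> (3389, 'tcp')."""
    port_s, sep, proto = value.strip().lower().rpartition("-")
    if not sep or not port_s.isdigit() or proto not in ("tcp", "udp"):
        raise ValueError("expected <port>-<tcp|udp>, got %r" % value)
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port, proto


def normalize(data_type, data):
    """Validate an observable of one of the four README types; return its canonical text."""
    if data_type == "ip":
        net = ipaddress.ip_network(data.strip())  # ValueError on junk or host bits set
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    if data_type == "hostname":
        host = data.strip().rstrip(".").lower()
        if not host or len(host) > 253 or not all(_LABEL.match(l) for l in host.split(".")):
            raise ValueError("not a valid FQDN: %r" % data)
        return host
    if data_type == "port-protocol":
        port, proto = parse_port_protocol(data)
        return "%d-%s" % (port, proto)
    if data_type == "username":
        user = data.strip()
        if not user or any(c.isspace() for c in user):
            raise ValueError("not a valid username: %r" % data)
        return user
    raise ValueError("unsupported data type: %r" % data_type)


def panos_object_name(data_type, canonical):
    """Assumed naming convention for the address/service object that wraps one
    observable: 'TheHive_<type>_<value>', PAN-OS-safe characters, at most 63 chars."""
    return _BAD_NAME_CHARS.sub("_", "TheHive_%s_%s" % (data_type, canonical))[:63]


def plan_change(data_type, data, scope, action):
    """Return the object the responder would edit, the member, and the operation."""
    if scope not in ("internal", "external") or action not in ("block", "unblock"):
        raise ValueError("scope must be internal/external, action block/unblock")
    canonical = normalize(data_type, data)
    rule, group_kind, group = NAMES[data_type]
    kind, template = ("security-rule", rule) if action == "block" else (group_kind, group)
    # Usernames go straight into the rule's user match; the other types are
    # wrapped in a named address/service object first.
    member = canonical if data_type == "username" else panos_object_name(data_type, canonical)
    return {
        "target_kind": kind,
        "target_name": template.format(scope=scope),
        "member": member,
        "operation": "add" if action == "block" else "remove",
        "commit_required": True,  # edits sit in the candidate config until committed
    }
```

A real responder would apply the returned plan with pan-os-python and then commit; this block stops at the validated plan so it can run without a firewall.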

PaloAltoNGFW_unblock_port_for_internal_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal port communication

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Service_group_for_internal_port_communication | Name internal Service Group for port communication | TheHive Block list for internal port communication | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_external_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external IP address

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Address_group_for_external_IP_address | Name external Address Group for IP address | TheHive Block list external IP address | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_external_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external domain

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Address_group_for_unblock_external_domain | Name external Address Group for domains | TheHive Block list external domain | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_internal_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal domain

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Address_group_for_unblock_internal_domain | Name internal Address Group for domains | TheHive Block list internal domain | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_port_for_internal_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal port communication

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_port_internal_communication | Name internal security rule for port communications | TheHive Block port for internal communication | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_internal_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal IP address

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_internal_IP_address | Name internal security rule for IP address | TheHive Block internal IP address | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_external_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external domain

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_external_domain | Name external security rule for domains | TheHive Block external Domain | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_port_for_external_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external port communication

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_port_external_communication | Name external security rule for port communications | TheHive Block port for external communication | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_external_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external user

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_external_user | Name security rule for external users | TheHive Block external user | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_external_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external IP address

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_external_IP_address | Name external security rule for IP address | TheHive Block external IP address | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_port_for_external_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external port communication

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Service_group_for_external_port_communication | Name external Service Group for port communication | TheHive Block list for external port communication | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_external_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external user

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_external_user | Name security rule for external users | TheHive Block external user | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_internal_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal user

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_internal_user | Name security rule for internal users | TheHive Block internal user | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_unblock_internal_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal IP address

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Address_group_for_internal_IP_address | Name internal Address Group for IP address | TheHive Block list internal IP address | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_internal_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal domain

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_internal_domain | Name internal security rule for domains | TheHive Block internal Domain | string | False | True |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

PaloAltoNGFW_block_internal_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal user

Configuration#

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| Hostname_PaloAltoNGFW | Hostname PaloAltoNGFW | N/A | string | False | True |
| User_PaloAltoNGFW | User PaloAltoNGFW | N/A | string | False | True |
| Password_PaloAltoNGFW | Password for User_PaloAltoNGFW | N/A | string | False | True |
| Security_rule_for_block_internal_user | Name internal security rule for users | TheHive Block internal user | string | False | False |
| TheHive_instance | URL of the TheHive instance to query | N/A | string | False | True |
| TheHive_API_key | TheHive API key with read access | N/A | string | False | True |

Last update: November 15, 2021 06:39:14