
PaloAltoNGFW#

README

Description of the responder module operation for the Palo Alto NGFW system#

This description lists the actions an engineer has to take to integrate the responder with the Palo Alto NGFW.

Installation#

The following Python packages need to be installed:
1. pip install cortexutils
2. pip install requests
3. pip install pan-os-python
4. pip install thehive4py

ToDo#

For the responders to work, upload the PaloAltoNGFW folder to the directory where the other responders are stored. Then it is necessary to:

1. Reboot the Cortex system.
2. Configure the responder: in the Cortex web console open the "Organization" tab, select the organization for which the configuration will be performed, open the "Responders Config" tab and fill in the fields for "PaloAltoNGFW_main" in accordance with their values:
   • Hostname_PaloAltoNGFW - network address of the PaloAltoNGFW system
   • User_PaloAltoNGFW - user in the PaloAltoNGFW system
   • Password_PaloAltoNGFW - password of that user in the PaloAltoNGFW system
   • Security_rule_* - the name of the security rule in the PaloAltoNGFW system. The following standard rule names have been established:
     - To block/unblock users:
       "TheHive Block internal user"
       "TheHive Block external user"
     - To block/unblock network addresses:
       "TheHive Block internal IP address"
       "TheHive Block external IP address"
     - To block/unblock FQDNs:
       "TheHive Block external Domain"
       "TheHive Block internal Domain"
     - To block/unblock ports:
       "TheHive Block port for internal communication"
       "TheHive Block port for external communication"
   • TheHive_instance - URL of TheHive (used only for the case and alert data types). It is important for each organization to have its own user with an API key!
   • TheHive_API_key - API key used to connect to TheHive

Note: the specified security rules must be created in PaloAltoNGFW beforehand and placed in the order in which they are to be applied.

Data types used for the responders in TheHive:
1. Network address - 'ip'
2. FQDN - 'hostname'
3. port-protocol - 'port-protocol'
4. Username - 'username'

Note: the types 'port-protocol' and 'username' need to be created in TheHive. By default TheHive does not have these data types among the Observable types, so they must be added in the admin settings.
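The README above describes the responder's inputs (a TheHive observable of type 'ip', 'hostname', 'port-protocol' or 'username') and the configuration items that name the PAN-OS rule or group each block/unblock responder changes. The following is an added example, not code from the PaloAltoNGFW responders themselves: it models the part of a Cortex responder that validates the observable and decides which configured rule or group it maps to, and produces a Cortex-style report, without contacting a firewall (the pan-os-python call and the thehive4py lookup for alert/case jobs are deliberately not modelled). The config key names are the ones listed in the responder catalogue on this page; the "<port>-<protocol>" format for 'port-protocol' observables and the sample job are assumptions, since the page does not state a format.

```python
"""Validation and routing layer for a Cortex responder targeting a Palo Alto NGFW.

Added example (not the project's code). Assumed: a 'port-protocol' observable is
written as "<port>-<tcp|udp>", e.g. "3389-tcp"; the page does not define a format.
"""
import ipaddress
import json
import re
import sys

# (action, direction, observable dataType) -> config item holding the PAN-OS
# rule or group name. Key names taken from the responder catalogue on this page.
CONFIG_KEY = {
    ("block", "external", "ip"): "Security_rule_for_block_external_IP_address",
    ("block", "internal", "ip"): "Security_rule_for_block_internal_IP_address",
    ("block", "external", "hostname"): "Security_rule_for_block_external_domain",
    ("block", "internal", "hostname"): "Security_rule_for_block_internal_domain",
    ("block", "external", "port-protocol"): "Security_rule_for_block_port_external_communication",
    ("block", "internal", "port-protocol"): "Security_rule_for_block_port_internal_communication",
    ("block", "external", "username"): "Security_rule_for_block_external_user",
    ("block", "internal", "username"): "Security_rule_for_block_internal_user",
    ("unblock", "external", "ip"): "Address_group_for_external_IP_address",
    ("unblock", "internal", "ip"): "Address_group_for_internal_IP_address",
    ("unblock", "external", "hostname"): "Address_group_for_unblock_external_domain",
    ("unblock", "internal", "hostname"): "Address_group_for_unblock_internal_domain",
    ("unblock", "external", "port-protocol"): "Service_group_for_external_port_communication",
    ("unblock", "internal", "port-protocol"): "Service_group_for_internal_port_communication",
    ("unblock", "external", "username"): "Security_rule_for_block_external_user",
    ("unblock", "internal", "username"): "Security_rule_for_block_internal_user",
}

REQUIRED = ("Hostname_PaloAltoNGFW", "User_PaloAltoNGFW", "Password_PaloAltoNGFW")
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
PORT_PROTO_RE = re.compile(r"^(\d{1,5})-(tcp|udp)$", re.I)

# Constructed sample, shaped like the job Cortex hands a responder on stdin.
SAMPLE_JOB = {
    "dataType": "thehive:case_artifact",
    "data": {"dataType": "ip", "data": "203.0.113.10"},
    "config": {
        "Hostname_PaloAltoNGFW": "fw.example.internal",   # placeholder
        "User_PaloAltoNGFW": "thehive-responder",          # placeholder
        "Password_PaloAltoNGFW": "REDACTED",               # placeholder
        "Security_rule_for_block_external_IP_address": "TheHive Block external IP address",
        "TheHive_instance": "https://thehive.example.internal",  # placeholder
        "TheHive_API_key": "REDACTED",                     # placeholder
    },
}


def normalise_observable(data_type, value):
    """Return the observable in the form a PAN-OS object needs, or raise ValueError.
    Strict validation here keeps analyst-entered text from reaching the firewall API verbatim."""
    value = value.strip()
    if data_type == "ip":
        return str(ipaddress.ip_address(value))  # rejects CIDRs, names and trailing junk
    if data_type == "hostname":
        value = value.rstrip(".").lower()
        if not FQDN_RE.match(value):
            raise ValueError(f"not a valid FQDN: {value!r}")
        return value
    if data_type == "port-protocol":
        m = PORT_PROTO_RE.match(value)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            raise ValueError(f"expected <port>-<tcp|udp>, got {value!r}")
        return f"{int(m.group(1))}-{m.group(2).lower()}"
    if data_type == "username":
        # conservative character set: letters, digits, '.', '_', '@', '-', and '\' for DOMAIN\user
        if not re.fullmatch(r"[A-Za-z0-9._\\@-]{1,64}", value):
            raise ValueError(f"username contains unexpected characters: {value!r}")
        return value
    raise ValueError(f"unsupported dataType {data_type!r}")


def plan(job, action, direction):
    """Turn a Cortex job into the firewall change the responder would apply.
    Returns a Cortex-style report: success plus the planned change, or an error message."""
    cfg = job.get("config", {})
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        return {"success": False, "errorMessage": "missing config: " + ", ".join(missing)}
    # alert/case jobs would need the observables fetched via thehive4py; not modelled here
    if job.get("dataType") != "thehive:case_artifact":
        return {"success": False, "errorMessage": "only thehive:case_artifact is modelled in this example"}
    obs = job["data"]
    key = CONFIG_KEY.get((action, direction, obs.get("dataType")))
    if key is None:
        return {"success": False, "errorMessage": f"no {action} responder for dataType {obs.get('dataType')!r}"}
    target = cfg.get(key)
    if not target:
        return {"success": False, "errorMessage": f"config item {key} is empty"}
    try:
        value = normalise_observable(obs["dataType"], obs["data"])
    except ValueError as exc:
        return {"success": False, "errorMessage": str(exc)}
    return {
        "success": True,
        "full": {"firewall": cfg["Hostname_PaloAltoNGFW"], "action": action,
                 "target": target, "value": value, "commit": True},
        # AddTagToArtifact is a standard Cortex responder operation
        "operations": [{"type": "AddTagToArtifact", "tag": f"PaloAltoNGFW:{action}ed"}],
    }


if __name__ == "__main__":
    job = SAMPLE_JOB if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(plan(job, "block", "external"), indent=2))
```

Run without input to see the plan for the constructed sample, or pipe a real Cortex job JSON on stdin. The point of `normalise_observable` is that every value is reduced to a canonical form before it would be passed to pan-os-python, so a malformed or hostile observable fails the job with a clear error instead of being pushed into a security rule and committed.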

PaloAltoNGFW_unblock_port_for_external_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external port communication

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Service_group_for_external_port_communication Name external Service Group for port communication
Default value if not configured TheHive Block list for external port communication
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_external_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external user

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_external_user Name security rule for external users
Default value if not configured TheHive Block external user
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_internal_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal domain

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_internal_domain Name internal security rule for domains
Default value if not configured TheHive Block internal Domain
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_internal_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal user

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_internal_user Name security rule for internal users
Default value if not configured TheHive Block internal user
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_port_for_external_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external port communication

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_port_external_communication Name external security rule for port communications
Default value if not configured TheHive Block port for external communication
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_external_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external IP address

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_external_IP_address Name external security rule for IP address
Default value if not configured TheHive Block external IP address
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_internal_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal IP address

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Address_group_for_internal_IP_address Name internal Address Group for IP address
Default value if not configured TheHive Block list internal IP address
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_port_for_internal_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal port communication

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_port_internal_communication Name internal security rule for port communications
Default value if not configured TheHive Block port for internal communication
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_external_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external IP address

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Address_group_for_external_IP_address Name external Address Group for IP address
Default value if not configured TheHive Block list external IP address
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_external_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external user

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_external_user Name security rule for external users
Default value if not configured TheHive Block external user
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_external_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock external domain

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Address_group_for_unblock_external_domain Name external Address Group for domains
Default value if not configured TheHive Block list external domain
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_internal_user#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal user

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_internal_user Name internal security rule for users
Default value if not configured TheHive Block internal user
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_internal_IP_address#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block internal IP address

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_internal_IP_address Name internal security rule for IP address
Default value if not configured TheHive Block internal IP address
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_port_for_internal_communication#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal port communication

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Service_group_for_internal_port_communication Name internal Service Group for port communication
Default value if not configured TheHive Block list for internal port communication
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_block_external_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 2.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Block external domain

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Security_rule_for_block_external_domain Name external security rule for domains
Default value if not configured TheHive Block external Domain
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

PaloAltoNGFW_unblock_internal_domain#

Author: Maxim Konakin, OSCD Initiative
License: AGPL-V3
Version: 1.0.0
Supported data types:
- thehive:alert
- thehive:case_artifact
- thehive:case
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Unblock internal domain

Configuration#

Hostname_PaloAltoNGFW Hostname PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
User_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Password_PaloAltoNGFW User PaloAltoNGFW
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
Address_group_for_unblock_internal_domain Name internal Address Group for domains
Default value if not configured TheHive Block list internal domain
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_instance URL of the TheHive instance to query
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
TheHive_API_key TheHive API key with read access
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True