I am using Palo Alto App for Splunk and its adaptive response feature.
We have done some troubleshooting and testing, and based on what we have accomplished so far, I have a few questions:
According to the documentation,
"The IP is tagged on the firewall immediately, however, it can take up to 60 seconds for the tagged IP addresses to show up in the corresponding Dynamic Address Group in the security policy. This delay is intentional to prevent accidental DoS scenarios."
We've waited a couple of minutes or more, but we found that an admin has to initiate a "commit" for the IP to be included in the group.
This is the command we tried:
index=pan_logs sourcetype=pan:threat host=$PA_FIREWALL$ category=malware vendor_action=allowed dest_zone=internal | stats count by src_ip | pantag device="$PA_FIREWALL$" action=add tag="SplunkBlock" ip_field="src_ip"
We are getting Palo Alto logs from the device, and for config-type logs the following custom format is used:
$receive_time $admin $host $client $cmd $result $path $before-change-detail $after-change-detail
Strangely, we do not see any log related to the IP being added to the tag or to the group.
Is this expected behaviour, or are we missing some field in the syslog settings?
Is the firewall account used by the TA available on the firewall?
Is the firewall configured with the required tags and DAG where you need to populate the IP?
We made this work by creating the required policies on Panorama and making the changes there, which pushed the policies to the serial mentioned in the command. Something like this:
index=panlogs sourcetype="pan:threat" desthostname="www.apple.com" | stats dc(destip) by destip | pantag panorama="" serial="" action="add" ipfield="destip" tag="Splunk_block"
Yes, we have created a separate account specific to this feature with the correct capabilities.
The IP is tagged correctly and is added to the group correctly, but the issue is that it requires a manual commit.
The only difference I see is the use of Panorama which we do not have.
If I am reading your answer correctly, the dest_ip is added to this DAG as soon as the query is completed, without any further action?
We have given the "commit" capability to the account as well, but we still need to commit the changes manually for a new IP to be added to the group.