
pantag to update dynamic group

benobiwan
New Member

Hi community,

I wish to know the following:

  1. For pantag to update the dynamic group, I am assuming that the data from WildFire is sufficient to accomplish this. The reason is that we have Splunk Cloud and our Panorama is located on-prem. The only way to perform the integration is to deploy an on-prem Splunk Enterprise that will use the data from WildFire, which is collected via API.
  2. If the malware connects to a Microsoft site to download PowerShell, does it get blocked as well after running the script?

Regards,
Benson


kchamplin_splun
Splunk Employee

Hello @Benobiwan

Currently, pantag takes an IP address as the variable that is sent to the PAN device for adding to a dynamic address group:
http://pansplunk.readthedocs.org/en/latest/commands.html#pantag

The source of the data is generally immaterial; as long as it contains an IP address, pantag should be able to accept it and pass it on to the PAN device.

For your second question, it all comes down to the policy associated with the dynamic address group. That's set up on the PAN device; if you reference the previous link, it should show some examples.

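Added example, not code from this thread or from the Palo Alto Networks App for Splunk: it shows the step the answer describes, picking the IP addresses out of WildFire-style events and packaging them into the PAN-OS User-ID XML API register/unregister message that feeds a dynamic address group (the API pantag drives). The event field names, verdict values, tag name and firewall URL are assumptions, and the sample events are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample events standing in for WildFire/threat log rows as Splunk
# would hand them to a streaming command (field names are assumed).
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.10", "verdict": "malicious"},
    {"src_ip": "203.0.113.10", "verdict": "malicious"},  # duplicate, sent once
    {"src_ip": "not-an-ip", "verdict": "malicious"},     # unusable value, skipped
    {"src_ip": "10.0.0.5", "verdict": "benign"},         # not malicious, skipped
    {"src_ip": "198.51.100.7", "verdict": "malicious"},
]


def select_ips(events, ip_field, verdict="malicious"):
    """Return unique, syntactically valid IPs from events carrying `verdict`.
    The source of the event does not matter, only that the field is an IP;
    first-seen order is kept so the resulting payload is deterministic."""
    chosen = []
    for event in events:
        if event.get("verdict") != verdict:
            continue
        try:
            ip = str(ipaddress.ip_address(event.get(ip_field, "")))
        except ValueError:
            continue  # the firewall needs a real address; drop anything else
        if ip not in chosen:
            chosen.append(ip)
    return chosen


def build_uid_message(ips, tag, action="add"):
    """Build the PAN-OS User-ID 'uid-message' that registers (action=add) or
    unregisters (action=remove) IP-to-tag mappings. A dynamic address group
    whose match criterion is `tag` picks the addresses up without a commit."""
    block_name = {"add": "register", "remove": "unregister"}[action]
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), block_name)
    for ip in ips:
        entry = ET.SubElement(block, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_tagged_ips(xml_text):
    """Read a message back: map 'register'/'unregister' to the IPs it carries."""
    root = ET.fromstring(xml_text)
    return {blk.tag: [e.get("ip") for e in blk.findall("entry")]
            for blk in root.find("payload")}


if __name__ == "__main__":
    # In production this XML is POSTed as the `cmd` parameter to
    # https://<firewall>/api/?type=user-id&key=<API key> (placeholders).
    print(build_uid_message(select_ips(SAMPLE_EVENTS, "src_ip"), "wildfire-malicious"))
```

Whether the tagged host's later download from a Microsoft site is blocked is still decided by the security policy that references the dynamic address group, not by the registration itself.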