
pantag to update dynamic group

benobiwan
New Member

Hi community,

I would like to know the following:

  1. For pantag to update the dynamic group, I am assuming that the data from WildFire is sufficient to accomplish this. The reason is that we have Splunk Cloud and our Panorama is located on-prem. The only way to perform the integration is to deploy an on-prem Splunk Enterprise that will use the data from WildFire, which is collected via API.
  2. If the malware connects to a Microsoft site to download PowerShell, does it get blocked as well after running the script?

Rgrds,
Benson

0 Karma

kchamplin_splun
Splunk Employee

Hello @Benobiwan

Currently pantag takes an IP address as the variable that is sent to the PAN device for adding to a dynamic address group:
http://pansplunk.readthedocs.org/en/latest/commands.html#pantag

The source of the data is generally immaterial; as long as it contains an IP address, pantag should be able to accept it and pass it on to the PAN device.

For your second question, it all comes down to the policy associated with the dynamic address group. That's set up on the PAN device; if you reference the previous link, it should show some examples.

0 Karma
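The answer above says pantag only needs an IP address from the search results and hands it to the PAN device for tagging, and that what happens to tagged addresses is decided by the policy bound to the dynamic address group. The following is an added example, not code from this thread or from the Splunk app for Palo Alto Networks: it shows that data flow directly by filtering constructed WildFire-style events down to valid IPs and building the PAN-OS XML API User-ID `register` message that attaches a tag to them, which is the mechanism a dynamic address group matches on. The sample events, the field name `src_ip`, the tag name `wildfire-malicious` and the helper `api_request_params` are assumptions; pantag's own internals are not shown on the page.

```python
"""
Added example (not from the Splunk PAN app or this thread): build the PAN-OS
User-ID 'register' message that adds a tag to IP addresses, so a dynamic
address group keyed on that tag picks them up. The policy attached to the
group, not the tag itself, decides whether traffic is blocked.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample events, shaped like what a WildFire-derived search might
# return. Only events that carry a parseable IP address can be tagged.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "verdict": "malicious"},
    {"src_ip": "10.1.2.3", "verdict": "malicious"},   # duplicate of the first
    {"src_ip": "not-an-ip", "verdict": "malicious"},  # unusable value
    {"verdict": "malicious"},                         # no IP field at all
    {"src_ip": "10.1.9.9", "verdict": "benign"},      # wrong verdict
]


def extract_ips(events, ip_field="src_ip", verdict="malicious"):
    """Return the unique, valid IP addresses of events with the given verdict.

    Events without the IP field, or whose value is not an IP address, are
    skipped; the firewall would reject such entries anyway.
    """
    ips = set()
    for ev in events:
        if ev.get("verdict") != verdict:
            continue
        raw = ev.get(ip_field)
        if raw is None:
            continue
        try:
            ips.add(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue
    return sorted(ips)


def build_register_message(ips, tag, action="add"):
    """Build the <uid-message> XML that registers (or unregisters) a tag on IPs.

    action="add" produces a <register> block, action="remove" an <unregister>
    block; both follow the PAN-OS XML API User-ID message format.
    """
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    op = "register" if action == "add" else "unregister"
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    block = ET.SubElement(payload, op)
    for ip in ips:
        entry = ET.SubElement(block, "entry", ip=ip)
        tags = ET.SubElement(entry, "tag")
        ET.SubElement(tags, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def api_request_params(api_key, cmd_xml):
    """Query parameters for a POST to https://<firewall>/api/ (hypothetical helper).

    type=user-id with the message in 'cmd' is the XML API call that carries
    User-ID registrations; the firewall hostname and key are assumed.
    """
    return {"type": "user-id", "key": api_key, "cmd": cmd_xml}


if __name__ == "__main__":
    tagged = extract_ips(SAMPLE_EVENTS)
    xml = build_register_message(tagged, "wildfire-malicious")
    print(xml)
    # Sending it would be a single HTTPS POST, for example with requests:
    #   requests.post(f"https://{FIREWALL}/api/",
    #                 data=api_request_params(API_KEY, xml), verify=True)
```

The filter step is the practical counterpart of the answer's point: of the five constructed events only one distinct usable address survives, so the dynamic group receives exactly one entry, and whether that address is then blocked depends entirely on the security policy that references the group on the PAN device.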