I would like to be able to define an alert for various forms of scanning activity (broad scanning, port scanning, and application-specific scanning like web vulnerability scanning). Based on the alert, I would like to take action to block the source IP address. I understand that the Palo Alto Networks App for Splunk can perform this sort of action with its pantag.
How do I build similar functionality into my Enterprise search or Splunk Enterprise Security (ES) apps?
I imagine that the steps are:
1) Make pantag available to ES
   * either install the Palo Alto app for Splunk or add pantag.py to my ES server
   * somehow set up credentials to allow pantag to submit a request to Panorama
2) Create the integration
   * create a workflow to call the new command
   * create a custom alert action?
Does this seem about right? Where can I learn how to do these things?
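As an added example (not from the original thread, and not code from the Palo Alto Networks app or add-on), here is the detection half of the plan above in Python: a sliding-window check that flags a source as a port scanner (many distinct destination ports) or a broad scanner (many distinct destination hosts on one port), followed by the per-source "add tag" records that the tagging step would consume. The log layout, the sample lines and the shape of the tag-action dictionaries are constructed assumptions; the real pantag command and the "tag to dynamic address group" adaptive response action take their own parameters.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic log (simplified, not the real PAN-OS field layout):
# timestamp src_ip dst_ip dst_port action
SAMPLE_LOGS = """\
2024-05-01T10:00:00 203.0.113.5 192.0.2.10 21 deny
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 22 deny
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 23 deny
2024-05-01T10:00:02 203.0.113.5 192.0.2.10 25 deny
2024-05-01T10:00:03 203.0.113.5 192.0.2.10 80 allow
2024-05-01T10:00:04 203.0.113.5 192.0.2.10 443 allow
2024-05-01T10:00:00 198.51.100.7 192.0.2.1 22 deny
2024-05-01T10:00:01 198.51.100.7 192.0.2.2 22 deny
2024-05-01T10:00:01 198.51.100.7 192.0.2.3 22 deny
2024-05-01T10:00:02 198.51.100.7 192.0.2.4 22 deny
2024-05-01T10:00:03 198.51.100.7 192.0.2.5 22 deny
2024-05-01T10:00:04 198.51.100.7 192.0.2.6 22 deny
2024-05-01T09:00:00 203.0.113.9 192.0.2.10 21 allow
2024-05-01T09:10:00 203.0.113.9 192.0.2.10 22 allow
2024-05-01T09:20:00 203.0.113.9 192.0.2.10 23 allow
2024-05-01T09:30:00 203.0.113.9 192.0.2.10 25 allow
2024-05-01T09:40:00 203.0.113.9 192.0.2.10 80 allow
2024-05-01T09:50:00 203.0.113.9 192.0.2.10 443 allow
2024-05-01T10:00:00 192.0.2.50 192.0.2.10 443 allow
2024-05-01T10:00:30 192.0.2.50 192.0.2.10 80 allow
"""


def parse_line(line):
    """Split one constructed log line into a typed record."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def _sliding_distinct(events, key, threshold, window):
    """True if some span no longer than `window` holds >= threshold distinct values of `key`."""
    in_window = deque()
    counts = Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        in_window.append(e)
        counts[e[key]] += 1
        # Drop events that fell out of the window relative to the newest event.
        while e["ts"] - in_window[0]["ts"] > window:
            old = in_window.popleft()
            counts[old[key]] -= 1
            if counts[old[key]] == 0:
                del counts[old[key]]
        if len(counts) >= threshold:
            return True
    return False


def detect_scanners(lines, threshold=5, window_seconds=60):
    """Map each scanning source to the kinds of scan observed within the window."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            by_src[e["src"]].append(e)
    findings = {}
    for src, events in by_src.items():
        kinds = []
        if _sliding_distinct(events, "dport", threshold, window):
            kinds.append("port_scan")   # vertical: many ports on a host
        if _sliding_distinct(events, "dst", threshold, window):
            kinds.append("broad_scan")  # horizontal: many hosts on a port
        if kinds:
            findings[src] = kinds
    return findings


def build_tag_actions(findings, tag="scanner"):
    """One 'add tag' record per flagged source (hypothetical shape, not the add-on's own API)."""
    return [{"ip": src, "tag": tag, "action": "add", "reason": ",".join(kinds)}
            for src, kinds in sorted(findings.items())]


if __name__ == "__main__":
    found = detect_scanners(SAMPLE_LOGS.splitlines())
    for action in build_tag_actions(found):
        print(action)
```

With the default 60-second window the slow source 203.0.113.9 is not flagged even though it touched six ports, because its probes are ten minutes apart; widening `window_seconds` to 3600 catches it, which is the trade-off any scan threshold has to make between sensitivity and noise. The records returned by `build_tag_actions` correspond to the per-IP input the tagging step needs; whether the tag lands the address in a dynamic address group that a policy rule already references, and whether a commit is needed, is handled by the firewall side rather than by this detection logic.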
Yes, this is all very possible and available now. Please check out the "Advanced Features" section of the documentation:
When using Splunk ES all you need is the Palo Alto Networks Add-on to be installed. The pantag feature is available as part of Adaptive Response.
Great news! Thank you, panguy!
I do have a couple of questions:
1) Does the document note what firewall rules I need to make pantag work? Is it just SSL from the Search Head to Panorama?
2) If I create a dynamic Address group does that somehow avoid the need to commit the address submitted via pantag? If not does the process handle commit for me?
I would like to use
| pantag device=firewall action=add
on my Enterprise Security, but it looks like pantag is not available. I have the TA installed and the adaptive action is working fine, but I would like to use it as a workflow item.
alikapucu, sorry to not have seen this for so long. If it is still helpful to know, pantag is not available for Enterprise Security.
The pantag workflow is defined in the PAN app. Installing the PAN app to ES would be disastrous (been there, done that). In ES, there is an adaptive response item to "tag to dynamic address group". This adaptive response item comes with the PAN add-on. I don't really understand why, but these two items do not use the same code.
You should be able to configure the PAN add-on with creds to do what you want.
MonkeyK is correct. The custom command 'pantag' is only available in the app. However, you can do the same in ES using adaptive response. That is the best way to use it.
The documentation does not tell you which rules to create. You can create whatever rules you like and associate a dynamic address group to the rule. The rule will enforce the policy based on the dynamic address group.