Splunk Enterprise Security

How can I implement pantag as a workflow or alert action in Splunk Enterprise Security?

MonkeyK
Builder

I would like to be able to define an alert for various forms of scanning activity (broad scanning, port scanning, and application-specific scanning like web vulnerability scanning). Based on the alert, I would like to take action to block the source IP address. I understand that the Palo Alto Networks App for Splunk can perform this sort of action with its pantag.

How do I build similar functionality into my Enterprise search or Splunk Enterprise Security (ES) apps?

I imagine that the steps are:
1) Make pantag available to ES
   * either install the Palo Alto app for Splunk or add pantag.py to my ES server
   * somehow set up credentials to allow pantag to submit a request to Panorama
2) Create the integration
   * create a workflow to call the new command
   * create a custom alert action?

Does this seem about right? Where can I learn how to do these things?

0 Karma
1 Solution

panguy
Contributor

Hi,

Yes this is all very possible and available now. Please checkout the "Advanced Features" section of the documentation:

http://pansplunk.readthedocs.io/en/latest/

When using Splunk ES all you need is the Palo Alto Networks Add-on to be installed. The pantag feature is available as part of Adaptive Response.

Regards,

Paul


0 Karma


MonkeyK
Builder

Great news! Thank you, panguy!

I do have a couple of questions:
1) Does the document note what firewall rules I need to make pantag work? Is it just SSL from the search head to Panorama?
2) If I create a dynamic address group, does that somehow avoid the need to commit the address submitted via pantag? If not, does the process handle the commit for me?

0 Karma

panguy
Contributor

The documentation does not tell you which rules to create. You can create whatever rules you like and associate a dynamic address group to the rule. The rule will enforce the policy based on the dynamic address group.

0 Karma
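Tagging an IP into a dynamic address group is done through the PAN-OS User-ID XML API: a `<uid-message>` registers a tag on the IP, the group's match criterion picks the tag up, and the policy that already references the group applies without a further commit. The script below is an added example written for this thread; it is not code from the page, the PAN add-on or pantag. The firewall hostname, the API key, the tag name `splunk-scanner` and the alert rows are all constructed placeholders.

```python
"""Added example (not from the page, the PAN add-on or pantag): tag a scanner's
source IP into a PAN-OS dynamic address group through the User-ID XML API.

Assumptions, all placeholders: the firewall hostname, the API key, the tag
name "splunk-scanner", and the alert rows below, which are constructed to
look like the output of an ES correlation search.
"""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample rows: what a scanning correlation search might return.
SAMPLE_ALERT_ROWS = [
    {"src": "203.0.113.45", "signature": "Port Scan", "count": "512"},
    {"src": "203.0.113.45", "signature": "Broadscan", "count": "900"},
    {"src": "not-an-ip", "signature": "Web Vuln Scan", "count": "3"},
    {"src": "10.0.0.9", "signature": "Port Scan", "count": "40"},
]


def extract_sources(rows, field="src"):
    """Return unique, syntactically valid IP addresses from alert rows, in order."""
    found = []
    for row in rows:
        try:
            ip = str(ipaddress.ip_address(row.get(field, "").strip()))
        except ValueError:
            continue  # drop malformed values rather than sending them to the firewall
        if ip not in found:
            found.append(ip)
    return found


def build_uid_message(ips, tag, register=True):
    """Build the <uid-message> that registers (or unregisters) `tag` on each IP.

    A dynamic address group whose match criterion is this tag picks the IP up
    as soon as the registration is accepted; no commit is needed, because the
    policy referencing the group was committed earlier.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    action = ET.SubElement(payload, "register" if register else "unregister")
    for ip in ips:
        entry = ET.SubElement(action, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_request(host, api_key, uid_message):
    """Build the HTTPS POST to the XML API endpoint (type=user-id) on `host`.

    This goes to the target's management interface over TCP/443, which is the
    only path the search head needs to reach.
    """
    form = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_message}
    ).encode("utf-8")
    return urllib.request.Request(
        f"https://{host}/api/", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_api_response(xml_text):
    """Return True on <response status="success">; raise on any other status."""
    root = ET.fromstring(xml_text)
    if root.tag == "response" and root.get("status") == "success":
        return True
    detail = "".join(root.itertext()).strip() or "no message"
    raise RuntimeError(f"PAN-OS API returned status={root.get('status')!r}: {detail}")


def tag_scanners(rows, host, api_key, tag="splunk-scanner"):
    """Full flow: extract IPs from alert rows, register the tag, check the reply."""
    ips = extract_sources(rows)
    if not ips:
        return []  # nothing valid to block, so make no API call
    req = build_request(host, api_key, build_uid_message(ips, tag))
    with urllib.request.urlopen(req, timeout=10) as resp:  # real network call
        parse_api_response(resp.read().decode("utf-8"))
    return ips


if __name__ == "__main__":
    # Offline demonstration: print the message that would be sent.
    print(build_uid_message(extract_sources(SAMPLE_ALERT_ROWS), "splunk-scanner"))
```

Two practical notes: the firewall rule you need is HTTPS from the search head to the management interface of the device the add-on is pointed at, and `urllib` verifies the TLS certificate by default, so add the firewall's CA to the trust store rather than disabling verification for a channel that carries an API key.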

alikapucu
Explorer

I would like to use

| pantag device=firewall action=add

on my Enterprise Security, but it looks like pantag is not available. I have the TA installed and the adaptive action is working fine, but I would like to use it as a workflow item.

0 Karma

MonkeyK
Builder

alikapucu, sorry to not have seen this for so long. If it is still helpful to know, pantag is not available for Enterprise Security.

The pantag workflow is defined in the PAN app. Installing the PAN app on ES would be disastrous (been there, done that). In ES, there is an adaptive response item to "tag to dynamic address group". This adaptive response item comes with the PAN add-on. I don't really understand why, but these two items do not use the same code.

You should be able to configure the PAN add-on with creds to do what you want.

panguy
Contributor

MonkeyK is correct. The custom command 'pantag' is only available in the app. However, you can do the same in ES using adaptive response. That is the best way to use it.

0 Karma