Get System Info - Palo Alto PAN-OS XML API
This playbook allows us to get System Info of a Palo Alto device for a Microsoft Sentinel alert.
Additional Documentation
📄 Source: PaloAltoPlaybooks/PaloAlto-PAN-OS-GetSystemInfo/readme.md
# PaloAlto-PAN-OS-GetSystemInfo
## Summary
When a new Sentinel incident is created, this playbook is triggered and performs the actions below:
- Gets the various parameters from the alert
- Gets the System Info for the device in the alert
- Creates a Sentinel incident and updates it with the system info
## Prerequisites
- The PaloAlto connector needs to be deployed prior to the deployment of this playbook, under the same subscription. Relevant instructions can be found in the connector doc page.
- Generate an API key. Refer to this link on how to generate the API key.
- This playbook only works for Palo Alto incidents.
## Deployment instructions
- Deploy the playbook by clicking the "Deploy to Azure" button. This takes you to the ARM template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: the playbook name (e.g. PaloAlto-PAN-OS-GetSystemInfo)
  - CustomConnectorName: name of the custom connector; if you change the default name, make sure to use the same name in all other PaloAlto automation playbooks as well
## Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
1. Click the Microsoft Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky IP
- Configure the automation rules to trigger this playbook
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose the System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
## Playbook steps explained
- When Microsoft Sentinel incident creation rule is triggered: a Microsoft Sentinel incident is created, and the playbook receives the incident as its input.
- Run Query and List Results: gets the logs from the incident.
- For Each: iterates over each result and performs the following:
  - If alert is Palo Alto alert: checks whether the alert is a Palo Alto alert. Required when logs from various devices are present.
  - Query XML API: sets the device name and queries the device's XML API to retrieve the system info for the device.
  - Alert - Get Incident: creates an incident for the alert and adds a comment containing the system info to the incident.
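As an added example of the Query XML API and comment steps described above (this is not code from the playbook or from Palo Alto Networks), the following Python builds the PAN-OS XML API `show system info` op request, parses the reply and produces the text that would be posted as the incident comment. The device name, API key, log rows and XML replies are constructed placeholders, and the `DeviceVendor` check is an assumption about the shape of the query results, since the playbook's exact condition is not shown on this page.

```python
"""Added example, not code from the PaloAlto-PAN-OS-GetSystemInfo playbook or
from Palo Alto Networks: the PAN-OS XML API "show system info" request the
playbook issues, the parsing of the reply, and the text posted as the incident
comment. Device name, API key, log rows and the XML replies are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Operational command in the form the PAN-OS XML API expects for type=op queries.
SHOW_SYSTEM_INFO_CMD = "<show><system><info></info></system></show>"

# Fields surfaced in the comment; all are children of <system> in the reply.
FIELDS = ("hostname", "ip-address", "model", "serial", "sw-version", "uptime")


def is_palo_alto_alert(row: dict) -> bool:
    """The playbook's 'If alert is Palo Alto alert' step. Assumption: results
    are CommonSecurityLog rows and the vendor column is DeviceVendor."""
    return row.get("DeviceVendor", "").strip().lower() == "palo alto networks"


def build_system_info_request(device: str, api_key: str) -> dict:
    """URL and headers for the op query. The key is sent in the X-PAN-KEY
    header (supported by PAN-OS) instead of a key= query parameter, so it
    does not end up in proxy or web-server access logs."""
    query = urlencode({"type": "op", "cmd": SHOW_SYSTEM_INFO_CMD})
    return {"url": f"https://{device}/api/?{query}",
            "headers": {"X-PAN-KEY": api_key}}


def parse_system_info(xml_text: str) -> dict:
    """Extract FIELDS from a <response status="success"> envelope; raise on
    an error envelope so the caller never posts a half-filled comment.
    For replies from a device you do not fully trust, parse with defusedxml
    instead of the stdlib parser."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError(f"PAN-OS API error: {msg}")
    system = root.find("./result/system")
    if system is None:
        raise RuntimeError("PAN-OS API reply has no <result><system> element")
    return {name: (system.findtext(name) or "").strip() for name in FIELDS}


def format_incident_comment(info: dict) -> str:
    """One 'name: value' line per field, the shape of the playbook's comment."""
    return "\n".join(f"{name}: {info.get(name, '')}" for name in FIELDS)


def comment_for_reply(xml_text: str) -> str:
    """Comment text for a reply, or a one-line note when the query failed."""
    try:
        return format_incident_comment(parse_system_info(xml_text))
    except (RuntimeError, ET.ParseError) as exc:
        return f"system info unavailable: {exc}"


# Constructed sample reply and constructed error reply (PAN-OS envelope shapes).
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>fw-example-01</hostname>
<ip-address>10.0.0.1</ip-address>
<model>PA-VM</model>
<serial>000000000000</serial>
<sw-version>10.1.0</sw-version>
<uptime>12 days, 3:45:10</uptime>
</system></result></response>"""
ERROR_RESPONSE = ('<response status="error" code="403"><result>'
                  '<msg>Invalid Credential</msg></result></response>')

# Constructed log rows, as the "Run Query and List Results" step would return them.
SAMPLE_ROWS = [
    {"DeviceVendor": "Palo Alto Networks", "DeviceName": "fw-example-01"},
    {"DeviceVendor": "Fortinet", "DeviceName": "fg-example-01"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        if not is_palo_alto_alert(row):      # the For Each / If step
            continue
        req = build_system_info_request(row["DeviceName"], "API_KEY_PLACEHOLDER")
        print("would GET", req["url"])
        print(comment_for_reply(SAMPLE_RESPONSE))
        print(comment_for_reply(ERROR_RESPONSE))
```

Sending the key as a header rather than in the URL is the one choice worth carrying into the real PAN-OS API connection: a `key=` query parameter is written to access logs and proxy logs along the way, and the error-envelope branch keeps a failed call (for example an expired key) from silently producing an empty comment on the incident.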