Block IP - Palo Alto PAN-OS - Entity trigger
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook interacts with relevant stakeholders, such incident response team, to approve blocking/allowing IPs in Palo Alto PAN-OS, using Address Object Groups. This allows to make changes on predefined address group, which is attached to predefined security policy rule.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | PaloAlto-PAN-OS |
| Source | View on GitHub |
Additional Documentation
📄 Source: PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockIP-EntityTrigger/readme.md
PaloAlto-PAN-OS-BlockIP
## Summary
This playbook allows blocking/unblocking IPs in PaloAlto, using Address Object Groups. This allows to make changes on predefined address group, which is attached to predefined security policy rule.
When a new Sentinel incident is created, this playbook gets triggered and performs below actions:
-
An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore.
-
The SOC can take action on risky IP based on the information provided in the adaptive card.
This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:
This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:
Prerequisites
- PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
- Generate an API key. Refer this link on how to generate the API Key
- Address group should be created for PAN-OS and this should be used while creating playbooks.
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here (e.g. PaloAlto-PAN-OS-BlockIP)
- Teams GroupId: Enter the Teams channel id to send the adaptive card
- Teams ChannelId: Enter the Teams Group id to send the adaptive card Refer the below link to get the channel id and group id
- Predefined address group name: Enter the predefined address group name here to Block IP / Unblock IP
- CustomConnectorName : Name of the custom connector, if you want to change the default name, make sure to use the same in all PaloAlto automation playbooks as well
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for other connection such as Teams connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP
- Configure the automation rules to trigger this playbook
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Get Entities as IPs
Get the list of risky/malicious IPs as entities from the Incident.
Initialize variables
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊