PaloAlto-PAN-OS-BlockURL-EntityTrigger
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook allows blocking/unblocking URLs in PaloAlto, using predefined address group. This allows to make changes on predefined address group, which is attached to security policy rule.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | PaloAlto-PAN-OS |
| Source | View on GitHub |
Additional Documentation
📄 Source: PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL-EntityTrigger/readme.md
PaloAlto-PAN-OS-BlockURL
## Summary
This playbook allows blocking/unblocking URLs in PaloAlto, using predefined address group. This allows to make changes on predefined address group, which is attached to security policy rule. When a new Sentinel incident is created, this playbook gets triggered and performs below actions:
-
An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group.
-
The SOC can act on risky URL based on the information provided in the adaptive card, or ignore.
This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::
This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::
Prerequisites
- PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
- Generate an API key.Refer this link on how to generate the API Key
- Address group should be created for PAN-OS and this should be used while creating playbooks.
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here (e.g. PaloAlto-PAN-OS-BlockURL)
- Teams GroupId: Enter the Teams channel id to send the adaptive card
- Teams ChannelId: Enter the Teams Group id to send the adaptive card Refer the below link to get the channel id and group id
- Predefined address group name: Enter the predefined address group name here to Block URL /Unblock URL
- CustomConnectorName : Name of the custom connector, if you want to change the default name, make sure to use the same in all PaloAlto automation playbooks as well
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for other connection such as Teams connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with risky URL
- Configure the automation rules to trigger this playbook
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Get Entities as URLs
Get the list of risky/malicious URLs as entities from the Incident
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊