PaloAlto-PAN-OS-GetURLCategoryInfo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

When a new sentinal incident is created, this playbook gets triggered and performs below actions:

Attribute Value
Type Playbook
Solution PaloAlto-PAN-OS
Source View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 2
PAN-OSRestApiCustomConnector Custom 1 2
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3)_2 post /Incidents/Comment
Entities_-_Get_URLs post /entities/url

PAN-OSRestApiCustomConnector (Custom)

Action Method Endpoint Other
List_address_objects get /restapi/v10.0/Objects/Addresses
List_custom_url_categories get /restapi/v10.0/Objects/CustomURLCategories

Additional Documentation

📄 Source: PaloAltoPlaybooks/PaloAlto-PAN-OS-GetURLCategoryInfo/readme.md

Summary

When a new sentinal incident is created, this playbook gets triggered and performs below actions:

  1. Fetches the address group details and URL filtering category information from PAN-OS
  2. Updates all the collected information in incident

PaloAlto-PAN-OS-GetURLCategoryInfo

Prerequisites

  1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
  2. Generate an API key. Refer this link on how to generate the API Key

Deployment instructions

  1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here (e.g. PAN-OS Playbook)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided)

b. Configurations in Sentinel

  1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account
  2. Configure the automation rules to trigger this playbook

Deploy to Azure Deploy to Azure

Playbook steps explained

When Microsoft Sentinel incident creation rule is triggered

Microsoft Sentinel incident is created. The playbook receives the incident as the input.

Entities - Get URLs

Get the list of risky/malicious URLs as entities from the Incident

List-address objects

Playbook uses "List address objects" action to get address object details from PAN-OS

List URL filtering category information

Playbook uses "List URL filtering category information" action to get URL filtering category details from PAN-OS

For each-risky URL received from the incident

Iterates on the URLs found in this incident (probably one) and performs the following:

  1. For the risky URL, Filter URL from list of address objects action to get specific address object details from PAN-OS

    a. Compose body of address object where URL is a member for updating incident with address object details

  2. Create HTML table for URL category information such as name, location and description

  3. Add a comment to the incident with the information below:

    a. User information collected by "List address obects" action from PAN-OS such as

    • name, location, description and URL

    b. URL filtering category information collected by "List URL filtering category information" action from PAN-OS such as

    • name, location and description

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to PaloAlto-PAN-OS