ciscosecurity/tr-05-palo-alto-ngfw

By ciscosecurity

Updated 1 day ago

Palo Alto Networks Firewalls with Strata Logging Service

Palo Alto Networks Next-Generation Firewalls (NGFW) provide advanced and integrated security features beyond those of traditional firewalls, including application awareness, URL filtering, content inspection, and threat prevention. Forwarding NGFW logs to the Strata Logging Service, where they are normalized and enriched with endpoint and cloud data from various products, makes it possible to query NGFW alerts via the Cortex API. Leveraging Palo Alto Networks NGFW alerts allows you to query security detections for observables such as IP addresses, URLs, file names, MD5 hashes, SHA256 hashes, emails, and email subjects.

v1.0.6

  • refactor OCSF endpoint to be based on the cisco_security_finding_dto library
  • return empty responses in case of invalid or unsupported input types

v1.0.5

  • update input schema

v1.0.4

  • metadata.product.uid: 99->13
  • metadata.extension.extension: 0.5.2.2->0.5.3
  • remove empty observables
  • replaced missing times with 0s
  • update finding.uid to f"qaf:pan_ngfw:{session}:{start_time}"
  • add finding.types = ["Network"]

v1.0.3

❗ Testing purposes only

  • add support for the alert associated with the event and for search by file name

v1.0.2

  • added support for OCSF

v1.0.1

Updated relations

v1.0.0

Implemented Relay Endpoints

  • POST /health
    • Authenticates to the underlying external service to check that the provided credentials are valid and the service is available at the moment.
  • POST /observe/observables
    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query for cyber threat intelligence data (in our case, the alerts) on each supported observable.
    • Maps the fetched data into the appropriate CTIM entities.
    • Returns a list for each of the following CTIM entities (if any were extracted):
      • Attack Patterns
      • Indicators
      • Relationships
      • Sightings
    • Supports optional ?start_time= and end_time= query parameters in ISO format.
      • The specified parameters filter on '{start_time}<=creation_time<={end_time}' in Cortex XDR.
      • If not specified, data for the last 30 days is returned.
  • POST /version
    • Returns the version of the running integration module.

Supported Types of Observables (/observe/observables)
  • domain
  • email
  • email_subject
  • file_name
  • ip
  • ipv6
  • md5
  • sha256
  • url

CTIM Mapping Specifics

Each response from the Cortex XDR API for the supported observables generates the following CTIM entities:

  • Attack Patterns
  • Indicators
  • Relationships
  • Sightings

JWT Payload Structure

{
  "api_key": "<API key>",
  "api_key_id": "<API ID>",
  "api_base_url": "<API URL>",
  "CTR_ENTITIES_LIMIT": "<limit the number of sightings in response. Default: 100 (optional)>"
}
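How a token carrying the payload above can be minted and checked before its claims are trusted, as an added example rather than the relay's own code. The claim names and the CTR_ENTITIES_LIMIT default of 100 come from the page; the HS256 algorithm, the shared secret, and the function names are assumptions, and the sample claim values are constructed.

```python
"""Mint and verify an HS256 JWT with the documented payload (added example,
not the relay's code). Standard library only; secret and alg are assumptions."""
import base64
import hashlib
import hmac
import json

REQUIRED_CLAIMS = ("api_key", "api_key_id", "api_base_url")
DEFAULT_ENTITIES_LIMIT = 100  # page: default when CTR_ENTITIES_LIMIT is absent


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """header.payload.signature, HS256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url(sig)])


def decode_jwt(token: str, secret: bytes) -> dict:
    """Return the payload only if the header pins HS256 and the MAC verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        # Never let the token choose its own algorithm ('none', RS256 confusion).
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def credentials_from_jwt(token: str, secret: bytes) -> dict:
    """Verify the token, require the three mandatory claims, and normalise
    the optional CTR_ENTITIES_LIMIT (it arrives as a string in the payload)."""
    payload = decode_jwt(token, secret)
    missing = [c for c in REQUIRED_CLAIMS if not payload.get(c)]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    try:
        limit = int(payload.get("CTR_ENTITIES_LIMIT", DEFAULT_ENTITIES_LIMIT))
    except (TypeError, ValueError):
        limit = DEFAULT_ENTITIES_LIMIT
    if limit <= 0:
        limit = DEFAULT_ENTITIES_LIMIT
    return {
        "api_key": payload["api_key"],
        "api_key_id": payload["api_key_id"],
        "api_base_url": payload["api_base_url"],
        "entities_limit": limit,
    }


if __name__ == "__main__":
    # Constructed values; a real deployment keeps the secret out of source.
    secret = b"constructed-test-secret"
    claims = {
        "api_key": "constructed-api-key",
        "api_key_id": "1",
        "api_base_url": "https://api.example.invalid",
        "CTR_ENTITIES_LIMIT": "25",
    }
    token = encode_jwt(claims, secret)
    print(credentials_from_jwt(token, secret))
```

Two details matter for a relay that turns these claims into upstream API credentials: the signature is compared with hmac.compare_digest rather than `==`, and the algorithm is fixed by the verifier instead of being read from the token, so a forged header cannot downgrade the check.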

Docker Pull Command

docker pull ciscosecurity/tr-05-palo-alto-ngfw