Palo Alto Panorama

Integration version: 29.0

Integrate Palo Alto Panorama with Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is mandatory | Description
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for.
Description | String | N/A | No | Description of the instance.
Api Root | String | https://IP_ADDRESS/api | Yes | Address of the Palo Alto Networks Panorama instance.
Username | String | N/A | Yes | A username that should be used to connect to Palo Alto Networks Panorama.
Password | Password | N/A | Yes | The password of the corresponding user.
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Some actions can require additional configuration like permissions, device name, or device group name.

Action permissions

For actions to execute properly, the following permissions are required:

Tab | Required permissions
Configuration | Read & Write (permissions to retrieve or modify Panorama and firewall configurations)
Operational Requests | Read & Write (permissions to run operational commands on Panorama and firewalls)
Commit | Read & Write (permissions to commit Panorama and firewall configurations)

Obtain device name or device group name

  • To obtain the device name, use the following link:

    https://PANORAMA_WEB_CONSOLE_IP/php/rest/browse.php/config::devices

  • To obtain the device group name, use the following link:

    https://PANORAMA_WEB_CONSOLE_IP/php/rest/browse.php/config::devices::entry[@name='DEVICE_NAME']::device-group

Add IPs to Group

Add IP addresses to an address group.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Address Group Name | String | N/A | Yes | Specify the name of the address group.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "192.0.2.1",
    "203.0.113.1"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided IPs was added (is_success = true):

print "Successfully added the following IPs to the Palo Alto Networks Panorama address group '{0}': \n {1}".format(address_group, entity.identifier list)

If adding specific IPs failed (is_success = true):

print "Action was not able to add the following IPs to the Palo Alto Networks Panorama address group '{0}':\n {1}".format(address_group, [entity.identifier])

If adding failed for all IPs (is_success = false):

print "No IPs were added to the Palo Alto Networks Panorama address group '{0}'".format(address_group)

Block IPs in Policy

Block IP addresses in a given policy.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Policy Name | String | N/A | Yes | Specify the name of the policy.
Target | String | N/A | Yes | Specify what the target should be. Possible values: source, destination.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "192.0.2.1",
    "203.0.113.1"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided IPs was blocked (is_success = true):

print "Successfully blocked the following IPs in the Palo Alto Networks Panorama policy '{0}': \n {1}".format(policy_name, entity.identifier list)

If blocking specific IPs failed (is_success = true):

print "Action was not able to block the following IPs in the Palo Alto Networks Panorama policy '{0}':\n {1}".format(policy_name, [entity.identifier])

If blocking failed for all IPs (is_success = false):

print "No IPs were blocked in the Palo Alto Networks Panorama policy '{0}'".format(policy_name)

Block URLs

Add URLs to a given URL category.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
URL Category Name | String | N/A | Yes | Specify the name of the URL category.

Run on

This action runs on the URL entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "www.example.com"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided URLs was added (is_success = true):

print "Successfully added the following URLs to the Palo Alto Networks Panorama URL Category '{0}': \n {1}".format(category, entity.identifier list)

If adding specific URLs failed (is_success = true):

print "Action was not able to add the following URLs to the Palo Alto Networks Panorama URL Category '{0}':\n {1}".format(category, [entity.identifier])

If adding failed for all URLs (is_success = false):

print "No URLs were added to the Palo Alto Networks Panorama URL Category '{0}'".format(category)

Edit Blocked Applications

Block and unblock applications. Each application is added to or removed from a given policy.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Applications To Block | String | N/A | No | Specify which applications should be blocked, as a comma-separated list. Example: apple-siri,windows-azure
Applications To UnBlock | String | N/A | No | Specify which applications should be unblocked, as a comma-separated list. Example: apple-siri,windows-azure
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Policy Name | String | N/A | Yes | Specify the name of the policy.

Run on

This action runs on all entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "1und1-mail",
    "Filter",
    "Group1",
    "SiemplifyAppBlacklist",
    "apple-siri",
    "google-analytics"
  ]

Get Blocked Applications

List all blocked applications in a given policy.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Policy Name | String | N/A | Yes | Specify the name of the policy.

Run On

This action runs on all entities.

Action results

Script result
Script Result Name | Value Options | Example
blocked_applications | N/A | N/A

JSON result
  [
    "1und1-mail",
    "Filter",
    "Group1",
    "SiemplifyAppBlacklist",
    "apple-siri",
    "google-analytics"
  ]

Case wall
Result Type | Value / Description | Type
Output message* | "Successfully listed blocked applications in a policy '{0}': {1}".format(policy_name, \n-separated list of applications) | General

Ping

Test connectivity to Panorama.

Parameters

N/A

Run on

This action runs on all entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

Commit Changes

Action commits changes in Palo Alto Networks Panorama.

To use the Only My Changes parameter, the user must be an administrator.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Only My Changes | Checkbox | Unchecked | No | If enabled, the action only commits changes that were made by the current user.

Run on

This action runs on all entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

Push Changes

Push commits of a device group in Palo Alto Networks Panorama.

It can take several minutes before changes are pushed.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Group Name | String | N/A | Yes | Specify the name of the device group. See the action documentation above for where to find this value.

Run on

This action runs on all entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

Remove IPs From Group

Remove IP addresses from an address group.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Address Group Name | String | N/A | Yes | Specify the name of the address group.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "192.0.2.1",
    "203.0.113.1"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided IPs was removed (is_success = true):

print "Successfully removed the following IPs from the Palo Alto Networks Panorama address group '{0}': \n {1}".format(address_group, entity.identifier list)

If removing specific IPs failed (is_success = true):

print "Action was not able to remove the following IPs from the Palo Alto Networks Panorama address group '{0}':\n {1}".format(address_group, [entity.identifier])

If removing failed for all IPs (is_success = false):

print "No IPs were removed from the Palo Alto Networks Panorama address group '{0}'".format(address_group)

Unblock IPs in Policy

Unblock IP addresses in a given policy.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
Policy Name | String | N/A | Yes | Specify the name of the policy.
Target | String | N/A | Yes | Specify what the target should be. Possible values: source, destination.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "192.0.2.1",
    "203.0.113.1"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided IPs was unblocked (is_success = true):

print "Successfully unblocked the following IPs in the Palo Alto Networks Panorama policy '{0}': \n {1}".format(policy_name, entity.identifier list)

If unblocking specific IPs failed (is_success = true):

print "Action was not able to unblock the following IPs in the Palo Alto Networks Panorama policy '{0}':\n {1}".format(policy_name, [entity.identifier])

If unblocking failed for all IPs (is_success = false):

print "No IPs were unblocked in the Palo Alto Networks Panorama policy '{0}'".format(policy_name)

Unblock URLs

Remove URLs from a given URL category.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
Device Name | String | N/A | Yes | Specify the name of the device. The default device name for Palo Alto Networks Panorama is localhost.localdomain.
Device Group Name | String | N/A | Yes | Specify the name of the device group.
URL Category Name | String | N/A | Yes | Specify the name of the URL category.

Run on

This action runs on the URL entity.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  [
    "www.example.com"
  ]
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

If successful and at least one of the provided URLs was removed (is_success = true):

print "Successfully removed the following URLs from the Palo Alto Networks Panorama URL Category '{0}': \n {1}".format(category, entity.identifier list)

If removing specific URLs failed (is_success = true):

print "Action was not able to remove the following URLs from the Palo Alto Networks Panorama URL Category '{0}':\n {1}".format(category, [entity.identifier])

If removing failed for all URLs (is_success = false):

print "No URLs were removed from the Palo Alto Networks Panorama URL Category '{0}'".format(category)

Search Logs

Search logs in Palo Alto Networks Panorama based on the query.

Parameters

Parameter Display Name | Type | Default Value | Is mandatory | Description
Log Type | DDL | Traffic | Yes | Specify which log type should be returned. Possible values: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, HIP Match, IP Tag, User ID, Tunnel Inspection, Configuration, System, Authentication.
Query | String | N/A | No | Specify what query filter should be used to return logs.
Max Hours Backwards | Integer | N/A | No | Specify the number of hours back from which to fetch logs.
Max Logs to Return | Integer | 50 | No | Specify how many logs to return. The maximum is 1000.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  <logs count="1" progress="100">
    <entry logid="28889">
      <domain>0</domain>
      <receive_time>2020/07/06 13:51:19</receive_time>
      <serial>007051000096801</serial>
      <seqno>21467</seqno>
      <actionflags>0x0</actionflags>
      <is-logging-service>no</is-logging-service>
      <type>THREAT</type>
      <subtype>spyware</subtype>
      <config_ver>0</config_ver>
      <time_generated>2020/07/06 13:51:10</time_generated>
      <src>192.0.2.1</src>
      <dst>203.0.113.254</dst>
      <natsrc>198.51.100.4</natsrc>
      <natdst>203.0.113.254</natdst>
      <rule>inside to outside</rule>
      <srcloc code="192.0.2.0-192.0.2.255" cc="192.0.2.0-192.0.2.255">192.0.2.0-192.0.2.255</srcloc>
      <dstloc code="United States" cc="US">United States</dstloc>
      <app>ms-update</app>
      <vsys>vsys1</vsys>
      <from>inside</from>
      <to>Outside</to>
      <inbound_if>ethernet1/2</inbound_if>
      <outbound_if>ethernet1/1</outbound_if>
      <logset>log forward1</logset>
      <time_received>2020/07/06 13:51:10</time_received>
      <sessionid>2348</sessionid>
      <repeatcnt>1</repeatcnt>
      <sport>56761</sport>
      <dport>80</dport>
      <natsport>45818</natsport>
      <natdport>80</natdport>
      <flags>0x80403000</flags>
      <flag-pcap>yes</flag-pcap>
      <flag-flagged>no</flag-flagged>
      <flag-proxy>no</flag-proxy>
      <flag-url-denied>no</flag-url-denied>
      <flag-nat>yes</flag-nat>
      <captive-portal>no</captive-portal>
      <non-std-dport>no</non-std-dport>
      <transaction>no</transaction>
      <pbf-c2s>no</pbf-c2s>
      <pbf-s2c>no</pbf-s2c>
      <temporary-match>yes</temporary-match>
      <sym-return>no</sym-return>
      <decrypt-mirror>no</decrypt-mirror>
      <credential-detected>no</credential-detected>
      <flag-mptcp-set>no</flag-mptcp-set>
      <flag-tunnel-inspected>no</flag-tunnel-inspected>
      <flag-recon-excluded>no</flag-recon-excluded>
      <flag-wf-channel>no</flag-wf-channel>
      <pktlog>1594032670-2348.pcap</pktlog>
      <proto>tcp</proto>
      <action>alert</action>
      <tunnel>N/A</tunnel>
      <tpadding>0</tpadding>
      <cpadding>0</cpadding>
      <rule_uuid>9f1bcd9d-0ebc-4815-87cd-b377e0b4817f</rule_uuid>
      <dg_hier_level_1>11</dg_hier_level_1>
      <dg_hier_level_2>0</dg_hier_level_2>
      <dg_hier_level_3>0</dg_hier_level_3>
      <dg_hier_level_4>0</dg_hier_level_4>
      <device_name>PA-VM</device_name>
      <vsys_id>1</vsys_id>
      <tunnelid_imsi>0</tunnelid_imsi>
      <parent_session_id>0</parent_session_id>
      <threatid>Suspicious HTTP Evasion Found</threatid>
      <tid>14984</tid>
      <reportid>0</reportid>
      <category>computer-and-internet-info</category>
      <severity>informational</severity>
      <direction>client-to-server</direction>
      <url_idx>1</url_idx>
      <padding>0</padding>
      <pcap_id>1206408081198547007</pcap_id>
      <contentver>AppThreat-0-0</contentver>
      <sig_flags>0x0</sig_flags>
      <thr_category>spyware</thr_category>
      <assoc_id>0</assoc_id>
      <ppid>4294967295</ppid>
      <http2_connection>0</http2_connection>
      <misc>3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0</misc>
      <tunnelid>0</tunnelid>
      <imsi/>
      <monitortag/>
      <imei/>
    </entry>
  </logs>
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

The action should not fail nor stop a playbook execution:

If successful and at least one log was returned (is_success = true):

print "Successfully listed {0} logs. Used query: '{1}' ".format(log_type, query)

If successful but no logs were returned (is_success = false):

print "No {0} logs were found. Used query: '{1}' ".format(log_type, query)

If the query is incorrect (response status = error) (is_success = false):

print "Action wasn't able to list logs. Reason: {0}".format(response/msg)

The action should fail and stop a playbook execution:

If a fatal error occurs, such as wrong credentials, no connection to the server, or other:

print "Error executing action 'Search Logs'. Reason: {0}".format(error.Stacktrace)
CSV Case Wall (Traffic)

Name: Traffic Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Action (mapped as action)
  • Type (mapped as subtype)
  • Application (mapped as app)

CSV Case Wall (Threat)

Name: Threat Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Description (mapped as threatID)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Name (mapped as misc)
  • Type (mapped as subtype)
  • Severity (mapped as severity)

CSV Case Wall (URL Filtering)

Name: URL Filtering Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • URL (mapped as misc)
  • Category (mapped as category)
  • Severity (mapped as severity)
  • Action (mapped as action)

CSV Case Wall (Wildfire Submissions)

Name: Wildfire Submission Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Description (mapped as threatID)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Name (mapped as misc)
  • Type (mapped as subtype)
  • Severity (mapped as severity)
  • Action (mapped as action)
  • Hash (mapped as filedigest)
  • File Type (mapped as filetype)

CSV Case Wall (Data Filtering)

Name: Data Filtering Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Description (mapped as threatID)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Name (mapped as misc)
  • Type (mapped as subtype)
  • Severity (mapped as severity)
  • Action (mapped as action)

CSV Case Wall (HIP Match)

Name: HIP Match Logs

Columns:

  • Receive Time (mapped as receive_time)
  • IP (mapped as src)
  • HIP (mapped as matchname)
  • Repeat Count (mapped as repeatcnt)
  • Device Name (mapped as device_name)

CSV Case Wall (IP Tag)

Name: IP Tag Logs

Columns:

  • Receive Time (mapped as receive_time)
  • IP (mapped as ip)
  • Tag Name (mapped as tag_name)
  • Device Name (mapped as device_name)
  • Event ID (mapped as event_id)

CSV Case Wall (User ID)

Name: User ID Match Logs

Columns:

  • Receive Time (mapped as receive_time)
  • IP (mapped as ip)
  • User (mapped as user)
  • Device Name (mapped as device_name)
  • Type (mapped as subtype)

CSV Case Wall (Tunnel Inspection)

Name: Tunnel Inspection Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Application (mapped as app)
  • Type (mapped as subtype)
  • Severity (mapped as severity)
  • Action (mapped as action)

CSV Case Wall (Configuration)

Name: Configuration Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Command (mapped as cmd)
  • Admin (mapped as admin)
  • Device Name (mapped as device_name)

CSV Case Wall (System)

Name: System Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Device Name (mapped as device_name)
  • Type (mapped as subtype)
  • Severity (mapped as severity)
  • Description (mapped as opaque)

CSV Case Wall (Authentication)

Name: Authentication Logs

Columns:

  • Receive Time (mapped as receive_time)
  • Device Name (mapped as device_name)
  • IP (mapped as ip)
  • User (mapped as user)
  • Type (mapped as subtype)
  • Severity (mapped as severity)
  • Description (mapped as desc)
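
The following is an added example, not code from the integration itself: it parses the `<logs>` XML that Search Logs returns (shown in the JSON result above) and projects each entry onto the CSV case wall columns documented for a log type, using the column-to-field mappings listed above for four of the log types (the others follow the same table). It assumes the API wraps the `<logs>` element in a `<response status="...">` element, with `response/msg` carrying the reason on an error status as the output messages above describe; the sample XML and error response are constructed for the example.

```python
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# CSV case wall column -> XML element, as listed above for these log types.
# Element names are compared case-insensitively, so "threatID" on the page
# matches the <threatid> element in the response.
CSV_COLUMNS = {
    "Traffic": [("Receive Time", "receive_time"), ("Src IP", "src"),
                ("Dst IP", "dst"), ("Action", "action"),
                ("Type", "subtype"), ("Application", "app")],
    "Threat": [("Receive Time", "receive_time"), ("Description", "threatID"),
               ("Src IP", "src"), ("Dst IP", "dst"), ("Name", "misc"),
               ("Type", "subtype"), ("Severity", "severity")],
    "URL Filtering": [("Receive Time", "receive_time"), ("Src IP", "src"),
                      ("Dst IP", "dst"), ("URL", "misc"),
                      ("Category", "category"), ("Severity", "severity"),
                      ("Action", "action")],
    "Configuration": [("Receive Time", "receive_time"), ("Command", "cmd"),
                      ("Admin", "admin"), ("Device Name", "device_name")],
}


@dataclass
class LogResult:
    count: int = 0                                  # <logs count="..."> attribute
    entries: List[Dict[str, str]] = field(default_factory=list)  # one dict per <entry>
    error: Optional[str] = None                     # response/msg when status="error"


def parse_logs(xml_text: str) -> LogResult:
    """Parse a Panorama log response into a LogResult.

    Accepts either the bare <logs> element shown above or the assumed
    <response status="..."> wrapper. An error response yields LogResult(error=...)
    so the caller can emit "Action wasn't able to list logs. Reason: ..."
    instead of rows.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "response" and root.get("status") == "error":
        msg = root.find("msg")
        reason = "".join(msg.itertext()).strip() if msg is not None else "unknown error"
        return LogResult(error=reason)
    logs = root if root.tag == "logs" else root.find(".//logs")
    if logs is None:
        return LogResult()
    result = LogResult()
    for entry in logs.findall("entry"):
        fields = {child.tag.lower(): (child.text or "").strip() for child in entry}
        fields["logid"] = entry.get("logid", "")
        result.entries.append(fields)
    result.count = int(logs.get("count", len(result.entries)))
    return result


def case_wall_rows(log_type: str, entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Project parsed entries onto the CSV case wall columns for log_type.
    Fields absent from an entry become empty cells rather than KeyErrors."""
    columns = CSV_COLUMNS[log_type]
    return [{col: fields.get(tag.lower(), "") for col, tag in columns}
            for fields in entries]


def case_wall_csv(log_type: str, entries: List[Dict[str, str]]) -> str:
    """Render the case wall table as CSV text in the documented column order."""
    header = [col for col, _ in CSV_COLUMNS[log_type]]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(case_wall_rows(log_type, entries))
    return buf.getvalue()


# Constructed sample in the shape of the JSON result above (two entries trimmed
# to the fields the case wall uses) and a constructed error response.
SAMPLE_XML = """<response status="success"><result>
<logs count="2" progress="100">
  <entry logid="28889">
    <receive_time>2020/07/06 13:51:19</receive_time>
    <type>THREAT</type><subtype>spyware</subtype>
    <src>192.0.2.1</src><dst>203.0.113.254</dst><app>ms-update</app>
    <threatid>Suspicious HTTP Evasion Found</threatid>
    <severity>informational</severity><action>alert</action>
    <misc>3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0</misc>
  </entry>
  <entry logid="28890">
    <receive_time>2020/07/06 13:52:02</receive_time>
    <type>THREAT</type><subtype>vulnerability</subtype>
    <src>192.0.2.7</src><dst>203.0.113.9</dst><app>web-browsing</app>
    <threatid>Example Signature</threatid>
    <severity>medium</severity><action>reset-both</action>
  </entry>
</logs></result></response>"""
ERROR_XML = '<response status="error"><msg><line>Invalid query</line></msg></response>'

if __name__ == "__main__":
    parsed = parse_logs(SAMPLE_XML)
    print(case_wall_csv("Threat", parsed.entries))
    print("error:", parse_logs(ERROR_XML).error)
```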

Get Correlated Traffic Between IPs

Action returns correlated network traffic logs from Palo Alto Networks Panorama between the source IP address and the destination IP address.

Playbook recommendations

To automate the process of retrieving correlated traffic between two IPs, use the Event.sourceAddress attribute for the source IP address and Event.destinationAddress for the destination IP address. This approach is recommended for alerts that only have one Google SecOps event. In other cases, unexpected results can happen.

Parameters

Parameter Display Name | Type | Default Value | Is mandatory | Description
Source IP | CSV | N/A | Yes | Specify the source IP that will be used to get traffic.
Destination IP | CSV | N/A | Yes | Specify the destination IP that will be used to get traffic.
Max Hours Backwards | Integer | N/A | No | Specify the number of hours back from which to fetch logs.
Max Logs to Return | Integer | 50 | No | Specify how many logs to return. The maximum is 1000.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False

JSON result
  <logs count="1" progress="100">
    <entry logid="28889">
      <domain>0</domain>
      <receive_time>2020/07/06 13:51:19</receive_time>
      <serial>007051000096801</serial>
      <seqno>21467</seqno>
      <actionflags>0x0</actionflags>
      <is-logging-service>no</is-logging-service>
      <type>THREAT</type>
      <subtype>spyware</subtype>
      <config_ver>0</config_ver>
      <time_generated>2020/07/06 13:51:10</time_generated>
      <src>192.0.2.3</src>
      <dst>198.51.100.254</dst>
      <natsrc>203.0.113.4</natsrc>
      <natdst>198.51.100.254</natdst>
      <rule>inside to outside</rule>
      <srcloc code="192.0.2.0-192.0.2.255" cc="192.0.2.0-192.0.2.255">192.0.2.0-192.0.2.255</srcloc>
      <dstloc code="United States" cc="US">United States</dstloc>
      <app>ms-update</app>
      <vsys>vsys1</vsys>
      <from>inside</from>
      <to>Outside</to>
      <inbound_if>ethernet1/2</inbound_if>
      <outbound_if>ethernet1/1</outbound_if>
      <logset>log forward1</logset>
      <time_received>2020/07/06 13:51:10</time_received>
      <sessionid>2348</sessionid>
      <repeatcnt>1</repeatcnt>
      <sport>56761</sport>
      <dport>80</dport>
      <natsport>45818</natsport>
      <natdport>80</natdport>
      <flags>0x80403000</flags>
      <flag-pcap>yes</flag-pcap>
      <flag-flagged>no</flag-flagged>
      <flag-proxy>no</flag-proxy>
      <flag-url-denied>no</flag-url-denied>
      <flag-nat>yes</flag-nat>
      <captive-portal>no</captive-portal>
      <non-std-dport>no</non-std-dport>
      <transaction>no</transaction>
      <pbf-c2s>no</pbf-c2s>
      <pbf-s2c>no</pbf-s2c>
      <temporary-match>yes</temporary-match>
      <sym-return>no</sym-return>
      <decrypt-mirror>no</decrypt-mirror>
      <credential-detected>no</credential-detected>
      <flag-mptcp-set>no</flag-mptcp-set>
      <flag-tunnel-inspected>no</flag-tunnel-inspected>
      <flag-recon-excluded>no</flag-recon-excluded>
      <flag-wf-channel>no</flag-wf-channel>
      <pktlog>1594032670-2348.pcap</pktlog>
      <proto>tcp</proto>
      <action>alert</action>
      <tunnel>N/A</tunnel>
      <tpadding>0</tpadding>
      <cpadding>0</cpadding>
      <rule_uuid>9f1bcd9d-0ebc-4815-87cd-b377e0b4817f</rule_uuid>
      <dg_hier_level_1>11</dg_hier_level_1>
      <dg_hier_level_2>0</dg_hier_level_2>
      <dg_hier_level_3>0</dg_hier_level_3>
      <dg_hier_level_4>0</dg_hier_level_4>
      <device_name>PA-VM</device_name>
      <vsys_id>1</vsys_id>
      <tunnelid_imsi>0</tunnelid_imsi>
      <parent_session_id>0</parent_session_id>
      <threatid>Suspicious HTTP Evasion Found</threatid>
      <tid>14984</tid>
      <reportid>0</reportid>
      <category>computer-and-internet-info</category>
      <severity>informational</severity>
      <direction>client-to-server</direction>
      <url_idx>1</url_idx>
      <padding>0</padding>
      <pcap_id>1206408081198547007</pcap_id>
      <contentver>AppThreat-0-0</contentver>
      <sig_flags>0x0</sig_flags>
      <thr_category>spyware</thr_category>
      <assoc_id>0</assoc_id>
      <ppid>4294967295</ppid>
      <http2_connection>0</http2_connection>
      <misc>3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0</misc>
      <tunnelid>0</tunnelid>
      <imsi/>
      <monitortag/>
      <imei/>
    </entry>
  </logs>
Case wall
Result Type | Value / Description | Type
Output message* | (messages listed below) | General

The action should not fail nor stop a playbook execution:

If successful for at least one pair (is_success = true):

print "Successfully listed correlated logs for the following pairs of Source and Destination IPs:\n.{0} - {1}".format(source IP, destination IP)

If unsuccessful for certain pairs or for incomplete pairs (is_success = true):

print "Unable to list correlated logs for the following pairs of Source and Destination IPs:\n.{0} - {1}".format(source IP, destination IP). In an incomplete pair, the missing part is replaced with "N/A".

If no logs were found for any pair (is_success = false):

print "No correlated network traffic logs were found."

The action should fail and stop a playbook execution:

If a fatal error occurs, such as wrong credentials, no connection to the server, or other:

print "Error executing action 'Get Correlated Traffic Between IPs'. Reason: {0}".format(error.Stacktrace)

CSV Case Wall (for each pair)

Name: Traffic Logs between {Source IP} and {Destination IP}

Columns:

  • Receive Time (mapped as receive_time)
  • Src IP (mapped as src)
  • Dst IP (mapped as dst)
  • Action (mapped as action)
  • Type (mapped as subtype)
  • Application (mapped as app)
Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Configuring the connector.

Palo Alto Panorama - Threat Log Connector

Connector ingests threat logs based on the specified query filter and its parameters.

Connector permissions

For the connector to function properly, the following permissions are needed:

Tab | Required permissions
Web UI | Privacy (all); Tasks; Global (all)
XML API | Log; Operational Requests

How to work with the Query Filter connector parameter

The Query Filter connector parameter lets you customize filters that are used to ingest logs. By default, the connector uses a time filter and severity filter, but it is possible to have more specific filters.

An example of the query form used by the connector is as follows:

{time_filter} and {severity_filter} and {custom_query_filter}

The value you put in the Query Filter connector parameter is used as {custom_query_filter}. For example, if you set the Query Filter to (subtype eq spyware), the resulting query is as follows:

(time_generated geq '2020/06/22 08:00:00') and (severity geq medium) and (subtype eq spyware)
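
As an added example (not the connector's own code), the function below composes the query from the three connector parameters that feed it: Fetch Max Hours Backwards gives {time_filter}, Lowest Severity To Fetch gives {severity_filter}, and Query Filter is appended as {custom_query_filter}. It assumes the time filter takes the `time_generated geq 'YYYY/MM/DD HH:MM:SS'` form shown above, that severities compare in the order Informational, Low, Medium, High, Critical, and that a user-typed filter without enclosing parentheses should be wrapped so that `and` binds the way the documented example expects; the reference time is constructed.

```python
from datetime import datetime, timedelta

# Severity order for "severity geq", from the Lowest Severity To Fetch parameter.
SEVERITIES = ("informational", "low", "medium", "high", "critical")

# Constructed reference time used by the stand-alone demo below.
EXAMPLE_NOW = datetime(2020, 6, 22, 9, 0, 0)


def time_filter(now: datetime, max_hours_backwards: int) -> str:
    """{time_filter}: logs generated since now - Fetch Max Hours Backwards."""
    if max_hours_backwards < 1:
        raise ValueError("Fetch Max Hours Backwards must be a positive integer")
    since = now - timedelta(hours=max_hours_backwards)
    return f"(time_generated geq '{since:%Y/%m/%d %H:%M:%S}')"


def severity_filter(lowest_severity: str) -> str:
    """{severity_filter}: reject values outside the documented list up front
    rather than sending a query Panorama will refuse."""
    key = lowest_severity.strip().lower()
    if key not in SEVERITIES:
        raise ValueError(f"unknown severity {lowest_severity!r}; expected one of {SEVERITIES}")
    return f"(severity geq {key})"


def _is_single_group(expr: str) -> bool:
    """True when expr is one parenthesised group: '(a)' yes, '(a) or (b)' no.
    Purely syntactic; parentheses inside quoted values are not special-cased."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(expr) - 1:
                return False
    return depth == 0


def build_query(now: datetime, max_hours_backwards: int,
                lowest_severity: str, query_filter: str = "") -> str:
    """Compose {time_filter} and {severity_filter} and {custom_query_filter}.

    An empty Query Filter drops the third clause instead of leaving a dangling
    'and'; a filter that is not already a single group is wrapped in
    parentheses so an 'or' inside it cannot widen the time/severity window.
    """
    parts = [time_filter(now, max_hours_backwards), severity_filter(lowest_severity)]
    custom = (query_filter or "").strip()
    if custom:
        if not _is_single_group(custom):
            custom = f"({custom})"
        parts.append(custom)
    return " and ".join(parts)


if __name__ == "__main__":
    # Reproduces the documented example with Fetch Max Hours Backwards = 1 and
    # Lowest Severity To Fetch = Medium.
    print(build_query(EXAMPLE_NOW, 1, "Medium", "(subtype eq spyware)"))
```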

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name | Type | Default Value | Is mandatory | Description
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name.
Event Field Name | String | subtype | Yes | Enter the source field name in order to retrieve the Event Field name.
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern | String | .* | No | A regular expression pattern to run on the value found in the Environment Field Name field. Default is .* to catch all and return the value unchanged. Used to let the user manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the Python process running the current script.
API Root | String | https://IP_ADDRESS/api | Yes | API root of the Palo Alto Networks Panorama instance.
Username | String | N/A | Yes | Username of the Palo Alto Networks Panorama account.
Password | Password | N/A | Yes | Password of the Palo Alto Networks Panorama account.
Query Filter | String | N/A | No | Specify additional filters in the query.
Lowest Severity To Fetch | String | N/A | Yes | Lowest severity that will be used to fetch threat logs. Possible values: Informational, Low, Medium, High, Critical.
Fetch Max Hours Backwards | Integer | 1 | No | Number of hours back from which to fetch logs.
Max Logs To Fetch | Integer | 25 | No | How many logs to process per connector iteration.
Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the dynamic list will be used as a blocklist.
Verify SSL | Checkbox | Checked | Yes | If enabled, verify that the SSL certificate for the connection to the Palo Alto Networks Panorama server is valid.
Proxy Server Address | String | N/A | No | The address of the proxy server to use.
Proxy Username | String | N/A | No | The proxy username to authenticate with.
Proxy Password | Password | N/A | No | The proxy password to authenticate with.

Connector rules

The connector supports proxies.
