Set Up Adaptive Response
Use the pantag command to share context from Splunk to the firewall for automated remediation.
A recorded webinar explains the concept of automated remediation and demonstrates a case study of a real customer using this technique with Splunk and Palo Alto Networks.
Share context with Dynamic Address Groups
Tagging an IP address sets metadata (context) on the firewall for that IP. Any Dynamic Address Group whose match criteria include that tag picks the IP up automatically, and the security policy rules that reference the group then apply to it. For example, you could create a rule in the security policy that blocks any IP address with the tag 'bad-actor'. Initially the group is empty, so nothing is blocked. You then create a search in Splunk for criteria that represent a problem device and have it tag the offending IP address with 'bad-actor'. The firewall adds the IP address to the Dynamic Address Group and begins blocking it immediately; no commit is required, because tag registration changes group membership, not the configuration.
Blocking a bad actor is just the beginning, and you aren't limited to allow or deny as your options. You could tag an IP address for additional scrutiny by the Threat Prevention engine, or as a known trusted server to be given additional permissions. The behavior is defined entirely by your security policy, that is, by how the rules treat IP addresses carrying specific tags.
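Under the hood, tagging an IP is a User-ID registration sent to the PAN-OS XML API (type=user-id), which is what pantag does for each IP in a search result. The following is an added example, not code from the Splunk App or Add-on: it builds the register and unregister messages for a constructed list of flagged IPs, parses them back to verify what would be sent, and checks a constructed API response. The tag timeout attribute is optional and exists only on PAN-OS 9.0 and later; the API key, host and the SPL shown in the comment are illustrative placeholders.

```python
"""
Build and verify the PAN-OS User-ID API messages that tag (register) or
untag (unregister) an IP for Dynamic Address Group membership.

Illustrative Splunk search that would drive this (pantag syntax shown for
orientation only; check the app's command reference for your version):
  index=pan_logs sourcetype=pan:threat severity=critical
  | stats count by src_ip | where count > 10
  | pantag action="add" tag="bad-actor" ip_field="src_ip"
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: IPs a Splunk search flagged as problem devices.
FLAGGED_IPS = ["10.1.20.15", "192.168.5.77"]

# Constructed sample responses from the /api/ endpoint (shape is illustrative).
SUCCESS_RESPONSE = '<response status="success"><result/></response>'
ERROR_RESPONSE = ('<response status="error" code="403"><result><msg>'
                  '<line>Invalid credentials.</line></msg></result></response>')


def build_uid_message(ips: Iterable[str], tags: Iterable[str],
                      register: bool = True,
                      timeout: Optional[int] = None) -> str:
    """Return the <uid-message> XML for a type=user-id API call.

    register=True adds the tags, so the IP joins every DAG matching them;
    register=False removes the tags and the IP drops out of those DAGs.
    timeout (seconds) makes the tag expire on its own (PAN-OS 9.0+ only),
    which is a safer default for automated blocks than a permanent tag.
    """
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    op = ET.SubElement(payload, "register" if register else "unregister")
    for ip in ips:
        entry = ET.SubElement(op, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            attrs = {"timeout": str(timeout)} if (register and timeout) else {}
            ET.SubElement(tag_el, "member", **attrs).text = tag
    return ET.tostring(msg, encoding="unicode")


def tags_in_message(xml_text: str) -> Dict[str, List[str]]:
    """Parse a uid-message back into {ip: [tags]} to verify what is sent."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): [m.text for m in e.iter("member")]
            for e in root.iter("entry")}


def api_params(api_key: str, cmd_xml: str) -> Dict[str, str]:
    """Query parameters for the PAN-OS XML API user-id endpoint (/api/).

    The Add-on keeps the real credentials encrypted in Splunk; the key here
    is a placeholder supplied by the caller.
    """
    return {"type": "user-id", "key": api_key, "cmd": cmd_xml}


def check_response(xml_text: str) -> Tuple[bool, List[str]]:
    """Return (success, message lines) for an XML API response body."""
    root = ET.fromstring(xml_text)
    ok = root.get("status") == "success"
    lines = [line.text or "" for line in root.iter("line")]
    return ok, lines


if __name__ == "__main__":
    # Tag the flagged IPs as bad-actor for one hour, then show the reversal.
    add = build_uid_message(FLAGGED_IPS, ["bad-actor"], timeout=3600)
    print("register:", add)
    print("membership:", tags_in_message(add))
    print("params:", api_params("PLACEHOLDER_API_KEY", add))
    remove = build_uid_message(FLAGGED_IPS, ["bad-actor"], register=False)
    print("unregister:", remove)
    print("success?", check_response(SUCCESS_RESPONSE))
    print("error?", check_response(ERROR_RESPONSE))
```

The unregister path matters as much as the register path: an automated block that can never be lifted will eventually quarantine a legitimate host after a false positive, so pair every "add" search with a removal (pantag action="remove", or the tag timeout on PAN-OS 9.0+).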
Command reference: pantag
A session from Ignite 2015 explains Dynamic Address Groups in more detail, with several use cases including asset management.
Configure Adaptive Response
To use Adaptive Response or the custom search commands, configure the Add-on with credentials for your Firewall or Panorama.
To configure credentials, open the App, click the Palo Alto Networks menu in the top left, and click Configuration.
For Add-on 3.x, navigate instead to the Splunk App Manager, find the Palo Alto Networks Add-on for Splunk in the list, and click Set up on the right.
Enter the credentials for your Firewall or Panorama and name the credential set "Firewall". Only one set of credentials can be stored under this name. Splunk encrypts the credentials, and they are used for the following features:
- Sync user login events with User-ID
- Share context with Dynamic Address Groups
- Update metadata from content packs
Optional: Create a Splunk User on Firewall/Panorama
Optionally, create a dedicated user for Splunk on the firewall or Panorama and restrict its admin role to only the permissions it needs, rather than using a superuser account. The permissions required depend on which features you use:
| Feature | Required XML API permission |
|---|---|
| Commands: pantag, panuserupdate | User-ID Agent |
| Alert Action: Tag to Dynamic Address List | User-ID Agent |
| Command: pancontentpack with PAN-OS < 8.0 | Configuration |
| Command: pancontentpack with PAN-OS >= 8.0 | Configuration and Operational Requests |