Palo Alto Networks Panorama Cloud Device

Configure a Palo Alto Networks Panorama cloud device to receive IOCs from Threat Command.

The following table shows IOC pull characteristics:

Characteristic        Description
IOC types             Domains, IP addresses, and URLs.
IOC group limitation  Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups.
Device IOC limit      The device is limited to 250,000 IOCs.

Add a Palo Alto Networks Panorama cloud device to Threat Command

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a Palo Alto Networks Panorama cloud device to pull IOCs

After a device has been added, you must enable the pulling of IOCs by the Palo Alto Networks Panorama device from Threat Command.

Before you begin, ensure:

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

Palo Alto Panorama uses External Dynamic Lists (EDLs) to pull IOCs from Rapid7. You must create an EDL for each IOC type (domain, IP address, or URL); then you create a security policy that uses the EDL to pull IOCs.

The two-step process is described in the following procedures.

To create Palo Alto External Dynamic Lists:

The EDL creation process is identical for each type of IOC.

  1. Log in to the Palo Alto Networks dashboard via HTTPS.
  2. Choose Objects > External Dynamic Lists.
  3. Click Add to create a new EDL:
    1. Type a name for the EDL.
      This name will be used in the following step.
    2. From the Type field, select a type: IP List, Domain List, or URL List.
      The type must match the type in the IOC group.
    3. In the Source field, paste the entire value from the Threat Command IOC Group URL.
    4. In the URL that you pasted, replace "https://api.intsights.com" with "https://[accountID]:[API key]@api.intsights.com"
    5. Click OK.
    6. Click Commit.

Continue to the section for your IOC type:

Import URLs (EDL of type URL List)

  1. From the Palo Alto main menu, choose Objects > Security Profiles > URL Filtering.
  2. Click Add.
  3. In the URL Filtering Profile dialog, type a name.
  4. In the External Dynamic URL Lists section, select the EDL created for URLs and click OK.
  5. From Policies > Security, click Add.
  6. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  7. In the Source tab, select Any and select Source Zone.
  8. In the Destination tab, select any from the drop-down list, and mark DESTINATION ZONE.
  9. In the Application tab, select Any.
  10. In the Service/URL Category tab, click Add.
  11. From the list that opens, in the External Dynamic Lists section, select the EDL that was created for URLs.
  12. Click OK.
  13. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  14. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.

Import IP addresses (EDL of type IP List)

  1. From the Palo Alto main menu, choose Policies > Security.
  2. Click Add.
  3. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  4. In the Source tab, select SOURCE ZONE and Any above it.
  5. In the Destination tab, click Add.
  6. From the list that opens, in the External Dynamic Lists section, select the IP List EDL from the drop-down.
  7. In the Application tab, select Any.
  8. In the Service/URL Category tab, click Any for URL CATEGORY and for SERVICE.
  9. Click OK.
  10. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  11. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.

Import domains (EDL of type Domain List)

  1. From the Palo Alto main menu, choose Objects > Security Profiles > Anti-Spyware.
  2. Select the strict profile, then click Clone, and OK.
  3. Click the new profile.
  4. In the Anti-Spyware Profile dialog, type a name over the cloned name.
  5. In the DNS Policies tab, select the EDL for domains, then click OK.
  6. From the main menu, choose Policies > Security.
  7. Click Add.
  8. In the Security Policy Rule dialog, type a name for the new policy.
    The Rule Type should be universal (default).
  9. In the Source tab, select Any for SOURCE ZONE.
  10. In the Destination tab, select any from the drop-down list and select ZONE.
    Also click Any for ADDRESS and select any in DEVICE.
  11. In the Application tab, select Any.
  12. In the Service/URL Category tab, select Any from the drop-down list.
  13. In the Actions tab, in the Profile Setting section, for Profile Type, select Profiles.
  14. For Anti-Spyware, select the Anti-Spyware profile that you created (the one that you cloned from another).
  15. Click OK.
  16. From Policies > Security, select the new policy, then click Enable on the bottom menu.
  17. Click Commit.

When IOCs are present, you can see them at Objects > External Dynamic Lists. Select the EDL and look in the List Entries And Exceptions tab.
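As an added example (not part of Rapid7's or Palo Alto Networks' documentation), the following Python sketches two checks a practitioner would want around the EDL procedure above: building the authenticated Source URL from step 4 of the EDL creation steps, and verifying that the entries pulled into an EDL match its list type and stay within the 250,000-IOC device limit from the table at the top. The URL path, account ID, API key and sample entries are constructed placeholders, and the domain/URL classification heuristic is an assumption, not PAN-OS's own parsing.

```python
import ipaddress
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Added example; not Rapid7 or Palo Alto Networks code.
DEVICE_IOC_LIMIT = 250_000  # device IOC limit from the table above
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def build_edl_source(ioc_group_url, account_id, api_key):
    """Step 4 of the EDL procedure: rewrite the IOC Group URL as
    https://[accountID]:[API key]@api.intsights.com/... (encoding is an assumption)."""
    parts = urlsplit(ioc_group_url)
    if parts.scheme != "https" or parts.netloc != "api.intsights.com":
        raise ValueError("expected an https://api.intsights.com IOC Group URL")
    userinfo = f"{quote(account_id, safe='')}:{quote(api_key, safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@api.intsights.com"))

def classify_ioc(value):
    """Heuristic (assumption): 'ip' (address/CIDR), 'url', 'domain', or None."""
    try:
        ipaddress.ip_network(value, strict=False)
        return "ip"
    except ValueError:
        pass
    if "/" in value or value.lower().startswith(("http://", "https://")):
        return "url"
    return "domain" if _DOMAIN_RE.match(value) else None

def check_edl(lines, edl_type, limit=DEVICE_IOC_LIMIT):
    """The page requires the EDL type to match the IOC group type; report entries
    that do not, and whether the list exceeds the device IOC limit."""
    matched, mismatched = 0, []
    for raw in lines:
        value = raw.strip()
        if not value or value.startswith("#"):  # skip blanks and comments
            continue
        if classify_ioc(value) == edl_type:
            matched += 1
        else:
            mismatched.append(value)
    return matched, mismatched, matched > limit

# Constructed sample of a Domain List pull that contains two wrong-type entries.
SAMPLE_DOMAIN_EDL = [
    "malicious.example",
    "c2.test",
    "198.51.100.7",           # belongs in the IP List EDL
    "bad.example/login.php",  # belongs in the URL List EDL
]
```

Running check_edl on a fresh pull before Commit catches a group whose type does not match the EDL type, which would otherwise silently populate the list with entries the policy never matches.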