https://live.paloaltonetworks.com/t5/log-forwarding-articles/soc-duck/ta-p/281590 <DIV class="lia-message-template-content-zone"> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 1.jpg" style="width: 327px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20907i4A77ED4E8C0F2F98/image-dimensions/327x261/is-moderation-mode/true?v=v2" width="327" height="261" role="button" title="Duck 1.jpg" alt="Duck 1.jpg" /></span></STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 2.jpg" style="width: 371px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20908iCA9BFA9B6C3AD5DC/image-dimensions/371x262/is-moderation-mode/true?v=v2" width="371" height="262" role="button" title="Duck 2.jpg" alt="Duck 2.jpg" /></span></P> <P>&nbsp;</P> <P><STRONG>Description:</STRONG></P> <P><SPAN style="font-weight: 400;">Build your own visual alert DUCKhickey that integrates with the Palo Alto Networks platform using the HTTP Log Forwarding feature in PAN-OS 8.X and above. I configured the SOC Duck in the Black Hat NOC to trigger and light up with threat alerts. The alerts are configurable for how and when the SOC Duck is triggered.</SPAN></P> <P><BR /><BR /></P> <P><STRONG>Purpose:</STRONG></P> <P><SPAN style="font-weight: 400;">This is for experimental purposes only—to create a cool </SPAN><I><SPAN style="font-weight: 400;">thing</SPAN></I><SPAN style="font-weight: 400;">. This is not intended to be used in a production environment and is supported as best effort. If you happen to make this production ready or utilize this in your Operations Center, please let us know!</SPAN></P> <P><BR /><BR /></P> <P><STRONG>Components List:</STRONG></P> <P><SPAN style="font-weight: 400;">If you attended the Black Hat USA conference in 2019, then you would have received a kit of components from the Palo Alto Networks booth in the Expo Hall. If you want to build your own then here is what you will need to get started:</SPAN></P> <UL> <LI style="font-weight: 400;"><SPAN style="font-weight: 400;">Sacrificial Rubber Ducky</SPAN></LI> <LI style="font-weight: 400;"><SPAN style="font-weight: 400;">ESP32 Development Board</SPAN></LI> <LI style="font-weight: 400;"><SPAN style="font-weight: 400;">LEDs&nbsp;</SPAN></LI> <LI style="font-weight: 400;"><SPAN style="font-weight: 400;">Arduino IDE Open-source Software</SPAN></LI> </UL> <P><BR /><BR /></P> <P><STRONG>Getting Started:</STRONG></P> <P><SPAN style="font-weight: 400;">If you are brand new to Arduino and need a kick-start on how to get the things to connect </SPAN><A title="Arduino core for the ESP32 | GitHub | Palo Alto Networks" href="https://github.com/espressif/arduino-esp32" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">START HERE</SPAN></A><SPAN style="font-weight: 400;">.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="https://docs.espressif.com/projects/esp-idf/en/latest/get-started/" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">Official Documentation for ESP-IDF (Espressif IoT Development Framework)</SPAN></A></P> <P><BR /><BR /></P> <P><STRONG>Flash the Firmware:</STRONG></P> <P><SPAN style="font-weight: 400;">Once you are able to establish communication with your ESP32 development board then upload </SPAN><A title="Code for Black Hat Projects | GitHub | Palo Alto Network" href="https://github.com/PaloAltoNetworks/BlackHat" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">this firmware </SPAN></A><SPAN style="font-weight: 400;">to it. This will set up the ESP32 as an HTTP web server. Follow the README in order to get this set up successfully.</SPAN></P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 3.jpg" style="width: 414px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20909i754DC1910523E00B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 3.jpg" alt="Duck 3.jpg" /></span><BR /><BR /></P> <P><STRONG>PAN-OS Configuration:</STRONG></P> <P><SPAN style="font-weight: 400;">Within the Palo Alto Networks web interface, navigate to </SPAN><STRONG>Device &gt; HTTP</STRONG><SPAN style="font-weight: 400;"> and add an HTTP Server Profile:</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 4.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20910iE4E5124BFB9B86ED/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 4.jpg" alt="Duck 4.jpg" /></span></P> <P><STRONG>Name: </STRONG><SPAN style="font-weight: 400;">Give it a wicked cool name or you can use what I have <span class="lia-unicode-emoji" title=":winking_face:">😉</span></SPAN></P> <P><STRONG>Address: </STRONG><SPAN style="font-weight: 400;">You will input the IP address that the ESP32 displays within the IDE serial monitor</SPAN></P> <P><STRONG>Protocol: </STRONG><SPAN style="font-weight: 400;">HTTP</SPAN></P> <P><STRONG>Port: </STRONG><SPAN style="font-weight: 400;">80</SPAN></P> <P><STRONG>TLS: </STRONG><SPAN style="font-weight: 400;">None</SPAN></P> <P><STRONG>Certificate Profile: </STRONG><SPAN style="font-weight: 400;">None</SPAN></P> <P><STRONG>HTTP Method: </STRONG><SPAN style="font-weight: 400;">GET</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">After this is complete, make sure to Test Server Connection to verify your configuration information is correct.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>Click the Tab for Payload Format</STRONG></P> <P><SPAN style="font-weight: 400;">You can choose any log type listed. The payload format will be the same for any log type you choose to configure.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 5.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20911i8EB4C5CABC4251C0/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 5.jpg" alt="Duck 5.jpg" /></span></P> <P><STRONG>Name: </STRONG><SPAN style="font-weight: 400;">Again, cool name or stick with mine</SPAN></P> <P><STRONG>URI Format: </STRONG><SPAN style="font-weight: 400;">This will be the URL path that you want triggered. ‘/alert’ is the default</SPAN></P> <P><STRONG><I>Note:</I></STRONG> <I><SPAN style="font-weight: 400;">If you want to add some security you can update the ‘/alert’ URI&nbsp; and add random characters into the URI. Example: ‘/HiS99s0aPeUNrWns/alert’. This will need to be updated within the .ino file (the firmware you loaded onto your SOC Duck) as well as in the URI Format in the PAN-OS web interface.</SPAN></I></P> <P><STRONG>HTTP Headers: </STRONG><SPAN style="font-weight: 400;">content-type</SPAN></P> <P><STRONG>Value: </STRONG><SPAN style="font-weight: 400;">text/html</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">Payload is left blank on purpose.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Click OK</STRONG></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">Repeat these steps for each log type you want to define.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 6.jpg" style="width: 975px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20912i16D6090DC3812D0A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 6.jpg" alt="Duck 6.jpg" /></span></P> <P><STRONG>Click OK</STRONG></P> <P>&nbsp;</P> <P><STRONG>Navigate to Objects &gt; Log Forwarding </STRONG><SPAN style="font-weight: 400;">and add a Log Forwarding Profile</SPAN></P> <P><SPAN style="font-weight: 400;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 7.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20913i9C62395AE8BFCDB2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 7.jpg" alt="Duck 7.jpg" /></span>&nbsp;</SPAN></P> <P><SPAN style="font-weight: 400;">Create the log forwarding profile match list. This is where you will configure the log type(s) that will trigger the SOC Duck. Attach the HTTP Server Profile that you created in the previous step here.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 8.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20914i2080EAD2F4EFF0F2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 8.jpg" alt="Duck 8.jpg" /></span></P> <P><SPAN style="font-weight: 400;">Repeat steps if you want to add additional filters. For my use case, I am filtering on threat logs with a high and critical severity as well as malicious WildFire verdicts.</SPAN></P> <P><STRONG>Click OK</STRONG></P> <P>&nbsp;</P> <P><STRONG>Navigate to Policies &gt; Security &gt;&nbsp; Security Policy Rule </STRONG><SPAN style="font-weight: 400;">you want to attach the Log Forwarding Profile to </SPAN><STRONG>&gt; Actions &gt; Log Setting</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 9.jpg" style="width: 975px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20915i24153FAAA90A1F37/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 9.jpg" alt="Duck 9.jpg" /></span><BR /><BR /></P> <P><STRONG>Click OK</STRONG></P> <P>&nbsp;</P> <P><STRONG>Commit Changes</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Duck 10.jpg" style="width: 561px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20916i54B63E868D601763/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Duck 10.jpg" alt="Duck 10.jpg" /></span></P> <P><SPAN style="font-weight: 400;">If all went well the log type and filter you defined should now trigger your SOC Duck!</SPAN></P> <P>&nbsp;</P> <P><STRONG>Written By: </STRONG><SPAN style="font-weight: 400;">Sandra Wenzel &amp; Dan Ward, Consulting Engineers for Palo Alto Networks</SPAN></P> </DIV> Tue, 13 Aug 2019 18:33:10 GMT Jamiefitzgerald 2019-08-13T18:33:10Z https://live.paloaltonetworks.com/t5/log-forwarding-articles/soc-duck/ta-p/281590 <P><SPAN style="font-weight: 400;">Build your own visual alert DUCKhickey that integrates with the Palo Alto Networks platform using the HTTP Log Forwarding feature in PAN-OS 8.X and above. I configured the SOC Duck in the Black Hat NOC to trigger and light up with threat alerts. The alerts are configurable for how and when the SOC Duck is triggered.</SPAN></P> Tue, 13 Aug 2019 18:33:10 GMT https://live.paloaltonetworks.com/t5/log-forwarding-articles/soc-duck/ta-p/281590 Jamiefitzgerald 2019-08-13T18:33:10Z