https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137015#M97688 <P>Hello,</P> <P>&nbsp;</P> <P>In some use-cases, we may want to have the following features:</P> <P>&nbsp;</P> <UL> <LI>Filtering - Maybe a list of search strings that if matched are excluded from the output <UL> <LI>Use-Case: URL lists for O365 are very messy, and sometimes we don't trust all the output given by MS. &nbsp;We may want to filter certain URLs from getting added to the output</LI> </UL> </LI> <LI>Notification - Knowledge of new additions/removals to an output via email, syslog, HTTP call, or whatever other notification framework fits best with the project (I do see there are logs in the Log tab, but I am not sure exactly the meaning, and/or if anything can be done with these logs) <UL> <LI>Use-Case: Some lists may need to be monitored closely, particularly lists that do not change often or have significant impact in the environment. &nbsp;</LI> </UL> </LI> <LI>Approval - Approve changes before they are added to an output <UL> <LI>Use-Case: Similarly with O365, we may want to approve the changes rather than trust them by default. &nbsp;Some vetting process may be done by the admin, and they would decide to add something to the filter or approve the changes</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>Would this be some kind of processor node that handles these?</P> <P>&nbsp;</P> <P>Is there something I am missing that is already doing this or maybe doing it in a different way than I have framed it up?</P> <P>&nbsp;</P> <P>Thanks</P> <P>~ Andrew</P> Wed, 11 Jan 2017 17:01:51 GMT andrew.stanton 2017-01-11T17:01:51Z https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137015#M97688 <P>Hello,</P> <P>&nbsp;</P> <P>In some use-cases, we may want to have the following features:</P> <P>&nbsp;</P> <UL> <LI>Filtering - Maybe a list of search strings that if matched are excluded from the output <UL> <LI>Use-Case: URL lists for O365 are very messy, and sometimes we don't trust all the output given by MS. &nbsp;We may want to filter certain URLs from getting added to the output</LI> </UL> </LI> <LI>Notification - Knowledge of new additions/removals to an output via email, syslog, HTTP call, or whatever other notification framework fits best with the project (I do see there are logs in the Log tab, but I am not sure exactly the meaning, and/or if anything can be done with these logs) <UL> <LI>Use-Case: Some lists may need to be monitored closely, particularly lists that do not change often or have significant impact in the environment. &nbsp;</LI> </UL> </LI> <LI>Approval - Approve changes before they are added to an output <UL> <LI>Use-Case: Similarly with O365, we may want to approve the changes rather than trust them by default. &nbsp;Some vetting process may be done by the admin, and they would decide to add something to the filter or approve the changes</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>Would this be some kind of processor node that handles these?</P> <P>&nbsp;</P> <P>Is there something I am missing that is already doing this or maybe doing it in a different way than I have framed it up?</P> <P>&nbsp;</P> <P>Thanks</P> <P>~ Andrew</P> Wed, 11 Jan 2017 17:01:51 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137015#M97688 andrew.stanton 2017-01-11T17:01:51Z https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137515#M97689 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33044">@andrew.stanton</a>,</P> <P>all your points are extremely good. A manual approval workflow and notifications is something we are planning to add and we have started thinking about it. As a starting point how would you like to handle notifications ? email ? Slack ?</P> <P>&nbsp;</P> <P>About filtering, you can use whitelists or infilters feature of nodes to filter out specific URLs.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Sat, 14 Jan 2017 06:07:09 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137515#M97689 lmori 2017-01-14T06:07:09Z https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137976#M97690 <P>standard internal corporate SMTP would likely be a good starting point</P> <P>maybe syslog as well</P> <P>i would adhere to similar methodologies as the firewall software for continuity, but your development resources are probably different than for PAN-OS.&nbsp;I don't know much about RSS, but would that be a good idea? HTTP callout? SNMP trap would probably be unnecessary and never adopted.</P> <P>&nbsp;</P> <P>Do you have an example on the filtering with whitelists or infilters feature or point me to another document?</P> <P>&nbsp;</P> <P>Thanks<BR />~ Andrew</P> Tue, 17 Jan 2017 22:13:05 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/137976#M97690 andrew.stanton 2017-01-17T22:13:05Z https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/198916#M97691 <P>I echo the suggestions below. If there was also a robust API, this might be able to be scripted external to MM, but even just a syslog would be useful to create at least the notification.&nbsp;</P> Tue, 06 Feb 2018 00:37:03 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-notification-approval-processing-capability/m-p/198916#M97691 jgeyer 2018-02-06T00:37:03Z