topic Re: PBF for Office 365 in General Topics

PBF for Office 365

rrunge1 — Tue, 17 May 2016 18:06:14 GMT

Hi all,

One of our startegic customer is requesting the possibility to route just the O365 traffic to a specific link and after researching about this I think that the best is using MineMeld to automatically feed a list of application IP adrress but I did't find any documentation describing how to perform this.

Any of you have used the MineMeld to monitor the O365 address and imput this into PANW and can share some details with me?

Thank you and regards,

Re: PBF for Office 365

lmori — Thu, 19 May 2016 14:17:46 GMT

We at least one customer using PBF with IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.

Re: PBF for Office 365

rrunge1 — Thu, 19 May 2016 14:28:23 GMT

Imori, can you share how they are using DBL to do this?

@lmori wrote:

We at least one customer using PBF with IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.

Re: PBF for Office 365

lmori — Mon, 23 May 2016 07:44:17 GMT

Hi rrunge1,

you can use a DBL as target for the PBF rule. DBL is populated with O365 IP addresses by O365 Miners.

luigi

Re: PBF for Office 365

rrunge1 — Tue, 24 May 2016 21:52:46 GMT

@lmori wrote:

Hi rrunge1,

you can use a DBL as target for the PBF rule. DBL is populated with O365 IP addresses by O365 Miners.

luigi

Luigi,

I created the miner using the prototype Office365.O365 but apparently there are some IPs missing in the default list comparing from: https://support.content.office.net/en-us/static/O365IPAddresses.xml aren't part of Office365.O365 miner.

I tried to customize the prototype using the address above and could collect more than 1000 indicators from the xml but the processor doesn't understand the format.

Re: PBF for Office 365

lmori — Wed, 25 May 2016 08:45:52 GMT

Hi rrunge1,

Microsoft splits the IP addresses and URLs used for O365 in 17 different lists, one for each O365 service.

Each service has a corresponding Miner in MineMeld. If you want to gather all the IPs you need all the Miners. Basically your graph should look like this one:

You can download the config here:

https://paloaltonetworks.box.com/s/4ubmkgrq72a8mdd24j733ddqdgbkyvv4

To use it you should:

- upload the file to the VM via SCP or SFTP (you can use Filezilla on Windows)

- login into the VM via SSH

- and then

$ sudo -u minemeld cp office365-config.yml /opt/minemeld/local/config/committed-config.yml
$ sudo service minemeld restart

luigi

Re: PBF for Office 365

rrunge1 — Mon, 30 May 2016 17:52:50 GMT

Thanks Luigi, i's working now!

Re: PBF for Office 365

lmori — Wed, 01 Jun 2016 08:11:43 GMT

Great ! Thanks for letting me know !

Re: PBF for Office 365

chirss — Tue, 27 Sep 2016 00:25:26 GMT

Is this safe without overwriting the other configurations in place?

Re: PBF for Office 365

lmori — Tue, 27 Sep 2016 09:08:23 GMT

Hi chirsf,

you should merge the 2 configs by hand:

- sudo -u minemeld vi /opt/minemeld/local/config/committed-config.yml

- the config format is straightforward, it's basically a list of nodes:

nodes:
    node1:
        [...]
    node2:
        [...]

- you should append the list of nodes from the O365 config files to the list of nodes of the current committed-config:

nodes:
    node1:
        [...]
    node2:
        [...]
    o365:
        [...]
    ...

- restart minemeld service "sudo service minemeld restart"

Re: PBF for Office 365

chirss — Tue, 27 Sep 2016 15:57:00 GMT

So just delete the nodes: entry and then cat file >> otherfile ?

Re: PBF for Office 365

lmori — Tue, 27 Sep 2016 17:07:26 GMT

yes, that should work 🙂

Re: PBF for Office 365

chirss — Tue, 27 Sep 2016 19:34:02 GMT

So the fun part is it shows up in the nodes section, but not in the config. It does work and does pull the data down.

Re: PBF for Office 365

chirss — Tue, 27 Sep 2016 20:58:09 GMT

Aha I had to hit load. All good now.

Is that file the only thing you really need to restore the system should you have to reimage or rebuild?

Re: PBF for Office 365

lmori — Tue, 27 Sep 2016 21:21:35 GMT

All the information you need to rebuild the instance is stored under /opt/minemeld/local/config.

You may also want to backup local/data (after stopping minemeld-engine) if you want to save the current set of indicators.

Re: PBF for Office 365

rkoenig — Sat, 19 Nov 2016 00:03:29 GMT

Thanks for adding the ability to easily modify the config! Cut and paste and all done. Everything looks good so far!