PAN-OS 8.0 HTTP Log Integration with Slack
This document assumes that you have already created a Slack team. This sample integration was done with a free Slack account.
Once you have created your Slack team, login to your slack account and add an “Incoming Webhooks” custom integration on the slack website. During that configuration, you will select the channel where the message will be broadcast (#general in this example). You will also receive a Webhook URL, and an opportunity to customize the Name and Icon for the source of the message.
Here’s a screenshot of the Incoming Webhooks configuration on the slack website:
Next, configure an HTTP Server Profile in PAN-OS 8.0. Use the first part of the Webhooks URL in the “Address” field. In this example, it is “hooks.slack.com” using HTTPS on 443 with the POST HTTP method. Username/Password are not required for this particular integration.
Personally, I was interested in specific “system” events, so this document focuses on the system-level logs. Similar integrations could easily be done with traffic, threat, and/or URL logs.
This is what the System format looks like:
In the URI Format box, provide the URI portion of the Slack-provided Incoming Webhooks URL, beginning with /service
The content-type must be application/json
Leave the Parameters field blank.
The Payload input box accepts the default Slack-preferred JSON format as documented here: https://api.slack.com/incoming-webhooks
No additional escaping is required to add the PAN-OS provided variables to the payload. In this example, I’m using a rich-formatted “attachments” message from Slack, although the basic format works perfectly as well.
Here are two samples that you should be able to cut and paste:
Rich Format Message:
"fallback": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------",
"text": "$time_generated: <https://pa0.example.com|pa0> reports $severity $subtype event:\n$opaque",
Simple Format Message:
"text": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------"
Since I was mainly interested in system-level events, I tied it all together in the Device / Log Settings tab. I haven’t narrowed-down exactly what I want to see in the slack channel, but for the purposes of this test, I wanted to see non-informational ha or crypto events, so used the following system log filter:
(( subtype eq ha ) or (subtype eq crypto)) and ( severity neq informational )
I matched that with the “Slack System Event 1” created earlier. The configuration looks like this:
Here’s what I see on my desktop in the Slack app when I initiate a manual HA state change via the PAN-OS GUI:
Looks good on the phone too: Created by Jared Valentine - Systems Engineer
For this example, I am using HTTP log forwarding along with IFTTT to get a push notification on my iPhone every time there is a Critical Threat event.
Install IFTTT and sign up for an account on your desktop at ifttt.com
Once you are logged in through your browser, go to https://ifttt.com/maker and connect Maker to your account. Next, click on the settings icon, and follow the link to your Maker URL
Take note of the example URL, as it contains your API key.
Create a new IFTTT applet
Click on the My Applets menu item, then click the New Applet button. The first half of the applet is If This – click on “+this” and search for the Maker service. Under the Maker service, select the Web Request Trigger and configure it as shown below
Complete your applet by setting the action to a Notification
Configure the firewall log forwarding settings
Create a new HTTP log server profile. Add a new server, setting the Address to maker.ifttt.com. Configure the server to use either HTTP or HTTPS, and set the HTTP Method to POST. Under Payload Format, edit the Threat format as shown below
The URL format should be set to:
trigger/Critical_Threat/with/key/<<YOUR KEY HERE>>
Note – this is from the URL you got from the Maker service settings in step 1.
Set the Payload to:
Then send a Test log – your IFTTT app should notify you at this point.
Configure a log profile for critical threats to use the push service
Create a new log forwarding profile, or edit your existing one to forward Threat logs with the Filter set to (severity eq critical), then add your new HTTP server under forwarding method. Apply this log forwarding profile to any security policies with Threat Prevention to trigger push notifications automatically.
Created by Darren Rogers.