Filtering, Notification, Approval processing capability

L2 Linker

Filtering, Notification, Approval processing capability

Hello,

In some use-cases, we may want to have the following features:

  • Filtering - Maybe a list of search strings that if matched are excluded from the output
    • Use-Case: URL lists for O365 are very messy, and sometimes we don't trust all the output given by MS.  We may want to filter certain URLs from getting added to the output
  • Notification - Knowledge of new additions/removals to an output via email, syslog, HTTP call, or whatever other notification framework fits best with the project (I do see there are logs in the Log tab, but I am not sure exactly the meaning, and/or if anything can be done with these logs)
    • Use-Case: Some lists may need to be monitored closely, particularly lists that do not change often or have significant impact in the environment.  
  • Approval - Approve changes before they are added to an output
    • Use-Case: Similarly with O365, we may want to approve the changes rather than trust them by default.  Some vetting process may be done by the admin, and they would decide to add something to the filter or approve the changes

Would this be some kind of processor node that handles these?

Is there something I am missing that is already doing this or maybe doing it in a different way than I have framed it up?

Thanks

~ Andrew
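As an added illustration (not MineMeld's code and not from anyone in this thread), the sketch below shows the three capabilities the post asks for, in the order they would sit in a processing node: a filter that drops indicators matching exclusion patterns, a diff against the last published output that produces notification events, and an approval gate that only publishes changes an admin has signed off. The feed contents, the regular-expression pattern syntax, the syslog-style event format and the `approved` set are all constructed assumptions for the example.

```python
import re

# Constructed sample data (not a real O365 list): what an upstream feed delivered this cycle
UPSTREAM_FEED = [
    "outlook.office365.com",
    "*.sharepoint.com",
    "login.microsoftonline.com",
    "example-cdn.com",           # constructed: an entry the admin does not want published
    "teams.microsoft.com",
]

# What the output currently publishes (constructed)
PUBLISHED = ["outlook.office365.com", "login.microsoftonline.com", "old.example.net"]

# Exclusion patterns (regular expressions; the syntax is an assumption of this sketch):
# any indicator matching one of these never reaches the output
EXCLUDE_PATTERNS = [r"example-cdn\.com$"]


def filter_indicators(indicators, exclude_patterns):
    """Split indicators into (kept, dropped) using the exclusion patterns."""
    compiled = [re.compile(p) for p in exclude_patterns]
    kept, dropped = [], []
    for indicator in indicators:
        (dropped if any(c.search(indicator) for c in compiled) else kept).append(indicator)
    return kept, dropped


def diff_outputs(previous, current):
    """Return (added, removed) between the published output and the proposed one."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def build_notifications(added, removed, feed="upstream-feed"):
    """Render one syslog-style line per change (the line format is an assumption)."""
    lines = [f"feed={feed} event=added indicator={i}" for i in added]
    lines += [f"feed={feed} event=removed indicator={i}" for i in removed]
    return lines


def apply_approval_gate(published, proposed, approved):
    """Publish only the changes an admin approved; everything else stays pending.

    `approved` is the set of indicators whose add or remove has been signed off.
    """
    added, removed = diff_outputs(published, proposed)
    new_published = set(published)
    new_published |= {i for i in added if i in approved}
    new_published -= {i for i in removed if i in approved}
    pending = [("add", i) for i in added if i not in approved]
    pending += [("remove", i) for i in removed if i not in approved]
    return sorted(new_published), pending


def run_cycle(published, upstream, exclude_patterns, approved):
    """One processing cycle: filter, notify on the diff, then gate on approval."""
    kept, dropped = filter_indicators(upstream, exclude_patterns)
    added, removed = diff_outputs(published, kept)
    new_published, pending = apply_approval_gate(published, kept, approved)
    return {
        "dropped": dropped,
        "notifications": build_notifications(added, removed),
        "published": new_published,
        "pending": pending,
    }


if __name__ == "__main__":
    result = run_cycle(PUBLISHED, UPSTREAM_FEED, EXCLUDE_PATTERNS, approved={"*.sharepoint.com"})
    for line in result["notifications"]:
        print(line)
    print("published:", result["published"])
    print("pending approval:", result["pending"])
```

Notifications are generated from the diff before the approval gate runs, so an admin hears about a proposed change even when it is held; the gate then keeps the published set unchanged for anything not in `approved`, which is the "approve before it is added to an output" behaviour the post describes.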

L7 Applicator

Re: Filtering, Notification, Approval processing capability

Hi @andrew.stanton,

All your points are extremely good. A manual approval workflow and notifications are something we are planning to add, and we have started thinking about it. As a starting point, how would you like to handle notifications? Email? Slack?

About filtering, you can use the whitelists or infilters feature of nodes to filter out specific URLs.

Thanks,

luigi

L2 Linker

Re: Filtering, Notification, Approval processing capability

Standard internal corporate SMTP would likely be a good starting point.

Maybe syslog as well.

I would adhere to similar methodologies as the firewall software for continuity, but your development resources are probably different than for PAN-OS. I don't know much about RSS, but would that be a good idea? HTTP callout? SNMP trap would probably be unnecessary and never adopted.

Do you have an example of the filtering with the whitelists or infilters feature, or can you point me to another document?

Thanks
~ Andrew

L0 Member

Re: Filtering, Notification, Approval processing capability

I echo the suggestions below. If there was also a robust API, this might be able to be scripted external to MM, but even just a syslog would be useful to create at least the notification.