Following Microsoft Office 365 Connectivity Principles with Prisma Access & Cortex XSOAR
Microsoft outlines their connectivity principles to ensure optimal connectivity to Office 365 resources. By utilizing Cortex XSOAR with Prisma Access, these principles can be followed without continued manual effort. You can read more on Microsoft’s 365 Connectivity Principles here.
Please note that following these principles allows all IP addresses and URLs in the feeds and exempts some of them from inspection. Organizations should carefully review the feed contents to ensure policy compliance.
We will start our configuration in the XSOAR console; note that a Threat Intelligence Management license is required. From the menu on the left, select Settings.
Cortex XSOAR Navigation Menu
On the settings page, ensure Servers & Services is selected from the Integrations tab. In the search box, type “Office 365”.
The Office 365 feed should appear in the results. Click Add Instance.
Cortex XSOAR Settings Integration Page
On the Office 365 Feed configuration window, enter a name for the feed. Make note of this feed name for later use. All of the default settings can be kept unless you have a specific need to change them. Click Done.
Office 365 Configuration Dialog Box
Now that we have configured the Office 365 feed, we will configure the external dynamic list service to use with Prisma Access.
Back on the Servers & Services Settings page, type “EDL” in the search box. The option for Palo Alto Networks PAN-OS EDL Service should appear. Click Add Instance on the right side of the page.
Cortex XSOAR Settings Integrations Menu
We will start by creating the EDL for Office 365 URLs to use in our Optimize/Allow traffic handling policy. From the PAN-OS EDL configuration window, enter a name for the EDL feed and the following Indicator Query:
sourceBrands:"Office 365 Feed" and (type:Domain or type:DomainGlob) and (office365category:Optimize or office365category:Allow)
NOTE: the sourceBrands value must match the name you entered for the Office 365 feed. In our example we used “Office 365 Feed.”
Enter a unique port number in the Listen Port field; other settings can be left at their defaults unless you need to modify them.
Repeat the EDL configuration three more times using the following queries. This configures additional feeds for Optimize/Allow handling of IP addresses, Default handling of URLs, and Default handling of IP addresses. Don’t forget to modify your queries with the correct name for your Office 365 feed and to use a unique port for each feed.
Optimize / Allow IP addresses
sourceBrands:"Office 365 Feed" and (type:CIDR or type:IPv6CIDR) and (office365category:Optimize or office365category:Allow)
Default URLs
sourceBrands:"Office 365 Feed" and (type:Domain or type:DomainGlob) and office365category:Default
Default IP addresses
sourceBrands:"Office 365 Feed" and (type:CIDR or type:IPv6CIDR) and office365category:Default
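The post advises reviewing what these feeds contain before they are allowed and exempted from inspection. As an added example (not part of the original post and not XSOAR or PAN-OS code), here is a small Python review script that classifies each line an EDL serves into the indicator types the four queries select on (Domain, DomainGlob, CIDR, IPv6CIDR), flags entries that do not belong in the EDL they appear in, and flags overly broad wildcards or prefixes; the sample EDL contents and the breadth thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Hostname label; a leading "*." marks a PAN-OS wildcard (DomainGlob) entry.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")      # at least two labels
_GLOB_TAIL_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")   # what follows "*."

URL_TYPES = {"domain", "domainglob"}   # expected in the two URL EDLs
IP_TYPES = {"cidr", "ipv6cidr"}        # expected in the two IP EDLs

def classify_entry(entry: str) -> str:
    """Map one EDL line to the XSOAR indicator type the queries select on."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return "comment"
    try:
        net = ipaddress.ip_network(e, strict=False)
        return "ipv6cidr" if net.version == 6 else "cidr"
    except ValueError:
        pass
    if e.startswith("*."):
        return "domainglob" if _GLOB_TAIL_RE.match(e[2:]) else "invalid"
    return "domain" if _DOMAIN_RE.match(e) else "invalid"

def review_edl(text: str, expected: set) -> dict:
    """Count entry types and flag lines that should not be in this EDL (thresholds are assumed)."""
    counts, findings = Counter(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry, kind = raw.strip(), classify_entry(raw)
        if kind == "comment":
            continue
        counts[kind] += 1
        if kind not in expected:
            findings.append((lineno, entry, f"unexpected type {kind}"))
        elif kind == "domainglob" and entry.count(".") < 2:
            findings.append((lineno, entry, "overly broad wildcard"))   # e.g. "*.com"
        elif kind in IP_TYPES:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen < (8 if net.version == 4 else 32):
                findings.append((lineno, entry, "overly broad prefix"))
    return {"counts": dict(counts), "findings": findings}

# Constructed sample EDL output (not captured from a real XSOAR instance).
SAMPLE_URL_EDL = "outlook.office.com\n*.protection.outlook.com\nsmtp.office365.com\n13.107.6.152/31\n*.com\n"
SAMPLE_IP_EDL = "13.107.6.152/31\n2603:1006::/40\n13.0.0.0/6\noutlook.office.com\n"
```

Point the script at the text each EDL port serves and compare the findings against your policy before committing the rules.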
Once these feeds have been configured, you can preview them by browsing to your Cortex XSOAR server's address on the port number you configured for each feed. Here is a snippet from the Allow/Optimize URL feed:
Repeat these steps to create a policy for Default URLs, selecting the Default URL EDL list on the Service/URL Category Tab. On the Actions Tab you can also specify security profiles for Default traffic.
On the Destination Tab, click Add on the left and add your UnTrust zone. In the Destination Address section, click Add and add your Office 365 IP Allow Optimize EDL to the policy rule. Next, click the Actions Tab:
You should now have two Decryption policies for Office 365. Make sure they are placed above your primary decrypt policy so that they are evaluated first.
Panorama Decryption Policy Page
Click Commit > Commit and Push at the top left:
Panorama Commit Options Menu
Now that you have configured the EDLs and the policies, you should see log entries for the EDL refresh jobs under the Monitor tab. Select Logs > System from the left side. Note that logs may take a few minutes to populate.