Prisma Access, XSOAR and Office 365

L2 Linker

Microsoft Office 365 with Prisma Access and Cortex XSOAR.png

 

Following Microsoft Office 365 Connectivity Principles with
Prisma Access & Cortex XSOAR

 

Microsoft outlines their connectivity principles to ensure optimal connectivity to Office 365 resources. By utilizing Cortex XSOAR with Prisma Access, these principles can be followed without continued manual effort. You can read more on Microsoft’s 365 Connectivity Principles here.

 

Please note that following these principles will allow all IP addresses and URLs in the feeds and bypass some of them from inspection. Organizations should carefully review the feed contents to ensure policy compliance.

 

We will start our configuration in the XSOAR console, note that a Threat Intelligence Management license is required. From the menu on the left, select Settings.

 

Cortex XSOAR Navigation MenuCortex XSOAR Navigation Menu

On the settings page, ensure Servers & Services is selected from the Integrations tab. In the search box, type “Office 365”

 

The Office 365 feed should appear in the results, click Add Instance.

Cortex XSOAR Settings Integration PageCortex XSOAR Settings Integration Page

On the Office 365 Feed configuration window, enter a name for the feed. Make note of this feed name for later use.  All of the default settings can be kept unless you have a specific need to change them. Click Done.

 

Office 365 Configuration Dialog BoxOffice 365 Configuration Dialog Box

 

 

Now that we have configured the Office 365 feed, we will configure the external dynamic list service to use with Prisma Access.

 

Back on the Servers & Services Settings page, type “EDL” in the search box. The option for Palo Alto Networks PAN-OS EDL Service should appear. Click Add Instance on the right side of the page.

 

Cortex XSOAR Settings Integrations MenuCortex XSOAR Settings Integrations Menu

We will start by creating the EDL for Office 365 URLs to use in our Optimize/Allow traffic handling policy. From the PAN-OS EDL configuration window, enter a name for the EDL feed and the following Indicator Query:

 

sourceBrands:"Office 365 Feed" and (type:Domain or type:DomainGlob) and (office365category:Optimize or office365category:Allow)

 

NOTE: the sourceBrands section must match the name of you entered for the Office 365 feed. In our example we used “Office 365 Feed.”

 

Enter a unique port number in the Listen Port field, other settings can be left as default unless you have a need to modify them.

 

Palo Alto Networks PAN-OS EDL Configuration Dialog BoxPalo Alto Networks PAN-OS EDL Configuration Dialog Box

Repeat the EDL configuration three more times for using the following queries. This will configure additional feeds for Optimize/Allow handling IP addresses, Default handling for URLs, and Default handling for IP addresses. Don’t forget to modify your queries with the correct name for your Office 365 feed and use unique ports for each feed.

 

Optimize / Allow

IPs:

sourceBrands:"Office 365 Feed" and (type:CIDR or type:IPv6CIDR) and (office365category:Optimize or office365category:Allow)

 

Default

URL:

sourceBrands:"Office 365 Feed" and (type:Domain or type:DomainGlob) and office365category:Default

 

IPs:

sourceBrands:"Office 365 Feed" and (type:CIDR or type:IPv6CIDR) and office365category:Default

 

Once these feeds have been configured, you can preview them by visiting the address of your Cortex XSOAR server and the port number you configured. Here is a snippet from the Allow/Optimize URL feed:

 

 

officeapps.live.com
*.officeapps.live.com
officeapps.live.com
*.officeapps.live.com
officeapps.live.com
*.officeapps.live.com
officeapps.live.com
*.officeapps.live.com
online.office.com
*.online.office.com
msidentity.com
*.msidentity.com
officeapps.live.com
*.officeapps.live.com
manage.office.com
*.manage.office.com
lync.com
*.lync.com
msftidentity.com
*.msftidentity.com
teams.microsoft.com
*.teams.microsoft.com
portal.cloudappsecurity.com
*.portal.cloudappsecurity.com

 

 

Once you have verified that all four feeds are working as expected, switch to Panorama to complete this configuration.

 

From Panorama, navigate to Objects from the top menu:

Panorama Top Navigation MenuPanorama Top Navigation Menu

On the left menu, select External Dynamic Lists:

Panorama Object Left Navigation MenuPanorama Object Left Navigation Menu

From the External Dynamic Lists page, click Add at the bottom left.

Panorama External Dynamic Lists Page OptionsPanorama External Dynamic Lists Page Options

On the External Dynamic Lists window, input a name for the list. Select URL List for the type and input the address and port number of your Optimize/Allow URL feed.

 

Please note you may need to configure a certificate profile depending on your feed configuration in XSOAR. Learn how to configure certificate profiles here.

Panorama Add External Dynamic List Dialog Box URL Allow OptimizePanorama Add External Dynamic List Dialog Box URL Allow Optimize

Click OK. Repeat this process for the URL Default feed:
Panorama Add External Dynamic List Dialog Box URL DefaultPanorama Add External Dynamic List Dialog Box URL Default

Next, we will add the IP based feeds. Click Add again from the bottom left:

Panorama External Dynamic Lists Page OptionsPanorama External Dynamic Lists Page Options

On the External Dynamic Lists window, input a name for the feed. Ensure the IP List type is selected and input the address and port number of your IP optimize/allow feed.

Panorama Add External Dynamic List Dialog Box IP Allow OptimizePanorama Add External Dynamic List Dialog Box IP Allow Optimize

Click OK. Repeat this process for the IP Default feed:

Panorama Add External Dynamic List Dialog Box IP DefaultPanorama Add External Dynamic List Dialog Box IP Default

Once completed, verify that you have four different lists with four different port numbers:

Panorama External Dynamic Lists PagePanorama External Dynamic Lists Page

Next we will configure policies to use these EDLs. Click Policies from the top menu:

Panorama Top Navigation Menu Dashboard TabPanorama Top Navigation Menu Dashboard Tab

Ensure that Security > Pre Rules is selected on the left:

Panorama Policies Left Navigation MenuPanorama Policies Left Navigation Menu

Click Add at the bottom left:

Panorama Security Pre Rules OptionsPanorama Security Pre Rules Options

Input a name for the policy rule, then click the source tab.

Panorama Add Security Policy Rule Dialog Box - General TabPanorama Add Security Policy Rule Dialog Box - General Tab

On the Source Tab, click Add and add your Trusted zone to the policy rule. Next, click the Destination Tab:

Panorama Add Security Policy Rule Dialog Box - Source TabPanorama Add Security Policy Rule Dialog Box - Source Tab

On the Destination Tab, click Add and add your UnTrust zone to the policy rule. Next, click the Service/URL Category Tab:

Panorama Add Security Policy Rule Dialog Box - Destination TabPanorama Add Security Policy Rule Dialog Box - Destination Tab

On the Service/URL Category Tab, click Add. Add the Office 365 URL Allow Optimize feed and then click the Actions Tab.

Panorama Add Security Policy Rule Dialog Box - Service/URL Category TabPanorama Add Security Policy Rule Dialog Box - Service/URL Category Tab

Verify the Action setting is set to Allow and configure log forwarding if desired. Click OK.

Panorama Add Security Policy Rule Dialog Box - Actions TabPanorama Add Security Policy Rule Dialog Box - Actions Tab

Repeat these steps to create a policy for Default URLs, selecting the Default URL EDL list on the Service/URL Category Tab. On the Actions Tab you can also specify security profiles for Default traffic.

Panorama Add Security Policy Rule Dialog Box - Service/URL Category TabPanorama Add Security Policy Rule Dialog Box - Service/URL Category Tab

Panorama Add Security Policy Rule Dialog Box - Actions Tab for AllowPanorama Add Security Policy Rule Dialog Box - Actions Tab for Allow

Next we will create policies for our IP based EDL feeds. Click Add at the bottom left of the Policies page.

Panorama Security Pre Rules OptionsPanorama Security Pre Rules Options

Input a name for the policy rule, then click the source tab.

Panorama Add Security Policy Rule Dialog Box - Allow Optimize IPPanorama Add Security Policy Rule Dialog Box - Allow Optimize IP

On the Source Tab, click Add and add your Trusted zone to the policy rule. Next, click the Destination Tab:

Panorama Add Security Policy Rule Dialog Box - Source Tab for TrustPanorama Add Security Policy Rule Dialog Box - Source Tab for Trust

On the Destination Tab, click Add on the left and add your UnTrust zone. In the Destination Address section, click Add and add your Office 365 IP Allow Optimize EDL to the policy rule. Next, click the Actions Tab:

Panorama Add Security Policy Rule Dialog Box - Destination Tab for UntrustPanorama Add Security Policy Rule Dialog Box - Destination Tab for Untrust

Verify the Action setting is set to Allow and configure log forwarding if desired. Click OK.

Panorama Add Security Policy Rule Dialog Box - Actions TabPanorama Add Security Policy Rule Dialog Box - Actions Tab

Repeat these steps to create a policy for Default IPs, selecting the Default IP EDL list on the Destination Tab. On the Actions Tab you can also specify security profiles for Default traffic.

Panorama Add Security Policy Rule Dialog Box - DestinationPanorama Add Security Policy Rule Dialog Box - Destination

Panorama Add Security Policy Rule Dialog Box - ActionsPanorama Add Security Policy Rule Dialog Box - Actions

Once done, you should have four newly created policies for Office 365 traffic. Ensure the policies are near the top of the list so they will be applied appropriately.

Panorama Security Policies PagePanorama Security Policies Page

Next we will bypass the Allow/Optimize URLs and IP addresses from SSL Decryption. On the left menu, click Decryption > Pre Rules:

Panorama Policies Left MenuPanorama Policies Left Menu

Click Add at the bottom left:

Panorama Decryption Pre Rules OptionsPanorama Decryption Pre Rules Options

Input a name for your decryption policy rule and then click the Source tab:

Panorama Add Decryption Policy Dialog Box - General Tab Office 365 URLsPanorama Add Decryption Policy Dialog Box - General Tab Office 365 URLs

Add your Trusted zone to the Source Zone section and then click the Destination tab:

Panorama Add Decryption Policy Dialog Box - Source TabPanorama Add Decryption Policy Dialog Box - Source Tab

On the Destination tab, add your UnTrust zone to the Destination Zone section and then click the Service/URL Category tab.

Panorama Add Decryption Policy Dialog Box - Destination TabPanorama Add Decryption Policy Dialog Box - Destination Tab

On the Service/URL Category tab, add your Office 365 Optimize/Allow EDL under URL Category, then click Options:

Panorama Add Decryption Policy Dialog Box - Service/URL Category TabPanorama Add Decryption Policy Dialog Box - Service/URL Category Tab

On the options page, ensure that No Decrypt is selected and click OK.

Panorama Add Decryption Policy Dialog Box - Options TabPanorama Add Decryption Policy Dialog Box - Options Tab

Click Add again on the bottom left to create the policy for IPs.

Panorama Decryption Pre Rules OptionsPanorama Decryption Pre Rules Options

Input a name for your decryption policy rule and then click the Source tab:

Panorama Add Decryption Policy Dialog Box - General Tab Office 365 IPsPanorama Add Decryption Policy Dialog Box - General Tab Office 365 IPs

Add your Trusted zone to the Source Zone section and then click the Destination tab:

Panorama Add Decryption Policy Dialog Box - Source TabPanorama Add Decryption Policy Dialog Box - Source Tab

On the Destination tab, add your UnTrust zone to the Destination Zone section and your IP Optimize/Allow to the Destination Address section, then click the Options:

Panorama Add Decryption Policy Dialog Box - Destination Tab for UntrustPanorama Add Decryption Policy Dialog Box - Destination Tab for Untrust

On the options page, ensure that No Decrypt is selected and click OK.

Panorama Add Decryption Policy Dialog Box - Options TabPanorama Add Decryption Policy Dialog Box - Options Tab

You should now have 2 Decryption policies for Office 365. Ensure they are above your primary decrypt policy to ensure proper application.

Panorama Decryption Policy PagePanorama Decryption Policy Page

Click Commit > Commit and Push at the top left:

Panorama Commit Options MenuPanorama Commit Options Menu

Now that you have configured the EDLs and the policies, you should see log entries for the EDL jobs if you navigate to the Monitor tab. Ensure you select Logs > System from the left side. Note that logs may take a few minutes to populate.

Panorama Monitor Tab - System Logs PagePanorama Monitor Tab - System Logs Page

1,701 Views
Ask Questions Get Answers Join the Live Community
Labels