Playbook of the Week: Automate NGFW Management with Cortex XSOAR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

How to automate NGFW management using Cortex XSOARHow to automate NGFW management using Cortex XSOARBy Danil Vilenchik, Sr. Technical Program Manager

 

Today’s security operations centers (SOCs) are plagued with lengthy investigation times and security teams are often drowning in repeatable, manual tasks. Combine these challenges with the tedious and time-consuming task of firewall management, and it's no wonder that more than one-third of IT professionals are considering quitting their job in the next six months.

 

Fortunately, there are solutions that exist to help automate many of the SOC’s most common processes, relieving some of the burden faced by security analysts. In this post, we’ll take a deeper look into the PAN-OS by Palo Alto Networks content pack for Cortex XSOAR, which assists in managing firewall objects, rules and policies as well as the firewall instances themselves. This helps create a safer browsing environment and block unwanted traffic flowing into and out of organizations.

 

What is PAN-OS?

 

PAN-OS is the software that runs all Palo Alto Networks® next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively (App-ID, Content-ID, Device-ID, and User-ID) you can have complete visibility and control of the applications in use across all users and devices in all locations. Because inline ML and application and threat signatures automatically reprogram firewalls with the latest intelligence, all traffic on your network is free of known and unknown threats.

 

Benefits of the PAN-OS content pack

 

The PAN-OS content pack for Cortex XSOAR enables SOC teams to create and manage security rules, update security policies, make sure devices and policies meet security best practices and take action when needed for device management. Over 250 manual commands can be executed from the XSOAR CLI and 18 generic playbooks help automate security and network operations. Utilizing Cortex XSOAR to control and manage network security operations consolidates security tools and many of the out-of-the-box commands can be used to further build playbooks to eliminate manual actions.

 

Integrating PAN-OS with XSOAR helps to automate many of the time-consuming tasks associated with firewall operation and management, freeing up SOC teams to work on more critical security issues.

 

See Cortex XSOAR and PAN-OS in action

 

Let’s look at how Cortex XSOAR and PAN-OS can automate basic remediation steps.

 

When a new malicious IP or URL indicator is detected in Cortex XSOAR, it automatically triggers a playbook that adds the malicious indicator to a block list. The playbook first checks to see if the address already exists in the block list, and if not, the indicator is added.

 

PAN-OS - Block IP - Static Address Group playbookPAN-OS - Block IP - Static Address Group playbook

 

This may seem like a simple task that can be performed manually, but in reality, when analysts are flooded with many tasks and pending investigations, it becomes critical to remove items from their list of actions. Cortex XSOAR can help! Automating processes is one of the key pillars of SOAR solutions. Real threats won’t go ignored or even missed, and indicators can be quickly found within your environment to follow up with further investigation.

 

Threat-hunting made easy with XSOAR and PAN-OS

 

XSOAR can automatically run through your PAN-OS logs each time a new IOC is detected.

 

Proactive hunting is important to keep your environment safe, and as daily security incidents and escalations flood the SOC, high-tier analysts and engineers will no longer have to waste their time running queries on FW logs.

 

PAN-OS Query Logs For Indicators playbookPAN-OS Query Logs For Indicators playbook

 

Each malicious file (hash), URL and IP fetched into XSOAR is automatically queried by this playbook in up to six different logs in your PAN-OS instance, including Wildfire malware protection engine, threat, traffic, data and more.

 

Palo Alto Networks offers a whole suite of best-of-breed security solutions. Implementing the PAN-OS by Palo Alto Networks content pack in your standard workflows can save time that is normally wasted on basic manual actions and allow your security personnel to focus on other responsibilities, shorten SLAs and increase SOC efficiency.

 

For more information on the PAN-OS by Palo Alto Networks content pack, refer to the developer article here. If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page. Please suggest ideas or vote for others.

 

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.

2 Comments
  • 6157 Views
  • 2 comments
  • 0 Likes
Register or Sign-in
Labels