From 4d3274e4e3076885838c0d39ac0e4e26ddd2a309 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 16 Oct 2024 11:30:56 +0200 Subject: [PATCH 1/3] feat(Integration): add documentation about PaloAlto Prisma Access --- .../paloalto_prisma_access.md | 140 ++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 141 insertions(+) create mode 100644 docs/integration/categories/network_security/paloalto_prisma_access.md diff --git a/docs/integration/categories/network_security/paloalto_prisma_access.md b/docs/integration/categories/network_security/paloalto_prisma_access.md new file mode 100644 index 000000000..ebd77cf75 --- /dev/null +++ b/docs/integration/categories/network_security/paloalto_prisma_access.md 
@@ -0,0 +1,140 @@ +uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630 +name: Palo Alto Prisma Access +type: intake + +## Overview + +Palo Alto Prisma Access is a cloud-delivered security platform that provides secure access to applications and data, using a scalable network to protect users and devices across all locations. It integrates advanced threat prevention and access controls to ensure consistent security policies. + +- **Vendor**: Palo Alto +- **Supported environment**: On Premise +- **Version compatibility**: +- **Detection based on**: Telemetry +- **Supported application or feature**: Traffic, Threat and WildFire Malicious + +## Specification + +### Prerequisites + +- **Resource**: + - Self-managed syslog forwarder + + OR + + - Palo Alto Strata Logging + +- **Network**: + - Outbound traffic allowed +- **Permissions**: + - Administrator rights on Palo Alto Firewall + - Root access to the Linux server with the syslog forwarder + +### Transport Protocol/Method + +- **Indirect Syslog** + +### Logs details + +- **Supported functionalities**: See section [Overview](#overview) +- **Supported type(s) of structure**: CSV, CEF +- **Supported verbosity level**: Informational + +!!! Note + Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor. + +## Step-by-Step Configuration Procedure +### Instruction on Sekoia + +{!_shared_content/integration/intake_configuration.md!} + +### Instructions on the 3rd Party Solution + +#### Option A - Forward events through a Syslog Forwarder + +##### Configure a Syslog server profile + +1. In the GUI, go to `Device > Serve Profiles > Syslog`. +2. Click `Add` and enter a name for the profile such as `Syslog server`. +3. If the firewall has more than one virtual system (vsys), select the `Location` (vsys or `Shared`) where this profile is available. +4. 
Click `Add` and enter the information that the firewall requires to connect to it: + + - Name — Unique name for the server profile. + - Syslog Server — IP address or fully qualified domain name (FQDN) of the syslog server. + - Transport — Select TCP. + - Port — Select the default is TCP on port 514. + - Format — Select the syslog message format to use: IETF + - Facility — Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field. + +5. Click `OK` to save the server profile. + +##### Configure syslog forwarding for Network logs + +1. Select `Objects > Log Forwarding`, click `Add`, and enter a `Name` to identify the profile. +2. For each log type (here Traffic, Threat and WileFire Malicious) and each severity level, select the `Syslog server` profile and click `OK`. +3. Select `Policies > Security` and select a policy rule. +4. Select the `Actions` tab and select the `Log Forwarding` profile you created. +5. In the `Profile Type` drop-down, select `Profiles` or `Groups`, and then select the security profiles or `Group Profiles` required to trigger log generation and forwarding. +6. Select `Log At Session End` check boxes, and click `OK`. + +!!! Warning + Log At Session Start consumes more resources than logging only at the session end. In most cases, you only Log At Session End. Enable both Log At Session Start and Log At Session End only for troubleshooting, for long-lived tunnel sessions such as GRE tunnels (you can't see these sessions in the ACC unless you log at the start of the session), and to gain visibility into Operational Technology/Industrial Control Systems (OT/ICS) sessions, which are also long-lived sessions. 
+ +For detailed information about configuring a log forwarding profile and assigning the profile to a policy rule, see [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/configure-log-forwarding#id1443a62b-8a0b-41db-a08d-5df934bf0ffc_idd40c0d1a-7191-4616-9573-f02a99352eae) + +##### Configure syslog forwarding for System, Configuration, GlobalProtect, HIP Match, and User-ID logs. + +1. In the GUI, go to `Device > Log Settings`. +2. Click each Severity level (High and Critical if also fine), select the `Syslog server` profile, and click `OK`. + +Please follow [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/configure-log-forwarding#id1443a62b-8a0b-41db-a08d-5df934bf0ffc_idd40c0d1a-7191-4616-9573-f02a99352eae) from the official Palo Alto documentation for more information. + +{!_shared_content/integration/forwarder_configuration.md!} + +### Option B - Forward events through Palo Alto Strata Logging + +#### Configure Palo Alto Prisma Access + +1. In the GUI, go to `Objects > Log Forwarding`. +2. Click `Add`, and enter a `Name` to identify the profile. +3. For each log type (here Traffic, Threat and WileFire Malicious), check the box `Cortex Data Lake` in the Forward Method and click `OK`. +4. Select `Policies > Security` and select a policy rule. +5. Select the `Actions` tab and select the `Log Forwarding` profile you created. +6. In the `Profile Type` drop-down, select `Profiles` or `Groups`, and then select the security profiles or `Group Profiles` required to trigger log generation and forwarding. +7. Select both of the `Log at Session Start` and `Log At Session End` check boxes, and click `OK`. + +#### Configure Palo Alto Strata Logging + +1. On the Strata Logging console, got to `Log Forwarding` +2. Create a new HTTPS Profiles +3. Enter a `Name` to identify the profile and set the URL to `https://intake.sekoia.io/jsons?status_code=200` +4. 
In the Client Authorization section, select `Basic Authorization` as Type, fill `Username` with any string (e.g. `sekoiaio`) and `Password` with your **intake key** (see step "Instruction on Sekoia") +5. Click `Test Connection` then click `Next` +6. Select `Array JSON` as Payload Format +7. In `Filters`, add log sources to forward: + + | Log Source | Log Type | + | ------------- | -------------- | + | Common Logs | System | + | Common Logs | Configuration | + | Network Logs | Authentication | + | Network Logs | Decryption | + | Network Logs | DNS Security | + | Network Logs | File | + | Network Logs | GlobalProtect | + | Network Logs | HIP Match | + | Network Logs | IPtag | + | Network Logs | SCTP | + | Network Logs | Threat | + | Network Logs | Traffic | + | Network Logs | Tunnel | + | Network Logs | URL | + | Network Logs | UserID | + +8. Click `Save` + +{!_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630_sample.md!} + +{!_shared_content/integration/detection_section.md!} + +{!_shared_content/operations_center/detection/generated/suggested_rules_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.md!} +{!_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md!} diff --git a/mkdocs.yml b/mkdocs.yml index 4349aab59..d8f7f570f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -477,6 +477,7 @@ nav: - OGO Shield WAF: integration/categories/network_security/ogo_shield.md - Olfeo Secure Web Gateway: integration/categories/network_security/olfeo_secure_web_gateway.md - Palo Alto Next-Generation Firewall: integration/categories/network_security/paloalto.md + - Palo Alto Prisma access: integration/categories/network_security/paloalto_prisma_access.md - Security Scorecard Vunerability Assessment Scanner: integration/categories/network_security/securityscorecard_vas.md - SonicWall Firewall: integration/categories/network_security/sonicwall_fw.md - SonicWall SMA: integration/categories/network_security/sonicwall_sma.md From e78a7e4cdec1e05361a66d1e781d3ccbc579541d Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 16 Oct 2024 11:37:37 +0200 Subject: [PATCH 2/3] fix(Integration): remove syslog forwarding --- .../paloalto_prisma_access.md | 49 +------------------ 1 file changed, 1 insertion(+), 48 deletions(-) diff --git a/docs/integration/categories/network_security/paloalto_prisma_access.md b/docs/integration/categories/network_security/paloalto_prisma_access.md index ebd77cf75..1ef832917 100644 --- a/docs/integration/categories/network_security/paloalto_prisma_access.md +++ b/docs/integration/categories/network_security/paloalto_prisma_access.md @@ -17,10 +17,6 @@ Palo Alto Prisma Access is a cloud-delivered security platform that provides sec ### Prerequisites - **Resource**: - - Self-managed syslog forwarder - - OR - - Palo Alto Strata Logging - **Network**: 
@@ -47,50 +43,7 @@ Palo Alto Prisma Access is a cloud-delivered security platform that provides sec {!_shared_content/integration/intake_configuration.md!} -### Instructions on the 3rd Party Solution - -#### Option A - Forward events through a Syslog Forwarder - -##### Configure a Syslog server profile - -1. In the GUI, go to `Device > Serve Profiles > Syslog`. -2. Click `Add` and enter a name for the profile such as `Syslog server`. -3. If the firewall has more than one virtual system (vsys), select the `Location` (vsys or `Shared`) where this profile is available. -4. Click `Add` and enter the information that the firewall requires to connect to it: - - - Name — Unique name for the server profile. - - Syslog Server — IP address or fully qualified domain name (FQDN) of the syslog server. - - Transport — Select TCP. - - Port — Select the default is TCP on port 514. - - Format — Select the syslog message format to use: IETF - - Facility — Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field. - -5. Click `OK` to save the server profile. - -##### Configure syslog forwarding for Network logs - -1. Select `Objects > Log Forwarding`, click `Add`, and enter a `Name` to identify the profile. -2. For each log type (here Traffic, Threat and WileFire Malicious) and each severity level, select the `Syslog server` profile and click `OK`. -3. Select `Policies > Security` and select a policy rule. -4. Select the `Actions` tab and select the `Log Forwarding` profile you created. -5. In the `Profile Type` drop-down, select `Profiles` or `Groups`, and then select the security profiles or `Group Profiles` required to trigger log generation and forwarding. -6. Select `Log At Session End` check boxes, and click `OK`. - -!!! Warning - Log At Session Start consumes more resources than logging only at the session end. In most cases, you only Log At Session End. 
Enable both Log At Session Start and Log At Session End only for troubleshooting, for long-lived tunnel sessions such as GRE tunnels (you can't see these sessions in the ACC unless you log at the start of the session), and to gain visibility into Operational Technology/Industrial Control Systems (OT/ICS) sessions, which are also long-lived sessions. - -For detailed information about configuring a log forwarding profile and assigning the profile to a policy rule, see [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/configure-log-forwarding#id1443a62b-8a0b-41db-a08d-5df934bf0ffc_idd40c0d1a-7191-4616-9573-f02a99352eae) - -##### Configure syslog forwarding for System, Configuration, GlobalProtect, HIP Match, and User-ID logs. - -1. In the GUI, go to `Device > Log Settings`. -2. Click each Severity level (High and Critical if also fine), select the `Syslog server` profile, and click `OK`. - -Please follow [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/configure-log-forwarding#id1443a62b-8a0b-41db-a08d-5df934bf0ffc_idd40c0d1a-7191-4616-9573-f02a99352eae) from the official Palo Alto documentation for more information. - -{!_shared_content/integration/forwarder_configuration.md!} - -### Option B - Forward events through Palo Alto Strata Logging +### Forward events through Palo Alto Strata Logging #### Configure Palo Alto Prisma Access From dd65b42d08cad623fc2643ee940e9f5e5e915ac6 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 16 Oct 2024 12:09:40 +0200 Subject: [PATCH 3/3] fix(PaloAlto): fix the prisma access documentation --- .../paloalto_prisma_access.md | 25 ++++--------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/docs/integration/categories/network_security/paloalto_prisma_access.md b/docs/integration/categories/network_security/paloalto_prisma_access.md index 1ef832917..7288ae498 100644 
--- a/docs/integration/categories/network_security/paloalto_prisma_access.md +++ b/docs/integration/categories/network_security/paloalto_prisma_access.md @@ -7,7 +7,7 @@ type: intake Palo Alto Prisma Access is a cloud-delivered security platform that provides secure access to applications and data, using a scalable network to protect users and devices across all locations. It integrates advanced threat prevention and access controls to ensure consistent security policies. - **Vendor**: Palo Alto -- **Supported environment**: On Premise +- **Supported environment**: Cloud - **Version compatibility**: - **Detection based on**: Telemetry - **Supported application or feature**: Traffic, Threat and WildFire Malicious @@ -18,26 +18,19 @@ Palo Alto Prisma Access is a cloud-delivered security platform that provides sec - **Resource**: - Palo Alto Strata Logging - -- **Network**: - - Outbound traffic allowed - **Permissions**: - - Administrator rights on Palo Alto Firewall - - Root access to the Linux server with the syslog forwarder + - Administrator rights on Palo Alto Stata Logging ### Transport Protocol/Method -- **Indirect Syslog** +- **HTTPS forwarding** ### Logs details - **Supported functionalities**: See section [Overview](#overview) -- **Supported type(s) of structure**: CSV, CEF +- **Supported type(s) of structure**: JSON - **Supported verbosity level**: Informational -!!! Note - Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor. - ## Step-by-Step Configuration Procedure ### Instruction on Sekoia 
@@ -45,15 +38,7 @@ Palo Alto Prisma Access is a cloud-delivered security platform that provides sec ### Forward events through Palo Alto Strata Logging -#### Configure Palo Alto Prisma Access - -1. In the GUI, go to `Objects > Log Forwarding`. -2. Click `Add`, and enter a `Name` to identify the profile. -3. For each log type (here Traffic, Threat and WileFire Malicious), check the box `Cortex Data Lake` in the Forward Method and click `OK`. -4. Select `Policies > Security` and select a policy rule. -5. Select the `Actions` tab and select the `Log Forwarding` profile you created. -6. In the `Profile Type` drop-down, select `Profiles` or `Groups`, and then select the security profiles or `Group Profiles` required to trigger log generation and forwarding. -7. Select both of the `Log at Session Start` and `Log At Session End` check boxes, and click `OK`. +Palo Alto Prima Access forwards all logs to the Strata Logging Service. #### Configure Palo Alto Strata Logging
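Review bot: In the new paloalto_prisma_access.md of PATCH 1/3 (hunk @@ -0,0 +1,140 @@), several GUI paths and product names are misspelled and should be fixed before this lands: `Device > Serve Profiles > Syslog` should read `Device > Server Profiles > Syslog`; "WileFire Malicious" appears twice where the Overview says "WildFire Malicious"; under "Configure Palo Alto Strata Logging", "got to `Log Forwarding`" should be "go to", and "Create a new HTTPS Profiles" should be "Create a new HTTPS profile". Two steps are also hard to follow as written: "Port — Select the default is TCP on port 514" (suggest "Port — Keep the default, TCP port 514") and "Click each Severity level (High and Critical if also fine)" (suggest naming the severities to forward). The Option A warning says to enable Log At Session Start only for troubleshooting and long-lived sessions, yet Option B step 7 tells the reader to select both check boxes without that caveat; the two sections should give the same guidance. Step 4 of the Strata Logging profile puts the intake key in the Basic Authorization password field; a sentence noting that this key authenticates everything posted to the intake URL and must be handled as a secret would help, and since `Transport — Select TCP` in Option A sends logs in cleartext, the encrypted transport should be preferred where the firewall and forwarder support it. The "Supported environment: On Premise" bullet is questionable for a cloud-delivered service (corrected in PATCH 3/3) and "Version compatibility:" is left empty.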
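Review bot: In the mkdocs.yml hunk of PATCH 1/3 (@@ -477,6 +477,7 @@), the nav label `Palo Alto Prisma access` is inconsistent with the page's own `name: Palo Alto Prisma Access` and with the sibling entry `Palo Alto Next-Generation Firewall`; capitalize "Access". The entry is correctly placed in alphabetical order after the Palo Alto NGFW line.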
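Review bot: In the Prerequisites hunk of PATCH 2/3 (@@ -17,10 +17,6 @@), dropping the self-managed syslog forwarder as a resource leaves the rest of the Specification section out of step within this commit: the Permissions list still requires "Root access to the Linux server with the syslog forwarder", the transport is still "Indirect Syslog" and the structure is still "CSV, CEF". These are only corrected in PATCH 3/3; consider squashing the two fix commits so no intermediate revision describes a forwarder the document no longer sets up.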
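Review bot: In the hunk removing Option A in PATCH 2/3 (@@ -47,50 +43,7 @@), the "Log At Session Start" warning is deleted together with the syslog section, but the "Configure Palo Alto Prisma Access" steps that remain below the renamed heading still tell the reader to select both `Log at Session Start` and `Log At Session End`; either keep the warning next to that step or remove the step (as PATCH 3/3 eventually does). Dropping the `{!_shared_content/integration/forwarder_configuration.md!}` include is consistent with the change, and the renamed `### Forward events through Palo Alto Strata Logging` reads fine at the same level as `### Instruction on Sekoia` once `### Instructions on the 3rd Party Solution` is gone.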
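Review bot: In the Overview hunk of PATCH 3/3 (@@ -7,7 +7,7 @@), changing the environment to `Cloud` is correct for a cloud-delivered service, but the `- **Version compatibility**:` bullet directly below it is still empty; either state the supported versions or say that versioning does not apply to this integration.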
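Review bot: In the Specification hunk of PATCH 3/3 (@@ -18,26 +18,19 @@), the new permission line has a typo: `Administrator rights on Palo Alto Stata Logging` should read `Strata Logging`. Removing the RFC5424 note is reasonable now that the transport is `HTTPS forwarding` with `JSON` structure, and dropping `Outbound traffic allowed` is consistent with a cloud-to-cloud push, though it is still worth stating that Strata Logging must be able to reach `intake.sekoia.io` over HTTPS, since that is the only network dependency left.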
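Review bot: In the last hunk of PATCH 3/3 (@@ -45,15 +38,7 @@), the replacement sentence has a typo: `Palo Alto Prima Access` should read `Palo Alto Prisma Access`. Since the seven Prisma Access configuration steps are removed on the grounds that all logs already reach the Strata Logging Service, the sentence should also tell the reader how to confirm logs are arriving in Strata Logging before creating the HTTPS profile, otherwise a reader who sees no events on the intake has no pointer back to the Prisma Access side.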