Palo Alto Panorama
Panorama is the centralized management system for the Palo Alto Networks family of next-generation firewalls. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create policies that protect and control the network.
Connect Palo Alto Panorama with Devo SOAR
Navigate to Automations > Integrations.
Search for Palo Alto Panorama.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Keep verification on; turning it off lets anyone on the network path present their own certificate and read the API key sent with every request. If Panorama uses a self-signed certificate, install its CA on the agent rather than disabling the check.
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
URL: The base URL of your Palo Alto Panorama instance.
API Key: The API key used to authenticate to Palo Alto Panorama. Panorama derives the key from an administrator account, so generate it for a dedicated account that has only the permissions these actions need, and regenerate it if it is ever exposed.
After you've entered all the details, click Connect.
Actions for Palo Alto Panorama
Execute Panorama Command
Execute any Panorama command supported by the XML API. The inputs below map onto the API's query parameters; which ones apply depends on the request type (for example, configuration requests take XPath and Element, operational requests take Cmd, log queries take Log type, From and To).
Input Field
Choose a connection that you have previously created, then fill in the following input fields to configure the action.
Input Name | Description | Required |
---|---|---|
Type | The request type. | Required |
XPath | Location of the object as an XPath, for example /config/predefined/application/entry[@name='hotmail']. | Required |
Log type | The type of log. | Required |
Report Type | The type of report. | Required |
Report Name | Name of report. | Required |
Category | Category parameter. | Required |
Cmd | Used for operational commands. Cmd is the XML structure that defines the command. | Required |
Command | Command to run. | Required |
Destination | Destination for command. | Required |
Element | New value of an object. | Required |
From | Start time. | Required |
To | End time. | Required |
Search Time | The time that the PCAP was received on the firewall. | Required |
Where | Position for a move operation (for example before, after, top, or bottom). | Required |
Period | A time period e.g. last-24-hrs. | Required |
PCap ID | The PCap ID in threat log. | Required |
Serial Number | The serial number of the device. | Required |
Params | The rest of the parameters to API in JSON format. | Required |
Get Threat By Id
Get threat details by its id.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to configure the action.
Input Name | Description | Required |
---|---|---|
Threat Id | Jinja-templated text containing the threat ID. | Required |
Output
A JSON object containing the status of the request and, on success, the threat entry.
{
  "result": {
    "response": {
      "status": "success",
      "result": {
        "entry": {
          "id": "1030",
          "name": "Seekmo Download .CAB",
          "description": "This signature detects the runtime behavior of the spyware Seekmo.Seekmo is a 180Solutions adware variant that tracks user browsing activity and passes user information such as seach keywords to its controlling server, and generates advertisements according to that.",
          "severity": "low",
          "subtype": "Unknown",
          "reference": {
            "member": [
              "http://www.spywareguide.com/product_show.php?id=28",
              "http://www.bleepingcomputer.com/startups/seekmo-140.html"
            ]
          }
        }
      }
    },
    "has_error": false,
    "error": null
  },
  "stdout": "",
  "stderr": ""
}
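The following is an added example, not Devo SOAR or Palo Alto Networks code. It shows what the Execute Panorama Command action does with its inputs (they become query parameters of Panorama's /api/ endpoint) and how an XML reply is shaped into the result / has_error / error structure shown in the Get Threat By Id output, including the error case. Assumptions: the input-to-parameter mapping is my reading of the public PAN-OS XML API names, the hostname panorama.example.com is hypothetical, and the two XML replies are constructed samples that mirror the output above rather than the raw Panorama schema.

```python
"""Build Execute Panorama Command requests and parse Panorama XML replies.

Added example, not Devo SOAR or Palo Alto Networks code. Network I/O is
omitted; the two XML replies at the bottom are constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Action input name -> PAN-OS XML API query parameter. This is my reading of
# the public XML API parameter names (assumption: the SOAR action maps its
# inputs the same way). Inputs left empty are simply not sent.
PARAM_MAP = {
    "Type": "type", "XPath": "xpath", "Element": "element", "Cmd": "cmd",
    "Log type": "log-type", "Report Type": "reporttype",
    "Report Name": "reportname", "Category": "category",
    "From": "from", "To": "to", "Where": "where", "Destination": "dst",
    "Period": "period", "PCap ID": "pcap-id", "Search Time": "search-time",
    "Serial Number": "serialno",
}


def build_request(base_url, api_key, inputs, params=None):
    """Return (url, headers) for one call to Panorama's /api/ endpoint.

    `inputs` maps action input names to values; `params` is the free-form
    'Params' JSON and is merged last, so it can supply parameters the map
    does not cover (for example action=get for type=config).
    The API key travels in the X-PAN-KEY header instead of the key= query
    parameter, so it does not land in proxy or web-server access logs.
    """
    query = {}
    for name, value in inputs.items():
        if value in (None, ""):
            continue
        if name not in PARAM_MAP:
            raise ValueError(f"unknown input {name!r}; pass it via Params")
        query[PARAM_MAP[name]] = value
    query.update(params or {})
    if "key" in query:
        raise ValueError("send the API key in the header, not as key=")
    url = base_url.rstrip("/") + "/api/?" + urlencode(query)
    return url, {"X-PAN-KEY": api_key}


def _to_plain(el):
    """Flatten an element: leaves become text, repeated tags become lists."""
    children = list(el)
    if not children:
        return (el.text or "").strip()
    out = {}
    for child in children:
        value = _to_plain(child)
        if child.tag in out:  # e.g. several <member> under <reference>
            if not isinstance(out[child.tag], list):
                out[child.tag] = [out[child.tag]]
            out[child.tag].append(value)
        else:
            out[child.tag] = value
    return out


def parse_response(xml_text):
    """Shape a PAN-OS reply like the action output: result/has_error/error.

    Panorama reports failures as <response status="error"> with a <msg>;
    that message is surfaced in `error` so a playbook can branch on it.
    If the reply could be attacker-influenced, parse with defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    status = root.get("status")
    response = {"status": status}
    for child in root:
        response[child.tag] = _to_plain(child)
    error = None
    if status != "success":
        msg = root.find(".//msg")
        error = "".join(msg.itertext()).strip() if msg is not None else f"status={status}"
    return {"result": {"response": response}, "has_error": error is not None, "error": error}


# Constructed sample replies, shaped after the Get Threat By Id output above.
SAMPLE_OK = """<response status="success"><result><entry>
<id>1030</id><name>Seekmo Download .CAB</name><severity>low</severity>
<subtype>Unknown</subtype><reference>
<member>http://www.spywareguide.com/product_show.php?id=28</member>
<member>http://www.bleepingcomputer.com/startups/seekmo-140.html</member>
</reference></entry></result></response>"""
SAMPLE_ERR = ('<response status="error" code="403"><result>'
              '<msg>Invalid Credential</msg></result></response>')

if __name__ == "__main__":
    url, headers = build_request(
        "https://panorama.example.com", "REDACTED",  # hypothetical host/key
        {"Type": "config", "XPath": "/config/predefined/application/entry[@name='hotmail']"},
        {"action": "get"})
    print(url, headers)
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_ERR))
```

A single `<member>` comes back as a string rather than a one-element list, which is the same flattening the sample output shows; a playbook that iterates over references should wrap the value in a list first.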
Release Notes
v3.0.0
- Updated architecture to support IO via filesystem.
v2.1.1
- Added new action Get Threat By Id.
v2.0.1
- Added documentation link in the automation library.