Palo Alto Networks and WDATP ad-hoc integration

Microsoft

Integrate your Palo Alto Networks firewall alerts directly into WDATP machine timeline and alert queue

5 Minutes

Low complexity

Firewall and IPS/IDS are common tools in every organization’s security toolbox. While those tools can proficiently detect suspicious connections to command and control servers (C2 server) from a client machine, actionable alerts that pinpoint the process which created the connection are not surfaced for security teams to investigate and respond to.

 

In this blog we’ll demonstrate how to integrate Palo Alto Networks Next-Gen Firewall alerts with Windows Defender ATP to leverage the power of their detections to identify actionable alerts. Palo Alto Networks Next-Gen Firewall has an API which allows Palo Alto’s customers to get alerts from the alerts log of both the firewall and WildFire sandbox. You can choose to use the API to get information from a specific firewall appliance or use the same API with Palo Alto Networks Panorama which allows you to get the alerts from all of your Palo Alto Networks Next-Gen Firewall and WildFire appliances.

 

You can get the full documentation of the Palo Alto Networks API here.

 

Let’s start 

It is only 3 simple steps that will get you the desired integration:

  • Step 1: Settings in Palo Alto Networks Next-Gen Firewall.
    • Read-only API role creation
    • User creation and role assignment
    • Update the sample script
  • Step 2:  Windows Defender ATP settings:
    • Add API permissions.
  • Step 3: Test runs
    • WildFire alert
    • Firewall alert

 

Step 1 - Settings in Palo Alto Networks Next-Gen Firewall: 

To get the alerts from Palo Alto Networks Next-Gen Firewall we first need to create a user on the firewall with the required permissions:

 

  1. Open the Palo Alto Networks Next-Gen Firewall administration console.
  2. Login as a privileged user.
  3. Go to Device > Admin Role > Add.
  4. Give the role a name and remove all the permissions on all tabs except the “Log” permission under the XML-API tab, then click OK.
  5. Go to Device > Administrators > Add.
  6. Enter a name and a password, choose “Role Based” in the administrator type settings, and in the profile field choose the role we created.
  7. Important!!! Click Commit in the upper right corner.

Done! You have successfully added a user with the required permissions.

Note: since many organizations leave the firewall with the default self-signed certificate, I’ve added a bypass in the script (published by PoshKazun on GitHub).

If your firewall is set up with a trusted certificate, change the “trustSelfSignCertificate” parameter to false so the script does not use the bypass.

 

Download the PowerShell script attached to this blog, save it in the same folder where you saved the Get-Token.ps1 script from the Hello World blog, and modify the “#### required information from step 1 #####” section.

 

A typical section may look like:

 

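$firewallURL = "https://TheUrlToYourFireallMgmtConsole"   # management URL of the firewall (or of Panorama)
$username = "theNewUserWeCreated"                          # the read-only API user created above
$password = "NewUserPassword"                              # that user's password
$alertQueryTimeframe = 30                                  # how far back to query, in minutes
$minimumAlertSeverity = "medium"                           # lowest alert severity to forward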

 

Done! You have successfully completed the required steps to use the Palo Alto Networks API.


 

Step 2: Settings in Windows Defender ATP

In this step, we will add the required permissions to Windows Defender ATP.

We will add the permissions to the application we set up in the Hello World blog. If you haven’t set up an application yet, follow the three short steps in the Hello World blog to create one.

 

First, we need to add the permissions “Run advanced queries” and “Read and write all alerts”:

  1. Open the Azure portal. 
  2. Navigate to Azure Active Directory > App registrations
  3. Under All Apps, find and select the application, for example, ContosoSIEMConnector. 
  4. Navigate to Settings > Required permissions > Enable Access
  5. Select the checkboxes for the “Run advanced queries” and “Read and write all alerts” application permissions.
  6. Click Save and Grant Permissions.

Done! You have successfully added the required permissions to Windows Defender ATP.

 

 

Step 3: Test runs

WildFire Alert

Download the Palo Alto Networks WildFire test file and create an alert in the WDATP portal.

 

Firewall Alert

Create a fake suspicious network connection and create an alert in WDATP Portal.

  • Open your browser and navigate to

https://testing.com/book.html?default=<script>alert(XSS test)</script>

  • Wait 5 minutes and run the PowerShell script.

 

Note: if your firewall policy action for vulnerabilities is set to “Reset-both”, the firewall will reset the connection before it starts. In that case, you will not find network connection telemetry in the WDATP portal.

 

 

Now open the WDATP portal and look for the alerts. You should find the Palo Alto Networks firewall alert and the Palo Alto Networks WildFire alert in the WDATP alert queue.

 


And in machine timeline:


Recommendations:

We recommend scheduling the integration script to run every 20 minutes with alertQueryTimeframe set to 30 minutes to allow overlap.

 

Conclusion: 

While network protection solutions catch the threats in the network bottleneck, they still miss the context and the ability to remediate the endpoint. The combination of Palo Alto Networks firewall and WDATP creates a unique better-together value from detection to remediation. In future blogs we'll show you how to force AutoIR to automatically remediate the root of the threat.

 

You can follow these steps to create Windows Defender ATP's alerts from other security/SOAR/SIEM solutions.

 

Let us know if you are interested in integrating alerts from other sources.

 

Thanks! 

@Haim Goldshtein, security software engineer, Windows Defender ATP  

@Dan Michelson, program manager, Windows Defender ATP

@Ben Alfasi, software engineer, Windows Defender ATP  

13 Replies

People who tried or are planning to try this integration, please share your experience with @Haim Goldshtein & @Dan Michelson.

@Haim Goldshtein is there a document for fortinet firewall to do the same?

@Jacques van Zijl This is now on our back log 🙂


 

@Dan Michelson Hi Dan, I see you can do the API for each switch but can you pull the info in from Panorama ( https://www.paloaltonetworks.com/products/management/panorama ) my customer more than 40 firewall sw...

 

Thank you

Hi @Jacques van Zijl

 

Yes you can, in the script you need to use the Panorama URL instead of the firewall URL and you will get the alerts from Panorama.

 

Thanks,

Haim

 

 

@Haim Goldshtein Fantastic thank you for the confirmation !

@Haim Goldshtein 

Where do you put the script ?

Is that in the App in azure or is it running on the clients ?

/Henrik

Hey, I can't seem to get this to work. The script works fine, but nothing comes to the ATP portal. What can be wrong?

Hi Everyone, first of all, thanks for sharing this document. I did all the steps as described; however, when I ran the script to push events from Palo Alto to WDATP I received the error below. Note that the malware tests were already performed.

ERROR:
Corresponding WDATP event was not found
Invoke-WebRequest : {"error":{"code":"429","message":"API calls quota exceeded! maximum allowed 15 per 00:01:00"}}
At C:\WDAP-PA-integration\WDAP-PA-integration.ps1:203 char:17
+ $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\WDAP-PA-integration\WDAP-PA-integration.ps1:205 char:37
+ $results = ($response.Content | ConvertFrom-Json).Results
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand
Corresponding WDATP event was not found
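
An added example, not taken from the original script: the 429 in the output above is returned by the POST at line 203, and the ConvertFrom-Json error at line 205 follows because the failed request leaves nothing to parse. A wrapper like the one below paces calls to the quota named in the error message (15 per minute) and retries on 429; Wait-ForQuota, Invoke-ThrottledApi and their parameters are hypothetical names, and $headers in the usage line is an assumed variable.

```powershell
# Added example, not part of WDAP-PA-integration.ps1; function names are hypothetical.
$script:CallTimes = [System.Collections.Generic.Queue[datetime]]::new()

function Wait-ForQuota {
    # Defaults are taken from the 429 message: 15 calls per 00:01:00.
    param([int]$MaxCalls = 15, [int]$WindowSeconds = 60)
    $now = Get-Date
    # Forget calls that have already left the sliding window.
    while ($script:CallTimes.Count -gt 0 -and
           ($now - $script:CallTimes.Peek()).TotalSeconds -ge $WindowSeconds) {
        [void]$script:CallTimes.Dequeue()
    }
    if ($script:CallTimes.Count -ge $MaxCalls) {
        # Window is full: sleep until the oldest recorded call expires.
        $wait = $WindowSeconds - ($now - $script:CallTimes.Peek()).TotalSeconds
        Start-Sleep -Milliseconds ([int][math]::Ceiling($wait * 1000))
        [void]$script:CallTimes.Dequeue()
    }
    $script:CallTimes.Enqueue((Get-Date))
}

function Invoke-ThrottledApi {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][hashtable]$Body,
        [int]$MaxRetries = 3
    )
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        Wait-ForQuota
        try {
            $response = Invoke-WebRequest -Method Post -Uri $Url -Headers $Headers `
                -Body ($Body | ConvertTo-Json) -ContentType 'application/json' `
                -UseBasicParsing -ErrorAction Stop
            # Only reached on success, so ConvertFrom-Json never receives null.
            return ($response.Content | ConvertFrom-Json)
        }
        catch {
            $status = 0
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            # Anything other than a quota error, or the final attempt, is re-thrown.
            if ($status -ne 429 -or $attempt -eq $MaxRetries) { throw }
            Write-Warning "HTTP 429 from $Url; waiting 60 seconds before retrying"
            Start-Sleep -Seconds 60
        }
    }
}

# Usage with the variable names seen in the error output ($headers is assumed):
# $results = (Invoke-ThrottledApi -Url $url -Headers $headers -Body $body).Results
```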

I am getting the exact same error.  Any suggestions?  @gsoriano 

@Haim Goldshtein @Dan Michelson, I followed these directions, and updated the queries to accommodate the schema changes in ATP, and yet I still get the same errors as other users who have posted here.  What are we doing wrong?  This was a massive waste of time to set up and configure if there is no one to answer queries?

This is the error that we're seeing "Corresponding WDATP event was not found"

Any chance anyone has actually made this work?  I'd be most appreciative of any tips/tricks as this would be most useful if we could get it to work.

@LauraPen can you please contact me at bealfasi@microsoft.com and we will investigate it together? 
Please attach your tenant ID to the mail.

The API Queries in the script need to be modified before this script will work. Microsoft has changed the scheme and the script does not reflect those changes.

 

This article highlights the changes, Advanced hunting data schema changes - Microsoft Tech Community

 

What you need to modify in the script is NetworkCommunicationEvents to DeviceNetworkEvents, MachineInfo  to DeviceInfo and EventTime to Timestamp.

 

After you perform the modifications, the script will work.
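
The three renames listed in the reply above, applied as whole-word replacements so that longer identifiers containing the old names are left alone. This is an added example, not code from the original script or its authors; Convert-HuntingSchema is a hypothetical helper, the sample query is constructed, and the output file name is a placeholder.

```powershell
# Added example: apply the three advanced hunting renames named in the reply above.
$renames = [ordered]@{
    'NetworkCommunicationEvents' = 'DeviceNetworkEvents'
    'MachineInfo'                = 'DeviceInfo'
    'EventTime'                  = 'Timestamp'
}

function Convert-HuntingSchema {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    foreach ($old in $renames.Keys) {
        # \b limits the match to whole identifiers.
        $Text = [regex]::Replace($Text, "\b$([regex]::Escape($old))\b", $renames[$old])
    }
    $Text
}

# Constructed sample query, only to show the effect of the rewrite.
$sample = @'
NetworkCommunicationEvents
| where EventTime > ago(30m)
| where RemoteIP == "203.0.113.10"
| project EventTime, RemoteIP, RemotePort
'@
Convert-HuntingSchema $sample

# Apply to a copy of the script and list every changed line for review.
$in  = '.\WDAP-PA-integration.ps1'           # script name as shown in the error output
$out = '.\WDAP-PA-integration.updated.ps1'   # placeholder output name
if (Test-Path $in) {
    $before = @(Get-Content $in)
    $after  = @($before | ForEach-Object { Convert-HuntingSchema $_ })
    # A PowerShell variable named $EventTime would also be renamed, consistently,
    # so read the diff before replacing the original file.
    Compare-Object $before $after | Format-Table SideIndicator, InputObject -AutoSize
    $after | Set-Content $out
}
```

Only the three names given in the reply are rewritten; any other column the linked schema article renames still has to be checked by hand.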