Mar 16 2019 04:34 AM - edited Mar 17 2019 03:16 PM
Integrate your Palo Alto Networks firewall alerts directly into WDATP machine timeline and alert queue
5 Minutes
Low complexity
Firewalls and IPS/IDS are common tools in every organization’s security toolbox. While those tools can proficiently detect suspicious connections from a client machine to command and control servers (C2 servers), they do not surface actionable alerts that pinpoint the process which created the connection, so security teams cannot investigate and respond to them directly.
In this blog we’ll demonstrate how to integrate Palo Alto Networks Next-Gen Firewall alerts with Windows Defender ATP to leverage the power of their detections to identify actionable alerts. Palo Alto Networks Next-Gen Firewall has an API which allows Palo Alto’s customers to get alerts from the alerts log of both the firewall and WildFire sandbox. You can choose to use the API to get information from a specific firewall appliance or use the same API with Palo Alto Networks Panorama which allows you to get the alerts from all of your Palo Alto Networks Next-Gen Firewall and WildFire appliances.
You can get the full documentation of the Palo Alto Networks API here.
Let’s start
Only three simple steps are needed to get the desired integration:
Step 1 - Settings in Palo Alto Networks Next-Gen Firewall:
To get the alerts from Palo Alto Networks Next-Gen Firewall we first need to create a user on the firewall with the required permissions:
Done! You have successfully added a user with the required permissions.
Note: since many organizations leave the firewall with the default self-signed certificate, I’ve added a certificate bypass in the script (published by PoshKazun on GitHub). If your firewall is set up with a trusted certificate you can change the “trustSelfSignCertificate” parameter to false.
Download the PowerShell script attached to this blog, save it in the same folder as the Get-Token.ps1 script from the Hello World blog, and modify the “#### required information from step 1 #####” section.
A typical section may look like:
$firewallURL = "https://TheUrlToYourFirewallMgmtConsole"
$username = "theNewUserWeCreated"
$password = "NewUserPassword"
$alertQueryTimeframe = 30
$minimumAlertSeverity = "medium"
Done! You have successfully completed the steps required to use the Palo Alto Networks API.
Step 2: Settings in Windows Defender ATP
In this step, we will add the required permissions to Windows Defender ATP.
We will add the permissions to the application we set up in the Hello World blog. If you haven’t set up an application yet, follow the three short steps in the Hello World blog to create one.
First, we need to add the permissions “Run advanced queries” and “Read and write all alerts”.
Done! You have successfully added the required permissions to Windows Defender ATP.
Step 3: Test runs
WildFire Alert
Download Palo Alto Networks Wildfire test file and create an alert in WDATP Portal.
Firewall Alert
Create a fake suspicious network connection and create an alert in WDATP Portal.
https://testing.com/book.html?default=<script>alert(XSS test)</script>
Note: if your firewall policy action for vulnerabilities is set to “Reset-both”, the firewall will reset the connection before it is established. In that case, you will not find any network connection telemetry in the WDATP portal, and no corresponding event can be matched.
Now open the WDATP portal and look for the alerts. You should find the Palo Alto Networks firewall alert and the Palo Alto Networks WildFire alert in the WDATP alert queue.
And in the machine timeline:
Recommendations:
We recommend scheduling the integration script to run every 20 minutes with alertQueryTimeframe set to 30 minutes to allow overlap.
Conclusion:
While network protection solutions catch threats at the network chokepoint, they still miss the endpoint context and the ability to remediate the endpoint. The combination of Palo Alto Networks firewall and WDATP creates a unique better-together value from detection to remediation. In future blogs we'll show you how to make AutoIR automatically remediate the root of the threat.
You can follow these steps to create Windows Defender ATP's alerts from other security/SOAR/SIEM solutions.
Let us know if you are interested to integrate alerts from other sources.
Thanks!
@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
@Ben Alfasi, software engineer, Windows Defender ATP
Apr 07 2019 01:25 AM
People who tried or planning to try this integration, please share your experience with @Haim Goldshtein & @Dan Michelson.
May 02 2019 11:42 AM
@Haim Goldshtein is there a document for fortinet firewall to do the same?
May 31 2019 11:37 AM
Jun 01 2019 11:30 AM
@Dan Michelson Hi Dan, I see you can do the API for each switch, but can you pull the info in from Panorama ( https://www.paloaltonetworks.com/products/management/panorama )? My customer has more than 40 firewall sw...
Thank you
Jun 02 2019 02:08 AM
Yes you can, in the script you need to use the Panorama URL instead of the firewall URL and you will get the alerts from Panorama.
Thanks,
Haim
Jun 03 2019 10:26 AM
@Haim Goldshtein Fantastic, thank you for the confirmation!
Jun 18 2019 05:49 AM
Where do you put the script ?
Is that in the App in azure or is it running on the clients ?
/Henrik
Jun 20 2019 01:37 AM
Aug 07 2019 03:06 PM
Sep 19 2019 04:17 PM
I am getting the exact same error. Any suggestions? @gsoriano
Jul 17 2020 05:05 AM
@Haim Goldshtein @Dan Michelson, I followed these directions and updated the queries to accommodate the schema changes in ATP, and yet I still get the same errors as other users who have posted here. What are we doing wrong? This was a massive waste of time to set up and configure if there is no one to answer queries.
This is the error that we're seeing: "Corresponding WDATP event was not found".
Any chance anyone has actually made this work? I'd be most appreciative of any tips/tricks as this would be most useful if we could get it to work.
Jul 19 2020 02:13 AM
@LauraPen can you please contact me at bealfasi@microsoft.com and we will investigate it together?
Please attach your tenant ID to the mail.
Oct 03 2021 06:19 AM
The API queries in the script need to be modified before this script will work. Microsoft has changed the schema and the script does not reflect those changes.
This article highlights the changes, Advanced hunting data schema changes - Microsoft Tech Community
What you need to modify in the script is NetworkCommunicationEvents to DeviceNetworkEvents, MachineInfo to DeviceInfo and EventTime to Timestamp.
After you perform the modifications, the script will work.
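For readers adapting the script, here is the per-alert core of the integration written against the current DeviceNetworkEvents/Timestamp schema named in the comment above: one advanced hunting query to find the endpoint event behind a firewall threat-log row, then one CreateAlertByReference call to raise the WDATP alert on that event. This is an added example, not the script attached to the blog; it assumes $token was obtained with Get-Token.ps1 from the Hello World blog, and the $threat object is a constructed stand-in for one row of the firewall's threat log.

```powershell
# Added example (not the blog's attached script). Assumes $token is a WDATP bearer token.
$apiBase = "https://api.securitycenter.microsoft.com/api"
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# Constructed sample standing in for one threat-log row returned by the firewall API
$threat = [pscustomobject]@{
    src = "10.1.2.3"; dst = "203.0.113.10"; dport = 443
    receive_time = "2020/07/17 05:00:12"; threatid = "Example threat signature"; severity = "medium"
}
# Map firewall severities onto the values the WDATP alert API accepts
$severityMap = @{ critical = "High"; high = "High"; medium = "Medium"; low = "Low"; informational = "Informational" }

# 1. Find the endpoint connection matching the firewall's 5-tuple inside the alert timeframe.
#    Uses the current schema names: DeviceNetworkEvents and Timestamp (not NetworkCommunicationEvents/EventTime).
$t = [datetime]::ParseExact($threat.receive_time, "yyyy/MM/dd HH:mm:ss", $null).ToUniversalTime()
$from = $t.AddMinutes(-30).ToString("o"); $to = $t.AddMinutes(5).ToString("o")
$query = @"
DeviceNetworkEvents
| where Timestamp between (datetime($from) .. datetime($to))
| where LocalIP == "$($threat.src)" and RemoteIP == "$($threat.dst)" and RemotePort == $($threat.dport)
| project Timestamp, DeviceId, ReportId, InitiatingProcessFileName, InitiatingProcessCommandLine
| top 1 by Timestamp desc
"@
$body = @{ Query = $query } | ConvertTo-Json
$result = Invoke-RestMethod -Method Post -Uri "$apiBase/advancedqueries/run" -Headers $headers -Body $body

$events = @($result.Results)
if ($events.Count -eq 0) {
    # Same situation the comments report as "Corresponding WDATP event was not found":
    # typically a Reset-both policy (no connection reached the endpoint) or a window mismatch.
    Write-Warning "Corresponding WDATP event was not found for $($threat.src) -> $($threat.dst):$($threat.dport)"
    return
}
$ev = $events[0]

# 2. Raise the alert by reference to that event so it lands in the alert queue and the machine timeline
#    with the initiating process attached.
$alert = @{
    machineId         = $ev.DeviceId
    severity          = $severityMap[$threat.severity.ToLower()]
    title             = "Palo Alto Networks firewall: $($threat.threatid)"
    description       = "Firewall threat '$($threat.threatid)' ($($threat.severity)) for $($threat.src) -> $($threat.dst):$($threat.dport), initiated by $($ev.InitiatingProcessFileName)"
    recommendedAction = "Review the process command line: $($ev.InitiatingProcessCommandLine)"
    eventTime         = $ev.Timestamp
    reportId          = $ev.ReportId
    category          = "CommandAndControl"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "$apiBase/alerts/CreateAlertByReference" -Headers $headers -Body $alert
```

The 30-minute lookback mirrors the recommended alertQueryTimeframe, and the empty-result branch is where the script should log rather than fail when the firewall reset the connection before the endpoint recorded it.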