This utility is provided to enable Systems Engineers to load hashes from failed Ixia and/or Spirent security tests. It will then process the hashes against the Palo Alto Networks Threat Intelligence Cloud to determine the reason why the hash was not found/blocked/inidcated in the passing results.
It interfaces with both Autofocus (pull) and ELK (optional push) API interfaces.
The only supported way to run TORT is to run the docker container:
docker run -p 8088:80 paloaltonetworks/pan-tort:latest
Once the container is up and running - point your browser to http://localhost:8088
Login is paloalto/tort
NOTE: This does not support pushing the results to ELK - yet
To push the results to your ELK instance, you must have a .panrc in your home directory with the following entries (at minimum)
ELASTICSEARCH_HOST = "<ip of elasticsearch host>"
ELASTICSEARCH_PORT = "<port - default es install port is 9200>"
Optionally you can also add your API key to the .panrc as well:
AUTOFOCUS_API_KEY = "<api_key>"
Once you have that in place you can start the container by mounting the .panrc inside the container
docker run -p 8088:80 -v ~/.panrc:/.panrc paloaltonetworks/pan-tort:latest
If you added the AF API key, you don't have to type it in anymore. :)