
PAN-OS - DNS Sinkhole #27700

Merged
merged 16 commits into from Aug 9, 2023

Conversation


@idovandijk idovandijk commented Jun 25, 2023

Status

Ready

Related Issues

fixes: https://jira-hq.paloaltonetworks.local/browse/CIAC-2793

Description

  • Added a new playbook that creates a DNS sinkhole using PAN-OS NGFW.
  • Added a new playbook that adds an anti-spyware security profile to a rule in a safe manner and outputs the profile that is applied to the rule at the end of the playbook execution.
  • Added a test playbook for the playbook that adds an anti-spyware profile to a rule.

Screenshots

PAN-OS_-_DNS_Sinkhole
PAN-OS_-Add_Anti-Spyware_Security_Profile_To_Rule-_Safely

Minimum version of Cortex XSOAR

6.8.0

Does it break backward compatibility?

No

@tomer-pan
Contributor

@idovandijk Great work!

Please review my comments:

  • In policy match, maybe use "application" instead of "destination-port"
  • SecurityProfileName - Maybe don't allow overwriting
  • Get the tags of the existing rules - should only be run on the rules found from the policy match
  • PAN-OS - Add Anti-Spyware Security Profile To Rule - description of output says "rule" instead of profile
  • When creating a rule manually, need to apply the profile to it too
  • PAN-OS - Add Anti Spyware playbook - under "Apply Profile", verify the context path
  • Support multiple DNS signatures as inputs

@AdiPeret
Contributor

AdiPeret commented Jul 23, 2023 via email

@melamedbn
Contributor


The conditional task is a bit confusing: you're asking if something is available, but all of the options aren't related to the question itself, or might be related but the title is missing context.

@idovandijk
Contributor Author

PR is ready for merge and waiting for tech docs

version: -1
name: Can a new anti-spyware profile be applied?
description: |-
Checks whether the rule can have the anti spyware profile applied to it.
Contributor


Suggested change
Checks whether the rule can have the anti spyware profile applied to it.
Checks whether the rule can have the anti-spyware profile applied to it.

Checks whether the rule can have the anti spyware profile applied to it.
There are 4 different possible scenarios:
1. It has no profile, so the specified profile can be applied.
2. It has a profile, but it should not be overwritten with a new anti spyware profile.
Contributor


Suggested change
2. It has a profile, but it should not be overwritten with a new anti spyware profile.
2. It has a profile, but it should not be overwritten with a new anti-spyware profile.

1. It has no profile, so the specified profile can be applied.
2. It has a profile, but it should not be overwritten with a new anti spyware profile.
3. It has a security profile group, and the anti-spyware profile specified can be added to that group.
4. It has a security profile group, but the anti-spyware profile can be applied only if the group doesn't already have an anti spyware profile in it.
Contributor


Suggested change
4. It has a security profile group, but the anti-spyware profile can be applied only if the group doesn't already have an anti spyware profile in it.
4. It has a security profile group, but the anti-spyware profile can be applied only if the group doesn't already have an anti-spyware profile in it.
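An added example (not code from the PR or the PAN-OS content pack) that models the four scenarios of the "Can a new anti-spyware profile be applied?" task as a decision function; the rule and group dict layout, field names, sample data and the profile name are assumptions made for illustration:

```python
# Added example, not code from the PR. Rules are dicts shaped after the
# PAN-OS profile-setting element (profiles/<type>/member or group/member);
# this layout and the field names are assumptions, not the pack's API.

SCENARIOS = {
    1: "no profile: apply the specified anti-spyware profile",
    2: "rule already has an anti-spyware profile: do not overwrite",
    3: "security profile group without anti-spyware: add profile to group",
    4: "security profile group already has anti-spyware: manual overwrite",
}


def classify_rule(rule, groups):
    """Return (scenario, target) for one security rule.

    rule:   {"name": ..., "profile-setting": {...}}   (constructed shape)
    groups: {group_name: {"spyware": [...], "virus": [...], ...}}
    target: the group to modify for scenarios 3/4, the rule itself otherwise
    """
    setting = rule.get("profile-setting") or {}
    if "group" in setting:
        group = setting["group"]["member"][0]
        # Scenario 4 only when the group already carries an anti-spyware profile
        if groups.get(group, {}).get("spyware"):
            return 4, group
        return 3, group
    profiles = setting.get("profiles") or {}
    # Assumption: other profile types (e.g. virus) do not block applying spyware
    if profiles.get("spyware"):
        return 2, rule["name"]
    return 1, rule["name"]


def plan_changes(rules, groups, profile_name):
    """Map every rule to the action the playbook would take (1 and 3 are automatic)."""
    plan = []
    for rule in rules:
        scenario, target = classify_rule(rule, groups)
        plan.append({"rule": rule["name"], "scenario": scenario, "target": target,
                     "profile": profile_name, "automatic": scenario in (1, 3)})
    return plan


# Constructed sample data, not taken from a real firewall
SAMPLE_GROUPS = {"grp-strict": {"spyware": ["strict"], "virus": ["default"]},
                 "grp-av-only": {"virus": ["default"]}}
SAMPLE_RULES = [
    {"name": "r-none", "profile-setting": {}},
    {"name": "r-spy", "profile-setting": {"profiles": {"spyware": {"member": ["default"]}}}},
    {"name": "r-grp-av", "profile-setting": {"group": {"member": ["grp-av-only"]}}},
    {"name": "r-grp-strict", "profile-setting": {"group": {"member": ["grp-strict"]}}},
]
```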

id: 345b0c42-ac77-4ffc-8b5e-1db0146cbbc0
version: -1
name: Overwrite with / Add our profile to the security profile group
description: Please modify the security profile group, and add the Anti-Spyware security profile called ${inputs.SecurityProfileName}. If there's already an anti-spyware security profile configured there, please overwrite it.
Contributor


Suggested change
description: Please modify the security profile group, and add the Anti-Spyware security profile called ${inputs.SecurityProfileName}. If there's already an anti-spyware security profile configured there, please overwrite it.
description: Modify the security profile group, and add the Anti-Spyware security profile called ${inputs.SecurityProfileName}. If there's already an anti-spyware security profile configured there, overwrite it.


This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Contributor


Suggested change
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations

@ShirleyDenkberg
Contributor

@melamedbn @michalgold @AdiPeret @ostolero @tomer-pan Doc review completed.

idovandijk and others added 2 commits August 9, 2023 14:28
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
@idovandijk idovandijk merged commit aa63ff8 into master Aug 9, 2023
14 checks passed
@idovandijk idovandijk deleted the pan-os-dns-sinkhole branch August 9, 2023 15:23
xsoar-bot pushed a commit to xsoar-contrib/content that referenced this pull request Oct 5, 2023
* Added playbooks, tests, images, and formatted

* fixed conf.json and updated playbook description

* Fixed validation issues in both playbooks

* Added READMEs and release notes

* Removed old files, added new files, docs, pb images, and new RN. Also formatted all files. Added test playbook too.

* Updated playbook with fixes, pb image, and pb readme

* Fixed test configurations for playbooks

* Fixed test configuration in conf.json to use FW and not Panorama

* Apply suggestions from tech docs

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>