Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:http_calls [2020/05/30 15:35] – bstafford
+++ paloaltonetworks:configuration:http_calls [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== HTTP Server Calls ======
 You can use the HTTP Server profiles to allow your PAN-OS appliance to send messages to Slack and Teams.
 ===== Slack =====
-[[https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093|This page]] has details on how to configure Slack integration.
+[[https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093|This page]] has details on how to configure Slack integration. Manage existing Apps [[https://api.slack.com/apps|here]] (There should be an option for 'Incoming Webhooks').
 [[https://api.slack.com/reference/surfaces/formatting|This page]] contains formatting information for Slack messages.
+==== Test Slack Web Hook ====
 Slack give you the following test command. Replace the full URL with your web hook URL
 <code>curl -X POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests</code>
@@ Line 12: / Line 14: @@
 <code>curl -X POST -H "Content-type:application/json" --data "{\"text\":\"HelloWorld\"}" https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests</code>
+==== PAN-OS Options for HTTP Requests ====
+  - On ''Device > Server Profiles > HTTP'' create a new server profile.
+  - Add a new server with the following values
+    * **Name** : hooks.slack (or anything you like)
+    * **Address** : hooks.slack.com
+    * **Protocol** : HTTPS
+    * **Port** : 443
+    * **TLS Version** : 1.2
+    * **Certificate Profile** : None
+    * **HTTP Method** : POST
+    * **Username** : Blank
+    * **Password** : Blank
+  - You then set a payload format. You can create a seperate server profile for each type of message though if you want to get very specific. Each payload format consists of the following
+    * **Name** : describe the action (e.g. //alert-on-login//)
+    * **URI Format** : /services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
+    * **HTTP Headers** :
+      * **Header** : content-type
+      * **Value** : application/json
+    * **Payload** : <code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Title to put above the text. Can contain variables.",
+            "fallback": "Text to put in the pop up notifications.",
+            "text": "Main message. You can add in variables as listed below using the $ sign before the name.\n.e.g. $opaque.",
+            "color": "danger"
+        }
+    ]
+}</code>
+=== System Logs ===
+^ Variable Name ^ Example Output ^
+| actionflags | 0x0 |
+| cef-formatted-receive_time | May 30 2020 15:45:12 GMT |
+| cef-formatted-time_generated | May 30 2020 15:45:12 GMT |
+| cef-number-of-severity | 10 |
+| device_name | palo-hostname |
+| device_type |  |
+| dg_hier_level_1 | 0 |
+| dg_hier_level_2 | 0 |
+| dg_hier_level_3 | 0 |
+| dg_hier_level_4 | 0 |
+| eventid | private-key-export |
+| module | general |
+| number-of-severity | 5 |
+| object |  |
+| opaque | Private key cert-ca-root was exported by user admin |
+| receive_time | 2020/05/30 16:45:12 |
+| sdwan_cluster |  |
+| sdwan_site |  |
+| sender_sw_version | 9.1.2 |
+| seqno | 71859 |
+| serial | 007051000051457 |
+| severity | critical |
+| subtype | crypto |
+| time_generated | 2020/05/30 16:45:12 |
+| typevsys | SYSTEM |
+| vsys |  |
+| vsys_id | 0 |
+| vsys_name | |
+=== Threat Logs ===
+^ Variable Name ^ Example Output ^
+|action | reset both |
+|actionflags | 0x2000000000000000 |
+|app | web-browsing |
+|assoc_id | 0 |
+|category | low-risk |
+|cef-formatted-receive_time| May 30 2020 09:17:24 GMT |
+|cef-formatted-time_generated| May 30 2020 09:17:24 GMT |
+|cef-number-of-severity| 6 |
+|cloud | |
+|contenttype | |
+|contentver | AppThreat-8278-6109 |
+|device_name | palo-hostname |
+|dg_hier_level_1| 0 |
+|dg_hier_level_2| 0 |
+|dg_hier_level_3| 0 |
+|dg_hier_level_4| 0 |
+|direction | server-to-client |
+|dport | 80 |
+|dst | 1.2.3.4 |
+|dst_uuid | |
+|dstloc | Germany |
+|dstuser | |
+|dynusergroup_name | |
+|file_url | |
+|filedigest | |
+|filetype | |
+|flags | 0x402000|
+|from | sz-trusted |
+|http2_connection | 0 |
+|http_headers | |
+|http_method | |
+|imei | 0 |
+|imsi | 0 |
+|inbound_if | ethernet1/2 |
+|logset | default |
+|misco | eicar.como |
+|monitortag | |
+|natdport | 80 |
+|natdst | 213.211.198.58 |
+|natsport | 20376 |
+|natsrc | 10.1.1.11 |
+|number-of-severity | 3 |
+|outbound_if | ethernet1/1 |
+|padding | 0 |
+|parent_session_id | 0 |
+|parent_start_time | |
+|pcap_id | 0 |
+|ppid | 4294967295 |
+|proto | tcp |
+|receive_time | 2020/05/30 10:17:24|
+|recipient | |
+|referer | |
+|repeatcnt | 4 |
+|reportid | 0 |
+|rule | default-all |
+|rule_uuid | e10221de-c22a-4dc8-22ff-222eff1f222e |
+|sender_sw_version | 9.1.2 |
+|seqno | 2799 |
+|serial | 001122334455667 |
+|sessionid | 719 |
+|severity | medium |
+|sig_flags | 0x0 |
+|sport | 49387 |
+|src | 10.1.1.1 |
+|src_uuid ||
+|srcloc | 10.0.0.0-10.255.255.255|
+|srcuser | |
+|subject | |
+|subtype | vulnerability |
+|thr_category | code-execution |
+|threatid | Eicar File Detected(39040) |
+|time_generated | 2020/05/30 10:21:57 |
+|time_received | 2020/05/30 10:21:57 |
+|to | sz-untrust |
+|tunnel | N/A |
+|tunnelid | 0 |
+|type | THREAT |
+|url_category_list | |
+|url_idx | 1 |
+|user_agent | |
+|vsys_id | 1 |
+|vsys_id | 1 |
+|vsys_name | |
+|xff | |
+==== Example Message Payloads ====
+=== Config - Alert on Commit ===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "$time_generated COMMIT STARTED",
+            "fallback": "$time_generated $admin committed configuration to $device_name",
+            "text": "$time_generated $admin committed configuration to $device_name (Job #$seqno)\n----------",
+            "color": "good"
+        }
+    ]
+}</code>
+=== System - Alert on Admin Login===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Admin Login on $device_name",
+            "fallback": "Admin Login on $device_name",
+            "text": "$time_generated\n$opaque",
+        }
+    ]
+}</code>
+=== System - Critical Event===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "$time_generated $severity system event $eventid on $device_name",
+            "fallback": "Critical System Event",
+            "text": "----------\n$opaque\n----------",
+            "color": "danger"
+        }
+    ]
+}</code>
+=== System - VPN Down ===
+<code>{
+    "attachments": [
+        {
+            "fallback": "$time_generated VPN ALERT $object VPN tunnel is DOWN on $device_name",
+            "pretext": "$time_generated",
+            "title": "VPN tunnel DOWN",
+            "text": "$opaque on $device_name",
+            "color": "danger"
+        }
+    ]
+}</code>
+=== System - VPN Up ===
+<code>{
+    "attachments": [
+        {
+            "fallback": "$time_generated VPN ALERT $object VPN tunnel is UP on $device_name",
+            "pretext": "$time_generated",
+            "title": "VPN tunnel UP",
+            "text": "$opaque on $device_name",
+            "color": "good"
+        }
+    ]
+}</code>
+=== Threat - Alert on Threat Detected ===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Threat Detected",
+            "fallback": "THREAT - $severity $thr_category threat detected.",
+            "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\nDestination: $dst\n*Application*: $app\n$time_generated\n----------",
+            "color": "danger"
+        }
+    ]
+}</code>