Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:http_calls [2020/05/30 15:41] – bstafford
+++ paloaltonetworks:configuration:http_calls [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== HTTP Server Calls ======
 You can use the HTTP Server profiles to allow your PAN-OS appliance to send messages to Slack and Teams.
 ===== Slack =====
-[[https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093|This page]] has details on how to configure Slack integration.
+[[https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093|This page]] has details on how to configure Slack integration. Manage existing Apps [[https://api.slack.com/apps|here]] (There should be an option for 'Incoming Webhooks').
 [[https://api.slack.com/reference/surfaces/formatting|This page]] contains formatting information for Slack messages.
@@ Line 14: / Line 15: @@
 ==== PAN-OS Options for HTTP Requests ====
+  - On ''Device > Server Profiles > HTTP'' create a new server profile.
+  - Add a new server with the following values
+    * **Name** : hooks.slack (or anything you like)
+    * **Address** : hooks.slack.com
+    * **Protocol** : HTTPS
+    * **Port** : 443
+    * **TLS Version** : 1.2
+    * **Certificate Profile** : None
+    * **HTTP Method** : POST
+    * **Username** : Blank
+    * **Password** : Blank
+  - You then set a payload format. You can create a seperate server profile for each type of message though if you want to get very specific. Each payload format consists of the following
+    * **Name** : describe the action (e.g. //alert-on-login//)
+    * **URI Format** : /services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
+    * **HTTP Headers** :
+      * **Header** : content-type
+      * **Value** : application/json
+    * **Payload** : <code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Title to put above the text. Can contain variables.",
+            "fallback": "Text to put in the pop up notifications.",
+            "text": "Main message. You can add in variables as listed below using the $ sign before the name.\n.e.g. $opaque.",
+            "color": "danger"
+        }
+    ]
+}</code>
 === System Logs ===
+^ Variable Name ^ Example Output ^
+| actionflags | 0x0 |
+| cef-formatted-receive_time | May 30 2020 15:45:12 GMT |
+| cef-formatted-time_generated | May 30 2020 15:45:12 GMT |
+| cef-number-of-severity | 10 |
+| device_name | palo-hostname |
+| device_type |  |
+| dg_hier_level_1 | 0 |
+| dg_hier_level_2 | 0 |
+| dg_hier_level_3 | 0 |
+| dg_hier_level_4 | 0 |
+| eventid | private-key-export |
+| module | general |
+| number-of-severity | 5 |
+| object |  |
+| opaque | Private key cert-ca-root was exported by user admin |
+| receive_time | 2020/05/30 16:45:12 |
+| sdwan_cluster |  |
+| sdwan_site |  |
+| sender_sw_version | 9.1.2 |
+| seqno | 71859 |
+| serial | 007051000051457 |
+| severity | critical |
+| subtype | crypto |
+| time_generated | 2020/05/30 16:45:12 |
+| typevsys | SYSTEM |
+| vsys |  |
+| vsys_id | 0 |
+| vsys_name | |
 === Threat Logs ===
 ^ Variable Name ^ Example Output ^
@@ Line 22: / Line 85: @@
 |assoc_id | 0 |
 |category | low-risk |
-|cef-formatted-receive_time| May 30 2020 09:|17:24 GMT |
+|cef-formatted-receive_time| May 30 2020 09:17:24 GMT |
 |cef-formatted-time_generated| May 30 2020 09:17:24 GMT |
 |cef-number-of-severity| 6 |
@@ Line 101: / Line 164: @@
 |vsys_name | |
 |xff | |
+==== Example Message Payloads ====
+=== Config - Alert on Commit ===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "$time_generated COMMIT STARTED",
+            "fallback": "$time_generated $admin committed configuration to $device_name",
+            "text": "$time_generated $admin committed configuration to $device_name (Job #$seqno)\n----------",
+            "color": "good"
+        }
+    ]
+}</code>
+=== System - Alert on Admin Login===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Admin Login on $device_name",
+            "fallback": "Admin Login on $device_name",
+            "text": "$time_generated\n$opaque",
+        }
+    ]
+}</code>
+=== System - Critical Event===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "$time_generated $severity system event $eventid on $device_name",
+            "fallback": "Critical System Event",
+            "text": "----------\n$opaque\n----------",
+            "color": "danger"
+        }
+    ]
+}</code>
+=== System - VPN Down ===
+<code>{
+    "attachments": [
+        {
+            "fallback": "$time_generated VPN ALERT $object VPN tunnel is DOWN on $device_name",
+            "pretext": "$time_generated",
+            "title": "VPN tunnel DOWN",
+            "text": "$opaque on $device_name",
+            "color": "danger"
+        }
+    ]
+}</code>
+=== System - VPN Up ===
+<code>{
+    "attachments": [
+        {
+            "fallback": "$time_generated VPN ALERT $object VPN tunnel is UP on $device_name",
+            "pretext": "$time_generated",
+            "title": "VPN tunnel UP",
+            "text": "$opaque on $device_name",
+            "color": "good"
+        }
+    ]
+}</code>
+=== Threat - Alert on Threat Detected ===
+<code>{
+    "attachments": [
+        {
+            "pretext": "$time_generated",
+            "title": "Threat Detected",
+            "fallback": "THREAT - $severity $thr_category threat detected.",
+            "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\nDestination: $dst\n*Application*: $app\n$time_generated\n----------",
+            "color": "danger"
+        }
+    ]
+}</code>