====== HTTP Server Calls ======
You can use HTTP Server Profiles to have a PAN-OS firewall push log events to Slack (and, with a different payload, Teams) through an incoming webhook. Only Slack is covered below.
===== Slack =====
[[https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093|This page]] has details on how to configure Slack integration. Manage existing Apps [[https://api.slack.com/apps|here]] (There should be an option for 'Incoming Webhooks').
[[https://api.slack.com/reference/surfaces/formatting|This page]] contains formatting information for Slack messages.
==== Test Slack Web Hook ====
Slack gives you the following test command. Replace the URL with your own webhook URL (the one below is a placeholder). The URL //is// the credential: anyone who has it can post to the channel, so keep it out of tickets, chat and shared shell history. A working hook answers with HTTP 200 and the body ''ok''; a malformed body gets HTTP 400 ''invalid_payload''.
<code bash>
curl -X POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
</code>
On Windows (cmd.exe) the quoting has to change to the following. In Windows PowerShell 5.1 ''curl'' is an alias for ''Invoke-WebRequest'', so call ''curl.exe'' explicitly there; PowerShell 7 no longer has that alias.
<code>
curl -X POST -H "Content-type:application/json" --data "{\"text\":\"HelloWorld\"}" https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
</code>
==== PAN-OS Options for HTTP Requests ====
  - On ''Device > Server Profiles > HTTP'' create a new server profile.
  - Add a new server with the following values:
    * **Name** : hooks.slack (or anything you like)
    * **Address** : hooks.slack.com
    * **Protocol** : HTTPS
    * **Port** : 443
    * **TLS Version** : 1.2
    * **Certificate Profile** : None (with no profile selected the firewall is not validating the Slack server certificate against a CA you chose; if you want that check, create a certificate profile holding the CA that issued the hooks.slack.com certificate and select it here)
    * **HTTP Method** : POST
    * **Username** : Blank
    * **Password** : Blank
  - On the //Payload Format// tab add one payload format per message type you want (you can also split them across separate server profiles if you want to get very specific). Each payload format consists of the following:
    * **Name** : describe the action (e.g. //alert-on-login//)
    * **URI Format** : /services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests (the path from your webhook URL; this is the secret part, and it sits in clear text in the configuration, so treat config exports and backups accordingly)
    * **HTTP Headers** :
      * **Header** : content-type
      * **Value** : application/json
    * **Payload** : the JSON body below; variables from the tables that follow are inserted with a ''$'' in front of the name.
<code json>
{
    "attachments": [
        {
            "pretext": "$time_generated",
            "title": "Title to put above the text. Can contain variables.",
            "fallback": "Text to put in the pop up notifications.",
            "text": "Main message. You can add in variables as listed below using the $ sign before the name.\ne.g. $opaque.",
            "color": "danger"
        }
    ]
}
</code>
Variables are substituted into the payload literally, so a field that can contain a double quote, backslash or newline (''$opaque'', ''$misc'', ''$user_agent'', ''$http_headers'', ''$referer'') can turn the body into invalid JSON that Slack rejects with ''invalid_payload'', and several of those fields carry content supplied by the traffic you are alerting on. Check whether the payload format on your release offers Escaping options (Escaped Characters / Escape Character); if it does, escape ''"'' and ''\'' with ''\''. Either way, try a hostile sample value against the template before you rely on the alert.
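To check a payload format before committing it, here is an added example (my own code, not PAN-OS or Palo Alto code) that mimics the firewall's ''$variable'' substitution with and without escaping, runs it over constructed log fields, and reports whether Slack would parse the result. The template is the admin-login payload from further down this page; the escaping rules, the sample login message and the ''SLACK_WEBHOOK_URL'' environment variable name are assumptions.

```python
"""Render a PAN-OS HTTP server profile payload locally before committing it.

Added example, not PAN-OS code: it mimics the firewall's $variable
substitution so a template can be tried against hostile field values.
"""
import json
import os
import re
import urllib.request
from typing import Optional

# Variable names may contain hyphens (e.g. cef-number-of-severity), so a
# plain string.Template is not enough; the greedy match picks $vsys_id over $vsys.
_VAR = re.compile(r"\$([A-Za-z0-9_-]+)")

# Characters that break a JSON string literal if inserted verbatim.
_JSON_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def escape_for_json(value: str) -> str:
    """Escape a log field so it can sit inside a JSON string literal."""
    return "".join(_JSON_ESCAPES.get(ch, ch) for ch in value)


def render(template: str, fields: dict, escape: bool) -> str:
    """Replace $name tokens with log fields; unknown names are left untouched.

    escape=False models a profile with no escaping configured.
    """
    def sub(match):
        name = match.group(1)
        if name not in fields:
            return match.group(0)
        value = fields[name]
        return escape_for_json(value) if escape else value
    return _VAR.sub(sub, template)


def validate(payload: str) -> dict:
    """Parse the rendered body; raise ValueError if Slack would reject it."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rendered payload is not valid JSON: {exc}") from exc
    if not any(k in doc for k in ("text", "attachments", "blocks")):
        raise ValueError("payload carries no text, attachments or blocks")
    return doc


def renders_valid(template: str, fields: dict, escape: bool) -> bool:
    """True if the template survives these field values as valid JSON."""
    try:
        validate(render(template, fields, escape))
        return True
    except ValueError:
        return False


# The "System - Alert on Admin Login" payload from this page.
ADMIN_LOGIN_TEMPLATE = """{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "Admin Login on $device_name",
      "fallback": "Admin Login on $device_name",
      "text": "$time_generated\\n$opaque"
    }
  ]
}"""

# Constructed system-log fields. The quotes in $opaque are deliberate: login
# messages carry text the firewall did not choose, and one '"' is enough.
SAMPLE_FIELDS = {
    "time_generated": "2020/05/30 16:45:12",
    "device_name": "palo-hostname",
    "opaque": 'User "admin" logged in via Web from 10.1.1.5 using https',
}


def post_to_slack(payload: str, url: Optional[str] = None) -> str:
    """POST a validated payload. The hook URL comes from the environment
    (SLACK_WEBHOOK_URL, an assumed name) so the secret never lands in code."""
    url = url or os.environ["SLACK_WEBHOOK_URL"]
    validate(payload)
    req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()  # Slack answers "ok"


if __name__ == "__main__":
    for escape in (False, True):
        ok = renders_valid(ADMIN_LOGIN_TEMPLATE, SAMPLE_FIELDS, escape)
        print(f"escape={escape}: valid={ok}")
        print(render(ADMIN_LOGIN_TEMPLATE, SAMPLE_FIELDS, escape))
    if os.environ.get("SLACK_WEBHOOK_URL"):
        print(post_to_slack(render(ADMIN_LOGIN_TEMPLATE, SAMPLE_FIELDS, True)))
```

Run it without ''SLACK_WEBHOOK_URL'' set and it only renders: the unescaped pass produces a body Slack would refuse, the escaped pass produces one it accepts. Swap in any of the payloads from the examples below and the field values you expect from your own logs to test them the same way.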
=== System Logs ===
^ Variable Name ^ Example Output ^
| actionflags | 0x0 |
| cef-formatted-receive_time | May 30 2020 15:45:12 GMT |
| cef-formatted-time_generated | May 30 2020 15:45:12 GMT |
| cef-number-of-severity | 10 |
| device_name | palo-hostname |
| device_type | |
| dg_hier_level_1 | 0 |
| dg_hier_level_2 | 0 |
| dg_hier_level_3 | 0 |
| dg_hier_level_4 | 0 |
| eventid | private-key-export |
| module | general |
| number-of-severity | 5 |
| object | |
| opaque | Private key cert-ca-root was exported by user admin |
| receive_time | 2020/05/30 16:45:12 |
| sdwan_cluster | |
| sdwan_site | |
| sender_sw_version | 9.1.2 |
| seqno | 71859 |
| serial | 007051000051457 |
| severity | critical |
| subtype | crypto |
| time_generated | 2020/05/30 16:45:12 |
| type | SYSTEM |
| vsys | |
| vsys_id | 0 |
| vsys_name | |
=== Threat Logs ===
^ Variable Name ^ Example Output ^
|action | reset both |
|actionflags | 0x2000000000000000 |
|app | web-browsing |
|assoc_id | 0 |
|category | low-risk |
|cef-formatted-receive_time| May 30 2020 09:17:24 GMT |
|cef-formatted-time_generated| May 30 2020 09:17:24 GMT |
|cef-number-of-severity| 6 |
|cloud | |
|contenttype | |
|contentver | AppThreat-8278-6109 |
|device_name | palo-hostname |
|dg_hier_level_1| 0 |
|dg_hier_level_2| 0 |
|dg_hier_level_3| 0 |
|dg_hier_level_4| 0 |
|direction | server-to-client |
|dport | 80 |
|dst | 1.2.3.4 |
|dst_uuid | |
|dstloc | Germany |
|dstuser | |
|dynusergroup_name | |
|file_url | |
|filedigest | |
|filetype | |
|flags | 0x402000|
|from | sz-trusted |
|http2_connection | 0 |
|http_headers | |
|http_method | |
|imei | 0 |
|imsi | 0 |
|inbound_if | ethernet1/2 |
|logset | default |
|misc | eicar.como |
|monitortag | |
|natdport | 80 |
|natdst | 213.211.198.58 |
|natsport | 20376 |
|natsrc | 10.1.1.11 |
|number-of-severity | 3 |
|outbound_if | ethernet1/1 |
|padding | 0 |
|parent_session_id | 0 |
|parent_start_time | |
|pcap_id | 0 |
|ppid | 4294967295 |
|proto | tcp |
|receive_time | 2020/05/30 10:17:24|
|recipient | |
|referer | |
|repeatcnt | 4 |
|reportid | 0 |
|rule | default-all |
|rule_uuid | e10221de-c22a-4dc8-22ff-222eff1f222e |
|sender_sw_version | 9.1.2 |
|seqno | 2799 |
|serial | 001122334455667 |
|sessionid | 719 |
|severity | medium |
|sig_flags | 0x0 |
|sport | 49387 |
|src | 10.1.1.1 |
|src_uuid ||
|srcloc | 10.0.0.0-10.255.255.255|
|srcuser | |
|subject | |
|subtype | vulnerability |
|thr_category | code-execution |
|threatid | Eicar File Detected(39040) |
|time_generated | 2020/05/30 10:21:57 |
|time_received | 2020/05/30 10:21:57 |
|to | sz-untrust |
|tunnel | N/A |
|tunnelid | 0 |
|type | THREAT |
|url_category_list | |
|url_idx | 1 |
|user_agent | |
|vsys_id | 1 |
|vsys_name | |
|xff | |
==== Example Message Payloads ====
=== Config - Alert on Commit ===
<code json>
{
    "attachments": [
        {
            "pretext": "$time_generated",
            "title": "$time_generated COMMIT STARTED",
            "fallback": "$time_generated $admin committed configuration to $device_name",
            "text": "$time_generated $admin committed configuration to $device_name (log seqno $seqno)\n----------",
            "color": "good"
        }
    ]
}
</code>
=== System - Alert on Admin Login ===
<code json>
{
    "attachments": [
        {
            "pretext": "$time_generated",
            "title": "Admin Login on $device_name",
            "fallback": "Admin Login on $device_name",
            "text": "$time_generated\n$opaque"
        }
    ]
}
</code>
=== System - Critical Event ===
<code json>
{
    "attachments": [
        {
            "pretext": "$time_generated",
            "title": "$time_generated $severity system event $eventid on $device_name",
            "fallback": "Critical System Event",
            "text": "----------\n$opaque\n----------",
            "color": "danger"
        }
    ]
}
</code>
=== System - VPN Down ===
<code json>
{
    "attachments": [
        {
            "fallback": "$time_generated VPN ALERT $object VPN tunnel is DOWN on $device_name",
            "pretext": "$time_generated",
            "title": "VPN tunnel DOWN",
            "text": "$opaque on $device_name",
            "color": "danger"
        }
    ]
}
</code>
=== System - VPN Up ===
<code json>
{
    "attachments": [
        {
            "fallback": "$time_generated VPN ALERT $object VPN tunnel is UP on $device_name",
            "pretext": "$time_generated",
            "title": "VPN tunnel UP",
            "text": "$opaque on $device_name",
            "color": "good"
        }
    ]
}
</code>
=== Threat - Alert on Threat Detected ===
<code json>
{
    "attachments": [
        {
            "pretext": "$time_generated",
            "title": "Threat Detected",
            "fallback": "THREAT - $severity $thr_category threat detected.",
            "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\n*Destination*: $dst\n*Application*: $app\n$time_generated\n----------",
            "color": "danger"
        }
    ]
}
</code>
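Before pointing a profile at Slack it helps to point it at a lab host and look at exactly what the firewall sends. This added receiver (my own code, not a Palo Alto or Slack tool) accepts POSTs, stores them, and answers the way Slack's webhook endpoint does (''ok'' for a JSON body, HTTP 400 ''invalid_payload'' otherwise). Run it on a host the firewall can reach, with a server profile set to Protocol HTTP and the port you bind; the listening port, the ''/services/test'' path and the two sample bodies in ''demo()'' are arbitrary constructed choices.

```python
"""Local stand-in for hooks.slack.com that captures what the firewall sends.

Added example, not a Palo Alto or Slack tool. Point an HTTP server profile
(Protocol HTTP, no TLS) at this host and read the captured bodies.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class CaptureHandler(BaseHTTPRequestHandler):
    """Accept any POST, record it, and answer like Slack's webhook endpoint."""
    received = []  # shared across requests: dicts with path, content_type, body

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        CaptureHandler.received.append({
            "path": self.path,
            "content_type": self.headers.get("Content-Type"),
            "body": body,
        })
        try:
            json.loads(body)
            status, reply = 200, b"ok"
        except ValueError:
            status, reply = 400, b"invalid_payload"  # what Slack returns
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, fmt, *args):
        pass  # keep stdout for the captured bodies


def start_capture(host="127.0.0.1", port=0):
    """Serve in a background thread; port=0 lets the OS pick a free port.
    For a real firewall test bind 0.0.0.0 and a fixed port such as 8080."""
    server = HTTPServer((host, port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(url, payload):
    """POST a body the way the profile does; return (status, reply text)."""
    req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Send one rendered VPN-down body and one broken body to the receiver."""
    server = start_capture()
    url = f"http://127.0.0.1:{server.server_address[1]}/services/test"
    good = json.dumps({"attachments": [{
        "pretext": "2020/05/30 16:45:12",
        "title": "VPN tunnel DOWN",
        "text": "IKE phase-1 negotiation failed on palo-hostname",  # constructed
        "color": "danger"}]})
    bad = '{"attachments": [{"text": "User "admin" logged in"}]}'  # unescaped quote
    results = [post(url, good), post(url, bad)]
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for status, reply in demo():
        print(status, reply)
    for hit in CaptureHandler.received:
        print(hit["path"], hit["content_type"], hit["body"])
```

When the firewall is the client, the captured ''path'' should equal the URI Format you configured, ''content_type'' should be ''application/json'', and each body should parse; a 400 here means the same body will fail at Slack.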