You can use HTTP Server profiles to let a PAN-OS appliance send messages to Slack and Teams.
This page has details on how to configure Slack integration. Manage existing apps here (there should be an option for 'Incoming Webhooks').
This page contains formatting information for Slack messages.
Slack gives you the following test command. Replace the full URL with your own webhook URL:

```bash
curl -X POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
```

On Windows the command has to change, because cmd.exe does not treat single quotes as quoting: the JSON is wrapped in double quotes and the inner quotes are escaped.

```bat
curl -X POST -H "Content-type:application/json" --data "{\"text\":\"HelloWorld\"}" https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests
```
Under Device > Server Profiles > HTTP, create a new server profile and give it a payload format like the following. Each field can contain log variables, written with a `$` before the variable name; the variables available are listed in the tables below.

```json
{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "Title to put above the text. Can contain variables.",
      "fallback": "Text to put in the pop up notifications.",
      "text": "Main message. You can add in variables as listed below using the $ sign before the name.\ne.g. $opaque.",
      "color": "danger"
    }
  ]
}
```
System log variables (example values taken from a private-key-export event):

| Variable Name | Example Output |
|---|---|
| actionflags | 0x0 |
| cef-formatted-receive_time | May 30 2020 15:45:12 GMT |
| cef-formatted-time_generated | May 30 2020 15:45:12 GMT |
| cef-number-of-severity | 10 |
| device_name | palo-hostname |
| device_type | |
| dg_hier_level_1 | 0 |
| dg_hier_level_2 | 0 |
| dg_hier_level_3 | 0 |
| dg_hier_level_4 | 0 |
| eventid | private-key-export |
| module | general |
| number-of-severity | 5 |
| object | |
| opaque | Private key cert-ca-root was exported by user admin |
| receive_time | 2020/05/30 16:45:12 |
| sdwan_cluster | |
| sdwan_site | |
| sender_sw_version | 9.1.2 |
| seqno | 71859 |
| serial | 007051000051457 |
| severity | critical |
| subtype | crypto |
| time_generated | 2020/05/30 16:45:12 |
| typevsys | SYSTEM |
| vsys | |
| vsys_id | 0 |
| vsys_name | |

Threat log variables (example values taken from an EICAR test-file detection):

| Variable Name | Example Output |
|---|---|
| action | reset both |
| actionflags | 0x2000000000000000 |
| app | web-browsing |
| assoc_id | 0 |
| category | low-risk |
| cef-formatted-receive_time | May 30 2020 09:17:24 GMT |
| cef-formatted-time_generated | May 30 2020 09:17:24 GMT |
| cef-number-of-severity | 6 |
| cloud | |
| contenttype | |
| contentver | AppThreat-8278-6109 |
| device_name | palo-hostname |
| dg_hier_level_1 | 0 |
| dg_hier_level_2 | 0 |
| dg_hier_level_3 | 0 |
| dg_hier_level_4 | 0 |
| direction | server-to-client |
| dport | 80 |
| dst | 1.2.3.4 |
| dst_uuid | |
| dstloc | Germany |
| dstuser | |
| dynusergroup_name | |
| file_url | |
| filedigest | |
| filetype | |
| flags | 0x402000 |
| from | sz-trusted |
| http2_connection | 0 |
| http_headers | |
| http_method | |
| imei | 0 |
| imsi | 0 |
| inbound_if | ethernet1/2 |
| logset | default |
| misco | eicar.como |
| monitortag | |
| natdport | 80 |
| natdst | 213.211.198.58 |
| natsport | 20376 |
| natsrc | 10.1.1.11 |
| number-of-severity | 3 |
| outbound_if | ethernet1/1 |
| padding | 0 |
| parent_session_id | 0 |
| parent_start_time | |
| pcap_id | 0 |
| ppid | 4294967295 |
| proto | tcp |
| receive_time | 2020/05/30 10:17:24 |
| recipient | |
| referer | |
| repeatcnt | 4 |
| reportid | 0 |
| rule | default-all |
| rule_uuid | e10221de-c22a-4dc8-22ff-222eff1f222e |
| sender_sw_version | 9.1.2 |
| seqno | 2799 |
| serial | 001122334455667 |
| sessionid | 719 |
| severity | medium |
| sig_flags | 0x0 |
| sport | 49387 |
| src | 10.1.1.1 |
| src_uuid | |
| srcloc | 10.0.0.0-10.255.255.255 |
| srcuser | |
| subject | |
| subtype | vulnerability |
| thr_category | code-execution |
| threatid | Eicar File Detected(39040) |
| time_generated | 2020/05/30 10:21:57 |
| time_received | 2020/05/30 10:21:57 |
| to | sz-untrust |
| tunnel | N/A |
| tunnelid | 0 |
| type | THREAT |
| url_category_list | |
| url_idx | 1 |
| user_agent | |
| vsys_id | 1 |
| vsys_id | 1 |
| vsys_name | |
| xff | |
Commit started:

```json
{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "$time_generated COMMIT STARTED",
      "fallback": "$time_generated $admin committed configuration to $device_name",
      "text": "$time_generated $admin committed configuration to $device_name (Job #$seqno)\n----------",
      "color": "good"
    }
  ]
}
```
Admin login (note: the original had a trailing comma after the `text` field, which is not valid JSON and has been removed here):

```json
{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "Admin Login on $device_name",
      "fallback": "Admin Login on $device_name",
      "text": "$time_generated\n$opaque"
    }
  ]
}
```
Critical system event:

```json
{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "$time_generated $severity system event $eventid on $device_name",
      "fallback": "Critical System Event",
      "text": "----------\n$opaque\n----------",
      "color": "danger"
    }
  ]
}
```
VPN tunnel down:

```json
{
  "attachments": [
    {
      "fallback": "$time_generated VPN ALERT $object VPN tunnel is DOWN on $device_name",
      "pretext": "$time_generated",
      "title": "VPN tunnel DOWN",
      "text": "$opaque on $device_name",
      "color": "danger"
    }
  ]
}
```
VPN tunnel up:

```json
{
  "attachments": [
    {
      "fallback": "$time_generated VPN ALERT $object VPN tunnel is UP on $device_name",
      "pretext": "$time_generated",
      "title": "VPN tunnel UP",
      "text": "$opaque on $device_name",
      "color": "good"
    }
  ]
}
```
Threat detected:

```json
{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "Threat Detected",
      "fallback": "THREAT - $severity $thr_category threat detected.",
      "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\nDestination: $dst\n*Application*: $app\n$time_generated\n----------",
      "color": "danger"
    }
  ]
}
```
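As an added example (not from the original page and not Palo Alto Networks code), the Python script below reproduces the `$variable` substitution that the HTTP server profile performs, using the Threat Detected payload format above and a record constructed from the example values in the threat-log variable table. The regex, the sample record and the helper names are this example's own. Whether PAN-OS itself JSON-escapes substituted values is not covered by the page, so the script escapes each value defensively before substitution: a log value that contains a double quote or backslash (a threat name, or a URL or filename carried in `$opaque`) would otherwise break the JSON and the message would never reach Slack. It also parses the rendered result, so a broken template fails locally rather than as a silent webhook error. `post_to_webhook` is included for completeness and is not called in the demo.

```python
import json
import re
import urllib.request

# Constructed sample record: the field names and example values come from the
# threat-log variable table above (this is not a real PAN-OS export).
SAMPLE_THREAT_LOG = {
    "device_name": "palo-hostname",
    "severity": "medium",
    "thr_category": "code-execution",
    "subtype": "vulnerability",
    "threatid": "Eicar File Detected(39040)",
    "action": "reset both",
    "direction": "server-to-client",
    "src": "10.1.1.1",
    "dst": "1.2.3.4",
    "app": "web-browsing",
    "time_generated": "2020/05/30 10:21:57",
}

# The "Threat Detected" payload format from the page, held as the raw text the
# HTTP server profile stores (the \n sequences are JSON escapes, not newlines).
THREAT_TEMPLATE = r'''{
  "attachments": [
    {
      "pretext": "$time_generated",
      "title": "Threat Detected",
      "fallback": "THREAT - $severity $thr_category threat detected.",
      "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\nDestination: $dst\n*Application*: $app\n$time_generated\n----------",
      "color": "danger"
    }
  ]
}'''

# Variable names can contain hyphens (cef-number-of-severity), so a plain
# string.Template, which stops at the first '-', would not match them.
VAR_RE = re.compile(r"\$([A-Za-z][A-Za-z0-9_-]*)")


def json_escape(value: str) -> str:
    """Escape a raw log value so it is safe inside a JSON string literal."""
    return json.dumps(value)[1:-1]


def render(template: str, record: dict, escape: bool = True) -> str:
    """Replace $variables in the template text with values from the log record.

    Unknown variables are left in place so a typo in the template shows up in
    the delivered message instead of silently disappearing.
    """
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in record:
            return match.group(0)
        value = str(record[name])
        return json_escape(value) if escape else value

    return VAR_RE.sub(replace, template)


def renders_valid_json(template: str, record: dict, escape: bool = True) -> bool:
    """True if substitution yields a payload that parses as JSON."""
    try:
        json.loads(render(template, record, escape))
        return True
    except json.JSONDecodeError:
        return False


def build_payload(template: str, record: dict) -> dict:
    """Render and parse, so a template that produces invalid JSON fails here."""
    return json.loads(render(template, record))


def post_to_webhook(webhook_url: str, payload: dict) -> int:
    """POST a rendered payload to a Slack Incoming Webhook; returns the HTTP status."""
    request = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    print(build_payload(THREAT_TEMPLATE, SAMPLE_THREAT_LOG)["attachments"][0]["text"])

    # Failure mode: a log value containing a double quote (constructed here)
    # breaks the JSON when substituted raw, but survives with escaping.
    quoted = dict(SAMPLE_THREAT_LOG, threatid='Detected "quoted" name (1)')
    print("raw substitution valid:", renders_valid_json(THREAT_TEMPLATE, quoted, escape=False))
    print("escaped substitution valid:", renders_valid_json(THREAT_TEMPLATE, quoted))
```

Running the script prints the rendered message text, then shows that raw substitution of the quoted value produces invalid JSON while the escaped form stays parseable. The same `render` function works for the other payload formats on this page; only the template string and the record fields change.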