This is an old revision of the document!

HTTP Server Calls

You can use the HTTP Server profiles to allow your PAN-OS appliance to send messages to Slack and Teams.

Slack

This page has details on how to configure Slack integration.

This page contains formatting information for Slack messages.

Test Slack Web Hook

Slack give you the following test command. Replace the full URL with your web hook URL

curl -X POST -H 'Content-type: application/json' --data '{"text":"Hello, World!"}' https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests

On Windows, we have to change the command to the following

curl -X POST -H "Content-type:application/json" --data "{\"text\":\"HelloWorld\"}" https://hooks.slack.com/services/A012BCDEFG3/B0123456ABC/ABCdef1234567890ZYXtests

PAN-OS Options for HTTP Requests

System Logs

Variable Name	Example Output
actionflags	0x0
cef-formatted-receive_time	May 30 2020 15:45:12 GMT
cef-formatted-time_generated	May 30 2020 15:45:12 GMT
cef-number-of-severity	10
device_name	palo-hostname
device_type
dg_hier_level_1	0
dg_hier_level_2	0
dg_hier_level_3	0
dg_hier_level_4	0
eventid	private-key-export
module	general
number-of-severity	5
object
opaque	Private key cert-ca-root was exported by user admin
receive_time	2020/05/30 16:45:12
sdwan_cluster
sdwan_site
sender_sw_version	9.1.2
seqno	71859
serial	007051000051457
severity	critical
subtype	crypto
time_generated	2020/05/30 16:45:12
typevsys	SYSTEM
vsys
vsys_id	0
vsys_name

Threat Logs

Variable Name	Example Output
action	reset both
actionflags	0x2000000000000000
app	web-browsing
assoc_id	0
category	low-risk
cef-formatted-receive_time	May 30 2020 09:17:24 GMT
cef-formatted-time_generated	May 30 2020 09:17:24 GMT
cef-number-of-severity	6
cloud
contenttype
contentver	AppThreat-8278-6109
device_name	palo-hostname
dg_hier_level_1	0
dg_hier_level_2	0
dg_hier_level_3	0
dg_hier_level_4	0
direction	server-to-client
dport	80
dst	1.2.3.4
dst_uuid
dstloc	Germany
dstuser
dynusergroup_name
file_url
filedigest
filetype
flags	0x402000
from	sz-trusted
http2_connection	0
http_headers
http_method
imei	0
imsi	0
inbound_if	ethernet1/2
logset	default
misco	eicar.como
monitortag
natdport	80
natdst	213.211.198.58
natsport	20376
natsrc	10.1.1.11
number-of-severity	3
outbound_if	ethernet1/1
padding	0
parent_session_id	0
parent_start_time
pcap_id	0
ppid	4294967295
proto	tcp
receive_time	2020/05/30 10:17:24
recipient
referer
repeatcnt	4
reportid	0
rule	default-all
rule_uuid	e10221de-c22a-4dc8-22ff-222eff1f222e
sender_sw_version	9.1.2
seqno	2799
serial	001122334455667
sessionid	719
severity	medium
sig_flags	0x0
sport	49387
src	10.1.1.1
src_uuid
srcloc	10.0.0.0-10.255.255.255
srcuser
subject
subtype	vulnerability
thr_category	code-execution
threatid	Eicar File Detected(39040)
time_generated	2020/05/30 10:21:57
time_received	2020/05/30 10:21:57
to	sz-untrust
tunnel	N/A
tunnelid	0
type	THREAT
url_category_list
url_idx	1
user_agent
vsys_id	1
vsys_id	1
vsys_name
xff

Example Message Payloads

Config - Alert on Commit

{
    "attachments": [
        {
            "pretext": "$time_generated",

            "title": "$time_generated COMMIT STARTED",
			
            "fallback": "$time_generated $admin committed configuration to $device_name",
			
            "text": "$time_generated $admin committed configuration to $device_name (Job #$seqno)\n----------",
			
            "color": "good"
        }
    ]
}

System

Threat - Alert on Threat Detected

{
    "attachments": [
        {
            "pretext": "$time_generated",

            "title": "Threat Detected",

            "fallback": "THREAT - $severity $thr_category threat detected.",

            "text": "----------\n*$device_name* detected a *$severity* $thr_category $subtype\n*Threat ID*: $threatid\n*Action*: $action\n*Direction*: $direction\n*Source*: $src\nDestination: $dst\n*Application*: $app\n$time_generated\n----------",

            "color": "danger"
        }
    ]
}

Saucepan

Table of Contents