Posts by jnetz

    Sure, I can speak to the PaloAlto Integrations.

    The firewall integration has the following:



    Reduces time to implement FW rules to milliseconds

    Easy to implement using ATD and Palo's dynamic block lists (setup in under an hour)



    Palo does not recognize if there are repeat rules (ie has the IP address already been blocked in other rules?)

    Palo does not understand FQDNs in rules and requires IP addresses. Otherwise, the fqdn would be a valid indicator as well

    The WildFire integration has the following:



    Reduces time to implement controls around malicious convictions from Wildfire into your ENS endpoint (milliseconds)

    Adds visibility into the WildFire detection in your McAfee/DXL ecosystems



    Wildfire uses a static analysis image

    Wildfire cloud provides ALL convictions in the last 24 hours, not just your tenant's. This is a bug I filed with Palo Alto almost 2 years ago. Not sure where it is now. Maybe it's considered a feature?

    Anyway, hope this helps.


    jnetz added a new solution:

    This is some of the coolest stuff I've seen for OpenDXL. The possibilities are endless. Thank you guys sooo much!!!

    1) Deploy OpenDXL Node-Red Docker

    2) Provision

    3) Install some Node packages

    4) Implement an ePO search

    Took about 3 minutes to do what used to take about 30.


    UPDATE: It appears that lack of resources on @amgkcgc's TIE VM (2GB) may have caused the TIE server to become overloaded and failed to respond or created an error response when replying to the TIE get_file_reputation call. So far, increasing system resources seems to have resolved the issue.

    In examining the output from WF's XML, all values are set appropriately and we were not witnessing null/empty SHA256 values.


    Humbly, I admit that I never thought about this particular case. But the fact that if you wait and run it again in a few hours you get results, then it tells me that there is either a nill case where the key/value pair is missing from PAN's response... or the results are missing all together.

    I'll private message you to help troubleshoot before suggesting a fix.

    camlow325 thanks for the suggestion. Based on what we find out, that may just work ;)

    Hi Raidu,

    This violates SSL best practice as it shares the unique key among all of the endpoints. You could automate the provisioning process.

    python -m dxlclient provisionconfig config myserver client1 -u myuser -p mypass



    jnetz added a new solution:

    OK - I see. This error exists because its expecting GTI to be available. Please enable GTI in your TIE policy. I'll update to handle the exception more gracefully.

    Another option here, without knowing the full use case, could be to use a unique TOPIC to associate with the systems in question. Topics can be ephemeral, so setting them up based on a particular situation, related to only the systems in question is lightweight and easy to do ;)

    jnetz added a new solution:


    Customers are regularly challenged by having made multiple high dollar investments in disjointed best of breed solutions. As such, point-to-point integration is usually required to bridge the gap in architectures offering synergistic value to the organization. And, since WildFire is a very popular sandbox technology from PaloAlto Networks that many customers employ, this module integrates the value of WildFire sandboxing technologies, cloud or on premise appliances, with the effective threat mitigation at the endpoint offered by McAfee's Threat Intelligence Exchange (TIE).

    Icon by Vecteezy licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0).

    jnetz added a new solution:

    jnetz added a new solution:


    QChat (Quick Chat) is a chat room service leveraging the OpenDXL event invocation capabilities to create small, light-weight, and interactive chat rooms for use by incident responders and SOC personnel.

    QChat leverages event invocation to broadcast real-time messages across the channel utilizing DXL's message topics. Authentication can be controlled through topic authorization, or left open for discretionary access to the channel. Topics are dynamically generated when the first participant enters the channel. Each subsequent participant will sit on that topic. Some benefits include but are not limited to: ephemeral, moderator free, encrypted, high speed and always connected, infrastructure free, and already integrated into existing connected platform for quick actions during high-stress incident response activities.