Posts by jnetz

Sure, I can speak to the PaloAlto Integrations.

The firewall integration has the following:

Pros

-----

Reduces time to implement FW rules to milliseconds

Easy to implement using ATD and Palo's dynamic block lists (setup in under an hour)

Cons

-----

Palo does not recognize if there are repeat rules (ie has the IP address already been blocked in other rules?)

Palo does not understand FQDNs in rules and requires IP addresses. Otherwise, the fqdn would be a valid indicator as well

The WildFire integration has the following:

Pros

----

Reduces time to implement controls around malicious convictions from Wildfire into your ENS endpoint (milliseconds)

Adds visibility into the WildFire detection in your McAfee/DXL ecosystems

Cons

---

Wildfire uses a static analysis image

Wildfire cloud provides ALL convictions in the last 24 hours, not just your tenant's. This is a bug I filed with Palo Alto almost 2 years ago. Not sure where it is now. Maybe it's considered a feature?

Anyway, hope this helps.

-Jesse

Very cool update. Thanks, guys!

jnetz added a new solution:

Quote

This flow pulls all systems from ePO and creates a set difference with all systems from AD. Each AD computer is evaluated based on FQDN and Hostname to identify if it already exists in ePO. The same process occurs for all systems in ePO with AD. The result is an HTML table with all of the results.

Prerequisites

• The OpenDXL and McAfee ePolicy Orchestrator (ePO) DXL modules have been added to the Node-RED palette.
• A DXL client has been configured in Node-RED (see Client Configuration).
• An ePO DXL service is running and available on the DXL fabric. If version 5.0 or later of the DXL ePO extensions are installed on your ePO server, an ePO DXL service should already be running on the fabric. If you are using an earlier version of the DXL ePO extensions, you can use the ePO DXL Python Service.
• The Node-RED DXL client is authorized to invoke the ePO DXL service, and the user that is connecting to the ePO server (within the ePO DXL service) has permission to execute the "system.applyTag" remote command (see Client Authorization).
• Following Node-RED modules installed in palette:
  • node-red-contrib-activedirectory: A Node-RED nodes collection for Microsoft Active Directory which allows us to query AD for current computers.
  • node-red-contrib-tableify: A Node-RED node which converts JSON into readable HTML for HTTP output.

The output appears as follows:

Here is the Node-RED flow content for this solution:

Code: Node-RED Flow

1. [
2. {
3. "id": "8567a683.e88fa8",
4. "type": "tab",
5. "label": "AD Compare - Systems",
6. "disabled": false,
7. "info": ""
8. },
9. {
10. "id": "ed499ab9.4e71c8",
11. "type": "change",
12. "z": "8567a683.e88fa8",
13. "name": "Set searchText request parameter",
14. "rules": [
15. {
16. "t": "set",
17. "p": "searchText",
18. "pt": "msg",
19. "to": "",
20. "tot": "str"
21. },
22. {
23. "t": "set",
24. "p": "searchNameOnly",
25. "pt": "msg",
26. "to": "false",
27. "tot": "bool"
28. }
29. ],
30. "action": "",
31. "property": "",
32. "from": "",
33. "to": "",
34. "reg": false,
35. "x": 280,
36. "y": 240,
37. "wires": [
38. [
39. "e786bb00.42681"
40. ]
41. ]
42. },
43. {
44. "id": "e786bb00.42681",
45. "type": "dxl-epo-system-find",
46. "z": "8567a683.e88fa8",
47. "name": "",
48. "client": "fa339fae.d0c24",
49. "searchNameOnly": "",
50. "epoUniqueId": "",
51. "returnType": "obj",
52. "x": 300,
53. "y": 340,
54. "wires": [
55. [
56. "734f8e6d.22c438"
57. ]
58. ]
59. },
60. {
61. "id": "df0735e3.1be5d",
62. "type": "query",
63. "z": "8567a683.e88fa8",
64. "name": "Get AD Machines",
65. "url": "ldap://<<HOST>>",
66. "baseDN": "dc=example,dc=com",
67. "x": 430,
68. "y": 500,
69. "wires": [
70. [
71. "1740f61d.f63ec2"
72. ]
73. ]
74. },
75. {
76. "id": "734f8e6d.22c438",
77. "type": "change",
78. "z": "8567a683.e88fa8",
79. "name": "",
80. "rules": [
81. {
82. "t": "set",
83. "p": "epo_systems",
84. "pt": "global",
85. "to": "payload",
86. "tot": "msg"
87. },
88. {
89. "t": "set",
90. "p": "payload",
91. "pt": "msg",
92. "to": "(objectCategory=computer)",
93. "tot": "str"
94. },
95. {
96. "t": "set",
97. "p": "ad_attributes",
98. "pt": "msg",
99. "to": "{\"user\":[\"displayName\",\"dNSHostName\"]}",
100. "tot": "json"
101. }
102. ],
103. "action": "",
104. "property": "",
105. "from": "",
106. "to": "",
107. "reg": false,
108. "x": 360,
109. "y": 420,
110. "wires": [
111. [
112. "df0735e3.1be5d"
113. ]
114. ]
115. },
116. {
117. "id": "1740f61d.f63ec2",
118. "type": "change",
119. "z": "8567a683.e88fa8",
120. "name": "",
121. "rules": [
122. {
123. "t": "set",
124. "p": "payload.ad_systems",
125. "pt": "global",
126. "to": "payload.other",
127. "tot": "msg"
128. },
129. {
130. "t": "set",
131. "p": "ad_systems",
132. "pt": "msg",
133. "to": "ad_systems",
134. "tot": "global"
135. },
136. {
137. "t": "set",
138. "p": "epo_systems",
139. "pt": "msg",
140. "to": "epo_systems",
141. "tot": "global"
142. }
143. ],
144. "action": "",
145. "property": "",
146. "from": "",
147. "to": "",
148. "reg": false,
149. "x": 500,
150. "y": 580,
151. "wires": [
152. [
153. "25f79878.5976b"
154. ]
155. ]
156. },
157. {
158. "id": "25f79878.5976b",
159. "type": "function",
160. "z": "8567a683.e88fa8",
161. "name": "Set Diff",
162. "func": "/* \nSearch through each set and identify systems in AD not in ePO. And, identify systems in ePO and not in AD\"\n*/\nmsg.ad_count = msg.ad_systems.length;\nmsg.epo_count = msg.epo_systems.length;\nmsg.debuga = [];\n\nmsg.payload.ad_alone = [];\nmsg.payload.epo_alone = [];\n//Find all AD systems not in ePO\nfor (var i = 0; i < msg.ad_count; i++) {\n match_found = false;\n for (var j=0; j < msg.epo_count; j++){\n if(msg.ad_systems[i].dNSHostName && msg.epo_systems[j][\"EPOComputerProperties.IPHostName\"])\n {\n if (msg.ad_systems[i].dNSHostName.toUpperCase() === msg.epo_systems[j][\"EPOComputerProperties.IPHostName\"].toUpperCase())\n {\n //The current AD system is in the ePO systems\n match_found = true;\n \n }else if(msg.ad_systems[i].dNSHostName.substring(0,msg.ad_systems[i].dNSHostName.indexOf('.')).toUpperCase()=== msg.epo_systems[j][\"EPOComputerProperties.IPHostName\"].toUpperCase())\n {\n //The current AD system is in the ePO systems\n match_found = true;\n }\n }\n }\n \n if (msg.ad_systems[i].dNSHostName && match_found === false)\n {\n msg.payload.ad_alone.push(msg.ad_systems[i].dNSHostName);\n }\n}\n\n//Find all ePO systems not in AD\nfor (var i = 0; i < msg.epo_count; i++) {\n match_found = false;\n for (var j=0; j < msg.ad_count; j++){\n if(msg.ad_systems[j].dNSHostName && msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"])\n {\n if (msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"].toUpperCase() === msg.ad_systems[j].dNSHostName.toUpperCase())\n {\n //The current ePO system is ad systems\n match_found = true;\n \n }else if(msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"].substring(0,msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"].indexOf('.')).toUpperCase() === msg.ad_systems[j].dNSHostName.toUpperCase())\n {\n //The current ePO system is in the ad systems\n match_found = true;\n }else if(msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"].toUpperCase() === msg.ad_systems[j].dNSHostName.substring(0,msg.ad_systems[j].dNSHostName.indexOf('.')).toUpperCase())\n {\n //The current ePO system is in the ad systems\n match_found = true;\n }\n }\n }\n \n if (msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"] && match_found === false)\n {\n msg.payload.epo_alone.push(msg.epo_systems[i][\"EPOComputerProperties.IPHostName\"]);\n }\n}\n\n\nreturn msg;",
163. "outputs": 1,
164. "noerr": 0,
165. "x": 580,
166. "y": 660,
167. "wires": [
168. [
169. "42f441dd.d229a"
170. ]
171. ]
172. },
173. {
174. "id": "d1048efb.8743d",
175. "type": "http response",
176. "z": "8567a683.e88fa8",
177. "name": "",
178. "statusCode": "",
179. "headers": {},
180. "x": 770,
181. "y": 900,
182. "wires": []
183. },
184. {
185. "id": "ab41af78.3595f8",
186. "type": "http in",
187. "z": "8567a683.e88fa8",
188. "name": "",
189. "url": "/epo/adcompare",
190. "method": "get",
191. "upload": false,
192. "swaggerDoc": "",
193. "x": 180,
194. "y": 160,
195. "wires": [
196. [
197. "ed499ab9.4e71c8"
198. ]
199. ]
200. },
201. {
202. "id": "42f441dd.d229a",
203. "type": "change",
204. "z": "8567a683.e88fa8",
205. "name": "",
206. "rules": [
207. {
208. "t": "delete",
209. "p": "payload.other",
210. "pt": "msg"
211. },
212. {
213. "t": "delete",
214. "p": "payload.groups",
215. "pt": "msg"
216. },
217. {
218. "t": "delete",
219. "p": "payload.users",
220. "pt": "msg"
221. }
222. ],
223. "action": "",
224. "property": "",
225. "from": "",
226. "to": "",
227. "reg": false,
228. "x": 680,
229. "y": 740,
230. "wires": [
231. [
232. "6e63550f.4e2dbc"
233. ]
234. ]
235. },
236. {
237. "id": "6e63550f.4e2dbc",
238. "type": "tableify",
239. "z": "8567a683.e88fa8",
240. "name": "",
241. "before": "This is a list of AD systems not found in ePO. And, a list of ePO systems not found in AD.",
242. "after": "",
243. "tableStyle": "",
244. "theadStyle": "",
245. "tbodyStyle": "",
246. "trStyle": "",
247. "tdStyle": "",
248. "x": 740,
249. "y": 820,
250. "wires": [
251. [
252. "d1048efb.8743d"
253. ]
254. ]
255. },
256. {
257. "id": "2e19ef8b.201fe",
258. "type": "comment",
259. "z": "8567a683.e88fa8",
260. "name": "Create https listener",
261. "info": "",
262. "x": 390,
263. "y": 120,
264. "wires": []
265. },
266. {
267. "id": "ab8df7c2.522b48",
268. "type": "comment",
269. "z": "8567a683.e88fa8",
270. "name": "Set properties for the Find systems node",
271. "info": "",
272. "x": 560,
273. "y": 200,
274. "wires": []
275. },
276. {
277. "id": "8d637bf4.30c1a",
278. "type": "comment",
279. "z": "8567a683.e88fa8",
280. "name": "Extract ALL ePO systems",
281. "info": "",
282. "x": 570,
283. "y": 320,
284. "wires": []
285. },
286. {
287. "id": "ca0cf131.87add",
288. "type": "comment",
289. "z": "8567a683.e88fa8",
290. "name": "Assign global value from payload. And, prepare payload and ad_attributes to perform AD Search",
291. "info": "",
292. "x": 830,
293. "y": 420,
294. "wires": []
295. },
296. {
297. "id": "5b0ec24c.f8cf4c",
298. "type": "comment",
299. "z": "8567a683.e88fa8",
300. "name": "Perform a set difference on AD and ePO systems",
301. "info": "",
302. "x": 880,
303. "y": 660,
304. "wires": []
305. },
306. {
307. "id": "826f20db.23d3b8",
308. "type": "comment",
309. "z": "8567a683.e88fa8",
310. "name": "Convert the JSON results into HTML for rendering",
311. "info": "",
312. "x": 1030,
313. "y": 800,
314. "wires": []
315. }
316. ]

Display More

Display More

Added node red capabilities. Import nodered.json as a flow to get the same functionality. Modify the "Set Malshare API Key" node for your Malshare instance.

This is some of the coolest stuff I've seen for OpenDXL. The possibilities are endless. Thank you guys sooo much!!!

1) Deploy OpenDXL Node-Red Docker

2) Provision

3) Install some Node packages

4) Implement an ePO search

Took about 3 minutes to do what used to take about 30.

Great!

UPDATE: It appears that lack of resources on @amgkcgc's TIE VM (2GB) may have caused the TIE server to become overloaded and failed to respond or created an error response when replying to the TIE get_file_reputation call. So far, increasing system resources seems to have resolved the issue.

In examining the output from WF's XML, all values are set appropriately and we were not witnessing null/empty SHA256 values.

amgkcgc

Humbly, I admit that I never thought about this particular case. But the fact that if you wait and run it again in a few hours you get results, then it tells me that there is either a nill case where the key/value pair is missing from PAN's response... or the results are missing all together.

I'll private message you to help troubleshoot before suggesting a fix.

camlow325 thanks for the suggestion. Based on what we find out, that may just work

Hi Raidu,

This violates SSL best practice as it shares the unique key among all of the endpoints. You could automate the provisioning process.

python -m dxlclient provisionconfig config myserver client1 -u myuser -p mypass

Cheers,

-Jesse

Hello,

Did you provision your dxlclient.config? looks like no config file exists:

python -m dxlclient provisionconfig <CONFIG DIR> <ePO HOST> <CLIENT NAME>

Excited to see this. Thanks, team!

jnetz added a new solution:

Quote

Introduction

ATD-PANFW continuously listens for new ATD indicators discovered through any numerous means. Once discovered, IPs and domains which are convicted as malicious will be stored in the sqlite db. The sqlite db is dynamically generated on first use and automatically updated each use thereafter.

Simultaneously, ATD-PANFW creates 2 web urls ~/ip and ~/domain which can be used in PAN FW to create an External Dynamic Blocklist.

Startup

During startup, the code checks for the existence of the ips_domains.db database. If it does not exist, it is created. Then a connection is made to the DXL fabric and the client begins listening for new ATD IoCs.

_{Icons made by Smashicons from www.flaticon.com is licensed by CC 3.0 BY}

Display More

OK - I see. This error exists because its expecting GTI to be available. Please enable GTI in your TIE policy. I'll update to handle the exception more gracefully.

Another option here, without knowing the full use case, could be to use a unique TOPIC to associate with the systems in question. Topics can be ephemeral, so setting them up based on a particular situation, related to only the systems in question is lightweight and easy to do

jnetz added a new version:

Quote

The Wildfire TIE DXL Python application polls the Wildfire analysis data and updates TIE over the DXL fabric.

jnetz added a new solution:

Quote

Customers are regularly challenged by having made multiple high dollar investments in disjointed best of breed solutions. As such, point-to-point integration is usually required to bridge the gap in architectures offering synergistic value to the organization. And, since WildFire is a very popular sandbox technology from PaloAlto Networks that many customers employ, this module integrates the value of WildFire sandboxing technologies, cloud or on premise appliances, with the effective threat mitigation at the endpoint offered by McAfee's Threat Intelligence Exchange (TIE).

_{Icon by Vecteezy licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0).}

jnetz added a new version:

Quote

RIMalShare (Reputation Ingest - MalShare) employs Extract-Transform-Load (ETL) to import new threat indicators from malshare.com into your TIE Enterprise Reputations.

jnetz added a new solution:

Quote

RIMalShare (Reputation Ingest - MalShare) employs Extract-Transform-Load (ETL) to import new threat indicators from malshare.com into your TIE Enterprise Reputations. RI MalShare takes advantage of newly posted malware hashes submitted to the malshare.com repository. This provides Cyber System Administrators the ability to quickly inoculate all systems in their environment by making them aware of these critical updates.

Display More

jnetz added a new version:

Quote

QChat (Quick Chat) is a chat room service leveraging the OpenDXL event invocation capabilities to create small, light-weight, and interactive chat rooms for use by incident responders and SOC personnel.

jnetz added a new solution:

Quote

QChat (Quick Chat) is a chat room service leveraging the OpenDXL event invocation capabilities to create small, light-weight, and interactive chat rooms for use by incident responders and SOC personnel.

QChat leverages event invocation to broadcast real-time messages across the channel utilizing DXL's message topics. Authentication can be controlled through topic authorization, or left open for discretionary access to the channel. Topics are dynamically generated when the first participant enters the channel. Each subsequent participant will sit on that topic. Some benefits include but are not limited to: ephemeral, moderator free, encrypted, high speed and always connected, infrastructure free, and already integrated into existing connected platform for quick actions during high-stress incident response activities.