Skip to main content

Palo Alto Networks IoT

This Integration is part of the IoT by Palo Alto Networks Pack.#

This is the Palo Alto Networks IoT integration (previously Zingbox). This integration was integrated and tested with the Banff release of Palo Alto Networks IoT.

Get your Palo Alto Networks IoT Access Keys#

This integration requires that API access be configured. To obtain the Access Key ID and Secret Access Key, refer to the Palo Alto Networks IoT API User Guide.

Configure Palo Alto Networks IoT in Cortex#

ParameterDescriptionRequired
urlPalo Alto Networks IoT Security Portal URL (e.g. https://example.iot.paloaltonetworks.com\)True
tenant_idTenant IDTrue
access_key_idAccess Key IDTrue
secret_access_keySecret Access KeyTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
first_fetchFirst fetch timeFalse
max_fetchMaximum number of incidents per fetchFalse
fetch_alertsFetch IoT AlertsFalse
fetch_vulnsFetch IoT VulnerabilitiesFalse
api_timeoutThe timeout for querying APIsFalse
incidentTypeIncident typeFalse
isFetchFetch incidentsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

iot-security-get-device#


IoT get device command - get a single device's details.

Base Command#

iot-security-get-device

Input#

Argument NameDescriptionRequired
idThe device uid (mac address)Required

Context Output#

PathTypeDescription
PaloAltoNetworksIoT.DeviceunknownDevice details.
PaloAltoNetworksIoT.Device.hostnameStringThe hostname of the device.
PaloAltoNetworksIoT.Device.ip_addressStringThe IP address of the device.
PaloAltoNetworksIoT.Device.profile_typeStringThe device profile type: Non_IoT vs IoT.
PaloAltoNetworksIoT.Device.profile_verticalStringThe device profile vertical.
PaloAltoNetworksIoT.Device.categoryStringThe device category
PaloAltoNetworksIoT.Device.profileStringThe device profile.
PaloAltoNetworksIoT.Device.last_activityDateThe last activity timestamp of the device.
PaloAltoNetworksIoT.Device.long_descriptionStringThe long description of the device.
PaloAltoNetworksIoT.Device.vlanNumberThe device VLAN ID.
PaloAltoNetworksIoT.Device.site_nameStringThe site which the device is in.
PaloAltoNetworksIoT.Device.risk_scoreNumberThe device risk score.
PaloAltoNetworksIoT.Device.risk_levelStringThe device risk level: Low, Medium, High, Critical
PaloAltoNetworksIoT.Device.subnetStringThe device subnet.
PaloAltoNetworksIoT.Device.first_seen_dateDateThe first seen date of the device.
PaloAltoNetworksIoT.Device.confidence_scoreNumberThe device confidence score.
PaloAltoNetworksIoT.Device.deviceidDateThe device ID.
PaloAltoNetworksIoT.Device.locationStringThe device location.
PaloAltoNetworksIoT.Device.vendorStringThe device vendor.
PaloAltoNetworksIoT.Device.modelStringThe device model.
PaloAltoNetworksIoT.Device.descriptionStringThe device description.
PaloAltoNetworksIoT.Device.asset_tagStringThe device asset tag (e.g. a sticky label at the bottom of the device).
PaloAltoNetworksIoT.Device.os_groupStringThe device OS group.
PaloAltoNetworksIoT.Device.Serial_NumberStringThe device serial number.
PaloAltoNetworksIoT.Device.DHCPStringWhether the device is in DHCP model: Valid values are Yes or No.
PaloAltoNetworksIoT.Device.wire_or_wirelessStringIs the device wired or wireless.
PaloAltoNetworksIoT.Device.departmentStringThe device department.
PaloAltoNetworksIoT.Device.Switch_PortNumberThe port of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Switch_NameStringThe name of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Switch_IPStringThe IP of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Access_Point_IPStringThe IP of the access point this device is connected to.
PaloAltoNetworksIoT.Device.Access_Point_NameStringThe name of the access point this device is connected to.
PaloAltoNetworksIoT.Device.SSIDStringThe SSID of the wireless network this device is connected to.
PaloAltoNetworksIoT.Device.MACDateThe device MAC address.
PaloAltoNetworksIoT.Device.display_tagsStringThe user tags of the device.
PaloAltoNetworksIoT.Device.mac_addressStringThe device MAC address.

Command Example#

iot-security-get-device id=00:0f:e5:04:14:4c

Human Readable Output#

AD_DomainAD_UsernameAETAccess_Point_IPAccess_Point_NameApplicationsAuthentication_MethodCMMS_CategoryCMMS_SourceCMMS_StateDHCPEAP_MethodEncryption_CipherExternal_Inventory_Sync_FieldMACNAC_Auth_InfoNAC_Auth_StateNAC_profileNAC_profile_sourceNetworkLocationSMBSSIDSerial_NumberSourceSwitch_IPSwitch_NameSwitch_PortSynced_With_Third-PartyTime_Synced_With_Third-PartyWIFI_Auth_StatusWIFI_Auth_Timestampasset_tagcategoryconfidence_scoredepartmentdescriptiondeviceiddisplay_tagsendpoint_protectionendpoint_protection_vendorfirst_seen_datehostnamein_useip_addressis_serverlast_activitylocationlong_descriptionmac_addressmodelnumber_of_caution_alertsnumber_of_critical_alertsnumber_of_info_alertsnumber_of_warning_alertsos/firmware_versionos_combinedos_groupparent_macprofileprofile_typeprofile_verticalrisk_levelrisk_scoreservicessite_namesourcesubnetvendorvlanwire_or_wireless
00:0f:e5:04:14:4cMonitoredPhysical Security9400:0f:e5:04:14:4cnot_protected2020-08-13T07:21:02.000Z00:0f:e5:04:14:4c10.70.112.202020-08-18T19:26:05.000Z00:0f:e5:04:14:4c0000Access Control DeviceIoTFacilityLow10test-katherine-082110.0.0.0/8HID Global/Mercury Security

iot-security-list-devices#


IoT list devices command

Base Command#

iot-security-list-devices

Input#

Argument NameDescriptionRequired
offsetThe offset in the pagination.Optional
limitThe maximum size of the list of the devices.Optional

Context Output#

PathTypeDescription
PaloAltoNetworksIoT.DeviceListunknownList of devices.

Command Example#

iot-security-list-devices offset=0 limit=2

Human Readable Output#

AD_DomainAD_UsernameAETAccess_Point_IPAccess_Point_NameApplicationsAuthentication_MethodCMMS_CategoryCMMS_SourceCMMS_StateDHCPEAP_MethodEncryption_CipherExternal_Inventory_Sync_FieldMACNAC_Auth_InfoNAC_Auth_StateNAC_profileNAC_profile_sourceNetworkLocationSMBSSIDSerial_NumberSourceSwitch_IPSwitch_NameSwitch_PortSynced_With_Third-PartyTime_Synced_With_Third-PartyWIFI_Auth_StatusWIFI_Auth_Timestampasset_tagcategoryconfidence_scoredepartmentdescriptiondeviceiddisplay_tagsendpoint_protectionendpoint_protection_vendorfirst_seen_datehostnamein_useip_addressis_serverlast_activitylocationlong_descriptionmac_addressmodelnumber_of_caution_alertsnumber_of_critical_alertsnumber_of_info_alertsnumber_of_warning_alertsos/firmware_versionos_combinedos_groupparent_macprofileprofile_typeprofile_verticalrisk_levelrisk_scoreservicessite_namesourcesubnetvendorvlanwire_or_wireless
MonitoredSmartphone90356582100001420not_protected2020-08-11T01:45:31.000Z3565821000014201.0.2.22020-08-11T00:09:02.000Z356582100001420iPhone 11 (A2223)0000iOSiOSApple iPhone 11 (A2223)IoTTraditional ITLow21testuknown
MonitoredSmartphone90356582100001430not_protected2020-08-11T01:48:05.000Z3565821000014301.0.3.22020-08-11T00:09:02.000Z356582100001430iPhone 11 (A2223)0000iOSiOSApple iPhone 11 (A2223)IoTTraditional ITLow21testuknown

iot-security-list-alerts#


IoT list alerts.

Base Command#

iot-security-list-alerts

Input#

Argument NameDescriptionRequired
start_timeThe start time in the format of ISO 8601 in UTC, e.g. 2018-11-06T08:56:41Z.Optional
offsetThe offset in the pagination.Optional
limitThe maximum size of the list of the alerts.Optional

Context Output#

PathTypeDescription
PaloAltoNetworksIoT.AlertsunknownList of alerts.

Command Example#

iot-security-list-alerts offset=0 limit=2

Human Readable Output#

categorydatedescriptiondeviceidhostnameidinspectoridinternal_hostnamemsgnameprofilereason_historyresolvedserviceLevelseverityseverityNumbersiteidtenantidtypezb_ticketid
Network Security Equipment2020-08-26T06:11:04.000ZThe usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks.d4:f4:be:b0:c3:105f463c8703a2260700a99dbf012501000732severity: low<br>taggedBy: PolicyAlert<br>userPolicy: false<br>alertType: security risk<br>localDeviceRole: initiator<br>values: {'label': 'user agent', 'value': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041'}<br>localProfile: Palo Alto Networks Device<br>description: The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks.<br>recommendation: {"content": ["Update the browser to the latest version", "If browser usage on the device is authorized and essential, use a URL-filtering tool to block connections to known malicious websites or update firewall policy rules to permit connections only to designated websites.", "Check network traffic coming to and from the device on the device details page and enable trusted behavior by applying an ACL (access control list) to restrict nonessential traffic."]}<br>alertKey: 24072002d4:f4:be:b0:c3:10analytics-outdated-chrome<br>anomalyMap: {"application": 1}<br>generationTimestamp: 1598438532757<br>autoPublish: true<br>name: Outdated Chrome version used by IoT device<br>localip: 192.168.58.56<br>fromip: 192.168.58.56<br>id: ObDMsWG0<br>ruleid: analytics-outdated-chrome<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknownOutdated Chrome version used by IoT devicePalo Alto Networks Devicenolow20policy_alertalert-ObDMsWG0
IT Server2020-08-26T02:09:43.000ZThis event indicates a brute force attack through multiple login attempts to an SSH server.00:25:90:92:82:2a5f45c4a52f31500800a47fc7012501003437taggedBy: PolicyAlert<br>values: {'label': 'device profile', 'value': 'Super Micro Computer'},<br>{'label': 'client port', 'value': 34904},<br>{'label': 'threat ID', 'value': 40015},<br>{'label': 'threat category', 'value': 'brute-force'},<br>{'label': 'threat type', 'value': 'vulnerability'},<br>{'label': 'number of occurrences', 'value': 2},<br>{'label': 'alert source', 'value': 'Firewall'},<br>{'label': 'firewall name', 'value': 'SJC-Eng-5260-fw1'},<br>{'label': 'firewall action', 'value': 'Raised an alert'},<br>{'label': 'firewall inbound interface', 'value': 'vlan'},<br>{'label': 'firewall outbound interface', 'value': 'vlan'}<br>localProfile: Super Micro Computer<br>localDeviceLabels: Attacker<br>description: This event indicates a brute force attack through multiple login attempts to an SSH server.<br>recommendation: {"content": ["Enable brute-force login protection by setting a maximum limit for the number of unsuccessful login attempts the device will accept before refusing further attempts.", "If unauthorized users tried to log in, block the IP addresses from which they made their attempts.", "Avoid using the manufacturer's default credentials or the same text string as both the username and password.", "Strengthen the login username and password for the ssh application."]}<br>anomalyMap: {"payload": 2}<br>generationTimestamp: 1598407836500<br>remoteHostMetadata: {'deviceIds': ['10.0.16.245'], 'ip': '10.0.16.245', 'connections': [{'app': 'ssh', 'port': 22, 'ipProto': 'tcp'}], 'network': 'internal'}<br>toip: 10.0.16.245<br>fromip: 10.0.6.174<br>id: KbYbFjYw<br>severity: medium<br>threatid: 40015<br>userPolicy: false<br>alertType: vulnerability<br>localDeviceRole: initiator<br>appName: ssh<br>alertKey: 2407200200:25:90:92:82:2aanalytics-evt-threat-attacker40015<br>remoteHostLabels: Victim<br>autoPublish: true<br>isAttempt: false<br>forensicData: {"search": {"iotdevid": "00:25:90:92:82:2a", "threatid": 40015, "remoteIPAddr": ["10.0.16.245"], "appName": "ssh", "tenantid": "24072002", "isClient": "Yes", "reverse": true, "timestamp": 1598407783000, "isLocal": true, "direction": "client to server"}, "addFields": {"rxPkts": "packets", "txPkts": "packets"}}<br>name: SSH User Authentication Brute Force Attempt<br>localip: 10.0.6.174<br>threatCategory: brute-force<br>ruleid: analytics-evt-threat-attacker<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknownSSH User Authentication Brute Force AttemptSuper Micro Computernomedium30policy_alertalert-KbYbFjYw

iot-security-list-vulns#


IoT list Vulnerabilities.

Base Command#

iot-security-list-vulns

Input#

Argument NameDescriptionRequired
start_timeThe start time in the format of ISO 8601 in UTC, e.g. 2018-11-06T08:56:41Z.Optional
offsetThe offset in the pagination.Optional
limitThe maximum size of the list of the vulnerabilities.Optional

Context Output#

PathTypeDescription
PaloAltoNetworksIoT.VulnsunknownList of vulnerabilities.

Command Example#

iot-security-list-vulns limit=2 offset=0

Human Readable Output#

asset_tagdatedetected_datedeviceiddisplay_profile_categoryipmodelnameososCombinedprofileprofile_verticalreason_historyremediate_checkboxremediate_instructionremediate_workorderrisk_levelrisk_scoresiteNamesiteidsnticketAssigneesticketStatevendorvulnerability_namezb_ticketid
2020-07-16T09:18:21.000Z2020-08-20T23:59:59.000Z64:16:7f:77:45:c9Video Audio Conference10.72.32.237Trio8800Polycom_64167f7745c9EmbeddedEmbeddedPolycom Video Conferencing DeviceOfficeLow26test0PolycomVulnerability Test - Mediumvuln-65046ad8
2020-07-22T19:18:32.000Z2020-08-20T23:59:59.000Z64:16:7f:76:64:c6Video Audio Conference10.72.33.195Trio8800Polycom_64167f7664c6EmbeddedEmbeddedPolycom DeviceOfficeLow26test0PolycomVulnerability Test - Mediumvuln-8cc12cd4

iot-security-resolve-alert#


Resolving an IoT alert.

Base Command#

iot-security-resolve-alert

Input#

Argument NameDescriptionRequired
idThe alert IDRequired
reasonThe alert resolution reason.Optional
reason_typeThe alert resolution reason type (No Action Needed, Issue Mitigated).Optional

Context Output#

There is no context output for this command.

Command Example#

iot-security-resolve-alert id="5e73ecb3eff46f80a7cdc57a" reason=test reason_type="No Action Needed"

iot-security-resolve-vuln#


Resolving an IoT vulnerability.

Base Command#

iot-security-resolve-vuln

Input#

Argument NameDescriptionRequired
idThe vulnerability ID.Required
full_nameThe vulnerability full name.Required
reasonThe vulnerability resolution reason.Optional

Context Output#

There is no context output for this command.

Command Example#

iot-security-resolve-vuln full_name=CVE-2019-10960 id=vuln-b12d4f0a reason=test

iot-security-get-device-by-ip#


IoT get device command - get a single device's details.

Base Command#

iot-security-get-device-by-ip

Input#

Argument NameDescriptionRequired
ipThe device ip (ip address).Required

Context Output#

PathTypeDescription
PaloAltoNetworksIoT.DeviceunknownDevice details.
PaloAltoNetworksIoT.Device.hostnameStringThe hostname of the device.
PaloAltoNetworksIoT.Device.ip_addressStringThe IP address of the device.
PaloAltoNetworksIoT.Device.profile_typeStringThe device profile type: Non_IoT vs IoT.
PaloAltoNetworksIoT.Device.profile_verticalStringThe device profile vertical.
PaloAltoNetworksIoT.Device.categoryStringThe device category
PaloAltoNetworksIoT.Device.profileStringThe device profile.
PaloAltoNetworksIoT.Device.last_activityDateThe last activity timestamp of the device.
PaloAltoNetworksIoT.Device.long_descriptionStringThe long description of the device.
PaloAltoNetworksIoT.Device.vlanNumberThe device VLAN ID.
PaloAltoNetworksIoT.Device.site_nameStringThe site which the device is in.
PaloAltoNetworksIoT.Device.risk_scoreNumberThe device risk score.
PaloAltoNetworksIoT.Device.risk_levelStringThe device risk level: Low, Medium, High, Critical
PaloAltoNetworksIoT.Device.subnetStringThe device subnet.
PaloAltoNetworksIoT.Device.first_seen_dateDateThe first seen date of the device.
PaloAltoNetworksIoT.Device.confidence_scoreNumberThe device confidence score.
PaloAltoNetworksIoT.Device.deviceidDateThe device ID.
PaloAltoNetworksIoT.Device.locationStringThe device location.
PaloAltoNetworksIoT.Device.vendorStringThe device vendor.
PaloAltoNetworksIoT.Device.modelStringThe device model.
PaloAltoNetworksIoT.Device.descriptionStringThe device description.
PaloAltoNetworksIoT.Device.asset_tagStringThe device asset tag (e.g. a sticky label at the bottom of the device).
PaloAltoNetworksIoT.Device.os_groupStringThe device OS group.
PaloAltoNetworksIoT.Device.Serial_NumberStringThe device serial number.
PaloAltoNetworksIoT.Device.DHCPStringWhether the device is in DHCP model: Valid values are Yes or No.
PaloAltoNetworksIoT.Device.wire_or_wirelessStringIs the device wired or wireless.
PaloAltoNetworksIoT.Device.departmentStringThe device department.
PaloAltoNetworksIoT.Device.Switch_PortNumberThe port of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Switch_NameStringThe name of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Switch_IPStringThe IP of the switch this device is connected to.
PaloAltoNetworksIoT.Device.Access_Point_IPStringThe IP of the access point this device is connected to.
PaloAltoNetworksIoT.Device.Access_Point_NameStringThe name of the access point this device is connected to.
PaloAltoNetworksIoT.Device.SSIDStringThe SSID of the wireless network this device is connected to.
PaloAltoNetworksIoT.Device.MACDateThe device MAC address.
PaloAltoNetworksIoT.Device.display_tagsStringThe user tags of the device.
PaloAltoNetworksIoT.Device.mac_addressStringThe device MAC address.