Palo Alto Networks IoT
IoT by Palo Alto Networks Pack.#
This Integration is part of theThis is the Palo Alto Networks IoT integration (previously Zingbox). This integration was integrated and tested with the Banff release of Palo Alto Networks IoT.
#
Get your Palo Alto Networks IoT Access KeysThis integration requires that API access be configured. To obtain the Access Key ID and Secret Access Key, refer to the Palo Alto Networks IoT API User Guide.
#
Configure Palo Alto Networks IoT in CortexParameter | Description | Required |
---|---|---|
url | Palo Alto Networks IoT Security Portal URL (e.g. https://example.iot.paloaltonetworks.com\) | True |
tenant_id | Tenant ID | True |
access_key_id | Access Key ID | True |
secret_access_key | Secret Access Key | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
first_fetch | First fetch time | False |
max_fetch | Maximum number of incidents per fetch | False |
fetch_alerts | Fetch IoT Alerts | False |
fetch_vulns | Fetch IoT Vulnerabilities | False |
api_timeout | The timeout for querying APIs | False |
incidentType | Incident type | False |
isFetch | Fetch incidents | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
iot-security-get-deviceIoT get device command - get a single device's details.
#
Base Commandiot-security-get-device
#
InputArgument Name | Description | Required |
---|---|---|
id | The device uid (mac address) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
PaloAltoNetworksIoT.Device | unknown | Device details. |
PaloAltoNetworksIoT.Device.hostname | String | The hostname of the device. |
PaloAltoNetworksIoT.Device.ip_address | String | The IP address of the device. |
PaloAltoNetworksIoT.Device.profile_type | String | The device profile type: Non_IoT vs IoT. |
PaloAltoNetworksIoT.Device.profile_vertical | String | The device profile vertical. |
PaloAltoNetworksIoT.Device.category | String | The device category |
PaloAltoNetworksIoT.Device.profile | String | The device profile. |
PaloAltoNetworksIoT.Device.last_activity | Date | The last activity timestamp of the device. |
PaloAltoNetworksIoT.Device.long_description | String | The long description of the device. |
PaloAltoNetworksIoT.Device.vlan | Number | The device VLAN ID. |
PaloAltoNetworksIoT.Device.site_name | String | The site which the device is in. |
PaloAltoNetworksIoT.Device.risk_score | Number | The device risk score. |
PaloAltoNetworksIoT.Device.risk_level | String | The device risk level: Low, Medium, High, Critical |
PaloAltoNetworksIoT.Device.subnet | String | The device subnet. |
PaloAltoNetworksIoT.Device.first_seen_date | Date | The first seen date of the device. |
PaloAltoNetworksIoT.Device.confidence_score | Number | The device confidence score. |
PaloAltoNetworksIoT.Device.deviceid | Date | The device ID. |
PaloAltoNetworksIoT.Device.location | String | The device location. |
PaloAltoNetworksIoT.Device.vendor | String | The device vendor. |
PaloAltoNetworksIoT.Device.model | String | The device model. |
PaloAltoNetworksIoT.Device.description | String | The device description. |
PaloAltoNetworksIoT.Device.asset_tag | String | The device asset tag (e.g. a sticky label at the bottom of the device). |
PaloAltoNetworksIoT.Device.os_group | String | The device OS group. |
PaloAltoNetworksIoT.Device.Serial_Number | String | The device serial number. |
PaloAltoNetworksIoT.Device.DHCP | String | Whether the device is in DHCP model: Valid values are Yes or No. |
PaloAltoNetworksIoT.Device.wire_or_wireless | String | Is the device wired or wireless. |
PaloAltoNetworksIoT.Device.department | String | The device department. |
PaloAltoNetworksIoT.Device.Switch_Port | Number | The port of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Switch_Name | String | The name of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Switch_IP | String | The IP of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Access_Point_IP | String | The IP of the access point this device is connected to. |
PaloAltoNetworksIoT.Device.Access_Point_Name | String | The name of the access point this device is connected to. |
PaloAltoNetworksIoT.Device.SSID | String | The SSID of the wireless network this device is connected to. |
PaloAltoNetworksIoT.Device.MAC | Date | The device MAC address. |
PaloAltoNetworksIoT.Device.display_tags | String | The user tags of the device. |
PaloAltoNetworksIoT.Device.mac_address | String | The device MAC address. |
#
Command Exampleiot-security-get-device id=00:0f:e5:04:14:4c
#
Human Readable OutputAD_Domain | AD_Username | AET | Access_Point_IP | Access_Point_Name | Applications | Authentication_Method | CMMS_Category | CMMS_Source | CMMS_State | DHCP | EAP_Method | Encryption_Cipher | External_Inventory_Sync_Field | MAC | NAC_Auth_Info | NAC_Auth_State | NAC_profile | NAC_profile_source | NetworkLocation | SMB | SSID | Serial_Number | Source | Switch_IP | Switch_Name | Switch_Port | Synced_With_Third-Party | Time_Synced_With_Third-Party | WIFI_Auth_Status | WIFI_Auth_Timestamp | asset_tag | category | confidence_score | department | description | deviceid | display_tags | endpoint_protection | endpoint_protection_vendor | first_seen_date | hostname | in_use | ip_address | is_server | last_activity | location | long_description | mac_address | model | number_of_caution_alerts | number_of_critical_alerts | number_of_info_alerts | number_of_warning_alerts | os/firmware_version | os_combined | os_group | parent_mac | profile | profile_type | profile_vertical | risk_level | risk_score | services | site_name | source | subnet | vendor | vlan | wire_or_wireless |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
00:0f:e5:04:14:4c | Monitored | Physical Security | 94 | 00:0f:e5:04:14:4c | not_protected | 2020-08-13T07:21:02.000Z | 00:0f:e5:04:14:4c | 10.70.112.20 | 2020-08-18T19:26:05.000Z | 00:0f:e5:04:14:4c | 0 | 0 | 0 | 0 | Access Control Device | IoT | Facility | Low | 10 | test-katherine-0821 | 10.0.0.0/8 | HID Global/Mercury Security |
#
iot-security-list-devicesIoT list devices command
#
Base Commandiot-security-list-devices
#
InputArgument Name | Description | Required |
---|---|---|
offset | The offset in the pagination. | Optional |
limit | The maximum size of the list of the devices. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PaloAltoNetworksIoT.DeviceList | unknown | List of devices. |
#
Command Exampleiot-security-list-devices offset=0 limit=2
#
Human Readable OutputAD_Domain | AD_Username | AET | Access_Point_IP | Access_Point_Name | Applications | Authentication_Method | CMMS_Category | CMMS_Source | CMMS_State | DHCP | EAP_Method | Encryption_Cipher | External_Inventory_Sync_Field | MAC | NAC_Auth_Info | NAC_Auth_State | NAC_profile | NAC_profile_source | NetworkLocation | SMB | SSID | Serial_Number | Source | Switch_IP | Switch_Name | Switch_Port | Synced_With_Third-Party | Time_Synced_With_Third-Party | WIFI_Auth_Status | WIFI_Auth_Timestamp | asset_tag | category | confidence_score | department | description | deviceid | display_tags | endpoint_protection | endpoint_protection_vendor | first_seen_date | hostname | in_use | ip_address | is_server | last_activity | location | long_description | mac_address | model | number_of_caution_alerts | number_of_critical_alerts | number_of_info_alerts | number_of_warning_alerts | os/firmware_version | os_combined | os_group | parent_mac | profile | profile_type | profile_vertical | risk_level | risk_score | services | site_name | source | subnet | vendor | vlan | wire_or_wireless |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Monitored | Smartphone | 90 | 356582100001420 | not_protected | 2020-08-11T01:45:31.000Z | 356582100001420 | 1.0.2.2 | 2020-08-11T00:09:02.000Z | 356582100001420 | iPhone 11 (A2223) | 0 | 0 | 0 | 0 | iOS | iOS | Apple iPhone 11 (A2223) | IoT | Traditional IT | Low | 21 | test | uknown | ||||||||||||||||||||||||||||||||||||||||||||||
Monitored | Smartphone | 90 | 356582100001430 | not_protected | 2020-08-11T01:48:05.000Z | 356582100001430 | 1.0.3.2 | 2020-08-11T00:09:02.000Z | 356582100001430 | iPhone 11 (A2223) | 0 | 0 | 0 | 0 | iOS | iOS | Apple iPhone 11 (A2223) | IoT | Traditional IT | Low | 21 | test | uknown |
#
iot-security-list-alertsIoT list alerts.
#
Base Commandiot-security-list-alerts
#
InputArgument Name | Description | Required |
---|---|---|
start_time | The start time in the format of ISO 8601 in UTC, e.g. 2018-11-06T08:56:41Z. | Optional |
offset | The offset in the pagination. | Optional |
limit | The maximum size of the list of the alerts. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PaloAltoNetworksIoT.Alerts | unknown | List of alerts. |
#
Command Exampleiot-security-list-alerts offset=0 limit=2
#
Human Readable Outputcategory | date | description | deviceid | hostname | id | inspectorid | internal_hostname | msg | name | profile | reason_history | resolved | serviceLevel | severity | severityNumber | siteid | tenantid | type | zb_ticketid |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Network Security Equipment | 2020-08-26T06:11:04.000Z | The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. | d4:f4:be:b0:c3:10 | 5f463c8703a2260700a99dbf | 012501000732 | severity: low<br>taggedBy: PolicyAlert<br>userPolicy: false<br>alertType: security risk<br>localDeviceRole: initiator<br>values: {'label': 'user agent', 'value': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041'}<br>localProfile: Palo Alto Networks Device<br>description: The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks.<br>recommendation: {"content": ["Update the browser to the latest version", "If browser usage on the device is authorized and essential, use a URL-filtering tool to block connections to known malicious websites or update firewall policy rules to permit connections only to designated websites.", "Check network traffic coming to and from the device on the device details page and enable trusted behavior by applying an ACL (access control list) to restrict nonessential traffic."]}<br>alertKey: 24072002d4:f4:be:b0:c3:10analytics-outdated-chrome<br>anomalyMap: {"application": 1}<br>generationTimestamp: 1598438532757<br>autoPublish: true<br>name: Outdated Chrome version used by IoT device<br>localip: 192.168.58.56<br>fromip: 192.168.58.56<br>id: ObDMsWG0<br>ruleid: analytics-outdated-chrome<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknown | Outdated Chrome version used by IoT device | Palo Alto Networks Device | no | low | 2 | 0 | policy_alert | alert-ObDMsWG0 | |||||
IT Server | 2020-08-26T02:09:43.000Z | This event indicates a brute force attack through multiple login attempts to an SSH server. | 00:25:90:92:82:2a | 5f45c4a52f31500800a47fc7 | 012501003437 | taggedBy: PolicyAlert<br>values: {'label': 'device profile', 'value': 'Super Micro Computer'},<br>{'label': 'client port', 'value': 34904},<br>{'label': 'threat ID', 'value': 40015},<br>{'label': 'threat category', 'value': 'brute-force'},<br>{'label': 'threat type', 'value': 'vulnerability'},<br>{'label': 'number of occurrences', 'value': 2},<br>{'label': 'alert source', 'value': 'Firewall'},<br>{'label': 'firewall name', 'value': 'SJC-Eng-5260-fw1'},<br>{'label': 'firewall action', 'value': 'Raised an alert'},<br>{'label': 'firewall inbound interface', 'value': 'vlan'},<br>{'label': 'firewall outbound interface', 'value': 'vlan'}<br>localProfile: Super Micro Computer<br>localDeviceLabels: Attacker<br>description: This event indicates a brute force attack through multiple login attempts to an SSH server.<br>recommendation: {"content": ["Enable brute-force login protection by setting a maximum limit for the number of unsuccessful login attempts the device will accept before refusing further attempts.", "If unauthorized users tried to log in, block the IP addresses from which they made their attempts.", "Avoid using the manufacturer's default credentials or the same text string as both the username and password.", "Strengthen the login username and password for the ssh application."]}<br>anomalyMap: {"payload": 2}<br>generationTimestamp: 1598407836500<br>remoteHostMetadata: {'deviceIds': ['10.0.16.245'], 'ip': '10.0.16.245', 'connections': [{'app': 'ssh', 'port': 22, 'ipProto': 'tcp'}], 'network': 'internal'}<br>toip: 10.0.16.245<br>fromip: 10.0.6.174<br>id: KbYbFjYw<br>severity: medium<br>threatid: 40015<br>userPolicy: false<br>alertType: vulnerability<br>localDeviceRole: initiator<br>appName: ssh<br>alertKey: 2407200200:25:90:92:82:2aanalytics-evt-threat-attacker40015<br>remoteHostLabels: Victim<br>autoPublish: true<br>isAttempt: false<br>forensicData: {"search": {"iotdevid": "00:25:90:92:82:2a", "threatid": 40015, "remoteIPAddr": ["10.0.16.245"], "appName": "ssh", "tenantid": "24072002", "isClient": "Yes", "reverse": true, "timestamp": 1598407783000, "isLocal": true, "direction": "client to server"}, "addFields": {"rxPkts": "packets", "txPkts": "packets"}}<br>name: SSH User Authentication Brute Force Attempt<br>localip: 10.0.6.174<br>threatCategory: brute-force<br>ruleid: analytics-evt-threat-attacker<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknown | SSH User Authentication Brute Force Attempt | Super Micro Computer | no | medium | 3 | 0 | policy_alert | alert-KbYbFjYw |
#
iot-security-list-vulnsIoT list Vulnerabilities.
#
Base Commandiot-security-list-vulns
#
InputArgument Name | Description | Required |
---|---|---|
start_time | The start time in the format of ISO 8601 in UTC, e.g. 2018-11-06T08:56:41Z. | Optional |
offset | The offset in the pagination. | Optional |
limit | The maximum size of the list of the vulnerabilities. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
PaloAltoNetworksIoT.Vulns | unknown | List of vulnerabilities. |
#
Command Exampleiot-security-list-vulns limit=2 offset=0
#
Human Readable Outputasset_tag | date | detected_date | deviceid | display_profile_category | ip | model | name | os | osCombined | profile | profile_vertical | reason_history | remediate_checkbox | remediate_instruction | remediate_workorder | risk_level | risk_score | siteName | siteid | sn | ticketAssignees | ticketState | vendor | vulnerability_name | zb_ticketid |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2020-07-16T09:18:21.000Z | 2020-08-20T23:59:59.000Z | 64:16:7f:77:45:c9 | Video Audio Conference | 10.72.32.237 | Trio8800 | Polycom_64167f7745c9 | Embedded | Embedded | Polycom Video Conferencing Device | Office | Low | 26 | test | 0 | Polycom | Vulnerability Test - Medium | vuln-65046ad8 | ||||||||
2020-07-22T19:18:32.000Z | 2020-08-20T23:59:59.000Z | 64:16:7f:76:64:c6 | Video Audio Conference | 10.72.33.195 | Trio8800 | Polycom_64167f7664c6 | Embedded | Embedded | Polycom Device | Office | Low | 26 | test | 0 | Polycom | Vulnerability Test - Medium | vuln-8cc12cd4 |
#
iot-security-resolve-alertResolving an IoT alert.
#
Base Commandiot-security-resolve-alert
#
InputArgument Name | Description | Required |
---|---|---|
id | The alert ID | Required |
reason | The alert resolution reason. | Optional |
reason_type | The alert resolution reason type (No Action Needed, Issue Mitigated). | Optional |
#
Context OutputThere is no context output for this command.
#
Command Exampleiot-security-resolve-alert id="5e73ecb3eff46f80a7cdc57a" reason=test reason_type="No Action Needed"
#
iot-security-resolve-vulnResolving an IoT vulnerability.
#
Base Commandiot-security-resolve-vuln
#
InputArgument Name | Description | Required |
---|---|---|
id | The vulnerability ID. | Required |
full_name | The vulnerability full name. | Required |
reason | The vulnerability resolution reason. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Exampleiot-security-resolve-vuln full_name=CVE-2019-10960 id=vuln-b12d4f0a reason=test
#
iot-security-get-device-by-ipIoT get device command - get a single device's details.
#
Base Commandiot-security-get-device-by-ip
#
InputArgument Name | Description | Required |
---|---|---|
ip | The device ip (ip address). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
PaloAltoNetworksIoT.Device | unknown | Device details. |
PaloAltoNetworksIoT.Device.hostname | String | The hostname of the device. |
PaloAltoNetworksIoT.Device.ip_address | String | The IP address of the device. |
PaloAltoNetworksIoT.Device.profile_type | String | The device profile type: Non_IoT vs IoT. |
PaloAltoNetworksIoT.Device.profile_vertical | String | The device profile vertical. |
PaloAltoNetworksIoT.Device.category | String | The device category |
PaloAltoNetworksIoT.Device.profile | String | The device profile. |
PaloAltoNetworksIoT.Device.last_activity | Date | The last activity timestamp of the device. |
PaloAltoNetworksIoT.Device.long_description | String | The long description of the device. |
PaloAltoNetworksIoT.Device.vlan | Number | The device VLAN ID. |
PaloAltoNetworksIoT.Device.site_name | String | The site which the device is in. |
PaloAltoNetworksIoT.Device.risk_score | Number | The device risk score. |
PaloAltoNetworksIoT.Device.risk_level | String | The device risk level: Low, Medium, High, Critical |
PaloAltoNetworksIoT.Device.subnet | String | The device subnet. |
PaloAltoNetworksIoT.Device.first_seen_date | Date | The first seen date of the device. |
PaloAltoNetworksIoT.Device.confidence_score | Number | The device confidence score. |
PaloAltoNetworksIoT.Device.deviceid | Date | The device ID. |
PaloAltoNetworksIoT.Device.location | String | The device location. |
PaloAltoNetworksIoT.Device.vendor | String | The device vendor. |
PaloAltoNetworksIoT.Device.model | String | The device model. |
PaloAltoNetworksIoT.Device.description | String | The device description. |
PaloAltoNetworksIoT.Device.asset_tag | String | The device asset tag (e.g. a sticky label at the bottom of the device). |
PaloAltoNetworksIoT.Device.os_group | String | The device OS group. |
PaloAltoNetworksIoT.Device.Serial_Number | String | The device serial number. |
PaloAltoNetworksIoT.Device.DHCP | String | Whether the device is in DHCP model: Valid values are Yes or No. |
PaloAltoNetworksIoT.Device.wire_or_wireless | String | Is the device wired or wireless. |
PaloAltoNetworksIoT.Device.department | String | The device department. |
PaloAltoNetworksIoT.Device.Switch_Port | Number | The port of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Switch_Name | String | The name of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Switch_IP | String | The IP of the switch this device is connected to. |
PaloAltoNetworksIoT.Device.Access_Point_IP | String | The IP of the access point this device is connected to. |
PaloAltoNetworksIoT.Device.Access_Point_Name | String | The name of the access point this device is connected to. |
PaloAltoNetworksIoT.Device.SSID | String | The SSID of the wireless network this device is connected to. |
PaloAltoNetworksIoT.Device.MAC | Date | The device MAC address. |
PaloAltoNetworksIoT.Device.display_tags | String | The user tags of the device. |
PaloAltoNetworksIoT.Device.mac_address | String | The device MAC address. |