Palo Alto Networks - Malware Remediation
This Playbook is part of the PANW Comprehensive Investigation Pack.#
Performs malicious IOC remediation using Palo Alto Networks integrations.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- PAN-OS - Block URL - Custom URL Category
- PAN-OS - Block IP - Static Address Group
- PAN-OS DAG Configuration
- PAN-OS - Block IP and URL - External Dynamic List
- PAN-OS - Block Domain - External Dynamic List
- Traps Quarantine Event
- PAN-OS - Block IP - Custom Block Rule
- Traps Blacklist File
- Add Indicator to Miner - Palo Alto MineMeld
- Traps Isolate Endpoint
Integrations#
This playbook does not use any integrations.
Scripts#
This playbook does not use any scripts.
Commands#
This playbook does not use any commands.
Playbook Inputs#
| Name | Description | Default Value | Source | Required |
|---|---|---|---|---|
| DAG | Whether the Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. Specify the Dynamic Address Group tag name for IP address handling. | - | - | Optional |
| CustomURLCategory | Whether the Palo Alto Networks Panorama or Firewall Custom URL Categories are used. Specify the category name for URL handling. | - | - | Optional |
| CustomBlockRule | Whether the Palo Alto Networks Panorama or Firewall Custom block rules are used. To use the Custom Block Rules select "True". | False | - | Optional |
| IPListName | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists, are used for IP Blocking. Specify the EDL name for IP address handling. | - | - | Optional |
| IP | The malicious IP Addresses to block. | Address | IP | Optional |
| URL | The malicious URLs to block. | Data | URL | Optional |
| LogForwarding | The Panorama log forwarding object name. | - | - | Optional |
| StaticAddressGroup | Whether the Palo Alto Networks Panorama or Firewall Static address groups are used. Specify the Static IP address group name for IP address handling. | - | - | Optional |
| Miner | Whether the Palo Alto Networks Minemeld is used. Specify the Miner name to update the malicious indicators. | - | - | Optional |
| AutoCommit | Whether to commit the configuration automatically. Choose "Yes" to commit automatically. Choose "No" to commit manually. | No | - | Optional |
| URLListName | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for URL Blocking. Specify the EDL name for URL handling. | - | - | Optional |
| EDLServerIP | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists are used. The IP address of the web server on which the files are stored. The web server IP address is configured in the integration instance. | - | - | Optional |
| Traps | Whether the Palo Alto Networks Traps remediation will take place. Can be, "Yes" or "No". | - | - | Optional |
| EndpointId | The Traps Endpoint ID to isolate. | - | - | Optional |
| EventId | The Traps event ID to perform file quarantine on. | - | - | Optional |
| SHA256 | The SHA256 file hash to blacklist using Traps. | SHA256 | File | Optional |
| DomainListName | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists, are used for domain blocking. Specify the EDL name for domain handling. | - | - | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
