Palo Alto Networks IoT

This is the Palo Alto Networks IoT integration (previously Zingbox). This integration was integrated and tested with the Banff release of Palo Alto Networks IoT.

Configure Palo Alto Networks IoT on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Palo Alto Networks IoT.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Palo Alto Networks IoT Security Portal URL (e.g. https://example.iot.paloaltonetworks.com) | True |
| tenant_id | Tenant ID | True |
| access_key_id | Access Key ID | True |
| secret_access_key | Secret Access Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| first_fetch | First fetch time | False |
| max_fetch | Maximum number of incidents per fetch | False |
| fetch_alerts | Fetch IoT Alerts | False |
| fetch_vulns | Fetch IoT Vulnerabilities | False |
| api_timeout | The timeout for querying APIs | False |
| incidentType | Incident type | False |
| isFetch | Fetch incidents | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

iot-security-get-device


Get a single device's details.

Base Command

iot-security-get-device

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The device uid (MAC address) | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksIoT.Device | unknown | Device details. |
| PaloAltoNetworksIoT.Device.hostname | String | The hostname of the device. |
| PaloAltoNetworksIoT.Device.ip_address | String | The IP address of the device. |
| PaloAltoNetworksIoT.Device.profile_type | String | The device profile type: Non_IoT vs IoT. |
| PaloAltoNetworksIoT.Device.profile_vertical | String | The device profile vertical. |
| PaloAltoNetworksIoT.Device.category | String | The device category. |
| PaloAltoNetworksIoT.Device.profile | String | The device profile. |
| PaloAltoNetworksIoT.Device.last_activity | Date | The last activity timestamp of the device. |
| PaloAltoNetworksIoT.Device.long_description | String | The long description of the device. |
| PaloAltoNetworksIoT.Device.vlan | Number | The device VLAN ID. |
| PaloAltoNetworksIoT.Device.site_name | String | The site the device is in. |
| PaloAltoNetworksIoT.Device.risk_score | Number | The device risk score. |
| PaloAltoNetworksIoT.Device.risk_level | String | The device risk level: Low, Medium, High, Critical. |
| PaloAltoNetworksIoT.Device.subnet | String | The device subnet. |
| PaloAltoNetworksIoT.Device.first_seen_date | Date | The first seen date of the device. |
| PaloAltoNetworksIoT.Device.confidence_score | Number | The device confidence score. |
| PaloAltoNetworksIoT.Device.deviceid | Date | The device ID. |
| PaloAltoNetworksIoT.Device.location | String | The device location. |
| PaloAltoNetworksIoT.Device.vendor | String | The device vendor. |
| PaloAltoNetworksIoT.Device.model | String | The device model. |
| PaloAltoNetworksIoT.Device.description | String | The device description. |
| PaloAltoNetworksIoT.Device.asset_tag | String | The device asset tag (e.g. a sticky label at the bottom of the device). |
| PaloAltoNetworksIoT.Device.os_group | String | The device OS group. |
| PaloAltoNetworksIoT.Device.Serial_Number | String | The device serial number. |
| PaloAltoNetworksIoT.Device.DHCP | String | Whether the device uses DHCP. Valid values are Yes or No. |
| PaloAltoNetworksIoT.Device.wire_or_wireless | String | Whether the device is wired or wireless. |
| PaloAltoNetworksIoT.Device.department | String | The device department. |
| PaloAltoNetworksIoT.Device.Switch_Port | Number | The port of the switch this device is connected to. |
| PaloAltoNetworksIoT.Device.Switch_Name | String | The name of the switch this device is connected to. |
| PaloAltoNetworksIoT.Device.Switch_IP | String | The IP of the switch this device is connected to. |
| PaloAltoNetworksIoT.Device.Access_Point_IP | String | The IP of the access point this device is connected to. |
| PaloAltoNetworksIoT.Device.Access_Point_Name | String | The name of the access point this device is connected to. |
| PaloAltoNetworksIoT.Device.SSID | String | The SSID of the wireless network this device is connected to. |
| PaloAltoNetworksIoT.Device.MAC | Date | The device MAC address. |
| PaloAltoNetworksIoT.Device.display_tags | String | The user tags of the device. |
| PaloAltoNetworksIoT.Device.mac_address | String | The device MAC address. |

Command Example

iot-security-get-device id=00:0f:e5:04:14:4c

Human Readable Output

Columns returned: AD_Domain, AD_Username, AET, Access_Point_IP, Access_Point_Name, Applications, Authentication_Method, CMMS_Category, CMMS_Source, CMMS_State, DHCP, EAP_Method, Encryption_Cipher, External_Inventory_Sync_Field, MAC, NAC_Auth_Info, NAC_Auth_State, NAC_profile, NAC_profile_source, NetworkLocation, SMB, SSID, Serial_Number, Source, Switch_IP, Switch_Name, Switch_Port, Synced_With_Third-Party, Time_Synced_With_Third-Party, WIFI_Auth_Status, WIFI_Auth_Timestamp, asset_tag, category, confidence_score, department, description, deviceid, display_tags, endpoint_protection, endpoint_protection_vendor, first_seen_date, hostname, in_use, ip_address, is_server, last_activity, location, long_description, mac_address, model, number_of_caution_alerts, number_of_critical_alerts, number_of_info_alerts, number_of_warning_alerts, os/firmware_version, os_combined, os_group, parent_mac, profile, profile_type, profile_vertical, risk_level, risk_score, services, site_name, source, subnet, vendor, vlan, wire_or_wireless.

Populated columns for the example device:

| MAC | Source | category | confidence_score | deviceid | endpoint_protection | first_seen_date | hostname | ip_address | last_activity | mac_address | number_of_caution_alerts | number_of_critical_alerts | number_of_info_alerts | number_of_warning_alerts | profile | profile_type | profile_vertical | risk_level | risk_score | site_name | subnet | vendor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 00:0f:e5:04:14:4c | Monitored | Physical Security | 94 | 00:0f:e5:04:14:4c | not_protected | 2020-08-13T07:21:02.000Z | 00:0f:e5:04:14:4c | 10.70.112.20 | 2020-08-18T19:26:05.000Z | 00:0f:e5:04:14:4c | 0 | 0 | 0 | 0 | Access Control Device | IoT | Facility | Low | 10 | test-katherine-0821 | 10.0.0.0/8 | HID Global/Mercury Security |

iot-security-list-devices


List devices.

Base Command

iot-security-list-devices

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset in the pagination. | Optional |
| limit | The maximum size of the list of devices. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksIoT.DeviceList | unknown | List of devices. |

Command Example

iot-security-list-devices offset=0 limit=2

Human Readable Output

Columns returned: AD_Domain, AD_Username, AET, Access_Point_IP, Access_Point_Name, Applications, Authentication_Method, CMMS_Category, CMMS_Source, CMMS_State, DHCP, EAP_Method, Encryption_Cipher, External_Inventory_Sync_Field, MAC, NAC_Auth_Info, NAC_Auth_State, NAC_profile, NAC_profile_source, NetworkLocation, SMB, SSID, Serial_Number, Source, Switch_IP, Switch_Name, Switch_Port, Synced_With_Third-Party, Time_Synced_With_Third-Party, WIFI_Auth_Status, WIFI_Auth_Timestamp, asset_tag, category, confidence_score, department, description, deviceid, display_tags, endpoint_protection, endpoint_protection_vendor, first_seen_date, hostname, in_use, ip_address, is_server, last_activity, location, long_description, mac_address, model, number_of_caution_alerts, number_of_critical_alerts, number_of_info_alerts, number_of_warning_alerts, os/firmware_version, os_combined, os_group, parent_mac, profile, profile_type, profile_vertical, risk_level, risk_score, services, site_name, source, subnet, vendor, vlan, wire_or_wireless.

Populated columns for the two example devices:

| Source | category | confidence_score | deviceid | endpoint_protection | first_seen_date | hostname | ip_address | last_activity | mac_address | model | number_of_caution_alerts | number_of_critical_alerts | number_of_info_alerts | number_of_warning_alerts | os_combined | os_group | profile | profile_type | profile_vertical | risk_level | risk_score | site_name | vendor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Monitored | Smartphone | 90 | 356582100001420 | not_protected | 2020-08-11T01:45:31.000Z | 356582100001420 | 1.0.2.2 | 2020-08-11T00:09:02.000Z | 356582100001420 | iPhone 11 (A2223) | 0 | 0 | 0 | 0 | iOS | iOS | Apple iPhone 11 (A2223) | IoT | Traditional IT | Low | 21 | test | uknown |
| Monitored | Smartphone | 90 | 356582100001430 | not_protected | 2020-08-11T01:48:05.000Z | 356582100001430 | 1.0.3.2 | 2020-08-11T00:09:02.000Z | 356582100001430 | iPhone 11 (A2223) | 0 | 0 | 0 | 0 | iOS | iOS | Apple iPhone 11 (A2223) | IoT | Traditional IT | Low | 21 | test | uknown |

iot-security-list-alerts


List IoT alerts.

Base Command

iot-security-list-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The start time in ISO 8601 format in UTC, e.g. 2018-11-06T08:56:41Z. | Optional |
| offset | The offset in the pagination. | Optional |
| limit | The maximum size of the list of alerts. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksIoT.Alerts | unknown | List of alerts. |

Command Example

iot-security-list-alerts offset=0 limit=2

Human Readable Output

Columns returned: category, date, description, deviceid, hostname, id, inspectorid, internal_hostname, msg, name, profile, reason_history, resolved, serviceLevel, severity, severityNumber, siteid, tenantid, type, zb_ticketid.

Populated columns for the two example alerts:

| category | date | description | deviceid | id | inspectorid | msg | name | profile | resolved | severity | severityNumber | type | zb_ticketid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Network Security Equipment | 2020-08-26T06:11:04.000Z | The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. | d4:f4:be:b0:c3:10 | 5f463c8703a2260700a99dbf | 012501000732 | severity: low<br>taggedBy: PolicyAlert<br>userPolicy: false<br>alertType: security risk<br>localDeviceRole: initiator<br>values: {'label': 'user agent', 'value': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041'}<br>localProfile: Palo Alto Networks Device<br>description: The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks.<br>recommendation: {"content": ["Update the browser to the latest version", "If browser usage on the device is authorized and essential, use a URL-filtering tool to block connections to known malicious websites or update firewall policy rules to permit connections only to designated websites.", "Check network traffic coming to and from the device on the device details page and enable trusted behavior by applying an ACL (access control list) to restrict nonessential traffic."]}<br>alertKey: 24072002d4:f4:be:b0:c3:10analytics-outdated-chrome<br>anomalyMap: {"application": 1}<br>generationTimestamp: 1598438532757<br>autoPublish: true<br>name: Outdated Chrome version used by IoT device<br>localip: 192.168.58.56<br>fromip: 192.168.58.56<br>id: ObDMsWG0<br>ruleid: analytics-outdated-chrome<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknown | Outdated Chrome version used by IoT device | Palo Alto Networks Device | no | low | 20 | policy_alert | alert-ObDMsWG0 |
| IT Server | 2020-08-26T02:09:43.000Z | This event indicates a brute force attack through multiple login attempts to an SSH server. | 00:25:90:92:82:2a | 5f45c4a52f31500800a47fc7 | 012501003437 | taggedBy: PolicyAlert<br>values: {'label': 'device profile', 'value': 'Super Micro Computer'},<br>{'label': 'client port', 'value': 34904},<br>{'label': 'threat ID', 'value': 40015},<br>{'label': 'threat category', 'value': 'brute-force'},<br>{'label': 'threat type', 'value': 'vulnerability'},<br>{'label': 'number of occurrences', 'value': 2},<br>{'label': 'alert source', 'value': 'Firewall'},<br>{'label': 'firewall name', 'value': 'SJC-Eng-5260-fw1'},<br>{'label': 'firewall action', 'value': 'Raised an alert'},<br>{'label': 'firewall inbound interface', 'value': 'vlan'},<br>{'label': 'firewall outbound interface', 'value': 'vlan'}<br>localProfile: Super Micro Computer<br>localDeviceLabels: Attacker<br>description: This event indicates a brute force attack through multiple login attempts to an SSH server.<br>recommendation: {"content": ["Enable brute-force login protection by setting a maximum limit for the number of unsuccessful login attempts the device will accept before refusing further attempts.", "If unauthorized users tried to log in, block the IP addresses from which they made their attempts.", "Avoid using the manufacturer's default credentials or the same text string as both the username and password.", "Strengthen the login username and password for the ssh application."]}<br>anomalyMap: {"payload": 2}<br>generationTimestamp: 1598407836500<br>remoteHostMetadata: {'deviceIds': ['10.0.16.245'], 'ip': '10.0.16.245', 'connections': [{'app': 'ssh', 'port': 22, 'ipProto': 'tcp'}], 'network': 'internal'}<br>toip: 10.0.16.245<br>fromip: 10.0.6.174<br>id: KbYbFjYw<br>severity: medium<br>threatid: 40015<br>userPolicy: false<br>alertType: vulnerability<br>localDeviceRole: initiator<br>appName: ssh<br>alertKey: 2407200200:25:90:92:82:2aanalytics-evt-threat-attacker40015<br>remoteHostLabels: Victim<br>autoPublish: true<br>isAttempt: false<br>forensicData: {"search": {"iotdevid": "00:25:90:92:82:2a", "threatid": 40015, "remoteIPAddr": ["10.0.16.245"], "appName": "ssh", "tenantid": "24072002", "isClient": "Yes", "reverse": true, "timestamp": 1598407783000, "isLocal": true, "direction": "client to server"}, "addFields": {"rxPkts": "packets", "txPkts": "packets"}}<br>name: SSH User Authentication Brute Force Attempt<br>localip: 10.0.6.174<br>threatCategory: brute-force<br>ruleid: analytics-evt-threat-attacker<br>status: publish<br>toURL: UNKNOWN URL<br>hostname: unknown | SSH User Authentication Brute Force Attempt | Super Micro Computer | no | medium | 30 | policy_alert | alert-KbYbFjYw |
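The msg column of an alert is a run of key: value pairs separated by `<br>`, where some values are JSON (double quotes), some are Python-style literals (single quotes), and a long values list is spread over several `<br>` fragments. The helper below is an added example, not part of the integration, that turns such a field into a dictionary so a playbook can branch on fields like severity, fromip, toip and recommendation; the sample message is constructed after the brute-force alert shown above.

```python
import ast
import json
from typing import Any, Dict

# Constructed sample modelled on the brute-force alert row above
# (not a live API response; the values are illustrative).
SAMPLE_MSG = (
    "taggedBy: PolicyAlert<br>"
    "values: {'label': 'device profile', 'value': 'Super Micro Computer'},<br>"
    "{'label': 'client port', 'value': 34904},<br>"
    "{'label': 'threat category', 'value': 'brute-force'}<br>"
    "localDeviceLabels: Attacker<br>"
    'recommendation: {"content": ["Enable brute-force login protection", '
    '"Block the IP addresses from which the attempts were made"]}<br>'
    "toip: 10.0.16.245<br>"
    "fromip: 10.0.6.174<br>"
    "severity: medium<br>"
    "userPolicy: false<br>"
    "remoteHostLabels: <br>"
    "Victim<br>"
    "hostname: unknown"
)


def _coerce(raw: str) -> Any:
    """Decode a fragment as JSON, then as a Python literal (the API mixes
    both quoting styles); anything else is kept as a plain string."""
    text = raw.strip().rstrip(",")
    for loader in (json.loads, ast.literal_eval):
        try:
            return loader(text)
        except (ValueError, SyntaxError):
            continue
    return text


def parse_alert_msg(msg: str) -> Dict[str, Any]:
    """Split the <br>-separated 'key: value' pairs of an alert msg field.
    Fragments without a key (extra `values` entries, or a value pushed onto
    its own fragment) are attached to the previous key."""
    parsed: Dict[str, Any] = {}
    last_key = None
    for fragment in (f.strip() for f in msg.split("<br>") if f.strip()):
        key, sep, value = fragment.partition(":")
        if sep and not fragment.startswith(("{", "[")):
            last_key = key.strip()
            parsed[last_key] = _coerce(value)
        elif last_key is not None:
            previous, current = parsed[last_key], _coerce(fragment)
            if previous == "":  # e.g. "remoteHostLabels: " then "Victim"
                parsed[last_key] = current
            else:  # grow a list: values: {...},<br>{...},<br>{...}
                head = previous if isinstance(previous, list) else [previous]
                parsed[last_key] = head + [current]
    return parsed
```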

iot-security-list-vulns


List IoT vulnerabilities.

Base Command

iot-security-list-vulns

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The start time in ISO 8601 format in UTC, e.g. 2018-11-06T08:56:41Z. | Optional |
| offset | The offset in the pagination. | Optional |
| limit | The maximum size of the list of vulnerabilities. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksIoT.Vulns | unknown | List of vulnerabilities. |

Command Example

iot-security-list-vulns limit=2 offset=0

Human Readable Output

Columns returned: asset_tag, date, detected_date, deviceid, display_profile_category, ip, model, name, os, osCombined, profile, profile_vertical, reason_history, remediate_checkbox, remediate_instruction, remediate_workorder, risk_level, risk_score, siteName, siteid, sn, ticketAssignees, ticketState, vendor, vulnerability_name, zb_ticketid.

Populated columns for the two example vulnerabilities:

| date | detected_date | deviceid | display_profile_category | ip | model | name | os | osCombined | profile | profile_vertical | risk_level | risk_score | siteName | siteid | vendor | vulnerability_name | zb_ticketid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-07-16T09:18:21.000Z | 2020-08-20T23:59:59.000Z | 64:16:7f:77:45:c9 | Video Audio Conference | 10.72.32.237 | Trio8800 | Polycom_64167f7745c9 | Embedded | Embedded | Polycom Video Conferencing Device | Office | Low | 26 | test | 0 | Polycom | Vulnerability Test - Medium | vuln-65046ad8 |
| 2020-07-22T19:18:32.000Z | 2020-08-20T23:59:59.000Z | 64:16:7f:76:64:c6 | Video Audio Conference | 10.72.33.195 | Trio8800 | Polycom_64167f7664c6 | Embedded | Embedded | Polycom Device | Office | Low | 26 | test | 0 | Polycom | Vulnerability Test - Medium | vuln-8cc12cd4 |

iot-security-resolve-alert


Resolve an IoT alert.

Base Command

iot-security-resolve-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID. | Required |
| reason | The alert resolution reason. | Optional |
| reason_type | The alert resolution reason type (No Action Needed, Issue Mitigated). | Optional |

Context Output

There is no context output for this command.

Command Example

iot-security-resolve-alert id="5e73ecb3eff46f80a7cdc57a" reason=test reason_type="No Action Needed"

iot-security-resolve-vuln


Resolve an IoT vulnerability.

Base Command

iot-security-resolve-vuln

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The vulnerability ID. | Required |
| full_name | The vulnerability full name. | Required |
| reason | The vulnerability resolution reason. | Optional |

Context Output

There is no context output for this command.

Command Example

iot-security-resolve-vuln full_name=CVE-2019-10960 id=vuln-b12d4f0a reason=test