
[OSCD Initiative] Add response for PaloAltoNGFW #886

Merged
merged 28 commits into from
Jul 21, 2021

Conversation

@Konakin Konakin commented Oct 20, 2020

Add new response for PaloAltoNGFW:

  1. Block external IP address
  2. Block internal IP address
  3. Block external domain
  4. Block internal domain
  5. Block external URL
  6. Block internal URL
  7. Block port external communication
  8. Block port internal communication
  9. Unblock blocked IP
  10. Unblock blocked domain
  11. Unblock blocked port

@yugoslavskiy
Contributor

Hello @Konakin! Thank you for your contribution!

Could you please list the names of the Security Rules that you will use for the responder per Response Action?

@Konakin
Author

Konakin commented Oct 25, 2020

Hello @yugoslavskiy.
I changed the response logic and created rules for IP, domain and users. I am going to create a pull request today.

I have problems only with URL and I want to describe this in the next pull request.

And I think I will finish the rule for port on Tuesday.

Response with rules for:
1. IP address
2. domains
3. users

This response contains security rules with default names; to use it, you need to add settings for PaloAltoNGFW and TheHive.

@Konakin
Author

Konakin commented Oct 26, 2020

Hello @yugoslavskiy.

I added a new commit. This commit contains rules for IP, domain and user. Build logic:

  1. The security engineer adds the response into the responders folder; the python script needs to be executable;

  2. Next step, configure Cortex:
    2.1. Add settings for PaloAltoNGFW (hostname, user and password);
    2.2. Add settings for TheHive (url and api key).
    2.3. If you have a security rule, you can add its name in the field named "name_security_rule". (it's not obligatory)

  3. Run the response in TheHive with the type field:
    3.1. for user - "user-agent";
    3.2. for ip - "ip";
    3.3. for domain - "hostname";

  4. When the response starts:
    4.1. The script connects to TheHive and gets the field with the IOC.
    4.2. The script connects to PaloAltoNGFW and gets:
    4.2.1. If ip or domain - an AddressObject to add the IOC, and an AddressGroup to add the IOC list.
    4.2.2. If user - the script doesn't work if the user is not in PaloAltoNGFW.

  5. The script adds security rules with the IOC:
    5.1. If ip or domain, add the AddressGroup in the security rule field "destination" in PaloAltoNGFW.
    5.2. If user, add the user list in the security rule field "source_user" in PaloAltoNGFW.

@Konakin
Author

Konakin commented Oct 26, 2020

I have a problem with the rule for URL, because I don't know how to delete an IOC in url_list. When I send a command with the changed URL list and updated CustomUrlCategory, I get a request with this error text:

"panos.errors.PanDeviceXapiError: Black list internal URL -> list 'http://google.ru' is invalid. custom-url-category entry has to be type specified
Black list internal URL -> list is invalid"

but class panos.objects.CustomUrlCategory doesn't contain a field to specify the custom-url-category.

@Konakin
Author

Konakin commented Oct 26, 2020

And as I wrote earlier, I will finish the response for port block\unblock with a security rule on Tuesday, because it looks like the response for ip or domain.

Add Responder for:
1. Block internal port
2. Block external port
3. Unblock internal port
4. Unblock external port

@Konakin
Author

Konakin commented Oct 29, 2020

Hello.

I completed the response for port.

I created a bug report for panos.objects.CustomUrlCategory. (See #285)

@yugoslavskiy
Contributor

Hello @Konakin!

Sorry, I probably wrote a message but didn't send it.
I have a question about the pre-configured Security Rules' names for each response action that you've chosen.
I assume they could be:

  1. Block external IP address: thehive_block_external_ip_address
  2. Block internal IP address: thehive_block_internal_ip_address
  3. Block external domain: thehive_block_external_domain
  4. Block internal domain: thehive_block_internal_domain
  5. Block external URL: thehive_block_external_url
  6. Block internal URL: thehive_block_internal_url
  7. Block port external communication: thehive_block_port_external_communication
  8. Block port internal communication: thehive_block_port_internal_communication

Could you please describe how you implemented that?

@Konakin
Author

Konakin commented Oct 29, 2020

Hello, @yugoslavskiy.

Security Rules creation logic for response:

  1. Connect to Firewall.
    Code:
    from panos import firewall
    fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)

  2. Update the rulebase.
    Code:
    import panos.policies
    rulebase = panos.policies.Rulebase(); fw.add(rulebase); panos.policies.SecurityRule.refreshall(rulebase)

  3. Set parameters for the security rule:
    desired_rule_params = {
        "name": self.name_security_rule,
        "description": "Block internal IP address",
        "type": "interzone",
        "action": "deny",
        "destination": "Black list internal IP",
        "service": "Black list external port",
        "source_user": user_list,
    }
    where the fields are:
    3.1 'destination' to set the AddressGroup for domain or IP address.
    3.2 'service' to set the ServiceGroup for port.
    3.3 'source_user' to add users.
    3.4 'name' to set the security rule name.
    3.5 "type" to set external or internal communications.
    3.6 "action" to set what to do if the rule is activated.

  4. Add the rule in the Firewall:
    new_rule = panos.policies.SecurityRule(**desired_rule_params); rulebase.add(new_rule); new_rule.apply()

@Konakin
Author

Konakin commented Oct 29, 2020

But I think if the engineer sets a custom rule name (not thehive_block_*) in the field name_security_rule in the Cortex response settings, the script will overwrite the settings of that security rule. I will fix this in the next release.

@Konakin
Author

Konakin commented Oct 29, 2020

I want to change the rule creation logic:

  1. If an engineer has a security rule and she\he wants to add a block for ip, user, domain, port with the help of the Cortex response.
    For this, the settings of the engineer's security rule need to be saved (save the parameters of the security rule that were added earlier).

  2. If the engineer doesn't have a security rule (she\he doesn't set the security rule name in the Cortex response settings), the Cortex response will add a new security rule with the default name. And the engineer will still be able to change its importance (position).
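
As an added example (not code from this PR or from TheHive-Project), the rule-building logic from steps 3 and 4 above and the attribute-preserving change proposed here, modelled with plain dicts so it runs without a firewall; the field names are the SecurityRule attributes named in the thread, while the group names, the thehive_block_ prefix and the "port" dataType mapping are assumptions.

```python
# Added example: models how a TheHive observable is turned into Palo Alto
# SecurityRule parameters, and how a pre-configured rule keeps its own
# attributes instead of being overwritten. Group names are assumed.

# TheHive observable dataType -> (SecurityRule field, list object that holds the IOCs)
# Users are written into "source_user" directly, so they carry no group.
FIELD_BY_DATATYPE = {
    "ip": ("destination", "thehive_blacklist_ip"),          # AddressGroup (assumed name)
    "hostname": ("destination", "thehive_blacklist_domain"),  # AddressGroup (assumed name)
    "port": ("service", "thehive_blacklist_port"),          # ServiceGroup (assumed name)
    "user-agent": ("source_user", None),
}


def rule_field(data_type):
    """Map a TheHive dataType to the rule field it belongs in; unknown types are rejected."""
    if data_type not in FIELD_BY_DATATYPE:
        raise ValueError(f"unsupported dataType: {data_type}")
    return FIELD_BY_DATATYPE[data_type]


def build_rule_params(data_type, ioc, scope, existing=None, name=None):
    """Return the SecurityRule parameters that block `ioc`.

    scope is "internal" or "external" (used only for the default name).
    When `existing` holds the current attributes of an engineer's own rule,
    a copy of it is returned with the IOC group/user appended to the right
    field, so nothing the engineer configured earlier is lost.
    """
    field, group = rule_field(data_type)
    value = group if group is not None else ioc
    if existing:
        params = dict(existing)  # shallow copy; lists below are rebuilt, not mutated
    else:
        params = {
            "name": name or f"thehive_block_{scope}_{data_type}",
            "description": f"Block {scope} {data_type}",
            "type": "interzone",   # the value used in the thread's example
            "action": "deny",
        }
    current = params.get(field) or []
    if isinstance(current, str):  # a single value may be stored as a plain string
        current = [current]
    if value not in current:
        current = current + [value]
    params[field] = current
    return params
```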

New version of response scripts to save attributes in rules

@Konakin
Author

Konakin commented Nov 8, 2020

I changed the response for custom rules. Now rule attributes will be saved.

@nadouani nadouani changed the title Add responce for PaloAltoNGFW [OSCD Initiative] Add responce for PaloAltoNGFW Nov 15, 2020
@nadouani nadouani changed the title [OSCD Initiative] Add responce for PaloAltoNGFW [OSCD Initiative] Add response for PaloAltoNGFW Nov 15, 2020
@jeromeleonard jeromeleonard linked an issue Nov 18, 2020 that may be closed by this pull request
staf711 and others added 12 commits December 16, 2020 19:29
In new version:
1. responders in one folder.
2. responders run with case_artifact and case.
3. added prefixes to the names of the rules and the list
4. README.md

please write if you find a bug or have a suggestion for a future request.
Add main config and config for unblock ip,domain,port
1. Fix mistake with general config
2. Fix errors in python code
@Konakin Konakin closed this May 17, 2021
@Konakin Konakin reopened this May 17, 2021
Konakin Maksim added 2 commits May 20, 2021 21:35
@jeromeleonard jeromeleonard merged commit 0deee22 into TheHive-Project:feature/oscd Jul 21, 2021
@jeromeleonard jeromeleonard added this to the 3.0.0 milestone Jul 21, 2021
@jeromeleonard
Contributor

Hello,

we merged this PR. Please consider translating the readme file from RU to EN and allow everyone to access the content.

Thanks.

Successfully merging this pull request may close these issues.

[OSCD Initiative] Develop Responder for Palo Alto NGFW
6 participants