Export Splunk Results and push to Palo Alto API to populate a dynamic group

scottroymcse
New Member

I am using the asset discovery app to run nmap scans on my network. I am able to collect the results based on specific Operating Systems and should be able to export the results. I want to take these results (host IPs) to then push to a dynamic group on a Palo Alto firewall using its API.

Has anyone had any experience doing this? I recall the older version of the PAN App was able to do this, however the results were contained in this app.

0 Karma

btorresgil
Builder

Use one of the special commands in the app. For dynamic address groups, you're probably looking for the pantag command.

https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/wiki/Special-Searchbar-Commands

0 Karma

btorresgil
Builder

You can remove tags by adding action=rem to the command. If the tag doesn't exist and you try to remove it, you may get an error, but it can be safely ignored.

0 Karma

scottroymcse
New Member

Brian, thanks for reaching out. Tags are used in the PAN 6.x stream, just need to upgrade to 6.x to take advantage.

How can I dynamically remove items from the dyn-obj group?

As I am actively scanning and creating a list to be pushed, is there a way to clear out the existing objects on the PAN and then push the new objects compiled from the splunk search without having to know what already exists in the dyn-obj list to begin with?

0 Karma

monzy
Communicator

I have not tried this, but here are some thoughts.

The PAN app accomplishes the config change by way of a custom command, panupdate. This command calls a script, panChange.py. You could:

1) Install and configure the PAN app; provide credentials and information on your firewalls.

2) Create a search that pipes the nmap-indexed IPs to panupdate, e.g.

<search to get nmap results> | rename <nmap ip field> AS addrip | panupdate device="<your firewall IP Address>" devicegroup="<device group of your firewall>" action="add" group=""

A big advantage of installing the app is that your firewall credentials are stored encrypted.

If you don't want to install the PAN app and just want to use the script as your own custom command, you can find it here: https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/master/bin/panChange.py . There are comments in the Python script that will help you navigate through the misc options.

If you choose to create your own custom command by copying panChange.py, you will also need to add a commands.conf and searchbnf.conf file in $SPLUNK_home/etc/apps//local . Recognize that if you choose to go down this path, you will be storing credentials for your firewall in clear text in this Python script.

For more detail on custom commands, take a look at: http://blogs.splunk.com/2014/04/14/building-custom-search-commands-in-python-part-i-a-simple-generat...

0 Karma

scottroymcse
New Member

My syntax seems to work as planned, however it fails to push to the PANs due to the devicegroup= requirement. I don't have Panorama but am trying to push directly to the PANs themselves.

2014-05-01 11:21:09,025 -0600 WARNING panoramaUserUpdate:134 - Traceback (most recent call last):
File "/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panoramaUserUpdate.py", line 129, in getKey
sm = re.search(r"success",result).group(0)
AttributeError: 'NoneType' object has no attribute 'group'

Without the devicegroup, the logs state that I haven't specified the IP address of the Panorama device.

0 Karma
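The thread touches three things a script doing this push has to get right: tagging IPs so a dynamic address group picks them up (the pantag / action=rem answer), removing stale entries without wiping the group, and not crashing the way the traceback above does when the firewall answers with something other than "success". The example below is added here and is not code from the thread, the Splunk PAN app, or panChange.py. It assumes the PAN-OS XML API's `type=user-id` call with a `<uid-message>` register/unregister payload tags an IP for dynamic address groups, and that every API response is XML carrying a top-level `status` attribute; verify both against the XML API reference for your PAN-OS version. The `PAN_API_KEY` environment variable name and the sample responses are constructed for the example.

```python
"""Register or unregister a tag on a set of scanned host IPs over the
PAN-OS XML API, with a response check that cannot crash on an error reply.

Assumptions (not taken from the thread): the user-id XML API shape below,
and that responses look like <response status="success|error">...</response>.
The API key is read from the PAN_API_KEY environment variable so that no
firewall credential is stored in the script itself.
"""
import ipaddress
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample responses, not captured from a real firewall.
SAMPLE_OK = '<response status="success"><result>ok</result></response>'
SAMPLE_ERR = ('<response status="error" code="403"><result><msg>'
              'Invalid credential</msg></result></response>')


def build_uid_message(ips, tag, action="add"):
    """Build the <uid-message> that registers (action="add") or unregisters
    (action="rem") TAG on every IP in IPS. Each IP is validated so a
    malformed search-result field can never be spliced into the XML as-is."""
    if action not in ("add", "rem"):
        raise ValueError("action must be 'add' or 'rem'")
    verb = "register" if action == "add" else "unregister"
    entries = []
    for ip in ips:
        addr = ipaddress.ip_address(ip.strip())  # raises ValueError on junk
        entries.append(
            f'<entry ip="{addr}"><tag><member>{escape(tag)}</member></tag></entry>'
        )
    return ("<uid-message><type>update</type><payload>"
            f"<{verb}>{''.join(entries)}</{verb}>"
            "</payload></uid-message>")


def check_response(xml_text):
    """Return the text of a successful PAN-OS reply, or raise RuntimeError
    carrying the firewall's own message. The thread's
    re.search(r"success", result).group(0) raises AttributeError on any
    non-success reply; parsing the status attribute gives a real error."""
    root = ET.fromstring(xml_text)          # malformed XML raises ParseError
    text = "".join(root.itertext()).strip()
    if root.get("status") != "success":
        raise RuntimeError(
            f"PAN-OS API status={root.get('status')!r}: {text or 'no message'}")
    return text


def plan_sync(new_ips, previously_tagged):
    """Compute (to_add, to_remove) so the tag tracks the latest scan without
    clearing the group: keep the previous scan's IPs in Splunk (e.g. a lookup)
    instead of asking the firewall what is already registered."""
    new, old = set(new_ips), set(previously_tagged)
    return sorted(new - old), sorted(old - new)


def push_tags(firewall, ips, tag, action="add", verify_tls=True):
    """Send one register/unregister request to FIREWALL over HTTPS.
    Not exercised offline; shown so the full flow is visible."""
    query = urllib.parse.urlencode({
        "type": "user-id",
        "key": os.environ["PAN_API_KEY"],   # never a literal in the source
        "cmd": build_uid_message(ips, tag, action),
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab firewall with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{firewall}/api/",
                                 data=query.encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return check_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed scan results: previous run vs. current run.
    add, rem = plan_sync(["10.0.0.1", "10.0.0.2"], ["10.0.0.2", "10.0.0.3"])
    print("register:", add, "unregister:", rem)
    print(build_uid_message(add, "scanned-linux"))
    print(check_response(SAMPLE_OK))
```

With the diff approach, Splunk itself holds the previous scan's IP list, so each run only sends what changed and the dynamic group never needs to be cleared wholesale; a failed or error reply surfaces as a RuntimeError with the firewall's message instead of the AttributeError in the traceback above.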

scottroymcse
New Member

Thank you for responding, this was the detail I was looking for. I'll give it a try this morning when I'm back in the office and let you know how it goes.

0 Karma