Activate Palo Alto PAN-OS L1 Package

Is there an I&W for Palo Alto PAN-OS L1?

  • Thanks, Prentice! A couple of things:

    1. Are you or John aware of any other customers developing this package? I don't want to duplicate work.
    2. I am currently using the Imperva WAF I&W as that was a copy I had lying around
    3. I'll attach the I&W here
    4. So far I have the following filters built from the attached I&W, which specifically identifies the events used for these filters:
      1. System and Service Changes*: lines 4, 9 (should be made into a single filter?), 11, 13
      2. System and Service Errors*: lines 17 (should be made into a single filter?), 18 (should be made into a single filter?), 25
      3. User/Group Management*: line 31
      4. User/Host Authentication*: lines 49, 50
      5. URL Category*: lines 51-80
      6. *Column O indicates that I have actual events to analyze, P indicates the name that I used for the filter, Q indicates that I have written the filter, R indicates that the actual filter logic is available in I&W for analysis
    5. I expect to have the following additional stimulus response filters created this week:
      1. Various User Auth/Mgmt: lines 27, 29, 31, 37 and others as are possible to generate
    6. What I need to build rules off of filters from above categories 1-4:
      1. Specific string to use for Column F in attached I&W "Device Group"
      2. Specific string to use for Column G in attached I&W "Device Type"
      3. Confirmation that the string to use for Column H should not change
    7. What I need to build rules off of filters from above category 5:
      1. Column values for C-N
      2. I have sent this request over to my team as well since some of this may be site specific alerting based on corporate policy
    8. Attached also is some Palo Alto PAN-OS docs

    Let me know if you need anything further; I can do a Webex if you'd like. Shoot me over an invite anytime.

    -Mary

    Core_Filters.JPG

    URL_Filters.JPG
