SendAllPANWIoTAssetsToSIEM
Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server.
python · IoT 3rd Party Integrations by Palo Alto Networks (Deprecated)
Source
import demistomock as demisto from CommonServerPython import * SIEM_INSTANCE = demisto.args().get("syslog_sender_instance") PANW_IOT_INSTANCE = demisto.args().get("panw_iot_3rd_party_instance") VULNERABILITIES_FIELDS_MAP = [ ("ip", "dvc="), ("deviceid", "dvcmac="), ("name", "dvchost="), ("profile", "cs1Label=Profile cs1="), ("display_profile_category", "cs2Label=Category cs2="), ("profile_vertical", "cs3Label=ProfileVertical cs3="), ("vendor", "cs4Label=Vendor cs4="), ("model", "cs5Label=Model cs5="), ("vlan", "cs6Label=Vlan cs6="), ("site_name", "cs7Label=Site cs7="), ("risk_score", "cs8Label=RiskScore cs8="), ("risk_level", "cs9Label=RiskLevel cs9="), ("subnet", "cs10Label=Subnet cs10="), ("vulnerability_name", "cs11Label=vulnerabilityName cs11="), ("detected_date", "cs12Label=DetectionDate cs12="), ("remediate_instruction", "cs13Label=RemediateInstructions cs13="), ("remediate_checkbox", "cs14Label=RemediateCheckbox cs14="), ("first_seen_date", "cs15Label=FirstSeenDate cs15="), ("confidence_score", "cs16Label=ConfidenceScore cs16="), ("os", "cs17Label=OsGroup cs17="), ("os/firmware_version", "cs18Label=OsFirmwareVersion cs18="), ("osCombined", "cs19Label=OsSupport cs19="), ("OS_End_of_Support", "cs20Label=OsEndOfSupport cs20="), ("Serial_Number", "cs21Label=SerialNumber cs21="), ("endpoint_protection", "cs22Label=EndpointProtection cs22="), ("NetworkLocation", "cs23Label=NetworkLocation cs23="), ("AET", "cs24Label=AET cs24="), ("DHCP", "cs25Label=DHCP cs25="), ("wire_or_wireless", "cs26Label=WireOrWireless cs26="), ("SMB", "cs27Label=SMB cs27="), ("Switch_Port", "cs28Label=SwitchPort cs28="), ("Switch_Name", "cs29Label=SwitchName cs29="), ("Switch_IP", "cs30Label=SwitchIp cs30="), ("services", "cs31Label=Services cs31="), ("is_server", "cs32Label=IsServer cs32="), ("NAC_profile", "cs33Label=NAC_Profile cs33="), ("NAC_profile_source", "cs34Label=NAC_ProfileSource cs34="), ("Access_Point_IP", "cs35Label=AccessPointIp cs35="), ("Access_Point_Name", "cs36Label=AccessPointName cs36="), ("SSID", "cs37Label=SSID cs37="), ("Authentication_Method", "cs38Label=AuthMethod cs38="), ("Encryption_Cipher", "cs39Label=EncryptionCipher cs39="), ("AD_Username", "cs40Label=AD_Username cs40="), ("AD_Domain", "cs41Label=AD_Domain cs41="), ("Applications", "cs42Label=Applications cs42="), ("Tags", "cs43Label=Tags cs43="), ] DEVICE_FIELDS_MAP = [ ("ip_address", "dvc="), ("mac_address", "dvcmac="), ("hostname", "dvchost="), ("profile", "cs1Label=Profile cs1="), ("category", "cs2Label=Category cs2="), ("profile_type", "cs3Label=ProfileType cs3="), ("vendor", "cs4Label=Vendor cs4="), ("model", "cs5Label=Model cs5="), ("vlan", "cs6Label=Vlan cs6="), ("site_name", "cs7Label=Site cs7="), ("risk_score", "cs8Label=RiskScore cs8="), ("risk_level", "cs9Label=RiskLevel cs9="), ("subnet", "cs10Label=Subnet cs10="), ("number_of_critical_alerts", "cs11Label=NumCriticalAlerts cs11="), ("number_of_warning_alerts", "cs12Label=NumWarningAlerts cs12="), ("number_of_caution_alerts", "cs13Label=NumCautionAlerts cs13="), ("number_of_info_alerts", "cs14Label=NumInfoAlerts cs14="), ("first_seen_date", "cs15Label=FirstSeenDate cs15="), ("confidence_score", "cs16Label=ConfidenceScore cs16="), ("os_group", "cs17Label=OsGroup cs17="), ("os/firmware_version", "cs18Label=OsFirmwareVersion cs18="), ("OS_Support", "cs19Label=OsSupport cs19="), ("OS_End_of_Support", "cs20Label=OsEndOfSupport cs20="), ("Serial_Number", "cs21Label=SerialNumber cs21="), ("endpoint_protection", "cs22Label=EndpointProtection cs22="), ("NetworkLocation", "cs23Label=NetworkLocation cs23="), ("AET", "cs24Label=AET cs24="), ("DHCP", "cs25Label=DHCP cs25="), ("wire_or_wireless", "cs26Label=WireOrWireless cs26="), ("SMB", "cs27Label=SMB cs27="), ("Switch_Port", "cs28Label=SwitchPort cs28="), ("Switch_Name", "cs29Label=SwitchName cs29="), ("Switch_IP", "cs30Label=SwitchIp cs30="), ("services", "cs31Label=Services cs31="), ("is_server", "cs32Label=IsServer cs32="), ("NAC_profile", "cs33Label=NAC_Profile cs33="), ("NAC_profile_source", "cs34Label=NAC_ProfileSource cs34="), ("Access_Point_IP", "cs35Label=AccessPointIp cs35="), ("Access_Point_Name", "cs36Label=AccessPointName cs36="), ("SSID", "cs37Label=SSID cs37="), ("Authentication_Method", "cs38Label=AuthMethod cs38="), ("Encryption_Cipher", "cs39Label=EncryptionCipher cs39="), ("AD_Username", "cs40Label=AD_Username cs40="), ("AD_Domain", "cs41Label=AD_Domain cs41="), ("Applications", "cs42Label=Applications cs42="), ("Tags", "cs43Label=Tags cs43="), ("os_combined", "cs44Label=os_combined cs44="), ] def convert_device_map_to_cef(device_map): """ Converts a PANW IoT device map to CEF syslog format. param device_map: PANW IoT device map containing device attributes """ cef = "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|" for t in DEVICE_FIELDS_MAP: input_field = t[0] output_field = t[1] val = device_map.get(input_field, "") if output_field and val: cef += str(output_field) + str(val) + " " return cef def convert_alert_to_cef(alert): """ Converts a PANW IoT alert to CEF syslog format. param alert: PANW IoT alert containing alert attributes """ if alert is not None and "msg" in alert and "status" in alert["msg"] and alert["msg"]["status"] == "publish": msg = alert["msg"] cef = "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|" if "name" in alert: cef += alert["name"] + "|" if "severityNumber" in alert: cef += str(alert["severityNumber"]) + "|" if "deviceid" in alert: cef += f"dvcmac={alert['deviceid']} " if "fromip" in msg: cef += f"src={msg['fromip']} " if "toip" in msg: cef += f"dst={msg['toip']} " if "hostname" in msg: cef += f"shost={msg['hostname']} " if "toURL" in msg: cef += f"dhost={msg['toURL']} " if "id" in msg: cef += f"fileId={msg['id']} " cef += "fileType=alert " if "date" in alert: cef += f"rt={str(msg['id'])} " if "generationTimestamp" in msg: cef += f"deviceCustomDate1={str(msg['generationTimestamp'])} " description = None values = [] if "description" in alert: description = alert["description"] if "values" in msg: values = msg["values"] cef += f"cs1Label=Description cs1={description} " cef += f"cs2Label=Values cs2={str(values)} " return cef else: return None def convert_vulnerability_to_cef(vulnerability): """ Converts a PANW IoT vulnerability to CEF syslog format. param device_map: PANW IoT vulnerability containing vulnerability attributes """ risk_level_map = {"Critical": "10", "High": "6", "Medium": "3", "Low": "1"} cef = "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|" if "vulnerability_name" in vulnerability: cef += vulnerability["vulnerability_name"] + "|" if "risk_level" in vulnerability: if vulnerability["risk_level"] in risk_level_map: cef += risk_level_map[vulnerability["risk_level"]] + "|" else: cef += "1|" # default severity for t in VULNERABILITIES_FIELDS_MAP: input_field = t[0] output_field = t[1] # print input_field, output_field val = vulnerability.get(input_field, "") if output_field and val: cef += str(output_field) + str(val) + " " return cef def convert_single_asset_to_cef(asset, asset_type): """ Converts the given asset of type asset_type to CEF syslog format. param asset: Single PANW IoT cloud discovered asset. param asset_type: type of asset (device, alert or vulnerability). """ if asset_type == "alert": return convert_alert_to_cef(asset) elif asset_type == "vulnerability": return convert_vulnerability_to_cef(asset) else: return convert_device_map_to_cef(asset) def send_status_to_panw_iot_cloud(status, msg, asset_type): """ Reports status details back to PANW IoT Cloud. param status: Status (error, disabled, success) to be send to PANW IoT cloud. param msg: Debug message to be send to PANW IoT cloud. param asset_type: Type of asset (device, alert, vuln) associated with the status. """ resp = demisto.executeCommand( "panw-iot-3rd-party-report-status-to-panw", { "status": status, "message": msg, "integration_name": "siem", "playbook_name": "PANW IoT 3rd Party SIEM Integration - Bulk Export to SIEM", "asset_type": asset_type, "timestamp": int(round(time.time() * 1000)), "using": PANW_IOT_INSTANCE, }, ) if isError(resp[0]): err_msg = f'Error, failed to send status to PANW IoT Cloud - {resp[0].get("Contents")}' raise Exception(err_msg) def get_assets_from_panw_iot_cloud(offset, page_size, asset_type): """ Gets assets from PANW IoT cloud. param offset: Offset number for the asset list. param page_size: Page size of the response being requested. param asset_type: Type of asset (device, alert, vuln) to be retrieved. """ resp = demisto.executeCommand( "panw-iot-3rd-party-get-asset-list", {"asset_type": asset_type, "increment_type": None, "offset": offset, "pageLength": page_size, "using": PANW_IOT_INSTANCE}, ) if isError(resp[0]): err_msg = f'Error, could not get assets from PANW IoT Cloud - {resp[0].get("Contents")}' raise Exception(err_msg) return resp[0]["Contents"] def send_asset_syslog(cef): """ Sends the cef formated message as syslogs. param cef: The cef formated message to be sent as syslog. """ res = demisto.executeCommand("syslog-send", {"message": cef, "using": SIEM_INSTANCE}) if isError(res[0]): # We only get an error if configured syslog server address cant be resolved err_msg = f'Cant connect to SIEM server - {res[0].get("Contents")}' raise Exception(err_msg) def get_all_panw_iot_assets_and_send_to_siem(asset_type): """ Retrieves all assets from PANW IoT Cloud, 1000 assets at a time and sends it to the syslog server. param asset_type: Type of asset (device, alert, vuln). """ count = 0 offset = 0 page_size = 1000 if asset_type is None: raise TypeError("Invalid asset type. Asset type passed is null") asset_type_map = {"device": "Devices", "alert": "Alerts", "vulnerability": "Vulnerabilities"} while True: asset_list = get_assets_from_panw_iot_cloud(offset, page_size, asset_type) size = len(asset_list) for asset in asset_list: cef = convert_single_asset_to_cef(asset, asset_type) send_asset_syslog(cef) count += 1 if size >= page_size: offset += page_size else: break return f"Successfully sent total {count} {asset_type_map[asset_type]} to SIEM" def main(): asset_type = demisto.args().get("asset_type") try: status_msg = get_all_panw_iot_assets_and_send_to_siem(asset_type) except Exception as ex: send_status_to_panw_iot_cloud("error", str(ex), asset_type) return_error(str(ex)) send_status_to_panw_iot_cloud("success", status_msg, asset_type) return_results(status_msg) if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | PANW IoT 3rd Party Integration, siem |
| Cortex XSOAR Version | 6.0.0 |
Dependencies
This script uses the following commands and scripts.
- syslog-send
- panw-iot-3rd-party-get-asset-list
- panw-iot-3rd-party-report-status-to-panw
- panw-iot-3rd-party-convert-assets-to-external-format
Inputs
| Argument Name | Description |
|---|---|
| asset_type | Type of asset. Can be “device”, “alert”, or “vulnerability”. |
| syslog_sender_instance | Name of the configured syslog sender integration instance. |
| panw_iot_3rd_party_instance | Name of the configured PANW Iot 3rd Party integration instance. |
Outputs
There are no outputs for this script.