Security Orchestration with the AlienApp for Palo Alto Networks Next-Generation Firewall

September 14, 2017  |  Jeff Olen

At AlienVault, we’re passionate about simplifying the way organizations detect and respond to today’s ever-evolving threat landscape. Our USM Anywhere™ solution is built upon a highly extensible platform that includes a growing collection of AlienApps™, extending the threat detection and security orchestration capabilities of USM Anywhere to other security tools that your IT team uses, providing a consolidated approach to threat detection and response.

We recently released a new AlienApp for Palo Alto Networks® Next-Generation Firewalls. The app collects raw logs from Palo Alto Networks next-generation firewalls, which are designed to safely enable applications and prevent modern threats by identifying all network traffic based on applications, users, content and devices. The AlienApp for Palo Alto Networks Next-Generation Firewalls provides the data to USM Anywhere for analysis, delivering additional threat detection and visibility to reduce the mean time to detect threats.

The AlienApp also includes automated response actions so that metadata of threats detected by USM Anywhere, such as the IP address of the attacking system, can be manually or automatically forwarded to the next-generation firewall for enforcement. Let’s take a closer look at the capabilities of the AlienApp for Palo Alto Networks Next-Generation Firewalls, and see how it can help you close the loop faster between threat detection and response.

Make Firewall Data Actionable

Firewalls provide a wealth of data on both inbound and outbound network traffic that can help security analysts understand communications trends as well as uncover threats as they occur. As a result, collecting log data from firewalls has become a cornerstone of any robust security monitoring program. Additionally, compliance can be a driver for firewall log collection, with regulations, like PCI DSS, outlining specific requirements in this area. Palo Alto Networks next-generation firewalls allow for the creation of comprehensive, precise security policies, allowing organizations to safely enable applications while preventing modern threats.

Data from the next-generation firewall is collected via syslog, parsed and normalized, and then correlated with data from your network and assets, as well as with AlienVault’s best-in-class threat intelligence. By adding more context to the data, USM Anywhere can help identify additional threats and empower the analyst to take action.

As an example, USM Anywhere can use the next-generation firewall log data to help you identify a possible brute force attack. Here’s an example of a USM Anywhere alarm generated after repeated login attempts are followed by a successful login:

alienvault and palo alto next generation firewall

This may be an indicator of a real attack, or the activity may prove to be benign; but with USM Anywhere, there’s no need to connect to the next-generation firewall or the targeted system to view log files. Instead, you can use the USM Anywhere console to view both relevant and actionable alarms, and drill into more detailed information.

Close the Loop Between Threat Detection and Response

Let’s presume that, upon inspection, you determine it’s not simply a forgetful user trying different passwords, but rather a bad actor trying to authenticate into your network. The first step in the response is likely blocking the source IP address at the firewall. The AlienApp for Palo Alto Networks Next-Generation Firewalls includes integrated orchestration actions that streamline and accelerate the time to response. Let’s look at how this works.

When reviewing the details of the brute force attack alarm from the USM Anywhere interface, you can choose the “Select Action” menu button to find the available actions related to Palo Alto Networks next-generation firewalls.

brute force attack detected by USM Anywhere

The “Tag alarm sources” action will send the suspicious source IP address directly to the Palo Alto Networks next-generation firewall for enforcement. The tag name can be specified so that the appropriate policy with that tag can be applied by the next-generation firewall. With just a few clicks, the first step of the response is complete.

Automate Response

USM Anywhere also provides the ability to create an orchestration rule to fully automate a response. In the brute force use case, there may be certain scenarios where it is desirable to send the block request automatically, without intervention and review by the security analyst. For example, an organization without operations in China may want to automatically block any brute force attempt coming from an IP address in China.

For this scenario, a simple orchestration rule can be created with the appropriate matching conditions for the alarm, along with an automated response action that will send the source IP address to the Palo Alto Networks next-generation firewall with the tag of “China” applied. A policy rule can then be created within the firewall to automatically add any IP address sent with that tag to the block list.


These use cases demonstrate the value of integrating USM Anywhere with Palo Alto Networks next-generation firewalls. By providing additional threat visibility and security orchestration capabilities, the AlienApp for Palo Alto Networks Next-Generation Firewalls helps you with detection and response.

Try It for Yourself

The AlienApp for Palo Alto Networks Next-Generation Firewalls is included for all USM Anywhere customers at no extra charge, and joins a growing family of AlienApps that includes Microsoft Office 365, Google G Suite, Cisco Umbrella, Carbon Black, and others. Start a free 14-day trial of USM Anywhere today to see how AlienApps can help your organization work more efficiently to reduce the time between threat detection and response.

Share this with others

Get price Free trial