AlienVault® USM Anywhere™

AlienApp for Palo Alto Networks Orchestration

The AlienApp for Palo Alto Networks provides a set of orchestration actions that you can use to quickly send IP addresses to the firewall (a virtual or physical device designed to defend against unauthorized access to data, resources, or a private network; a firewall's primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them) as a response to threats identified by USM Anywhere. You can also send IP addresses to Palo Alto Dynamic Address Groups. The AlienApp uses standard HTTP requests to the Palo Alto PAN-OS API to register tags. Each such tag contains the source or destination address (or the FQDN) of the event or alarm used to launch the action or that triggered the orchestration rule.

Important: Using the AlienApp for Palo Alto Networks orchestration actions requires that the AlienApp is enabled on a deployed USM Anywhere Sensor with a configured integration to your Palo Alto Networks product. For more information, see Configuring the AlienApp for Palo Alto Networks.

As USM Anywhere surfaces events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall) and alarms (notifications of an event or sequence of events that require attention or investigation), your team determines which items require a response action. Rather than manually tagging source and destination hosts in the Palo Alto firewall for enforcement purposes, you can use the AlienApp for Palo Alto Networks orchestration actions to enforce protection based on the information associated with the event or alarm.

Action: Tag Destination IP Address from Rule
Function: Run this action to tag the destination IP address in the connected Palo Alto Networks device.

Action: Tag Destination IP Address to Dynamic Address Group from Rule
Function: Run this action to tag the destination IP address and add it to a Dynamic Address Group in the connected Palo Alto Networks device.

Action: Tag Source IP Address from Rule
Function: Run this action to tag the source IP address in the connected Palo Alto Networks device.

Action: Tag Source IP Address to Dynamic Address Group from Rule
Function: Run this action to tag the source IP address and add it to a Dynamic Address Group in the connected Palo Alto Networks device.

Upon launch of the action, USM Anywhere sends a request to the Palo Alto Networks PAN-OS API to add one of the following identifiers to its Object database and to tag it according to the value specified in the action or rule.

  • IPv4 address
  • IPv6 address
  • FQDN

Important: By default, changes affecting PAN-OS firewall configurations require activation through a commit. The object (host) tag requests sent by AlienApp for Palo Alto Networks are not activated until you or another Palo Alto administrator commits them. In the PAN-OS web UI, you can filter pending changes by user account or location and then preview, validate, or commit only those changes. For more information about committing these changes, refer to the PAN-OS documentation.

If a specified tag does not already exist in the Palo Alto device, the action also creates the new tag. The tag creation does not require a commit in the Palo Alto environment.
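The request the text describes is a PAN-OS XML API "register" message that maps an address to a tag. The following Python is an added example, not AlienVault's AlienApp code and not Palo Alto's SDK; it shows the three identifier forms being validated, the tag-mapping message being built, and the firewall's reply being parsed. Assumptions are marked in the comments: the uid-message shape and the type=user-id form fields are as documented for the PAN-OS XML API, the tag-name allowlist is deliberately conservative, and FQDN entries are assumed to use the same entry attribute as IP addresses (the page says the action accepts FQDNs but does not show how they are encoded).

```python
"""Build and parse PAN-OS XML API register messages for address tagging.

Added example, not the AlienApp's own code. Assumed (verify against your
PAN-OS version): the uid-message shape below, the type=user-id form fields,
and a <response status="..."> reply element.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample values; a real tag value comes from the USM Anywhere rule.
SAMPLE_TAG = "usm-block"

# Syntactic FQDN check: dotted labels, 63 chars max each, alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
# Conservative allowlist for tag names (assumption, stricter than PAN-OS itself).
TAG_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,127}$")


def classify_identifier(value: str) -> str:
    """Return 'ipv4', 'ipv6' or 'fqdn' (the three forms the action accepts).

    Anything else raises ValueError so it never reaches the firewall.
    """
    try:
        addr = ipaddress.ip_address(value)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if FQDN_RE.match(value):
        return "fqdn"
    raise ValueError(f"not an IP address or FQDN: {value!r}")


def build_register_payload(identifier: str, tag: str) -> str:
    """Serialize a uid-message that maps identifier to tag.

    The tree is built with ElementTree rather than string formatting, so a
    tag or address lifted from event data cannot smuggle in extra elements.
    """
    kind = classify_identifier(identifier)
    if not TAG_RE.match(tag):
        raise ValueError(f"tag has characters outside the allowed set: {tag!r}")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    # PAN-OS documents the 'ip' attribute for IP entries; reusing it for an
    # FQDN (kind == 'fqdn') is an assumption of this example.
    entry = ET.SubElement(register, "entry", ip=identifier)
    tags = ET.SubElement(entry, "tag")
    ET.SubElement(tags, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def build_request_fields(identifier: str, tag: str, api_key: str) -> dict:
    """Form fields for a POST to https://<firewall>/api/ (hostname is a placeholder)."""
    return {"type": "user-id", "key": api_key, "cmd": build_register_payload(identifier, tag)}


def parse_response(xml_text: str) -> tuple:
    """Return (ok, message) from a PAN-OS API reply.

    Success: <response status="success">...; failure: status="error" with a
    <msg> body. Both are reduced to a boolean plus the reply's text.
    """
    root = ET.fromstring(xml_text)
    ok = root.get("status", "") == "success"
    return ok, "".join(root.itertext()).strip()


if __name__ == "__main__":
    fields = build_request_fields("10.0.0.5", SAMPLE_TAG, "API-KEY-PLACEHOLDER")
    print(fields["cmd"])
    print(parse_response('<response status="success"><result>ok</result></response>'))
```

A successful reply only means the IP-to-tag mapping was accepted; as the text above notes, the firewall enforces nothing until a policy referencing the tag or Dynamic Address Group is committed, so a response handler should record the pending state rather than report the host as blocked.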

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

  3. On the AlienApps page, click the Palo Alto Networks tile.

  4. If you have more than one sensor, select the sensor where the AlienApp is enabled.
  5. Click the Actions tab to display information for the supported actions.
  6. Click the History tab to display information about the executed orchestration actions.

Dynamic Address Group Tagging

In order to use the Dynamic Address Group actions, you need to have a Dynamic Address Group created in your Palo Alto