Digital Resilience Pays Off
How resilient is your organization? Learn how to mature your digital resilience with this free guide.
Automation with Palo Alto Networks and Phantom
By
Splunk
Palo Alto Networks and Phantom combine best-in-class protection with best-in-class security automation and orchestration, offering increased advanced threat visibility and protection that is fully synchronized across the security environment.
Palo Alto Networks can be quickly integrated with the Phantom Platform using Phantom Apps for AutoFocus threat intelligence, PA Series network firewalls, Panorama centralized management, and WildFire file analysis.
Phantom Apps for Palo Alto Networks automation actions like:
- AutoFocus threat intelligence – hunt for file, IP address, and domain intelligence
- PA Series network firewalls – block/unblock IP addresses, applications, and URLs
- Panorama centralized management – block/unblock IP addresses, applications, and URLs
- WildFire file analysis – detonate a file, get a report about a file, download a file, and get a PCAP of the file’s communications
Palo Alto Networks and Phantom increase productivity with uses cases like these:
Use Case 1: Detect and Respond to Malware Infection with C2 Connectivity
Challenge: Shorten response time associated with discovery of an endpoint infected with malware and established C2.
Solution: Analyst to deploy a Playbook on Phantom platform which automates the investigation and containment phases through interaction with Palo Alto Networks Applications.
Response: Deploy a Playbook which covers the following steps:
- Detect C2 on PAN Firewall which sends an event to Splunk
- Splunk forwards an event for Phantom to automate
- Playbook connects to vSphere to get a memory snapshot of the VM
- Playbook uses Volatility to find the malware in the memory dump and extract the process associated with the threat
- Playbook then automates a file detonation in PAN WildFire
- With a positive return from WildFire, the Playbook deploys a firewall rule to PAN firewall to block connections associated with the destination IP address of the C2 connection
- Playbook then can execute a termination of the application and/or VM
Use Case 2: Detect and Respond to Suspicious Email
Challenge: Shorten response time associated with a phishing investigation.
Solution: Analyst to deploy a Playbook on Phantom platform which automates the investigation and containment phases through interaction with Palo Alto Networks Applications.
Response: Deploy a Playbook which covers the following steps:
- Potentially malicious email with file attachment forwarded to SOC for investigation
- Playbook automates file detonation from attachment to PAN WildFire
- With a positive return, Playbook will block the file hash in Windows Server
- Playbook automates a URL reputation
- With a positive return, playbook will deploy a URL filtering rule to PAN firewall
- Delete email on Exchange server
Interested in seeing how Phantom and Palo Alto Networks can help your organization? Get the free Phantom Community Edition.
----------------------------------------------------
Thanks!
CP Morey
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
