-
Notifications
You must be signed in to change notification settings - Fork 2k
SLS - SCM GW Auth #44967
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
SLS - SCM GW Auth #44967
Changes from all commits
729d3ca
edb6b04
0bb575b
ecaf871
84ae2d0
039a29c
9ca0363
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,11 +1,10 @@ | ||||||
| ## Overview | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| Palo Alto Networks Strata Logging Service XSOAR Connector provides cloud-based, centralized log storage and aggregation for your on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR. | ||||||
| This integration was integrated and tested with version 2 of Strata Logging Service XSOAR Connector. | ||||||
|
|
||||||
|
|
||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Configure Strata Logging Service XSOAR Connector on Cortex XSOAR | ||||||
|
|
@@ -14,27 +13,28 @@ This integration was integrated and tested with version 2 of Strata Logging Serv | |||||
|
|
||||||
| 1. In the War Room, run the command `!GetLicenseID` to get the `license ID`. | ||||||
| 2. Go to __Settings__ > __ABOUT__ > __License__ to get the `Customer Name`. | ||||||
| 3. Go to the [HUB](https://apps.paloaltonetworks.com/apps) and login using your **Palo Alto Networks** credentials. | ||||||
| 3. Go to the [HUB](https://apps.paloaltonetworks.com/apps) and login using your **Palo Alto Networks** credentials. | ||||||
| 4. Under the `Cortex™ XSOAR` app select the relevant instance. If you don't have an active `Cortex™ XSOAR` app check out the Hub [Docs site](https://docs.paloaltonetworks.com/hub/hub-getting-started) to learn about app activation. | ||||||
| 5. Insert the `license ID` and the `Customer Name` in the required fields and complete the authentication process in order | ||||||
| to get the __Authentication Token__ __Registration ID__ __Encryption Key__ | ||||||
| 5. Insert the `license ID` and the `Customer Name` in the required fields and complete the authentication process in order | ||||||
| to get the __Registration ID__, __Encryption Key__, and __Client Secret__. | ||||||
| 6. Navigate to __Settings__ > __Integrations__ > __Servers & Services__. | ||||||
| 7. Search for Palo Alto Networks Cortex v2. | ||||||
| 8. Click __Add instance__ to create and configure a new integration instance. | ||||||
| * __Name__: A textual name for the integration instance. | ||||||
| * __Authentication Token__: From the authentication process | ||||||
| * __Registration ID__: From the authentication process | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * The token retrieval URL is inferred based on the tenant's FedRAMP status unless explicitly specified in the __Registration ID__ parameter in the format `REGISTRATION_ID@URL`. | ||||||
| * __Encryption Key__: From the authentication process | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __Client Secret__: From the authentication process | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __proxy__: Use system proxy settings | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __insecure__: Trust any certificate (not secure) | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __Fetch incidents__: Whether to fetch incidents or not | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __first_fetch_timestamp__: First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __Severity of events to fetch (Firewall)__: Select from all,Critical,High,Medium,Low,Informational,Unused | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| * __Subtype of events to fetch (Firewall)__: Select from all,attack,url,virus,spyware,vulnerability,file,scan,flood,packet,resource,data,url-content,wildfire,extpcap,wildfire-virus,http-hdr-insert,http-hdr,email-hdr,spyware-dns,spyware-wildfire-dns,spyware-wpc-dns,spyware-custom-dns,spyware-cloud-dns,spyware-raven,spyware-wildfire-raven,spyware-wpc-raven,wpc-virus,sctp | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| 9. Click __Test__ to validate the URLs, token, and connection. | ||||||
| 9. Click __Test__ to validate the credentials and connection. | ||||||
|
|
||||||
| ## CDL Server - API Calls Caching Mechanism | ||||||
|
|
||||||
| The integration implements a caching mechanism for repetitive error when requesting access token from CDL server. | ||||||
| When the intgeration reaches the limit of allowed calls, the following error will be shown: | ||||||
|
|
||||||
|
|
@@ -46,4 +46,4 @@ The integration will re-attempt authentication if the command was called under t | |||||
| 2. First 48 hours - once in 10 minutes. | ||||||
| 3. After that every 60 minutes. | ||||||
|
|
||||||
| If you wish to try authenticating again, run the 'cdl-reset-authentication-timeout' command and retry. | ||||||
| If you wish to try authenticating again, run the 'cdl-reset-authentication-timeout' command and retry. | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.