Version: 10.4.7
Compatible with: Yokohama, Xanadu, Washington DC, Vancouver Patch 4, Vancouver
The Security Operations Palo Alto Networks® Next-Generation Firewall (NGFW) integration allows Security Operations Center (SOC) Analysts to block malicious IP addresses, URLs, and domains. The SOC Analyst creates entries for an External Dynamic List (EDL), or block list, from observables determined to be malicious on ServiceNow Security Incident Response (SIR) incidents.
The main features of the integration include the following:
- Flexibility to create multiple External Dynamic Lists (EDLs) that apply to the different firewall (FW) deny or allow policies. This flexibility enables more detailed reporting on submitted sites, for example phishing, malware, and allow-listed sites.
- Tagging ServiceNow incidents that contain EDL entries by observable type (URL, domain, IP address).
- Configuring EDL expiration periods to maintain EDL list size by automatically expiring or removing older entries.
- Searching for and removing EDL entries or migrating EDL entries between EDL lists.
- Linking EDL entries to observable records and SIR incidents that include threat intelligence results to determine why an IP, URL, or domain is being blocked.
Fixed:
- Pop-up loop when creating an EDL Entry with an Expiration Date different from the default.
The following Security Incident Response plugins must be installed and activated:
- Security Incident Response (com.snc.security_incident)
- Security Support Orchestration (com.snc.secops.orchestration)
Default Palo Alto Networks Next-Generation Firewall workflow:
- Palo Alto Networks NGFW launcher
- Palo Alto Networks NGFW - block request
List of script includes:
- PANFWEDLIntegrationUtils
- PANObsTypeValidator
- PANFWEDLImplementationSync
- PANFWEDLAjax
Modules:
- Firewall EDL Entries
- Notifications
- EDL Entry Finding Sources
- Firewall EDL Configuration
Role:
- sn_sec_panfw.api_account_access
Tables:
- Firewall External Dynamic List (sn_sec_panfw_edl_list)
- Firewall EDL Entry (sn_sec_panfw_edl_entry)
- Firewall Entry Finding Source (sn_sec_entry_finding_source)
Approval Notifications:
- PAN approval request to add entry
- PAN approval request to remove entry
Scheduled Job:
- Check expiration of the EDL entry
The scope(s) used:
- sn_sec_panfw