Demisto 1st hand issues and my first playbook on my home lab

by | Mar 25, 2020 | Palo Alto, Security | 0 comments

Reading Time: 3 minutes

My first installation was done by download the OVA and not by installating the linux package.

1st issue encountered, in the welcome example they propose to do a !whois domainname in the dBOT. Well if you haven’t configured the integrations of whois, this won’t work. Solution : Settings / Integration / search for whois. Click add instance.

2nd issue I encountered when trying to configured the integration of ” Mail Sender” was a basic issue on the OS provided. The tasks and playbooks are run in Dockers. And they need to have the OS IP forwarding on. Just type as root the command : /sbin/sysctl net.ipv4.conf.all.forwarding

My 1st Playbook (forwarding an event from my Firewall to my email )

1st step is to get my PaloAltoNetworks PA220 to send logs to Demisto. Just point the syslog to the Demisto (Device / Server Profile / Syslog UDP 514) + create a Logging Profile

In Demisto, create the SYSLOG integration.

In the settings Integrations, add also an Email Sender (don’t forget to test with the test button)

Let’s now create a basic playbook with 3 content.

  • DeleteContext
  • GetAlertDetails (CreateArray)
  • Send-mail

Content of the send-mail task

Next step is to attach your playbook to your ingestion of events. In settings /Advanced / Incident Types – create New Incident Type linked to your playbook.

Then Re-click on your syslog instance and set the incident Type to your just created type

Let’s experiment 1st alert

I checked in the bulletin of relase notes of Palo Alto of a bad URL, so I knew how to generate a valid alert. (URL www.sehoo.com) which should trigger a DNS blackhole.

Under Incident, you should now see an incident and under the playbook columns, it should be linked to your “1st playbook”.

Open your incident, and under the tab Work Plan, you can get the context data (three vertical buttons / Context Data)

Hope it helps. I wish I could have read something similar a week ago. It was a but painfull to start.

Another tip. How to find the reference to the data you see in the contextual data ? just click on variable to get the name of variabl, or click on the value to get the value only.

= incident.details

to use this variable in the email use this format : ${incident.details}

1

Submit a Comment

Your email address will not be published. Required fields are marked *