Automation with Palo Alto Networks and Phantom

Palo Alto Networks and Phantom combine best-in-class protection with best-in-class security automation and orchestration, offering increased advanced threat visibility and protection that is fully synchronized across the security environment.

Palo Alto Networks can be quickly integrated with the Phantom platform using Phantom Apps for AutoFocus threat intelligence, PA Series network firewalls, Panorama centralized management, and WildFire file analysis.


Phantom Apps for Palo Alto Networks automate actions like:

  • AutoFocus threat intelligence – hunt for file, IP address, and domain intelligence
  • PA Series network firewalls – block/unblock IP addresses, applications, and URLs
  • Panorama centralized management – block/unblock IP addresses, applications, and URLs
  • WildFire file analysis – detonate a file, get a report about a file, download a file, and get a PCAP of the file’s communications

Palo Alto Networks and Phantom increase productivity with use cases like these:

Use Case 1: Detect and Respond to Malware Infection with C2 Connectivity

Challenge: Shorten response time associated with discovery of an endpoint infected with malware and established C2.

Solution: The analyst deploys a Playbook on the Phantom platform that automates the investigation and containment phases through interaction with Palo Alto Networks Applications.

Response: Deploy a Playbook which covers the following steps:

  1. The PAN firewall detects C2 traffic and sends an event to Splunk
  2. Splunk forwards the event to Phantom for automation
  3. The Playbook connects to vSphere to take a memory snapshot of the VM
  4. The Playbook uses Volatility to find the malware in the memory dump and extract the process associated with the threat
  5. The Playbook then automates file detonation in PAN WildFire
  6. With a positive return from WildFire, the Playbook deploys a firewall rule to the PAN firewall that blocks connections to the destination IP address of the C2 connection
  7. The Playbook can then terminate the application and/or the VM

Use Case 2: Detect and Respond to Suspicious Email

Challenge: Shorten response time associated with a phishing investigation.

Solution: The analyst deploys a Playbook on the Phantom platform that automates the investigation and containment phases through interaction with Palo Alto Networks Applications.

Response: Deploy a Playbook which covers the following steps:

  1. A potentially malicious email with a file attachment is forwarded to the SOC for investigation
  2. The Playbook detonates the attachment in PAN WildFire
  3. With a positive return, the Playbook blocks the file hash on the Windows server
  4. The Playbook automates a URL reputation lookup
  5. With a positive return, the Playbook deploys a URL filtering rule to the PAN firewall
  6. The Playbook deletes the email on the Exchange server
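Both use cases hinge on the same decision step: a WildFire verdict comes back and the Playbook must decide whether to push a firewall block (Use Case 1, step 6) or a hash block (Use Case 2, step 3). The following is an added, stand-alone Python model of that gating logic; it is not Phantom's playbook API or Palo Alto Networks code. The verdict codes are assumed from the WildFire API documentation, and the asset names ("pan_firewall", "windows_server") are hypothetical. It shows the checks a practitioner wants before automation writes a block rule: do not act on a pending or error verdict, never block internal or allowlisted addresses, and only block a well-formed hash.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# WildFire verdict codes (assumed from the WildFire API documentation;
# confirm against your deployment): 0 benign, 1 malware, 2 grayware,
# 4 phishing, -100 pending, -101 error, -102 unknown.
MALICIOUS_VERDICTS = {1: "malware", 4: "phishing"}
PENDING = -100

# Address ranges a playbook must never push into a firewall block rule,
# because the "C2 destination" field can hold an internal or proxy address.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

@dataclass(frozen=True)
class Action:
    asset: str    # Phantom asset the action would run on (hypothetical names)
    name: str     # action name, e.g. "block ip" or "block hash"
    target: str   # the indicator being blocked

def ip_is_blockable(ip: str, allowlist: FrozenSet[str]) -> bool:
    """True only for a parseable, non-internal address that is not allowlisted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_multicast or any(addr in net for net in NEVER_BLOCK):
        return False
    return ip not in allowlist

def plan_containment(verdict: int, dst_ip: Optional[str] = None,
                     sha256: Optional[str] = None,
                     allowlist: FrozenSet[str] = frozenset()) -> Tuple[str, List[Action]]:
    """Map a WildFire verdict plus indicators to ("contain"|"wait"|"no_action", actions)."""
    if verdict == PENDING:
        return "wait", []            # detonation not finished: poll again, do not block yet
    if verdict not in MALICIOUS_VERDICTS:
        return "no_action", []       # benign, grayware, or an error code: hand to an analyst
    actions: List[Action] = []
    if dst_ip and ip_is_blockable(dst_ip, allowlist):
        actions.append(Action("pan_firewall", "block ip", dst_ip))
    if sha256 and len(sha256) == 64 and all(c in "0123456789abcdef" for c in sha256.lower()):
        actions.append(Action("windows_server", "block hash", sha256.lower()))
    return ("contain" if actions else "no_action"), actions
```

A "wait" result tells the Playbook to re-poll WildFire rather than treat an unfinished detonation as benign, and a "no_action" result on a malicious verdict means every indicator failed a safety check and the case should go to an analyst.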

Interested in seeing how Phantom and Palo Alto Networks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Phantom in action.

CP Morey
VP, Products & Marketing
Phantom