Eyeglass Solutions Publication

Palo Alto Networks Superna Zero Trust Snapshot, User Lockout Playbooks

Playbook Integration with Palo Alto Cortex xSOAR

Overview

SecOps automation is a key requirement to combat the never-ending threats to corporate data. The Palo Alto Cortex xSOAR (Security Orchestration, Automation and Response) platform enables playbooks and automation that reduce the time to detect and respond to threats that span multiple devices. To support this type of automation, data from external security tools is vital: it provides complete, accurate and concise threat detection details that allow both automation and SecOps teams to respond to threats across the corporate IT infrastructure.


Key Benefits

  1. This integration allows customers to upload a playbook that protects storage by leveraging Superna's Zero Trust API and Cyber Storage capabilities.
  2. Integrates with the native playbook yaml definition file and is easily customized for the environment.


Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts.


Solution Overview

The Superna Defender Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR and XDR platforms. Automation begins with data that summarizes the threat and places that information into a SOAR, where SecOps can act on it and run playbooks to protect corporate IT assets from vulnerabilities and from insider or external attackers. To allow a SOAR to act on data from an external tool, the fields of each alert must be mapped to the schema used within the SOAR. This guide covers the basic field mapping used to push Zero Trust Ransomware Defender alerts into xSOAR.

Solution Configuration in Cortex xSOAR and Defender Zero Trust

Prerequisites

  1. Installed Superna Security Edition
  2. License key for the Zero Trust API or Subscription to Security Edition
  3. Installed Cortex xSOAR 
  4. Eyeglass API token
    1. Login to the Eyeglass VM as admin --> Eyeglass REST API --> Create new token --> provide a name for the token, e.g. Zero Trust, and copy the token to be used in the steps below.
  5. Followed the Zero Trust integration with Cortex xSOAR; see the guide here.


Configuration Steps for Snapshot and User Lockout Playbooks

  1. Login to Cortex and open the playbooks tab.
    1. Download the yml definition of the Snapshot playbook here.
    2. Download the yml definition of the User Lockout playbook here.
    3. Download the yml definition of the Request User storage lockout here
    4. Download the yml definition of the Request User unlock Storage here.
  2. Click the upload button to upload the playbook to the library.

Configure the Snapshot playbook


  1. Click the Httpv2 box to edit the details and click the Edit Playbook button.
    1. Replace the IP address with the correct IP of your Eyeglass VM.
    2. Replace the api_key value with a token that is correct for your Eyeglass VM.
    3. Click the OK button once done.
    4. Click Save Playbook to save the changes.
  2. Test your playbook by clicking the Debugger Panel, then click the Run button.
  3. A successful API call will return a 201 HTTP response code, which you can expand to see in the Debugger.
    1. The Httpv2 box should show green and the debugger HTTP request section should show a 201 status code.
  4. Done.


Configure the User Lockout Playbook

  1. Follow the steps below. NOTE: This playbook depends on incidents that are created by the Superna Zero Trust webhook integration. This allows automatic userid extraction from the incident and does not require any prompt to input the user id (domain\username or user@domainname).
  2. Click the Edit Playbook button.
    1. Now click the Playbook Triggered code block.
    2. The URL will be visible in the apiurl key; click it to open the editor.
    3. Edit the IP address and change it to the hostname or IP address of your Eyeglass VM.
    4. Click the green check mark and then click OK.
    5. Then click Save for this code block.
    6. Now click the httpv2 code block.
    7. Replace the api token with a valid token from your Eyeglass deployment.
    8. Now click Save Playbook.
    9. Done.
  3. To test your playbook, assuming the alert integration is already completed, follow these steps.
    1. Click the Debugger Panel.
    2. Make sure you have a test incident created by the Superna Zero Trust API integration with Cortex that contains the custom incident field for the userID.
    3. Set the test data to use one of the webhook triggers.
    4. Click the Run button.
    5. A successful execution will show green code blocks; expanding the debugger data to show the HTTP response code should show an HTTP 201, indicating the lockout job was started successfully.
  4. Done.


Configure the Request User Storage Lockout or Unlock Playbook

  1. Overview:
    1. This playbook prompts for a user name and can be used with any 3rd party playbook or workflow that requires Cyber Storage user lockout services.
    2. Syntax for the user id: domain\username or user@domainname.
    3. The unlock playbook accepts the same inputs with the unlock workflow. Make the same modifications to this playbook as defined below to enable the unlock playbook configuration.
  2. Follow the steps below to configure.
    1. Click the Edit Playbook button.
    2. Click the Playbook Triggered code block and edit the IP address to a hostname or IP address specific to your environment. This IP address is the Eyeglass VM. Click Save once done.
    3. Click the httpv2 code block.
      1. Edit the HTTP headers section to input the api token created in the prerequisites.
      2. Click Save.
  3. How to test your playbook: click the Debugger panel, select Playground for Test data, and click Run.
  4. Enter a userid, for example domain\userid or user@domainname.
  5. Verify the code blocks all show green, then expand the HTTP response section and look for an HTTP response code of 201.
  6. Done.
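The lockout and unlock playbooks accept a user id in either domain\username or user@domainname form and treat an HTTP 201 from the Eyeglass VM as "job started". The script below is an added example, not code from the Superna or Palo Alto documentation: it validates the user id the same way before anything is sent, builds the POST the httpv2 block performs, and maps the response code to the outcome you would look for in the Debugger. The header name api_key (taken from the key name the page tells you to edit), the endpoint path /zero-trust/lockout and the JSON body key are assumptions; copy the real values from the apiurl key and headers section of your downloaded playbook yml.

```python
"""Added example (not part of the Superna / Palo Alto documentation).

Validates the user-id syntax the lockout and unlock playbooks accept
(domain\\username or user@domainname), builds the POST the httpv2 block
sends to the Eyeglass VM, and interprets the status code the way the
Debugger panel is described (201 = lockout/unlock job started).
ASSUMPTIONS: the header name "api_key", the path "/zero-trust/<action>"
and the body key "userid" are placeholders; take the real ones from the
apiurl key and headers section of the exported playbook yml.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# domain\username (down-level logon name) or user@domainname (UPN style)
_DOWN_LEVEL = re.compile(r"^(?P<domain>[A-Za-z0-9._-]+)\\(?P<user>[^\\@\s]+)$")
_UPN = re.compile(r"^(?P<user>[^\\@\s]+)@(?P<domain>[A-Za-z0-9._-]+)$")


def parse_user_id(raw: str) -> Optional[Tuple[str, str]]:
    """Return (domain, user) for either accepted syntax, or None if malformed.

    Surrounding whitespace is tolerated because the value is typed into a prompt.
    """
    value = raw.strip()
    for pattern in (_DOWN_LEVEL, _UPN):
        m = pattern.match(value)
        if m:
            return m.group("domain"), m.group("user")
    return None


def build_lockout_request(eyeglass_host: str, api_token: str, user_id: str,
                          unlock: bool = False) -> urllib.request.Request:
    """Build the POST the playbook's httpv2 block performs.

    Raises ValueError for a user id that is not in one of the two syntaxes,
    so a typo is caught before a request leaves the host.
    """
    if parse_user_id(user_id) is None:
        raise ValueError(
            f"user id must be domain\\username or user@domainname: {user_id!r}")
    action = "unlock" if unlock else "lockout"
    url = f"https://{eyeglass_host}/zero-trust/{action}"   # ASSUMED path
    body = json.dumps({"userid": user_id.strip()}).encode()  # ASSUMED body key
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("api_key", api_token)                      # ASSUMED header name
    return req


def interpret_status(status: int) -> str:
    """Map the HTTP status to the outcome the Debugger panel would show."""
    if status == 201:
        return "job started"   # the green httpv2 box described on the page
    if status in (401, 403):
        return "token rejected: check the api_key value in the playbook"
    if status == 404:
        return "endpoint not found: check the apiurl key / Eyeglass address"
    return f"unexpected status {status}: inspect the debugger http response"


def run(eyeglass_host: str, api_token: str, user_id: str,
        unlock: bool = False) -> str:
    """Send the request and report the outcome; HTTPError carries the code too."""
    req = build_lockout_request(eyeglass_host, api_token, user_id, unlock)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)


if __name__ == "__main__":
    import sys
    host, token, uid = sys.argv[1:4]
    print(run(host, token, uid, unlock="--unlock" in sys.argv))
```

Running it as `python lockout_check.py <eyeglass-host> <token> 'CORP\jdoe'` (add `--unlock` for the unlock workflow) reproduces the playbook's call outside xSOAR, which separates an Eyeglass connectivity or token problem from a playbook editing mistake when the Debugger shows a red httpv2 box.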

Use Cases for these playbooks

  1. Snapshot PlayBook
    1. You can run this playbook for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access.  This is necessary to root cause what data was affected by a security incident.
  2. User Lockout Playbook 
    1. You can run this playbook for any Superna Zero Trust created alert, as this playbook depends on the custom userID field existing in the incident. This is useful when lockout mode in Superna Security Edition is not enabled, allowing SecOps to decide when a user lockout should occur. This moves the responsibility for data protection decisions to the SecOps team versus the storage team.
  3. User Request Storage Lockout Playbook
    1. Offers an input question to accept the userID that should be locked out of storage. This playbook can be run by any SecOps workflow where the threat to data is increased and a proactive step is needed to ensure no data can be destroyed, or it can be used as a step in a workflow when employees are leaving the company or have been terminated.
  4. User Request Storage Unlock for a user Playbook
    1. Offers an input question to accept the userID that should be unlocked from the storage. This playbook can be run by any Secops workflow to allow a user that was previously locked out to have the lockout removed. 

© Superna Inc