Inspiration

Prisma Access customers, especially Service Providers, have to do significant manual work when creating new tenants and remote networks. We decided to team up and build an XSOAR playbook to automate this process. We also believe that XSOAR can automate not only alert response playbooks but also service management and provisioning playbooks. This XSOAR use case resonates with Network Security teams and shows the power of our products working together. We believe that XSOAR can drive not only process efficiency but also more business for the company and our MSSP partners by identifying opportunities.

What it does

Playbook 1 - Prisma Access Multi-Tenant Creation

  • Automates the provisioning of Prisma Access tenants including remote networks and mobile users.
  • Integrates with ServiceNow to fetch order information and handle the request.

Service Management Dashboard

  • Queries and presents live information on Prisma Access service status in an easy-to-consume dashboard.
  • Shows Prisma Access license information including remaining users and bandwidth in available license and currently provisioned users and bandwidth for each tenant.

Playbook 2 - Prisma Access Threat Response

  • Automates threat enrichment using AutoFocus and PassiveTotal, and enriches NGFW security-profile threats detected by the Prisma Access firewall by fetching the threat logs from Cortex Data Lake.
  • Generates sales leads for the XDR/MDR team by escalating customers with recurring infections and threats detected on the network by the Prisma Access NGFW.

How we built it

  • We started collaborating on the main playbook, relying on Lookman's expertise with Service Providers and Prisma Access to identify the business logic required and built it into XSOAR.
  • We added more automation to retrieve the service IPs from the Prisma Access SSH integration so we can reduce manual handoffs within the process.
  • We discussed relevant data and metrics and divided up the work to populate this data into our dashboard.
  • We generated some logs through CDL and built a threat enrichment and response playbook to respond to it by changing the policy on the firewall.

Challenges we ran into

  • Prisma Access Cloud Plugin API limitations.
  • A testing environment for Prisma Access Multi-Tenant is difficult to get.
  • Finding the matching APIs for the Panorama UI actions we needed to automate.
  • Limited documentation for Prisma Access Cloud Plugin SSH commands.

Accomplishments that we're proud of

  • Real customer value to Service Providers and Enterprise customers (we already have SEs asking to use it for their customers).
  • Tested in a real customer environment.
  • Use case is applicable for Enterprise (non-multitenant) customers as well as Service Providers.
  • Enhances Service Provider offering of Prisma Access by reducing time-to-market for all parties (Palo Alto Networks, the Service Provider customer and the end customer).
  • Expanding XSOAR from SOC into a new use case family of Service Management Automation and the NetOps audience.
  • Automating end-to-end order to delivery process for service providers.
  • Automating the querying of Service IPs for the remote connection and providing details to the customer.
  • Our dashboard which shows service metrics as well as license information and tenant information.

What we learned

  • How to collaborate on new XSOAR use cases
  • How to use cool XSOAR features
  • How customers provision new tenants on Prisma Access
  • Prisma Access and Panorama API capabilities
  • How to contribute through the new marketplace UI

What's next for SASE Content Pack

  • Get feedback from customers and the content team to enhance the pack and offer it in the Marketplace.
  • Create an Enterprise playbook to help a large customer automate the creation of >1000 Remote Networks.
  • Collaborate with Prisma Access PMs to leverage more APIs and metrics and suggest useful API enhancements.
  • Deploy the SASE-to-MDR escalation flow (in our Threat Response Playbook) with customers to help them add XDR to existing SASE customers.
  • Add more service status and metrics to the dashboard.
  • Migrate the SSH-based Panorama gpcs plugin action to the new REST API once the Prisma Access v2 integration gets released.

Built With

  • autofocus
  • cortexdatalake
  • pan-os
  • panorama
  • passivetotal
  • prismaaccess
  • servicenow