Detailed List of Questions for Brian Prior to 2/21 Meeting

[neil-unomaha]

To make the best use of Brian's time: let's develop a list of questions to ask him. This will also give Brian the opportunity to review the questions prior to meeting.

[neil-unomaha]

Priority Item to Confirm

Does the University of Nebraska have the Palo Alto product AutoFocus?

• If so, the open source software tool MindMeld should already be available within the Palo Alto GUI because MindMeld is built in with the AutoFocus extension.
• If not, MindMeld is still an open source tool, available on GitHub by Palo Alto. More details here.

MindMeld might be exactly what we are looking for.

Here is a quote from this article that sums up MindMeld:

[MindMeld] can be used to continuously retrieve indicators from external sources, process them and produce new feeds that can be directly consumed by Palo Alto Networks platforms. Viceversa it can be used to continuously retrieve indicators from Palo Alto Networks platforms and produce feeds that can be consumed by trusted peers and 3rd party security platforms.

Goal for Capstone: Develop Middleware That Accomplishes Two Workflows:

Workflow 1: Pull from Palo Alto -> Push to CIF server

Steps

1. Using Panorama API, every ( x ) minutes, pull report which contains suspicious IPs
   • (possibly filter by threat level in this step, if possible, via custom report)
2. Save output from step 1 in a file
3. Parse file: only grab threats that are above ( x ) threat level
   • (unless custom report from step 1 already accomplished this)
4. Format parsed IPs into ingestable format for CIF
   • (either modify existing file or output changes to a different file)
5. Push file to CIF Server via CIF CLI

Workflow 2: Pull threat feed from CIF Server -> Push to Panorama

Steps

1. Using CIF CLI, every ( x ) minutes, pull threat feed from CIF server
2. Save output from step 1 to a file
3. Parse document: only grab threats that are above ( x ) threat level
4. Format parsed IPs into ingestable format for Panorama
5. Using Panorama API, commit threats to panorama so it can be pushed out to all Palo Alto network firewall devices

Topics and Implementation Details to Discuss with Brian

Ideally, to develop this middleware we would have a test environment that, as closely as possible, mirrors the existing production environment. We recognize there will be limitations.

• Is there an existing test environment that mirrors UNO's setup which includes Palo Alto and CIF? If so, can we access it? (We doubt it, but no harm in asking.)
• Can we get access to UNO's environment in order to develop a solution that fits into UNO's existing environment. (We doubt this as well, but might as well ask!)

Details to be discussed per involved technology

Palo Alto Details

• As indicated in this tutorial, in order to even access the Panorama API, an admin account should be created whose only purpose is to interact with the Panorama API. Then an API key needs to be generated.
  • Is this already accomplished?
• There exists a Pre-built API Browser for Palo Alto.
• As specified in the Panorama Documentation, there are three types of reports that can be created: dynamic, predefined, and custom reports. Likely we do not want a predefined report because that always pulls the last 24hrs.
  • Does a custom report already exist which only focuses on suspicious IP addresses?
  • If not, does custom report creation in Palo Alto allow this type of query? (it would significantly reduce the file size).
  • Unless it is already done, it is necessary to tinker around with Palo Alto reports in order to come up with the best strategy.
    • Can we get access to the Palo Alto report interface for UNO in order to explore custom reports and dynamic reports? Or:
    • Can a test environment be built for us with UNO's license? Or:
    • Can we get access to a copy of the output of the report you plan on using?
  • For pushing new policies to Palo Alto, the api documentation hints that the parameter of interest is commit-all.
  • Does your existing script use this at all?
  • Do you have any current experience pushing to Panorama via the API?
  • Is there a way we can test and confirm pushing new policies to UNO's Panorama?

CIF Server Details

We detailed in this github issue current roadblocks with setting up a local test environment with CIF4. Ultimately what the middleware needs to accomplish for CIF is the following:

• pulling threat feeds from CIF server
• pushing threat feeds to CIF server

Questions for CIF

• Can we access UNO's environment to practice pushing/pulling threat feeds
• Could you provide us a file with example threat feed output?

Miscellaneous Questions/Topics

• Can we go through your existing script together?
• How large is the file generated by pulling from the CIF Server threat feed?
• How large is the file generated by pulling a report from Palo Alto?
• Discussion to confirm CIF's scope/role and to confirm it actually does what we think it does.
• Is there an existing diagram of UNO's current network infrastructure?
  • For our capstone, we are looking for diagrams to help provide visuals of the project.

[TalonF]

• Do you pull any feeds from any other gathers such as BrightCloud or use any other URL filters that are external or do you only use what Palo Alto software sees every day.

[skyemakable]

My short notes from the meeting 2/24/20

Pulling data from other peers

• Puts into csv then PA pulls it in

  cif tokens - api keys

• .yml goes out to reach out data
• create groups on cif to know where data is coming from.
• yml for each bidirectional pair
• each uni has their own CIF server.

panhandler

• one creates series of files - front end for dnsipz?
• other set updated every 15 min

---

Goals

• setup what you have in v4
• reduce window to 15 min

• 5000 records per file with PA

  Ideas to get started

• Find out what web framework is being used in python with cif (Flask)
• v3, check out how it's working, get our own test instance of v4, identify problem points in v3, look into Flask plug-ins, etc.