doc.go
/*
Package xdrgateway provides the tools needed to create an alert ingestion pipeline into Palo Alto Networks Cortex XDR.

The API type provides methods to implement an HTTP API that ingests third-party alerts into XDR.
It not only provides HTTP handlers for receiving alerts sent using POST but also implements a synchronous ingestion pipeline that
enforces the Cortex XDR ingestion quotas.

The API requires an XDRClient and a Parser instance. The Parser interface defines the methods that convert
the []byte data received by the API at its ingestion endpoint into a valid *Alert:

	type Parser interface {
		Parse(data []byte) (*Alert, error)
		DumpPayloadLayout() []byte
	}

Ingestion(w http.ResponseWriter, r *http.Request) is the most important method provided by API. It is a ready-to-consume
HTTP handler that processes POST requests containing third-party alerts.

Look at the provided examples to see an implementation that parses alerts generated by the PAN-OS HTTP Log Forwarding feature.

Ready-to-consume PAN-OS to Cortex XDR implementation

This repository contains a standalone application example (/cmd/server.go) that covers the use case of PAN-OS threat alerts
being ingested into Cortex XDR for small or highly distributed environments that do not qualify for Cortex Data Lake.

The example application can be run as a compact container application (FROM distroless/static). It binds the HTTP server to the port provided in
the PORT environment variable (defaults to 8080), which means it can run in almost any managed container service.

	docker build -t xdrgw https://github.com/xhoms/xdrgateway.git#main
	docker run --rm -p 8080:8080 \
	    -e API_KEY="O4Bw...wEX" \
	    -e API_KEY_ID="36" \
	    -e FQDN="myxdr.xdr.us.paloaltonetworks.com" \
	    -e PSK="hello" \
	    xdrgw
	2021/02/18 12:30:11 nonce set to EEH4PO4BQY42YSFEY2X2F4KYDKFZKJPCB7NGRET7FMX7QNXXGV4NWD5FJQU7P7MS
	2021/02/18 12:30:11 endpoint set to https://api-illicium-industrial.xdr.us.paloaltonetworks.com/public_api/v1/alerts/insert_parsed_alerts/
	2021/02/18 12:30:11 starting http service on port 8081
	PAN-OS to Cortex XDR alert ingestion Gateway
	--------------------------------------------
	version: v0.1.4 2021-02-18T12:28+00:00
	- Send PAN_OS alerts to /in using HTTP POST
	- The endpoint /stats provides runtime statistics
	- Use the following payload in the HTTP Log Forwarding feature
	{
	    "src": "$src",
	    "sport": $sport,
	    "dst": "$dst",
	    "dport": $dport,
	    "time_generated": "$time_generated",
	    "rule": "$rule",
	    "serial": "$serial",
	    "sender_sw_version": "$sender_sw_version",
	    "subtype": "$subtype",
	    "threat_name": "$threat_name",
	    "severity": "$severity",
	    "action": "$action"
	}
	---annex---
	$misc
	2021/02/18 12:30:11 starting ticker goroutine
	2021/02/18 12:30:11 starting sender goroutine
*/
package xdrgateway
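As an added illustration of the Parser contract and of the PAN-OS payload layout printed above (this is example code, not part of the xdrgateway package), the following parser mirrors the Parse(data []byte) (*Alert, error) signature against an assumed PanosAlert type, since the real *Alert fields are not shown here. It splits the body at the literal "---annex---" separator, decodes the JSON object with unknown fields disallowed, requires src, dst and threat_name, and keeps the trailing $misc text verbatim, so a malformed or unexpected payload is rejected instead of becoming an alert.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// PanosAlert is an assumed stand-in for the package's *Alert (real fields not on this page).
type PanosAlert struct {
	Src             string `json:"src"`
	Sport           int    `json:"sport"`
	Dst             string `json:"dst"`
	Dport           int    `json:"dport"`
	TimeGenerated   string `json:"time_generated"`
	Rule            string `json:"rule"`
	Serial          string `json:"serial"`
	SenderSwVersion string `json:"sender_sw_version"`
	Subtype         string `json:"subtype"`
	ThreatName      string `json:"threat_name"`
	Severity        string `json:"severity"`
	Action          string `json:"action"`
	Misc            string `json:"-"` // raw text after ---annex--- ($misc)
}
const annexSep = "---annex---" // literal separator preceding $misc in the documented layout

// ParsePanos mirrors Parser.Parse for the documented layout: a JSON object, optionally followed
// by annexSep and raw $misc text. Unknown fields and missing src/dst/threat_name are rejected.
func ParsePanos(data []byte) (*PanosAlert, error) {
	head, annex, _ := bytes.Cut(data, []byte(annexSep))
	dec := json.NewDecoder(bytes.NewReader(head))
	dec.DisallowUnknownFields()
	var a PanosAlert
	if err := dec.Decode(&a); err != nil {
		return nil, fmt.Errorf("parse alert: %w", err)
	}
	if a.Src == "" || a.Dst == "" || a.ThreatName == "" {
		return nil, fmt.Errorf("parse alert: src, dst and threat_name are required")
	}
	a.Misc = string(bytes.TrimSpace(annex))
	return &a, nil
}

func main() {
	in := `{"src":"10.0.0.5","sport":51515,"dst":"198.51.100.7","dport":443,"time_generated":"2021/02/18 12:30:11","rule":"allow-web","serial":"0123456789","sender_sw_version":"10.0.4","subtype":"vulnerability","threat_name":"Example Threat(1)","severity":"high","action":"reset-both"}
---annex---
constructed misc text`
	a, err := ParsePanos([]byte(in)) // in is a constructed sample following the documented layout
	fmt.Printf("%+v %v\n", a, err)
}
```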