Harvesting Actionable Security Intelligence From Palo Alto Networks Botnet Report

     Buried deep within the Palo Alto Networks firewall is a mini correlation engine that normally doesn't seem to get much attention. This correlation engine produces a daily "botnet report" (monitoring->botnet report) containing machines exhibiting strange behavior (HTTP connections to an IP instead of domain, downloading executable content, connecting to domains categorized as malware, connecting to a newly registered domain, etc). The best part is there is also a scoring system (1 the lowest - 4 the highest) for risk, so if you don't want to wade through (potentially) hundreds of alerts, you can focus on just the highest. In my environment, I like to focus on anything 3 or above. Over the years, this report has been so useful that we've actually integrated it into our SOC workflow by leveraging the PAN API.
     If you're looking to leverage every last bit of your security investment from your Palo Alto Networks firewall, you will be pleasantly surprised by the botnet report. The BASH script below will automatically harvest and email only the highest level of alerts to an email of your choice for further analysis! Enjoy.

 #!/bin/bash
######################################################################################## # Author: Matthew Myrick # Date Created: 20131007 # Date Modified: 20131020 # Purpose: This script will pull the botnet information from ALL Pans and create # trac tickets for anything with a confidence of more than 2. # Usage: ./pan_botnet_trac.sh # # Dependencies: # API keys and PAN IP's must be current/accurate. ######################################################################################### #SINCE ONLY NEWER VERSIONS OF BASH SUPPORT ASSOCIATIVE ARRAYS, I OPTED NOT TO USE THEM...FOR PORTABILITY REASONS #DEFINE PALO ALTO FIREWALLS: ASH="10.xx.xx.xx" BNE="10.xx.xx.xx" #DEFINE PALO ALTO FIREWALL KEYS: ASHkey="enterkey" BNEkey="enterkey" #PUT ALL FIREWALLS IN AN ARRAY SO WE CAN ITERATE! BOXES=( $ASH $BNE ) KEYS=( $ASHkey $BNEkey ) #SETUP DESCRIPTION FOR HEADER: DATE=`/bin/date --date=yesterday +"%Y%m%d"` DESC="PALO_ALTO_BOTNET_REPORT-"$DATE #echo $DESC #LOOP THROUGH PANS: #GET THE SIZE OF THE ARRAY TOTAL=${#BOXES[*]} #ITERATE THROUGH FIREWALLS, COLLECTING REPORTS AND CHECKING FOR CONFIDENCE > 2 for (( i=0; i<=$(( $TOTAL -1 )); i++ )) do #echo "Connecting to ${BOXES[$i]} " /usr/bin/curl -s -k "https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}" | awk -F '[<>]' '{if ($3 > 2) print $3,$7,$11,$19,$23}' >> /tmp/pan_botnet.txt #####TO SEE FULL OUTPUT UNCOMMENT THE LINE BELOW #/usr/bin/curl -s -k "https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}" #TEST="/usr/bin/curl -s -k https://${BOXES[$i]}/api/?type=report&reporttype=predefined&reportname=botnet&key=${KEYS[$i]}" #echo $TEST done #PRINT/EMAIL TEMP FILE ONLY IF THERE IS DATA #/bin/cat /tmp/pan_botnet.txt if [ -s /tmp/pan_botnet.txt ]; then #ADD HEADER TO FILE /bin/sed -i '1iConfidence(4=Highest) Source Reason:' /tmp/pan_botnet.txt /bin/sed -i "1i$DESC" /tmp/pan_botnet.txt #EMAIL FILE TO TRAC /bin/mail -s "Palo Alto Daily Botnet Report" blah@stuff.com < /tmp/pan_botnet.txt fi #REMOVE THE TEMP FILE /bin/rm -f /tmp/pan_botnet.txt