NetWitness NextGen and Palo Alto Networks Integration Guide. NetWitness Corporation

Transcription

1 NetWitness NextGen and Palo Alto Networks Integration Guide NetWitness Corporation

2 Table of Contents Introduction... 3 Creating a NetWitness URI from Palo Alto Networks Data... 4 Appendix A: Uniform Resource Identifier (URI)... 7 Appendix B: PAN OS Log Link Appendix C: SIEMLink

3 Introduction Palo Alto Networks next generation firewalls provide policy based visibility and control over applications users and threats. Leveraging their firewall technology improves your security posture and provides excellent visibility into your infrastructure. Combining that visibility with the industry leading forensic capabilities of NetWitness NextGen, provides you with detailed insight into your network and enables fast and reliable incident resolution. NetWitness NextGen was designed from inception to be able to easily integrate with existing security and network technologies. This guide provides instruction on how to integrate NetWitness Investigator and Palo Alto Networks. Upon completion of this guide, you should be able to configure Palo Alto Networks firewalls to pass a custom URI that the user can leverage to pivot into Investigator for further session analysis. To accomplish this, you will need to be familiar with the following features: Uniform Resource Identifier (URI) A programmatic feature that provides a simple and extensible way of launching NetWitness NextGen applications using the nw:// and nws:// operators. Complete documentation for the NetWitness URI can be found in Appendix A. PAN-OS Log Link A feature of Palo Alto Networks OS 3.1 for providing links from log data to external systems. The links will show up at the bottom of the log detail page in the log viewer and they will open the constructed URI. Further documentation on PAN- OS Log-Link can be found in Appendix B. The supported versions for this document are NetWitness NextGen 9.0 and Palo Alto Networks OS

4 Creating a NetWitness URI from Palo Alto Networks Data The first step when setting up an integration link is to decide what information you want to see in Investigator. The following table shows the correlation between Palo Alto Networks data and NetWitness metadata. PAN Data Element src dst sport dport NetWitness Metadata ip.src ip.dst tcp.srcport or udp.srcport** tcp.dstport or udp.dstport** **This field depends on the PAN proto field. If proto=udp, then use udp.srcport, etc Knowing that, let s say that you wanted to be able to see an IP s activity for the last day when they show up on a certain log. Let s start with the NetWitness URI. From our previous reading, we know that the basic template is as follows: nw://<host name>?collection=<collection Name>&time=<time range>&name=<name>&where=<where clause>&sessions=<session total>&history=<history tag> Since we re using SSL on all of our devices, we ll change the operator at the beginning and add the hostname information. For this example, I will be using a remote collection named Soundwave on a Concentrator also named Soundwave: nws:// soundwave:50005/?collection= SOUNDWAVE%3A50005&time=<time range>&name=<name>&where=<where clause>&sessions=<session total>&history=<history tag> You ll notice the %3A in between the collection name and port. This is the : symbol after URL encoding. You will be required to encode any special characters after the hostname portion of the URI. There are multiple sites online that can assist you with URL encoding. Next we need to add a time range and a name to be displayed in Investigator. Since we want to see activity for the last day, we will use the last 24 hours of collection time. To keep things simple, we will just use the source IP address for the name. nws://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of +Collection+Time&name= {src}&where=<where clause>&sessions=<session total>&history=<history tag> Since we re interested in a time range rather than a finite number of sessions for this query, we ll delete the session count (sessions=<session total>). That leaves us with the where and history clauses. For the where clause, we want to see the activity of the source IP, so we will 4

5 add an argument mapping the PAN source IP ({src}) to the NetWitness source IP (ip.src). The history tag is used to show the name of the drill when you look in the History menu in Investigator. In this case the name we are using should suffice, so we will drop it altogether. nws://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of +Collection+Time&name={src}&where=ip.src%3D{src} This URI could be enhanced by showing not only the traffic where the source IP is the originator, but all traffic to and from the source IP listed in the Log Detail. You can add to a where clause by using an and (&&) or an or ( ) connector. Don t forget to encode the special characters! Here is an example of adding an or connector to show all traffic to and from our source IP. nws://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of +Collection+Time&name={src}&where=%28ip.src%3D{src}%7C%7Cip.dst%3D{src}%29 Note1: The and & or connectors can also be useful if you want to see traffic from one IP to another, or if you wanted to add a specific port. Note2: When using multiple arguments in a where clause, you should always enclose your arguments in parentheses. Don t forget to encode! Now that we have our URI, let s log into the Palo Alto Networks Device and enter it in. SSH into the device using your credentials. From there, use the configure command to get to the proper prompt. The proper syntax for entering the URI is: set deviceconfig system log-link NW_Source_IP_Last_24 url nws://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of +Collection+Time&name={src}&where=ip.src%3D{src}%7C%7Cip.dst%3D{src} If you paste this in, you will have to cursor back and hit Ctrl+V before entering the? into the SSH window. After the command is successfully entered, you can save the configuration using the commit command. You should now be able to pivot directly from Palo Alto Networks Log Detail window into NetWitness Investigator! So let s take a look at the Log Link integration in action. First, we need to select a record to examine. 5

6 Next, click the Details icon to see the Traffic Log Details page. In the bottom left corner, you should see the name of the Log-Link that we created. Click on that link and it should bring up your Investigator window. You may be prompted for a password depending on how your authentication is configured. 6

7 Appendix A: Uniform Resource Identifier (URI) NetWitness Investigator supports programmatic use of Uniform Resource Identifiers (URI). It allows a user the capability of launching programmatically into NetWitness Investigator from an external application. Upon Investigator installation the nw:// and nws:// URI schemes are registered on the workstation. An example of this functionality can be demonstrated by right-click and copy the URL from Investigator breadcrumb area (middle top) and then paste the URL into Internet Explorer, which will then launch Investigator to the query location. The URL can also be run from command line by copying the URL into Start > Run with the syntax for launching the URL as a parameter for Nwinvestigator.exe, Nw://<host name>?collection=<collection Name>&time=<time range>&name=<name>&where=<where clause>. A full example of a URL looks like the following: nw://demo Collection?collection=Demo+Collection&time=All+Data&more-states=&more-allstates=&name= &where=ip.src%3D &sessions=1&history=collection% 3DDemo+Collection%26time%3DAll+Data The base syntax is in the following scheme in non-ssl or SSL format: Without SSL enabled: nw://<host name>? With SSL: nws://<host name>? Note: The server you are requesting data from must have SSL enabled to use the SSL scheme. Base URI Syntax In the Navigation View, which is the central mechanism for drilling into the extracted metadata, every click has a URL behind it tracked in the breadcrumb box at the middle-top of the interface. The base syntax is as follows for the URL: Nw://<host name>?collection=<collection Name>&time=<time range>&name=<name>&where=<where clause>&sessions=<session total>&history=<history tag> <host name> = Concentrator host name:port in the case of a remote collection <host name> = local collection name in the case of a local collection Below are examples of various URLs and syntax guidelines copied directly from the Investigator breadcrumb input box. Please note the URLs may be encoded. 7

8 Figure 5. Navigation View In the Navigation View, the following is an example of the scheme for a remote collection and a local collection drill. Example of a remote collection drill nw://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of+collecti on+time&more-states=&more-allstates=&name=%22suspicious_possible_malicious_http_redirect%22&where=ip.src%3d %26%26+alert%3D%22suspicious_possible_malicious_http_redirect%22&sessions=289& history=collection%3dsoundwave%3a50005%26time%3dlast+24+hours+of+collection+ti me%7ccollection%3dsoundwave%3a50005%26time%3dlast+24+hours+of+collection+ti me%26more-states%3d%26more-allstates%3d%26name%3d %26where%3dip.src%3d %26sessions%3d

9 Example of a local collection drill nw://analyst1?collection=analyst1&time=all+data&more-states=&more-allstates=&name=http&where=service%3d80&sessions=345&history=collection%3danalyst1% 26time%3DAll+Data Base URL Parameters Time ranges can be used to set up parameters for data collection. The acceptable values of these parameters are listed below for that piece of the URL. 1) time = time range of the query Allowable values: a) Today b) Today 12 AM to 5:59 AM c) Today 6 AM to 1159 AM d) Today 12 PM to 5:59 PM e) Today 6 PM to 11:59 PM f) Yesterday g) This Week h) Last Week i) Last 6 Hours of Collection Time j) Last 12 Hours of Collection Time k) Last 24 Hours of Collection Time l) Last 2 Days of Collection Time m) Last 5 Days of Collection Time n) Last 7 Days of Collection Time o) All Data p) Any custom range (i.e Feb-04 9:15 AM to 2010-Feb-04 1:15 PM ) 2) Name= what appears in the Breadcrumb Window in Investigator. Should be formed such that it makes sense to the user when viewing the link within Investigator 3) Where = where clause according to the SDK doc with all operators URL encoded 4) Sessions = number of sessions that exist for the drill with the last drill value 5) History= what appears in the History drop down in Investigator Session List View The session list view will display a representation of all the sessions that correspond to the drill form the Navigation View. 9

10 Figure 6. Session View Session List View Syntax The syntax has to be in the following format with examples listed below of a remote collection drill and a local collection drill for the URL. Nw://<host name>?collection=<collection Name>&time=<time range>&view=session&name=<name>&where=<where clause>&sessions=<session total>&history=<history tag> Example of a remote collection drill nw://soundwave:50005/?collection=soundwave%3a50005&sessions=289&time=today&mor e-states=&more-allstates=&view=session&name=sessions+for+%22cnn.disqus.com%22&where=ip.src%3d %26%26+alert%3D%22suspicious_possible_malicious_http_redirect%22+%26%26+alias. host%3d%22cnn.disqus.com%22&history=collection%3dsoundwave%3a50005%26time%3 DLast+24+Hours+of+Collection+Time%7Ccollection%3DSOUNDWAVE%3A50005%26time%3 DLast+24+Hours+of+Collection+Time%26more-states%3D%26more-allstates%3D%26name%3D %26where%3Dip.src%3D %26sessions%3D524 3%7Ccollection%3DSOUNDWAVE%3A50005%26more-states%3D%26more-allstates%3D%26name%3D%22suspicious_possible_malicious_http_redirect%22%26where%3Di p.src%3d %26%26+alert%3d%22suspicious_possible_malicious_http_redirect%22 %26sessions%3D289%26time%3DToday 10

11 Example of a local collection drill nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&view=session&name=sessions+for+%22download.windowsupdate.com%22&where=s ervice%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%22&history=collecti on%3danalyst1%26time%3dall+data%7ccollection%3danalyst1%26time%3dall+data%26m ore-states%3d%26more-allstates%3d%26name%3dhttp%26where%3dservice%3d80%26sessions%3d345 Content View The content view displays content for a particular session. Figure 7. Content View Content View Syntax The following is the syntax format that needs to be used for the URL in the content view along with the acceptable render types. Nw://<host name>?collection=<collection Name>&time=<time range>& where=<where clause>&view=content&name= Content+for+Session+%23<session ID>&sessionid=<session ID>&allpackets=<true or false>&render=<render type> 11

12 Allowable render types: 1) Hex 2) Packets 3) Web 4) Mail 5) IM 6) VoIP 7) Details The following list the examples of the hex view, packets view, web view, mail view, IM view, VoIP view and details view. The basic syntax is the same except for the render type. Examples: Hex nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=hex Packet View nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=packets Mail View nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=mail Web View nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=web 12

13 IM View nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=im Audio View nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=voip Details nw://analyst1?collection=analyst1&time=all+data&sessions=345&more-states=&more-allstates=&where=service%3d80+%26%26+alias.host%3d%22download.windowsupdate.com%2 2&view=content&name=Content+for+Session+%23121&sessionid=121&allpackets=false&rend er=details Search View Search View is the mechanism for locating individual sessions with specified string values or regular expressions. Figure 8. Search View Search View Syntax 13

14 The following is the syntax format that needs to be used for the URL in the search view along with the acceptable render types. Nw://<host name>?collection=<collection Name>&time=<time range>&name=<name>&where=<where clause>&view=searchresults&regex=<on=1,off=1>&ci=<on=1,off=1>&ds=<on=1,off=1>&sm=< on=1,off=1>&sp=<on=1,off=1>&export=<on=1,off=1>&exportfile=<export file name>&hashpcapfiles=<on=1,off=1>&destiscoll=<local Collection Name>&history=<History Tag> Search View Parameters Time ranges can be used to set up parameters for data collection. The acceptable values of these parameters are listed below for that piece of the URL. 1. time = time range of the query Allowable values: a. Today b. Today 12 AM to 5:59 AM c. Today 6 AM to 1159 AM d. Today 12 PM to 5:59 PM e. Today 6 PM to 11:59 PM f. Yesterday g. This Week h. Last Week i. Last 6 Hours of Collection Time j. Last 12 Hours of Collection Time k. Last 24 Hours of Collection Time l. Last 2 Days of Collection Time m. Last 5 Days of Collection Time n. Last 7 Days of Collection Time o. All Data p. Any custom range (i.e Feb-04 9:15 AM to 2010-Feb-04 1:15 PM ) 2. Name= what appears in the Breadcrumb Window in Investigator. Should be formed such that it makes sense to the user when viewing the link within Investigator 3. Where = where clause according to the SDK doc with all operators URL encoded 4. Regex= Enable or disable 5. Ci= Enable or disable Case Insensitivity 6. Ds= Enable or disable Decode Sessions 7. Sm= Enable or disable Search Metadata 8. Sp= Enable or disable Search Content 9. Export= Enable or disable exporting 10. Exportfile= File type of the export file to be created, only works if Export is enabled a. Allowable values i. pcap ii. payload iii. payload1 iv. payload2 14

15 v. xml vi. nwd 11. HashPCapFiles= Enable or Disable hash file creation on the export files. Only works if Export is enabled 12. DestIsColl= Local Collection name of the Collection that is created when exporting search results to a Local Collection 13. History=What appears in the History drop down in Investigator Example: nw://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of+collecti on+time&sessions=2&more-states=&more-allstates=&where=feed.category%3d%22honeynet%22+%26%26+did%3d%22nw9decoder%22& view=searchresults&name=search+for+%22netwitness%22&search=netwitness&regex=0&ci= 1&ds=1&sm=1&sp=1&export=0&exportFile=&hashPcapFiles=0&destIsColl=&history=collection %3DSOUNDWAVE%3A50005%26time%3DLast+24+Hours+of+Collection+Time%7Ccollection %3DSOUNDWAVE%3A50005%26time%3DLast+24+Hours+of+Collection+Time%26morestates%3D%26more-allstates%3D%26name%3D%22honeynet%22%26where%3Dfeed.category%3D%22honeynet%2 2%26sessions%3D2%7Ccollection%3DSOUNDWAVE%3A50005%26time%3DLast+24+Hours +of+collection+time%26sessions%3d2%26more-states%3d%26more-allstates%3d%26view%3dsession%26name%3dsessions+for+%22nw9decoder%22%26where% 3Dfeed.category%3D%22honeynet%22+%26%26+did%3D%22nw9decoder%22%7Ccollection %3DSOUNDWAVE%3A50005%26time%3DLast+24+Hours+of+Collection+Time%26sessions% 3D2%26more-states%3D%26more-allstates%3D%26where%3Dfeed.category%3D%22honeynet%22+%26%26+did%3D%22nw9dec oder%22%26name%3dcontent+search%26view%3dsearch The supported field category, element name, data type and description are provided in the following table for constructing the URL. CATEGORY NAME ELEMENT DATA TYPE DESCRIPTION Network session ID UInt64 Session ID time TimeT Start Time size UInt32 Size Network(continued) eth.src MAC Ethernet Source Address eth.dst MAC Ethernet Target Address 15

16 eth.type UInt16 Ethernet Protocol ip.proto UInt8 IP Protocol ip.src IPv4 Source IP Address ip.dst IPv4 Destination IP Address ipv6.src IPv6 Source IPv6 Address ipv6.dst IPv6 Target IPv6 Address ipv6.proto IPv6 IPv6 Protocol tcp.srcport UInt16 TCP Source Port tcp.dstport UInt16 TCP Destination Port udp.srcpor UInt16 UDP Source Port udp.dstport UInt16 UDP Target Port CATEGORY NAME ELEMENT DATA TYPE DESCRIPTION Application service UInt16 Service Type Entities action Text Action Event (login, logoff, sendfrom, sendto, get, put, delete, attach, print) username Text User Account Text Address filename Text Filename resource handle Text Resource Handle Entities (continued) database Text Database name group Text Group Channel 16

17 Alias Records alias.ip IPv4 IP Address Alias Record alias.host Text Hostname Record content Text Content Type fullname Text Fullname Properties nickname Text Nickname buddy Text Buddy Name client Text Client Application server Text Server Application Password Text Password cookie Text Cookie Response Text Response referrer Text Referer created Text Created modified Text Modified generator Text Generated message Text Message subject Text Subject attachment Text Subject Properties (continued) crypto Text Crypto Key 17

18 org Text Organization orig_ip Text Originating IP Address link Text Link renewal Text Renewal dns Text Dns address Text Address subnet Text Subnet sql Text Sql Query sqlresponse Text Sql Response create Text Create invite Text Invite crc Text 32bit CRC Hash md5 Text MD5 Hash phone Text Phone Number device Text Device Name signature Text Signature alertid Text Alert ID sourcefile Text Source File Properties (continued) found Text Found match Text Match 18

19 encapsulated Text Encapsulated data_chan Text Data Channel proxy Text Proxy Name 19

20 Appendix B: PAN OS Log Link There is a new feature in PAN-OS 3.1 for providing links from log data to external systems. The links will show up at the bottom of the log detail page in the log viewer and they will open the constructed URI. The fields of the log that are available for use in constructing the link URI are as follows: src - source IP address dst - destination IP address sport - source port dport - destination port proto - protocol recvtime_yyyy - year of receive time recvtime_mm - month of receive time recvtime_dd - day of receive time recvtime_hh - hour of receive time recvtime_mm - minute of receive time recvtime_ss - second of receive time elapsed - elapse time (session time in seconds. available for traffic log only, "" otherwise) direction - client-to-server or server-to-client (available for threat, data filtering and URL log only, "" otherwise) suser - source user duser - destination user szone - source zone dzone - destination zone ingress - ingress interface egress - egress interface These links are setup in the CLI from the configure prompt via the following CLI command: set deviceconfig system log-link <link name> url <link url> For example, you could create a link like this: set deviceconfig system log-link NW_Source_IP_Last_24 url nws://soundwave:50005/?collection=soundwave%3a50005&time=last+24+hours+of+collec tion+time&name={src}+last+24+hours&where=ip.src%3d{src}%7c%7cip.dst%3d{src}&histor y=collection Note: To get? to be accepted in the CLI, you need to do a CTRL-V. You can save these changes to the running configuration using the commit command. At this point you should see the link at the bottom of the log detail page. 20

21 Multiple links can be set and all will show up at the bottom of the log detail window so you could have various links using different portions of the log data as needed. 21

22 Appendix C: SIEMLink SIEMLink is another good way to integrate NetWitness Investigator with your Palo Alto Networks device. It is also a great way to integrate with other security appliances that use a Web based GUI. This appendix offers basic SIEMLink instructions. If you aren t familiar with SIEMLink, please check the NetWitness Community site for more information. SIEMLink is a breakthrough in network security monitoring innovation, enabling instant integration of NetWitness NextGen technology with existing enterprise security infrastructures. SIEMLink is compatible with any SIEM, log consolidator, I/T Search Engine, IDS/IPS, Firewall, NSM, CMF/DLP, sniffer, NBAD,etc. For flexibility, it is a Microsoft Windows system tray application that acts as a real-time translator between an external Web based application (e.g., a SIEM) and NetWitness NextGen. The tray application takes a screen scrape of an event string from any application and parses it to formulate a valid NetWitness query. Specifically, the application identifies Time and IP address data values in the string and constructs a request that automatically retrieves data for analysis through the NetWitness Investigator application. As an example, during an incident, an analyst using Cisco MARS identified a suspicious event in need of deeper analysis: An IIS Backslash Evasion was observed on Feb 15, 2008 at 7:20 PM EST, between the IP addresses and With a single highlight of the event text and a right-click, the analyst pivoted instantly to the network data for that alert. With the data instantly provided via SIEMLink, the staff determined from the content of the HTTP transaction that actual backslash evasion did not exist. This almost immediate resolution to the alert prompted a rapid modification to the IDS rule that had triggered the alert. The rule change, to reduce false-positives, cleared the incident out of the work queue in less than one minute. Figure 1. NetWItness SIEMLink with Cisco MARS 22

23 NetWitness SIEMLink supports three implementation modes that ultimately resolve to a highly-focused analysis of network traffic through the NetWitness NextGen infrastructure including internet browser, free form, and manual input. Via Internet Browser For use with any web-based console application, a user can simply highlight any event text, right-click, and Send to NetWitness with SIEMLink. For applications that disable right-click functionality, an IE toolbar button is also provided. SIEMLink automatically interprets and resolves that event and retrieves any data NetWitness may have around the event for analysis. Figure 2. Integration by Internet Browser within SourceFires defense Center Via Free Form Copy and Paste NetWitness SIEMLink can accept free form text for resolution and analysis, copied and pasted into it from any application containing text-based events, with or without a web browser interface. Users simply copy the text event string, right-click the tray icon, and paste it into the NetWitness NextGen infrastructure. 23

24 Figure 3. Copy and Paste Method Via Manual Input Finally, NetWitness SIEMLink supports manual input of parameters into its interface. There are three types of input for use with NetWitness NextGen: Collection (required) A dropdown box shows available servers in the Investigator configuration. The utility remembers the last selection. IP address (required) Any number of IP addresses may be entered for query. Time A time widget is provided to select a time period for query. Figure 4. Integration via Manual Input 24