[ASM] EXPANDR-5997 (#30209) (#30302)

* init

* update

* init

* RN

* bump

* add conditon statements

* update wording

* Unescape JSON views

* Unscape JSON continued

* change inet address for pan-os-security-policy-match command

* Apply suggestions from code review



---------

Co-authored-by: johnnywilkes <[email protected]>
Co-authored-by: bigeasyj <[email protected]>
Co-authored-by: ShirleyDenkberg <[email protected]>

Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md

@@ -1,7 +1,9 @@
 Given an IP address, port, and protocol of a service, this playbook enriches on-prem integrations to find the related firewall rule and other related information.
 
 Conditions:
-This is currently limited to standalone firewalls for PAN-OS.
+- Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW).
+- !pan-os-security-policy-match fails if any firewall is disconnected (Panorama).
+- Matching on different rules for different firewalls not supported (Panorama).
 
 ## Dependencies
 
@@ -22,8 +24,9 @@ This playbook does not use any sub-playbooks.
 
 ### Commands
 
-* pan-os-list-rules
 * pan-os-security-policy-match
+* pan-os-platform-get-device-groups
+* pan-os-list-rules
 * pan-os-show-device-version
 
 ## Playbook Inputs

Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation.yml

@@ -5,30 +5,32 @@ description: |-
   This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.
 
   Conditions:
-  This is currently limited to stand-alone firewalls for PAN-OS.
+  - Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW).
+  - Multiple rules with the same name in different device-groups not supported (Panorama).
+  - !pan-os-list-services will fail if there are no services in a specific device-group (Panorama).
 starttaskid: "0"
 tasks:
   "0":
     id: "0"
-    taskid: d31ed4f9-0882-4ce6-86d4-a68c1e4eec34
+    taskid: 573237c6-7130-41ce-8653-2294f0b6ac94
     type: start
     task:
-      id: d31ed4f9-0882-4ce6-86d4-a68c1e4eec34
+      id: 573237c6-7130-41ce-8653-2294f0b6ac94
       version: -1
       name: ""
       iscommand: false
       brand: ""
       description: ''
     nexttasks:
       '#none#':
-      - "1"
+      - '5'
     separatecontext: false
     continueonerrortype: ""
     view: |-
       {
         "position": {
           "x": 460,
-          "y": -140
+          "y": -460
         }
       }
     note: false
@@ -40,10 +42,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "1":
     id: "1"
-    taskid: d2aa5e89-700a-42fb-88a9-40f887476577
+    taskid: 22c135e5-6fc0-4464-87da-f8c0ae25220b
     type: regular
     task:
-      id: d2aa5e89-700a-42fb-88a9-40f887476577
+      id: 22c135e5-6fc0-4464-87da-f8c0ae25220b
       version: -1
       name: pan-os-list-rules
       description: Returns a list of predefined Security Rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want).
@@ -53,7 +55,7 @@ tasks:
       brand: Panorama
     nexttasks:
       '#none#':
-      - "2"
+      - '8'
     scriptarguments:
       rulename:
         complex:
@@ -64,7 +66,7 @@ tasks:
       {
         "position": {
           "x": 460,
-          "y": 10
+          "y": -140
         }
       }
     note: false
@@ -74,15 +76,16 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerror: true
   "2":
     id: "2"
-    taskid: 712db883-230a-4a69-83db-53391b6b80f2
+    taskid: 6db7e419-5848-487b-8eba-03db46a125bc
     type: playbook
     task:
-      id: 712db883-230a-4a69-83db-53391b6b80f2
+      id: 6db7e419-5848-487b-8eba-03db46a125bc
       version: -1
       name: PAN-OS - Block Destination Service
-      description: This playbook blocks a destination IP and service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS.
+      description: 'This playbook blocks a destination IP and service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS. '
       playbookName: PAN-OS - Block Destination Service
       type: playbook
       iscommand: false
@@ -124,6 +127,12 @@ tasks:
           accessor: From
       WhereRule:
         simple: top
+      DeviceGroup:
+        complex:
+          root: inputs.DeviceGroup
+      SecondaryDeviceGroup:
+        complex:
+          root: inputs.SecondaryDeviceGroup
     separatecontext: true
     continueonerrortype: ""
     loop:
@@ -135,7 +144,7 @@ tasks:
       {
         "position": {
           "x": 460,
-          "y": 190
+          "y": 400
         }
       }
     note: false
@@ -147,10 +156,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "4":
     id: "4"
-    taskid: 933a2a81-89cf-47c9-8901-07fb3ab8bbb8
+    taskid: d74fd530-00ae-4377-8dbf-8681f4a7a605
     type: title
     task:
-      id: 933a2a81-89cf-47c9-8901-07fb3ab8bbb8
+      id: d74fd530-00ae-4377-8dbf-8681f4a7a605
       version: -1
       name: Complete
       type: title
@@ -163,7 +172,176 @@ tasks:
       {
         "position": {
           "x": 460,
-          "y": 360
+          "y": 590
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  '5':
+    id: '5'
+    taskid: 58615c42-a7f4-4159-8412-b7095c9854c0
+    type: condition
+    task:
+      id: 58615c42-a7f4-4159-8412-b7095c9854c0
+      version: -1
+      name: Is DeviceGroup specified?
+      description: Checks if DeviceGroup input is specified because of different !pan-os-list-rule commands for standalone firewall vs Panorama.
+      type: condition
+      iscommand: false
+      brand: ''
+    nexttasks:
+      '#default#':
+      - '1'
+      yes:
+      - '6'
+    separatecontext: false
+    conditions:
+    - label: yes
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.DeviceGroup
+            iscontext: true
+    continueonerrortype: ''
+    view: |-
+      {
+        "position": {
+          "x": 460,
+          "y": -340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  '6':
+    id: '6'
+    taskid: 54b86def-75f3-4fe8-8779-4fbec1d42728
+    type: regular
+    task:
+      id: 54b86def-75f3-4fe8-8779-4fbec1d42728
+      version: -1
+      name: pan-os-list-rules (pre-rulebase)
+      description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want).
+      script: Panorama|||pan-os-list-rules
+      type: regular
+      iscommand: true
+      brand: Panorama
+    nexttasks:
+      '#none#':
+      - '7'
+    scriptarguments:
+      device-group:
+        complex:
+          root: inputs.DeviceGroup
+      pre_post:
+        simple: pre-rulebase
+      rulename:
+        complex:
+          root: inputs.RuleName
+    separatecontext: false
+    continueonerror: true
+    continueonerrortype: ''
+    view: |-
+      {
+        "position": {
+          "x": 890,
+          "y": -140
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  '7':
+    id: '7'
+    taskid: a918e4e4-2ea8-4d70-883d-5265ce5be25d
+    type: regular
+    task:
+      id: a918e4e4-2ea8-4d70-883d-5265ce5be25d
+      version: -1
+      name: pan-os-list-rules (post-rulebase)
+      description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want).
+      script: Panorama|||pan-os-list-rules
+      type: regular
+      iscommand: true
+      brand: Panorama
+    nexttasks:
+      '#none#':
+      - '8'
+    scriptarguments:
+      device-group:
+        complex:
+          root: inputs.DeviceGroup
+      pre_post:
+        simple: post-rulebase
+      rulename:
+        complex:
+          root: inputs.RuleName
+    separatecontext: false
+    continueonerror: true
+    continueonerrortype: ''
+    view: |-
+      {
+        "position": {
+          "x": 890,
+          "y": 20
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  '8':
+    id: '8'
+    taskid: c9013687-cd7c-4bf3-8c8b-89c45aa03d07
+    type: condition
+    task:
+      id: c9013687-cd7c-4bf3-8c8b-89c45aa03d07
+      version: -1
+      name: Was rule information found?
+      description: Check if firewall rule information was found.
+      type: condition
+      iscommand: false
+      brand: ''
+    nexttasks:
+      '#default#':
+      - '4'
+      yes:
+      - '2'
+    separatecontext: false
+    conditions:
+    - label: yes
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Panorama.SecurityRule
+                accessor: Name
+            iscontext: true
+    continueonerrortype: ''
+    view: |-
+      {
+        "position": {
+          "x": 460,
+          "y": 190
         }
       }
     note: false
@@ -178,10 +356,10 @@ view: |-
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 565,
-        "width": 380,
+        "height": 1115,
+        "width": 810,
         "x": 460,
-        "y": -140
+        "y": -460
       }
     }
   }
@@ -215,7 +393,19 @@ inputs:
   required: true
   description: Port number of the service.
   playbookInputQuery:
+- key: DeviceGroup
+  value: {}
+  required: false
+  description: Device group of the firewall rule to lookup.
+  playbookInputQuery:
+- key: SecondaryDeviceGroup
+  value: {}
+  required: false
+  description: If the rule, address and service are created in the "Shared" location, we need to know what device groups we can push to because it isn't possible to push to the "Shared" location.
+  playbookInputQuery:
 outputs: []
 tests:
 - No tests (auto formatted)
 fromversion: 6.8.0
+contentitemexportablefields:
+  contentitemfields: {}

Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md

@@ -1,7 +1,9 @@
 This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.
 
 Conditions:
-This is currently limited to stand-alone firewalls for PAN-OS.
+- Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW).
+- Multiple rules with the same name in different device-groups not supported (Panorama).
+- !pan-os-list-services will fail if there are no services in a specific device-group (Panorama).
 
 ## Dependencies
 
@@ -33,6 +35,8 @@ This playbook does not use any scripts.
 | RemoteIP | IP address of the service. | alert.remoteip | Required |
 | RemoteProtocol | Protocol of the service. | alert.appid | Required |
 | RemotePort | Port number of the service. | alert.remoteport | Required |
+| DeviceGroup | Device group of the firewall rule to lookup. |  | Optional |
+| SecondaryDeviceGroup | If the rule, address and service are created in the "Shared" location, we need to know what device-groups we can push to because it isn't possible to push to the "Shared" location. |  | Optional |
 
 ## Playbook Outputs