ExtraHop has partnered with Palo Alto Networks to create an integrated solution that enables you to automatically remediate security threats in real time. This integration leverages the detection and open data stream capabilities of the ExtraHop Discover appliance to identify devices that are exhibiting unusual behavior and then send a list of IP addresses to the firewall to quarantine.
This integration requires configuration on the Palo Alto firewall to set up the address group and firewall policies, including the actions the firewall should take for the IP addresses sent from the Discover appliance. You can configure these settings through the firewall Web UI or programmatically through the Palo Alto API.
On the ExtraHop side, you must configure an ODS target for the firewall, upload this bundle to the Discover appliance, and add the specific detections or alerts you want to monitor to one or both of the triggers in the bundle.
The triggers extract device IP addresses from the alerts or detections that you specified, and then send those IP addresses to the firewall through ODS. The firewall creates an address object for each IP address and adds it to the pre-configured address group, so the policies attached to that group take effect immediately.
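The extraction and hand-off described above, as an added illustration that is not code from the ExtraHop bundle: it pulls offender addresses out of a constructed detection record, drops duplicates and malformed values before they can reach a firewall xpath, and builds the two PAN-OS XML API "config set" calls (address object, then static address-group membership) that an ODS HTTP target would carry. The detection shape, the object-name prefix and the xpath layout are assumptions; check them against your PAN-OS version and trigger API documentation.

```javascript
// Constructed sample detection; the participant layout is an assumption.
const sampleDetection = {
  title: 'Unusual Interactive Traffic from External Host',
  participants: [
    { role: 'offender', ipaddr: '203.0.113.25' },
    { role: 'victim',   ipaddr: '10.1.2.3' },
    { role: 'offender', ipaddr: '203.0.113.25' },  // duplicate, must collapse
    { role: 'offender', ipaddr: 'not-an-ip' },     // malformed, must be dropped
  ],
};

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Collect offender addresses only, validated and de-duplicated, so nothing
// but a well-formed IPv4 literal is ever interpolated into an API request.
function offenderIps(detection) {
  const seen = new Set();
  for (const p of detection.participants) {
    if (p.role === 'offender' && IPV4.test(p.ipaddr)) seen.add(p.ipaddr);
  }
  return [...seen];
}

// Two PAN-OS XML API calls per address: create the address object, then
// append it to the static group that the quarantine policy references.
// The API key travels in the ODS target's headers, not in this query.
function quarantineRequests(ips, opts) {
  const base = `/config/devices/entry[@name='localhost.localdomain']` +
               `/vsys/entry[@name='${opts.vsys}']`;
  const reqs = [];
  for (const ip of ips) {
    const name = `eh-quarantine-${ip.replace(/\./g, '-')}`;  // assumed prefix
    reqs.push({ path: '/api/', query: new URLSearchParams({
      type: 'config', action: 'set',
      xpath: `${base}/address/entry[@name='${name}']`,
      element: `<ip-netmask>${ip}/32</ip-netmask>` }).toString() });
    reqs.push({ path: '/api/', query: new URLSearchParams({
      type: 'config', action: 'set',
      xpath: `${base}/address-group/entry[@name='${opts.group}']/static`,
      element: `<member>${name}</member>` }).toString() });
  }
  return reqs;
}
```

In a live trigger the returned path/query pairs are what gets handed to the ODS HTTP target, followed by a commit once the batch is applied.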
The bundle contains a status dashboard to display the blocked IP addresses, as well as the alerts and detections that generated the event.
Download the bundle here, and let us know if you have any questions!