Palo Alto Networks Cortex XSOAR Zero Trust Snapshot and User Lockout Playbooks
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
SecOps automation is a key requirement for defending corporate data against a constant stream of threats. Palo Alto Cortex XSOAR provides playbooks and automation that reduce the time to detect and respond to threats spanning multiple devices. That automation is only as good as its inputs: data from external security tools must give complete, accurate, and concise threat details so that playbooks and SecOps teams can respond across the corporate IT infrastructure.
Key Benefits
- This integration allows customers to upload a playbook that protects storage by leveraging Superna's Zero Trust API and Cyber Storage capabilities.
- Integrates with the native YAML playbook definition file and can be customized for your environment.
Solution Overview
Superna Defender Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into a SOAR to be acted on by SecOps teams running playbooks to protect corporate IT assets from vulnerabilities and insider or external attackers.
Solution Configuration in Cortex XSOAR and Defender Zero Trust
Prerequisites
- Installed Superna Security Edition
- License key for the Zero Trust API, or a Security Edition subscription
- Installed Cortex XSOAR
- Eyeglass API token: log in to the Eyeglass VM as admin, open the Eyeglass REST API page, click Create new token, give it a name (for example, Zero Trust), and copy the token for use in the steps below. Treat this token as a credential: anyone who can read the playbook that contains it can issue snapshot and lockout calls against your storage.
- Completed Zero Trust integration with Cortex XSOAR (see the Cortex XSOAR Zero Trust Alarm Integration guide). The user lockout playbook depends on the incidents that integration creates.
Configuration Steps for Snapshot and User Lockout Playbooks
- Log in to Cortex and open the Playbooks tab.
- Download the YAML playbook definition files.
- Click the Upload button to upload each playbook to the library.
Configure the Snapshot Playbook
- Open the snapshot playbook in the editor.
- Click the HTTPv2 box to edit the details, then click Edit Playbook.
- Replace the IP address with the IP address of your Eyeglass VM.
- Replace the api_key value with a valid token from your Eyeglass VM.
- Click OK, then click Save Playbook to save the changes.
- Test the playbook by clicking the Debugger Panel, then click Run.
- A successful API call returns HTTP 201: the HTTPv2 box shows green and the debugger's HTTP request section shows status 201. Any other status means the call did not create a snapshot job; check the IP address and the api_key value before relying on the playbook.
Configure the User Lockout Playbook
This playbook depends on incidents created by the Superna Zero Trust webhook integration. It reads the userID from the incident's custom field automatically, so no manual input is required. The accepted syntax for userID is domain\username or user@domainname; an incident whose userID field is missing or in another form will not produce a valid lockout request.
- Open the user lockout playbook in the editor and click Edit Playbook.
- Click the Playbook Triggered code block.
- Locate the apiurl key and click it to open the editor.
- Edit the IP address and change it to the hostname or IP address of your Eyeglass VM.
- Click the green check mark, then click OK.
- Click Save for this code block.
- Click the HTTPv2 code block and replace the API token with a valid token from your Eyeglass deployment.
- Click Save Playbook.
To test the playbook:
- Click the Debugger Panel.
- Ensure a test incident exists that was created by the Superna Zero Trust API integration with Cortex and contains the custom incident field for the userID.
- Set the test data to use one of the webhook triggers.
- Click Run.
- A successful execution shows green code blocks. Expand the debugger data to confirm the HTTP response code is 201, which indicates the lockout job was started.
Configure the Request User Storage Lockout or Unlock Playbook
This playbook prompts for a username and can be used with any third-party playbook or workflow that requires Cyber Storage user lockout services. The accepted syntax for userID is domain\username or user@domainname. Apply the same modifications to the unlock playbook to enable the unlock workflow configuration.
- Open the playbook in the editor and click Edit Playbook.
- Click the Playbook Triggered code block and edit the IP address to the hostname or IP address of your Eyeglass VM. Click Save when done.
- Click the HTTPv2 code block:
- Edit the HTTP headers section to input the API token created from the prerequisites.
- Click Save.
- To test: click the Debugger Panel, select Playground for test data, and click Run.
- Enter a userID, for example domain\userid or user@domainname.
- Verify all code blocks show green and confirm the HTTP response code is 201.
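All four playbooks (snapshot, webhook-driven user lockout, and the request lockout and unlock playbooks above) reduce to the same HTTPv2 call: POST to the Eyeglass VM with the API token in a header and treat HTTP 201 as "job started". The following Python client is an added example, not code from the Superna or Palo Alto Networks documentation. It enforces the userID syntax the guide requires (domain\username or user@domainname) before anything is sent, builds the request the way the playbook's apiurl and api_key settings do, and maps the response status to the outcome you see in the debugger. The endpoint paths (`/zerotrust/<action>`), the header name `api_key`, and the JSON payload shape are assumptions for illustration; take the real values from the HTTPv2 task in the downloaded YAML.

```python
"""Added example: a minimal client mirroring the playbooks' HTTPv2 call to the
Eyeglass Zero Trust API. Paths, header name and payload are ASSUMED; copy the
real ones from the playbook YAML."""
import json
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Accepted userID forms from the guide: domain\username or user@domainname.
# A bare username, embedded whitespace, or a second separator is rejected so a
# malformed incident field never reaches the lockout/unlock API.
_DOMAIN_USER = re.compile(r"^[^\s\\@/]+\\[^\s\\@/]+$")
_USER_AT_DOMAIN = re.compile(r"^[^\s\\@/]+@[^\s\\@/]+$")


def valid_userid(userid) -> bool:
    """True only for domain\\username or user@domainname."""
    if not isinstance(userid, str):
        return False
    return bool(_DOMAIN_USER.match(userid) or _USER_AT_DOMAIN.match(userid))


def build_request(apiurl: str, api_key: str, action: str,
                  userid: Optional[str] = None) -> Tuple[str, dict, bytes]:
    """Assemble what the HTTPv2 task sends.

    apiurl  - value of the playbook's apiurl key, e.g. https://<eyeglass-host>
    api_key - the Eyeglass REST API token from the prerequisites
    action  - "snapshot", "lockout" or "unlock" (ASSUMED path names)
    userid  - required for lockout/unlock, ignored for snapshot
    """
    if action not in ("snapshot", "lockout", "unlock"):
        raise ValueError(f"unknown action {action!r}")
    if action != "snapshot" and not valid_userid(userid):
        raise ValueError("userID must be domain\\username or user@domainname")
    payload = {} if action == "snapshot" else {"userID": userid}
    url = f"{apiurl.rstrip('/')}/zerotrust/{action}"  # path is an assumption
    headers = {
        "Content-Type": "application/json",
        "api_key": api_key,  # header name assumed from the api_key setting
    }
    return url, headers, json.dumps(payload).encode()


def interpret_status(status: int) -> Tuple[bool, str]:
    """Map the HTTP status to the outcome the debugger panel shows."""
    if status == 201:
        return True, "201: Eyeglass accepted the request and started the job"
    if status in (401, 403):
        return False, f"{status}: token rejected; check the api_key value"
    if status == 400:
        return False, "400: request rejected; check the userID syntax and payload"
    return False, f"unexpected status {status}; inspect the HTTPv2 task output"


def submit(url: str, headers: dict, body: bytes,
           cafile: Optional[str] = None, timeout: int = 15) -> Tuple[bool, str]:
    """Send the request with TLS verification left on. If the Eyeglass VM uses a
    self-signed certificate, pass that certificate via cafile rather than turning
    verification off, or the token can be captured by anyone on the path."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as exc:
        return interpret_status(exc.code)


if __name__ == "__main__":
    # Constructed values; replace with your Eyeglass VM address and token.
    url, headers, body = build_request("https://192.0.2.10", "REPLACE_ME",
                                       "lockout", r"corp\jdoe")
    print(url, headers, body)
    print(interpret_status(201))
```

Use `build_request` with action `"snapshot"` and no userID to mirror the snapshot playbook, and `"unlock"` for the unlock workflow; the userID check is what you would add to the lockout playbook if the incoming incident field cannot be trusted to be well-formed.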
Use Cases for These Playbooks
- Snapshot Playbook: run this playbook for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data, and Cyber Storage analytics in Security Edition can detect malicious data activity and log file access to root-cause which data was affected by a security incident.
- User Lockout Playbook: run this playbook for alerts created by Superna Zero Trust. When lockout mode in Superna Security Edition is not enabled, this playbook lets the SecOps team decide when a user lockout should occur, moving data-protection decisions from the storage team to the SecOps team.
- User Request Storage Lockout Playbook: offers an input prompt for the userID that should be locked out of storage. Run it in any SecOps workflow where the threat to data is elevated, as a proactive step to prevent data destruction, or when employees are leaving the company or have been terminated.
- User Request Storage Unlock Playbook: offers an input prompt for the userID that should be unlocked from storage. Run it in any SecOps workflow to remove a storage lockout from a previously restricted user.