New forms of sophisticated cybersecurity threats are continually emerging to target enterprises by utilizing multiple attack vectors and entry points. In this environment, understanding network and cloud traffic and displaying accuracy and agility during analysis and response become vital. Analysts need a platform that enables complete visibility over both cloud and network data and primes the SOC for scalable, standardized enrichment and remediation actions.
Users can now leverage Demisto’s security orchestration and automation capabilities with the Palo Alto Networks Application Framework to rapidly act on rich, relevant security data and accelerate incident response.
PAN Application Framework and Demisto integration features
- Create Demisto incidents and trigger playbooks in response to alerts from Palo Alto Networks Application Framework for enrichment, triage, and resolution.
- Leverage 160+ Demisto product integrations to enrich alerts from Palo Alto Networks Application Framework and coordinate response across security functions.
- Run hundreds of commands (including commands for PAN products) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Fig 1: How Demisto connects with the Palo Alto Networks Application Framework and other PAN products
To learn more about Demisto's integrations with Palo Alto Networks, read our joint solution brief below
Accelerating remediation for network and cloud security alerts
If SOCs use different solutions for network/cloud visibility and incident response, it can be tough to track the lifecycle of an incident due to flitting between screens, fragmented information, and lack of single-window documentation.
If SOCs use the Palo Alto Networks Application Framework for security data visibility and Demisto Enterprise for security orchestration and automation, they can automate incident creation and trigger playbooks in Demisto for specific alert types in the Application Framework. These playbooks orchestrate enrichment and response actions across the entire stack of products a SOC uses, in a single screen and a seamless workflow.
For example, analysts can create tickets, quarantine endpoints, retrieve pcaps, and send emails as automatable playbook tasks.
Application Framework queries and commands can also be run in real time from the War Room, enabling interactive investigation of complex incidents without having to rework playbooks while the incident is still being handled.
Fig 2: Palo Alto Networks Application Framework commands with Demisto War Room
The Application Framework’s rich data coupled with Demisto playbooks can speed up incident triage and resolution. Analysts can get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
Apart from the Application Framework, Demisto also integrates with a host of Palo Alto Networks products such as AutoFocus, Panorama, and WildFire for automated and orchestrated incident response. Stay tuned for integration overviews focusing on these products in the near future.
If you're interested in exploring Demisto and its integrations further, you can download the Free Community Edition below.