Prisma Cloud Compute by Palo Alto Networks

Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.

Prisma Cloud Compute

This pack includes Cortex XSIAM content.

Overview

This integration lets you import Palo Alto Networks - Prisma Cloud Compute alerts into Cortex XSOAR.

Use Cases

Manage Prisma Cloud Compute alerts in Cortex XSOAR.
You can create new playbooks, or extend the default ones, to analyze alerts, assign tasks based on your analysis, and open tickets on other platforms.

Configure Prisma Cloud Compute

Configure Prisma Cloud Compute to send alerts to Cortex XSOAR by creating an alert profile.

  1. Log in to your Prisma Cloud Compute console. On new Prisma Cloud versions, go to Runtime Security.
  2. Navigate to Manage > Alerts.
  3. Create a new alert profile by clicking Add Profile.
  4. Provide a name, select Cortex from the provider list, and select XSOAR under Application.
  5. Select the alert triggers. Alert triggers specify which alerts are sent to Cortex XSOAR.
  6. Click Save to save the alert profile.

Configure Cortex XSOAR

  1. Navigate to Settings > Integrations > Instances.
  2. Search for Prisma Cloud Compute.
  3. Click Add instance to create and configure a new integration.
    • Name: Name for the integration.
    • Fetches incidents: Configures this integration instance to fetch alerts from Prisma Cloud Compute.
    • Prisma Cloud Compute Console URL: URL address of your Prisma Cloud Compute console. Copy the address from the alert profile created in Prisma Cloud Compute, or under Runtime Security copy the address from System > Utilities > Path to Console.
    • Prisma Cloud Compute Project Name (if applies): If using projects in Prisma Cloud Compute, enter the project name here. Copy the project name from the alert profile created in Prisma Cloud Compute.
    • Trust any certificate (not secure): Skips verification of the CA certificate (not recommended).
    • Use system proxy settings: Uses the system's proxy settings.
    • Credentials: Prisma Cloud Compute login credentials.
    • Prisma Cloud Compute CA Certificate: CA Certificate used by Prisma Cloud Compute. Copy the certificate from the alert profile created in Prisma Cloud Compute.
  4. Click Test to validate the integration.
  5. Click Done to save the integration.

Using the integration and scripts

The integration ships with four default playbooks:

  • Prisma Cloud Compute - Audit Alert v3
  • Prisma Cloud Compute - Cloud Discovery Alert
  • Prisma Cloud Compute - Compliance Alert
  • Prisma Cloud Compute - Vulnerability Alert

Three of the above playbooks (all except Audit Alert v3) each contain a single script. The script in each playbook encodes the raw JSON alert into a Cortex XSOAR object that can then be used in the playbook. The scripts are:

  • PrismaCloudComputeParseComplianceAlert
  • PrismaCloudComputeParseVulnerabilityAlert
  • PrismaCloudComputeParseCloudDiscoveryAlert

To better understand how playbooks and scripts interoperate, consider the Prisma Cloud Compute - Vulnerability Alert playbook.

  • When the playbook is triggered, a task called Parse Vulnerability Alert runs.
  • The task runs the PrismaCloudComputeParseVulnerabilityAlert script, which takes the prismacloudcomputerawalertjson field of the incident (the raw JSON alert data) as input.

  • Click outputs to see how the script transformed the raw JSON input into a Cortex XSOAR object.

At this point, you can add tasks that extend the playbook to check and respond to alerts depending on the properties of the Cortex XSOAR object.

Audit Alert v3 playbook

This playbook differs from the other three. It is a default playbook for parsing and enriching Prisma Cloud Compute audit alerts.

The playbook has the following sections:

Enrichment:

  • Image details
  • Similar container events
  • Owner details
  • Vulnerabilities
  • Compliance details
  • Forensics
  • Defender logs

Remediation:

  • Block Indicators - Generic v3
  • Cloud Response - Generic
  • Manual Remediation

Currently, the playbook supports incidents created by Runtime and WAAS triggers.

Troubleshooting

If any alerts are missing in Cortex XSOAR, check the status of the integration instance.

Prisma Cloud Compute

This pack includes Cortex XSIAM content.

Overview

This integration lets you import Palo Alto Networks - Prisma Cloud Compute alerts into Cortex XSIAM.

Use Cases

Manage Prisma Cloud Compute alerts in Cortex XSIAM.
You can create new playbooks, or extend the default ones, to analyze alerts, assign tasks based on your analysis, and open tickets on other platforms.

Configure Prisma Cloud Compute

Configure Prisma Cloud Compute to send alerts to Cortex XSIAM by creating an alert profile.

  1. Log in to your Prisma Cloud Compute console. On new Prisma Cloud versions, go to Runtime Security.
  2. Navigate to Manage > Alerts.
  3. Create a new alert profile by clicking Add Profile.
  4. Provide a name, select Cortex from the provider list, and select XSOAR under Application.
  5. Select the alert triggers. Alert triggers specify which alerts are sent to Cortex XSIAM.
  6. Click Save to save the alert profile.

Configure Cortex XSIAM

  1. Navigate to Settings > Integrations > Instances.
  2. Search for Prisma Cloud Compute.
  3. Click Add instance to create and configure a new integration.
    • Name: Name for the integration.
    • Fetches incidents: Configures this integration instance to fetch alerts from Prisma Cloud Compute.
    • Prisma Cloud Compute Console URL: URL address of your Prisma Cloud Compute console. Copy the address from the alert profile created in Prisma Cloud Compute, or under Runtime Security copy the address from System > Utilities > Path to Console.
    • Prisma Cloud Compute Project Name (if applies): If using projects in Prisma Cloud Compute, enter the project name here. Copy the project name from the alert profile created in Prisma Cloud Compute.
    • Trust any certificate (not secure): Skips verification of the CA certificate (not recommended).
    • Use system proxy settings: Uses the system's proxy settings.
    • Credentials: Prisma Cloud Compute login credentials.
    • Prisma Cloud Compute CA Certificate: CA Certificate used by Prisma Cloud Compute. Copy the certificate from the alert profile created in Prisma Cloud Compute.
  4. Click Test to validate the integration.
  5. Click Done to save the integration.

Using the integration and scripts

The integration ships with four default playbooks:

  • Prisma Cloud Compute - Audit Alert v3
  • Prisma Cloud Compute - Cloud Discovery Alert
  • Prisma Cloud Compute - Compliance Alert
  • Prisma Cloud Compute - Vulnerability Alert

Three of the above playbooks (all except Audit Alert v3) each contain a single script. The script in each playbook encodes the raw JSON alert into a Cortex XSIAM object that can then be used in the playbook. The scripts are:

  • PrismaCloudComputeParseComplianceAlert
  • PrismaCloudComputeParseVulnerabilityAlert
  • PrismaCloudComputeParseCloudDiscoveryAlert

To better understand how playbooks and scripts interoperate, consider the Prisma Cloud Compute - Vulnerability Alert playbook.

  • When the playbook is triggered, a task called Parse Vulnerability Alert runs.
  • The task runs the PrismaCloudComputeParseVulnerabilityAlert script, which takes the prismacloudcomputerawalertjson field of the incident (the raw JSON alert data) as input.

  • Click outputs to see how the script transformed the raw JSON input into a Cortex XSIAM object.

At this point, you can add tasks that extend the playbook to check and respond to alerts depending on the properties of the Cortex XSIAM object.

Audit Alert v3 playbook

This playbook differs from the other three. It is a default playbook for parsing and enriching Prisma Cloud Compute audit alerts.

The playbook has the following sections:

Enrichment:

  • Image details
  • Similar container events
  • Owner details
  • Vulnerabilities
  • Compliance details
  • Forensics
  • Defender logs

Remediation:

  • Block Indicators - Generic v3
  • Cloud Response - Generic
  • Manual Remediation

Currently, the playbook supports incidents created by Runtime and WAAS triggers.

Troubleshooting

If any alerts are missing in Cortex XSIAM, check the status of the integration instance.

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Supported By: Cortex
Created: September 23, 2020
Last Release: March 20, 2024

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.