Integrate Prisma Cloud with Cortex XSOAR
Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto®) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.

With the Prisma Cloud and Cortex XSOAR outbound (push-based) integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. Your security operations team can then define custom playbooks, or use the out-of-the-box playbooks on Cortex XSOAR, to build multi-step incident management workflows for your cloud resources. This is an alternative to the pull-based integration that you configure from Cortex XSOAR.
Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For each incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields used for data classification and mapping on Cortex XSOAR. The current incident types are: AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, Azure AKS Misconfiguration, Azure Network Misconfiguration, Azure SQL Misconfiguration, Azure Storage Misconfiguration, GCP Compute Engine Misconfiguration, GCP Kubernetes Engine Misconfiguration, and Prisma Cloud. If the policy ID is not categorized to a specific incident type, the alert is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook that enables autoremediation of the violating resource, except for the generic Prisma Cloud incident type.
After autoremediation, Prisma Cloud performs a scan, detects that the issue is resolved, and marks the alert as resolved.
Currently, this integration does not support the use of notification templates and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.
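The classify-then-map-then-playbook flow described above, as an added Python model (not code from the Prisma Cloud docs or the XSOAR content pack): the policy IDs, payload keys and incident field names are constructed placeholders, and the generic fallback is kept playbook-less so unclassified alerts are visibly left for manual triage.

```python
from dataclasses import dataclass
from typing import Optional

GENERIC_TYPE = "Prisma Cloud"  # fallback incident type: has a layout but no playbook

# Hypothetical policy-ID -> incident-type rules. The real classifier shipped in
# the "Prisma Cloud by Palo Alto Networks" pack keys on Prisma Cloud policy IDs.
CLASSIFIER_RULES = {
    "policy-ec2-public-ip": "AWS EC2 Instance Misconfiguration",
    "policy-gke-dashboard": "GCP Kubernetes Engine Misconfiguration",
}

# Specific incident types carry an autoremediation playbook (the EC2 name is the
# one the docs quote; the GKE name is hypothetical). The generic type is
# deliberately absent, so those incidents wait for an analyst.
PLAYBOOKS = {
    "AWS EC2 Instance Misconfiguration": "Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration",
    "GCP Kubernetes Engine Misconfiguration": "Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration",
}

# Incoming mapper: payload key -> incident field (field names are hypothetical).
FIELD_MAP = {"alertId": "prismacloudid", "policyName": "name", "severity": "severity",
             "cloudType": "prismacloudcloudtype", "resourceId": "prismacloudresourceid"}

@dataclass
class Incident:
    incident_type: str
    playbook: Optional[str]   # None means no autoremediation will run
    fields: dict

def classify(alert: dict) -> str:
    """Classifier step: the policy ID selects the incident type, else the generic one."""
    return CLASSIFIER_RULES.get(alert.get("policyId", ""), GENERIC_TYPE)

def map_fields(alert: dict) -> dict:
    """Incoming-mapper step: copy only mapped payload keys into incident fields."""
    return {dst: alert[src] for src, dst in FIELD_MAP.items() if src in alert}

def create_incident(alert: dict) -> Incident:
    """Push path end to end: reject payloads without an alert ID, classify, map, attach playbook."""
    if not alert.get("alertId"):
        raise ValueError("alert payload has no alertId; refusing to create an incident")
    itype = classify(alert)
    return Incident(itype, PLAYBOOKS.get(itype), map_fields(alert))

# Constructed sample payloads, not real Prisma Cloud alerts.
EC2_ALERT = {"alertId": "P-1", "policyId": "policy-ec2-public-ip", "policyName": "EC2 with public IP",
             "severity": "high", "cloudType": "aws", "resourceId": "i-0example"}
UNKNOWN_ALERT = {"alertId": "P-2", "policyId": "policy-not-in-pack", "policyName": "Other policy",
                 "severity": "low", "cloudType": "azure"}
```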
Enable the Cortex XSOAR Integration on Prisma Cloud
Set up Cortex XSOAR as an external integration on Prisma Cloud. If you have a firewall or cloud Network Security Group between the internet and Cortex XSOAR, you must ensure network reachability and Enable Access to the Prisma Cloud Console.
For the push-based integration, you must use Cortex XSOAR version 5.0.0 and the latest Prisma Cloud content pack.
- Log in to Prisma Cloud and select Settings > Integrations.
- Select Add Integration > Cortex XSOAR. A modal wizard opens where you can add the Cortex XSOAR integration.
- Enter an Integration Name and Description.
- Enter your Cortex XSOAR Instance FQDN/IP address. If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
- Enter the API Key associated with the Cortex XSOAR administrative user account. The API key you provide must belong to a Cortex XSOAR administrative user with read-write permissions, which are required for this push-based integration. Within Cortex XSOAR, navigate to Settings > Integrations > API Keys and select Get Your Key.
- Click Next and then Test.
- Save the integration. After you set up the integration successfully, you can use the Get Status link in Settings > Integrations to periodically check the integration status.
- Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to Cortex XSOAR. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
- Get your Prisma Cloud Access Key. If you do not have an access key, see Create and Manage Access Keys. You need the Access Key ID and Secret Key ID to complete the integration on Cortex XSOAR.
Set Up the Integration on Cortex XSOAR
Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need to install the Prisma Cloud by Palo Alto Networks content pack from the Marketplace. The content pack includes the incident fields required for this push-based integration; once it is installed, the classifier, incident types, and layouts are available automatically.

Cortex XSOAR maps Prisma Cloud alerts to out-of-the-box incident types such as AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, Azure AKS Misconfiguration, Azure Network Misconfiguration, Azure SQL Misconfiguration, Azure Storage Misconfiguration, GCP Compute Engine Misconfiguration, GCP Kubernetes Engine Misconfiguration, and Prisma Cloud. If the policy ID is not categorized to a specific incident type, it is automatically mapped to the generic Prisma Cloud incident type by default. The out-of-the-box Incident Classifier & Mapping is required for classifying incidents to the correct incident type and for mapping the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. When an incident is created, the playbook attached to the incident type executes automatically.

To find all the Cortex XSOAR playbooks that support remediation on Prisma Cloud (for example, Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration and Prisma Cloud Remediation - GCP VPC Network Misconfiguration), search for playbook-PCR_. If you want to use the pull-based integration from Cortex XSOAR, see the Cortex XSOAR documentation. In a pull-based integration, you must enable Fetches incidents on the instance.
- Log in to Cortex XSOAR and select Marketplace > Browse.
- Search for the Prisma Cloud by Palo Alto Networks content pack and select Install.
- Enable the connection between Cortex XSOAR and Prisma Cloud.
  - Navigate to Settings > Objects Setup > Classification & Mapping.
  - Click the triple-dot button at the upper right and select API Endpoint Mapping.
  - In the row for Prisma Cloud, select:
    - Classifier—Prisma Cloud App - Classifier
    - Mapper (Incoming)—Prisma Cloud App - Incoming Mapper
  - Save.
- (Optional) Enable the connection between Cortex XSOAR and Prisma Cloud by adding an instance.
  - Navigate to Settings > Integrations > Instances.
  - Search for Prisma Cloud (RedLock) and select Add Instance.
  - Complete the setup:
    - Provide a Name for the Prisma Cloud instance you are integrating (the name must be unique among the integrations within Cortex XSOAR).
    - Select Do not Fetch.
    - Enter the Server URL that corresponds to the API endpoint for the Prisma Cloud instance, and your access key and secret key as the username and password. If you access your Prisma Cloud instance at https://app2.eu.prismacloud.io, the API endpoint is https://api2.eu.prismacloud.io.
  - Test the instance.
  - Save & Exit.
- (Optional) Review the classification mapping for incident types. When Prisma Cloud pushes alerts to the Cortex XSOAR endpoint, the alerts are classified under the Prisma Cloud App - Classifier in Settings > Objects Setup > Incidents > Classification & Mapping. You can view the names of the playbooks associated with each incident type in Settings > Objects Setup > Incidents > Types, and the playbooks themselves under the Playbooks tab.
- View incidents on Cortex XSOAR. Verify that the integration is working as expected, and that Prisma Cloud alerts display as incidents and are mapped to specific incident types.
- (Optional) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts to distinct incident types on Cortex XSOAR. Cortex XSOAR includes a few incident types for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Cortex XSOAR documentation for detailed instructions on customizing your incident types, creating different classifications, mappings, and layouts for Prisma Cloud alerts, and associating different playbooks to take action and enable incident resolution for other cloud platforms. Refer to the Cortex XSOAR GitHub repository for some sample packs.