Integrate Prisma Cloud with Cortex XSOAR

Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto®) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly Demisto) outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. This integration enables your security operations team to define custom playbooks or use the out-of-the-box playbooks on Cortex XSOAR to create multi-step workflows for incident management of your cloud resources; it is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For each incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. The current incident types are: AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, and Prisma Cloud. If the policy ID is not categorized to a specific incident type, it is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook to enable autoremediation of the violating resource, except for the generic Prisma Cloud incident type.
On autoremediation, Prisma Cloud performs a scan that detects that the issue is resolved and marks the alert as resolved.
Currently, this integration does not support the use of notification templates and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.

Enable the Cortex XSOAR Integration on Prisma Cloud

Set up Cortex XSOAR as an external integration on Prisma Cloud. If you have a firewall or cloud Network Security Group between the internet and Cortex XSOAR, you must whitelist the NAT Gateway IP Addresses for Prisma Cloud to enable the connection to Prisma Cloud.
For the push-based integration, you must use Cortex XSOAR version 5.0.0 and content release version 19.10.2 or later.
  1. Log in to Prisma Cloud and select Settings > Integrations > +Add New.
  2. Set the Integration Type to Cortex XSOAR.
  3. Enter a meaningful Integration Name and a Description.
  4. Enter your Cortex XSOAR Instance FQDN/IP address.
    If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
  5. Enter the API Key associated with the Cortex XSOAR administrative user account.
    The API key you provide must belong to a Cortex XSOAR administrative user who has read-write permissions, which are required to enable this push-based integration. Within Cortex XSOAR, navigate to Settings > Integrations > API Keys and Get Your Key.
  6. Click Next and then Test.
  7. Save the integration.
    After you set up the integration, the status indicates whether Prisma Cloud is connected to Cortex XSOAR.
  8. Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to Cortex XSOAR. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
  9. Get your Prisma Cloud Access Key.
    If you do not have an access key, see Create and Manage Access Keys. You need the Access Key ID and Secret Key ID to complete the integration on Cortex XSOAR.

Set Up the Integration on Cortex XSOAR

Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need content release 19.10.2 or a later version. The content release includes the incident fields required for this push-based integration. When you have the content release, the Classifier, incident types, and layouts are available automatically.
Cortex XSOAR maps Prisma Cloud alerts to out-of-the-box incident types such as AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, GCP Compute Engine Misconfiguration, and Prisma Cloud. The out-of-the-box Incident Layouts map the Prisma Cloud alert data to the classification rules. These layouts provide the Incident Classifier & Mapping that is required for classifying incidents to the correct incident type and mapping the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. When an incident is created, the playbook attached to the incident type automatically executes.
To find all the Cortex XSOAR playbooks that are available to support remediation on Prisma Cloud, for example Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration and Prisma Cloud Remediation - GCP VPC Network Misconfiguration, search for playbook-PrismaCloudRemediation_.
If you want to use the pull-based integration from Cortex XSOAR, see the Cortex documentation. In a pull-based integration, you must enable the instance to Fetches incidents.
  1. Install Cortex XSOAR content release 19.10.2 or a later version on your Cortex XSOAR 5.0.0 or later instance.
    19.10.2 is the minimum content release version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on Settings > Advanced > Fields.
  2. Enable the connection between Cortex XSOAR and Prisma Cloud.
    1. Navigate to Settings > Integrations > Servers & Services.
    2. Search for Prisma Cloud and Add Instance.
    3. Complete the setup.
      Provide a Name for the Prisma Cloud instance you are integrating (the name must be unique from other integrations within Cortex XSOAR), the Server URL that corresponds to the API endpoint for the Prisma Cloud instance, and your access key and secret key as username and password.
      If you access your Prisma Cloud instance at https://app2.eu.prismacloud.io, the API endpoint is https://api2.eu.prismacloud.io.
  3. Review the classification mapping for incident types.
    When Prisma Cloud pushes alerts to the Cortex XSOAR endpoint, the alerts are classified under the Prisma Cloud App (/prismacloud app) path and listed in Settings > Integrations > Classification Mapping, and the playbooks associated with each incident type are in Settings > Integrations > Advanced > Incident Types.
  4. View incidents on Cortex XSOAR.
    Verify that the integration is working as expected and that Prisma Cloud alerts display as incidents and are mapped to specific incident types.
  5. (Optional) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts to distinct incident types on Cortex XSOAR.
    Cortex XSOAR includes a few incident types for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Cortex XSOAR documentation for detailed instructions about customizing your incident types, creating different classifications, mappings and layouts for Prisma Cloud alerts, and associating different playbooks to take action and enable incident resolution for other cloud platforms. Refer to the Cortex XSOAR GitHub repository for some sample packs.
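As an added illustration (not part of this documentation or of the Cortex XSOAR Prisma Cloud content pack), the following Python sketch mirrors the classification behaviour described above: an alert is routed to an incident type by its policy ID, and an unknown policy ID falls back to the generic Prisma Cloud type, which carries no autoremediation playbook. The policy IDs, payload field names and sample alerts are all constructed assumptions, not real Prisma Cloud values.

```python
import json

# Assumed mapping from Prisma Cloud policy ID to Cortex XSOAR incident type.
# The policy IDs are constructed placeholders; in Cortex XSOAR this table is
# the classifier under the Prisma Cloud App (/prismacloud app) path.
POLICY_TO_INCIDENT_TYPE = {
    "policy-cloudtrail-0001": "AWS CloudTrail Misconfiguration",
    "policy-ec2-0001": "AWS EC2 Instance Misconfiguration",
    "policy-iam-0001": "AWS IAM Policy Misconfiguration",
    "policy-gce-0001": "GCP Compute Engine Misconfiguration",
}
GENERIC_INCIDENT_TYPE = "Prisma Cloud"

# Fields an alert payload must carry before it is classified (assumed names).
REQUIRED_FIELDS = ("alertId", "policyId", "severity", "resourceId")


def classify_alert(payload: dict) -> dict:
    """Map one pushed alert to an incident type plus flat incident fields."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"alert payload missing fields: {missing}")
    incident_type = POLICY_TO_INCIDENT_TYPE.get(payload["policyId"], GENERIC_INCIDENT_TYPE)
    return {
        "type": incident_type,
        # Only the specific incident types have an autoremediation playbook attached.
        "autoremediation": incident_type != GENERIC_INCIDENT_TYPE,
        "name": f"Prisma Cloud {payload['severity']}: {payload['policyId']}",
        "severity": payload["severity"].lower(),
        "resourceId": payload["resourceId"],
        "alertId": payload["alertId"],
    }


def classify_batch(raw_payloads):
    """Classify JSON-encoded alerts; also count how many fell back to the generic type."""
    incidents = [classify_alert(json.loads(raw)) for raw in raw_payloads]
    generic = sum(1 for inc in incidents if inc["type"] == GENERIC_INCIDENT_TYPE)
    return incidents, generic


# Constructed sample alerts (not real Prisma Cloud output).
SAMPLE_ALERTS = [
    '{"alertId": "A-1", "policyId": "policy-ec2-0001", "severity": "High", "resourceId": "i-0abc"}',
    '{"alertId": "A-2", "policyId": "policy-unknown-999", "severity": "Low", "resourceId": "bucket-x"}',
]

if __name__ == "__main__":
    incidents, generic = classify_batch(SAMPLE_ALERTS)
    for inc in incidents:
        print(inc["alertId"], "->", inc["type"], "(autoremediation)" if inc["autoremediation"] else "")
    print(f"{generic} alert(s) fell back to the generic incident type")
```

A high count of generic fallbacks in a real deployment is the signal to add the classification rules and layouts described in step 5.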
