Integrate Prisma Cloud with Cortex XSOAR
Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto
®) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly Demisto) outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. This integration enables your Security operations team to define custom playbooks or use the out-of-box playbooks on Cortex XSOAR to create multi-step workflows for incident management of your cloud resources; this is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For an incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. The current list of incident types are: AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, and Prisma Cloud. If the policy ID is not categorized to a specific incident type, it is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook to enable autoremediation of the violating resource, except for the generic Prisma Cloud incident type.
On autoremediation, Prisma Cloud performs a scan that detects that the issue is resolved and marks the alert as resolved.
Currently, this integration does not support the use of notification templates and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.
Enable the Cortex XSOAR Integration on Prisma Cloud
Set up Cortex XSOAR as an external integration on Prisma Cloud. If you have a firewall or cloud Network Security Group between the internet and Cortex XSOAR, you must add the NAT Gateway IP Addresses for Prisma Cloud to the allow list and enable the connection to Prisma Cloud.
For the push-based integration, you must use Cortex XSOAR version 5.0.0 and content release version 19.10.2 or later.
- Log in to Prisma Cloud and select.SettingsIntegrations+Add New
- Set theIntegration TypetoCortex XSOAR.
- Enter a meaningfulIntegration Nameand aDescription.
- Enter yourCortex XSOAR Instance FQDN/IPaddress.If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
- Enter theAPI Keyassociated with the Cortex XSOAR administrative user account.The API key you provide must belong to a Cortex XSOAR administrative user who has read-write permissions, which are required to enable this push-based integration. Within Cortex XSOAR, navigate toSettings > Integrations > API KeysandGet Your Key.
- ClickNextand thenTest.
- Savethe integration.After you set up the integration, the status indicates whether Prisma Cloud is connected to Cortex XSOAR.
- Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to Cortex XSOAR. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
- Get your Prisma Cloud Access Key.
Set Up the Integration on Cortex XSOAR
Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need content release 19.10.2 or a later version. The content release includes the incident fields required for this push-based integration. When you have the content release, the Classifier, incident types, and layouts are available automatically.
Cortex XSOAR maps Prisma Cloud alerts to out-of-the-box incident types such as AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, GCP Compute Engine Misconfiguration, and Prisma Cloud. The out-of-box,
Incident Layoutsmap the Prisma Cloud alert data to the classification rules. These layouts provide the
Incident Classifier & Mappingthat is required for classifying incidents to the correct incident type and mapping the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. When an incident is created, the playbook attached to the incident type automatically executes.
Find all the Cortex XSOAR playbooks that are available to support remediation on Prisma Cloud for example Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration and Prisma Cloud Remediation - GCP VPC Network Misconfiguration; search for
- Install Cortex XSOAR content release 19.10.2 or a later version on your Cortex XSOAR 5.0.0 or later instance.19.10.2 is the minimum content release version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on.SettingsAdvancedFields
- Enable the connection between Cortex XSOAR and Prisma Cloud.
- Navigate to.SettingsIntegrationsServers&Services
- Search forPrisma CloudandAdd Instance.
- Complete the set up.Provide aNamefor the Prisma Cloud instance you are integrating (the name must be unique from other Integrations within cortex XSOAR), theServer URLthat corresponds to the API endpoint for the Prisma Cloud instance, and your access key and secret keys as username and password.If you access your Prisma Cloud instance at https://app2.eu.prismacloud.io, the API endpoint is https://api2.eu.prismacloud.io
- Review the classification mapping for incident types.and the playbooks associated with each incident type are inWhen Prisma Cloud pushes alerts to the Cortex XSOAR endpoint, the alerts are classified under thePrisma Cloud App(/prismacloud app) path, and listed inSettingsIntegrationsClassification MappingSettingsIntegrationsAdvancedIncident Types
- View incidents on Cortex XSOAR.Verify that the integration is working as expected and that Prisma Cloud alerts display as incidents and are mapped to specific incident types..
- (Optional) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts to distinct incident types on Cortex XSOAR.Cortex XSOAR includes a few incident types for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Cortex XSOAR documentation for detailed instructions about customizing your incident types, creating different classifications, mapping and layouts for Prisma Cloud alerts, and to associate different playbooks to take action and enable incident resolution for other cloud platforms. Refer to the Cortex XSOAR GitHub repository for some sample packs.
Recommended For You
Recommended videos not found.