Integrate Prisma Cloud with Cortex XSOAR

Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto
) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly Demisto) outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. Cortex XSOAR maps the alert to an incident type and associates it with a playbook to enable autoremediation of the violating resource. For an incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. After autoremediation, Prisma Cloud performs a scan that detects that the issue is resolved and marks the alert as resolved.
This push-based integration enables your Security operations team to define custom playbooks or use the out-of-box playbooks on Cortex XSOAR to create multistep workflows for incident management of your cloud resources; this is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Currently, this integration does not support the use of notification templates and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.

Enable the Cortex XSOAR Integration on Prisma Cloud

Set up Cortex XSOAR as an external integration on Prisma Cloud. For the push-based integration, you must use Cortex XSOAR version 5.0.0 and content release version 19.10.2 or later.
  1. Log in to Prisma Cloud and select
    +Add New
  2. Set the
    Integration Type
    Demisto (Beta)
  3. Enter a meaningful
    Integration Name
    and a
  4. Enter your
    Demisto Instance FQDN/IP
    If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
  5. Enter the
    API Key
    associated with the Cortex XSOAR administrative user account.
    The API key you provide must belong to a Cortex XSOAR administrative user who has read-write permissions,
  6. Click
    and then
  7. Save
    the integration.
    After you set up the integration, the status indicates whether Prisma Cloud is connected to Cortex XSOAR.
  8. Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to Cortex XSOAR. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)

Set Up the Integration on Cortex XSOAR

Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need content release 19.10.2 or a later version. The content release includes the incident fields required for this push-based integration.
On Cortex XSOAR, a Prisma Cloud alert is mapped to the
Prisma Cloud
incident type. You must add this incident type manually. For this incident type, Cortex XSOAR provides an out-of-box,
Incident Layout
that includes generic details about all relevant incident fields for Prisma Cloud incidents. Cortex XSOAR also provides the
Incident Classifier & Mapping
that is required for classifying all incidents generated by this integration as a Prisma Cloud incident type and to map the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. Incident layout and incident classifier and mapping required to enable remediation using Cortex XSOAR playbooks.
The playbooks that are available to support remediation are:
  • Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account
  • Prisma Cloud Remediation - AWS security groups allow internet traffic To TCP port
  • Prisma Cloud Remediation - AWS inactive users for more than 30 days
  1. Install Cortex XSOAR content release 19.10.2 or a later version on your Cortex XSOAR 5.0.0 instance.
    19.10.2 is the minimum content release version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on
  2. Download the layout and classifier mappings for Prisma Cloud.
    Get the
    file from the Demisto GitHub repository.
    Get the Classifier Mappings from the
    file from the Demisto GitHub repository.
  3. Create a new incident type for Prisma Cloud.
    1. Select
      Incident Types
    2. Create a
      New Incident Type
      and name it
      Prisma Cloud
      your changes.
    3. Select the
      Incident Type
      Edit Layout
      the layout you downloaded earlier.
  4. Map the Prisma Cloud alert data to the classification rules defined on Cortex XSOAR.
    Classification & Mapping
    Import existing classification & mapping
    to align the labels in the alert data payload from Prisma Cloud with Cortex XSOAR labels.
  5. (
    ) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts to distinct incident types on Cortex XSOAR.
    Cortex XSOAR includes one incident type for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Demisto documentation for detailed instructions customizing your incident types, creating different classifications, mapping and layouts for Prisma Cloud alerts, and to associate different playbooks to take action and enable incident resolution for other cloud platforms.
  6. View incidents on Cortex XSOAR.
    Verify that the integration is working as expected and that Prisma Cloud alerts display as incidents.

Recommended For You