Integrate Prisma Cloud with Cortex XSOAR
Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto®) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly Demisto) outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. Cortex XSOAR maps the alert to an incident type and associates it with a playbook to enable autoremediation of the violating resource. For an incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. After autoremediation, Prisma Cloud performs a scan that detects that the issue is resolved and marks the alert as resolved.
This push-based integration enables your Security operations team to define custom playbooks or use the out-of-box playbooks on Cortex XSOAR to create multistep workflows for incident management of your cloud resources; this is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Currently, this integration does not support the use of notification templates and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.
Enable the Cortex XSOAR Integration on Prisma Cloud
Set up Cortex XSOAR as an external integration on Prisma Cloud. For the push-based integration, you must use Cortex XSOAR version 5.0.0 and content release version 19.10.2 or later.
- Log in to Prisma Cloud and select Settings > Integrations > + Add New.
- Set the Integration Type to Demisto (Beta).
- Enter a meaningful Integration Name and a Description.
- Enter your Demisto Instance FQDN/IP address. If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
- Enter the API Key associated with the Cortex XSOAR administrative user account. The API key you provide must belong to a Cortex XSOAR administrative user who has read-write permissions.
- Click Next and then Test.
- Save the integration. After you set up the integration, the status indicates whether Prisma Cloud is connected to Cortex XSOAR.
- Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to Cortex XSOAR. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
Set Up the Integration on Cortex XSOAR
Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need content release 19.10.2 or a later version. The content release includes the incident fields required for this push-based integration.
On Cortex XSOAR, a Prisma Cloud alert is mapped to the Prisma Cloud incident type. You must add this incident type manually. For this incident type, Cortex XSOAR provides an out-of-box Incident Layout that includes generic details about all relevant incident fields for Prisma Cloud incidents. Cortex XSOAR also provides the Incident Classifier & Mapping that is required for classifying all incidents generated by this integration as the Prisma Cloud incident type and for mapping the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. The incident layout and the incident classifier and mapping are both required to enable remediation using Cortex XSOAR playbooks.
The playbooks that are available to support remediation are:
- Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account
- Prisma Cloud Remediation - AWS security groups allow internet traffic To TCP port
- Prisma Cloud Remediation - AWS inactive users for more than 30 days
- Install Cortex XSOAR content release 19.10.2 or a later version on your Cortex XSOAR 5.0.0 instance. 19.10.2 is the minimum content release version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on Settings > Advanced > Fields.
- Create a new incident type for Prisma Cloud.
  - Select Settings > Advanced > Incident Types.
  - Create a New Incident Type, name it Prisma Cloud, and Save your changes.
  - Select the Incident Type and Edit Layout to Import the layout you downloaded earlier.
- Map the Prisma Cloud alert data to the classification rules defined on Cortex XSOAR. Select Settings > Integrations > Classification & Mapping > Cortex XSOAR REST API > Import existing classification & mapping to align the labels in the alert data payload from Prisma Cloud with Cortex XSOAR labels.
- (Optional) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts into distinct incident types on Cortex XSOAR. Cortex XSOAR includes one incident type for Prisma Cloud, to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Demisto documentation for detailed instructions on customizing your incident types, creating different classifications, mappings and layouts for Prisma Cloud alerts, and associating different playbooks to take action and enable incident resolution for other cloud platforms.
- View incidents on Cortex XSOAR. Verify that the integration is working as expected and that Prisma Cloud alerts display as incidents.
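The classification and mapping step above is configured in the Cortex XSOAR UI, so there is nothing to type; the following Python script is an added example (not Prisma Cloud or Cortex XSOAR code) that shows what that step amounts to: every pushed alert is classified into the single Prisma Cloud incident type, its payload fields are copied into incident fields, and the incident is paired with one of the three remediation playbooks listed above when the policy matches, or left for manual triage when it does not. The payload keys (alertId, policyName, resourceName, accountName, cloudType, severity) and the incident field names are assumptions chosen for illustration, as is the sample alert; only the incident type name and playbook names come from the page.

```python
"""Classify a Prisma Cloud push alert into a Cortex XSOAR-style incident (illustrative)."""
import json

# Incident type that the steps above create manually on Cortex XSOAR.
INCIDENT_TYPE = "Prisma Cloud"

# Remediation playbooks named on the page, keyed by the policy wording each one handles.
PLAYBOOKS = {
    "aws cloudtrail is not enabled on the account":
        "Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account",
    "aws security groups allow internet traffic to tcp port":
        "Prisma Cloud Remediation - AWS security groups allow internet traffic To TCP port",
    "aws inactive users for more than 30 days":
        "Prisma Cloud Remediation - AWS inactive users for more than 30 days",
}

# Alert payload key -> incident field. Both sides are assumed names for illustration;
# the real mapping is defined in XSOAR's Classification & Mapping UI.
FIELD_MAP = {
    "alertId": "prismacloudalertid",
    "policyName": "prismacloudpolicyname",
    "resourceName": "prismacloudresourcename",
    "accountName": "prismacloudaccountname",
    "cloudType": "prismacloudcloudtype",
}

# XSOAR severity scale: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Without these three fields an incident cannot be tied to a policy and a resource.
REQUIRED = ("alertId", "policyName", "resourceName")


def select_playbook(policy_name):
    """Return the remediation playbook for a policy name, or None if no playbook covers it."""
    name = policy_name.lower()
    for prefix, playbook in PLAYBOOKS.items():
        if name.startswith(prefix):
            return playbook
    return None


def classify(raw):
    """Map one alert (dict or JSON text) to an incident dict; reject incomplete payloads."""
    alert = json.loads(raw) if isinstance(raw, (str, bytes)) else dict(raw)
    missing = [key for key in REQUIRED if not alert.get(key)]
    if missing:
        # An incomplete alert must not be silently classified and handed to an
        # autoremediation playbook; surface it instead.
        raise ValueError(f"alert missing required fields: {missing}")

    incident = {
        "type": INCIDENT_TYPE,
        "name": f"{alert['policyName']} - {alert['resourceName']}",
        "severity": SEVERITY.get(str(alert.get("severity", "")).lower(), 0),
    }
    for src, dst in FIELD_MAP.items():
        if src in alert:
            incident[dst] = alert[src]

    playbook = select_playbook(alert["policyName"])
    incident["playbook"] = playbook
    # Alerts with no matching playbook stay in the same incident type for manual triage.
    incident["autoremediate"] = playbook is not None
    return incident


if __name__ == "__main__":
    # Constructed sample payload; the values are illustrative only.
    sample = {
        "alertId": "P-0001",
        "policyName": "AWS CloudTrail is not enabled on the account",
        "resourceName": "123456789012",
        "accountName": "example-prod",
        "cloudType": "aws",
        "severity": "high",
    }
    print(json.dumps(classify(sample), indent=2))
```

The prefix match on the policy name mirrors how a classifier rule keys on a payload label; an alert whose policy is not covered by any of the three playbooks is still created as a Prisma Cloud incident but flagged as not eligible for autoremediation, which is the behaviour you want to verify when you check that alerts display as incidents.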