Learn how to integrate Prisma Cloud with Demisto to send
alerts and enable multi-step automated remediation using Demisto
playbooks.
With the Prisma Cloud and Demisto outbound
or push-based integration, you can send a Prisma Cloud alert that
is generated on a policy violation, as an incident to Demisto. The
alert is mapped to an incident type on Demisto and associated with
a playbook to enable auto-remediation of the violating resource.
For an incident type, the Prisma Cloud alert payload is mapped to
a Demisto layout that specifies the incident fields for data classification
and mapping on Demisto. Upon auto-remediation, in a subsequent scan,
Prisma Cloud detects that the issue is resolved and the alert is
marked as resolved.
This push-based integration enables your
security operations team to define custom playbooks or use the out-of-the-box
playbooks on Demisto to create multi-step workflows for incident
management of your cloud resources, and is an alternative to the pull-based integration that
you can configure from Demisto.
In this beta, the use of notification
templates are not supported, and Prisma Cloud does not receive state
change notifications from Demisto when an open alert is resolved.
Set up Demisto as an external integration
on Prisma Cloud. For the push-based integration, your Demisto instance
must be version 5.0.0 and have content version 19.10.2.
Log in to Prisma Cloud and select
Settings
Integrations
+Add New
.
Set the
Integration Type
as
Demisto
(Beta)
.
Enter a meaningful
Integration Name
and
a
Description
.
Enter your
Demisto Instance FQDN/IP
address.
Enter the
API Key
associated with
the Demisto administrative user account.
The API key you provide must belong to an Demisto administrative
user who has read/write permissions. Read-write permissions are
required to enable this push-based integration.
Click
Next
and then click
Test
.
Save
the integration.
After you set up the integration, the status indicates
whether Prisma Cloud is connected to Demisto.
Before you can view Prisma Cloud alerts as
incidents on Demisto, you need the Content Version: 19.10.2 or later.
The content version includes the incident fields required for this
push-based integration.
On Demisto, a Prisma Cloud alert is
mapped as
Prisma Cloud
Incident Type. You
must add this incident type manuallyFor this incident type, Demisto
provides an out-of-the-box,
Incident Layout
that includes
generic details about all the relevant incident fields for Prisma
Cloud incidents. It also provides the
Incident Classifier & Mapping
that
is required to classify all incidents generated from this integration
as Prisma Cloud incident type, and to map the fields in the Prisma
Cloud alert payload to the Demisto incident fields. incident layout
and incident classifier and mapping required to enable remediation
using Demisto playbooks
The playbooks that are available to
support remediation are:
Prisma Cloud Remediation
- AWS CloudTrail is not enabled on the account
Prisma Cloud Remediation - AWS security groups allows internet
traffic To TCP port
Prisma Cloud Remediation - AWS inactive users For more than
30 days
Install Demisto content version: 19.10.2 on your
Demisto instance version: 5.0.0.
19.10.2 is the minimum content version that includes the
Prisma Cloud incident fields required for this push-based integration.
You can see the incident fields on
Settings
Advanced
Fields
.
Download the layout and classifier mappings for Prisma
Cloud.
In order to use the incident fields that are pushed through
the content update, you need to add a new incident type.
Select
Settings
Advanced
Incident Types
.
Create a
New Incident Type
and name
it
Prisma Cloud
and
Save
.
Select the Incident Type and
Edit Layout
to
Import
the
layout you downloaded earlier.
Map the Prisma Cloud alert data to the classification
rules defined on Demisto.
Select
Setting
Integrations
Classification & Mapping
Demisto
REST API
Import existing classification &
mapping
to align the labels in the alert
data payload from Prisma Cloud with Demisto labels.
(
Optional
) Create additional classification
and mapping, and incident layouts to classify Prisma Cloud alerts
to distinct incident types on Demisto.
Demisto includes one incident type for Prisma Cloud to
which you can associate one of the AWS playbooks (listed above)
for auto-remediation. Refer to the Demisto documentation for
detailed instructions to customize your incident types, create different
classification, mapping and layout for Prisma Cloud alerts and associate
different playbooks to take action and enable incident resolution
for other cloud platforms.
View incidents on Demisto.
Verify that the integration is working as expected, and
Prisma Cloud alerts are displayed as incidents.
