Integrate Prisma Cloud with Demisto (Beta)

Learn how to integrate Prisma Cloud with Demisto to send alerts and enable multi-step automated remediation using Demisto playbooks.
With the Prisma Cloud and Demisto outbound or push-based integration, you can send a Prisma Cloud alert that is generated on a policy violation, as an incident to Demisto. The alert is mapped to an incident type on Demisto and associated with a playbook to enable auto-remediation of the violating resource. For an incident type, the Prisma Cloud alert payload is mapped to a Demisto layout that specifies the incident fields for data classification and mapping on Demisto. Upon auto-remediation, in a subsequent scan, Prisma Cloud detects that the issue is resolved and the alert is marked as resolved.
This push-based integration enables your security operations team to define custom playbooks or use the out-of-the-box playbooks on Demisto to create multi-step workflows for incident management of your cloud resources, and is an alternative to the pull-based integration that you can configure from Demisto.
In this beta, the use of notification templates is not supported, and Prisma Cloud does not receive state change notifications from Demisto when an open alert is resolved.

Enable the Demisto Integration on Prisma Cloud

Set up Demisto as an external integration on Prisma Cloud. For the push-based integration, your Demisto instance must be version 5.0.0 and have content version 19.10.2.
  1. Log in to Prisma Cloud and select Settings > Integrations > +Add New.
  2. Set the Integration Type as Demisto (Beta).
  3. Enter a meaningful Integration Name and a Description.
  4. Enter your Demisto Instance FQDN/IP address.
  5. Enter the API Key associated with the Demisto administrative user account.
    The API key you provide must belong to a Demisto administrative user who has read/write permissions. Read-write permissions are required to enable this push-based integration.
  6. Click Next and then click Test.
  7. Save the integration.
    After you set up the integration, the status indicates whether Prisma Cloud is connected to Demisto.
  8. Modify an existing alert rule, or create a new alert rule, to send alert notifications to Demisto. See Send Prisma Cloud Alert Notifications to Third-Party Tools.

Set Up the Integration on Demisto

Before you can view Prisma Cloud alerts as incidents on Demisto, you need the Content Version: 19.10.2 or later. The content version includes the incident fields required for this push-based integration.
On Demisto, a Prisma Cloud alert is mapped to the Prisma Cloud incident type, which you must add manually. For this incident type, Demisto provides an out-of-the-box Incident Layout that includes generic details about all the relevant incident fields for Prisma Cloud incidents. It also provides the Incident Classifier & Mapping that is required to classify all incidents generated from this integration as the Prisma Cloud incident type, and to map the fields in the Prisma Cloud alert payload to the Demisto incident fields. Together, the incident layout and the incident classifier and mapping are what enable remediation using Demisto playbooks.
The playbooks that are available to support remediation are:
  • Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account
  • Prisma Cloud Remediation - AWS security groups allows internet traffic To TCP port
  • Prisma Cloud Remediation - AWS inactive users For more than 30 days
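The classifier and mapping stages described above, as an added example that is not Demisto's classifier-Prisma_Cloud.json or any Prisma Cloud code: the alert payload keys (alertId, policyName, resource), the custom incident field names, and the policy-name-to-playbook rule are all assumptions, and the sample alert is constructed.

```python
import json

INCIDENT_TYPE = "Prisma Cloud"
SEVERITY = {"low": 1, "medium": 2, "high": 3}  # Demisto severity scale: 0 unknown .. 4 critical

# Assumed: a substring of the Prisma Cloud policy name selects one of the three
# remediation playbooks named in the article; anything else stays unassigned.
PLAYBOOK_BY_POLICY = {
    "cloudtrail is not enabled": "Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account",
    "allows internet traffic to tcp port": "Prisma Cloud Remediation - AWS security groups allows internet traffic To TCP port",
    "inactive users for more than 30 days": "Prisma Cloud Remediation - AWS inactive users For more than 30 days",
}

def classify(payload):
    """Classifier stage: return the incident type, or None for a payload that is not a Prisma Cloud alert."""
    if "alertId" in payload and "policyName" in payload:  # assumed payload keys
        return INCIDENT_TYPE
    return None

def choose_playbook(policy_name):
    """Pick the remediation playbook for a policy, or None when no playbook fits (manual triage)."""
    name = policy_name.lower()
    for needle, playbook in PLAYBOOK_BY_POLICY.items():
        if needle in name:
            return playbook
    return None

def map_alert(payload):
    """Mapper stage: build the Demisto incident dict; the whole alert is kept in rawJSON."""
    incident_type = classify(payload)
    if incident_type is None:
        raise ValueError("payload does not look like a Prisma Cloud alert")
    res = payload.get("resource", {})  # assumed nested resource object
    return {
        "type": incident_type,
        "name": f"{payload['policyName']} ({res.get('name', 'unknown resource')})",
        "severity": SEVERITY.get(str(payload.get("severity", "")).lower(), 0),
        "playbook": choose_playbook(payload["policyName"]),
        "prismacloudalertid": payload["alertId"],  # assumed custom incident fields
        "prismacloudaccount": res.get("account"),
        "prismacloudregion": res.get("region"),
        "rawJSON": json.dumps(payload, sort_keys=True),
    }

# Constructed sample alert, not a captured Prisma Cloud payload.
SAMPLE_ALERT = {
    "alertId": "P-12345", "severity": "high", "alertStatus": "open",
    "policyName": "AWS CloudTrail is not enabled on the account",
    "resource": {"name": "123456789012", "account": "prod-aws", "region": "us-east-1"},
}
```

An alert whose severity or policy name is not recognised still becomes an incident, but with severity 0 and no playbook, which is the case to watch for when you verify the integration in step 6 below.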
  1. Install Demisto content version 19.10.2 on your Demisto instance version 5.0.0.
    19.10.2 is the minimum content version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on Settings > Advanced > Fields.
  2. Download the layout and classifier mappings for Prisma Cloud.
    Get the layout, layout-details-Prisma_Cloud.json, from the Demisto GitHub repository.
    Get the classifier mappings, classifier-Prisma_Cloud.json, from the Demisto GitHub repository.
  3. Create a new incident type for Prisma Cloud.
    In order to use the incident fields that are pushed through the content update, you need to add a new incident type.
    1. Select Settings > Advanced > Incident Types.
    2. Create a New Incident Type, name it Prisma Cloud, and Save.
    3. Select the incident type and Edit Layout to Import the layout you downloaded earlier.
  4. Map the Prisma Cloud alert data to the classification rules defined on Demisto.
    Select Settings > Integrations > Classification & Mapping > Demisto REST API > Import existing classification & mapping to align the labels in the alert data payload from Prisma Cloud with Demisto labels.
  5. (Optional) Create additional classification and mapping, and incident layouts, to classify Prisma Cloud alerts to distinct incident types on Demisto.
    Demisto includes one incident type for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for auto-remediation. Refer to the Demisto documentation for detailed instructions to customize your incident types, create different classifications, mappings, and layouts for Prisma Cloud alerts, and associate different playbooks to take action and enable incident resolution for other cloud platforms.
  6. View incidents on Demisto.
    Verify that the integration is working as expected and that Prisma Cloud alerts are displayed as incidents.

Related Documentation