Learn how to integrate Prisma™ Cloud with Cortex XSOAR (formerly Demisto®) to send alerts and enable multi-step automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly Demisto) outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR. This integration enables your security operations team to define custom playbooks or use the out-of-the-box playbooks on Cortex XSOAR to create multi-step workflows for incident management of your cloud resources; it is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For each incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. The current list of incident types is: AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, and Prisma Cloud. If the policy ID is not categorized to a specific incident type, the alert is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook to enable autoremediation of the violating resource, except for the generic Prisma Cloud incident type.
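The routing just described (policy ID selects the incident type, the incident type selects a layout that picks fields out of the alert payload, and every non-generic type carries a playbook) can be modelled in a few lines. The following is an added illustration, not Prisma Cloud or Cortex XSOAR code: the policy IDs, the alert payload keys, the incident field names and the two playbook names marked HYPOTHETICAL are constructed for the example; only the incident type names and the EC2 playbook name come from the page. The point it makes beyond the text is the failure modes: an alert with no policy ID is refused rather than silently routed, and a layout only copies the keys it names, so anything else in the payload never reaches the incident.

```python
"""Toy model of push-based alert routing: policyId -> incident type -> layout -> playbook.
Added example, not vendor code. Policy IDs, payload keys and incident field names are
constructed; real Prisma Cloud policy IDs are tenant-specific and are not on the page."""
from __future__ import annotations

import json

GENERIC_INCIDENT_TYPE = "Prisma Cloud"

# Constructed placeholder policy IDs -> incident type (the page names the types).
POLICY_TO_INCIDENT_TYPE = {
    "policy-cloudtrail-0001": "AWS CloudTrail Misconfiguration",
    "policy-ec2-0002": "AWS EC2 Instance Misconfiguration",
    "policy-iam-0003": "AWS IAM Policy Misconfiguration",
}

# Playbook attached to each non-generic incident type. The EC2 name is the one the page
# lists; the other two are HYPOTHETICAL placeholders. The generic type has no playbook.
INCIDENT_TYPE_PLAYBOOK = {
    "AWS CloudTrail Misconfiguration": "HYPOTHETICAL - CloudTrail remediation playbook",
    "AWS EC2 Instance Misconfiguration": "Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration",
    "AWS IAM Policy Misconfiguration": "HYPOTHETICAL - IAM remediation playbook",
}

# A "layout" per incident type: which (constructed) payload key becomes which (constructed)
# incident field. Keys not named in the layout are deliberately not copied.
COMMON_LAYOUT = {
    "alertId": "prismacloudalertid",
    "policyId": "prismacloudpolicyid",
    "severity": "severity",
    "accountId": "prismacloudaccountid",
}
LAYOUTS = {
    GENERIC_INCIDENT_TYPE: COMMON_LAYOUT,
    "AWS CloudTrail Misconfiguration": {**COMMON_LAYOUT, "resourceId": "awstrailname", "region": "awsregion"},
    "AWS EC2 Instance Misconfiguration": {**COMMON_LAYOUT, "resourceId": "awsinstanceid", "region": "awsregion"},
    "AWS IAM Policy Misconfiguration": {**COMMON_LAYOUT, "resourceId": "awsiampolicyarn"},
}


def classify(alert: dict) -> str:
    """Return the incident type for an alert, falling back to the generic type."""
    policy_id = alert.get("policyId")
    if not isinstance(policy_id, str) or not policy_id:
        # No policy ID means nothing to classify on; refuse instead of guessing a type.
        raise ValueError("alert has no policyId; refusing to route it")
    return POLICY_TO_INCIDENT_TYPE.get(policy_id, GENERIC_INCIDENT_TYPE)


def map_fields(alert: dict, incident_type: str) -> tuple[dict, list[str]]:
    """Apply the layout for incident_type; return (incident fields, payload keys the layout
    expected but the alert did not carry)."""
    fields: dict = {}
    missing: list[str] = []
    for src_key, incident_field in LAYOUTS[incident_type].items():
        if src_key in alert:
            fields[incident_field] = alert[src_key]
        else:
            missing.append(src_key)
    return fields, missing


def build_incident(alert: dict) -> dict:
    """Classify, map and attach the playbook (None for the generic type)."""
    incident_type = classify(alert)
    fields, missing = map_fields(alert, incident_type)
    return {
        "type": incident_type,
        "fields": fields,
        "missing": missing,
        "playbook": INCIDENT_TYPE_PLAYBOOK.get(incident_type),
    }


def route(raw_json: str) -> dict:
    """Entry point for a pushed alert body (JSON text)."""
    return build_incident(json.loads(raw_json))


if __name__ == "__main__":
    # Constructed sample alert, not a real Prisma Cloud payload.
    sample = json.dumps({
        "alertId": "P-1", "policyId": "policy-ec2-0002", "severity": "high",
        "accountId": "123456789012", "resourceId": "i-0abc", "region": "us-east-1",
        "extraKeyIgnoredByLayout": "never reaches the incident",
    })
    print(json.dumps(route(sample), indent=2))
```

A real deployment would hold the policy-ID table and layouts in Cortex XSOAR's classifier and layout objects rather than in code; the `missing` list is the part worth keeping an eye on, because a layout that silently drops an absent field leaves the playbook acting on an incomplete incident.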
After autoremediation, Prisma Cloud performs a scan that detects that the issue is resolved and marks the alert as resolved. Currently, this integration does not support the use of notification templates, and Prisma Cloud does not receive state change notifications from Cortex XSOAR after it resolves an open alert.
Enable the Cortex XSOAR Integration on Prisma Cloud
Set up Cortex XSOAR as an external integration on Prisma Cloud. If you have a firewall or cloud Network Security Group between the internet and Cortex XSOAR, you must add the NAT Gateway IP Addresses for Prisma Cloud to the allow list and enable the connection to Prisma Cloud.
For the push-based integration, you must use Cortex XSOAR version 5.0.0 and content release version 19.10.2 or later.
Log in to Prisma Cloud and select Settings > Integrations > +Add New.
Set the Integration Type to Cortex XSOAR.
Enter a meaningful Integration Name and a Description.
Enter your Cortex XSOAR Instance FQDN/IP address. If you are adding a Cortex XSOAR instance that is part of a multi-tenant deployment, enter the tenant URL without the protocol (http or https).
Enter the API Key associated with the Cortex XSOAR administrative user account. The API key you provide must belong to a Cortex XSOAR administrative user who has read-write permissions, which are required to enable this push-based integration. Within Cortex XSOAR, navigate to Settings > Integrations > API Keys and Get Your Key.
Click Next and then Test. Save the integration.
After you set up the integration, the status indicates whether Prisma Cloud is connected to Cortex XSOAR.
If you do not have an access key, see Create and Manage Access Keys. You need the Access Key ID and Secret Key ID to complete the integration on Cortex XSOAR.
Before you can view Prisma Cloud alerts as incidents on Cortex XSOAR, you need content release 19.10.2 or a later version. The content release includes the incident fields required for this push-based integration. When you have the content release, the Classifier, incident types, and layouts are available automatically.
Cortex XSOAR maps Prisma Cloud alerts to out-of-the-box incident types such as AWS CloudTrail Misconfiguration, AWS EC2 Instance Misconfiguration, AWS IAM Policy Misconfiguration, GCP Compute Engine Misconfiguration, and Prisma Cloud. The out-of-the-box Incident Layouts map the Prisma Cloud alert data to the classification rules. These layouts provide the Incident Classifier & Mapping that is required for classifying incidents to the correct incident type and mapping the fields in the Prisma Cloud alert payload to the Cortex XSOAR incident fields. When an incident is created, the playbook attached to the incident type executes automatically.
To find all the Cortex XSOAR playbooks that are available to support remediation on Prisma Cloud (for example, Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration and Prisma Cloud Remediation - GCP VPC Network Misconfiguration), search for playbook-PrismaCloudRemediation_.
If you want to use the pull-based integration from Cortex XSOAR, see the Cortex documentation. In a pull-based integration, you must enable the instance to Fetches incidents.
Install Cortex XSOAR content release 19.10.2 or a later version on your Cortex XSOAR 5.0.0 or later instance.
19.10.2 is the minimum content release version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on Settings > Advanced > Fields.
Enable the connection between Cortex XSOAR and Prisma Cloud.
Navigate to Settings > Integrations > Servers & Services. Search for Prisma Cloud and Add Instance.
Complete the setup.
Provide a Name for the Prisma Cloud instance you are integrating (the name must be unique among the integrations within Cortex XSOAR), the Server URL that corresponds to the API endpoint for the Prisma Cloud instance, and your access key and secret key as the username and password.
If you access your Prisma Cloud instance at https://app2.eu.prismacloud.io, the API endpoint is https://api2.eu.prismacloud.io.
Review the classification mapping for incident types.
When Prisma Cloud pushes alerts to the Cortex XSOAR endpoint, the alerts are classified under the Prisma Cloud App (/prismacloud app) path and listed in Settings > Integrations > Classification Mapping, and the playbooks associated with each incident type are in Settings > Integrations > Advanced > Incident Types.
View incidents on Cortex XSOAR.
Verify that the integration is working as expected and that Prisma Cloud alerts display as incidents and are mapped to specific incident types.
(Optional) Create additional classification and mapping rules and incident layouts to classify Prisma Cloud alerts to distinct incident types on Cortex XSOAR.
Cortex XSOAR includes a few incident types for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for autoremediation. Refer to the Cortex XSOAR documentation for detailed instructions about customizing your incident types, creating different classifications, mappings and layouts for Prisma Cloud alerts, and associating different playbooks to take action and enable incident resolution for other cloud platforms. Refer to the Cortex XSOAR GitHub repository for some sample packs.