Integrate Prisma Cloud with Demisto (Beta)
Learn how to integrate Prisma Cloud with Demisto to send alerts and enable multi-step automated remediation using Demisto playbooks.
With the Prisma Cloud and Demisto outbound or push-based integration, you can send a Prisma Cloud alert that is generated on a policy violation, as an incident to Demisto. The alert is mapped to an incident type on Demisto and associated with a playbook to enable auto-remediation of the violating resource. For an incident type, the Prisma Cloud alert payload is mapped to a Demisto layout that specifies the incident fields for data classification and mapping on Demisto. Upon auto-remediation, in a subsequent scan, Prisma Cloud detects that the issue is resolved and the alert is marked as resolved.
This push-based integration enables your security operations team to define custom playbooks or use the out-of-the-box playbooks on Demisto to create multi-step workflows for incident management of your cloud resources, and is an alternative to the pull-based integration that you can configure from Demisto.
In this beta, the use of notification templates is not supported, and Prisma Cloud does not receive state change notifications from Demisto when an open alert is resolved.
Enable the Demisto Integration on Prisma Cloud
Set up Demisto as an external integration on Prisma Cloud. For the push-based integration, your Demisto instance must be version 5.0.0 and have content version 19.10.2.
- Log in to Prisma Cloud and select Settings > Integrations > + Add New.
- Set the Integration Type as Demisto (Beta).
- Enter a meaningful Integration Name and a Description.
- Enter your Demisto Instance FQDN/IP address.
- Enter the API Key associated with the Demisto administrative user account. The API key you provide must belong to a Demisto administrative user who has read/write permissions; read-write permissions are required to enable this push-based integration.
- Click Next and then click Test.
- Save the integration. After you set up the integration, the status indicates whether Prisma Cloud is connected to Demisto.
- Modify an existing alert rule, or create a new alert rule, to send alert notifications to Demisto. See Send Prisma Cloud Alert Notifications to Third-Party Tools.
- Continue to Set Up the Integration on Demisto.
Set Up the Integration on Demisto
Before you can view Prisma Cloud alerts as incidents on Demisto, you need the Content Version: 19.10.2 or later. The content version includes the incident fields required for this push-based integration.
On Demisto, a Prisma Cloud alert is mapped to the Prisma Cloud Incident Type. You must add this incident type manually. For this incident type, Demisto provides an out-of-the-box Incident Layout that includes generic details about all the relevant incident fields for Prisma Cloud incidents. It also provides the Incident Classifier & Mapping that is required to classify all incidents generated from this integration as the Prisma Cloud incident type, and to map the fields in the Prisma Cloud alert payload to the Demisto incident fields. Together, the incident layout and the incident classifier and mapping are what enable remediation using Demisto playbooks.
The playbooks that are available to support remediation are:
- Prisma Cloud Remediation - AWS CloudTrail is not enabled on the account
- Prisma Cloud Remediation - AWS security groups allows internet traffic To TCP port
- Prisma Cloud Remediation - AWS inactive users For more than 30 days
- Install Demisto content version 19.10.2 on your Demisto instance version 5.0.0. 19.10.2 is the minimum content version that includes the Prisma Cloud incident fields required for this push-based integration. You can see the incident fields on Settings > Advanced > Fields.
- Create a new incident type for Prisma Cloud. In order to use the incident fields that are pushed through the content update, you need to add a new incident type.
- Select Settings > Advanced > Incident Types.
- Create a New Incident Type, name it Prisma Cloud, and Save.
- Select the Incident Type and Edit Layout to Import the layout you downloaded earlier.
- Map the Prisma Cloud alert data to the classification rules defined on Demisto. Select Settings > Integrations > Classification & Mapping > Demisto REST API > Import existing classification & mapping to align the labels in the alert data payload from Prisma Cloud with Demisto labels.
- (Optional) Create additional classification and mapping, and incident layouts, to classify Prisma Cloud alerts to distinct incident types on Demisto. Demisto includes one incident type for Prisma Cloud to which you can associate one of the AWS playbooks (listed above) for auto-remediation. Refer to the Demisto documentation for detailed instructions to customize your incident types, create different classification, mapping and layout for Prisma Cloud alerts, and associate different playbooks to take action and enable incident resolution for other cloud platforms.
- View incidents on Demisto. Verify that the integration is working as expected, and that Prisma Cloud alerts are displayed as incidents.
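To make the classification and mapping step concrete, and to give you a way to check the last step without waiting for a policy violation, here is an added example (not Prisma Cloud's or Demisto's own code) that maps one constructed alert into the body Demisto's REST API accepts for incident creation and optionally pushes it. The alert field names are assumptions for illustration, not the documented Prisma Cloud payload; the `/incident` endpoint and the `Authorization` header are assumed to match the Demisto REST API used by the Demisto REST API integration named above.

```python
import json
import urllib.request

# Constructed sample alert. Field names are assumptions for illustration,
# not the documented Prisma Cloud alert payload.
SAMPLE_ALERT = {
    "alertId": "P-12345",
    "policyName": "AWS CloudTrail is not enabled on the account",
    "severity": "high",
    "cloudType": "aws",
    "accountId": "123456789012",
    "resourceId": "arn:aws:iam::123456789012:root",
    "alertStatus": "open",
}

INCIDENT_TYPE = "Prisma Cloud"  # the incident type created in the steps above


def map_alert_to_incident(alert):
    """Build a Demisto incident-creation body from an alert payload.

    Each alert field becomes a label so the classifier & mapping on Demisto
    can route the incident to the Prisma Cloud type and fill the layout's
    incident fields; rawJSON keeps the full payload for reference."""
    severity_map = {"low": 1, "medium": 2, "high": 3, "critical": 4}
    labels = [{"type": k, "value": str(v)} for k, v in sorted(alert.items())]
    return {
        "name": f"{alert['policyName']} ({alert['alertId']})",
        "type": INCIDENT_TYPE,
        "severity": severity_map.get(alert.get("severity", "").lower(), 0),
        "labels": labels,
        "rawJSON": json.dumps(alert),
        "createInvestigation": True,
    }


def post_incident(demisto_url, api_key, incident, timeout=10):
    """POST the incident body to Demisto (requires network access).
    api_key is the read/write administrative key from the setup steps."""
    req = urllib.request.Request(
        demisto_url.rstrip("/") + "/incident",
        data=json.dumps(incident).encode(),
        headers={"Authorization": api_key,
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(map_alert_to_incident(SAMPLE_ALERT), indent=2))
```

After posting, the incident should appear on Demisto classified as the Prisma Cloud type; if it lands as the default type instead, the imported classification rules do not match the labels you sent.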