Learn how to integrate Prisma™ Cloud with Cortex XSOAR
(formerly Demisto
®
) to send alerts and enable multi-step
automated remediation using Cortex XSOAR playbooks.
With the Prisma™ Cloud and Cortex XSOAR (formerly
Demisto) outbound or push-based integration, you can send a Prisma
Cloud alert generated by a policy violation to Cortex XSOAR. Cortex
XSOAR maps the alert to an incident type and associates it with
a playbook to enable autoremediation of the violating resource.
For an incident type, the Prisma Cloud alert payload
is mapped to a Cortex XSOAR layout that specifies the incident fields
for data classification and mapping on Cortex XSOAR. After autoremediation,
Prisma Cloud performs a scan that detects that the issue is resolved
and marks the alert as resolved.
This push-based integration
enables your Security operations team to define custom playbooks
or use the out-of-box playbooks on Cortex XSOAR to create multistep
workflows for incident management of your cloud resources; this
is an alternative to the pull-based integration that
you can configure from Cortex XSOAR.
Currently, this integration
does not support the use of notification templates and Prisma Cloud
does not receive state change notifications from Cortex XSOAR after
it resolves an open alert.
Enable the Cortex XSOAR Integration on Prisma Cloud
Set up Cortex XSOAR as an external integration
on Prisma Cloud. For the push-based integration, you must use Cortex
XSOAR version 5.0.0 and content release version 19.10.2 or later.
Log in to Prisma Cloud and select
Settings
Integrations
+Add New
.
Set the
Integration Type
to
Demisto
(Beta)
.
Enter a meaningful
Integration Name
and
a
Description
.
Enter your
Demisto Instance FQDN/IP
address.
If you are adding a Cortex XSOAR instance that is part
of a multi-tenant deployment, enter the tenant URL without the protocol
(http or https).
Enter the
API Key
associated with
the Cortex XSOAR administrative user account.
The API key you provide must belong to a Cortex XSOAR administrative
user who has read-write permissions,
Click
Next
and then
Test
.
Save
the integration.
After you set up the integration, the status indicates
whether Prisma Cloud is connected to Cortex XSOAR.
Before you can view Prisma Cloud alerts as
incidents on Cortex XSOAR, you need content release 19.10.2 or a later
version. The content release includes the incident fields required
for this push-based integration.
On Cortex XSOAR, a
Prisma Cloud alert is mapped to the
Prisma Cloud
incident
type. You must add this incident type manually. For this incident
type, Cortex XSOAR provides an out-of-box,
Incident Layout
that
includes generic details about all relevant incident fields for
Prisma Cloud incidents. Cortex XSOAR also provides the
Incident
Classifier & Mapping
that is required for classifying all
incidents generated by this integration as a Prisma Cloud incident
type and to map the fields in the Prisma Cloud alert payload to
the Cortex XSOAR incident fields. Incident layout and incident
classifier and mapping required to enable remediation using Cortex
XSOAR playbooks.
The playbooks that are available to support
remediation are:
Prisma Cloud Remediation - AWS CloudTrail
is not enabled on the account
Prisma Cloud Remediation - AWS security groups allow internet
traffic To TCP port
Prisma Cloud Remediation - AWS inactive users for more than
30 days
Install Cortex XSOAR content release 19.10.2 or
a later version on your Cortex XSOAR 5.0.0 instance.
19.10.2 is the minimum content release version that includes
the Prisma Cloud incident fields required for this push-based integration. You
can see the incident fields on
Settings
Advanced
Fields
.
Download the layout and classifier mappings for Prisma
Cloud.
Map the Prisma Cloud alert data to the classification
rules defined on Cortex XSOAR.
Select
Setting
Integrations
Classification & Mapping
Cortex
XSOAR REST API
Import existing classification
& mapping
to align the labels in the
alert data payload from Prisma Cloud with Cortex XSOAR labels.
(
Optional
) Create additional classification
and mapping rules and incident layouts to classify Prisma Cloud alerts
to distinct incident types on Cortex XSOAR.
Cortex XSOAR includes one incident type for Prisma Cloud
to which you can associate one of the AWS playbooks (listed above)
for autoremediation. Refer to the Demisto documentation for
detailed instructions customizing your incident types, creating different
classifications, mapping and layouts for Prisma Cloud alerts, and
to associate different playbooks to take action and enable incident
resolution for other cloud platforms.
View incidents on Cortex XSOAR.
Verify that the integration is working as expected and
that Prisma Cloud alerts display as incidents.
