Prisma Cloud DSPM

This Integration is part of the DSPM Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Overview#

The Prisma Cloud DSPM (Data Security Posture Management) integration enhances the management and remediation of DSPM risks. It provides users with actionable data, insights, and a seamless workflow for addressing potential security threats.

Use Cases#

  • Remediation of DSPM out-of-the-box risks based on automated playbooks.
  • Close or update risks by interacting with DSPM API using a dedicated list of building blocks.
  • Distribute DSPM risks to other systems.

Prerequisites#

  1. An active Prisma Cloud DSPM account
  2. Slack V3 Pack
  3. AWS-S3 Pack
  4. Core REST APIs pack
  5. Atlassian Jira v3 Pack
  6. Google Cloud Storage Pack (optional)
  7. Azure Storage Container Pack (optional)

Configure Cortex XSOAR on Prisma Cloud DSPM#

  1. Log in to your Prisma Cloud DSPM platform.
  2. Navigate to Settings > Workflow > XSOAR.
  3. Click Connect to create and configure a new XSOAR integration.
  4. XSOAR link - Add the XSOAR API URL.
  5. Notified On - Select the Risks option.
  6. Severity Threshold - Set the severity threshold to receive notifications for assets that fall under that severity.
  7. Filter By Tags - Notifications will be sent for assets that match any of the selected tags.
  8. Advanced - Add the required headers Authorization and x-xdr-auth-id.

Configure Prisma Cloud DSPM on Cortex XSOAR#

  1. Navigate to Settings & Info > Settings > Integrations > Instances.

  2. Search for Prisma Cloud DSPM.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | DSPM server URL | The tenant URL of the Prisma Cloud DSPM. | True |
    | DSPM API Key | API key to use for the connection. | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Fetch incidents | | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

dspm-list-risk-findings#


Retrieves risk findings matching the input criteria.

Base Command#

dspm-list-risk-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_name_in | A comma-separated list of rule names. | Optional |
| rule_name_equal | The exact rule name. | Optional |
| dspm_tag_key_in | A comma-separated list of DSPM tag keys. | Optional |
| dspm_tag_key_equal | The exact DSPM tag key. | Optional |
| dspm_tag_value_in | A comma-separated list of DSPM tag values. | Optional |
| dspm_tag_value_equal | The exact DSPM tag value. | Optional |
| projectId_in | A comma-separated list of project IDs. | Optional |
| projectId_equal | The exact project ID. | Optional |
| cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. Default is AWS. | Optional |
| cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| affects_in | A comma-separated list of affects values. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, SECURITY_AND_GOVERNANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional |
| affects_equal | The exact affects value. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional |
| status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
| status_equal | The exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
| sort | The sort order. | Optional |
| limit | The maximum number of risk findings to retrieve. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.RiskFinding.asset | Unknown | The asset details associated with the risk finding. |
| DSPM.RiskFinding.cloudEnvironment | String | The cloud environment (public or private) associated with the risk finding. |
| DSPM.RiskFinding.cloudProvider | String | The cloud provider associated with the risk finding (e.g., AWS, Azure, GCP). |
| DSPM.RiskFinding.complianceStandards | Unknown | The compliance standards relevant to the risk finding. |
| DSPM.RiskFinding.firstDiscovered | Date | The date the risk finding was first discovered. |
| DSPM.RiskFinding.id | String | The unique ID of the risk finding. |
| DSPM.RiskFinding.projectId | String | The project ID where the asset resides. |
| DSPM.RiskFinding.ruleName | String | The rule name associated with the risk finding. |
| DSPM.RiskFinding.severity | String | The severity of the risk finding (e.g., Low, Medium, High). |
| DSPM.RiskFinding.status | String | The current status of the risk finding (e.g., Open, Closed). |

Command example#

!dspm-list-risk-findings

Context Example#

{
"DSPM": {
"RiskFinding": [
{
"id": "00000000-0000-4f99-0000-616843b6b19e",
"ruleName": "Empty storage asset",
"severity": "LOW",
"asset": {},
"status": "OPEN",
"projectId": "********",
"cloudProvider": "AWS",
"cloudEnvironment": "UNKNOWN",
"firstDiscovered": "2024-09-27T11:55:39.059125Z",
"complianceStandards": {}
}
]
}
}

Human Readable Output#

Results#

| Asset | Cloud Environment | Cloud Provider | Compliance Standards | First Discovered | ID | Project ID | Rule Name | Severity | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {} | UNKNOWN | AWS | {} | 2024-09-27T11:55:39.059125Z | 00000000-0000-4f99-0000-616843b6b19e | **** | Empty storage asset | LOW | OPEN |

dspm-get-risk-finding-by-id#


Retrieves the details of a risk for the provided risk ID.

Base Command#

dspm-get-risk-finding-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| finding_id | ID of the risk for which to retrieve details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.RiskFinding.asset | Unknown | The asset details associated with the risk finding. |
| DSPM.RiskFinding.cloudEnvironment | String | The cloud environment (public or private) associated with the risk finding. |
| DSPM.RiskFinding.cloudProvider | String | The cloud provider associated with the risk finding (e.g., AWS, Azure, GCP). |
| DSPM.RiskFinding.complianceStandards | Unknown | The compliance standards relevant to the risk finding. |
| DSPM.RiskFinding.firstDiscovered | Date | The date the risk finding was first discovered. |
| DSPM.RiskFinding.id | String | The unique ID of the risk finding. |
| DSPM.RiskFinding.projectId | String | The project ID where the asset resides. |
| DSPM.RiskFinding.ruleName | String | The rule name associated with the risk finding. |
| DSPM.RiskFinding.severity | String | The severity of the risk finding (e.g., Low, Medium, High). |
| DSPM.RiskFinding.status | String | The current status of the risk finding (e.g., Open, Closed). |

Command example#

!dspm-get-risk-finding-by-id finding_id="00000000-0000-4f99-0000-616843b6b19e"

Context Example#

{
"DSPM": {
"RiskFinding": {
"id": "00000000-0000-4f99-0000-616843b6b19e",
"ruleName": "Empty storage asset",
"severity": "LOW",
"asset": {},
"status": "OPEN",
"projectId": "********",
"cloudProvider": "AWS",
"cloudEnvironment": "UNKNOWN",
"firstDiscovered": "2024-09-27T11:55:39.059125Z",
"complianceStandards": {}
}
}
}

Human Readable Output#

Results#

| Asset | Cloud Environment | Cloud Provider | Compliance Standards | First Discovered | ID | Project ID | Rule Name | Severity | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {} | UNKNOWN | AWS | {} | 2024-09-27T11:55:39.059125Z | 00000000-0000-4f99-0000-616843b6b19e | **** | Empty storage asset | LOW | OPEN |

dspm-list-assets#


Retrieves a list of assets for the company.

Base Command#

dspm-list-assets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| region_in | A comma-separated list of regions. | Optional |
| region_equal | The exact region. | Optional |
| cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| service_type_in | A comma-separated list of service types. | Optional |
| service_type_equal | The exact service type. | Optional |
| lifecycle_in | A comma-separated list of lifecycles. Possible values are: RUNNING, STOPPED, DELETED. | Optional |
| lifecycle_equal | The exact lifecycle. Possible values are: RUNNING, STOPPED, DELETED. | Optional |
| sort | The sorting criteria in the format: property,(asc\|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional |
| limit | The maximum number of assets to retrieve. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.Asset.dataTypes | Unknown | Data types associated with the asset. |
| DSPM.Asset.dataTypeGroups | Unknown | Data type groups associated with the asset. |
| DSPM.Asset.assetDigTags | Unknown | Dig tags associated with the asset. |
| DSPM.Asset.cloudEnvironment | String | The cloud environment in which the asset exists. |
| DSPM.Asset.cloudProvider | String | The cloud provider for the asset. |
| DSPM.Asset.encrypted | Boolean | Indicates if the asset is encrypted. |
| DSPM.Asset.id | String | The unique identifier of the asset. |
| DSPM.Asset.lifecycle | String | Lifecycle status of the asset. |
| DSPM.Asset.name | String | The name of the asset. |
| DSPM.Asset.openAlertsCount | Number | The count of open alerts for the asset. |
| DSPM.Asset.openRisksCount | Number | The count of open risks for the asset. |
| DSPM.Asset.openToWorld | Boolean | Indicates if the asset is open to the world. |
| DSPM.Asset.projectId | String | The ID of the project associated with the asset. |
| DSPM.Asset.projectName | String | The name of the project associated with the asset. |
| DSPM.Asset.serviceType | String | The type of service associated with the asset. |
| DSPM.Asset.tags | Unknown | Tags related to the asset. |

Command example#

!dspm-list-assets cloud_provider_equal=AWS service_type_equal=S3

Context Example#

{
"DSPM": {
"Assets": [{
"projectId": "************",
"projectName": "************",
"name": "dymmy-ci0jq3kgvjnccdfp-us-east-1",
"cloudProvider": "AWS",
"cloudEnvironment": "TESTING",
"serviceType": "S3",
"dataTypeGroups": [],
"dataTypes": [],
"lifecycle": "RUNNING",
"openRisksCount": 0,
"openAlertsCount": 0,
"encrypted": true,
"openToWorld": false,
"tags": {},
"assetDigTags": [],
"id": "arn:aws:s3:::dymmy-ci0jq3kgvjnccdfp-us-east-1"
}]
}
}

Human Readable Output#

Results#

| Asset Dig Tags | Cloud Environment | Cloud Provider | Encrypted | ID | Lifecycle | Name | Open Alerts Count | Open Risks Count | Open To World | Project ID | Project Name | Service Type | Tags | Data Type Groups | Data Types |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | TESTING | AWS | true | arn:aws:s3:::dymmy-ci0jq3kgvjnccdfp-us-east-1 | RUNNING | dymmy-ci0jq3kgvjnccdfp-us-east-1 | 0 | 0 | false | **** | **** | S3 | | | |

dspm-get-asset-details#


Retrieves details for the specified asset ID.

Base Command#

dspm-get-asset-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset for which to retrieve details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.AssetDetails.assetDigTags | Unknown | The dig tags associated with the asset. |
| DSPM.AssetDetails.cloudEnvironment | String | The cloud environment in which the asset exists. |
| DSPM.AssetDetails.cloudProvider | String | The cloud provider for the asset (e.g., AWS, Azure, GCP). |
| DSPM.AssetDetails.dataTypeGroups | Unknown | Groups of data types associated with the asset. |
| DSPM.AssetDetails.dataTypes | Unknown | The data types related to the asset. |
| DSPM.AssetDetails.encrypted | Boolean | Indicates if the asset is encrypted. |
| DSPM.AssetDetails.id | String | The unique identifier of the asset. |
| DSPM.AssetDetails.lifecycle | String | The lifecycle status of the asset. |
| DSPM.AssetDetails.name | String | The name of the asset. |
| DSPM.AssetDetails.openAlertsCount | Number | The count of open alerts for the asset. |
| DSPM.AssetDetails.openRisksCount | Number | The count of open risks for the asset. |
| DSPM.AssetDetails.openToWorld | Boolean | Indicates if the asset is open to the world. |
| DSPM.AssetDetails.projectId | String | The ID of the project associated with the asset. |
| DSPM.AssetDetails.projectName | String | The name of the project associated with the asset. |
| DSPM.AssetDetails.serviceType | String | The type of service associated with the asset. |
| DSPM.AssetDetails.tags | Unknown | Tags related to the asset. |

Command example#

!dspm-get-asset-details asset_id="arn:aws:s3:::dummyS3-cifp-us-east-1"

Context Example#

{
"DSPM": {
"AssetDetails": {
"assetDigTags": [],
"cloudEnvironment": "TESTING",
"cloudProvider": "AWS",
"dataTypeGroups": [],
"dataTypes": [],
"encrypted": true,
"id": "arn:aws:s3:::dummyS3-cifp-us-east-1",
"lifecycle": "RUNNING",
"name": "dymmy-ci0jq3kgvjnccdfp-us-east-1",
"openAlertsCount": 0,
"openRisksCount": 0,
"openToWorld": false,
"projectId": "************",
"projectName": "************",
"serviceType": "S3",
"tags": {}
}
}
}

Human Readable Output#

Results#

| assetDigTags | cloudEnvironment | cloudProvider | dataTypeGroups | dataTypes | encrypted | id | lifecycle | name | openAlertsCount | openRisksCount | openToWorld | projectId | projectName | serviceType | tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | TESTING | AWS | | | true | arn:aws:s3:::dummyS3-cifp-us-east-1 | RUNNING | dymmy-ci0jq3kgvjnccdfp-us-east-1 | 0 | 0 | false | **** | **** | S3 | |

dspm-get-asset-files-by-id#


Retrieves file details for the specified asset ID.

Base Command#

dspm-get-asset-files-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset for which to retrieve file details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.AssetFiles.filename | String | Asset file name. |
| DSPM.AssetFiles.path | String | Asset file path. |
| DSPM.AssetFiles.type | String | Asset file type. |
| DSPM.AssetFiles.size | String | Asset file size. |
| DSPM.AssetFiles.openToWorld | Boolean | Whether the asset is open to the world. |
| DSPM.AssetFiles.isDeleted | Boolean | Whether the asset is deleted. |
| DSPM.AssetFiles.isMalicious | Boolean | Whether the asset is malicious. |
| DSPM.AssetFiles.dataTypes.name | String | Asset file data type name. |
| DSPM.AssetFiles.dataTypes.label | String | Asset file data type label. |
| DSPM.AssetFiles.dataTypes.count | Number | Asset file data type count. |
| DSPM.AssetFiles.dataTypes.valueDetails.masked_value | String | Asset file data type value detail: masked value. |
| DSPM.AssetFiles.dataTypes.valueDetails.line | Number | Asset file data type value detail: line. |
| DSPM.AssetFiles.labels | String | Asset file labels. |
| DSPM.AssetFiles.isDbDump | Boolean | Whether the asset file is a database dump. |

Command example#

!dspm-get-asset-files-by-id asset_id="arn:aws:s3:::dummyS3-cifp-us-east-1"

Context Example#

{
"files": [
{
"filename": "268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv",
"path": "268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv",
"type": "Data Format",
"size": "17081",
"openToWorld": true,
"isDeleted": false,
"isMalicious": false,
"dataTypes": [
{
"name": "IP Address",
"label": "Sensitive",
"count": 100,
"valueDetails": [
{
"masked_value": "20.163.*.*",
"line": 3
},
{
"masked_value": "38.229.*.*",
"line": 4
},
{
"masked_value": "45.136.*.*",
"line": 5
}
]
},
{
"name": "Internal IP Address",
"label": "Sensitive",
"count": 100,
"valueDetails": [
{
"masked_value": "10.0.*.*",
"line": 2
},
{
"masked_value": "10.0.*.*",
"line": 8
},
{
"masked_value": "10.0.*.*",
"line": 14
}
]
}
],
"labels": [
"Sensitive"
],
"isDbDump": false
},
{
"filename": "data security test cases.pdf",
"path": "data security test cases.pdf",
"type": "Document",
"size": "73286",
"openToWorld": true,
"isDeleted": false,
"isMalicious": false,
"dataTypes": [
{
"name": "Street Address",
"label": "Sensitive",
"count": 1,
"valueDetails": [
{
"masked_value": "3** E*** R******* Street",
"line": null
}
]
},
{
"name": "Email Address",
"label": "PII",
"count": 1,
"valueDetails": [
{
"masked_value": "t**t@b****l.com",
"line": null
}
]
}
],
"labels": [
"PII",
"Sensitive"
],
"isDbDump": false
}
],
"filesCount": 2
}

Human Readable Output#

| filename | path | type | size | openToWorld | isDeleted | isMalicious | dataTypes | labels | isDbDump |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv | 268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv | Data Format | 17081 | true | false | false | IP Address (Sensitive), Internal IP Address (Sensitive) | Sensitive | false |
| data security test cases.pdf | data security test cases.pdf | Document | 73286 | true | false | false | Street Address (Sensitive), Email Address (PII) | PII, Sensitive | false |
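The files payload above is what a remediation playbook has to prioritise: which world-readable files hold the most sensitive records. The following added Python example (not the integration's own code) scores an asset's files by exposure using the fields the command returns; the constructed sample response and the LABEL_WEIGHT ordering are assumptions to adjust to your own classification scheme.

```python
"""Triage helper for dspm-get-asset-files-by-id output (added example, not the
integration's own code). Ranks an asset's files by exposure so an analyst sees
which world-readable files carry the most sensitive data."""
import json

# Constructed sample modelled on the page's context example (not real data).
SAMPLE_RESPONSE = json.loads("""
{
  "files": [
    {"filename": "export.csv", "path": "export.csv", "type": "Data Format",
     "size": "17081", "openToWorld": true, "isDeleted": false, "isMalicious": false,
     "dataTypes": [
       {"name": "IP Address", "label": "Sensitive", "count": 100,
        "valueDetails": [{"masked_value": "20.163.*.*", "line": 3}]},
       {"name": "Credit Card Number", "label": "PCI", "count": 12,
        "valueDetails": [{"masked_value": "4***-****-****-1234", "line": 9}]}
     ],
     "labels": ["Sensitive", "PCI"], "isDbDump": false},
    {"filename": "notes.pdf", "path": "docs/notes.pdf", "type": "Document",
     "size": "73286", "openToWorld": false, "isDeleted": false, "isMalicious": false,
     "dataTypes": [{"name": "Email Address", "label": "PII", "count": 1,
                    "valueDetails": [{"masked_value": "t**t@b****l.com", "line": null}]}],
     "labels": ["PII"], "isDbDump": false},
    {"filename": "old.sql", "path": "backup/old.sql", "type": "Data Format",
     "size": "500", "openToWorld": true, "isDeleted": true, "isMalicious": false,
     "dataTypes": [], "labels": [], "isDbDump": true}
  ],
  "filesCount": 3
}
""")

# Weight per DSPM label; assumed ordering, tune to your own classification scheme.
LABEL_WEIGHT = {"PCI": 4, "PHI": 4, "PII": 3, "Confidential": 2, "Sensitive": 1}


def file_score(f):
    """Exposure score: label weight x record count, doubled if world-readable
    and doubled again if the file is a database dump. Deleted files score 0."""
    if f.get("isDeleted"):
        return 0
    score = sum(LABEL_WEIGHT.get(dt.get("label"), 1) * int(dt.get("count", 0))
                for dt in f.get("dataTypes", []))
    if f.get("openToWorld"):
        score *= 2
    if f.get("isDbDump"):
        score *= 2
    return score


def triage_files(response, min_score=1):
    """Return live files with score >= min_score, highest exposure first."""
    rows = []
    for f in response.get("files", []):
        s = file_score(f)
        if s >= min_score:
            rows.append({"path": f["path"],
                         "openToWorld": bool(f.get("openToWorld")),
                         "labels": sorted(set(f.get("labels", []))),
                         "types": [dt["name"] for dt in f.get("dataTypes", [])],
                         "score": s})
    rows.sort(key=lambda r: (-r["score"], r["path"]))
    return rows


def exposed_record_total(response):
    """Count sensitive records sitting in world-readable, non-deleted files."""
    return sum(int(dt.get("count", 0))
               for f in response.get("files", [])
               if f.get("openToWorld") and not f.get("isDeleted")
               for dt in f.get("dataTypes", []))


if __name__ == "__main__":
    for row in triage_files(SAMPLE_RESPONSE):
        print(f"{row['score']:>5}  {row['path']}  open={row['openToWorld']}  {row['labels']}")
    print("exposed records:", exposed_record_total(SAMPLE_RESPONSE))
```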

dspm-get-list-of-asset-fields-by-id#


Returns the list of fields for structured assets such as RDS, Aurora, and BigQuery.

Base Command#

dspm-get-list-of-asset-fields-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| assetId | ID of the asset for which to retrieve field details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.AssetFields.name | String | Asset field name. |
| DSPM.AssetFields.path | String | Asset field path. |
| DSPM.AssetFields.tableName | String | Asset field table name. |
| DSPM.AssetFields.tableSize | String | Asset field table size. |
| DSPM.AssetFields.databaseName | String | Asset field database name. |
| DSPM.AssetFields.collectionName | String | Asset field collection name. |
| DSPM.AssetFields.type | String | Asset field type. |
| DSPM.AssetFields.dataTypes.name | String | Asset field data type name. |
| DSPM.AssetFields.dataTypes.label | String | Asset field data type label. |
| DSPM.AssetFields.dataTypes.hitPercentage | Number | Asset field data type hit percentage. |
| DSPM.AssetFields.dataTypes.maskedValues.masked_value | String | Asset field data type masked value. |
| DSPM.AssetFields.dataTypes.maskedValues.line | Number | Asset field data type masked value line. |
| DSPM.AssetFields.schemaName | String | Asset field schema name. |

Command example#

!dspm-get-list-of-asset-fields-by-id assetId="arn:aws:rds:::dummyrds-cifp-us-east-1"

Context Example#

{
"fields": [
{
"name": "maidenname",
"dataTypes": [],
"path": "/public/dummy",
"tableName": "dummy",
"tableSize": "29996",
"databaseName": "Hi",
"collectionName": null,
"type": "varchar",
"schemaName": "public"
},
{
"name": "phone",
"dataTypes": [],
"path": "/public/dummy",
"tableName": "dummy",
"tableSize": "29996",
"databaseName": "Hi",
"collectionName": null,
"type": "varchar",
"schemaName": "public"
}
],
"fieldsCount": 2
}

Human Readable Output#

Asset Fields#

| name | dataTypes | path | tableName | tableSize | databaseName | collectionName | type | schemaName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| maidenname | [] | /public/dummy | dummy | 29996 | Hi | null | varchar | public |
| maidenname | [] | /public/dummy | dummy | 29996 | Hi | null | varchar | public |

dspm-get-data-types#


Fetches the available data types for the DSPM integration.

Base Command#

dspm-get-data-types

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.DataTypes.Key | String | Data type key. |
| DSPM.DataTypes.No | Number | Data type number. |

Command example#

!dspm-get-data-types

Context Example#

{
"DSPM": {
"DataTypes": [
{
"Key": "ID Number - Aadhaar (India)",
"No": 1
},
{
"Key": "Artifactory API Key",
"No": 2
},
{
"Key": "AWS Secret Key",
"No": 3
},
{
"Key": "Credit Card Expiration Date",
"No": 4
},
{
"Key": "Certificate",
"No": 5
}
]
}
}

Human Readable Output#

Data Types#

| No | Key |
| --- | --- |
| 1 | ID Number - Aadhaar (India) |
| 2 | Artifactory API Key |
| 3 | AWS Secret Key |
| 4 | Credit Card Expiration Date |
| 5 | Certificate |

dspm-list-labels#


Returns a list of label names based on the company.

Base Command#

dspm-list-labels

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.Label.Key | String | Label key. |
| DSPM.Label.No | Unknown | Label number. |

Command example#

!dspm-list-labels

Context Example#

{
"DSPM": {
"Label": [
{
"Key": "PCI",
"No": 1
},
{
"Key": "PHI",
"No": 2
},
{
"Key": "PII",
"No": 3
},
{
"Key": "Confidential",
"No": 4
},
{
"Key": "Sensitive",
"No": 5
}
]
}
}

Human Readable Output#

Data Types#

| No | Key |
| --- | --- |
| 1 | PCI |
| 2 | PHI |
| 3 | PII |
| 4 | Confidential |
| 5 | Sensitive |

dspm-list-data-types-findings#


Retrieves a list of data type findings for the company.

Base Command#

dspm-list-data-types-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| region_in | A comma-separated list of regions. | Optional |
| region_equal | The exact region. | Optional |
| cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| service_type_in | A comma-separated list of service types. | Optional |
| service_type_equal | The exact service type. | Optional |
| lifecycle_in | A comma-separated list of lifecycles. | Optional |
| projectId_in | A comma-separated list of project IDs. | Optional |
| projectId_equal | The exact project ID. | Optional |
| lifecycle_equal | The exact lifecycle. | Optional |
| sort | The sorting criteria in the format: property,(asc\|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional |
| limit | The maximum number of data type findings to retrieve. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.DataTypesFinding.dataTypeName | String | The name of the data type being analyzed. |
| DSPM.DataTypesFinding.label | String | Label associated with the data type, such as PII. |
| DSPM.DataTypesFinding.records | Integer | The number of records associated with the data type. |
| DSPM.DataTypesFinding.publicRecords | Integer | The number of public records found for this data type. |
| DSPM.DataTypesFinding.assets | Integer | The number of assets associated with this data type. |
| DSPM.DataTypesFinding.clouds | String | The clouds where the data type was found (e.g., AWS, Azure). |
| DSPM.DataTypesFinding.regions | String | The regions where the data type was found. |
| DSPM.DataTypesFinding.lastFound | Date | The timestamp when the data type was last found. |
| DSPM.DataTypesFinding.recordsAtRisk.high | Integer | The number of high-risk records found for this data type. |
| DSPM.DataTypesFinding.recordsAtRisk.medium | Integer | The number of medium-risk records found for this data type. |
| DSPM.DataTypesFinding.recordsAtRisk.low | Integer | The number of low-risk records found for this data type. |

Command example#

!dspm-list-data-types-findings cloud_provider_equal=AWS

Context Example#

[{
"dataTypeName": "AADHAAR_INDIVIDUAL_IDENTIFICATION",
"label": "PII",
"records": 4,
"publicRecords": 0,
"assets": 1,
"clouds": [
"AWS"
],
"regions": [
"us-east-1"
],
"lastFound": "2024-05-09T03:24:29Z",
"recordsAtRisk": {
"high": 0,
"medium": 4,
"low": 0
}
}]

Human Readable Output#

Data Types Findings#

| dataTypeName | label | records | publicRecords | assets | clouds | regions | lastFound | recordsAtRisk.high | recordsAtRisk.medium | recordsAtRisk.low |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AADHAAR_INDIVIDUAL_IDENTIFICATION | PII | 4 | 0 | 1 | AWS | us-east-1 | 2024-05-09T03:24:29Z | 0 | 4 | 0 |

dspm-update-risk-finding-status#


Updates the status of a risk finding.

Base Command#

dspm-update-risk-finding-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| risk_finding_id | Risk finding ID. | Required |
| status | The new status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.RiskFindingStatusUpdate.newStatus | String | Updated risk finding status. |
| DSPM.RiskFindingStatusUpdate.oldStatus | String | Old risk finding status. |
| DSPM.RiskFindingStatusUpdate.riskFindingId | String | Risk finding ID. |

Command example#

!dspm-update-risk-finding-status risk_finding_id="00000000-0000-4f99-0000-616843b6b19e" status=INVESTIGATING

Context Example#

{
"DSPM": {
"RiskFindingStatusUpdate": {
"newStatus": "INVESTIGATING",
"oldStatus": "INVESTIGATING",
"riskFindingId": "00000000-0000-4f99-0000-616843b6b19e"
}
}
}

Human Readable Output#

Risk Status Update#

| Risk Finding ID | Old Status | New Status |
| --- | --- | --- |
| 00000000-0000-4f99-0000-616843b6b19e | INVESTIGATING | INVESTIGATING |

dspm-update-alert-status#


Updates the status of an alert.

Base Command#

dspm-update-alert-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID. | Required |
| status | The new status. Possible values are: OPEN, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.AlertStatusUpdate.newStatus | String | Updated alert status. |
| DSPM.AlertStatusUpdate.oldStatus | String | Old alert status. |
| DSPM.AlertStatusUpdate.alertId | String | Alert ID. |

Command example#

!dspm-update-alert-status alert_id="000000608" status=INVESTIGATING

Context Example#

{
"DSPM": {
"AlertStatusUpdate": {
"newStatus": "INVESTIGATING",
"oldStatus": "INVESTIGATING",
"alertId": "000000608"
}
}
}

Human Readable Output#

Alert Status Update#

| Alert ID | Old Status | New Status |
| --- | --- | --- |
| 000000608 | INVESTIGATING | INVESTIGATING |

dspm-list-alerts#


Fetches a list of alerts.

Base Command#

dspm-list-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detection_time_equals | The exact detection time (equals). Detection time format: YYYY-MM-DDTHH:MM:SSZ. | Optional |
| detection_time_greater_than_or_equal | Detection time (greater than or equal). Detection time format: YYYY-MM-DDTHH:MM:SSZ. | Optional |
| detection_time_greater_than | Detection time (greater than). Detection time format: YYYY-MM-DDTHH:MM:SSZ. | Optional |
| detection_time_less_than_or_equal | Detection time (less than or equal). Detection time format: YYYY-MM-DDTHH:MM:SSZ. | Optional |
| detection_time_less_than | Detection time (less than). Detection time format: YYYY-MM-DDTHH:MM:SSZ. | Optional |
| policy_name_in | A comma-separated list of policy names. | Optional |
| policy_name_equals | The exact policy name. | Optional |
| asset_name_in | A comma-separated list of asset names. | Optional |
| asset_name_equals | The exact asset name. | Optional |
| cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| cloud_provider_equals | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
| destination_project_vendor_name_in | A comma-separated list of destination project vendor names. | Optional |
| destination_project_vendor_name_equals | The exact destination project vendor name. | Optional |
| cloud_environment_in | A comma-separated list of cloud environments. Possible values are: UNKNOWN, DEVELOPMENT, STAGING, TESTING, PRODUCTION. | Optional |
| cloud_environment_equals | The exact cloud environment. Possible values are: UNKNOWN, DEVELOPMENT, STAGING, TESTING, PRODUCTION. | Optional |
| policy_severity_in | A comma-separated list of policy severities. Possible values are: HIGH, MEDIUM, LOW. | Optional |
| policy_severity_equals | The exact policy severity. Possible values are: HIGH, MEDIUM, LOW. | Optional |
| category_type_in | A comma-separated list of category types. Possible values are: FIRST_MOVE, ATTACK, COMPLIANCE, ASSET_AT_RISK, RECONNAISSANCE. | Optional |
| category_type_equals | The exact category type. Possible values are: FIRST_MOVE, ATTACK, COMPLIANCE, ASSET_AT_RISK, RECONNAISSANCE. | Optional |
| status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
| status_equals | The exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
| sort | Sort order (property,asc\|desc). | Optional |
| limit | The maximum number of alerts to retrieve. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DSPM.Alert.id | String | Alert ID. |
| DSPM.Alert.detectionTime | Date | Alert detection time. |
| DSPM.Alert.policyName | String | Alert policy name. |
| DSPM.Alert.assetName | String | Alert asset name. |
| DSPM.Alert.assetLabels | Unknown | Alert asset labels. |
| DSPM.Alert.cloudProvider | String | Alert cloud provider. |
| DSPM.Alert.destinationProjects | Unknown | Alert destination projects. |
| DSPM.Alert.cloudEnvironment | String | Alert cloud environment. |
| DSPM.Alert.policySeverity | String | Alert policy severity. |
| DSPM.Alert.policyCategoryType | String | Alert policy category type. |
| DSPM.Alert.status | String | Alert status. |
| DSPM.Alert.eventActor | String | Alert event actor. |
| DSPM.Alert.eventUserAgent | String | Alert event user agent. |
| DSPM.Alert.eventActionMedium | String | Alert event action medium. |
| DSPM.Alert.eventSource | String | Alert event source. |
| DSPM.Alert.policyFrameWorks | String | Alert policy frameworks. |
| DSPM.Alert.eventRawData | String | Alert event raw data (the originating cloud audit event as a JSON string). |

Command example#

!dspm-list-alerts cloud_environment_equals="TESTING"

Context Example#

{
"DSPM": {
"Alerts": [
{
"id": "340256006",
"detectionTime": "2024-08-07T18:55:50.64996Z",
"policyName": "Asset made public",
"assetName": "mikeys3",
"assetLabels": [],
"cloudProvider": "AWS",
"destinationProjects": {},
"cloudEnvironment": "TESTING",
"policySeverity": "HIGH",
"policyCategoryType": "ATTACK",
"status": "OPEN",
"eventActor": "dummy_email",
"eventUserAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.220-187.867.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
"eventActionMedium": "CONSOLE",
"eventSource": "***.**.**.***.***",
"policyFrameWorks": [
"MITRE-T1098"
],
"eventRawData": "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROASI3QR4HKUAIEPBICG:dummy_email\",\"arn\":\"arn:aws:sts::576847873638:assumed-role/sso_admin-tac-nam/dummy_email\",\"accountId\":\"576847873638\",\"accessKeyId\":\"ASIASI3QR4HK2LDI5JMN\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROASI3QR4HKUAIEPBICG\",\"arn\":\"arn:aws:iam::576847873638:role/sso_admin-tac-nam\",\"accountId\":\"576847873638\",\"userName\":\"sso_admin-tac-nam\"},\"attributes\":{\"creationDate\":\"2024-08-07T18:51:51Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-08-07T18:55:37Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"PutBucketPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"***.**.**.***.***\",\"userAgent\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.220-187.867.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"requestParameters\":{\"bucketPolicy\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Statement1\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:GetObject\",\"s3:ListBucketMultipartUploads\",\"s3:ListMultipartUploadParts\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::mikeys3\",\"arn:aws:s3:::mikeys3/*\"]}]},\"bucketName\":\"mikeys3\",\"Host\":\"s3.amazonaws.com\",\"policy\":\"\"},\"responseElements\":null,\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":568,\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"KXHYo+o2L/Gnk0pmKY+gV+0YufF6uGyD3GRwK+FXEJ7eai772ytOzbV9CwwoezhB5PPR/6RxZyhOyBowBOyQih\",\"bytesTransferredOut\":0},\"requestID\":\"CJ3J7M851NAGAF58\",\"eventID\":\"df06b9ad-79dc-4a17-ae0e-82ecff9cfa5e\",\"readOnly\":false,\"resources\":[{\"accountId\":\"576847873638\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::mikeys3\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"576847873638\",\"vpcEndpointId\":\"vpce-f40dc59d\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"s3.amazonaws.com\"}}"
}
]
}
}

Human Readable Output#

DSPM Alert#

| Alert ID | Detection Time | Policy Name | Asset Name | Cloud Provider | Cloud Environment | Policy Severity | Policy Category | Status | Event Actor | Event Action Medium | Event Source | Policy Frameworks | eventRawData |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 340256006 | 2024-08-07T18:55:50.64996Z | Asset made public | mikeys3 | AWS | TESTING | HIGH | ATTACK | OPEN | dummy_email | CONSOLE | *...*.*** | MITRE-T1098 | "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROASI3QR4HKUAIEPBICG:dummy_email\",\"arn\":\"arn:aws:sts::576847873638:assumed-role/sso_admin-tac-nam/dummy_email\",\"accountId\":\"576847873638\",\"accessKeyId\":\"ASIASI3QR4HK2LDI5JMN\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROASI3QR4HKUAIEPBICG\",\"arn\":\"arn:aws:iam::576847873638:role/sso_admin-tac-nam\",\"accountId\":\"576847873638\",\"userName\":\"sso_admin-tac-nam\"},\"attributes\":{\"creationDate\":\"2024-08-07T18:51:51Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-08-07T18:55:37Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"PutBucketPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"*...*.**\",\"userAgent\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.220-187.867.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"requestParameters\":{\"bucketPolicy\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Statement1\",\"Effect\":\"Allow\",\"Principal\":\"\",\"Action\":[\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:GetObject\",\"s3:ListBucketMultipartUploads\",\"s3:ListMultipartUploadParts\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::mikeys3\",\"arn:aws:s3:::mikeys3/*\"]}]},\"bucketName\":\"mikeys3\",\"Host\":\"s3.amazonaws.com\",\"policy\":\"\"},\"responseElements\":null,\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":568,\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"KXHYo+o2TWL/Gnk0pmKY+gV+0YufF6uGyD3GRwK+FXEJ7eai772ytOzbV9CwwoBq+pezhB5PPR/6RxZyhOyZltIBowBOyQih\",\"bytesTransferredOut\":0},\"requestID\":\"CJ3J7M851NAGAF58\",\"eventID\":\"df06b9ad-79dc-4a17-ae0e-82ecff9cfa5e\",\"readOnly\":false,\"resources\":[{\"accountId\":\"576847873638\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::mikeys3\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"576847873638\",\"vpcEndpointId\":\"vpce-f40dc59d\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"s3.amazonaws.com\"}}" |
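The eventRawData field of a DSPM.Alert entry carries the originating CloudTrail event as a JSON string, so a playbook has to parse it before it can reason about what changed. The following added Python example (not the integration's own code) does that for an "Asset made public" alert like the one above and pulls out what a responder checks first: which bucket policy statements grant access to Principal "*", whether any of them allow write actions, and whether the actor's session was MFA-authenticated. The sample alert, account ID, bucket name and ARNs are constructed placeholders.

```python
"""Enrichment for a DSPM.Alert entry returned by dspm-list-alerts (added
example, not the integration's own code). Parses the CloudTrail event held
in eventRawData and flags public-access grants and a non-MFA actor session."""
import json

# Constructed alert modelled on the page's context example; IDs, account and
# bucket names are placeholders, not real values.
SAMPLE_ALERT = {
    "id": "100000001",
    "detectionTime": "2024-08-07T18:55:50Z",
    "policyName": "Asset made public",
    "assetName": "example-bucket",
    "cloudProvider": "AWS",
    "policySeverity": "HIGH",
    "policyCategoryType": "ATTACK",
    "status": "OPEN",
    "eventActor": "user@example.com",
    "policyFrameWorks": ["MITRE-T1098"],
    "eventRawData": json.dumps({
        "eventVersion": "1.09",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/admin-role/user@example.com",
            "accountId": "123456789012",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "admin-role"},
                "attributes": {"creationDate": "2024-08-07T18:51:51Z",
                               "mfaAuthenticated": "false"},
            },
        },
        "eventTime": "2024-08-07T18:55:37Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "awsRegion": "us-east-1",
        "requestParameters": {
            "bucketName": "example-bucket",
            "bucketPolicy": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Sid": "Statement1", "Effect": "Allow", "Principal": "*",
                     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                     "Resource": ["arn:aws:s3:::example-bucket/*"]},
                    # A conditioned Deny on "*" is a common hardening statement,
                    # not an exposure; the check below must not flag it.
                    {"Sid": "Statement2", "Effect": "Deny", "Principal": "*",
                     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
                ],
            },
        },
        "eventType": "AwsApiCall",
        "managementEvent": True,
    }),
}


def _is_public_principal(principal):
    """True for "*" or {"AWS": "*"} (the AWS value may also be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _as_list(v):
    return v if isinstance(v, list) else [v]


def public_allow_statements(policy):
    """Return Allow statements granting Principal "*" with no Condition."""
    found = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and _is_public_principal(st.get("Principal"))
                and not st.get("Condition")):
            found.append({"sid": st.get("Sid"),
                          "actions": _as_list(st.get("Action", [])),
                          "resources": _as_list(st.get("Resource", []))})
    return found


def enrich_alert(alert):
    """Parse eventRawData and summarise the facts a responder needs."""
    event = json.loads(alert["eventRawData"])
    identity = event.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    params = event.get("requestParameters", {})
    public = public_allow_statements(params.get("bucketPolicy", {}))
    return {
        "alertId": alert["id"],
        "eventName": event.get("eventName"),
        "bucket": params.get("bucketName"),
        "actorArn": identity.get("arn"),
        "mfaAuthenticated": attrs.get("mfaAuthenticated") == "true",
        "publicStatements": public,
        # Write actions granted to everyone are worse than read-only exposure.
        "publicWriteActions": sorted(a for st in public for a in st["actions"]
                                     if a.split(":")[-1].startswith(("Put", "Delete"))),
        "mitre": alert.get("policyFrameWorks", []),
    }


if __name__ == "__main__":
    print(json.dumps(enrich_alert(SAMPLE_ALERT), indent=2))
```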