Prisma Cloud DSPM
DSPM Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
#
OverviewThe Prisma Cloud DSPM(Data Security Posture Management) integration enhances the management and remediation of DSPM risks. The integration provides users with actionable data, insights and a seamless workflow for addressing potential security threats.
#
Use Cases- Remediation of DSPM out-of-the-box risks based on automated playbooks.
- Close or update risks by interacting with DSPM API using a dedicated list of building blocks.
- Distribute DSPM risks to other systems.
#
Prerequisites- An active Prisma Cloud DSPM account
- Slack V3 Pack
- AWS-S3 Pack
- Core REST APIs pack
- Atlassian Jira v3 Pack
- Google Cloud Storage Pack ( Optional )
- Azure Storage Container Pack ( Optional )
#
Configure Cortex XSOAR on Prisma Cloud DSPM- Log in to you Prisma Cloud DSPM platform.
- Navigate to Settings > Workflow > XSOAR.
- Click Connect to create and configure a new XSOAR integration.
- XSOAR link - Add the XSOAR API URL.
- Notified On - Select the Risks option.
- Severity Threshold - Set the severity threshold to receive notifications for assets that fall under that severity.
- Filter By Tags - Notifications will be sent for assets that match any of the selected tags.
- Advanced - Add required headers Authorization and x-xdr-auth-id
#
Configure Prisma Cloud DSPM on Cortex XSOARNavigate to Settings & Info > Settings > Integrations > Instances.
Search for Prisma Cloud DSPM.
Click Add instance to create and configure a new integration instance.
Parameter Description Required DSPM server URL The tenant URL of the Prisma Cloud DSPM True DSPM API Key API key to use for the connection. True Trust any certificate (not secure) False Use system proxy settings False Fetch incidents False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
dspm-list-risk-findingsRetrieves risk findings matching the input criteria.
#
Base Commanddspm-list-risk-findings
#
InputArgument Name | Description | Required |
---|---|---|
rule_name_in | A comma-separated list of rule names. | Optional |
rule_name_equal | The exact rule name. | Optional |
dspm_tag_key_in | A comma-separated list of DSPM tag keys. | Optional |
dspm_tag_key_equal | Exact DSPM tag key. | Optional |
dspm_tag_value_in | A comma-separated list of DSPM tag values. | Optional |
dspm_tag_value_equal | The exact DSPM tag value. | Optional |
projectId_in | A comma-separated list of project IDs. | Optional |
projectId_equal | The exact project ID. | Optional |
cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. Default is AWS. | Optional |
cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
affects_in | A comma-separated list of affects. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, SECURITY_AND_GOVERNANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional |
affects_equal | The exact effect. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional |
status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
status_equal | The exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
sort | The sort order. | Optional |
limit | The maximum number of risk findings to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.RiskFinding.asset | Unknown | The asset details associated with the risk finding. |
DSPM.RiskFinding.cloudEnvironment | String | The cloud environment (public or private) associated with the risk finding. |
DSPM.RiskFinding.cloudProvider | String | The cloud provider associated with the risk finding (e.g., AWS, Azure, GCP). |
DSPM.RiskFinding.complianceStandards | Unknown | The compliance standards relevant to the risk finding. |
DSPM.RiskFinding.firstDiscovered | Date | The date the risk finding was first discovered. |
DSPM.RiskFinding.id | String | The unique ID of the risk finding. |
DSPM.RiskFinding.projectId | String | The project ID where the asset resides. |
DSPM.RiskFinding.ruleName | String | The rule name associated with the risk finding. |
DSPM.RiskFinding.severity | String | The severity of the risk finding (e.g., Low, Medium, High). |
DSPM.RiskFinding.status | String | The current status of the risk finding (e.g., Open, Closed). |
#
Command example!dspm-list-risk-findings
#
Context Example#
Human Readable Output#
Results
Asset Cloud Environment Cloud Provider Compliance Standards First Discovered ID Project ID Rule Name Severity Status {} UNKNOWN AWS {} 2024-09-27T11:55:39.059125Z 00000000-0000-4f99-0000-616843b6b19e **** Empty storage asset LOW OPEN
#
dspm-get-risk-finding-by-idRetrieves the details of a risk for the provided risk ID.
#
Base Commanddspm-get-risk-finding-by-id
#
InputArgument Name | Description | Required |
---|---|---|
finding_id | ID of the risk for which to retrieve details. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.RiskFinding.asset | Unknown | The asset details associated with the risk finding. |
DSPM.RiskFinding.cloudEnvironment | String | The cloud environment (public or private) associated with the risk finding. |
DSPM.RiskFinding.cloudProvider | String | The cloud provider associated with the risk finding (e.g., AWS, Azure, GCP). |
DSPM.RiskFinding.complianceStandards | Unknown | The compliance standards relevant to the risk finding. |
DSPM.RiskFinding.firstDiscovered | Date | The date the risk finding was first discovered. |
DSPM.RiskFinding.id | String | The unique ID of the risk finding. |
DSPM.RiskFinding.projectId | String | The project ID where the asset resides. |
DSPM.RiskFinding.ruleName | String | The rule name associated with the risk finding. |
DSPM.RiskFinding.severity | String | The severity of the risk finding (e.g., Low, Medium, High). |
DSPM.RiskFinding.status | String | The current status of the risk finding (e.g., Open, Closed). |
#
Command example!dspm-get-risk-finding-by-id finding_id="00000000-0000-4f99-0000-616843b6b19e"
#
Context Example#
Human Readable Output#
Results
Asset Cloud Environment Cloud Provider Compliance Standards First Discovered ID Project ID Rule Name Severity Status {} UNKNOWN AWS {} 2024-09-27T11:55:39.059125Z 00000000-0000-4f99-0000-616843b6b19e **** Empty storage asset LOW OPEN
#
dspm-list-assetsRetrieves a list of assets for the company.
#
Base Commanddspm-list-assets
#
InputArgument Name | Description | Required |
---|---|---|
region_in | A comma-separated list of regions. | Optional |
region_equal | The exact region. | Optional |
cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
service_type_in | A comma-separated list of service types. | Optional |
service_type_equal | The exact service type. | Optional |
lifecycle_in | A comma-separated list of life cycles. Possible values are: RUNNING, STOPPED, DELETED. | Optional |
lifecycle_equal | The exact lifecycle. Possible values are: RUNNING, STOPPED, DELETED. | Optional |
sort | The sorting criteria in the format: property,(asc|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional |
limit | The maximum number of assets to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.Asset.dataTypes | Unknown | Data types associated with the asset. |
DSPM.Asset.dataTypeGroups | Unknown | Data type groups associated with the asset. |
DSPM.Asset.assetDigTags | Unknown | Dig tags associated with the asset. |
DSPM.Asset.cloudEnvironment | String | The cloud environment in which the asset exists. |
DSPM.Asset.cloudProvider | String | The cloud provider for the asset. |
DSPM.Asset.encrypted | Boolean | Indicates if the asset is encrypted. |
DSPM.Asset.id | String | The unique identifier of the asset. |
DSPM.Asset.lifecycle | String | Lifecycle status of the asset. |
DSPM.Asset.name | String | The name of the asset. |
DSPM.Asset.openAlertsCount | Number | The count of open alerts for the asset. |
DSPM.Asset.openRisksCount | Number | The count of open risks for the asset. |
DSPM.Asset.openToWorld | Boolean | Indicates if the asset is open to the world. |
DSPM.Asset.projectId | String | The ID of the project associated with the asset. |
DSPM.Asset.projectName | String | The name of the project associated with the asset. |
DSPM.Asset.serviceType | String | The type of service associated with the asset. |
DSPM.Asset.tags | Unknown | Tags related to the asset. |
#
Command example!dspm-list-assets cloudProviderEqual=AWS serviceTypeEqual=S3
#
Context Example#
Human Readable Output#
Results
Asset Dig Tags Cloud Environment Cloud Provider Encrypted ID Lifecycle Name Open Alerts Count Open Risks Count Open To World Project ID Project Name Service Type Tags Data Type Groups Data Types TESTING AWS true arn:aws:s3:::dymmy-ci0jq3kgvjnccdfp-us-east-1 RUNNING dymmy-ci0jq3kgvjnccdfp-us-east-1 0 0 false **** **** S3
#
dspm-get-asset-detailsRetrieves details for the specified asset ID.
#
Base Commanddspm-get-asset-details
#
InputArgument Name | Description | Required |
---|---|---|
asset_id | ID of the asset for which to retrieve details. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.AssetDetails.assetDigTags | Unknown | The dig tags associated with the asset. |
DSPM.AssetDetails.cloudEnvironment | String | The cloud environment in which the asset exists. |
DSPM.AssetDetails.cloudProvider | String | The cloud provider for the asset (e.g., AWS, Azure, GCP). |
DSPM.AssetDetails.dataTypeGroups | Unknown | Groups of data types associated with the asset. |
DSPM.AssetDetails.dataTypes | Unknown | The data types related to the asset. |
DSPM.AssetDetails.encrypted | Boolean | Indicates if the asset is encrypted. |
DSPM.AssetDetails.id | String | The unique identifier of the asset. |
DSPM.AssetDetails.lifecycle | String | The lifecycle status of the asset. |
DSPM.AssetDetails.name | String | The name of the asset. |
DSPM.AssetDetails.openAlertsCount | Number | The count of open alerts for the asset. |
DSPM.AssetDetails.openRisksCount | Number | The count of open risks for the asset. |
DSPM.AssetDetails.openToWorld | Boolean | Indicates if the asset is open to the world. |
DSPM.AssetDetails.projectId | String | The ID of the project associated with the asset. |
DSPM.AssetDetails.projectName | String | The name of the project associated with the asset. |
DSPM.AssetDetails.serviceType | String | The type of service associated with the asset. |
DSPM.AssetDetails.tags | Unknown | Tags related to the asset. |
#
Command example!dspm-get-asset-details asset_id="arn:aws:s3:::dummyS3-cifp-us-east-1"
#
Context Example#
Human Readable Output#
Results
assetDigTags cloudEnvironment cloudProvider dataTypeGroups dataTypes encrypted id lifecycle name openAlertsCount openRisksCount openToWorld projectId projectName serviceType tags TESTING AWS true arn:aws:s3:::dummyS3-cifp-us-east-1 RUNNING dymmy-ci0jq3kgvjnccdfp-us-east-1 0 0 false **** **** S3
#
dspm-get-asset-files-by-idRetrieves file details for the specified asset ID.
#
Base Commanddspm-get-asset-files-by-id
#
InputArgument Name | Description | Required |
---|---|---|
asset_id | ID of the asset for which to retrieve file details. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.AssetFiles.filename | String | Asset file name. |
DSPM.AssetFiles.path | String | Asset file path. |
DSPM.AssetFiles.type | String | Asset file type. |
DSPM.AssetFiles.size | String | Asset file size. |
DSPM.AssetFiles.openToWorld | Boolean | Whether the asset is open to world. |
DSPM.AssetFiles.isDeleted | Boolean | Whether the asset is deleted. |
DSPM.AssetFiles.isMalicious | Boolean | Whether the asset is malicious. |
DSPM.AssetFiles.dataTypes.name | String | Asset file data types name. |
DSPM.AssetFiles.dataTypes.label | String | Asset file data types label. |
DSPM.AssetFiles.dataTypes.count | Number | Asset file data types count. |
DSPM.AssetFiles.dataTypes.valueDetails.masked_value | String | Asset file data types value detail masked value. |
DSPM.AssetFiles.dataTypes.valueDetails.line | Number | Asset file data types value detail line. |
DSPM.AssetFiles.labels | String | Asset file labels. |
DSPM.AssetFiles.isDbDump | Boolean | Asset file is a database dump. |
#
Command example!dspm-get-asset-files-by-id asset_id="arn:aws:s3:::dummyS3-cifp-us-east-1"
#
Context Example#
Human Readable Output
filename path type size openToWorld isDeleted isMalicious dataTypes labels isDbDump 268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv 268d4e2d-03f2-4044-b82d-8855b2e77f8d.csv Data Format 17081 true false false IP Address (Sensitive), Internal IP Address (Sensitive) Sensitive false data security test cases.pdf data security test cases.pdf Document 73286 true false false Street Address (Sensitive), Email Address (PII) PII, Sensitive false
#
dspm-get-list-of-asset-fields-by-idReturn list of fields for structured assets such as RDS, Aurora, and BigQuery.
#
Base Commanddspm-get-list-of-asset-fields-by-id
#
InputArgument Name | Description | Required |
---|---|---|
assetId | ID of the asset for which to retrieve field details. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.AssetFields.name | String | Asset field name. |
DSPM.AssetFields.path | String | Asset field path. |
DSPM.AssetFields.tableName | String | Asset field table name. |
DSPM.AssetFields.tableSize | String | Asset field table size. |
DSPM.AssetFields.databaseName | String | Asset field database name. |
DSPM.AssetFields.collectionName | String | Asset field collection name. |
DSPM.AssetFields.type | String | Asset field type. |
DSPM.AssetFields.dataTypes.name | String | Asset field data type name. |
DSPM.AssetFields.dataTypes.label | String | Asset field data type label. |
DSPM.AssetFields.dataTypes.hitPercentage | Number | Asset field data type hit percentage. |
DSPM.AssetFields.dataTypes.maskedValues.masked_value | String | Asset field datat ype masked value. |
DSPM.AssetFields.dataTypes.maskedValues.line | Number | Asset field data type masked value line. |
DSPM.AssetFields.schemaName | String | Asset field schema name. |
#
Command example!dspm-get-list-of-asset-fields-by-id assetId="arn:aws:rds:::dummyrds-cifp-us-east-1"
#
Context Example#
Human Readable Output#
Asset Fieldsname | dataTypes | path | tableName | tableSize | databaseName | collectionName | type | schemaName |
---|---|---|---|---|---|---|---|---|
maidenname | [] | /public/dummy | dummy | 29996 | Hi | null | varchar | public |
maidenname | [] | /public/dummy | dummy | 29996 | Hi | null | varchar | public |
#
dspm-get-data-typesFetches the available data types for the DSPM integration.
#
Base Commanddspm-get-data-types
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.DataTypes.Key | String | Data types key. |
DSPM.DataTypes.No | Number | Data types number. |
#
Command example!dspm-get-data-types
#
Context Example#
Human Readable Output#
Data Types
No Key 1 ID Number - Aadhaar (India) 2 Artifactory API Key 3 AWS Secret Key 4 Credit Card Expiration Date 5 Certificate
#
dspm-list-labelsReturns a list of label names based on the company.
#
Base Commanddspm-list-labels
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.Label.Key | String | Label key. |
DSPM.Label.No | unknown | Label number. |
#
Command example!dspm-list-labels
#
Context Example#
Human Readable Output#
Data Types
No Key 1 PCI 2 PHI 3 PII 4 Confidential 5 Sensitive
#
dspm-list-data-types-findingsRetrieves a list of data type findings for the company.
#
Base Commanddspm-list-data-types-findings
#
InputArgument Name | Description | Required |
---|---|---|
region_in | A comma-separated list of regions. | Optional |
region_equal | The exact region. | Optional |
cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
cloud_provider_equal | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
service_type_in | A comma-separated list of service types. | Optional |
service_type_equal | The exact service type. | Optional |
lifecycle_in | A comma-separated list of life cycles. | Optional |
projectId_in | A comma-separated list of project IDs. | Optional |
projectId_equal | The exact project ID. | Optional |
lifecycle_equal | The exact life cycle. | Optional |
sort | The sorting criteria in the format: property,(asc|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional |
limit | The maximum number of data types findings to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.DataTypesFinding.dataTypeName | String | Represents the name of the data type being analyzed. |
DSPM.DataTypesFinding.label | String | Label associated with the data type, such as PII. |
DSPM.DataTypesFinding.records | Integer | The number of records associated with the data type. |
DSPM.DataTypesFinding.publicRecords | Integer | The number of public records found for this data type. |
DSPM.DataTypesFinding.assets | Integer | The number of assets associated with this data type. |
DSPM.DataTypesFinding.clouds | String | The clouds where the data type was found (e.g., AWS, Azure). |
DSPM.DataTypesFinding.regions | String | The regions where the data type was found. |
DSPM.DataTypesFinding.lastFound | Date | The timestamp when the data type was last found. |
DSPM.DataTypesFinding.recordsAtRisk.high | Integer | The number of high-risk records found for this data type. |
DSPM.DataTypesFinding.recordsAtRisk.medium | Integer | The number of medium-risk records found for this data type. |
DSPM.DataTypesFinding.recordsAtRisk.low | Integer | The number of low-risk records found for this data type. |
#
Command example!dspm-list-data-types-findings cloudProviderEqual=AWS
#
Context Example#
Human Readable Output#
Data Types Findings
dataTypeName label records publicRecords assets clouds regions lastFound recordsAtRisk.high recordsAtRisk.medium recordsAtRisk.low AADHAAR_INDIVIDUAL_IDENTIFICATION PII 4 0 1 AWS us-east-1 2024-05-09T03:24:29Z 0 4 0
#
dspm-update-risk-finding-statusUpdates the status of a risk finding.
#
Base Commanddspm-update-risk-finding-status
#
InputArgument Name | Description | Required |
---|---|---|
risk_finding_id | Risk Finding ID. | Required |
status | List of supported statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.RiskFindingStatusUpdate.newStatus | String | Updated risk finding status. |
DSPM.RiskFindingStatusUpdate.oldStatus | String | Old risk finding status. |
DSPM.RiskFindingStatusUpdate.riskFindingId | String | Risk finding ID. |
#
Command example!dspm-update-risk-finding-status riskFindingId="00000000-0000-4f99-0000-616843b6b19e" status=INVESTIGATING
#
Context Example#
Human Readable Output#
Risk Status Update
Risk Finding ID Old Status New Status 00000000-0000-4f99-0000-616843b6b19e INVESTIGATING INVESTIGATING
#
dspm-update-alert-statusUpdates the status of an alert.
#
Base Commanddspm-update-alert-status
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | Alert ID. | Required |
status | List of supported statuses. Possible values are: OPEN, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.AlertStatusUpdate.newStatus | String | Updated alert status. |
DSPM.AlertStatusUpdate.oldStatus | String | Old alert status. |
DSPM.AlertStatusUpdate.alertId | String | Alert ID. |
#
Command example!dspm-update-alert-status alertId="000000608" status=INVESTIGATING
#
Context Example#
Human Readable Output#
Alert Status Update
Alert ID Old Status New Status 000000608 INVESTIGATING INVESTIGATING
#
dspm-list-alertsFetch list of alerts.
#
Base Commanddspm-list-alerts
#
InputArgument Name | Description | Required |
---|---|---|
detection_time_equals | The exact detection time (equals). detection time format - YYYY-MM-DDTHH:MM:SSZ. | Optional |
detection_time_greater_than_or_equal | Detection time (greater than or equal). detection time format - YYYY-MM-DDTHH:MM:SSZ. | Optional |
detection_time_greater_than | Detection time (greater than). detection time format - YYYY-MM-DDTHH:MM:SSZ. | Optional |
detection_time_less_than_or_equal | Detection time (less than or equal). detection time format - YYYY-MM-DDTHH:MM:SSZ. | Optional |
detection_time_less_than | Detection time (less than). detection time format - YYYY-MM-DDTHH:MM:SSZ. | Optional |
policy_name_in | A comma-separated list of policy names. | Optional |
policy_name_equals | The exact policy name. | Optional |
asset_name_in | A comma-separated list of asset names. | Optional |
asset_name_equals | The exact asset name. | Optional |
cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
cloud_provider_equals | The exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional |
destination_project_vendor_name_in | A comma-separated list of project vendor names. | Optional |
destination_project_vendor_name_equals | The exact destination project vendor name. | Optional |
cloud_environment_in | A comma-separated list of cloud environments. Possible values are: UNKNOWN, DEVELOPMENT, STAGING, TESTING, PRODUCTION. | Optional |
cloud_environment_equals | The exact cloud environment. Possible values are: UNKNOWN, DEVELOPMENT, STAGING, TESTING, PRODUCTION. | Optional |
policy_severity_in | A comma-separated list of policy severities. Possible values are: HIGH, MEDIUM, LOW. | Optional |
policy_severity_equals | The exact policy severity. Possible values are: HIGH, MEDIUM, LOW. | Optional |
category_type_in | A comma-separated list of category types. Possible values are: FIRST_MOVE, ATTACK, COMPLIANCE, ASSET_AT_RISK, RECONNAISSANCE. | Optional |
category_type_equals | The exact category type. Possible values are: FIRST_MOVE, ATTACK, COMPLIANCE, ASSET_AT_RISK, RECONNAISSANCE. | Optional |
status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
status_equals | The exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional |
sort | Sort order (property,asc|desc). | Optional |
limit | The maximum number of alerts to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DSPM.Alert.id | String | Alert ID. |
DSPM.Alert.detectionTime | Date | Alert detection time. |
DSPM.Alert.policyName | String | Alert policy name. |
DSPM.Alert.assetName | String | Alert asset name. |
DSPM.Alert.assetLabels | Unknown | Alert asset label. |
DSPM.Alert.cloudProvider | String | Alert cloud provider. |
DSPM.Alert.destinationProjects | Unknown | Alert destination projects. |
DSPM.Alert.cloudEnvironment | String | Alert cloud enviroment. |
DSPM.Alert.policySeverity | String | Alert policy severity. |
DSPM.Alert.policyCategoryType | String | Alert policy category type. |
DSPM.Alert.status | String | Alert status. |
DSPM.Alert.eventActor | String | Alert event actor. |
DSPM.Alert.eventUserAgent | String | Alert event user agent. |
DSPM.Alert.eventActionMedium | String | Alert event action medium. |
DSPM.Alert.eventSource | String | Alert event source. |
DSPM.Alert.policyFrameWorks | String | Alert policy frameworks. |
DSPM.Alert.eventRawData | String | Alert event raw data. |
#
Command example!dspm-list-alerts cloudEnvironmentEquals="TESTING"
#
Context Example#
Human Readable Output#
DSPM Alert
Alert ID Detection Time Policy Name Asset Name Cloud Provider Cloud Environment Policy Severity Policy Category Status Event Actor Event Action Medium Event Source Policy Frameworks eventRawData 340256006 2024-08-07T18:55:50.64996Z Asset made public mikeys3 AWS TESTING HIGH ATTACK OPEN dummy_email CONSOLE *...*.*** MITRE-T1098 "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROASI3QR4HKUAIEPBICG:dummy_email\",\"arn\":\"arn:aws:sts::576847873638:assumed-role/sso_admin-tac-nam/dummy_email\",\"accountId\":\"576847873638\",\"accessKeyId\":\"ASIASI3QR4HK2LDI5JMN\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROASI3QR4HKUAIEPBICG\",\"arn\":\"arn:aws:iam::576847873638:role/sso_admin-tac-nam\",\"accountId\":\"576847873638\",\"userName\":\"sso_admin-tac-nam\"},\"attributes\":{\"creationDate\":\"2024-08-07T18:51:51Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-08-07T18:55:37Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"PutBucketPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"*...*.**\",\"userAgent\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.220-187.867.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"requestParameters\":{\"bucketPolicy\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Statement1\",\"Effect\":\"Allow\",\"Principal\":\"\",\"Action\":[\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:GetObject\",\"s3:ListBucketMultipartUploads\",\"s3:ListMultipartUploadParts\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::mikeys3\",\"arn:aws:s3:::mikeys3/*\"]}]},\"bucketName\":\"mikeys3\",\"Host\":\"s3.amazonaws.com\",\"policy\":\"\"},\"responseElements\":null,\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":568,\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"KXHYo+o2TWL/Gnk0pmKY+gV+0YufF6uGyD3GRwK+FXEJ7eai772ytOzbV9CwwoBq+pezhB5PPR/6RxZyhOyZltIBowBOyQih\",\"bytesTransferredOut\":0},\"requestID\":\"CJ3J7M851NAGAF58\",\"eventID\":\"df06b9ad-79dc-4a17-ae0e-82ecff9cfa5e\",\"readOnly\":false,\"resources\":[{\"accountId\":\"576847873638\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::mikeys3\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"576847873638\",\"vpcEndpointId\":\"vpce-f40dc59d\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"s3.amazonaws.com\"}}"