This integration lets you import Palo Alto Networks - Prisma Cloud Compute alerts into Demisto.
- Manage Prisma Cloud Compute alerts in Demisto.
- You can create new playbooks, or extend the default ones, to analyze alerts, assign tasks based on your analysis, and open tickets on other platforms.
Configure Prisma Cloud Compute to Send Alerts to Demisto
To send alerts from Prisma Cloud Compute to Demisto, you need to create an alert profile.
- Log in to your Prisma Cloud Compute console.
- Navigate to Manage > Alerts.
- Click Add Profile to create a new alert profile.
- On the left, select Demisto from the provider list.
- On the right, select the alert triggers. Alert triggers specify which alerts are sent to Demisto.
- Click Save to save the alert profile.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Prisma Cloud Compute.
- Click Add instance to create and configure a new integration.
| Parameter Name | Description | Default |
| --- | --- | --- |
| Name | A meaningful name for the integration instance. | Prisma Cloud Compute_<alertProfileName> |
| Fetches incidents | Configures this integration instance to fetch alerts from Prisma Cloud Compute. | N/A |
| Prisma Cloud Compute Console URL | URL address and port of your Prisma Cloud Compute console. Copy the address from the alert profile created in Prisma Cloud Compute. | https://proxyserver.com |
| Prisma Cloud Compute Project Name (if applicable) | Copy the project name from the alert profile created in Prisma Cloud Compute and paste it in this field. | N/A |
| Trust any certificate (not secure) | Skips verification of the CA certificate (not recommended). | N/A |
| Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
| Credentials | Prisma Cloud Compute login credentials. | N/A |
| Prisma Cloud Compute CA Certificate | CA certificate used by Prisma Cloud Compute. Copy the certificate from the alert profile created in Prisma Cloud Compute. | N/A |
- Click Test to validate the integration.
- Click Done to save the integration.
Using the Integration and Scripts
The integration ships with four default playbooks and four scripts that are used by the playbooks. The scripts encode the raw JSON alerts into Demisto objects that can then be used in the playbooks. The scripts are:
To better understand how playbooks and scripts interoperate, consider the Prisma Cloud Compute - Vulnerability Alert playbook.
- When the playbook is triggered, the Parse Vulnerability Alert task starts running.
- The task runs the PrismaCloudComputeParseVulnerabilityAlert script, which takes the prismacloudcomputerawalertjson field of the incident (the raw JSON alert data) as input.
- Click outputs to see how the script transformed the raw JSON input into a Demisto object.
At this point, you can add tasks that extend the playbook to check and respond to alerts depending on the properties of the Demisto object.
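To make the parse step concrete, the following is an added example of the kind of transformation such a script performs; it is not the integration's own PrismaCloudComputeParseVulnerabilityAlert script, and the alert field names in the constructed sample are assumptions for this example, not the vendor's documented schema.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a raw alert as it might arrive in the
# prismacloudcomputerawalertjson incident field. Field names are assumed
# for this example only; the CVE identifiers are placeholders.
SAMPLE_RAW_ALERT = json.dumps({
    "type": "vulnerability",
    "time": "2020-01-01T00:00:00Z",
    "imageName": "registry.example.com/app:1.0",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "critical", "packageName": "openssl",
         "packageVersion": "1.0.0", "fixed": "1.0.1"},
        {"id": "CVE-0000-0002", "severity": "low", "packageName": "zlib",
         "packageVersion": "1.2.0", "fixed": ""},
    ],
})

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_vulnerability_alert(raw_json: str) -> Dict[str, Any]:
    """Turn the raw JSON alert into a flat object a playbook can branch on."""
    try:
        alert = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        # Reject malformed input early rather than letting later tasks fail.
        raise ValueError(f"alert field is not valid JSON: {exc}") from exc
    if alert.get("type") != "vulnerability":
        raise ValueError(f"unexpected alert type: {alert.get('type')!r}")
    findings: List[Dict[str, Any]] = []
    for v in alert.get("vulnerabilities", []):
        findings.append({
            "CVE": v.get("id"),
            "Severity": str(v.get("severity", "")).lower(),
            "Package": v.get("packageName"),
            "Version": v.get("packageVersion"),
            # A non-empty fixed version means a remediation exists.
            "FixAvailable": bool(v.get("fixed")),
        })
    # Most severe first, so playbook tasks can act on Findings[0].
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["Severity"], 0), reverse=True)
    return {
        "Image": alert.get("imageName"),
        "Time": alert.get("time"),
        "HighestSeverity": findings[0]["Severity"] if findings else "none",
        "Findings": findings,
    }
```

Inside an actual Demisto script the raw field value would be read from the incident and the returned object written to context; that wiring is omitted here so the example runs offline.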
If any alerts are missing in Demisto, check the status of the integration.
If you have any questions, contact Demisto support and attach the server logs.