Skip to main content

PrismaCloud IAM

This Integration is part of the Prisma Cloud by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Note: This integration should be used as part of our Identity Lifecycle Management premium pack. For more information, please refer to the Identity Lifecycle Management article.

The Prisma Cloud IAM API consists of a set of API endpoints that allow customers to perform CRUD operation on their user profiles.

Configure PrismaCloud IAM in Cortex#

ParameterDescriptionRequired
Base URLTrue
UsernameTrue
PasswordTrue
Customer nameIf you are a multi-tenant user you will also need to provide the customerName.False
Trust any certificate (not secure)False
Use system proxy settingsFalse
Allow creating usersFalse
Allow updating usersFalse
Allow enabling usersFalse
Allow disabling usersFalse
Automatically create user if not found in update commandFalse
Incoming MapperTrue
Outgoing MapperTrue

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

iam-create-user#


Creates a user.

Base Command#

iam-create-user

Input#

Argument NameDescriptionRequired
user-profileUser Profile indicator details.Required
allow-enableWhen set to true, after the command execution the status of the user in the 3rd-party integration will be active. Possible values are: true, false. Default is true.Optional

Context Output#

PathTypeDescription
IAM.Vendor.activeBooleanWhen true, indicates that the employee's status is active in the 3rd-party integration.
IAM.Vendor.brandStringName of the integration.
IAM.Vendor.detailsstringProvides the raw data from the 3rd-party integration.
IAM.Vendor.emailStringThe employee's email address.
IAM.Vendor.errorCodeNumberHTTP error response code.
IAM.Vendor.errorMessageStringReason why the API failed.
IAM.Vendor.idStringThe employee's user ID in the app.
IAM.Vendor.instanceNamestringName of the integration instance.
IAM.Vendor.successBooleanWhen true, indicates that the command was executed successfully.
IAM.Vendor.usernameStringThe employee's username in the app.

Command Example#

``!iam-create-user user-profile={"email": "john.doe@example.com", "givenname": "test", "surname": "test"}````

Context Example#

{
"IAM": {
"UserProfile": {
"email": "john.doe@example.com",
"givenname": "test",
"surname": "test"
},
"Vendor": {
"action": "update",
"active": null,
"brand": "PrismaCloudIAM",
"details": {
"email": "john.doe@example.com",
"firstName": "test",
"lastName": "test",
"roleId": "some_role_id",
"timeZone": "America/Los_Angeles"
},
"email": "john.doe@example.com",
"errorCode": null,
"errorMessage": "",
"id": null,
"instanceName": "PrismaCloudIAM_instance_1",
"reason": "",
"skipped": false,
"success": true,
"username": null
}
}
}

Human Readable Output#

Update User Results (PrismaCloudIAM)#

brandinstanceNamesuccessemaildetails
PrismaCloudIAMPrismaCloudIAM_instance_1truejohn.doe@example.comemail: john.doe@example.com
firstName: test
lastName: test
roleId: some_role_id
timeZone: America/Los_Angeles

iam-update-user#


Updates an existing user with the data passed in the user-profile argument.

Base Command#

iam-update-user

Input#

Argument NameDescriptionRequired
user-profileA User Profile indicator.Required
allow-enableWhen set to true, after the command execution the status of the user in the 3rd-party integration will be active. Possible values are: true, false. Default is true.Optional

Context Output#

PathTypeDescription
IAM.Vendor.activeBooleanWhen true, indicates that the employee's status is active in the 3rd-party integration.
IAM.Vendor.brandStringName of the integration.
IAM.Vendor.detailsstringProvides the raw data from the 3rd-party integration.
IAM.Vendor.emailStringThe employee's email address.
IAM.Vendor.errorCodeNumberHTTP error response code.
IAM.Vendor.errorMessageStringReason why the API failed.
IAM.Vendor.idStringThe employee's user ID in the app.
IAM.Vendor.instanceNamestringName of the integration instance.
IAM.Vendor.successBooleanWhen true, indicates that the command was executed successfully.
IAM.Vendor.usernameStringThe employee's username in the app.

Command Example#

``!iam-update-user user-profile={"email": "john.doe@example.com", "givenname": "John"}````

Context Example#

{
"IAM": {
"UserProfile": {
"email": "john.doe@example.com",
"givenname": "John"
},
"Vendor": {
"action": "update",
"active": null,
"brand": "PrismaCloudIAM",
"details": {
"email": "john.doe@example.com",
"firstName": "John",
"roleId": "some_role_id",
"timeZone": "America/Los_Angeles"
},
"email": "john.doe@example.com",
"errorCode": null,
"errorMessage": "",
"id": null,
"instanceName": "PrismaCloudIAM_instance_1",
"reason": "",
"skipped": false,
"success": true,
"username": null
}
}
}

Human Readable Output#

Update User Results (PrismaCloudIAM)#

brandinstanceNamesuccessemaildetails
PrismaCloudIAMPrismaCloudIAM_instance_1truejohn.doe@example.comemail: john.doe@example.com
firstName: John
roleId: some_role_id
timeZone: America/Los_Angeles

iam-get-user#


Retrieves a single user resource.

Base Command#

iam-get-user

Input#

Argument NameDescriptionRequired
user-profileA User Profile indicator.Required

Context Output#

PathTypeDescription
IAM.Vendor.activeBooleanWhen true, indicates that the employee's status is active in the 3rd-party integration.
IAM.Vendor.brandStringName of the integration.
IAM.Vendor.detailsstringProvides the raw data from the 3rd-party integration.
IAM.Vendor.emailStringThe employee's email address.
IAM.Vendor.errorCodeNumberHTTP error response code.
IAM.Vendor.errorMessageStringReason why the API failed.
IAM.Vendor.idStringThe employee's user ID in the app.
IAM.Vendor.instanceNamestringName of the integration instance.
IAM.Vendor.successBooleanWhen true, indicates that the command was executed successfully.
IAM.Vendor.usernameStringThe employee's username in the app.

Command Example#

``!iam-get-user user-profile={"email": "john.doe@example.com"}````

Context Example#

{
"IAM": {
"UserProfile": {
"Display Name": "test test",
"Email": "john.doe@example.com",
"Given Name": "test",
"Surname": "test"
},
"Vendor": {
"action": "get",
"active": true,
"brand": "PrismaCloudIAM",
"details": {
"accessKeysAllowed": true,
"displayName": "test test",
"email": "john.doe@example.com",
"enabled": true,
"firstName": "test",
"lastLoginTs": -1,
"lastModifiedBy": "modifier@example.com",
"lastModifiedTs": 1628152142011,
"lastName": "test",
"role": {
"id": "some_role_id",
"name": "System Admin"
},
"roleId": "some_role_id",
"roleType": "System Admin",
"timeZone": "America/Los_Angeles"
},
"email": null,
"errorCode": null,
"errorMessage": "",
"id": "john.doe@example.com",
"instanceName": "PrismaCloudIAM_instance_1",
"reason": "",
"skipped": false,
"success": true,
"username": null
}
}
}

Human Readable Output#

Get User Results (PrismaCloudIAM)#

brandinstanceNamesuccessactiveiddetails
PrismaCloudIAMPrismaCloudIAM_instance_1truetruejohn.doe@example.comemail: john.doe@example.com
firstName: test
lastName: test
timeZone: America/Los_Angeles
enabled: true
roleId: some_role_id
lastModifiedBy: modifier@example.com
lastModifiedTs: 1628152142011
lastLoginTs: -1
role: {"id": "some_role_id", "name": "System Admin"}
roleType: System Admin
displayName: test test
accessKeysAllowed: true

iam-disable-user#


Disable an active user.

Base Command#

iam-disable-user

Input#

Argument NameDescriptionRequired
user-profileA User Profile indicator.Required

Context Output#

PathTypeDescription
IAM.Vendor.activeBooleanWhen true, indicates that the employee's status is active in the 3rd-party integration.
IAM.Vendor.brandStringName of the integration.
IAM.Vendor.detailsstringProvides the raw data from the 3rd-party integration.
IAM.Vendor.emailStringThe employee's email address.
IAM.Vendor.errorCodeNumberHTTP error response code.
IAM.Vendor.errorMessageStringReason why the API failed.
IAM.Vendor.idStringThe employee's user ID in the app.
IAM.Vendor.instanceNamestringName of the integration instance.
IAM.Vendor.successBooleanWhen true, indicates that the command was executed successfully.
IAM.Vendor.usernameStringThe employee's username in the app.

Command Example#

``!iam-disable-user user-profile={"email": "john.doe@example.com", "givenname": "John"}````

Context Example#

{
"IAM": {
"UserProfile": {
"email": "john.doe@example.com",
"givenname": "John"
},
"Vendor": {
"action": "disable",
"active": false,
"brand": "PrismaCloudIAM",
"details": null,
"email": "john.doe@example.com",
"errorCode": null,
"errorMessage": "",
"id": null,
"instanceName": "PrismaCloudIAM_instance_1",
"reason": "",
"skipped": false,
"success": true,
"username": null
}
}
}

Human Readable Output#

Disable User Results (PrismaCloudIAM)#

brandinstanceNamesuccessactiveemail
PrismaCloudIAMPrismaCloudIAM_instance_1truefalsejohn.doe@example.com

Outgoing Mapper#

  • In the User Profile - PrismaCloudIAM (Outgoing) you should manually configure and map the following required attributes:
    1. timeZone - the time zone of the user.
    2. roleId - the id of the role assigned to the user