Skip to main content

Prisma Cloud v2

This Integration is part of the Prisma Cloud by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Prisma Cloud secures infrastructure, workloads and applications, across the entire cloud-native technology stack. This integration was integrated and tested with version 23.2.1 of PrismaCloud

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure Prisma Cloud v2 in Cortex#

ParameterDescriptionRequired
Server URLTrue
Username / Access Key IDTrue
Password / Access Key SecretTrue
Use system proxy settingsFalse
Trust any certificate (not secure)False
Incident typeFalse
Maximum number of incidents to fetchMaximum is limited to 200.False
First fetch time intervalDate or relative timestamp to start fetching incidents from, in the format of <number> <time unit>. For example, 2 minutes, 12 hours, 6 days, 2 weeks, 3 months, 1 year, ISO timestamp. Default is 3 days.False
Advanced: Time in minutes to look back when fetching incidentsUse this parameter to determine how far back to look in the search for incidents that were created before the last run time and did not match the query when they were created. When choosing to increase this value, duplicate incidents might occur at increase time.False
Fetch only incidents matching these filtersComma-separated list of filter name and value, in the following format: filtername1=filtervalue1,filtername2=filtervalue2,etc. Names and possible values for filters can be found by running the "prisma-cloud-alert-filter-list" command.False
Fetch incidentsFalse
Output results of old version commands to the context data in the old formatFalse
Mirroring Direction'Choose the direction to mirror the incident: Incoming (from Prisma Cloud to Cortex XSOAR), Outgoing (from Cortex XSOAR to Prisma Cloud), or Incoming and Outgoing (from/to Cortex XSOAR and Prisma Cloud).'False
Close Mirrored XSOAR IncidentWhen selected, closing and re-opening the Prisma Cloud alert is mirrored in Cortex XSOAR.False
Close Mirrored Prisma Cloud AlertWhen selected, closing and re-opening the Cortex XSOAR incident is mirrored in Prisma Cloud.False

Incident Mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and Prisma Cloud alerts (available from Cortex XSOAR version 6.0.0).

To setup the mirroring follow these instructions:

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud v2 and select your integration instance.
  3. Enable Fetches incidents.
  4. Optional: You can go to the Fetch only incidents matching these filters parameter and select the query to fetch the alerts from Prisma Cloud.
  5. In the Incident Mirroring Direction parameter, select in which direction the incidents should be mirrored:
    • Incoming - Changes in Prisma Cloud Alerts (status, dismissalNote, reason) will be reflected in Cortex XSOAR incidents.
    • Outgoing - Changes in Cortex XSOAR incidents will be reflected in Prisma Cloud alerts (status, reason).
    • Incoming And Outgoing - Changes in Cortex XSOAR incidents and in Prisma Cloud alerts will be reflected in both directions.
    • None - Turns off incident mirroring.
  6. Optional: Check the Close Mirrored XSOAR Incident integration parameter to close or reopen the Cortex XSOAR incident when the corresponding alert is closed or re-opened in Prisma Cloud.
  7. Optional: Check the Close Mirrored Prisma Cloud Alert integration parameter to close or reopen the Prisma Cloud alert when the corresponding Cortex XSOAR incident is closed or re-opened.

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.

Important Notes

  • To ensure the mirroring works as expected, an incoming mapper is required, to map the expected fields in Cortex XSOAR (you can use the default mapper - Prisma Cloud - Incoming Mapper).
  • When mirroring in incidents from Prisma Cloud to Cortex XSOAR:
    • When enabling the Close Mirrored XSOAR Incident integration parameter, the field in Prisma Cloud that determines whether the incident was closed or re-opend is the status field.
  • When mirroring out incidents from Cortex XSOAR to Prisma Cloud:
    • When enabling the Close Mirrored Prisma Cloud Alert integration parameter, the corresponding alert in Prisma Cloud will be closed with a Dismissed status for every reason chosen in the Cortex XSOAR incident (possible reasons are: False Positive, Duplicate, Other and Resolved). The Reason field of the Prisma Cloud alert will include the original reason selected in Cortex XSOAR and the close notes.
    • When re-opening a Cortex XSOAR incident with a Resolved Prisma Cloud status, the incident will be re-opened, but the alert in Prisma Cloud will remain Resolved due to API limitations.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

prisma-cloud-alert-dismiss#


Dismiss or snooze the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times. For snoozing, provide "snooze_unit" and "snooze_value" arguments.

Base Command#

prisma-cloud-alert-dismiss

Input#

Argument NameDescriptionRequired
alert_idsComma-separated list of alert IDs to be dismissed.Optional
policy_idsComma-separated list of policy IDs.Optional
snooze_valueThe amount of time for snoozing alert. Both snooze value and unit must be specified if snoozing.Optional
snooze_unitThe time unit for snoozing alert. Both snooze value and unit must be specified if snoozing. Possible values are: hour, day, week, month, year.Optional
dismissal_noteReason for dismissal.Required
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
filtersComma-separated list of filter name and value, in the following format: filtername1=filtervalue1,filtername2=filtervalue2,etc. Names and possible values for filters can be found by running the "prisma-cloud-alert-filter-list" command.Optional

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-alert-dismiss dismissal_note="from XSOAR" alert_ids=P-464811 snooze_unit=hour snooze_value=1

Human Readable Output#

Alerts snoozed successfully.#

Snooze note: from XSOAR.

Command example#

!prisma-cloud-alert-dismiss dismissal_note="from XSOAR" alert_ids=P-469663 time_range_unit=month

Human Readable Output#

Alerts dismissed successfully.#

Dismissal note: from XSOAR.

prisma-cloud-alert-get-details#


Gets the details of an alert based on the alert ID.

Base Command#

prisma-cloud-alert-get-details

Input#

Argument NameDescriptionRequired
alert_idThe alert ID.Required
detailedWhether to retrieve the entire / trimmed alert model. Possible values are: true, false. Default is true.Optional

Context Output#

PathTypeDescription
PrismaCloud.Alert.idStringThe alert ID.
PrismaCloud.Alert.statusStringThe alert status.
PrismaCloud.Alert.reasonStringThe alert reason.
PrismaCloud.Alert.alertTimeDateThe time of the alert.
PrismaCloud.Alert.firstSeenDateThe time the alert was first seen.
PrismaCloud.Alert.lastSeenDateThe time the alert was last seen.
PrismaCloud.Alert.eventOccurredDateThe time the event occurred.
PrismaCloud.Alert.alertRulesStringNames of the alert rules that triggered this alert.
PrismaCloud.Alert.resource.resourceApiNameStringThe resource API name.
PrismaCloud.Alert.resource.idStringThe resource ID.
PrismaCloud.Alert.resource.accountStringThe resource account.
PrismaCloud.Alert.resource.accountIdStringThe resource account ID.
PrismaCloud.Alert.resource.resourceTypeStringThe resource type.
PrismaCloud.Alert.policy.policyIdStringThe policy ID.
PrismaCloud.Alert.policy.nameStringThe policy name.
PrismaCloud.Alert.policy.policyTypeStringThe type of policy.
PrismaCloud.Alert.policy.severityStringThe policy severity.
PrismaCloud.Alert.policy.recommendationStringThe policy recommendation.
PrismaCloud.Alert.policy.remediation.descriptionStringThe policy remediation description.
PrismaCloud.Alert.policy.remediation.cliScriptTemplateStringThe policy remediation CLI script template.
PrismaCloud.Alert.policy.descriptionStringThe policy description.
PrismaCloud.Alert.policy.labelsUnknownThe policy labels.
PrismaCloud.Alert.resource.cloudTypeStringThe resource cloud type.
PrismaCloud.Alert.resource.rrnStringThe restricted resource name.
PrismaCloud.Alert.resource.regionIdStringThe resource region ID.
PrismaCloud.Alert.resource.urlStringThe resource URL.
PrismaCloud.Alert.policy.remediableBooleanWhether the policy is remediable.
PrismaCloud.Alert.policy.systemDefaultBooleanWhether the policy is the system default.
PrismaCloud.Alert.policy.deletedBooleanWhether the policy was deleted.

Command example#

!prisma-cloud-alert-get-details alert_id=P-465020

Context Example#

{
"PrismaCloud": {
"Alert": {
"alertRules": [
{
"alertRuleNotificationConfig": [],
"allowAutoRemediate": false,
"enabled": true,
"name": "test",
"notifyOnDismissed": false,
"notifyOnOpen": true,
"notifyOnResolved": false,
"notifyOnSnoozed": false,
"policyScanConfigId": "policy-scan-config-id3",
"scanAll": true,
"target": {
"accountGroups": [],
"excludedAccounts": [],
"regions": [],
"tags": []
}
},
{
"alertRuleNotificationConfig": [],
"allowAutoRemediate": false,
"enabled": true,
"name": "Default Alert Rule",
"notifyOnDismissed": false,
"notifyOnOpen": true,
"notifyOnResolved": false,
"notifyOnSnoozed": false,
"policyScanConfigId": "policy-scan-config-id2",
"scanAll": false,
"target": {
"accountGroups": [],
"excludedAccounts": [],
"regions": [],
"tags": []
}
}
],
"alertTime": "2023-01-25T19:18:22Z",
"dismissalNote": "from XSOAR",
"dismissalUntilTs": -1,
"dismissedBy": "name@company.com",
"firstSeen": "2023-01-25T19:18:22Z",
"history": [
{
"modifiedBy": "name@company.com",
"modifiedOn": 1674987271011,
"reason": "NEW_ALERT",
"status": "open"
}
],
"id": "P-465020",
"lastSeen": "2023-01-29T10:14:31Z",
"metadata": {
"saveSearchId": "save-search-id1"
},
"networkAnomaly": false,
"policy": {
"complianceMetadata": [
{
"complianceId": "compliance-id1",
"customAssigned": false,
"policyId": "a11b2cc3-1111-2222-33aa-a1b23ccc4dd5",
"requirementId": "DSI",
"requirementName": "Data Security & Information Lifecycle Management",
"requirementViewOrder": 5,
"sectionDescription": "Data Inventory / Flows.",
"sectionId": "DSI-02",
"sectionLabel": "CSA CCM",
"sectionViewOrder": 25,
"standardDescription": "Cloud Security Alliance: Cloud Controls Matrix Version 3.0.1",
"standardName": "CSA CCM v3.0.1",
"systemDefault": true
},
{
"complianceId": "compliance-id2",
"customAssigned": false,
"policyId": "a11b2cc3-1111-2222-33aa-a1b23ccc4dd5",
"requirementId": "IAM",
"requirementName": "Identity & Access Management",
"requirementViewOrder": 10,
"sectionDescription": "Third Party Access.",
"sectionId": "IAM-07",
"sectionLabel": "CSA CCM",
"sectionViewOrder": 72,
"standardDescription": "Cloud Security Alliance: Cloud Controls Matrix Version 3.0.1",
"standardName": "CSA CCM v3.0.1",
"systemDefault": true
}
],
"deleted": false,
"description": "This policy identifies GCP VPC Network subnets have disabled Private Google access. Private Google access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.",
"findingTypes": [],
"labels": [
"Policy Status Review"
],
"lastModifiedBy": "example@gmail.com",
"lastModifiedOn": 1664515792712,
"name": "GCP VPC Network subnets have Private Google access disabled",
"policyId": "a11b2cc3-1111-2222-33aa-a1b23ccc4dd5",
"policyType": "config",
"recommendation": "1. Login to GCP Portal\n2. Go to VPC network (Left Panel)\n3. Select VPC networks\n2. Click on the name of a reported subnet, The 'Subnet details' page will be displayed\n3. Click on 'EDIT' button\n4. Set 'Private Google access' to 'On'\n5. Click on Save",
"remediable": true,
"remediation": {
"cliScriptTemplate": "gcloud compute networks subnets update ${resourceName} --project=${account} --region ${region} --enable-private-ip-google-access",
"description": "This CLI command requires 'compute.networkAdmin' permission. Successful execution will enable GCP VPC Network subnets 'Private Google access'.",
"impact": "enables private-ip-google-access in GCP VPC Network subnets"
},
"severity": "medium",
"systemDefault": true
},
"reason": "USER_DISMISSED",
"resource": {
"account": "mail1@gmail.com",
"accountId": "panw-prisma-cloud",
"additionalInfo": {},
"cloudAccountGroups": [
"Default Account Group"
],
"cloudAccountOwners": [
"mail1@gmail.com"
],
"cloudServiceName": "Google VPC",
"cloudType": "gcp",
"data": {
"creationTimestamp": "2023-01-25T08:52:45.111-08:00",
"fingerprint": "a-fingerprint=",
"gatewayAddress": "1.1.1.1",
"id": "1111111111111111111",
"ipCidrRange": "1.1.1.1/20",
"kind": "compute#subnetwork",
"name": "boombox-network",
"network": "https://some-url",
"privateIpGoogleAccess": false,
"purpose": "PRIVATE",
"region": "https://some-url",
"selfLink": "https://some-url/subnetworks/boombox-network",
"stackType": "IPV4_ONLY"
},
"id": "1111111111111111111",
"internalResourceId": "11111111",
"name": "boombox-network",
"region": "GCP Belgium",
"regionId": "europe-west1",
"resourceApiName": "gcloud-compute-networks-subnets-list",
"resourceConfigJsonAvailable": true,
"resourceDetailsAvailable": true,
"resourceTs": 1676633361033,
"resourceType": "SUBNET",
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"unifiedAssetId": "unified-asset-id1"
},
"saveSearchId": "save-search-id3",
"status": "dismissed"
}
}
}

Human Readable Output#

Alert P-465020 Details:#

Alert IDReasonStatusAlert TimeFirst SeenLast SeenPolicy IDPolicy TypeIs Policy System DefaultIs Policy RemediablePolicy NamePolicy RecommendationPolicy DescriptionPolicy SeverityPolicy Remediation DescriptionPolicy Remediation CLI ScriptPolicy LabelsResource TypeResource AccountResource Cloud TypeResource RRNResource IDResource Account IDResource Region IDResource Api Name
P-465020USER_DISMISSEDdismissed2023-01-25T19:18:22Z2023-01-25T19:18:22Z2023-01-29T10:14:31Za11b2cc3-1111-2222-33aa-a1b23ccc4dd5configtruetrueGCP VPC Network subnets have Private Google access disabled1. Login to GCP Portal
2. Go to VPC network (Left Panel)
3. Select VPC networks
2. Click on the name of a reported subnet, The 'Subnet details' page will be displayed
3. Click on 'EDIT' button
4. Set 'Private Google access' to 'On'
5. Click on Save
This policy identifies GCP VPC Network subnets have disabled Private Google access. Private Google access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.mediumThis CLI command requires 'compute.networkAdmin' permission. Successful execution will enable GCP VPC Network subnets 'Private Google access'.gcloud compute networks subnets update ${resourceName} --project=${account} --region ${region} --enable-private-ip-google-accessPolicy Status ReviewSUBNETmail1@gmail.comgcprrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-251111111111111111111panw-prisma-cloudeurope-west1gcloud-compute-networks-subnets-list

prisma-cloud-alert-filter-list#


List the acceptable filters and values for alerts.

Base Command#

prisma-cloud-alert-filter-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
PrismaCloud.AlertFilters.filterNameStringThe filter name.
PrismaCloud.AlertFilters.optionsStringThe filter value options.
PrismaCloud.AlertFilters.staticFilterUnknownWhether the filter is static.

Command example#

!prisma-cloud-alert-filter-list

Context Example#

{
"PrismaCloud": {
"AlertFilters": [
{
"filterName": "policy.name",
"options": [
"GCP Kubernetes Engine Clusters have Master authorized networks disabled"
],
"staticFilter": false
},
{
"filterName": "policy.type",
"options": [
"anomaly",
"audit_event",
"config",
"data",
"iam",
"network",
"workload_incident",
"workload_vulnerability"
],
"staticFilter": true
},
{
"filterName": "policy.label",
"options": [],
"staticFilter": false
},
{
"filterName": "policy.severity",
"options": [
"critical",
"high",
"medium",
"low",
"informational"
],
"staticFilter": true
},
{
"filterName": "policy.complianceStandard",
"options": [],
"staticFilter": false
},
{
"filterName": "policy.complianceRequirement",
"options": [],
"staticFilter": false
},
{
"filterName": "policy.complianceSection",
"options": [],
"staticFilter": false
},
{
"filterName": "cloud.account",
"options": [],
"staticFilter": false
},
{
"filterName": "account.group",
"options": [],
"staticFilter": false
},
{
"filterName": "cloud.region",
"options": [],
"staticFilter": false
},
{
"filterName": "alertRule.name",
"options": [],
"staticFilter": false
},
{
"filterName": "resource.id",
"options": [],
"staticFilter": false
},
{
"filterName": "resource.name",
"options": [],
"staticFilter": false
},
{
"filterName": "resource.type",
"options": [],
"staticFilter": false
},
{
"filterName": "resource.group",
"options": [],
"staticFilter": false
},
{
"filterName": "cloud.service",
"options": [],
"staticFilter": false
},
{
"filterName": "cloud.accountId",
"options": [],
"staticFilter": false
},
{
"filterName": "object.exposure",
"options": [
"private",
"public",
"conditional"
],
"staticFilter": true
},
{
"filterName": "malware",
"options": [
"true"
],
"staticFilter": true
},
{
"filterName": "object.classification",
"options": [],
"staticFilter": false
},
{
"filterName": "object.identifier",
"options": [],
"staticFilter": false
},
{
"filterName": "timeRange.type",
"options": [
"ALERT_STATUS_UPDATED",
"ALERT_UPDATED",
"ALERT_OPENED"
],
"staticFilter": true
},
{
"filterName": "vulnerability.severity",
"options": [
"all",
"high",
"critical",
"low",
"medium"
],
"staticFilter": true
},
{
"filterName": "buildtime.resourceName",
"options": [],
"staticFilter": false
},
{
"filterName": "git.filename",
"options": [],
"staticFilter": false
},
{
"filterName": "git.provider",
"options": [
"github",
"gitlab",
"bitbucket",
"perforce"
],
"staticFilter": false
},
{
"filterName": "git.repository",
"options": [],
"staticFilter": false
},
{
"filterName": "iac.framework",
"options": [
"ttt",
"CloudFormation"
],
"staticFilter": false
},
{
"filterName": "asset.class",
"options": [],
"staticFilter": false
},
{
"filterName": "alert.id",
"options": [],
"staticFilter": false
},
{
"filterName": "policy.subtype",
"options": [
"audit",
"build",
"data_classification",
"dns",
"identity",
"malware",
"network",
"network_config",
"network_event",
"permissions",
"run",
"run_and_build",
"ueba"
],
"staticFilter": true
},
{
"filterName": "alert.status",
"options": [
"dismissed",
"snoozed",
"open",
"resolved"
],
"staticFilter": true
},
{
"filterName": "cloud.type",
"options": [
"alibaba_cloud",
"aws",
"azure",
"gcp",
"oci"
],
"staticFilter": true
},
{
"filterName": "policy.remediable",
"options": [
"true",
"false"
],
"staticFilter": true
}
]
}
}

Human Readable Output#

Filter Options:#

Filter NameOptionsStatic Filter
policy.nameGCP Kubernetes Engine Clusters have Master authorized networks disabledfalse
policy.typeanomaly,
audit_event,
config,
data,
iam,
network,
workload_incident,
workload_vulnerability
true
policy.labelfalse
policy.severitycritical,
high,
medium,
low,
informational
true
policy.complianceStandardfalse
policy.complianceRequirementfalse
policy.complianceSectionfalse
cloud.accountfalse
account.groupfalse
cloud.regionfalse
alertRule.namefalse
resource.idfalse
resource.namefalse
resource.typefalse
resource.groupfalse
cloud.servicefalse
cloud.accountIdfalse
object.exposureprivate,
public,
conditional
true
malwaretruetrue
object.classificationfalse
object.identifierfalse
timeRange.typeALERT_STATUS_UPDATED,
ALERT_UPDATED,
ALERT_OPENED
true
vulnerability.severityall,
high,
critical,
low,
medium
true
buildtime.resourceNamefalse
git.filenamefalse
git.providergithub,
gitlab,
bitbucket,
perforce
false
git.repositoryfalse
iac.frameworkttt,
CloudFormation
false
asset.classfalse
alert.idfalse
policy.subtypeaudit,
build,
data_classification,
dns,
identity,
malware,
network,
network_config,
network_event,
permissions,
run,
run_and_build,
ueba
true
alert.statusdismissed,
snoozed,
open,
resolved
true
cloud.typealibaba_cloud,
aws,
azure,
gcp,
oci
true
policy.remediabletrue,
false
true

prisma-cloud-remediation-command-list#


Generates and returns a list of remediation commands for the specified alerts and policies. Data returned for a successful call include fully constructed commands for remediation. Either a policy ID or alert IDs must be provided. The returned information can be retrieved in the UI by clicking the "Remediate" button under the "Actions" column for supported alerts. When no absolute time nor relative time arguments are provided, the default time range is all times.

Base Command#

prisma-cloud-remediation-command-list

Input#

Argument NameDescriptionRequired
alert_idsComma-seperated list of alert IDs for which to get remediation details. Provided alert IDs must be associated with the same policy. If a policy is specified, all the alerts specified must belong to that policy.Optional
policy_idPolicy ID for which to get remediation details.Optional
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
PrismaCloud.AlertRemediation.descriptionStringDescription of CLI remediation instructions.
PrismaCloud.AlertRemediation.scriptImpactStringImpact of CLI remediation instructions.
PrismaCloud.AlertRemediation.alertIdStringThe ID of the alert to which the remediation details apply.
PrismaCloud.AlertRemediation.CLIScriptStringThe exact CLI command string.

Command example#

!prisma-cloud-remediation-command-list policy_id=a11b2cc3-1111-2222-33aa-a1b23ccc4dd5 limit=2

Context Example#

{
"PrismaCloud": {
"Alert": {
"Remediation": [
{
"CLIScript": "aws rds modify-db-instance --db-instance-identifier aaaaaaaaaaaaaa --region us-east-1 --deletion-protection",
"alertId": "P-351515",
"description": "This CLI command requires 'rds:ModifyDBInstance' permission. Successful execution will enable deletion protection for the reported AWS RDS instance.",
"scriptImpact": null
},
{
"CLIScript": "aws rds modify-db-instance --db-instance-identifier bbbbbbbbbbbbbbb --region us-east-1 --deletion-protection",
"alertId": "P-351323",
"description": "This CLI command requires 'rds:ModifyDBInstance' permission. Successful execution will enable deletion protection for the reported AWS RDS instance.",
"scriptImpact": null
}
]
}
}
}

Human Readable Output#

Showing 2 of 3 results:

Remediation Command List:#

CLI ScriptAlert IdDescription
aws rds modify-db-instance --db-instance-identifier aaaaaaaaaaaaaa --region us-east-1 --deletion-protectionP-351515This CLI command requires 'rds:ModifyDBInstance' permission. Successful execution will enable deletion protection for the reported AWS RDS instance.
aws rds modify-db-instance --db-instance-identifier bbbbbbbbbbbbbbb --region us-east-1 --deletion-protectionP-351323This CLI command requires 'rds:ModifyDBInstance' permission. Successful execution will enable deletion protection for the reported AWS RDS instance.

prisma-cloud-alert-remediate#


Remediates the alert with the specified ID, if that alert is associated with a remediable policy. In order to check what remediation would run, use the "prisma-cloud-remediation-command-list" command first.

Base Command#

prisma-cloud-alert-remediate

Input#

Argument NameDescriptionRequired
alert_idThe alert ID.Required

Context Output#

PathTypeDescription
PrismaCloud.AlertRemediation.alertIdStringThe ID of the alert to which the remediation apply.
PrismaCloud.AlertRemediation.successfulBooleanWhether the remediation was successful.
PrismaCloud.AlertRemediation.failureReasonStringThe failure reason for the remediation.
PrismaCloud.AlertRemediation.errorValueStringThe error value for the remediation.

Command example#

!prisma-cloud-alert-remediate alert_id=P-488074

Context Example#

{
"PrismaCloud": {
"AlertRemediation": {
"alertId": "P-488074",
"successful": true
}
}
}

Human Readable Output#

Alert P-488074 remediated successfully.

prisma-cloud-alert-reopen#


Re-open the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times.

Base Command#

prisma-cloud-alert-reopen

Input#

Argument NameDescriptionRequired
alert_idsComma-separated list of alert IDs to be reopened.Optional
policy_idsComma-separated list of policy IDs.Optional
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
filtersComma-separated list of filter name and value, in the following format: filtername1=filtervalue1,filtername2=filtervalue2,etc. Names and possible values for filters can be found by running the "prisma-cloud-alert-filter-list" command.Optional

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-alert-reopen alert_ids=P-469663

Human Readable Output#

Alerts re-opened successfully.#

prisma-cloud-alert-search#


Search alerts on the Prisma Cloud platform. When no absolute time nor relative time arguments are provided, the search will show alerts from the last 7 days.

Base Command#

prisma-cloud-alert-search

Input#

Argument NameDescriptionRequired
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
filtersComma-separated list of filter name and value, in the following format: filtername1=filtervalue1,filtername2=filtervalue2,etc. Names and possible values for filters can be found by running the "prisma-cloud-alert-filter-list" command.Optional
detailedWhether to retrieve the entire / trimmed alert model. Possible values are: true, false. Default is true.Optional
limitMaximum number of entries to return. Default is 50.Optional
next_tokenToken of the next page to retrive. When provided, other arguments are ignored.Optional
sort_fieldThe field to sort the results by. Possible values are: alertTime,firstSeen,lastSeen,lastUpdated.Optional
sort_directionThe direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.Optional

Context Output#

PathTypeDescription
PrismaCloud.AlertPageToken.nextPageTokenStringNext page token.
PrismaCloud.Alert.idStringThe ID of the returned alert.
PrismaCloud.Alert.statusStringThe status of the returned alert.
PrismaCloud.Alert.reasonStringThe reason of the returned alert.
PrismaCloud.Alert.lastSeenStringThe time the returned alert was last seen.
PrismaCloud.Alert.firstSeenStringThe time the returned alert was first seen.
PrismaCloud.Alert.lastUpdatedStringThe time the returned alert was last updated.
PrismaCloud.Alert.alertTimeStringThe time of the returned alert.
PrismaCloud.Alert.policy.policyIdStringThe policy ID of the returned alert.
PrismaCloud.Alert.policy.nameStringThe policy name of the returned alert.
PrismaCloud.Alert.policy.policyTypeStringThe policy type of the returned alert.
PrismaCloud.Alert.policy.severityStringThe policy severity of the returned alert.
PrismaCloud.Alert.policy.remediableBooleanWhether the policy is remediable.
PrismaCloud.Alert.policy.descriptionStringThe policy description of the returned alert.
PrismaCloud.Alert.policy.recommendationStringThe policy recommendation of the returned alert.
PrismaCloud.Alert.policy.remediation.descriptionStringThe policy remediation description of the returned alert.
PrismaCloud.Alert.policy.remediation.cliScriptTemplateStringThe policy CLI script template description of the returned alert.
PrismaCloud.Alert.policy.systemDefaultBooleanWhether the policy is the system default.
PrismaCloud.Alert.policy.deletedBooleanWhether the policy was deleted.
PrismaCloud.Alert.resource.resourceTypeStringThe resource type of the returned alert.
PrismaCloud.Alert.resource.nameStringThe resource name of the returned alert.
PrismaCloud.Alert.resource.accountStringThe resource account of the returned alert.
PrismaCloud.Alert.resource.cloudTypeStringThe resource cloud type of the returned alert.
PrismaCloud.Alert.resource.rrnStringThe restricted resource name of the returned alert.

Command example#

!prisma-cloud-alert-search filters=alert.status=open,policy.remediable=true,cloud.type=gcp,policy.type=config limit=2

Context Example#

{
"PrismaCloud": {
"Alert": [
{
"alertRules": [],
"alertTime": "2023-02-17T12:57:46Z",
"firstSeen": "2023-02-17T12:57:46Z",
"history": [],
"id": "P-487678",
"lastSeen": "2023-02-17T12:57:46Z",
"lastUpdated": "2023-02-19T13:27:29Z",
"metadata": {
"saveSearchId": "save-search-id2"
},
"policy": {
"complianceMetadata": [
{
"complianceId": "compliance-id1",
"customAssigned": false,
"policyId": "policy-id2",
"requirementId": "DSI",
"requirementName": "Data Security & Information Lifecycle Management",
"requirementViewOrder": 5,
"sectionDescription": "Data Inventory / Flows.",
"sectionId": "DSI-02",
"sectionLabel": "CSA CCM",
"sectionViewOrder": 25,
"standardDescription": "Cloud Security Alliance: Cloud Controls Matrix Version 3.0.1",
"standardName": "CSA CCM v3.0.1",
"systemDefault": true
},
{
"complianceId": "compliance-id2",
"customAssigned": false,
"policyId": "policy-id4",
"requirementId": "IAM",
"requirementName": "Identity & Access Management",
"requirementViewOrder": 10,
"sectionDescription": "Third Party Access.",
"sectionId": "IAM-07",
"sectionLabel": "CSA CCM",
"sectionViewOrder": 72,
"standardDescription": "Cloud Security Alliance: Cloud Controls Matrix Version 3.0.1",
"standardName": "CSA CCM v3.0.1",
"systemDefault": true
}
],
"deleted": false,
"description": "This policy identifies GCP Firewall rule allowing all traffic on read-only port (12346) which exposes GKE clusters. In GKE, Kubelet exposes a read-only port 12346 which shows the configurations of all pods on the cluster at the /pods API endpoint. GKE itself does not expose this port to the Internet as the default project firewall configuration blocks external access. However, it is possible to inadvertently expose this port publicly on GKE clusters by creating a Google Compute Engine VPC firewall for GKE nodes that allows traffic from all source ranges on all the ports. This configuration publicly exposes all pod configurations, which might contain sensitive information.",
"findingTypes": [],
"labels": [],
"lastModifiedBy": "example@gmail.com",
"lastModifiedOn": 1649907869989,
"name": "GCP Firewall rule exposes GKE clusters by allowing all traffic on read-only port (12346)",
"policyId": "policy-id5",
"policyType": "config",
"recommendation": "As port 12345 exposes sensitive information of GKE pod configuration it is recommended to disable this firewall rule. \nOtherwise, remove the overly permissive source IPs following below steps,\n\n1. Login to GCP Console\n2. Navigate to 'VPC Network'(Left Panel)\n3. Go to the 'Firewall' section (Left Panel)\n4. Click on the reported Firewall rule\n5. Click on 'EDIT'\n6. Modify Source IP ranges to specific IP\n7. Click on 'SAVE'.",
"remediable": true,
"remediation": {
"cliScriptTemplate": "gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled",
"description": "This CLI command requires 'compute.firewalls.update' and 'compute.networks.updatePolicy' permission. Successful execution will disable this firewall rule blocking internet traffic to port 12346.",
"impact": "Disable GCP Firewall rule which allows all traffic on read-only port (12345)"
},
"severity": "medium",
"systemDefault": true
},
"policyId": "policy-id7",
"reason": "NEW_ALERT",
"resource": {
"account": "Google Cloud Account",
"accountId": "AAAAAAA",
"additionalInfo": {},
"cloudAccountGroups": [
"Default Account Group"
],
"cloudAccountOwners": [
"mail1@gmail.com",
"example@gmail.com"
],
"cloudServiceName": "Google VPC",
"cloudType": "gcp",
"data": {
"allowed": [
{
"IPProtocol": "all"
}
],
"creationTimestamp": "2022-09-19T21:28:10.104-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "666666666666666666",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "k8s",
"network": "https://some-url",
"priority": 1000,
"selfLink": "https://some-url",
"sourceRanges": [
"0.0.0.0/0"
]
},
"id": "3333333333333333333",
"name": "k8s",
"region": "global",
"regionId": "global",
"resourceApiName": "gcloud-compute-firewall-rules-list",
"resourceConfigJsonAvailable": true,
"resourceDetailsAvailable": true,
"resourceTs": 1676633555070,
"resourceType": "SECURITY_GROUP",
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"unifiedAssetId": "unifiedassetid2"
},
"saveSearchId": "save-search-id5",
"status": "open"
},
{
"alertRules": [],
"alertTime": "2023-02-17T12:57:46Z",
"firstSeen": "2023-02-17T12:57:46Z",
"history": [],
"id": "P-487768",
"lastSeen": "2023-02-17T12:57:46Z",
"lastUpdated": "2023-02-19T13:27:29Z",
"metadata": {
"saveSearchId": "save-search-id5"
},
"policy": {
"complianceMetadata": [
{
"complianceId": "compliance-id5",
"customAssigned": false,
"policyId": "policy-id-4",
"requirementId": "Section 404",
"requirementName": "Management Assessment",
"requirementViewOrder": 3,
"sectionDescription": "(b) Evaluation and Reporting.",
"sectionId": "Section 404.B",
"sectionLabel": "Section 404.B",
"sectionViewOrder": 9,
"standardDescription": "Management",
"standardName": "Management",
"systemDefault": true
}
],
"deleted": false,
"description": "This policy identifies GCP Firewall rule allowing all traffic on port 12345 which allows GKE full node access. The port 12345 on the kubelet is used by the kube-apiserver (running on hosts labelled as Orchestration Plane) for exec and logs. As per security best practice, port 12345 should not be exposed to the public.",
"findingTypes": [],
"labels": [],
"lastModifiedBy": "example@gmail.com",
"lastModifiedOn": 1652328910000,
"name": "GCP Firewall rule exposes GKE clusters by allowing all traffic on port 12345",
"policyId": "policy-id5",
"policyType": "config",
"recommendation": "As port 12345 exposes sensitive information of GKE pod configuration it is recommended to disable this firewall rule. \nOtherwise, remove the overly permissive source IPs following the below steps,\n\n1. Login to GCP Console\n2. Navigate to 'VPC Network'(Left Panel)\n3. Go to the 'Firewall' section (Left Panel)\n4. Click on the reported Firewall rule\n5. Click on 'EDIT'\n6. Modify Source IP ranges to specific IP\n7. Click on 'SAVE'.",
"remediable": true,
"remediation": {
"cliScriptTemplate": "gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled",
"description": "This CLI command requires 'compute.firewalls.update' and 'compute.networks.updatePolicy' permission. Successful execution will disable this firewall rule blocking internet traffic to port 12345.",
"impact": "disable GCP Firewall rule that allows all traffic on port 12345"
},
"severity": "medium",
"systemDefault": true
},
"policyId": "policy-id-2",
"reason": "NEW_ALERT",
"resource": {
"account": "Google Cloud Account",
"accountId": "AAAAAAA",
"additionalInfo": {},
"cloudAccountGroups": [
"AAAAAAA",
"Default Account Group"
],
"cloudAccountOwners": [
"mail1@gmail.com",
"example@gmail.com"
],
"cloudServiceName": "Google VPC",
"cloudType": "gcp",
"data": {
"allowed": [
{
"IPProtocol": "all"
}
],
"creationTimestamp": "2022-09-19T21:28:10.104-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "7777777777777777777",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "k8s",
"network": "https://some-url/global/networks/default",
"priority": 1000,
"selfLink": "https://some-url/global/firewalls/k8s",
"sourceRanges": [
"0.0.0.0/0"
]
},
"id": "7777777777777777777",
"name": "k8s",
"region": "global",
"regionId": "global",
"resourceApiName": "gcloud-compute-firewall-rules-list",
"resourceConfigJsonAvailable": true,
"resourceDetailsAvailable": true,
"resourceTs": 1676633555070,
"resourceType": "SECURITY_GROUP",
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"unifiedAssetId": "unifiedassetid6"
},
"saveSearchId": "save-search-id6",
"status": "open"
}
],
"AlertPageToken": {
"nextPageToken": "token"
}
}
}

Human Readable Output#

Showing 2 of 25 results:

Alerts Details:#

Alert IDReasonStatusAlert TimeFirst SeenLast SeenLast UpdatedPolicy IDPolicy TypeIs Policy System DefaultIs Policy RemediablePolicy NameIs Policy DeletedPolicy RecommendationPolicy DescriptionPolicy SeverityPolicy Remediation DescriptionPolicy Remediation CLI ScriptResource TypeResource NameResource AccountResource Cloud TypeResource RRN
P-487678NEW_ALERTopen2023-02-17T12:57:46Z2023-02-17T12:57:46Z2023-02-17T12:57:46Z2023-02-19T13:27:29Zpolicy-id7configtruetrueGCP Firewall rule exposes GKE clusters by allowing all traffic on read-only port (12346)falseAs port 12346 exposes sensitive information of GKE pod configuration it is recommended to disable this firewall rule.
Otherwise, remove the overly permissive source IPs following below steps,

1. Login to GCP Console
2. Navigate to 'VPC Network'(Left Panel)
3. Go to the 'Firewall' section (Left Panel)
4. Click on the reported Firewall rule
5. Click on 'EDIT'
6. Modify Source IP ranges to specific IP
7. Click on 'SAVE'.
This policy identifies GCP Firewall rule allowing all traffic on read-only port (12346) which exposes GKE clusters. In GKE, Kubelet exposes a read-only port 12346 which shows the configurations of all pods on the cluster at the /pods API endpoint. GKE itself does not expose this port to the Internet as the default project firewall configuration blocks external access. However, it is possible to inadvertently expose this port publicly on GKE clusters by creating a Google Compute Engine VPC firewall for GKE nodes that allows traffic from all source ranges on all the ports. This configuration publicly exposes all pod configurations, which might contain sensitive information.mediumThis CLI command requires 'compute.firewalls.update' and 'compute.networks.updatePolicy' permission. Successful execution will disable this firewall rule blocking internet traffic to port 12346.gcloud compute --project=${account} firewall-rules update ${resourceName} --disabledSECURITY_GROUPk8sGoogle Cloud Accountgcprrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25
P-487768NEW_ALERTopen2023-02-17T12:57:46Z2023-02-17T12:57:46Z2023-02-17T12:57:46Z2023-02-19T13:27:29Zpolicy-id-2configtruetrueGCP Firewall rule exposes GKE clusters by allowing all traffic on port 12345falseAs port 12345 exposes sensitive information of GKE pod configuration it is recommended to disable this firewall rule.
Otherwise, remove the overly permissive source IPs following the below steps,

1. Login to GCP Console
2. Navigate to 'VPC Network'(Left Panel)
3. Go to the 'Firewall' section (Left Panel)
4. Click on the reported Firewall rule
5. Click on 'EDIT'
6. Modify Source IP ranges to specific IP
7. Click on 'SAVE'.
This policy identifies GCP Firewall rule allowing all traffic on port 12345 which allows GKE full node access. The port 12345 on the kubelet is used by the kube-apiserver (running on hosts labelled as Orchestration Plane) for exec and logs. As per security best practice, port 12345 should not be exposed to the public.mediumThis CLI command requires 'compute.firewalls.update' and 'compute.networks.updatePolicy' permission. Successful execution will disable this firewall rule blocking internet traffic to port 12345.gcloud compute --project=${account} firewall-rules update ${resourceName} --disabledSECURITY_GROUPk8sGoogle Cloud Accountgcprrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25

Next Page Token:#

token

prisma-cloud-config-search#


Search configuration inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "config". When no absolute time nor relative time arguments are provided, the default time range is all times.

Base Command#

prisma-cloud-config-search

Input#

Argument NameDescriptionRequired
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
queryQuery to run in Prisma Cloud config API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/config-query.Required
limitMaximum number of entries to return. Default is 50.Optional
search_idSearch ID. Can be used to rerun the same search.Optional
sort_directionThe direction to sort the results by. Both sort direction and field must be specified if sorting. Possible values are: asc, desc. Default is desc.Optional
sort_fieldThe field to sort the results by. Both sort direction and field must be specified if sorting. Possible values are: id, time, apiName, customerId, insertTs, json, cloudAccount, cloudRegion, stateId. Default is insertTs.Optional

Context Output#

PathTypeDescription
PrismaCloud.Config.accountIdStringCloud account ID.
PrismaCloud.Config.accountNameStringCloud account name.
PrismaCloud.Config.allowDrillDownBooleanWhether to allow drill down.
PrismaCloud.Config.cloudTypeStringCloud type.
PrismaCloud.Config.deletedBooleanWhether the asset was deleted.
PrismaCloud.Config.hasExtFindingRiskFactorsBooleanWhether the configuration has external finding risk factors.
PrismaCloud.Config.hasExternalFindingBooleanWhether the configuration has an external finding.
PrismaCloud.Config.hasExternalIntegrationBooleanWhether the configuration has an external integration.
PrismaCloud.Config.hasNetworkBooleanWhether the configuration has a network.
PrismaCloud.Config.idStringPrisma Cloud configuration ID.
PrismaCloud.Config.assetIdStringPrisma Cloud asset ID.
PrismaCloud.Config.dataUnknownPrisma Cloud asset specific data.
PrismaCloud.Config.insertTsDateInsert timestamp.
PrismaCloud.Config.createdTsDateCreated timestamp.
PrismaCloud.Config.nameStringAsset name.
PrismaCloud.Config.regionIdStringCloud region ID.
PrismaCloud.Config.regionNameStringCloud region name.
PrismaCloud.Config.resourceTypeStringCloud resource type.
PrismaCloud.Config.rrnStringCloud restricted resource name.
PrismaCloud.Config.serviceStringCloud service.
PrismaCloud.Config.stateIdStringState ID.

Command example#

!prisma-cloud-config-search query="config from cloud.resource where cloud.region = 'AWS Ohio' " limit=1

Context Example#

{
"PrismaCloud": {
"Config": {
"accountId": "888888888888",
"accountName": "labs",
"allowDrillDown": true,
"assetId": "assetid1",
"cloudType": "aws",
"createdTs": "2023-02-17T11:07:40Z",
"data": {
"status": {
"isLogging": true,
"latestCloudWatchLogsDeliveryTime": "2023-02-19T13:27:38.122Z",
"latestDeliveryAttemptSucceeded": "2023-02-19T13:28:24Z",
"latestDeliveryAttemptTime": "2023-02-19T13:28:24Z",
"latestDeliveryTime": "2023-02-19T13:28:24.465Z",
"latestDigestDeliveryTime": "2023-02-19T12:40:04.109Z",
"latestNotificationAttemptSucceeded": "2023-02-19T13:28:24Z",
"latestNotificationAttemptTime": "2023-02-19T13:28:24Z",
"latestNotificationTime": "2023-02-19T13:28:24.461Z",
"logging": true,
"startLoggingTime": "2022-05-25T10:51:34.851Z",
"timeLoggingStarted": "2022-05-25T10:51:34Z",
"timeLoggingStopped": ""
},
"trail": "control"
},
"deleted": false,
"hasExtFindingRiskFactors": false,
"hasExternalFinding": false,
"hasExternalIntegration": false,
"hasNetwork": false,
"id": "arn:aws:trail:us-west-1:888888888888:trail/control",
"insertTs": "2023-02-19T13:29:28Z",
"name": "trail-status",
"regionId": "us-east-1",
"regionName": "AWS Ohio",
"resourceConfigJsonAvailable": true,
"resourceType": "Cloud Trail Status",
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"service": "AWS CloudTrail",
"stateId": "stateid3"
}
}
}

Human Readable Output#

Showing 1 of 2925 results:

Configuration Details:#

NameIdCloud TypeServiceAccount NameRegion NameDeletedAccount IdAsset IdCreated TsInsert TsRegion IdResource TypeRrn
control-trail-statusarn:aws:trail:us-west-1:888888888888:trail/controlawsAWS CloudTraillabsAWS Ohiofalse888888888888assetid12023-02-17T11:07:40Z2023-02-19T13:29:28Zus-east-2Cloud Trail Statusrrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25

prisma-cloud-event-search#


Search events inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "event". When no absolute time nor relative time arguments are provided, the default time range is all times.

Base Command#

prisma-cloud-event-search

Input#

Argument NameDescriptionRequired
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
queryQuery to run in Prisma Cloud event API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query.Required
limitMaximum number of entries to return. Default is 50.Optional
sort_fieldThe field to sort the results by. Possible values are: cloudService, operation, cloudAccount, cloudRegion, id, time, crud, user.Optional
sort_directionThe direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.Optional

Context Output#

PathTypeDescription
PrismaCloud.Event.subjectStringCloud event subject.
PrismaCloud.Event.accountNameStringCloud event account name.
PrismaCloud.Event.nameStringCloud event name.
PrismaCloud.Event.sourceStringCloud event source.
PrismaCloud.Event.ipStringCloud event IP address.
PrismaCloud.Event.eventTsDateCloud event timestamp.
PrismaCloud.Event.countryNameStringCloud event country name.
PrismaCloud.Event.stateNameStringCloud event state name.
PrismaCloud.Event.cityNameStringCloud event city name.
PrismaCloud.Event.locationStringCloud event location.
PrismaCloud.Event.accountStringCloud event account.
PrismaCloud.Event.regionIdNumberCloud event region ID.
PrismaCloud.Event.typeStringCloud event type.
PrismaCloud.Event.idNumberCloud event ID.
PrismaCloud.Event.roleStringCloud event role.
PrismaCloud.Event.accessKeyUsedBooleanWhether the cloud event access key is used.
PrismaCloud.Event.successBooleanWhether the cloud event is successful.
PrismaCloud.Event.internalBooleanWhether the cloud event is internal.
PrismaCloud.Event.cityIdNumberCloud event city ID.
PrismaCloud.Event.cityLatitudeNumberCloud event city latitude.
PrismaCloud.Event.cityLongitudeNumberCloud event city longitude.
PrismaCloud.Event.countryIdNumberCloud event country ID.
PrismaCloud.Event.dynamicDataStringCloud event dynamic data.
PrismaCloud.Event.stateIdNumberCloud event state ID.

Command example#

!prisma-cloud-event-search query="event from cloud.audit_logs where cloud.type = 'aws'" limit=2

Context Example#

{
"PrismaCloud": {
"Event": [
{
"accessKeyUsed": false,
"account": "111111111111",
"accountName": "AAAAAAA",
"cityId": -3,
"cityLatitude": -1,
"cityLongitude": -1,
"cityName": "Internal",
"countryId": -3,
"countryName": "Internal",
"dynamicData": {},
"eventTs": "2022-10-17T00:00:26Z",
"id": 222222222,
"internal": false,
"location": "Internal",
"name": "StartBuild",
"notPersisted": false,
"regionId": 2,
"regionName": "AWS Ohio",
"role": "CloudWatchEventRule",
"source": "codebuild",
"stateId": -3,
"stateName": "Internal",
"subject": "Subject3",
"success": true,
"type": "CREATE"
},
{
"accessKeyUsed": false,
"account": "111111111111",
"accountName": "AAAAAAA",
"cityId": 4509177,
"cityLatitude": -1,
"cityLongitude": -1,
"cityName": "Columbus",
"countryId": 6251111,
"countryName": "United States of America",
"dynamicData": {},
"eventTs": "2022-10-17T00:03:07Z",
"id": 333333333,
"internal": false,
"ip": "1.1.1.1",
"location": "Columbus, Ohio, United States of America",
"name": "CreateReportGroup",
"notPersisted": false,
"regionId": 2,
"regionName": "AWS Ohio",
"role": "aws-codebuild-samples",
"source": "codebuild",
"stateId": 6666666,
"stateName": "Ohio",
"subject": "Subject6",
"success": false,
"type": "CREATE"
}
]
}
}

Human Readable Output#

Showing 2 of 39018 results:

Event Details:#

SubjectAccount NameNameSourceIpEvent TsCountry NameState NameCity NameLocationAccountRegion IdTypeIdRoleAccess Key UsedSuccessInternal
Subject3AAAAAAAStartBuildcodebuild2022-10-17T00:00:26ZInternalInternalInternalInternal1111111111112CREATE222222222CloudWatchEventRulefalsetruefalse
Subject6AAAAAAACreateReportGroupcodebuild1.1.1.12022-10-17T00:03:07ZUnited States of AmericaOhioColumbusColumbus, Ohio, United States of America1111111111112CREATE333333333aws-codebuild-samplesfalsefalsefalse

prisma-cloud-network-search#


Search networks inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "networks". When no absolute time nor relative time arguments are provided, the default time range is all times. In order to limit the results returning, use "limit search records to" at the end of the RQL query, followed by a value from one of these options: 1, 10, 100, 1000, and 10,000.

Base Command#

prisma-cloud-network-search

Input#

Argument NameDescriptionRequired
time_range_date_fromStart time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_date_toEnd time for the search. Time is interpreted as UTC. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00 GMT+3" (ISO date format), "3 days" (relative time), 1579039377301 (epoch time).Optional
time_range_unitThe search time unit. The "login" and "epoch" options are only available if "time_range_value" is not provided. Possible values are: hour, day, week, month, year, login, epoch.Optional
time_range_valueThe amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc.Optional
queryQuery to run in Prisma Cloud network API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query.Required
cloud_typeThe cloud in which the network should be searched. Possible values are: aws, azure, gcp, alibaba_cloud, oci.Optional
search_idSearch ID. Can be used to rerun the same search.Optional

Context Output#

PathTypeDescription
PrismaCloud.Network.Node.idNumberCloud network node ID.
PrismaCloud.Network.Node.nameStringCloud network node name.
PrismaCloud.Network.Node.ipAddrStringCloud network node IP address.
PrismaCloud.Network.Node.groupedBooleanWhether the cloud network node is grouped.
PrismaCloud.Network.Node.suspiciousBooleanWhether the cloud network node is suspicious.
PrismaCloud.Network.Node.vulnerableBooleanWhether the cloud network node is vulnerable.
PrismaCloud.Network.Node.metadataUnknownCloud network node metadata.
PrismaCloud.Network.Connection.fromNumberCloud network connection from node ID.
PrismaCloud.Network.Connection.toNumberCloud network connection to node ID.
PrismaCloud.Network.Connection.labelStringCloud network connection label.
PrismaCloud.Network.Connection.suspiciousBooleanWhether the cloud network node is suspicious.
PrismaCloud.Network.Connection.metadataUnknownCloud network connection metadata.

Command example#

!prisma-cloud-network-search query="network from vpc.flow_record where cloud.account = 'AWS Prod' AND source.publicnetwork IN ( 'Suspicious IPs' ) AND bytes > 0 "

Context Example#

{
"PrismaCloud": {
"Network": {
"Connection": [
{
"from": -963693921,
"label": "Web & 1 more",
"metadata": {
"account_id": [
"888888888888"
],
"asset_role": [
"Suspicious IPs"
],
"bytes_accepted": 598088,
"bytes_attempted": 360,
"bytes_rejected": 0,
"cloud_type": [
"aws"
],
"connection_overview_table": [
{
"accepted": "yes",
"port": "Web (80)",
"traffic_volume": 565611
},
{
"accepted": "yes",
"port": "SSH (22)",
"traffic_volume": 32477
},
{
"accepted": "no",
"port": "Web (80)",
"traffic_volume": 360
}
],
"countries": [
"N/A"
],
"flow_class": [
"Web (80)",
"SSH (22)"
],
"from_ip_addresses": [
"0.0.0.0"
],
"isps": [
"N/A"
],
"region_id": [
"N/A"
],
"states": [
"N/A"
],
"suspicious_ips": [
"35.180.1.1",
"172.31.34.235"
],
"to_ip_addresses": [
"35.180.1.1",
"10.0.2.5"
]
},
"suspicious": true,
"to": -1695489264
}
],
"Node": [
{
"grouped": false,
"iconId": "web_server",
"id": -1695489264,
"ipAddr": "10.0.2.5",
"metadata": {
"account_id": [
"888888888888"
],
"account_name": [
"AWS Prod"
],
"asset_role": [
"VM Instance",
"SSH",
"Web Server"
],
"cloud_type": [
"aws"
],
"compliance_count": 0,
"guard_duty_host_count": 4,
"guard_duty_iam_count": 0,
"host_vulnerability_count": 0,
"initial": true,
"inspector_rba_count": 0,
"inspector_sbp_count": 0,
"instance_id": [
"i-0d"
],
"ip_addresses": [
"10.0.2.5"
],
"net_iface_id": [
"eni-08"
],
"redlock_alert_count": 10,
"region_id": [
"us-west-1"
],
"region_name": [
"AWS California"
],
"resource_id": [
"i-00"
],
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"secgroup_ids": [
"sg-0a"
],
"security_groups": [
{
"id": "sg-0a",
"name": "WebServersg"
}
],
"serverless_vulnerability_count": 0,
"tags": [
{
"name": "aws:cloudformation:stack-name",
"values": [
"aaa"
]
},
{
"name": "aws:cloudformation:stack-id",
"values": [
"arn:aws:trail:us-west-1:888888888888:trail/control"
]
},
{
"name": "aws:cloudformation:logical-id",
"values": [
"WebServerInstance"
]
},
{
"name": "Name",
"values": [
"PANW-WebServer"
]
}
],
"vpc_id": [
"vpc-07"
],
"vpc_name": [
{
"id": "vpc-07",
"name": "VPC-aaa"
}
]
},
"name": "PANW-WebServer",
"suspicious": false,
"vulnerable": true
},
{
"grouped": true,
"iconId": "suspicious",
"id": -963693921,
"ipAddr": "0.0.0.0",
"metadata": {
"account_id": [
"888888888888"
],
"account_name": [
"N/A"
],
"asset_role": [
"Suspicious IPs"
],
"bytes_accepted": 1368976,
"bytes_attempted": 2428,
"bytes_rejected": 0,
"cloud_type": [
"aws"
],
"compliance_count": 0,
"countries": [
"N/A"
],
"guard_duty_host_count": 0,
"guard_duty_iam_count": 0,
"host_vulnerability_count": 0,
"inspector_rba_count": 0,
"inspector_sbp_count": 0,
"instance_id": [
"N/A"
],
"ip_addresses": [
"N/A"
],
"isps": [
"N/A"
],
"launched_on": [
"N/A"
],
"net_iface_id": [
"N/A"
],
"redlock_alert_count": 0,
"region_id": [
"N/A"
],
"region_name": [
"N/A"
],
"resource_id": [
"N/A"
],
"secgroup_ids": [
"N/A"
],
"secgroup_names": [
"N/A"
],
"security_groups": [
"N/A"
],
"serverless_vulnerability_count": 0,
"specificIps": [
"172.31.34.235",
"1.1.1.1"
],
"states": [
"N/A"
],
"tags": [
"N/A"
],
"vpc_name": [
"N/A"
]
},
"name": "Suspicious IPs",
"suspicious": false,
"vulnerable": false
}
]
}
}
}

Human Readable Output#

Network Details#

Nodes:#

IdNameIp AddrGroupedSuspiciousVulnerable
-1695489264PANW-WebServer10.0.2.5falsefalsetrue
-963693921Suspicious IPs0.0.0.0truefalsefalse

Connections:#

FromToLabelSuspicious
-963693921-1695489264Web & 1 moretrue

prisma-cloud-error-file-list#


Deprecated, use the prisma-cloud-code-issues-list command instead.

prisma-cloud-trigger-scan#


Trigger asynchronous scan of all resources to refresh the current state at Prisma Cloud Code Security. In order to use this command, the "Code Security" module needs to be enabled and accessible in the Prisma Cloud UI.

Base Command#

prisma-cloud-trigger-scan

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command example#

!prisma-cloud-trigger-scan

Human Readable Output#

Trigger Scan Results:#

Is ExecutedMessage
falseExecuting a new scan has failed - a scheduled scan is already in progress.

prisma-cloud-resource-get#


Get resource details.

Base Command#

prisma-cloud-resource-get

Input#

Argument NameDescriptionRequired
rrnRestricted Resource Name of the resource to get details about. Can be retrieved by running a command that has that RRN.Required

Context Output#

PathTypeDescription
PrismaCloud.Resource.rrnStringPrisma Cloud restricted resource name.
PrismaCloud.Resource.idStringPrisma Cloud resource ID.
PrismaCloud.Resource.nameStringResource name.
PrismaCloud.Resource.urlStringResource URL.
PrismaCloud.Resource.accountIdStringCloud account ID.
PrismaCloud.Resource.accountNameStringCloud account name.
PrismaCloud.Resource.cloudTypeStringCloud type.
PrismaCloud.Resource.regionIdStringCloud region ID.
PrismaCloud.Resource.regionNameStringCloud region Name.
PrismaCloud.Resource.serviceStringCloud service.
PrismaCloud.Resource.resourceTypeStringCloud resource type.
PrismaCloud.Resource.insertTsDateInsert timestamp.
PrismaCloud.Resource.deletedBooleanWhether the resource was deleted.
PrismaCloud.Resource.vpcIdStringVPC ID.
PrismaCloud.Resource.vpcNameStringVPC name.
PrismaCloud.Resource.tagsUnknownPrisma Cloud resource tags.
PrismaCloud.Resource.riskGradeStringRisk grade.
PrismaCloud.Resource.hasNetworkBooleanWhether the resource has a network.
PrismaCloud.Resource.hasExternalFindingBooleanWhether the resource has an external finding.
PrismaCloud.Resource.hasExternalIntegrationBooleanWhether the resource has an external integration.
PrismaCloud.Resource.allowDrillDownBooleanWhether to allow drill down.
PrismaCloud.Resource.hasExtFindingRiskFactorsBooleanWhether the resource has external finding risk factors.
PrismaCloud.Resource.dataUnknownPrisma Cloud resource specific data.

Command example#

!prisma-cloud-resource-get rrn=rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25

Context Example#

{
"PrismaCloud": {
"Resource": {
"accountId": "111111111111",
"accountName": "AAAAAAA",
"allowDrillDown": true,
"cloudType": "aws",
"data": {
"attributes": [
{
"attributeName": "restore",
"attributeValues": []
}
],
"snapshot": {
"allocatedStorage": 20,
"availabilityZone": "us-east-1a",
"dbiResourceId": "db-S",
"dbinstanceIdentifier": "aaaaaaaaaaaaaa",
"dbsnapshotArn": "arn:aws:trail:us-west-1:888888888888:trail/control",
"dbsnapshotIdentifier": "rds:aaaaaaaaaaaaaa-2023-01-29-09-25",
"encrypted": false,
"engine": "postgres",
"engineVersion": "13.7",
"iamdatabaseAuthenticationEnabled": false,
"instanceCreateTime": "2022-07-22T18:35:54.809Z",
"licenseModel": "postgresql-license",
"masterUsername": "master",
"optionGroupName": "default:postgres-13",
"originalSnapshotCreateTime": "2023-01-29T09:25:08.698Z",
"percentProgress": 100,
"port": 5432,
"processorFeatures": [],
"snapshotCreateTime": "2023-01-29T09:25:08.698Z",
"snapshotTarget": "region",
"snapshotType": "automated",
"status": "available",
"storageThroughput": 0,
"storageType": "standard",
"tagList": [],
"vpcId": "vpc-0f"
},
"tags": []
},
"deleted": true,
"hasExtFindingRiskFactors": false,
"hasExternalFinding": false,
"hasExternalIntegration": false,
"hasNetwork": false,
"id": "rds:aaaaaaaaaaaaaa-2023-01-29-09-25",
"insertTs": "2023-01-29T09:35:27Z",
"name": "rds:aaaaaaaaaaaaaa-2023-01-29-09-25",
"regionId": "us-east-1",
"regionName": "AWS Virginia",
"resourceConfigJsonAvailable": false,
"resourceType": "Managed Database Snapshot",
"riskGrade": "A",
"rrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"service": "Amazon RDS",
"tags": {
"": ""
},
"url": "https://some-url?region=us-east-1#db-snapshots:id=rds:aaaaaaaaaaaaaa-2023-01-29-09-25",
"vpcId": "vpc-0f",
"vpcName": "ServerlessVPC"
}
}
}

Human Readable Output#

Resource Details:#

RrnIdNameUrlAccount IdAccount NameCloud TypeRegion IdRegion NameServiceResource TypeInsert TsDeletedVpc IdVpc NameTagsRisk GradeHas NetworkHas External FindingHas External IntegrationAllow Drill DownHas Ext Finding Risk Factors
rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25rds:aaaaaaaaaaaaaa-2023-01-29-09-25rds:aaaaaaaaaaaaaa-2023-01-29-09-25https://some_url?region=us-east-1#db-snapshots:id=rds:aaaaaaaaaaaaaa-2023-01-29-09-25111111111111AAAAAAAawsus-east-1AWS VirginiaAmazon RDSManaged Database Snapshot2023-01-29T09:35:27Ztruevpc-0fServerlessVPC:Afalsefalsefalsetruefalse

prisma-cloud-resource-list#


Returns all the resource lists. Maps to the Resource Lists under Settings > Resource Lists in the Console UI.

Base Command#

prisma-cloud-resource-list

Input#

Argument NameDescriptionRequired
list_typeThe resource list type.Optional
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
PrismaCloud.ResourceList.idStringPrisma Cloud resource list ID.
PrismaCloud.ResourceList.nameStringResource list name.
PrismaCloud.ResourceList.resourceListTypeStringResource list type.
PrismaCloud.ResourceList.descriptionStringResource list description.
PrismaCloud.ResourceList.lastModifiedByStringResource list last modified user.
PrismaCloud.ResourceList.lastModifiedTsDateResource list last modified time.
PrismaCloud.ResourceList.membersUnknownResource list members.

Command example#

!prisma-cloud-resource-list limit=3

Context Example#

{
"PrismaCloud": {
"ResourceList": [
{
"description": null,
"id": "aa11bb22",
"lastModifiedBy": "admin@paloaltonetworks.com",
"lastModifiedTs": "2021-09-20T16:23:15Z",
"members": [
{
"demo": "lab"
},
{
"dev": "prisma"
},
{
"env": "lab"
}
],
"name": "First",
"resourceListType": "TAG"
},
{
"description": null,
"id": "aa22bb11",
"lastModifiedBy": "admin2@paloaltonetworks.com",
"lastModifiedTs": "2023-03-10T04:54:34Z",
"members": [
{
}
],
"name": "other",
"resourceListType": "COMPUTE_ACCESS_GROUP"
},
{
"description": null,
"id": "a3b4",
"lastModifiedBy": "test@paloaltonetworks.com",
"lastModifiedTs": "2023-07-10T22:27:55Z",
"members": [
{
"labels": [
"*"
],
"namespaces": [
"*"
]
}
],
"name": "panw",
"resourceListType": "COMPUTE_ACCESS_GROUP"
}
]
}
}

Human Readable Output#

Showing 3 of 6 results:

Resources Details:#

NameIdTypeLast Modified By
Firstaa11bb22TAGadmin@paloaltonetworks.com
otheraa22bb11COMPUTE_ACCESS_GROUPadmin2@paloaltonetworks.com
panwa3b4COMPUTE_ACCESS_GROUPtest@paloaltonetworks.com

prisma-cloud-user-roles-list#


Retrieves user roles. Maps to Settings > Access Control > Roles in the Console UI.

Base Command#

prisma-cloud-user-roles-list

Input#

Argument NameDescriptionRequired
role_idThe role id to get details of.Optional
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
PrismaCloud.UserRoles.idStringPrisma Cloud user roles ID.
PrismaCloud.UserRoles.nameStringUser roles name.
PrismaCloud.UserRoles.resourceListIdsUnknownUser roles resource list IDs.
PrismaCloud.UserRoles.descriptionStringUser roles description.
PrismaCloud.UserRoles.lastModifiedByStringUser roles last modified user.
PrismaCloud.UserRoles.lastModifiedTsDateUser roles last modified time.
PrismaCloud.UserRoles.associatedUsersUnknownUser roles associated users.
PrismaCloud.UserRoles.restrictDismissalAccessBooleanWhether dismissal access is restricted for the user role.
PrismaCloud.UserRoles.roleTypeStringUser roles role type.
PrismaCloud.UserRoles.additionalAttributesUnknownUser roles additional attributes.
PrismaCloud.UserRoles.codeRepositoryIdsUnknownUser roles code repository IDs.
PrismaCloud.UserRoles.accountGroupIdsUnknownUser roles account group IDs.
PrismaCloud.UserRoles.resourceListsUnknownUser roles resource lists.
PrismaCloud.UserRoles.permissionGroupUnknownUser roles permission group.
PrismaCloud.UserRoles.codeRepositoriesUnknownUser roles code repositories.
PrismaCloud.UserRoles.accountGroupsUnknownUser roles account groups.

Command example#

!prisma-cloud-user-roles-list limit=3

Context Example#

{
"PrismaCloud": {
"UserRoles": [
{
"accountGroupIds": [],
"accountGroups": [],
"additionalAttributes": {
"hasDefenderPermissions": false,
"onlyAllowCIAccess": false,
"onlyAllowComputeAccess": false,
"onlyAllowReadAccess": false
},
"associatedUsers": [
"lab",
"demo"
],
"codeRepositories": [],
"codeRepositoryIds": [],
"description": "",
"id": "a2b2",
"lastModifiedBy": "test@paloaltonetworks.com",
"lastModifiedTs": "2023-08-02T17:47:07Z",
"name": "dev-test",
"permissionGroup": null,
"resourceListIds": [],
"resourceLists": [],
"restrictDismissalAccess": true,
"roleType": "Developer"
},
{
"accountGroupIds": [],
"accountGroups": [],
"additionalAttributes": {
"hasDefenderPermissions": false,
"onlyAllowCIAccess": false,
"onlyAllowComputeAccess": false,
"onlyAllowReadAccess": false
},
"associatedUsers": [
"test"
],
"codeRepositories": [],
"codeRepositoryIds": [],
"description": "",
"id": "a3b3",
"lastModifiedBy": "admin@paloaltonetworks.com",
"lastModifiedTs": "2023-07-21T15:27:04Z",
"name": "Custom Read Only",
"permissionGroup": null,
"resourceListIds": [],
"resourceLists": [],
"restrictDismissalAccess": false,
"roleType": "Custom Read Only"
},
{
"accountGroupIds": [
"aaa111",
"bbb222"
],
"accountGroups": [
{
"id": "aaa111",
"name": "group1"
},
{
"id": "bbb222",
"name": "group2"
}
],
"additionalAttributes": {
"hasDefenderPermissions": false,
"onlyAllowCIAccess": false,
"onlyAllowComputeAccess": false,
"onlyAllowReadAccess": true
},
"associatedUsers": [
"user1",
"user2"
],
"codeRepositories": [
{
"id": "a3c3",
"name": "demo"
}
],
"codeRepositoryIds": [
"a3c3"
],
"description": "",
"id": "a4b4",
"lastModifiedBy": "test@paloaltonetworks.com",
"lastModifiedTs": "2023-07-18T19:27:59Z",
"name": "Read Only",
"permissionGroup": null,
"resourceListIds": [],
"resourceLists": [],
"restrictDismissalAccess": true,
"roleType": "Account Group Read Only"
}
]
}
}

Human Readable Output#

Showing 3 of 14 results:

User Roles Details:#

NameIdRole Type
dev-testa2b2Developer
Custom Read Onlya3b3Custom Read Only
Read Onlya4b4Account Group Read Only

prisma-cloud-users-list#


Lists all users and service accounts for your tenant. Maps to Settings > Access Control > Users in the Console UI.

Base Command#

prisma-cloud-users-list

Input#

Argument NameDescriptionRequired
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional
usernamesUsernames to return only users associated with.Optional

Context Output#

PathTypeDescription
PrismaCloud.Users.emailStringPrisma Cloud user email.
PrismaCloud.Users.firstNameStringUser first name.
PrismaCloud.Users.lastNameStringUser last name.
PrismaCloud.Users.timeZoneStringUser time zone.
PrismaCloud.Users.enabledBooleanUser enabled.
PrismaCloud.Users.lastModifiedByStringUser last modified user.
PrismaCloud.Users.lastModifiedTsDateUser last modified time.
PrismaCloud.Users.lastLoginTsDateUser last login time.
PrismaCloud.Users.displayNameStringUser display name.
PrismaCloud.Users.ssoBypassAllowedBooleanWhether SSO bypass is allowed for the user role.
PrismaCloud.Users.accessKeysAllowedBooleanWhether access keys are allowed for the user role.
PrismaCloud.Users.defaultRoleIdStringUser default role ID.
PrismaCloud.Users.roleIdsUnknownUser role IDs.
PrismaCloud.Users.rolesUnknownUser roles.
PrismaCloud.Users.usernameStringUser username.
PrismaCloud.Users.typeStringUser type.
PrismaCloud.Users.enableKeyExpirationBooleanWhether key expiration is enabled for the user role.
PrismaCloud.Users.accessKeysCountNumberUser access keys count.

Command example#

!prisma-cloud-users-list limit=2

Context Example#

{
"PrismaCloud": {
"Users": [
{
"accessKeysAllowed": false,
"accessKeysCount": 0,
"defaultRoleId": "a4b4",
"displayName": "User Test",
"email": "test@paloaltonetworks.com",
"enableKeyExpiration": false,
"enabled": true,
"firstName": "User",
"lastLoginTs": "1969-12-31T23:59:59Z",
"lastModifiedBy": "admin@paloaltonetworks.com",
"lastModifiedTs": "2020-01-21T22:35:36Z",
"lastName": "Test",
"roleIds": [
"a4b4"
],
"roles": [
{
"id": "a4b4",
"name": "Read Only",
"onlyAllowCIAccess": false,
"onlyAllowComputeAccess": false,
"onlyAllowReadAccess": true,
"type": "Account Group Read Only"
}
],
"roles names": [
"Read Only"
],
"ssoBypassAllowed": false,
"timeZone": "America/New_York",
"type": "USER_ACCOUNT",
"username": "test@paloaltonetworks.com"
},
{
"accessKeysAllowed": false,
"accessKeysCount": 0,
"defaultRoleId": "a4b4",
"displayName": "User Other",
"email": "other@paloaltonetworks.com",
"enableKeyExpiration": false,
"enabled": true,
"firstName": "User",
"lastLoginTs": "2023-08-29T14:04:17Z",
"lastModifiedBy": "USER-ADD",
"lastModifiedTs": "2023-08-29T13:45:06Z",
"lastName": "Other",
"roleIds": [
"a4b4"
],
"roles": [
{
"id": "a4b4",
"name": "Read Only",
"onlyAllowCIAccess": false,
"onlyAllowComputeAccess": false,
"onlyAllowReadAccess": true,
"type": "Account Group Read Only"
}
],
"roles names": [
"Read Only"
],
"ssoBypassAllowed": false,
"timeZone": "America/New_York",
"type": "USER_ACCOUNT",
"username": "other@paloaltonetworks.com"
}
]
}
}

Human Readable Output#

Showing 2 of 200 results:

Users Details:#

Display NameEmailEnabledUsernameTypeRoles Names
User Testtest@paloaltonetworks.comtruetest@paloaltonetworks.comUSER_ACCOUNTRead Only
User Otherother@paloaltonetworks.comtrueother@paloaltonetworks.comUSER_ACCOUNTRead Only

prisma-cloud-account-list#


List accounts.

Base Command#

prisma-cloud-account-list

Input#

Argument NameDescriptionRequired
exclude_account_group_detailsWhether to exclude account group details. Possible values are: true, false. Default is false.Optional
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
PrismaCloud.Account.nameStringAccount name.
PrismaCloud.Account.cloudTypeStringAccount cloud type.
PrismaCloud.Account.accountTypeStringAccount type.
PrismaCloud.Account.enabledBooleanWhether the account is enabled.
PrismaCloud.Account.lastModifiedTsDateAccount last modified time.
PrismaCloud.Account.storageScanEnabledBooleanWhether account storage scan is enabled.
PrismaCloud.Account.protectionModeStringAccount protection mode.
PrismaCloud.Account.ingestionModeNumberAccount ingestion mode.
PrismaCloud.Account.deploymentTypeStringAccount deployment type.
PrismaCloud.Account.groupIdsUnknownAccount group IDs.
PrismaCloud.Account.groupsUnknownAccount groups.
PrismaCloud.Account.statusStringAccount status.
PrismaCloud.Account.numberOfChildAccountsNumberThe number of child accounts.
PrismaCloud.Account.accountIdStringAccount ID.
PrismaCloud.Account.addedOnDateAccount added on time.

Command example#

!prisma-cloud-account-list limit=1

Context Example#

{
"PrismaCloud": {
"Account": [
{
"accountId": "777777777777",
"accountType": "organization",
"addedOn": "2022-10-06T04:06:41Z",
"cloudAccountOwner": "mail1@gmail.com",
"cloudAccountOwnerCount": 1,
"cloudType": "aws",
"deploymentType": "aws",
"enabled": true,
"groupIds": [
"group2"
],
"groups": [
{
"id": "group2",
"name": "Adi"
}
],
"ingestionMode": 7,
"lastModifiedBy": "example@example.com",
"lastModifiedTs": "2022-10-06T12:48:42Z",
"name": "aws-Adi-train",
"numberOfChildAccounts": 4,
"protectionMode": "MONITOR_AND_PROTECT",
"status": "warning",
"storageScanEnabled": false
}
]
}
}

Human Readable Output#

Showing 1 of 19 results:

Accounts Details:#

Account IdNameCloud TypeAccount TypeEnabledAdded OnLast Modified TsLast Modified ByStorage Scan EnabledProtection ModeIngestion ModeDeployment TypeStatus
777777777777aws-Adi-trainawsorganizationtrue2022-10-06T04:06:41Z2022-10-06T12:48:42Zexample@example.comfalseMONITOR_AND_PROTECT7awswarning

prisma-cloud-account-status-get#


Get the statuses of the provided accounts.

Base Command#

prisma-cloud-account-status-get

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of accound IDs. To get account IDs, run the "prisma-cloud-account-list" command.Required

Context Output#

PathTypeDescription
PrismaCloud.Account.accountIdStringAccount ID.
PrismaCloud.Account.nameStringAccount name.
PrismaCloud.Account.statusStringAccount status.
PrismaCloud.Account.messageStringAccount message.
PrismaCloud.Account.remediationStringAccount remediation action.

Command example#

!prisma-cloud-account-status-get account_ids=111111111111

Context Example#

{
"PrismaCloud": {
"Account": {
"accountId": "111111111111",
"message": "",
"name": "Config",
"remediation": "",
"status": "ok",
"subComponents": []
}
}
}

Human Readable Output#

Accounts Status Details:#

Account IdNameStatus
111111111111Configok

prisma-cloud-account-owner-list#


Get the owners of the provided accounts.

Base Command#

prisma-cloud-account-owner-list

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of account IDs. To get account IDs, run the "prisma-cloud-account-list" command.Required

Context Output#

PathTypeDescription
PrismaCloud.Account.accountIdStringAccount ID.
PrismaCloud.Account.emailsUnknownAccount owner emails.

Command example#

!prisma-cloud-account-owner-list account_ids=888888888888888888888888888888888888,111111111111

Context Example#

{
"PrismaCloud": {
"Account": [
{
"accountId": "888888888888888888888888888888888888",
"emails": [
"name@company.com"
]
},
{
"accountId": "111111111111",
"emails": []
}
]
}
}

Human Readable Output#

Accounts Owner Details:#

Account IdEmails
888888888888888888888888888888888888name@company.com
111111111111

prisma-cloud-host-finding-list#


Get resource host finding list.

Base Command#

prisma-cloud-host-finding-list

Input#

Argument NameDescriptionRequired
rrnRestricted Resource Name of the resource to get host finding of. Can be retrieved by running a command that has that RRN.Required
finding_typesComma separated list of finding types to look for. Available options are: guard_duty_host, guard_duty_iam, inspector_sbp, compliance_cis, host_vulnerability_cve. When left empty, will return all options.Optional
risk_factorsComma separated list of risk factors to look for. Available options are: CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, HAS_FIX, REMOTE_EXECUTION, DOS, RECENT_VULNERABILITY, EXPLOIT_EXISTS, ATTACK_COMPLEXITY_LOW, ATTACK_VECTOR_NETWORK, REACHABLE_FROM_THE_INTERNET, LISTENING_PORTS, CONTAINER_IS_RUNNING_AS_ROOT, NO_MANDATORY_SECURITY_PROFILE_APPLIED, RUNNING_AS_PRIVILEGED_CONTAINER, PACKAGE_IN_USE. When left empty, will return all options.Optional
limitMaximum number of entries to return. Default is 50.Optional
all_resultsWhether to retrieve all results. The "limit" argument will be ignored. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
PrismaCloud.HostFinding.accountIdStringHost finding account ID.
PrismaCloud.HostFinding.regionIdStringHost finding region ID.
PrismaCloud.HostFinding.findingIdStringHost finding ID.
PrismaCloud.HostFinding.typeStringHost finding type.
PrismaCloud.HostFinding.sourceStringHost finding source.
PrismaCloud.HostFinding.severityStringHost finding severity.
PrismaCloud.HostFinding.statusStringHost finding status.
PrismaCloud.HostFinding.createdOnDateThe date on which the host finding was created.
PrismaCloud.HostFinding.updatedOnDateThe date on which the host finding was updated.
PrismaCloud.HostFinding.normalizedNamesUnknownHost finding normalized names.
PrismaCloud.HostFinding.scanIdStringHost finding scan ID.
PrismaCloud.HostFinding.resourceCloudIdStringHost finding resource cloud ID.
PrismaCloud.HostFinding.sourceData.accountIdStringHost finding source data account ID.
PrismaCloud.HostFinding.sourceData.arnStringHost finding source data ARN.
PrismaCloud.HostFinding.titleStringHost finding title.
PrismaCloud.HostFinding.descriptionStringHost finding description.
PrismaCloud.HostFinding.resourceUrlStringHost finding resource URL.
PrismaCloud.HostFinding.rlUpdatedOnDateThe date on which the RL was updated.
PrismaCloud.HostFinding.externalFindingIdStringExternal finding ID.
PrismaCloud.HostFinding.sourceDataUnknownHost finding source data.
PrismaCloud.HostFinding.scoreStringHost finding score.
PrismaCloud.HostFinding.countNumberThe number of host findings.

Command example#

!prisma-cloud-host-finding-list rrn=rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25 finding_types=guard_duty_host,guard_duty_iam limit=2

Context Example#

{
"PrismaCloud": {
"HostFinding": {
"accountId": "555555555555",
"count": "5",
"createdOn": "2023-01-03T16:13:25Z",
"description": "35.180.1.1 is performing SSH brute force attacks against i-44444444444444444. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
"externalFindingId": 999999,
"findingId": "findingid3",
"normalizedNames": [
"UnauthorizedAccess:EC2/SSHBruteForce"
],
"regionId": "us-east-1",
"resourceCloudId": "i-44444444444444444",
"resourceUrl": "https://some-url?#/findings?search=id%3D66666666666666666666666666666666",
"rlUpdatedOn": "2023-02-16T16:27:26Z",
"scanId": "scan-id-5",
"score": "N/A",
"severity": "low",
"source": "guardduty",
"sourceData": {
"accountId": "555555555555",
"arn": "arn:aws:trail:us-west-1:888888888888:trail/control",
"createdAt": "2023-01-03T16:13:25.421Z",
"description": "35.180.1.1 is performing SSH brute force attacks against i-44444444444444444. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
"id": "66666666666666666666666666666666",
"partition": "aws",
"region": "us-east-1",
"resource": {
"instanceDetails": {
"availabilityZone": "us-east-1a",
"iamInstanceProfile": {
"arn": "arn:aws:trail:us-west-1:888888888888:trail/control",
"id": "A2"
},
"imageDescription": "Amazon Linux AMI 2.0.20222202 x86_64 ECS HVM GP2",
"imageId": "ami-2",
"instanceId": "i-44444444444444444",
"instanceState": "running",
"instanceType": "t2.xlarge",
"launchTime": "2022-12-13T01:29:18.000Z",
"networkInterfaces": [
{
"ipv6Addresses": [],
"networkInterfaceId": "eni-1",
"privateDnsName": "ip-1-1-1-1.ec2.internal",
"privateIpAddress": "1.1.1.1",
"privateIpAddresses": [
{
"privateDnsName": "ip-1-1-1-1.ec2.internal",
"privateIpAddress": "1.1.1.1"
}
],
"publicDnsName": "ec2-5.compute-1.amazonaws.com",
"publicIp": "1.1.1.1",
"sgs": [
{
"groupId": "sg-000",
"groupName": "security-group"
}
],
"subnetId": "subnet-0",
"vpcId": "vpc-01"
}
],
"productCodes": [],
"tags": [
{
"key": "aws:autoscaling:groupName",
"value": "pc-infra-autoscaling"
}
]
},
"resourceType": "Instance"
},
"schemaVersion": "2.0",
"service": {
"action": {
"actionType": "NETWORK_CONNECTION",
"networkConnectionAction": {
"blocked": false,
"connectionDirection": "INBOUND",
"localIpDetails": {
"ipAddressV4": "1.1.1.1"
},
"localPortDetails": {
"port": 22,
"portName": "SSH"
},
"protocol": "TCP",
"remoteIpDetails": {
"city": {
"cityName": "George Town"
},
"country": {
"countryName": "Malaysia"
},
"geoLocation": {
"lat": 5.4244,
"lon": 100.333
},
"ipAddressV4": "35.180.1.1",
"organization": {
"asn": "9999",
"asnOrg": "TIME",
"isp": "TIME",
"org": "TIME"
}
},
"remotePortDetails": {
"port": 33333,
"portName": "Unknown"
}
}
},
"additionalInfo": {
"type": "default",
"value": "{}"
},
"archived": false,
"count": 5,
"detectorId": "scan-id-5",
"eventFirstSeen": "2023-01-03T15:56:55.000Z",
"eventLastSeen": "2023-02-16T15:53:32.000Z",
"resourceRole": "TARGET",
"serviceName": "guardduty"
},
"severity": 2,
"title": "35.180.1.1 is performing SSH brute force attacks against i-44444444444444444.",
"type": "UnauthorizedAccess:EC2/SSHBruteForce",
"updatedAt": "2023-02-16T16:01:36.608Z"
},
"status": "open",
"title": "35.180.1.1 is performing SSH brute force attacks against i-44444444444444444.",
"type": "guard_duty_host",
"updatedOn": "2023-02-16T16:01:36Z"
}
}
}

Human Readable Output#

Showing 1 of 1 results:

Host Finding Details:#

Account IdRegion IdFinding IdTypeSourceSeverityStatusCreated OnUpdated OnNormalized NamesScan IdResource Cloud IdSource Data Account IDARNTitleDescriptionResource Url
555555555555us-east-166666666666666666666666666666666guard_duty_hostguarddutylowopen2023-01-03T16:13:25Z2023-02-16T16:01:36ZUnauthorizedAccess:EC2/SSHBruteForcescan-id-5i-44444444444444444555555555555arn:aws:trail:us-west-1:888888888888:trail/control35.180.1.1 is performing SSH brute force attacks against i-44444444444444444.35.180.1.1 is performing SSH brute force attacks against i-44444444444444444. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.https://some_url?#/findings?search=id%3D66666666666666666666666666666666

prisma-cloud-permission-list#


Get permission list. You must provide either "query" or "next_token".

Base Command#

prisma-cloud-permission-list

Input#

Argument NameDescriptionRequired
user_idUser ID to look for. Must be provided with the "query" argument.Optional
queryIAM query to run in Prisma Cloud config API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/iam-query.Optional
limitMaximum number of entries to return. Default is 50.Optional
next_tokenToken of the next page to retrive.Optional

Context Output#

PathTypeDescription
PrismaCloud.PermissionPageToken.nextPageTokenStringNext page token.
PrismaCloud.Permission.idStringPermission ID.
PrismaCloud.Permission.sourceCloudTypeStringPermission source cloud type.
PrismaCloud.Permission.sourceCloudAccountStringPermission source cloud account.
PrismaCloud.Permission.sourceResourceIdStringPermission source resource ID.
PrismaCloud.Permission.destCloudTypeStringPermission destination cloud type.
PrismaCloud.Permission.destCloudServiceNameStringPermission destination cloud service name.
PrismaCloud.Permission.destResourceTypeStringPermission destination resource type.
PrismaCloud.Permission.effectiveActionNameStringPermission effective action name.
PrismaCloud.Permission.grantedByCloudTypeStringPermission granted by cloud type.
PrismaCloud.Permission.grantedByCloudPolicyIdStringPermission granted by cloud policy ID.
PrismaCloud.Permission.grantedByCloudPolicyNameStringPermission granted by cloud policy name.
PrismaCloud.Permission.grantedByCloudPolicyTypeStringPermission granted by cloud policy type.
PrismaCloud.Permission.grantedByCloudPolicyRrnStringPermission granted by cloud policy restricted resource name.
PrismaCloud.Permission.grantedByCloudEntityIdStringPermission granted by cloud entity ID.
PrismaCloud.Permission.grantedByCloudEntityNameStringPermission granted by cloud entity name.
PrismaCloud.Permission.grantedByCloudEntityRrnStringPermission granted by cloud entity restricted resource name.
PrismaCloud.Permission.sourcePublicBooleanWhether the permission source is public.
PrismaCloud.Permission.sourceCloudRegionStringPermission source cloud region.
PrismaCloud.Permission.sourceCloudServiceNameStringPermission source cloud service name.
PrismaCloud.Permission.sourceResourceNameStringPermission source resource name.
PrismaCloud.Permission.sourceResourceTypeStringPermission source resource type.
PrismaCloud.Permission.sourceIdpServiceStringPermission source IDP service.
PrismaCloud.Permission.sourceIdpDomainStringPermission source IDP domain.
PrismaCloud.Permission.sourceIdpEmailStringPermission source IDP email.
PrismaCloud.Permission.sourceIdpUsernameStringPermission source IDP username.
PrismaCloud.Permission.sourceIdpGroupStringPermission source IDP group.
PrismaCloud.Permission.sourceIdpRrnStringPermission source IDP restricted resource name.
PrismaCloud.Permission.sourceCloudResourceRrnStringPermission source cloud resource restricted resource name.
PrismaCloud.Permission.destCloudAccountStringPermission destination cloud account.
PrismaCloud.Permission.destCloudRegionStringPermission destination cloud region.
PrismaCloud.Permission.destResourceNameStringPermission destination resource name.
PrismaCloud.Permission.destResourceIdStringPermission destination resource ID.
PrismaCloud.Permission.destCloudResourceRrnStringPermission destination cloud resource restricted resource name.
PrismaCloud.Permission.grantedByCloudEntityTypeStringPermission granted by cloud entity type.
PrismaCloud.Permission.accessedResourcesCountStringPermission accessed resources count.
PrismaCloud.Permission.lastAccessDateStringPermission last access date.
PrismaCloud.Permission.lastAccessStatusStringPermission last access status.
PrismaCloud.Permission.isWildCardDestCloudResourceNameBooleanWhether the destination cloud resource name is a wildcard.
PrismaCloud.Permission.exceptionsUnknownPermission exceptions.
PrismaCloud.Permission.grantedByLevelTypeStringPermission granted by level type.
PrismaCloud.Permission.grantedByLevelIdStringPermission granted by level ID.
PrismaCloud.Permission.grantedByLevelNameStringPermission granted by level name.
PrismaCloud.Permission.grantedByLevelRrnStringPermission granted by level restricted resource name.

Command example#

!prisma-cloud-permission-list query="config from iam where source.cloud.service.name = 'EC2'" limit=2

Context Example#

{
"PrismaCloud": {
"Permission": [
{
"accessedResourcesCount": null,
"destCloudAccount": "AWS-JLo",
"destCloudRegion": "*",
"destCloudResourceRrn": null,
"destCloudServiceName": "ec2",
"destCloudType": "AWS",
"destResourceId": "*",
"destResourceName": "*",
"destResourceType": "instance",
"effectiveActionName": "ssm:UpdateInstanceInformation",
"exceptions": [
{
"messageCode": "CLOUD_EVENT_NOT_SUPPORTED"
},
{
"messageCode": "AWS_ROOT_ACCOUNT_IS_NOT_ONBOARDED"
}
],
"grantedByCloudEntityId": "arn:aws:trail:us-west-1:888888888888:trail/control",
"grantedByCloudEntityName": "service-role/AWSCloud9SSMAccessRole",
"grantedByCloudEntityRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"grantedByCloudEntityType": "role",
"grantedByCloudPolicyId": "arn:aws:arn:aws:trail:us-west-1:888888888888:trail/control",
"grantedByCloudPolicyName": "AWSCloud9SSMInstanceProfile",
"grantedByCloudPolicyRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"grantedByCloudPolicyType": "AWS Managed Policy",
"grantedByCloudType": "AWS",
"grantedByLevelId": null,
"grantedByLevelName": null,
"grantedByLevelRrn": null,
"grantedByLevelType": "",
"id": "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj",
"isWildCardDestCloudResourceName": true,
"lastAccessDate": null,
"lastAccessStatus": "NOT_AVAILABLE",
"sourceCloudAccount": "AWS-JLo",
"sourceCloudRegion": "AWS Oregon",
"sourceCloudResourceRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"sourceCloudServiceName": "ec2",
"sourceCloudType": "AWS",
"sourceIdpDomain": null,
"sourceIdpEmail": null,
"sourceIdpGroup": null,
"sourceIdpRrn": null,
"sourceIdpService": null,
"sourceIdpUsername": null,
"sourcePublic": false,
"sourceResourceId": "arn:aws:trail:us-west-1:888888888888:trail/control",
"sourceResourceName": "i-33333333333333333",
"sourceResourceType": "instance"
},
{
"accessedResourcesCount": null,
"destCloudAccount": "AWS-JLo",
"destCloudRegion": "*",
"destCloudResourceRrn": null,
"destCloudServiceName": "ssm",
"destCloudType": "AWS",
"destResourceId": "*",
"destResourceName": "*",
"destResourceType": "managed-instance",
"effectiveActionName": "ssm:UpdateInstanceInformation",
"exceptions": [
{
"messageCode": "CLOUD_EVENT_NOT_SUPPORTED"
},
{
"messageCode": "AWS_ROOT_ACCOUNT_IS_NOT_ONBOARDED"
}
],
"grantedByCloudEntityId": "arn:aws:arn:aws:trail:us-west-1:888888888888:trail/control",
"grantedByCloudEntityName": "service-role/AWSCloud9SSMAccessRole",
"grantedByCloudEntityRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"grantedByCloudEntityType": "role",
"grantedByCloudPolicyId": "arn:aws:trail:us-west-1:888888888888:trail/control",
"grantedByCloudPolicyName": "AWSCloud9SSMInstanceProfile",
"grantedByCloudPolicyRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"grantedByCloudPolicyType": "AWS Managed Policy",
"grantedByCloudType": "AWS",
"grantedByLevelId": null,
"grantedByLevelName": null,
"grantedByLevelRrn": null,
"grantedByLevelType": "",
"id": "kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk",
"isWildCardDestCloudResourceName": true,
"lastAccessDate": null,
"lastAccessStatus": "NOT_AVAILABLE",
"sourceCloudAccount": "AWS-JLo",
"sourceCloudRegion": "AWS Oregon",
"sourceCloudResourceRrn": "rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25",
"sourceCloudServiceName": "ec2",
"sourceCloudType": "AWS",
"sourceIdpDomain": null,
"sourceIdpEmail": null,
"sourceIdpGroup": null,
"sourceIdpRrn": null,
"sourceIdpService": null,
"sourceIdpUsername": null,
"sourcePublic": false,
"sourceResourceId": "arn:aws:trail:us-west-1:888888888888:trail/control",
"sourceResourceName": "i-33333333333333333",
"sourceResourceType": "instance"
}
],
"PermissionPageToken": {
"nextPageToken": "token2"
}
}
}

Human Readable Output#

Showing 2 of 20261 results:

Permissions Details:#

IdSource Cloud TypeSource Cloud AccountSource Resource IdDestination Cloud TypeDestination Cloud Service NameDestination Resource TypeEffective Action NameGranted By Cloud TypeGranted By Cloud Policy IdGranted By Cloud Policy NameGranted By Cloud Policy TypeGranted By Cloud Policy RrnGranted By Cloud Entity IdGranted By Cloud Entity NameGranted By Cloud Entity Rrn
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjAWSAWS-JLoarn:aws:trail:us-west-1:888888888888:trail/controlAWSec2instancessm:UpdateInstanceInformationAWSarn:aws:trail:us-west-1:888888888888:trail/controlAWSCloud9SSMInstanceProfileAWS Managed Policyrrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25arn:aws:iam::555555555555:role/service-role/AWSCloud9SSMAccessRoleservice-role/AWSCloud9SSMAccessRolerrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkAWSAWS-JLoarn:aws:trail:us-west-1:888888888888:trail/controlAWSssmmanaged-instancessm:UpdateInstanceInformationAWSarn:aws:trail:us-west-1:888888888888:trail/controlAWSCloud9SSMInstanceProfileAWS Managed Policyrrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25arn:aws:iam::555555555555:role/service-role/AWSCloud9SSMAccessRoleservice-role/AWSCloud9SSMAccessRolerrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25

Next Page Token:#

token2

Access Keys#


Access keys are a secure way to enable programmatic access to the Prisma Cloud API. By default, only the System Admin has API access and can enable API access for other administrators. If you have API access, you can create up to two access keys.

A service account is a special Prisma Cloud identity used to access Prisma Cloud programmatically via API.

To create a service account, see Add Service Accounts On Prisma Cloud

Base Command#

prisma-cloud-access-key-create

Input#

Argument NameDescriptionRequired
nameAccess key name.Required
expires-onTimestamp in milliseconds when access key expires. Default:0.Optional

Context Output#

PathTypeDescription
PrismaCloud.AccessKeys.idStringAccess key ID.
PrismaCloud.AccessKeys.secretKeyStringAccess key secret.

Command example#

!prisma-cloud-access-key-create name=MyNewKey

Context Example#

{
"PrismaCloud": {
"AccessKeys": [
{
"Id": "Id",
"Secret Key": "Secret Key"
}
]
}
}

prisma-cloud-access-keys-list

Input#

Argument NameDescriptionRequired
access-keyReturns the metadata of the access key that has the specified ID.Optional
limitMaximum number of entries to return.Optional

Context Output#

PathTypeDescription
PrismaCloud.AccessKeys.idStringAccess key ID.
PrismaCloud.AccessKeys.nameStringThe name of the access key.
PrismaCloud.AccessKeys.createdByStringThe user who created the access key.
PrismaCloud.AccessKeys.createdTsStringTime access key was created.
PrismaCloud.AccessKeys.expiresOnStringThe time the access key expires.
PrismaCloud.AccessKeys.lastUsedTimeStringThe last time the access key was used.
PrismaCloud.AccessKeys.statusStringAccess key status.
PrismaCloud.AccessKeys.role.idStringUser role ID.
PrismaCloud.AccessKeys.role.nameStringUser role name.
PrismaCloud.AccessKeys.roleTypeStringUser role permission type.
PrismaCloud.AccessKeys.usernameStringAccess key user name.

Command example#

!prisma-cloud-access-keys-list limit=2

Context Example#

{
"PrismaCloud": {
"AccessKeys": [
{
"id": "string",
"name": "string",
"createdBy": "string",
"createdTs": "number",
"lastUsedTime": "number",
"status": "string",
"expiresOn": "number",
"role": {
"id": "string",
"name": "string"
},
"roleType": "string",
"username": "string"
},
{
"id": "string",
"name": "string",
"createdBy": "string",
"createdTs": "number",
"lastUsedTime": "number",
"status": "string",
"expiresOn": "number",
"role": {
"id": "string",
"name": "string"
},
"roleType": "string",
"username": "string"
}
]
}
}

prisma-cloud-access-key-disable

Input#

Argument NameDescriptionRequired
access-keyAccess key ID.Required

Command example#

!prisma-cloud-access-key-disable access-key=id

Human Readable Output#

Access key mockmock-mock-mock-mock-mockmockmock was disabled successfully

prisma-cloud-access-key-enable

Input#

Argument NameDescriptionRequired
access-keyAccess key ID.Required

Command example#

!prisma-cloud-access-key-enable access-key=id

Human Readable Output#

Access key mockmock-mock-mock-mock-mockmockmock was enabled successfully

prisma-cloud-access-key-delete

Input#

Argument NameDescriptionRequired
access-keyAccess key ID.Required

Command example#

!prisma-cloud-access-key-delete access-key=id

Human Readable Output#

Access key mockmock-mock-mock-mock-mockmockmock was successfully deleted successfully

Breaking changes from the previous version of this integration - Prisma Cloud v2#

The following sections list the changes in this version.

Commands#

The following commands were deprecated in this version because they are not supported by the API anymore:#

  • redlock-list-scans
  • *redlock-get-scan-status***
  • redlock-get-scan-results

The following commands were replaced in this version:#

  • redlock-dismiss-alerts - this command is replaced by prisma-cloud-alert-dismiss.
  • redlock-get-alert-details - this command is replaced by prisma-cloud-alert-get-details.
  • redlock-get-remediation-details - this command is replaced by prisma-cloud-remediation-command-list.
  • redlock-get-rql-response - this command is replaced by prisma-cloud-config-search.
  • redlock-list-alert-filters - this command is replaced by prisma-cloud-alert-filter-list.
  • redlock-reopen-alerts - this command is replaced by prisma-cloud-alert-reopen.
  • redlock-search-alerts - this command is replaced by prisma-cloud-alert-search.
  • redlock-search-config - this command is replaced by prisma-cloud-config-search.
  • redlock-search-event - this command is replaced by prisma-cloud-event-search.
  • redlock-search-network - this command is replaced by prisma-cloud-network-search.

Additional Considerations for this version#

  • "Risk detail" was removed from all commands because it is not supported by the API anymore.
  • Commands from the previous version were kept in order to make to transition from v1 to v2 easy for existing playbooks. We encourage to use the new version of each command.

prisma-cloud-code-issues-list#


Retrieves the code errors detected by Application Security during periodic scans.

Base Command#

prisma-cloud-code-issues-list

Input#

Argument NameDescriptionRequired
git_usersComma-separated list of names of Git users.Optional
branchA branch name.Optional
code_categoriesComma-separated list of code issue categories. Is also available as a search criteria (search_scopes). Possible values are: IacMisconfiguration, IacExternalModule, ImageReferencerVul, ImageReferencerLicenses, Vulnerabilities, Licenses, Secrets.Optional
iac_categoriesComma-separated list of categories related to Infrastructure-as-Code (IaC) issues. Possible values are: IAM, Monitoring, Networking, Kubernetes, General, Storage, Public, Drift, Compute.Optional
iac_labelsComma-separated list of labels associated with Infrastructure-as-Code (IaC). Possible values are: CustomPolicy, HasFix.Optional
file_typesComma-separated list of file types. Possible values are: yml, yaml, json, template, py, js, properties, pem, php, xml, ts, env, Dockerfile, java, rb, sum, mod, cs, txt, bicep, hcl, gradle, kts, lock, config, csproj, dependencies.Optional
fixable_onlyWhether to retrieve only fixable issues. Recommended to use this argument with another argument code_categories ,for example. Possible values are: true, false.Optional
repositoriesComma-separated list of repository names.Optional
secrets_risk_factorsComma-separated list of risk factors related to secrets. Possible values are: PublicRepository, PrivateRepository, User, Privileged, Valid, Invalid, Unknown, FoundInHistory.Optional
search_scopesComma-separated list of specific areas or categories within which to search. When specifying search_scopes, search_term argument is required. Possible values are: IacMisconfiguration, IacExternalModule, ImageReferencerVul, ImageReferencerLicenses, Vulnerabilities, Licenses, Secrets.Optional
severitiesComma-separated list of the criticality of issues. Possible values are: INFO, LOW, MEDIUM, HIGH, CRITICAL.Optional
vulnerability_risk_factorsComma-separated list of risk factors for vulnerabilities. Possible values are: AttackComplexity, AttackVector, DoS, HasFix, RemoteExecution, ExploitInTheWild, ExploitPOC, IsUsed.Optional
search_termA keyword or phrase used to narrow down results within specific scopes (like a particular vulnerability). It's needed if you are filtering results by search_scopes.Optional
iac_tagsAn infrastructure-as-code (IaC) resource. Relevant only to- IacMisconfiguration,Vulnerabilities.Optional
license_typeComma-separated list of license types.Optional
check_statusStatus of checks. Possible values are: Error, Passed, Suppressed, FixPendin.Optional
limitThe limit of issues to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
PrismaCloud.CodeIssue.modifiedOnStringThe date and time when the code issue was last modified.
PrismaCloud.CodeIssue.isPublicStringIndicates whether the repository or resource is publicly accessible (true/false).
PrismaCloud.CodeIssue.fileTypeStringThe type of file where the issue was detected (e.g., `.js`, `.py`).
PrismaCloud.CodeIssue.secretCommitRemoveStringThe commit identifier where a secret was removed.
PrismaCloud.CodeIssue.secretCommitAddStringThe commit identifier where a secret was added.
PrismaCloud.CodeIssue.gitUserStringThe username of the person who made the commit associated with the code issue.
PrismaCloud.CodeIssue.codePathStringThe path to the code file where the issue was detected.
PrismaCloud.CodeIssue.codeCategoryStringThe category or classification of the detected issue (e.g., security, compliance).
PrismaCloud.CodeIssue.authorStringThe original author of the code where the issue was detected.
PrismaCloud.CodeIssue.repositoryUuidStringThe unique identifier of the repository where the issue was found.
PrismaCloud.CodeIssue.pathStringThe path in the repository where the issue was detected.
PrismaCloud.CodeIssue.repositorySourceStringThe source of the repository (e.g., GitHub, Bitbucket).
PrismaCloud.CodeIssue.firstDetectedStringThe date and time when the code issue was first detected.
PrismaCloud.CodeIssue.codeIssueLineStringThe line number in the code where the issue was detected.
PrismaCloud.CodeIssue.labelsStringLabels associated with the code issue for classification or categorization.
PrismaCloud.CodeIssue.labels.labelStringA specific label related to the code issue.
PrismaCloud.CodeIssue.labels.metadata.imageNameStringThe name of the image associated with the label metadata.
PrismaCloud.CodeIssue.policyStringThe policy that was violated by the detected issue.
PrismaCloud.CodeIssue.repositoryStringThe name of the repository where the issue was found.
PrismaCloud.CodeIssue.resourceNameStringThe name of the resource associated with the code issue.
PrismaCloud.CodeIssue.resourceScanTypeStringThe type of scan that detected the issue (e.g., static analysis, secret detection).
PrismaCloud.CodeIssue.resourceUuidStringThe unique identifier of the resource associated with the code issue.
PrismaCloud.CodeIssue.severityStringThe severity level of the detected issue (e.g., High, Medium, Low).
PrismaCloud.CodeIssue.violationIdStringThe unique identifier for the policy violation related to the code issue.
PrismaCloud.CodeIssue.causePackageIdStringThe ID of the package that caused the issue.
PrismaCloud.CodeIssue.causePackageNameStringThe name of the package that caused the issue.
PrismaCloud.CodeIssue.cveUuidStringThe unique identifier of the Common Vulnerabilities and Exposures (CVE) related to the issue.
PrismaCloud.CodeIssue.cvssStringThe Common Vulnerability Scoring System (CVSS) score for the detected issue.
PrismaCloud.CodeIssue.fixVersionStringThe version of the code or package that contains the fix for the issue.
PrismaCloud.CodeIssue.prStringThe pull request (PR) associated with resolving the code issue.
PrismaCloud.CodeIssue.resourceIdStringThe identifier of the resource related to the code issue.
PrismaCloud.CodeIssue.riskFactorsStringRisk factors associated with the code issue, such as high-impact areas or sensitive data.
PrismaCloud.CodeIssue.isIndirectPackageStringIndicates whether the issue is from an indirect package (true/false).