
Prisma Cloud (RedLock)

This Integration is part of the Prisma Cloud Pack.#

Configure Prisma Cloud (RedLock) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud (RedLock).
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server API URL. See here for the relevant API URL for your tenant. | True |
| username | API Access Key | True |
| password | API Secret | True |
| customer | Customer name | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetch_time | First fetch timestamp (`<number> <time unit>`, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| ruleName | Fetch only incidents matching this rule name | False |
| policyName | Fetch only incidents matching this policy name | False |
| policySeverity | Fetch only incidents with this severity | False |
| proxy | Use system proxy settings | False |
| unsecure | Trust any certificate (not secure) | False |

  4. Click Test to validate the URLs, token, and connection.

Note: Further info on creating access keys for Prisma Cloud is available here.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

redlock-search-alerts#


Search alerts on the Prisma Cloud (RedLock) platform

Base Command#

redlock-search-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit. login and epoch are only available if timeRangeValue is not provided. | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| alert-id | The alert ID | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.ID | string | ID of returned alert |
| Redlock.Alert.Status | string | Status of returned alert |
| Redlock.Alert.AlertTime | string | Time of alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The policy type |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |
| Redlock.Metadata.CountOfAlerts | number | The number of alerts found |

Command Example#

!redlock-search-alerts alert-id=P-214016

Context Example#

```json
{
  "Redlock": {
    "Alert": {
      "AlertTime": "05/29/2020 14:16:15",
      "ID": "P-214016",
      "Policy": {
        "ID": "765988-b967-9djksb-830f-sdf98798sdf9",
        "Name": "AWS Security groups allow internet traffic gnoy",
        "Remediable": true,
        "Severity": "high",
        "Type": "config"
      },
      "Resource": {
        "Account": "testAWS",
        "AccountID": "9876654321",
        "ID": "sg-98vc98sd76sd",
        "Name": "demo-98787654432"
      },
      "RiskDetail": {
        "Rating": "F",
        "Score": 170
      },
      "Status": "open"
    },
    "Metadata": {
      "CountOfAlerts": 1
    }
  }
}
```

Human Readable Output#

Alerts#

| ID | Status | FirstSeen | LastSeen | AlertTime | PolicyName | PolicyType | PolicyDescription | PolicySeverity | PolicyRecommendation | PolicyDeleted | PolicyRemediable | RiskRating | ResourceName | ResourceAccount | ResourceType | ResourceCloudType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| P-214016 | open | 05/28/2020 01:17:31 | 05/29/2020 14:16:42 | 05/29/2020 14:16:15 | AWS Security groups allow internet traffic gnoy | config | This policy identifies that Security Groups do not allow all traffic from internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections. | high | If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:<br>1. Log in to the AWS console<br>2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated<br>3. Navigate to the 'VPC' service<br>4. Click on the 'Security Group' specific to the alert<br>5. Click on 'Inbound Rules' and remove the row with the ip value as 0.0.0.0/0 or ::/0 | false | true | F | demo-98787654432 | testAWS | SECURITY_GROUP | aws |

redlock-get-alert-details#


Gets the details of an alert based on alert ID

Base Command#

redlock-get-alert-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The alert ID | Required |
| detailed | Whether to retrieve the entire or the trimmed alert model | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.ID | string | The alert ID |
| Redlock.Alert.Status | string | The alert status |
| Redlock.Alert.AlertTime | date | The time of the alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The type of policy |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |

Command Example#

!redlock-get-alert-details alert-id=P-214016

Context Example#

```json
{
  "Redlock": {
    "Alert": {
      "AlertTime": "05/29/2020 14:16:15",
      "ID": "P-214016",
      "Policy": {
        "ID": "765988-b967-9djksb-830f-sdf98798sdf9",
        "Name": null,
        "Remediable": false,
        "Severity": null,
        "Type": "config"
      },
      "Resource": {
        "Account": "testAWS",
        "AccountID": "9876654321",
        "ID": "sg-98vc98sd76sd",
        "Name": "demo-98787654432"
      },
      "RiskDetail": {
        "Rating": "F",
        "Score": 170
      },
      "Status": "open"
    }
  }
}
```

Human Readable Output#

Alert#

IDStatusFirstSeenLastSeenAlertTimePolicyIDPolicyNamePolicyTypePolicySystemDefaultPolicyLabelsPolicyDescriptionPolicySeverityPolicyRecommendationPolicyDeletedPolicyRemediablePolicyLastModifiedOnPolicyLastModifiedByRiskScoreRiskRatingResourceNameResourceRRNResourceIDResourceAccountResourceAccountIDResourceTypeResourceRegionIDResourceApiNameResourceUrlResourceDataResourceAccessKeyAgeResourceInactiveSinceTsResourceCloudType
P-214016open05/28/2020 01:17:3105/29/2020 14:16:4205/29/2020 14:16:15configfalsefalse170Fdemo-98787654432sg-98vc98sd76sdtestAWS9876654321SECURITY_GROUPus-west-2aws-ec2-describe-security-groupsvpcId: vpc-0824920b6d19bc
description: EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads.
tags: {u'value': u'demo-98787654432', u'key': u'Name'},
{u'value': u'cn-demo', u'key': u'aws:eks:cluster-name'},
{u'value': u'owned', u'key': u'kubernetes.io/cluster/cn-demo'}
ipPermissions: {u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/mtu=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}], u'prefixListIds': [], u'fromPort': 3, u'ipRanges': [u'0.0.0.0/0'], u'toPort': 4, u'ipProtocol': u'icmp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/client=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}, {u'description': u'kubernetes.io/rule/nlb/health=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'192.168.0.0/16'}], u'prefixListIds': [], u'fromPort': 30463, u'ipRanges': [u'0.0.0.0/0', u'192.168.0.0/16'], u'toPort': 30463, u'ipProtocol': u'tcp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'x.x.x.x/16'}], u'ipRanges': [u'x.x.x.x/16'], u'ipProtocol': u'-1', u'userIdGroupPairs': [{u'userId': u'9876654321', u'groupId': u'sg-0ce26260850e500d4', u'description': u'Allow unmanaged nodes to communicate with control plane (all ports)'}, {u'userId': u'9876654321', u'groupId': u'sg-98vc98sd76sd'}], u'ipv6Ranges': []}
groupName: demo-98787654432
ipPermissionsEgress: {u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'0.0.0.0/0'}], u'ipRanges': [u'0.0.0.0/0'], u'ipProtocol': u'-1', u'userIdGroupPairs': [], u'ipv6Ranges': []}
ownerId: 9876654321
groupId: sg-98vc98sd76sd
aws

redlock-dismiss-alerts#


Dismiss the alerts matching the given filter. Must provide either policy IDs or alert IDs.

Base Command#

redlock-dismiss-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | Comma-separated list of alert IDs to dismiss | Optional |
| dismissal-note | Reason for dismissal | Required |
| snooze-value | The amount of time to snooze. Both snooze value and unit must be specified if snoozing. | Optional |
| snooze-unit | The time unit if snoozing the alert. Both snooze value and unit must be specified if snoozing. | Optional |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |
| policy-id | Comma-separated list of policy IDs | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.DismissedAlert.ID | string | The IDs of the dismissed alerts |

Command Example#

!redlock-dismiss-alerts dismissal-note="testing" alert-id=P-214016

Context Example#

```json
{
  "Redlock": {
    "DismissedAlert": {
      "ID": [
        "P-214016"
      ]
    }
  }
}
```

Human Readable Output#

Alerts dismissed successfully. Dismissal Note: testing.#

redlock-reopen-alerts#


Re-open the alerts matching the given filter. Must provide either policy IDs or alert IDs.

Base Command#

redlock-reopen-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The IDs of alerts to reopen | Optional |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.ReopenedAlert.ID | string | IDs of the re-opened alerts |

Command Example#

!redlock-reopen-alerts alert-id=P-214016

Context Example#

```json
{
  "Redlock": {
    "ReopenedAlert": {
      "ID": [
        "P-214016"
      ]
    }
  }
}
```

Human Readable Output#

Alerts re-opened successfully.#

redlock-list-alert-filters#


List the acceptable filters and values for alerts

Base Command#

redlock-list-alert-filters

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!redlock-list-alert-filters

Context Example#

```json
{}
```

Human Readable Output#

Filter options#

| Name | Options | Static |
| --- | --- | --- |
| cloud.account | | false |
| alert.id | | false |
| cloud.region | | false |
| policy.label | | false |
| resource.id | | false |
| cloud.type | alibaba_cloud,aws,azure,gcp | true |
| resource.name | | false |
| account.group | | false |
| risk.grade | A,B,C,F | true |
| policy.complianceSection | | false |
| policy.remediable | true,false | true |
| policy.name | | false |
| policy.type | anomaly,audit_event,config,network | true |
| alert.status | dismissed,snoozed,open,resolved | true |
| alertRule.name | | false |
| policy.subtype | build,run | true |
| resource.type | | false |
| policy.complianceStandard | | false |
| cloud.accountId | | false |
| policy.severity | high,medium,low | true |
| policy.rule.type | cft,k8s,tf | true |
| cloud.service | | false |
| policy.complianceRequirement | | false |

redlock-get-remediation-details#


Get remediation details for a given alert

Base Command#

redlock-get-remediation-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The alert ID to get remediation details for | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.Remediation.Description | string | Description of CLI remediation instructions |
| Redlock.Alert.ID | string | The ID of the alert to which the remediation details apply |
| Redlock.Alert.Remediation.CLI | string | Exact CLI command string |

Command Example#

!redlock-get-remediation-details alert-id=P-214016

Context Example#

```json
{
  "Redlock": {
    "Alert": {
      "ID": "P-214016",
      "Remediation": {
        "CLI": "aws --region us-west-2 ec2 revoke-security-group-ingress --group-id sg-984392384bkhjb --ip-permissions '[{\"IpProtocol\": \"tcp\", \"IpRanges\":[{\"CidrIp\": \"0.0.0.0/0\"}]}]' ; aws --region us-west-1 ec2 authorize-security-group-ingress --group-id sg-98237498798 --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\":[{\"CidrIp\": \"10.0.0.0/8\", \"Description\": \"Enforced by Redlock Remediation\"}]}]'",
        "Description": "\"This CLI command requires 'ec2:RevokeSecurityGroupIngress' permission. Successful execution will update the security group to revoke the ingress rule records open to internet either on IPv4 or on IPv6 protocol.\"} To resolve the alert from Prisma Cloud's console, add the permission."
      }
    }
  }
}
```

Human Readable Output#

Remediation Details#

| ID | RemediationCLI | RemediationDescription |
| --- | --- | --- |
| P-211648 | gcloud compute networks subnets update default --project=project1-111111 --region europe-north2 --enable-flow-logs | This CLI command requires 'compute.securityAdmin' permission. Successful execution will enables GCP VPC Flow logs for subnets to capture information about the IP traffic going to and from network interfaces in VPC Subnets. To resolve the alert from Prisma Cloud's console, add the permission. |
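Before a playbook hands `Redlock.Alert.Remediation.CLI` to an AWS runner, a reviewer wants to know which IAM actions it needs and whether it only tightens the group. The following Python is an added example, not part of the integration's code: it splits the string into its `aws` invocations, derives the IAM action name from `<service> <operation>` (the CLI-to-IAM naming convention that the Description in the context example relies on, used here only as a heuristic), and flags commands that grant ingress from `0.0.0.0/0` or `::/0` or that target a different region or security group than the rest. The sample string mirrors the context example above; function names are constructed.

```python
import json
import shlex

# Constructed sample, shaped like the Redlock.Alert.Remediation.CLI value in the context example.
SAMPLE_CLI = (
    "aws --region us-west-2 ec2 revoke-security-group-ingress --group-id sg-984392384bkhjb "
    "--ip-permissions '[{\"IpProtocol\": \"tcp\", \"IpRanges\":[{\"CidrIp\": \"0.0.0.0/0\"}]}]' ; "
    "aws --region us-west-1 ec2 authorize-security-group-ingress --group-id sg-98237498798 "
    "--ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, "
    "\"IpRanges\":[{\"CidrIp\": \"10.0.0.0/8\", \"Description\": \"Enforced by Redlock Remediation\"}]}]'"
)

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def split_commands(cli):
    """Split the remediation string into separate aws invocations on unquoted ';'.

    shlex with punctuation_chars keeps the single-quoted JSON intact and emits ';'
    as its own token even when it is not surrounded by spaces.
    """
    lex = shlex.shlex(cli, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for token in lex:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def iam_action(service, operation):
    """Heuristic: 'ec2 revoke-security-group-ingress' -> 'ec2:RevokeSecurityGroupIngress'.

    This is the usual AWS CLI-to-IAM naming convention; some services deviate from it,
    so treat the result as a review hint rather than an authoritative permission list.
    """
    return "%s:%s" % (service, "".join(part.capitalize() for part in operation.split("-")))


def cidrs_in(ip_permissions):
    """Collect every IPv4/IPv6 CIDR mentioned in an --ip-permissions JSON document."""
    out = []
    for perm in json.loads(ip_permissions):
        out.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
        out.extend(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return out


def parse_aws_command(argv):
    """Extract region, service, operation and the --options of one aws invocation."""
    if not argv or argv[0] != "aws":
        raise ValueError("not an aws command: %r" % (argv[:1],))
    opts, positionals, i = {}, [], 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            # option with a value, or a bare flag when the next token is another option
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[tok] = argv[i + 1]
                i += 2
            else:
                opts[tok] = True
                i += 1
        else:
            positionals.append(tok)  # <service> <operation> come first among positionals
            i += 1
    if len(positionals) < 2:
        raise ValueError("missing <service> <operation> in %r" % (" ".join(argv),))
    service, operation = positionals[0], positionals[1]
    perms = opts.get("--ip-permissions")
    return {
        "region": opts.get("--region"),
        "service": service,
        "operation": operation,
        "iam_action": iam_action(service, operation),
        "group_id": opts.get("--group-id"),
        "cidrs": cidrs_in(perms) if isinstance(perms, str) else [],
    }


def review_remediation(cli):
    """Return (parsed commands, warnings) for a remediation string before it is executed."""
    commands = [parse_aws_command(argv) for argv in split_commands(cli)]
    warnings = []
    for c in commands:
        if c["operation"].startswith("authorize") and WORLD_CIDRS.intersection(c["cidrs"]):
            warnings.append("%s grants ingress from the whole internet" % c["iam_action"])
    regions = sorted({c["region"] for c in commands if c["region"]})
    groups = sorted({c["group_id"] for c in commands if c["group_id"]})
    if len(regions) > 1:
        warnings.append("commands target different regions: %s" % ", ".join(regions))
    if len(groups) > 1:
        warnings.append("commands target different security groups: %s" % ", ".join(groups))
    return commands, warnings


def required_actions(cli):
    """Sorted IAM actions a principal needs to run the whole remediation string."""
    return sorted({c["iam_action"] for c in review_remediation(cli)[0]})
```

On the sample string the review reports that the revoke and the authorize address different regions and different groups, which is exactly the kind of mismatch worth a human look before a playbook runs the remediation.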

redlock-get-rql-response#


Run RQL query on Prisma Cloud

Base Command#

redlock-get-rql-response

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Determines the limit on the results. '; limit search records to {}' is appended to every query, where {} is the value of limit, or 1 if not passed. | Optional |
| rql | The RQL query to run. Example RQL queries can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql-examples. Note that limit search records to 1 is automatically appended to each query, and a ; may need to be added to the end of the rql input to make the entire query valid. The limit parameter adjusts this to a value other than 1. | Required |
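The limit handling described in the argument table, as an added Python example that is not the integration's own code: `build_rql_query` appends the limit clause with the documented default of 1, and `summarize_rows` reduces `Redlock.RQL.Response` entries to the columns of the RQL Output table shown further down. Two behaviours are my assumptions rather than documented ones: a trailing `;` on the input is not doubled, and a limit clause the caller already wrote is replaced instead of stacked. Function names and the sample response entry are constructed.

```python
import re

DEFAULT_LIMIT = 1  # the value the command appends when `limit` is not passed

# Matches a trailing "limit search records to N" clause, with or without a leading ';'.
_LIMIT_CLAUSE = re.compile(r"\s*;?\s*limit\s+search\s+records\s+to\s+\d+\s*;?\s*$", re.IGNORECASE)


def build_rql_query(rql, limit=None):
    """Return the RQL string the command sends: '<rql>; limit search records to <limit>'.

    Assumption: a trailing ';' on the input is dropped before the clause is appended, so
    'show X;' becomes 'show X; limit search records to 1' as in the context example, and an
    existing limit clause is replaced rather than appended a second time.
    """
    if limit is None:
        limit = DEFAULT_LIMIT
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer, got %r" % (limit,))
    query = _LIMIT_CLAUSE.sub("", rql).rstrip().rstrip(";").rstrip()
    if not query:
        raise ValueError("empty RQL query")
    return "%s; limit search records to %d" % (query, limit)


# Column names of the 'RQL Output' table; the source keys are Redlock.RQL.Response paths.
HR_COLUMNS = ("Account", "Deleted", "Region", "Resource Name", "Service")


def summarize_rows(response):
    """Reduce Redlock.RQL.Response entries to the columns of the 'RQL Output' table."""
    rows = []
    for entry in response:
        rows.append({
            "Account": entry.get("AccountName"),
            "Deleted": entry.get("Deleted"),
            "Region": entry.get("RegionName"),
            "Resource Name": entry.get("Name"),
            "Service": entry.get("Service"),
        })
    return rows


# Constructed response entry carrying the same top-level fields as the context example.
SAMPLE_RESPONSE = [{
    "AccountId": "1234567890", "AccountName": "AWS PAN RBC", "CloudType": "aws",
    "Deleted": False, "Id": "i-123456789", "Name": "cluster-ng-11111111-Node",
    "RegionId": "eu-west-1", "RegionName": "AWS Ireland", "ResourceType": "Instance",
    "Service": "Amazon EC2",
}]
```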

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.RQL.Query | String | The |
| Redlock.RQL.Response.AccountId | Date | The cloud account ID. |
| Redlock.RQL.Response.AccountName | String | The cloud account name. |
| Redlock.RQL.Response.AllowDrillDown | Boolean | Flag to allow drill down. |
| Redlock.RQL.Response.CloudType | String | The cloud type. |
| Redlock.RQL.Response.Data | Object | The data object returned by the RQL response. Reference: https://api.docs.prismacloud.io/api/cloud/cspm/search/ |
| Redlock.RQL.Response.Deleted | Boolean | Flag if deleted. |
| Redlock.RQL.Response.HasAlert | Boolean | Flag to check if RQL response has alerts. |
| Redlock.RQL.Response.HasExtFindingRiskFactors | Boolean | Flag if query returns external risk factors. |
| Redlock.RQL.Response.HasExternalFinding | Boolean | Flag for external findings. |
| Redlock.RQL.Response.HasExternalIntegration | Boolean | Flag for external integration. |
| Redlock.RQL.Response.HasNetwork | Boolean | Flag for determining if network exists. |
| Redlock.RQL.Response.Id | String | The RQL response ID. |
| Redlock.RQL.Response.InsertTs | Date | The response time. |
| Redlock.RQL.Response.Name | String | The RQL response name. |
| Redlock.RQL.Response.RegionId | String | The cloud region ID. |
| Redlock.RQL.Response.RegionName | String | The cloud region name. |
| Redlock.RQL.Response.ResourceType | String | The resource type. |
| Redlock.RQL.Response.Rrn | String | The account RRN. |
| Redlock.RQL.Response.Service | String | The RQL response service. |
| Redlock.RQL.Response.StateId | String | The response state ID. |

Command Example#

!redlock-get-rql-response rql="config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;"

Context Example#

```json
{
  "Redlock": {
    "RQL": {
      "Query": "config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 1",
      "Response": [
        {
          "AccountId": "1234567890",
          "AccountName": "AWS PAN RBC",
          "AllowDrillDown": true,
          "CloudType": "aws",
          "Data": {
            "AmiLaunchIndex": 0,
            "Architecture": "x86_64",
            "BlockDeviceMappings": [
              {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                  "AttachTime": "2020-11-22T09:16:37.000Z",
                  "DeleteOnTermination": true,
                  "Status": "attached",
                  "VolumeId": "vol"
                }
              },
              {
                "DeviceName": "/dev/xvdbg",
                "Ebs": {
                  "AttachTime": "2020-11-23T15:33:52.000Z",
                  "DeleteOnTermination": false,
                  "Status": "attached",
                  "VolumeId": "vol"
                }
              },
              {
                "DeviceName": "/dev/xvdcp",
                "Ebs": {
                  "AttachTime": "2020-11-23T15:33:52.000Z",
                  "DeleteOnTermination": false,
                  "Status": "attached",
                  "VolumeId": "vol"
                }
              }
            ],
            "CapacityReservationSpecification": {
              "CapacityReservationPreference": "open"
            },
            "ClientToken": "fleet",
            "CpuOptions": {
              "CoreCount": 1,
              "ThreadsPerCore": 2
            },
            "EbsOptimized": false,
            "ElasticGpuAssociations": [],
            "ElasticInferenceAcceleratorAssociations": [],
            "EnaSupport": true,
            "HibernationOptions": {
              "Configured": false
            },
            "Hypervisor": "xen",
            "IamInstanceProfile": {
              "Arn": "arn",
              "Id": "AIPARLTR3KMHTT67AZ27N"
            },
            "ImageId": "ami-008ad23b7f9a160e5",
            "InstanceId": "i-123456789",
            "InstanceType": "t3.medium",
            "KeyName": "kubernetes",
            "LaunchTime": "2020-11-22T09:16:36.000Z",
            "Licenses": [],
            "MetadataOptions": {
              "HttpEndpoint": "enabled",
              "HttpPutResponseHopLimit": 2,
              "HttpTokens": "optional",
              "State": "applied"
            },
            "Monitoring": {
              "State": "disabled"
            },
            "NetworkInterfaces": [
              {
                "Association": {
                  "IpOwnerId": "amazon",
                  "PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
                  "PublicIp": "y.y.y.y"
                },
                "Attachment": {
                  "AttachTime": "2020-11-22T09:16:36.000Z",
                  "AttachmentId": "eni-attach-0146b63374e77b227",
                  "DeleteOnTermination": true,
                  "DeviceIndex": 0,
                  "Status": "attached"
                },
                "Description": "",
                "Groups": [
                  {
                    "GroupId": "sg-13456789987654",
                    "GroupName": "test"
                  },
                  {
                    "GroupId": "sg-1234567898765",
                    "GroupName": "test"
                  }
                ],
                "InterfaceType": "interface",
                "Ipv6Addresses": [],
                "MacAddress": "02:94:a1:55:69:43",
                "NetworkInterfaceId": "eni-0a5537731ce0b7fa2",
                "OwnerId": "1234567890",
                "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                "PrivateIpAddress": "x.x.x.x",
                "PrivateIpAddresses": [
                  {
                    "Association": {
                      "IpOwnerId": "amazon",
                      "PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
                      "PublicIp": "y.y.y.y"
                    },
                    "Primary": true,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-a.a.a.a.eu-west-1.compute.internal",
                    "PrivateIpAddress": "a.a.a.a"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-z.z.z.z.eu-west-1.compute.internal",
                    "PrivateIpAddress": "z.z.z.z"
                  }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-123456789",
                "VpcId": "vpc-123456789"
              },
              {
                "Attachment": {
                  "AttachTime": "2020-11-23T15:34:00.000Z",
                  "AttachmentId": "eni-attach-0251b661bb021effe",
                  "DeleteOnTermination": true,
                  "DeviceIndex": 1,
                  "Status": "attached"
                },
                "Description": "aws-K8S-i-123456789",
                "Groups": [
                  {
                    "GroupId": "sg-13456789987654",
                    "GroupName": "test"
                  },
                  {
                    "GroupId": "sg-1234567898765",
                    "GroupName": "test"
                  }
                ],
                "InterfaceType": "interface",
                "Ipv6Addresses": [],
                "MacAddress": "x:z:d",
                "NetworkInterfaceId": "eni-xyz",
                "OwnerId": "1234567890",
                "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                "PrivateIpAddress": "x.x.x.x",
                "PrivateIpAddresses": [
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": false,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  },
                  {
                    "Primary": true,
                    "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
                    "PrivateIpAddress": "x.x.x.x"
                  }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-123456789",
                "VpcId": "vpc-123456789"
              }
            ],
            "Placement": {
              "AvailabilityZone": "eu-west-1c",
              "GroupName": "",
              "Tenancy": "default"
            },
            "PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
            "PrivateIpAddress": "x.x.x.x",
            "ProductCodes": [],
            "PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
            "PublicIpAddress": "y.y.y.y",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SecurityGroups": [
              {
                "GroupId": "sg-13456789987654",
                "GroupName": "test"
              },
              {
                "GroupId": "sg-1234567898765",
                "GroupName": "test"
              }
            ],
            "SourceDestCheck": true,
            "State": {
              "Code": 16,
              "Name": "running"
            },
            "StateTransitionReason": "",
            "StatusEvents": [],
            "SubnetId": "subnet-123456789",
            "Tags": [
              {
                "Key": "Name",
                "Value": "cluster-ng-11111111-Node"
              },
              {
                "Key": "test.com/nodegroup-name",
                "Value": "ng-a143ec42"
              },
              {
                "Key": "test.com/nodegroup-type",
                "Value": "managed"
              },
              {
                "Key": "aws:autoscaling:groupName",
                "Value": "eks-123456789"
              },
              {
                "Key": "aws:ec2:fleet-id",
                "Value": "fleet-0987654321"
              },
              {
                "Key": "aws:ec2launchtemplate:id",
                "Value": "lt-123456789"
              },
              {
                "Key": "aws:ec2launchtemplate:version",
                "Value": "1"
              },
              {
                "Key": "eks:cluster-name",
                "Value": "cluster"
              },
              {
                "Key": "eks:nodegroup-name",
                "Value": "ng-a143ec42"
              },
              {
                "Key": "test.com/cluster-autoscaler/cluster",
                "Value": "owned"
              },
              {
                "Key": "test.com/cluster-autoscaler/enabled",
                "Value": "true"
              },
              {
                "Key": "kubernetes.io/cluster/cluster",
                "Value": "owned"
              }
            ],
            "VirtualizationType": "hvm",
            "VpcId": "vpc-123456789"
          },
          "Deleted": false,
          "HasAlert": false,
          "HasExtFindingRiskFactors": false,
          "HasExternalFinding": false,
          "HasExternalIntegration": false,
          "HasNetwork": false,
          "Id": "i-123456789",
          "InsertTs": 1234567876543,
          "Name": "cluster-ng-11111111-Node",
          "RegionId": "eu-west-1",
          "RegionName": "AWS Ireland",
          "ResourceType": "Instance",
          "Rrn": "rrn:somthing",
          "Service": "Amazon EC2",
          "StateId": "asdfghjklkjhgfdssaa"
        }
      ]
    }
  }
}
```

Human Readable Output#

RQL Output:#

| Account | Deleted | Region | Resource Name | Service |
| --- | --- | --- | --- | --- |
| AWS PAN | false | AWS Ireland | cluster-ng-11111111-Node | Amazon EC2 |

redlock-search-config#


Search configuration inventory on the Prisma Cloud (RedLock) platform using RQL language

Base Command#

redlock-search-config

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY. | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY. | Optional |
| time-range-value | The number of units to go back in time for the search. | Optional |
| time-range-unit | The search unit. Possible values are: "hour", "day", "week", "month", "year", "login", and "epoch". The login and epoch values are only available if the time-range-value argument is not provided. | Optional |
| query | Query to run in Prisma Cloud config API (use RQL). | Required |
| limit | The maximum number of entries to return. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Asset.accountId | Date | Cloud Account ID. |
| Redlock.Asset.accountName | String | Cloud account name. |
| Redlock.Asset.allowDrillDown | Boolean | |
| Redlock.Asset.cloudType | String | Cloud type. |
| Redlock.Asset.deleted | Boolean | Whether the asset was deleted. |
| Redlock.Asset.hasAlert | Boolean | Whether the asset has a Prisma Cloud alert. |
| Redlock.Asset.hasExtFindingRiskFactors | Boolean | Whether the asset has external finding risk factors. |
| Redlock.Asset.hasExternalFinding | Boolean | Whether the asset has an external finding. |
| Redlock.Asset.hasExternalIntegration | Boolean | Whether the asset has an external integration. |
| Redlock.Asset.hasNetwork | Boolean | Whether the asset has a network. |
| Redlock.Asset.id | String | The Redlock asset ID. |
| Redlock.Asset.data | Unknown | The Redlock asset specific data. |
| Redlock.Asset.insertTs | Date | The asset insert TS. |
| Redlock.Asset.name | String | The asset name. |
| Redlock.Asset.regionId | String | The cloud region ID of the asset. |
| Redlock.Asset.regionName | String | The cloud region name of the asset. |
| Redlock.Asset.resourceType | String | The cloud resource type of the asset. |
| Redlock.Asset.rrn | String | The cloud RRN of the asset. |
| Redlock.Asset.service | String | The state ID of the asset. |
| Redlock.Asset.stateId | String | State ID |

Command Example#

!redlock-search-config query=config where cloud.type = "aws" and cloud.service = "Amazon EC2" and api.name = "aws-ec2-describe-instances" and cloud.region="AWS Paris"

Context Example#

```json
{
  "Redlock": {
    "Asset": {
      "accountId": "1234568717",
      "accountName": "cloud-account-test",
      "allowDrillDown": true,
      "cloudType": "aws",
      "data": {
        "amiLaunchIndex": 0,
        "architecture": "x86_64",
        "blockDeviceMappings": [
          {
            "deviceName": "/dev/sda1",
            "ebs": {
              "attachTime": "2019-10-24T19:21:26.000Z",
              "deleteOnTermination": true,
              "status": "attached",
              "volumeId": "vol-0d76d5536e9900a9d"
            }
          }
        ],
        "capacityReservationSpecification": {
          "capacityReservationPreference": "open"
        },
        "clientToken": "",
        "cpuOptions": {
          "coreCount": 1,
          "threadsPerCore": 1
        },
        "ebsOptimized": false,
        "elasticGpuAssociations": [],
        "elasticInferenceAcceleratorAssociations": [],
        "enaSupport": true,
        "hibernationOptions": {
          "configured": false
        },
        "hypervisor": "xen",
        "imageId": "ami-0bb607148d8cf36fb",
        "instanceId": "i-0b12b0f4ed4b78e0b",
        "instanceType": "t2.micro",
        "keyName": "server1",
        "launchTime": "2019-10-24T19:21:25.000Z",
        "licenses": [],
        "metadataOptions": {
          "httpEndpoint": "enabled",
          "httpPutResponseHopLimit": 1,
          "httpTokens": "optional",
          "state": "applied"
        },
        "monitoring": {
          "state": "disabled"
        },
        "networkInterfaces": [
          {
            "association": {
              "ipOwnerId": "amazon",
              "publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
              "publicIp": "35.180.1.1"
            },
            "attachment": {
              "attachTime": "2019-10-24T19:21:25.000Z",
              "attachmentId": "eni-attach-0f8b6f1a9db5563d8",
              "deleteOnTermination": true,
              "deviceIndex": 0,
              "status": "attached"
            },
            "description": "",
            "groups": [
              {
                "groupId": "sg-0528d34b26dc81",
                "groupName": "SSH-HTTPS-IPSec"
              }
            ],
            "interfaceType": "interface",
            "ipv6Addresses": [],
            "macAddress": "0e:da:ad:84:82:7e",
            "networkInterfaceId": "eni-09e89a2e7923d7",
            "ownerId": "1234",
            "privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
            "privateIpAddress": "172.31.34.235",
            "privateIpAddresses": [
              {
                "association": {
                  "ipOwnerId": "amazon",
                  "publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
                  "publicIp": "35.180.1.1"
                },
                "primary": true,
                "privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
                "privateIpAddress": "172.31.34.235"
              }
            ],
            "sourceDestCheck": true,
            "status": "in-use",
            "subnetId": "subnet-89c025c4",
            "vpcId": "vpc-079b3111"
          }
        ],
        "placement": {
          "availabilityZone": "eu-west-3c",
          "groupName": "",
          "tenancy": "default"
        },
        "privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
        "privateIpAddress": "172.31.34.235",
        "productCodes": [],
        "publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
        "publicIpAddress": "35.180.1.1",
        "rootDeviceName": "/dev/sda1",
        "rootDeviceType": "ebs",
        "securityGroups": [
          {
            "groupId": "sg-0528d34b26dc81415",
            "groupName": "SSH-HTTPS-IPSec"
          }
        ],
        "sourceDestCheck": true,
        "state": {
          "code": 16,
          "name": "running"
        },
        "stateTransitionReason": "",
        "statusEvents": [],
        "subnetId": "subnet-89c025c4",
        "tags": [
          {
            "key": "Name",
            "value": "server1"
          }
        ],
        "virtualizationType": "hvm",
        "vpcId": "vpc-079b3111"
      },
      "deleted": false,
      "hasAlert": false,
      "hasExtFindingRiskFactors": false,
      "hasExternalFinding": false,
      "hasExternalIntegration": false,
      "hasNetwork": false,
      "id": "i-0b12baaaaa4b78e0b",
      "insertTs": 1603440806825,
      "name": "server1",
      "regionId": "eu-west-3",
      "regionName": "AWS Paris",
      "resourceType": "Instance",
      "rrn": "rrn::instance:eu-west-3:12345:9db2db5fdba47606863c8da86d3ae594fb5aee2b:i-0b12b0f4ed4b78e0b",
      "service": "Amazon EC2",
      "stateId": "5e79fd1aaab84a26abbf5641d4a115edfb8f7353"
    }
  }
}
```

Human Readable Output#

RQL Output:#

| Account | Deleted | Region | Resource Name | Service |
| --- | --- | --- | --- | --- |
| Felix - AWS - pan-lab | false | AWS Virginia | tl-console | Amazon EC2 |