Prisma Cloud (RedLock)

Configure Prisma Cloud (RedLock) on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud (RedLock).
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL | True |
| username | API Access Key | True |
| password | API Secret | True |
| customer | Customer name | False |
| proxy | Use system proxy settings | False |
| unsecure | Trust any certificate (not secure) | False |
| ruleName | Fetch only incidents matching this rule name | False |
| policySeverity | Fetch only incidents with this severity | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

redlock-search-alerts

Search alerts on the Prisma Cloud (RedLock) platform.

Base Command

redlock-search-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| time-range-date-from | Start time for the search, in the format MM/DD/YYYY | Optional |
| time-range-date-to | End time for the search, in the format MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit. login and epoch are only available if timeRangeValue is not provided. | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| alert-id | The alert ID | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.ID | string | ID of the returned alert |
| Redlock.Alert.Status | string | Status of the returned alert |
| Redlock.Alert.AlertTime | string | Time of the alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The policy type |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |
| Redlock.Metadata.CountOfAlerts | number | The number of alerts found |

Command Example

!redlock-search-alerts alert-id=P-214016

Context Example

{
  "Redlock": {
    "Alert": {
      "AlertTime": "05/29/2020 14:16:15",
      "ID": "P-214016",
      "Policy": {
        "ID": "765988-b967-9djksb-830f-sdf98798sdf9",
        "Name": "AWS Security groups allow internet traffic gnoy",
        "Remediable": true,
        "Severity": "high",
        "Type": "config"
      },
      "Resource": {
        "Account": "testAWS",
        "AccountID": "9876654321",
        "ID": "sg-98vc98sd76sd",
        "Name": "demo-98787654432"
      },
      "RiskDetail": {
        "Rating": "F",
        "Score": 170
      },
      "Status": "open"
    },
    "Metadata": {
      "CountOfAlerts": 1
    }
  }
}

Human Readable Output

Alerts

| Field | Value |
| --- | --- |
| ID | P-214016 |
| Status | open |
| FirstSeen | 05/28/2020 01:17:31 |
| LastSeen | 05/29/2020 14:16:42 |
| AlertTime | 05/29/2020 14:16:15 |
| PolicyName | AWS Security groups allow internet traffic gnoy |
| PolicyType | config |
| PolicyDescription | This policy identifies that Security Groups do not allow all traffic from internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections. |
| PolicySeverity | high |
| PolicyRecommendation | If the Security Groups reported indeed need to restrict all traffic, follow the instructions below: 1. Log in to the AWS console. 2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated. 3. Navigate to the 'VPC' service. 4. Click on the 'Security Group' specific to the alert. 5. Click on 'Inbound Rules' and remove the row with the ip value as 0.0.0.0/0 or ::/0. |
| PolicyDeleted | false |
| PolicyRemediable | true |
| RiskRating | F |
| ResourceName | demo-98787654432 |
| ResourceAccount | testAWS |
| ResourceType | SECURITY_GROUP |
| ResourceCloudType | aws |

redlock-get-alert-details

Gets the details of an alert by alert ID.

Base Command

redlock-get-alert-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The alert ID | Required |
| detailed | Whether to retrieve the entire alert model or the trimmed one | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.ID | string | The alert ID |
| Redlock.Alert.Status | string | The alert status |
| Redlock.Alert.AlertTime | date | The time of the alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The type of policy |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |

Command Example

!redlock-get-alert-details alert-id=P-214016

Context Example

{
  "Redlock": {
    "Alert": {
      "AlertTime": "05/29/2020 14:16:15",
      "ID": "P-214016",
      "Policy": {
        "ID": "765988-b967-9djksb-830f-sdf98798sdf9",
        "Name": null,
        "Remediable": false,
        "Severity": null,
        "Type": "config"
      },
      "Resource": {
        "Account": "testAWS",
        "AccountID": "9876654321",
        "ID": "sg-98vc98sd76sd",
        "Name": "demo-98787654432"
      },
      "RiskDetail": {
        "Rating": "F",
        "Score": 170
      },
      "Status": "open"
    }
  }
}

Human Readable Output

Alert

| Field | Value |
| --- | --- |
| ID | P-214016 |
| Status | open |
| FirstSeen | 05/28/2020 01:17:31 |
| LastSeen | 05/29/2020 14:16:42 |
| AlertTime | 05/29/2020 14:16:15 |
| PolicyID | |
| PolicyName | |
| PolicyType | config |
| PolicySystemDefault | |
| PolicyLabels | |
| PolicyDescription | |
| PolicySeverity | |
| PolicyRecommendation | |
| PolicyDeleted | false |
| PolicyRemediable | false |
| PolicyLastModifiedOn | |
| PolicyLastModifiedBy | |
| RiskScore | 170 |
| RiskRating | F |
| ResourceName | demo-98787654432 |
| ResourceRRN | |
| ResourceID | sg-98vc98sd76sd |
| ResourceAccount | testAWS |
| ResourceAccountID | 9876654321 |
| ResourceType | SECURITY_GROUP |
| ResourceRegionID | us-west-2 |
| ResourceApiName | aws-ec2-describe-security-groups |
| ResourceUrl | |
| ResourceData | (listed below) |
| ResourceAccessKeyAge | |
| ResourceInactiveSinceTs | |
| ResourceCloudType | aws |

ResourceData:

  vpcId: vpc-0824920b6d19bc4f1
  description: EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads.
  tags:
    {u'value': u'demo-98787654432', u'key': u'Name'},
    {u'value': u'cn-demo', u'key': u'aws:eks:cluster-name'},
    {u'value': u'owned', u'key': u'kubernetes.io/cluster/cn-demo'}
  ipPermissions:
    {u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/mtu=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}], u'prefixListIds': [], u'fromPort': 3, u'ipRanges': [u'0.0.0.0/0'], u'toPort': 4, u'ipProtocol': u'icmp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
    {u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/client=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}, {u'description': u'kubernetes.io/rule/nlb/health=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'192.168.0.0/16'}], u'prefixListIds': [], u'fromPort': 30463, u'ipRanges': [u'0.0.0.0/0', u'192.168.0.0/16'], u'toPort': 30463, u'ipProtocol': u'tcp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
    {u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'192.168.1.1/16'}], u'ipRanges': [u'192.168.1.1/16'], u'ipProtocol': u'-1', u'userIdGroupPairs': [{u'userId': u'9876654321', u'groupId': u'sg-0ce26260850e500d4', u'description': u'Allow unmanaged nodes to communicate with control plane (all ports)'}, {u'userId': u'9876654321', u'groupId': u'sg-98vc98sd76sd'}], u'ipv6Ranges': []}
  groupName: demo-98787654432
  ipPermissionsEgress: {u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'0.0.0.0/0'}], u'ipRanges': [u'0.0.0.0/0'], u'ipProtocol': u'-1', u'userIdGroupPairs': [], u'ipv6Ranges': []}
  ownerId: 9876654321
  groupId: sg-98vc98sd76sd
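As an added example (not part of the integration or its README), the check behind the "AWS Security groups allow internet traffic" policy as a small Python helper: given the security-group data that redlock-get-alert-details returns in the resource's ipPermissions, it lists the inbound rules that admit traffic from anywhere (0.0.0.0/0 or ::/0), which is what step 5 of the policy recommendation asks an analyst to remove. The sample dict is constructed to mirror the output above, and the cidrIpv6 key for IPv6 ranges is an assumption, since the sample has no IPv6 entries.

```python
from ipaddress import ip_network

# Constructed sample shaped like the ipPermissions data of alert P-214016
# above (values mirror the page's output, not a live account).
SAMPLE_SG = {
    "groupId": "sg-98vc98sd76sd",
    "ipPermissions": [
        {"ipProtocol": "icmp", "fromPort": 3, "toPort": 4,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [],
         "userIdGroupPairs": []},
        {"ipProtocol": "tcp", "fromPort": 30463, "toPort": 30463,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "192.168.0.0/16"}],
         "ipv6Ranges": [], "userIdGroupPairs": []},
        # "-1" means all protocols; 192.168.1.1/16 has host bits set, which
        # ip_network rejects unless strict=False (see is_internet_open).
        {"ipProtocol": "-1", "ipv4Ranges": [{"cidrIp": "192.168.1.1/16"}],
         "ipv6Ranges": [], "userIdGroupPairs": [{"groupId": "sg-0ce26260850e500d4"}]},
    ],
}


def is_internet_open(cidr):
    """True for the unrestricted ranges the policy flags: 0.0.0.0/0 and ::/0."""
    # strict=False so that sloppy CIDRs like 192.168.1.1/16 are normalised, not rejected.
    return ip_network(cidr, strict=False).prefixlen == 0


def internet_open_rules(sg):
    """Return (protocol, from_port, to_port, cidr) for each ingress rule open to the world.

    Protocol "-1" and missing ports are reported as "all", matching AWS semantics.
    The cidrIpv6 key used for IPv6 ranges is an assumption (the page's sample has none).
    """
    findings = []
    for perm in sg.get("ipPermissions", []):
        proto = perm.get("ipProtocol", "-1")
        proto = "all" if proto == "-1" else proto
        from_port = perm.get("fromPort", "all")
        to_port = perm.get("toPort", "all")
        for rng in perm.get("ipv4Ranges", []) + perm.get("ipv6Ranges", []):
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr and is_internet_open(cidr):
                findings.append((proto, from_port, to_port, cidr))
    return findings


if __name__ == "__main__":
    for rule in internet_open_rules(SAMPLE_SG):
        print("open to internet:", rule)
```

Run against the sample, the helper reports the ICMP 3-4 and TCP 30463 rules as open to 0.0.0.0/0, while the 192.168.1.1/16 all-protocol rule is internal and left alone.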

redlock-dismiss-alerts

Dismiss the alerts matching the given filter. You must provide either policy IDs or alert IDs.

Base Command

redlock-dismiss-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | Comma-separated list of alert IDs to dismiss | Optional |
| dismissal-note | Reason for the dismissal | Required |
| time-range-date-from | Start time for the search, in the format MM/DD/YYYY | Optional |
| time-range-date-to | End time for the search, in the format MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |
| policy-id | Comma-separated list of policy IDs | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Redlock.DismissedAlert.ID | string | The IDs of the dismissed alerts |

Command Example

!redlock-dismiss-alerts dismissal-note="testing" alert-id=P-214016

Context Example

{
  "Redlock": {
    "DismissedAlert": {
      "ID": [
        "P-214016"
      ]
    }
  }
}

Human Readable Output

Alerts dismissed successfully. Dismissal Note: testing.

redlock-reopen-alerts

Re-open the alerts matching the given filter. You must provide either policy IDs or alert IDs.

Base Command

redlock-reopen-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The IDs of the alerts to re-open | Optional |
| time-range-date-from | Start time for the search, in the format MM/DD/YYYY | Optional |
| time-range-date-to | End time for the search, in the format MM/DD/YYYY | Optional |
| time-range-value | The number of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Redlock.ReopenedAlert.ID | string | IDs of the re-opened alerts |

Command Example

!redlock-reopen-alerts alert-id=P-214016

Context Example

{
  "Redlock": {
    "ReopenedAlert": {
      "ID": [
        "P-214016"
      ]
    }
  }
}

Human Readable Output

Alerts re-opened successfully.

redlock-list-alert-filters

List the acceptable filters and values for alerts.

Base Command

redlock-list-alert-filters

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!redlock-list-alert-filters

Context Example

{}

Human Readable Output

Filter options

| Name | Options | Static |
| --- | --- | --- |
| cloud.account | | false |
| alert.id | | false |
| cloud.region | | false |
| policy.label | | false |
| resource.id | | false |
| cloud.type | alibaba_cloud, aws, azure, gcp | true |
| resource.name | | false |
| account.group | | false |
| risk.grade | A, B, C, F | true |
| policy.complianceSection | | false |
| policy.remediable | true, false | true |
| policy.name | | false |
| policy.type | anomaly, audit_event, config, network | true |
| alert.status | dismissed, snoozed, open, resolved | true |
| alertRule.name | | false |
| policy.subtype | build, run | true |
| resource.type | | false |
| policy.complianceStandard | | false |
| cloud.accountId | | false |
| policy.severity | high, medium, low | true |
| policy.rule.type | cft, k8s, tf | true |
| cloud.service | | false |
| policy.complianceRequirement | | false |

redlock-get-remediation-details

Get the remediation details for a given alert.

Base Command

redlock-get-remediation-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert-id | The ID of the alert to get remediation details for | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Redlock.Alert.Remediation.Description | string | Description of the CLI remediation instructions |
| Redlock.Alert.ID | string | The ID of the alert to which the remediation details apply |
| Redlock.Alert.Remediation.CLI | string | The exact CLI command string |

Command Example

!redlock-get-remediation-details alert-id=P-214016

Context Example

{
  "Redlock": {
    "Alert": {
      "ID": "P-214016",
      "Remediation": {
        "CLI": "aws --region us-west-2 ec2 revoke-security-group-ingress --group-id sg-984392384bkhjb --ip-permissions '[{\"IpProtocol\": \"tcp\", \"IpRanges\":[{\"CidrIp\": \"0.0.0.0/0\"}]}]' ; aws --region us-west-1 ec2 authorize-security-group-ingress --group-id sg-98237498798 --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\":[{\"CidrIp\": \"10.0.0.0/8\", \"Description\": \"Enforced by Redlock Remediation\"}]}]'",
        "Description": "\"This CLI command requires 'ec2:RevokeSecurityGroupIngress' permission. Successful execution will update the security group to revoke the ingress rule records open to internet either on IPv4 or on IPv6 protocol.\"} To resolve the alert from Prisma Cloud's console, add the permission."
      }
    }
  }
}

Human Readable Output

Remediation Details

| ID | RemediationCLI | RemediationDescription |
| --- | --- | --- |
| P-211648 | gcloud compute networks subnets update default --project=project1-111111 --region europe-north2 --enable-flow-logs | This CLI command requires 'compute.securityAdmin' permission. Successful execution will enables GCP VPC Flow logs for subnets to capture information about the IP traffic going to and from network interfaces in VPC Subnets. To resolve the alert from Prisma Cloud's console, add the permission. |