Skip to main content

Prisma Cloud (RedLock)

This Integration is part of the Prisma Cloud Pack.#

Configure Prisma Cloud (RedLock) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Prisma Cloud (RedLock).
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlServer API URL. See here for the relevant API URL for your tenant.True
usernameAPI Access KeyTrue
passwordAPI SecretTrue
customerCustomer nameFalse
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
fetch_timeFirst fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
ruleNameFetch only incidents matching this rule nameFalse
policyNameFetch only incidents matching this policy nameFalse
policySeverityFetch only incidents with this severityFalse
proxyUse system proxy settingsFalse
unsecureTrust any certificate (not secure)False
  1. Click Test to validate the URLs, token, and connection.

Note: Further info on creating access keys for Prisma Cloud is available here.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

redlock-search-alerts#


Search alerts on the Prisma Cloud (RedLock) platform. If no time-range arguments are given, the search will filter only alerts from the last 7 days.

Base Command#

redlock-search-alerts

Input#

Argument NameDescriptionRequired
time-range-date-fromStart time for search in the following string format - MM/DD/YYYY, Should be provided along with time-range-date-to. If not both are provided, the time range will be set to the last 7 days and this argument will be ignored.Optional
time-range-date-toEnd time for search in the following format - MM/DD/YYYY, Should be provided along with time-range-date-from. If not both are provided, the time range will be set to the last 7 days and this argument will be ignored.Optional
time-range-valueThe amount of units to go back in timeOptional
time-range-unitThe search unit. login and epoch are only available if timeRangeValue is not provided.Optional
policy-nameThe policy nameOptional
policy-labelThe policy labelOptional
policy-compliance-standardThe policy compliance standardOptional
cloud-accountThe cloud accountOptional
cloud-regionThe cloud regionOptional
alert-rule-nameThe alert rule nameOptional
resource-idThe resource IDOptional
resource-nameThe resource nameOptional
resource-typeThe resource typeOptional
alert-statusThe alert statusOptional
alert-idThe alert IDOptional
cloud-typeThe cloud typeOptional
risk-gradeThe risk gradeOptional
policy-typeThe policy typeOptional
policy-severityThe policy severityOptional

Context Output#

PathTypeDescription
Redlock.Alert.IDstringID of returned alert
Redlock.Alert.StatusstringStatus of returned alert
Redlock.Alert.AlertTimestringTime of alert
Redlock.Alert.Policy.IDstringThe policy ID
Redlock.Alert.Policy.NamestringThe policy name
Redlock.Alert.Policy.TypestringThe policy type
Redlock.Alert.Policy.SeveritystringThe policy severity
Redlock.Alert.Policy.RemediablebooleanWhether or not the policy is remediable
Redlock.Alert.RiskDetail.RatingstringThe risk rating
Redlock.Alert.RiskDetail.ScorestringThe risk score
Redlock.Metadata.CountOfAlertsnumberThe number of alerts found

Command Example#

!redlock-search-alerts alert-id=P-214016

Context Example#

{
"Redlock": {
"Alert": {
"AlertTime": "05/29/2020 14:16:15",
"ID": "P-214016",
"Policy": {
"ID": "765988-b967-9djksb-830f-sdf98798sdf9",
"Name": "AWS Security groups allow internet traffic gnoy",
"Remediable": true,
"Severity": "high",
"Type": "config"
},
"Resource": {
"Account": "testAWS",
"AccountID": "9876654321",
"ID": "sg-98vc98sd76sd",
"Name": "demo-98787654432"
},
"RiskDetail": {
"Rating": "F",
"Score": 170
},
"Status": "open"
},
"Metadata": {
"CountOfAlerts": 1
}
}
}

Human Readable Output#

Alerts#

IDStatusFirstSeenLastSeenAlertTimePolicyNamePolicyTypePolicyDescriptionPolicySeverityPolicyRecommendationPolicyDeletedPolicyRemediableRiskRatingResourceNameResourceAccountResourceTypeResourceCloudType
P-214016open05/28/2020 01:17:3105/29/2020 14:16:4205/29/2020 14:16:15AWS Security groups allow internet traffic gnoyconfigThis policy identifies that Security Groups do not allow all traffic from internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections.highIf the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
1. Log in to the AWS console
2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated
3. Navigate to the 'VPC' service
4. Click on the 'Security Group' specific to the alert
5. Click on 'Inbound Rules' and remove the row with the ip value as 0.0.0.0/0 or ::/0
falsetrueFdemo-98787654432testAWSSECURITY_GROUPaws

redlock-get-alert-details#


Gets the details of an alert based on alert ID

Base Command#

redlock-get-alert-details

Input#

Argument NameDescriptionRequired
alert-idThe alert IDRequired
detailedAllows for retrieving entire / trimmed alert modelOptional

Context Output#

PathTypeDescription
Redlock.Alert.IDstringThe alert ID
Redlock.Alert.StatusstringThe alert status
Redlock.Alert.AlertTimedateThe time of the alert
Redlock.Alert.Policy.IDstringThe policy ID
Redlock.Alert.Policy.NamestringThe policy name
Redlock.Alert.Policy.TypestringThe type of policy
Redlock.Alert.Policy.SeveritystringThe policy severity
Redlock.Alert.Policy.RemediablebooleanWhether or not the policy is remediable
Redlock.Alert.RiskDetail.RatingstringThe risk rating
Redlock.Alert.RiskDetail.ScorestringThe risk score

Command Example#

!redlock-get-alert-details alert-id=P-214016

Context Example#

{
"Redlock": {
"Alert": {
"AlertTime": "05/29/2020 14:16:15",
"ID": "P-214016",
"Policy": {
"ID": "765988-b967-9djksb-830f-sdf98798sdf9",
"Name": null,
"Remediable": false,
"Severity": null,
"Type": "config"
},
"Resource": {
"Account": "testAWS",
"AccountID": "9876654321",
"ID": "sg-98vc98sd76sd",
"Name": "demo-98787654432"
},
"RiskDetail": {
"Rating": "F",
"Score": 170
},
"Status": "open"
}
}
}

Human Readable Output#

Alert#

IDStatusFirstSeenLastSeenAlertTimePolicyIDPolicyNamePolicyTypePolicySystemDefaultPolicyLabelsPolicyDescriptionPolicySeverityPolicyRecommendationPolicyDeletedPolicyRemediablePolicyLastModifiedOnPolicyLastModifiedByRiskScoreRiskRatingResourceNameResourceRRNResourceIDResourceAccountResourceAccountIDResourceTypeResourceRegionIDResourceApiNameResourceUrlResourceDataResourceAccessKeyAgeResourceInactiveSinceTsResourceCloudType
P-214016open05/28/2020 01:17:3105/29/2020 14:16:4205/29/2020 14:16:15configfalsefalse170Fdemo-98787654432sg-98vc98sd76sdtestAWS9876654321SECURITY_GROUPus-west-2aws-ec2-describe-security-groupsvpcId: vpc-0824920b6d19bc
description: EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads.
tags: {u'value': u'demo-98787654432', u'key': u'Name'},
{u'value': u'cn-demo', u'key': u'aws:eks:cluster-name'},
{u'value': u'owned', u'key': u'kubernetes.io/cluster/cn-demo'}
ipPermissions: {u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/mtu=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}], u'prefixListIds': [], u'fromPort': 3, u'ipRanges': [u'0.0.0.0/0'], u'toPort': 4, u'ipProtocol': u'icmp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/client=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}, {u'description': u'kubernetes.io/rule/nlb/health=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'192.168.0.0/16'}], u'prefixListIds': [], u'fromPort': 30463, u'ipRanges': [u'0.0.0.0/0', u'192.168.0.0/16'], u'toPort': 30463, u'ipProtocol': u'tcp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'x.x.x.x/16'}], u'ipRanges': [u'x.x.x.x/16'], u'ipProtocol': u'-1', u'userIdGroupPairs': [{u'userId': u'9876654321', u'groupId': u'sg-0ce26260850e500d4', u'description': u'Allow unmanaged nodes to communicate with control plane (all ports)'}, {u'userId': u'9876654321', u'groupId': u'sg-98vc98sd76sd'}], u'ipv6Ranges': []}
groupName: demo-98787654432
ipPermissionsEgress: {u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'0.0.0.0/0'}], u'ipRanges': [u'0.0.0.0/0'], u'ipProtocol': u'-1', u'userIdGroupPairs': [], u'ipv6Ranges': []}
ownerId: 9876654321
groupId: sg-98vc98sd76sd
aws

redlock-dismiss-alerts#


Dismiss the alerts matching the given filter. Must provide either policy IDs or alert IDs.

Base Command#

redlock-dismiss-alerts

Input#

Argument NameDescriptionRequired
alert-idComma-separated list of string IDs to be dismissedOptional
dismissal-noteReason for dismissal.Required
snooze-valueThe amount of time to snooze. Both snooze value and unit must be specified.Optional
snooze-unitThe time unit for if snoozing alert. Both snooze value and unit must be specified if snoozing.Optional
time-range-date-fromStart time for search in the following string format - MM/DD/YYYYOptional
time-range-date-toEnd time for search in the following format - MM/DD/YYYYOptional
time-range-valueThe amount of units to go back in timeOptional
time-range-unitThe search unitOptional
policy-nameThe policy nameOptional
policy-labelThe policy labelOptional
policy-compliance-standardThe policy compliance standardOptional
cloud-accountThe cloud accountOptional
cloud-regionThe cloud regionOptional
alert-rule-nameThe alert rule nameOptional
resource-idThe resource IDOptional
resource-nameThe resource nameOptional
resource-typeThe resource typeOptional
alert-statusThe alert statusOptional
cloud-typeThe cloud typeOptional
risk-gradeThe risk gradeOptional
policy-typeThe policy typeOptional
policy-severityThe policy severityOptional
policy-idComma-separated string of policy IDsOptional

Context Output#

PathTypeDescription
Redlock.DismissedAlert.IDstringThe IDs of the dismissed alerts

Command Example#

!redlock-dismiss-alerts dismissal-note="testing" alert-id=P-214016

Context Example#

{
"Redlock": {
"DismissedAlert": {
"ID": [
"P-214016"
]
}
}
}

Human Readable Output#

Alerts dismissed successfully. Dismissal Note: testing.#

redlock-reopen-alerts#


Re-open the alerts matching the given filter. Must provide either policy IDs or alert IDs.

Base Command#

redlock-reopen-alerts

Input#

Argument NameDescriptionRequired
alert-idThe IDs of alerts to reopenOptional
time-range-date-fromStart time for search in the following string format - MM/DD/YYYYOptional
time-range-date-toEnd time for search in the following format - MM/DD/YYYYOptional
time-range-valueThe amount of units to go back in timeOptional
time-range-unitThe search unitOptional
policy-nameThe policy nameOptional
policy-labelThe policy labelOptional
policy-compliance-standardThe policy compliance standardOptional
cloud-accountThe cloud accountOptional
cloud-regionThe cloud regionOptional
alert-rule-nameThe alert rule nameOptional
resource-idThe resource IDOptional
resource-nameThe resource nameOptional
resource-typeThe resource typeOptional
alert-statusThe alert statusOptional
cloud-typeThe cloud typeOptional
risk-gradeThe risk gradeOptional
policy-typeThe policy typeOptional
policy-severityThe policy severityOptional

Context Output#

PathTypeDescription
Redlock.ReopenedAlert.IDstringIDs of the re-opened alerts

Command Example#

!redlock-reopen-alerts alert-id=P-214016

Context Example#

{
"Redlock": {
"ReopenedAlert": {
"ID": [
"P-214016"
]
}
}
}

Human Readable Output#

Alerts re-opened successfully.#

redlock-list-alert-filters#


List the acceptable filters and values for alerts

Base Command#

redlock-list-alert-filters

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

Command Example#

!redlock-list-alert-filters

Context Example#

{}

Human Readable Output#

Filter options#

NameOptionsStatic
cloud.accountfalse
alert.idfalse
cloud.regionfalse
policy.labelfalse
resource.idfalse
cloud.typealibaba_cloud,aws,azure,gcptrue
resource.namefalse
account.groupfalse
risk.gradeA,B,C,Ftrue
policy.complianceSectionfalse
policy.remediabletrue,falsetrue
policy.namefalse
policy.typeanomaly,audit_event,config,networktrue
alert.statusdismissed,snoozed,open,resolvedtrue
alertRule.namefalse
policy.subtypebuild,runtrue
resource.typefalse
policy.complianceStandardfalse
cloud.accountIdfalse
policy.severityhigh,medium,lowtrue
policy.rule.typecft,k8s,tftrue
cloud.servicefalse
policy.complianceRequirementfalse

redlock-get-remediation-details#


Get remediation details for a given alert

Base Command#

redlock-get-remediation-details

Input#

Argument NameDescriptionRequired
alert-idThe alert id to get remediation details forOptional

Context Output#

PathTypeDescription
Redlock.Alert.Remediation.DescriptionstringDescription of CLI remediation instructions
Redlock.Alert.IDstringThe ID of the alert for which the remediation details applies
Redlock.Alert.Remediation.CLIstringExact CLI command string

Command Example#

!redlock-get-remediation-details alert-id=P-214016

Context Example#

{
"Redlock": {
"Alert": {
"ID": "P-214016",
"Remediation": {
"CLI": "aws --region us-west-2 ec2 revoke-security-group-ingress --group-id sg-984392384bkhjb --ip-permissions '[{\"IpProtocol\": \"tcp\", \"IpRanges\":[{\"CidrIp\": \"0.0.0.0/0\"}]}]' ; aws --region us-west-1 ec2 authorize-security-group-ingress --group-id sg-98237498798 --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\":[{\"CidrIp\": \"10.0.0.0/8\", \"Description\": \"Enforced by Redlock Remediation\"}]}]'",
"Description": "\"This CLI command requires 'ec2:RevokeSecurityGroupIngress' permission. Successful execution will update the security group to revoke the ingress rule records open to internet either on IPv4 or on IPv6 protocol.\"} To resolve the alert from Prisma Cloud's console, add the permission."
}
}
}
}

Human Readable Output#

Remediation Details#

IDRemediationCLIRemediationDescription
P-211648gcloud compute networks subnets update default --project=project1-111111 --region europe-north2 --enable-flow-logsThis CLI command requires 'compute.securityAdmin' permission. Successful execution will enables GCP VPC Flow logs for subnets to capture information about the IP traffic going to and from network interfaces in VPC Subnets. To resolve the alert from Prisma Cloud's console, add the permission.

redlock-get-rql-response#


Run RQL query on Prisma Cloud

Base Command#

redlock-get-rql-response

Input#

Argument NameDescriptionRequired
limitdetermines the limit on the results. '; limit search records to {}' is appended to every query where {} is the value of limit or 1 if not passedOptional
rqlthe RQL query to run. Example RQL queries can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql-examples. Note that limit search records to 1 is automatically appended to each query and a ; may need to be added to the end of the rql input to make the entire query valid. The limit parameter adjusts this to be a value other than 1.Required

Context Output#

PathTypeDescription
Redlock.RQL.QueryStringThe
Redlock.RQL.Response.AccountIdDateThe cloud account ID.
Redlock.RQL.Response.AccountNameStringThe cloud account name.
Redlock.RQL.Response.AllowDrillDownBooleanFlag to allow drill down.
Redlock.RQL.Response.CloudTypeStringThe cloud type.
Redlock.RQL.Response.DataObjectThe data object returned by the RQL response. Reference: https://api.docs.prismacloud.io/api/cloud/cspm/search/
Redlock.RQL.Response.DeletedBooleanFlag if deleted.
Redlock.RQL.Response.HasAlertBooleanFlag to check if RQL response has alerts.
Redlock.RQL.Response.HasExtFindingRiskFactorsBooleanFlag if query returns external risk factors.
Redlock.RQL.Response.HasExternalFindingBooleanFlag for external findings.
Redlock.RQL.Response.HasExternalIntegrationBooleanFlag for external integration.
Redlock.RQL.Response.HasNetworkBooleanFlag for determining if network exists.
Redlock.RQL.Response.IdStringThe RQL response ID.
Redlock.RQL.Response.InsertTsDateThe response time.
Redlock.RQL.Response.NameStringThe RQL response name.
Redlock.RQL.Response.RegionIdStringThe cloud region ID.
Redlock.RQL.Response.RegionNameStringThe cloud region name.
Redlock.RQL.Response.ResourceTypeStringThe resource type.
Redlock.RQL.Response.RrnStringThe account RRN.
Redlock.RQL.Response.ServiceStringThe RQL response service.
Redlock.RQL.Response.StateIdStringThe response state ID.

Command Example#

!redlock-get-rql-response rql="config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;"

Context Example#

{
"Redlock": {
"RQL": {
"Query": "config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X; limit search records to 1",
"Response": [
{
"AccountId": "1234567890",
"AccountName": "AWS PAN RBC",
"AllowDrillDown": true,
"CloudType": "aws",
"Data": {
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"AttachTime": "2020-11-22T09:16:37.000Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol"
}
},
{
"DeviceName": "/dev/xvdbg",
"Ebs": {
"AttachTime": "2020-11-23T15:33:52.000Z",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol"
}
},
{
"DeviceName": "/dev/xvdcp",
"Ebs": {
"AttachTime": "2020-11-23T15:33:52.000Z",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol"
}
}
],
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"ClientToken": "fleet",
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 2
},
"EbsOptimized": false,
"ElasticGpuAssociations": [],
"ElasticInferenceAcceleratorAssociations": [],
"EnaSupport": true,
"HibernationOptions": {
"Configured": false
},
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn",
"Id": "AIPARLTR3KMHTT67AZ27N"
},
"ImageId": "ami-008ad23b7f9a160e5",
"InstanceId": "i-123456789",
"InstanceType": "t3.medium",
"KeyName": "kubernetes",
"LaunchTime": "2020-11-22T09:16:36.000Z",
"Licenses": [],
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpPutResponseHopLimit": 2,
"HttpTokens": "optional",
"State": "applied"
},
"Monitoring": {
"State": "disabled"
},
"NetworkInterfaces": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
"PublicIp": "y.y.y.y"
},
"Attachment": {
"AttachTime": "2020-11-22T09:16:36.000Z",
"AttachmentId": "eni-attach-0146b63374e77b227",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached"
},
"Description": "",
"Groups": [
{
"GroupId": "sg-13456789987654",
"GroupName": "test"
},
{
"GroupId": "sg-1234567898765",
"GroupName": "test"
}
],
"InterfaceType": "interface",
"Ipv6Addresses": [],
"MacAddress": "02:94:a1:55:69:43",
"NetworkInterfaceId": "eni-0a5537731ce0b7fa2",
"OwnerId": "1234567890",
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x",
"PrivateIpAddresses": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
"PublicIp": "y.y.y.y"
},
"Primary": true,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-a.a.a.a.eu-west-1.compute.internal",
"PrivateIpAddress": "a.a.a.a"
},
{
"Primary": false,
"PrivateDnsName": "ip-z.z.z.z.eu-west-1.compute.internal",
"PrivateIpAddress": "z.z.z.z"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-123456789",
"VpcId": "vpc-123456789"
},
{
"Attachment": {
"AttachTime": "2020-11-23T15:34:00.000Z",
"AttachmentId": "eni-attach-0251b661bb021effe",
"DeleteOnTermination": true,
"DeviceIndex": 1,
"Status": "attached"
},
"Description": "aws-K8S-i-123456789",
"Groups": [
{
"GroupId": "sg-13456789987654",
"GroupName": "test"
},
{
"GroupId": "sg-1234567898765",
"GroupName": "test"
}
],
"InterfaceType": "interface",
"Ipv6Addresses": [],
"MacAddress": "x:z:d",
"NetworkInterfaceId": "eni-xyz",
"OwnerId": "1234567890",
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x",
"PrivateIpAddresses": [
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": false,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
},
{
"Primary": true,
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-123456789",
"VpcId": "vpc-123456789"
}
],
"Placement": {
"AvailabilityZone": "eu-west-1c",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "ip-x.x.x.x.eu-west-1.compute.internal",
"PrivateIpAddress": "x.x.x.x",
"ProductCodes": [],
"PublicDnsName": "ec2-x-x-x-x.eu-west-1.compute.amazonaws.com",
"PublicIpAddress": "y.y.y.y",
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupId": "sg-13456789987654",
"GroupName": "test"
},
{
"GroupId": "sg-1234567898765",
"GroupName": "test"
}
],
"SourceDestCheck": true,
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"StatusEvents": [],
"SubnetId": "subnet-123456789",
"Tags": [
{
"Key": "Name",
"Value": "cluster-ng-11111111-Node"
},
{
"Key": "test.com/nodegroup-name",
"Value": "ng-a143ec42"
},
{
"Key": "test.com/nodegroup-type",
"Value": "managed"
},
{
"Key": "aws:autoscaling:groupName",
"Value": "eks-123456789"
},
{
"Key": "aws:ec2:fleet-id",
"Value": "fleet-0987654321"
},
{
"Key": "aws:ec2launchtemplate:id",
"Value": "lt-123456789"
},
{
"Key": "aws:ec2launchtemplate:version",
"Value": "1"
},
{
"Key": "eks:cluster-name",
"Value": "cluster"
},
{
"Key": "eks:nodegroup-name",
"Value": "ng-a143ec42"
},
{
"Key": "test.com/cluster-autoscaler/cluster",
"Value": "owned"
},
{
"Key": "test.com/cluster-autoscaler/enabled",
"Value": "true"
},
{
"Key": "kubernetes.io/cluster/cluster",
"Value": "owned"
}
],
"VirtualizationType": "hvm",
"VpcId": "vpc-123456789"
},
"Deleted": false,
"HasAlert": false,
"HasExtFindingRiskFactors": false,
"HasExternalFinding": false,
"HasExternalIntegration": false,
"HasNetwork": false,
"Id": "i-123456789",
"InsertTs": 1234567876543,
"Name": "cluster-ng-11111111-Node",
"RegionId": "eu-west-1",
"RegionName": "AWS Ireland",
"ResourceType": "Instance",
"Rrn": "rrn:somthing",
"Service": "Amazon EC2",
"StateId": "asdfghjklkjhgfdssaa"
}
]
}
}
}

Human Readable Output#

RQL Output:#

AccountDeletedRegionResource NameService
AWS PANfalseAWS Irelandcluster-ng-11111111-NodeAmazon EC2

redlock-search-config#


Search configuration inventory on the Prisma Cloud (RedLock) platform using RQL language

Base Command#

redlock-search-config

Input#

Argument NameDescriptionRequired
time-range-date-fromStart time for search in the following string format - MM/DD/YYYY.Optional
time-range-date-toEnd time for search in the following format - MM/DD/YYYY.Optional
time-range-valueThe number of units to go back in time for the search.Optional
time-range-unitThe search unit. Possible values are: "hour", "day", "week", "month", "year", "login", and "epoch". The login and epoch values are only available if the time-range-value argument is not provided.Optional
queryQuery to run in Prisma Cloud config API (use RQL).Required
limitThe maximum number of entries to return. Default is 100.Optional

Context Output#

PathTypeDescription
Redlock.Asset.accountIdDateCloud Account ID.
Redlock.Asset.accountNameStringCloud account Name
Redlock.Asset.allowDrillDownBoolean
Redlock.Asset.cloudTypeStringCloud type.
Redlock.Asset.deletedBooleanWhether the asset was delete.
Redlock.Asset.hasAlertBooleanWhether the asset has a Prisma Cloud alert.
Redlock.Asset.hasExtFindingRiskFactorsBooleanWhether the asset has external finding risk factors.
Redlock.Asset.hasExternalFindingBooleanWhether the asset has an external finding.
Redlock.Asset.hasExternalIntegrationBooleanWhether the asset has an external integration.
Redlock.Asset.hasNetworkBooleanWhether the asset has a network.
Redlock.Asset.idStringThe Redlock asset ID.
Redlock.Asset.dataUnknownThe Redlock asset specific data.
Redlock.Asset.insertTsDateThe asset insert TS.
Redlock.Asset.nameStringThe asset name.
Redlock.Asset.regionIdStringThe cloud region ID of the asset.
Redlock.Asset.regionNameStringThe cloud region name of the asset.
Redlock.Asset.resourceTypeStringThe cloud resource type of the asset.
Redlock.Asset.rrnStringThe cloud RRN of the asset.
Redlock.Asset.serviceStringThe state ID of the asset.
Redlock.Asset.stateIdStringState ID

Command Example#

``!redlock-search-config query=config where cloud.type = "aws" and cloud.service = "Amazon EC2" and api.name = "aws-ec2-describe-instances" and cloud.region="AWS Paris"````

Context Example#

{
"Redlock": {
"Asset": {
"accountId": "1234568717",
"accountName": "cloud-account-test",
"allowDrillDown": true,
"cloudType": "aws",
"data": {
"amiLaunchIndex": 0,
"architecture": "x86_64",
"blockDeviceMappings": [
{
"deviceName": "/dev/sda1",
"ebs": {
"attachTime": "2019-10-24T19:21:26.000Z",
"deleteOnTermination": true,
"status": "attached",
"volumeId": "vol-0d76d5536e9900a9d"
}
}
],
"capacityReservationSpecification": {
"capacityReservationPreference": "open"
},
"clientToken": "",
"cpuOptions": {
"coreCount": 1,
"threadsPerCore": 1
},
"ebsOptimized": false,
"elasticGpuAssociations": [],
"elasticInferenceAcceleratorAssociations": [],
"enaSupport": true,
"hibernationOptions": {
"configured": false
},
"hypervisor": "xen",
"imageId": "ami-0bb607148d8cf36fb",
"instanceId": "i-0b12b0f4ed4b78e0b",
"instanceType": "t2.micro",
"keyName": "server1",
"launchTime": "2019-10-24T19:21:25.000Z",
"licenses": [],
"metadataOptions": {
"httpEndpoint": "enabled",
"httpPutResponseHopLimit": 1,
"httpTokens": "optional",
"state": "applied"
},
"monitoring": {
"state": "disabled"
},
"networkInterfaces": [
{
"association": {
"ipOwnerId": "amazon",
"publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
"publicIp": "35.180.1.1"
},
"attachment": {
"attachTime": "2019-10-24T19:21:25.000Z",
"attachmentId": "eni-attach-0f8b6f1a9db5563d8",
"deleteOnTermination": true,
"deviceIndex": 0,
"status": "attached"
},
"description": "",
"groups": [
{
"groupId": "sg-0528d34b26dc81",
"groupName": "SSH-HTTPS-IPSec"
}
],
"interfaceType": "interface",
"ipv6Addresses": [],
"macAddress": "0e:da:ad:84:82:7e",
"networkInterfaceId": "eni-09e89a2e7923d7",
"ownerId": "1234",
"privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
"privateIpAddress": "172.31.34.235",
"privateIpAddresses": [
{
"association": {
"ipOwnerId": "amazon",
"publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
"publicIp": "35.180.1.1"
},
"primary": true,
"privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
"privateIpAddress": "172.31.34.235"
}
],
"sourceDestCheck": true,
"status": "in-use",
"subnetId": "subnet-89c025c4",
"vpcId": "vpc-079b3111"
}
],
"placement": {
"availabilityZone": "eu-west-3c",
"groupName": "",
"tenancy": "default"
},
"privateDnsName": "ip-172-31-34-235.eu-west-3.compute.internal",
"privateIpAddress": "172.31.34.235",
"productCodes": [],
"publicDnsName": "ec2-35-180-1-1.eu-west-3.compute.amazonaws.com",
"publicIpAddress": "35.180.1.1",
"rootDeviceName": "/dev/sda1",
"rootDeviceType": "ebs",
"securityGroups": [
{
"groupId": "sg-0528d34b26dc81415",
"groupName": "SSH-HTTPS-IPSec"
}
],
"sourceDestCheck": true,
"state": {
"code": 16,
"name": "running"
},
"stateTransitionReason": "",
"statusEvents": [],
"subnetId": "subnet-89c025c4",
"tags": [
{
"key": "Name",
"value": "server1"
}
],
"virtualizationType": "hvm",
"vpcId": "vpc-079b3111"
},
"deleted": false,
"hasAlert": false,
"hasExtFindingRiskFactors": false,
"hasExternalFinding": false,
"hasExternalIntegration": false,
"hasNetwork": false,
"id": "i-0b12baaaaa4b78e0b",
"insertTs": 1603440806825,
"name": "server1",
"regionId": "eu-west-3",
"regionName": "AWS Paris",
"resourceType": "Instance",
"rrn": "rrn::instance:eu-west-3:12345:9db2db5fdba47606863c8da86d3ae594fb5aee2b:i-0b12b0f4ed4b78e0b",
"service": "Amazon EC2",
"stateId": "5e79fd1aaab84a26abbf5641d4a115edfb8f7353"
}
}
}

Human Readable Output#

RQL Output:#

AccountDeletedRegionResource NameService
Felix - AWS - pan-labfalseAWS Virginiatl-consoleAmazon EC2

redlock-search-event#


Search events on the Prisma Cloud (RedLock) platform using RQL language.

Base Command#

redlock-search-event

Input#

Argument NameDescriptionRequired
time-range-date-fromStart time for the search, in the following format - MM/DD/YYYY.Optional
time-range-date-toEnd time for the search, in the following format - MM/DD/YYYY.Optional
time-range-valueThe number of time range value units for the search. For example, 3 days, 5 weeks, etc.Optional
time-range-unitThe search unit. Possible values are: "hour", "week", "month", "year", "login", or "epoch". The "login" and "epoch" options are only available if timeRangeValue
is not provided. Possible values are: hour, day, week, month, year, login, epoch.
Optional
queryQuery to run in Prisma Cloud search API using RQL language.Required
limitMaximum number of entries to return. Default is 100.Optional

Context Output#

PathTypeDescription
Redlock.EventUnknownCloud audit events.

Command Example#

!redlock-search-event query=`event from cloud.audit_logs where ip EXISTS AND ip IN (172.31.34.235)` time-range-date-from=10/29/2021 time-range-date-to=10/30/2021

Context Example#

{
"Redlock": {
"Event": [
{
"account": "712829893241",
"regionId": 4,
"eventTs": 1642051966000,
"subject": "ejb-iam-cloudops",
"type": "CREATE",
"source": "s3.amazonaws.com",
"name": "CreateBucket",
"id": 2557671673,
"ip": "172.31.34.235",
"accessKeyUsed": false,
"cityId": -4,
"cityName": "Private",
"stateId": -4,
"stateName": "Private",
"countryId": -4,
"countryName": "Private",
"cityLatitude": -1.0,
"cityLongitude": -1.0,
"success": false,
"internal": false,
"location": "Private",
"accountName": "aws-emea-tac",
"regionName": "AWS Oregon",
"dynamicData": {}
}
]
}
}

Human Readable Output#

Event Details#

Showing 1 out of 1243 events |accessKeyUsed|account|accountName|cityId|cityLatitude|cityLongitude|cityName|countryId|countryName|dynamicData|eventTs|id|internal|ip|location|name|regionId|regionName|source|stateId|stateName|subject|success|type| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | false | 712829893241 | aws-emea-tac | -4 | -1.0 | -1.0 | Private | -4 | Private | | 1642051938000 | 2557671539 | false | 172.31.34.235 | Private | CreateBucket | 4 | AWS Oregon | s3.amazonaws.com | -4 | Private | ejb-iam-cloudops | false | CREATE |

redlock-search-network#


Search networks on the Prisma Cloud (RedLock) platform using RQL language.

Base Command#

redlock-search-network

Input#

Argument NameDescriptionRequired
time-range-date-fromStart time for the search, in the following format - MM/DD/YYYY.Optional
time-range-date-toEnd time for the search, in the following format - MM/DD/YYYY.Optional
time-range-valueThe number of time range value units for the search. For example, 3 days, 5 weeks, etc.Optional
time-range-unitThe search unit. Possible values are: "hour", "week", "month", "year", "login", or "epoch". The "login" and "epoch" options are only available if timeRangeValue
is not provided. Possible values are: hour, day, week, month, year, login, epoch.
Optional
queryQuery to run in Prisma Cloud search API using RQL language.Required
cloud-typeThe cloud in which the network should be searched. Possible values are: aws, azure, gcp, alibaba_cloud, oci.Optional

Context Output#

PathTypeDescription
Redlock.Network.NodeUnknownCloud network node.
Redlock.Network.ConnectionUnknownCloud network connection.

Command Example#

!redlock-search-network query="network from vpc.flow_record where bytes > 0" time-range-unit=hour time-range-value=2

Context Example#

{
"Redlock": {
"Node": [
{
"id": 1422407688,
"name": "aqwe",
"ipAddr": "172.31.34.235",
"grouped": false,
"suspicious": false,
"vulnerable": true,
"iconId": "web_server",
"metadata": {
"redlock_alert_count": 16,
"host_vulnerability_count": 0,
"vpc_name": [
{
"id": "vpc-ddf45bb4",
"name": "defaultwala"
}
],
"initial": true,
"vpc_id": [
"vpc-ddf45bb4"
],
"ip_addresses": [
"172.31.34.235",
"35.180.1.1"
],
"inspector_rba_count": 0,
"region_id": [
"us-east-2"
],
"guard_duty_iam_count": 0,
"net_iface_id": [
"eni-04fec4df10974b6fe"
],
"guard_duty_host_count": 0,
"tags": [
"None"
],
"rrn": "rrn::managedLb:us-east-2:274307705868:393ffce52a85f09fef1be815f4fe9ca3186b4540:arn%3Aaws%3Aelasticloadbalancing%3Aus-east-2%3A274307705868%3Aloadbalancer%2Fnet%2Faqwe%2Ffb23c6bcbaee17a1",
"security_groups": [
"Unavailable"
],
"serverless_vulnerability_count": 0,
"instance_id": [
"N/A"
],
"account_id": [
"274307705868"
],
"cloud_type": [
"aws"
],
"asset_role": [
"Web Server"
],
"account_name": [
"RedlockSandbox"
],
"resource_id": [
"arn:aws:elasticloadbalancing:us-east-2:274307705868:loadbalancer/net/aqwe/fb23c6bcbaee17a1"
],
"inspector_sbp_count": 0,
"region_name": [
"AWS Ohio"
],
"compliance_count": 0
}
}
],
"Connection": [
{
"from": 994246246,
"to": 1418248367,
"label": "Postgres",
"suspicious": false,
"metadata": {
"account_id": [
"274307705868"
],
"cloud_type": [
"aws"
],
"bytes_attempted": 0,
"connection_overview_table": [
{
"port": "Postgres",
"traffic_volume": 83938,
"accepted": "yes"
}
],
"region_id": [
"us-east-2"
],
"bytes_accepted": 83938,
"to_ip_addresses": [
"172.31.34.235"
],
"flow_class": [
"Postgres"
],
"from_ip_addresses": [
"172.31.34.235"
],
"bytes_rejected": 0
}
}
]
}
}

Human Readable Output#

Network Details#

Node#

groupedidipAddrmetadatanamesuspiciousvulnerable
false1411487329172.31.34.235redlock_alert_count: 5
vpc_name: {'id': 'https://www.googleapis.com/compute/v1/projects/tac-prisma-cloud-and-compute/global/networks/us-central1', 'name': 'us-central1'}
vpc_id: https://www.googleapis.com/compute/v1/projects/tac-prisma-cloud-and-compute/global/networks/us-central1
ip_addresses: 172.31.34.235
inspector_rba_count: 0
secgroup_ids: 7466735050281694697,
5386953130680217005
guard_duty_iam_count: 0
asset_role: VM Instance
account_name: gcp-emea-tac
region_name: GCP Iowa
compliance_count: 0
host_vulnerability_count: 0
initial: true
region_id: us-central1
net_iface_id: gke-oldtac-nopublicclust-default-pool-f08b69f0-6g3n#nic0
guard_duty_host_count: 0
tags: {'name': 'gke-oldtac-nopublicclusterhere-fc43a760-node', 'values': ['']},
{'name': 'goog-gke-node', 'values': ['']}
rrn: rrn::instance:us-central1:tac-prisma-cloud-and-compute:7040cac26d62fa19dea22bcb6cd52dba6c213212:1397701696990493277
security_groups: {'id': '7466735050281694697', 'name': 'allow-ingress-from-iap-tac'},
{'id': '5386953130680217005', 'name': 'gke-oldtac-nopublicclusterhere-fc43a760-all'}
serverless_vulnerability_count: 0
instance_id: 1397701696990493277
account_id: tac-prisma-cloud-and-compute
cloud_type: gcp
resource_id: 1397701696990493277
inspector_sbp_count: 0
gke-oldtac-nopublicclust-default-pool-f08b69f0-6g3nfalsetrue

Connection#

fromlabelmetadatasuspiciousto
1418600304Webbytes_attempted: 1473
connection_overview_table: {'port': 'Web (443)', 'traffic_volume': 43694, 'accepted': 'yes'},
{'port': 'Web (443)', 'traffic_volume': 1473, 'accepted': 'no'}
region_id: us-central1
countries: N/A
to_ip_addresses: 0.0.0.0
flow_class: Web (443)
states: N/A
account_id: tac-prisma-cloud-and-compute
cloud_type: gcp
asset_role: Internet IPs
bytes_accepted: 43694
isps: N/A
from_ip_addresses: 10.128.0.5
bytes_rejected: 0
false-1977384788

redlock-list-scans#


List DevOps Scans

Base Command#

redlock-list-scans

Input#

Argument NameDescriptionRequired
group_byGroup by which to aggregate scan results. Possible values are: scanId, assetType, assetName, resourceList. Default is scanId.Optional
page_sizePagination size. Default is 25.Optional
page_numberPagination number. Default is 1.Optional
sortSorting parameters. The sort order is ascending unless the field is prefixed with minus (-), in which case it is descending.Optional
filter_typeTime filter type. Possible values are: to_now, absolute, relative. Default is relative.Optional
filter_time_amountNumber of time units. Default is 1.Optional
to_now_time_unitThe time unit for retrieving the list of IaC scans. Possible values are: epoch, login, hour, day, week, month, year. Default is day.Optional
filter_start_timeStart time , for example: 11/01/2021 10:10:10.Optional
filter_end_timeEnd time in Unix time (the number of seconds that have elapsed since the Unix epoch) for the absolute time type.Optional
filter_asset_typeAsset type to search with.Optional
filter_asset_nameAsset name to search with.Optional
filter_userUser to filter with, example: ayman@example.domain.Optional
filter_statusStatus to filter with, example: passed. Possible values are: .Optional
relative_time_unitRelative Time unit. Possible values are: epoch, login, year. Default is login.Optional

Context Output#

PathTypeDescription
Redlock.Scans.deployedBooleanScan deployed attribute.
Redlock.Scans.failNumberScan fail attribute.
Redlock.Scans.failureCriteriaStringScan failure criteria attribute.
Redlock.Scans.matchedPoliciesSummary.highNumberScan matched policies summary attribute.
Redlock.Scans.matchedPoliciesSummary.lowNumberScan matched low policies summary attribute.
Redlock.Scans.matchedPoliciesSummary.mediumNumberScan matched medium policies summary attribute.
Redlock.Scans.mergedBooleanScan merged attribute.
Redlock.Scans.nameStringScan name attribute.
Redlock.Scans.passNumberScan pass attribute.
Redlock.Scans.scanAttributes.appliedAlertRulesStringScan applied alert rules attribute.
Redlock.Scans.scanAttributes.branchStringScan Scan branch attribute.
Redlock.Scans.scanAttributes.orgStringScan org attribute.
Redlock.Scans.scanAttributes.pullRequestIdStringScan PR ID attribute.
Redlock.Scans.scanAttributes.repositoryStringScan repository attribute.
Redlock.Scans.scanAttributes.resourcesScannedStringScan resources scanned attribute.
Redlock.Scans.scanAttributes.templateTypeStringScan template type attribute.
Redlock.Scans.scanAttributes.triggeredOnStringScan triggered on attribute.
Redlock.Scans.scanAttributes.userIdStringScan user id attribute.
Redlock.Scans.scanTimeDateScan scan time attribute.
Redlock.Scans.statusStringScan status attribute.
Redlock.Scans.tags.nameStringScan tags name attribute.
Redlock.Scans.tags.valueStringScan tags value attribute.
Redlock.Scans.typeStringScan type attribute.
Redlock.Scans.userStringScan user attribute.
Redlock.Scans.idStringScan id.
Redlock.Scans.links.selfStringScan links.
Redlock.Scans.relationships.scanResult.links.relatedStringScan relationships scan result links .

Command Example#

!redlock-list-scans filter_type="absolute" filter_start_time="01/01/2021 10:10:10" filter_end_time="10/08/2021 10:10:10" filter_asset_type="GitHub" filter_asset_name="Github Asset Dev" filter_user="user@domain.example"

Context Example#

{
"Redlock": {
"Scans": [
{
"attributes": {
"deployed": false,
"fail": 1,
"failureCriteria": "H:1 or M:1 or L:1",
"matchedPoliciesSummary": {
"high": 1,
"low": 7,
"medium": 4
},
"merged": false,
"name": [
"Github Asset Dev"
],
"pass": 0,
"resourceList": [],
"scanAttributes": {
"appliedAlertRules": "*",
"branch": "vulnerable",
"org": "my-devsecops",
"pullRequestId": "96",
"repository": "moon",
"resourcesScanned": "1",
"templateType": "k8s",
"triggeredOn": "Pull Request",
"userId": "my-devsecops"
},
"scanTime": "2021-09-27T11:26:23Z",
"status": "failed",
"tags": [
{
"name": "Org",
"value": "Engineering"
},
{
"name": "Team",
"value": "DevSecOps"
},
{
"name": "env",
"value": "QA"
},
{
"name": "phase",
"value": "testing"
}
],
"type": [
"GitHub"
],
"user": [
"user@domain.example"
]
},
"id": "81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d",
"links": {
"self": "/v2/scans/81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"
},
"relationships": {
"scanResult": {
"links": {
"related": "/v2/scans/results"
}
}
}
}
]
}
}

Human Readable Output#

Scans List:#

IDNameScan TimeTypeUser
81bb4c30-0a83-4e33-bbf7-0bb96ca15b9dGithub Asset Dev2021-09-27T11:26:23ZGitHubuser@domain.example

redlock-get-scan-status#


Get scan status

Base Command#

redlock-get-scan-status

Input#

Argument NameDescriptionRequired
scan_idThe scan ID.Required

Context Output#

PathTypeDescription
Redlock.Scans.idStringScan ID
Redlock.Scans.statusStringScan status

Command Example#

!redlock-get-scan-status scan_id="81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"

Context Example#

{
"Redlock": {
"Scans": {
"attributes": {
"status": "failed"
},
"id": "81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"
}
}
}

Human Readable Output#

Scan Status:#

IDStatus
81bb4c30-0a83-4e33-bbf7-0bb96ca15b9dfailed

redlock-get-scan-results#


Get scan results

Base Command#

redlock-get-scan-results

Input#

Argument NameDescriptionRequired
scan_idThe scan ID.Required

Context Output#

PathTypeDescription
Redlock.Scans.idStringScan ID
Redlock.Scans.results.attributes.blameList.fileStringScan results blame list file
Redlock.Scans.results.attributes.blameList.locations.lineNumberScan results blame list locations line
Redlock.Scans.results.attributes.blameList.locations.pathStringScan results blame list locations path
Redlock.Scans.results.attributes.descStringScan results description
Redlock.Scans.results.attributes.docUrlStringScan results doc URL
Redlock.Scans.results.attributes.filesStringScan results files
Redlock.Scans.results.attributes.nameStringScan results name
Redlock.Scans.results.attributes.policyIdStringScan results policy ID
Redlock.Scans.results.attributes.ruleStringScan results rule
Redlock.Scans.results.attributes.severityStringScan results severity
Redlock.Scans.results.attributes.systemDefaultBooleanScan results system default
Redlock.Scans.results.idStringScan results ID

Command Example#

!redlock-get-scan-results scan_id="81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"

Context Example#

{
"Redlock": {
"Scans": {
"id": "81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d",
"results": [
{
"attributes": {
"blameList": [
{
"file": "./my-devsecops-moon-405fc6e/iac/vulnerable-iac.yaml",
"locations": [
{
"line": 2,
"path": "/kind"
},
{
"line": 18,
"path": "/spec/template/spec/containers"
}
]
}
],
"desc": "Ensure that all capabilities are dropped.",
"docUrl": "https://some-url",
"files": [
"./my-devsecops-moon-405fc6e/iac/vulnerable-iac.yaml:[2,18]"
],
"name": "All capabilities should be dropped",
"policyId": "cca6bb6a-4e05-47a1-acaa-29f198799aa2",
"rule": "($.kind equals Pod and (spec.containers[?any(securityContext.capabilities.drop does not exist or securityContext.capabilities.drop[*] does not contain ALL)] exists or spec. initContainers[?any(securityContext.capabilities.drop does not exist or securityContext.capabilities.drop[*] does not contain ALL )] exists)) or ($.kind is member of (Deployment, Job, DaemonSet, ReplicaSet, ReplicationController, StatefulSet) and (spec.template.spec.containers[?any(securityContext.capabilities.drop does not exist or securityContext.capabilities.drop[*] does not contain ALL)] exists or spec. initContainers[?any(securityContext.capabilities.drop does not exist or securityContext.capabilities.drop[*] does not contain ALL)] exists))",
"severity": "high",
"systemDefault": false
},
"id": "cca6bb6a-4e05-47a1-acaa-29f198799aa2"
}
]
}
}
}

Human Readable Output#

Scan Results:#

DescriptionIDNamePolicy IDSeverity
Ensure that all capabilities are dropped.cca6bb6a-4e05-47a1-acaa-29f198799aa2All capabilities should be droppedcca6bb6a-4e05-47a1-acaa-29f198799aa2high