Prisma Cloud (RedLock) (Deprecated)
This Integration is part of the Prisma Cloud by Palo Alto Networks Pack.#
Deprecated
Use the Prisma Cloud v2 integration instead.
Configure Prisma Cloud (RedLock) on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Prisma Cloud (RedLock).
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| url | Server API URL. See here for the relevant API URL for your tenant. | True |
| username | API Access Key | True |
| password | API Secret | True |
| customer | Customer name | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| ruleName | Fetch only incidents matching this rule name | False |
| policyName | Fetch only incidents matching this policy name | False |
| policySeverity | Fetch only incidents with this severity | False |
| proxy | Use system proxy settings | False |
| unsecure | Trust any certificate (not secure) | False |
- Click Test to validate the URLs, token, and connection.
Note: Further info on creating access keys for Prisma Cloud is available here.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
redlock-search-alerts#
Search alerts on the Prisma Cloud (RedLock) platform. If no time-range arguments are given, the search will filter only alerts from the last 7 days.
Base Command#
redlock-search-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY, Should be provided along with time-range-date-to. If not both are provided, the time range will be set to the last 7 days and this argument will be ignored. | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY, Should be provided along with time-range-date-from. If not both are provided, the time range will be set to the last 7 days and this argument will be ignored. | Optional |
| time-range-value | The amount of units to go back in time | Optional |
| time-range-unit | The search unit. login and epoch are only available if timeRangeValue is not provided. | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account name | Optional |
| cloud-account-id | The cloud account ID | Optional |
| cloud-region | The cloud region name | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| alert-id | The alert ID | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Alert.ID | string | ID of returned alert |
| Redlock.Alert.Status | string | Status of returned alert |
| Redlock.Alert.AlertTime | string | Time of alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The policy type |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |
| Redlock.Metadata.CountOfAlerts | number | The number of alerts found |
Command Example#
!redlock-search-alerts alert-id=P-214016
Context Example#
Human Readable Output#
Alerts#
ID Status FirstSeen LastSeen AlertTime PolicyName PolicyType PolicyDescription PolicySeverity PolicyRecommendation PolicyDeleted PolicyRemediable RiskRating ResourceName ResourceAccount ResourceType ResourceCloudType P-214016 open 05/28/2020 01:17:31 05/29/2020 14:16:42 05/29/2020 14:16:15 AWS Security groups allow internet traffic gnoy config This policy identifies that Security Groups do not allow all traffic from internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections. high If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
1. Log in to the AWS console
2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated
3. Navigate to the 'VPC' service
4. Click on the 'Security Group' specific to the alert
5. Click on 'Inbound Rules' and remove the row with the ip value as 0.0.0.0/0 or ::/0false true F demo-98787654432 testAWS SECURITY_GROUP aws
redlock-get-alert-details#
Gets the details of an alert based on alert ID
Base Command#
redlock-get-alert-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert-id | The alert ID | Required |
| detailed | Allows for retrieving entire / trimmed alert model | Optional |
| resource_keys | List of additional keys to return from the resource JSON, specified as a comma separated list (e.g. "key1,key2,key3"). To preview all available resource JSON data, run redlock-get-alert-details with the "raw-response=true" option. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Alert.ID | string | The alert ID |
| Redlock.Alert.Status | string | The alert status |
| Redlock.Alert.AlertTime | date | The time of the alert |
| Redlock.Alert.Policy.ID | string | The policy ID |
| Redlock.Alert.Policy.Name | string | The policy name |
| Redlock.Alert.Policy.Type | string | The type of policy |
| Redlock.Alert.Policy.Severity | string | The policy severity |
| Redlock.Alert.Policy.Remediable | boolean | Whether or not the policy is remediable |
| Redlock.Alert.RiskDetail.Rating | string | The risk rating |
| Redlock.Alert.RiskDetail.Score | string | The risk score |
| Redlock.Alert.Resource.ID | string | The Resource ID of the cloud resource |
| Redlock.Alert.Resource.Name | string | The Resource Name of the cloud resource |
| Redlock.Alert.Resource.Account | string | The cloud account name where the resource resides |
| Redlock.Alert.Resource.AccountID | string | The cloud account ID where the resource resides |
| Redlock.Alert.Resource.Data | json | Additional keys from Resource.Data. Only appears when resource_keys argument is specified. |
Command Example#
!redlock-get-alert-details alert-id=P-214016
Context Example#
Human Readable Output#
Alert#
ID Status FirstSeen LastSeen AlertTime PolicyID PolicyName PolicyType PolicySystemDefault PolicyLabels PolicyDescription PolicySeverity PolicyRecommendation PolicyDeleted PolicyRemediable PolicyLastModifiedOn PolicyLastModifiedBy RiskScore RiskRating ResourceName ResourceRRN ResourceID ResourceAccount ResourceAccountID ResourceType ResourceRegionID ResourceApiName ResourceUrl ResourceData ResourceAccessKeyAge ResourceInactiveSinceTs ResourceCloudType P-214016 open 05/28/2020 01:17:31 05/29/2020 14:16:42 05/29/2020 14:16:15 config false false 170 F demo-98787654432 sg-98vc98sd76sd testAWS 9876654321 SECURITY_GROUP us-west-2 aws-ec2-describe-security-groups vpcId: vpc-0824920b6d19bc
description: EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads.
tags: {u'value': u'demo-98787654432', u'key': u'Name'},
{u'value': u'cn-demo', u'key': u'aws:eks:cluster-name'},
{u'value': u'owned', u'key': u'kubernetes.io/cluster/cn-demo'}
ipPermissions: {u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/mtu=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}], u'prefixListIds': [], u'fromPort': 3, u'ipRanges': [u'0.0.0.0/0'], u'toPort': 4, u'ipProtocol': u'icmp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'ipv4Ranges': [{u'description': u'kubernetes.io/rule/nlb/client=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'0.0.0.0/0'}, {u'description': u'kubernetes.io/rule/nlb/health=a7d568916a1b411ea83260a614b2e8ec', u'cidrIp': u'192.168.0.0/16'}], u'prefixListIds': [], u'fromPort': 30463, u'ipRanges': [u'0.0.0.0/0', u'192.168.0.0/16'], u'toPort': 30463, u'ipProtocol': u'tcp', u'userIdGroupPairs': [], u'ipv6Ranges': []},
{u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'x.x.x.x/16'}], u'ipRanges': [u'x.x.x.x/16'], u'ipProtocol': u'-1', u'userIdGroupPairs': [{u'userId': u'9876654321', u'groupId': u'sg-0ce26260850e500d4', u'description': u'Allow unmanaged nodes to communicate with control plane (all ports)'}, {u'userId': u'9876654321', u'groupId': u'sg-98vc98sd76sd'}], u'ipv6Ranges': []}
groupName: demo-98787654432
ipPermissionsEgress: {u'prefixListIds': [], u'ipv4Ranges': [{u'cidrIp': u'0.0.0.0/0'}], u'ipRanges': [u'0.0.0.0/0'], u'ipProtocol': u'-1', u'userIdGroupPairs': [], u'ipv6Ranges': []}
ownerId: 9876654321
groupId: sg-98vc98sd76sdaws
redlock-dismiss-alerts#
Dismiss the alerts matching the given filter. Must provide either policy IDs or alert IDs.
Base Command#
redlock-dismiss-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert-id | Comma-separated list of string IDs to be dismissed | Optional |
| dismissal-note | Reason for dismissal. | Required |
| snooze-value | The amount of time to snooze. Both snooze value and unit must be specified. | Optional |
| snooze-unit | The time unit for if snoozing alert. Both snooze value and unit must be specified if snoozing. | Optional |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY | Optional |
| time-range-value | The amount of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |
| policy-id | Comma-separated string of policy IDs | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.DismissedAlert.ID | string | The IDs of the dismissed alerts |
Command Example#
!redlock-dismiss-alerts dismissal-note="testing" alert-id=P-214016
Context Example#
Human Readable Output#
Alerts dismissed successfully. Dismissal Note: testing.#
redlock-reopen-alerts#
Re-open the alerts matching the given filter. Must provide either policy IDs or alert IDs.
Base Command#
redlock-reopen-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert-id | The IDs of alerts to reopen | Optional |
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY | Optional |
| time-range-value | The amount of units to go back in time | Optional |
| time-range-unit | The search unit | Optional |
| policy-name | The policy name | Optional |
| policy-label | The policy label | Optional |
| policy-compliance-standard | The policy compliance standard | Optional |
| cloud-account | The cloud account | Optional |
| cloud-region | The cloud region | Optional |
| alert-rule-name | The alert rule name | Optional |
| resource-id | The resource ID | Optional |
| resource-name | The resource name | Optional |
| resource-type | The resource type | Optional |
| alert-status | The alert status | Optional |
| cloud-type | The cloud type | Optional |
| risk-grade | The risk grade | Optional |
| policy-type | The policy type | Optional |
| policy-severity | The policy severity | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.ReopenedAlert.ID | string | IDs of the re-opened alerts |
Command Example#
!redlock-reopen-alerts alert-id=P-214016
Context Example#
Human Readable Output#
Alerts re-opened successfully.#
redlock-list-alert-filters#
List the acceptable filters and values for alerts
Base Command#
redlock-list-alert-filters
Input#
| Argument Name | Description | Required |
|---|
Context Output#
There is no context output for this command.
Command Example#
!redlock-list-alert-filters
Context Example#
Human Readable Output#
Filter options#
Name Options Static cloud.account false alert.id false cloud.region false policy.label false resource.id false cloud.type alibaba_cloud,aws,azure,gcp true resource.name false account.group false risk.grade A,B,C,F true policy.complianceSection false policy.remediable true,false true policy.name false policy.type anomaly,audit_event,config,network true alert.status dismissed,snoozed,open,resolved true alertRule.name false policy.subtype build,run true resource.type false policy.complianceStandard false cloud.accountId false policy.severity high,medium,low true policy.rule.type cft,k8s,tf true cloud.service false policy.complianceRequirement false
redlock-get-remediation-details#
Get remediation details for a given alert
Base Command#
redlock-get-remediation-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert-id | The alert id to get remediation details for | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Alert.Remediation.Description | string | Description of CLI remediation instructions |
| Redlock.Alert.ID | string | The ID of the alert for which the remediation details applies |
| Redlock.Alert.Remediation.CLI | string | Exact CLI command string |
Command Example#
!redlock-get-remediation-details alert-id=P-214016
Context Example#
Human Readable Output#
Remediation Details#
ID RemediationCLI RemediationDescription P-211648 gcloud compute networks subnets update default --project=project1-111111 --region europe-north2 --enable-flow-logs This CLI command requires 'compute.securityAdmin' permission. Successful execution will enables GCP VPC Flow logs for subnets to capture information about the IP traffic going to and from network interfaces in VPC Subnets. To resolve the alert from Prisma Cloud's console, add the permission.
redlock-get-rql-response#
Run RQL query on Prisma Cloud
Base Command#
redlock-get-rql-response
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | determines the limit on the results. '; limit search records to {}' is appended to every query where {} is the value of limit or 1 if not passed | Optional |
| rql | the RQL query to run. Example RQL queries can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql-examples. Note that limit search records to 1 is automatically appended to each query and a ; may need to be added to the end of the rql input to make the entire query valid. The limit parameter adjusts this to be a value other than 1. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.RQL.Query | String | The |
| Redlock.RQL.Response.AccountId | Date | The cloud account ID. |
| Redlock.RQL.Response.AccountName | String | The cloud account name. |
| Redlock.RQL.Response.AllowDrillDown | Boolean | Flag to allow drill down. |
| Redlock.RQL.Response.CloudType | String | The cloud type. |
| Redlock.RQL.Response.Data | Object | The data object returned by the RQL response. Reference: https://api.docs.prismacloud.io/api/cloud/cspm/search/ |
| Redlock.RQL.Response.Deleted | Boolean | Flag if deleted. |
| Redlock.RQL.Response.HasAlert | Boolean | Flag to check if RQL response has alerts. |
| Redlock.RQL.Response.HasExtFindingRiskFactors | Boolean | Flag if query returns external risk factors. |
| Redlock.RQL.Response.HasExternalFinding | Boolean | Flag for external findings. |
| Redlock.RQL.Response.HasExternalIntegration | Boolean | Flag for external integration. |
| Redlock.RQL.Response.HasNetwork | Boolean | Flag for determining if network exists. |
| Redlock.RQL.Response.Id | String | The RQL response ID. |
| Redlock.RQL.Response.InsertTs | Date | The response time. |
| Redlock.RQL.Response.Name | String | The RQL response name. |
| Redlock.RQL.Response.RegionId | String | The cloud region ID. |
| Redlock.RQL.Response.RegionName | String | The cloud region name. |
| Redlock.RQL.Response.ResourceType | String | The resource type. |
| Redlock.RQL.Response.Rrn | String | The account RRN. |
| Redlock.RQL.Response.Service | String | The RQL response service. |
| Redlock.RQL.Response.StateId | String | The response state ID. |
Command Example#
!redlock-get-rql-response rql="config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; config where api.name = 'aws-ec2-describe-vpcs' as Z; filter 'not _Set.intersection($.X.vpcId,$.Y.vpcId) intersects (vpc-5b9a3c33,vpc-b8ba2dd0,vpc-b8ba2dd01)'; show X;"
Context Example#
Human Readable Output#
RQL Output:#
Account Deleted Region Resource Name Service AWS PAN false AWS Ireland cluster-ng-11111111-Node Amazon EC2
redlock-search-config#
Search configuration inventory on the Prisma Cloud (RedLock) platform using RQL language
Base Command#
redlock-search-config
Input#
| Argument Name | Description | Required |
|---|---|---|
| time-range-date-from | Start time for search in the following string format - MM/DD/YYYY. | Optional |
| time-range-date-to | End time for search in the following format - MM/DD/YYYY. | Optional |
| time-range-value | The number of units to go back in time for the search. | Optional |
| time-range-unit | The search unit. Possible values are: "hour", "day", "week", "month", "year", "login", and "epoch". The login and epoch values are only available if the time-range-value argument is not provided. | Optional |
| query | Query to run in Prisma Cloud config API (use RQL). | Required |
| limit | The maximum number of entries to return. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Asset.accountId | Date | Cloud Account ID. |
| Redlock.Asset.accountName | String | Cloud account Name |
| Redlock.Asset.allowDrillDown | Boolean | |
| Redlock.Asset.cloudType | String | Cloud type. |
| Redlock.Asset.deleted | Boolean | Whether the asset was delete. |
| Redlock.Asset.hasAlert | Boolean | Whether the asset has a Prisma Cloud alert. |
| Redlock.Asset.hasExtFindingRiskFactors | Boolean | Whether the asset has external finding risk factors. |
| Redlock.Asset.hasExternalFinding | Boolean | Whether the asset has an external finding. |
| Redlock.Asset.hasExternalIntegration | Boolean | Whether the asset has an external integration. |
| Redlock.Asset.hasNetwork | Boolean | Whether the asset has a network. |
| Redlock.Asset.id | String | The Redlock asset ID. |
| Redlock.Asset.data | Unknown | The Redlock asset specific data. |
| Redlock.Asset.insertTs | Date | The asset insert TS. |
| Redlock.Asset.name | String | The asset name. |
| Redlock.Asset.regionId | String | The cloud region ID of the asset. |
| Redlock.Asset.regionName | String | The cloud region name of the asset. |
| Redlock.Asset.resourceType | String | The cloud resource type of the asset. |
| Redlock.Asset.rrn | String | The cloud RRN of the asset. |
| Redlock.Asset.service | String | The state ID of the asset. |
| Redlock.Asset.stateId | String | State ID |
Command Example#
``!redlock-search-config query=config where cloud.type = "aws" and cloud.service = "Amazon EC2" and api.name = "aws-ec2-describe-instances" and cloud.region="AWS Paris"````
Context Example#
Human Readable Output#
RQL Output:#
Account Deleted Region Resource Name Service Felix - AWS - pan-lab false AWS Virginia tl-console Amazon EC2
redlock-search-event#
Search events on the Prisma Cloud (RedLock) platform using RQL language.
Base Command#
redlock-search-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| time-range-date-from | Start time for the search, in the following format - MM/DD/YYYY. | Optional |
| time-range-date-to | End time for the search, in the following format - MM/DD/YYYY. | Optional |
| time-range-value | The number of time range value units for the search. For example, 3 days, 5 weeks, etc. | Optional |
| time-range-unit | The search unit. Possible values are: "hour", "week", "month", "year", "login", or "epoch". The "login" and "epoch" options are only available if timeRangeValue is not provided. Possible values are: hour, day, week, month, year, login, epoch. | Optional |
| query | Query to run in Prisma Cloud search API using RQL language. | Required |
| limit | Maximum number of entries to return. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Event | Unknown | Cloud audit events. |
Command Example#
!redlock-search-event query=`event from cloud.audit_logs where ip EXISTS AND ip IN (172.31.34.235)` time-range-date-from=10/29/2021 time-range-date-to=10/30/2021
Context Example#
Human Readable Output#
Event Details#
Showing 1 out of 1243 events |accessKeyUsed|account|accountName|cityId|cityLatitude|cityLongitude|cityName|countryId|countryName|dynamicData|eventTs|id|internal|ip|location|name|regionId|regionName|source|stateId|stateName|subject|success|type| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | false | 712829893241 | aws-emea-tac | -4 | -1.0 | -1.0 | Private | -4 | Private | | 1642051938000 | 2557671539 | false | 172.31.34.235 | Private | CreateBucket | 4 | AWS Oregon | s3.amazonaws.com | -4 | Private | ejb-iam-cloudops | false | CREATE |
redlock-search-network#
Search networks on the Prisma Cloud (RedLock) platform using RQL language.
Base Command#
redlock-search-network
Input#
| Argument Name | Description | Required |
|---|---|---|
| time-range-date-from | Start time for the search, in the following format - MM/DD/YYYY. | Optional |
| time-range-date-to | End time for the search, in the following format - MM/DD/YYYY. | Optional |
| time-range-value | The number of time range value units for the search. For example, 3 days, 5 weeks, etc. | Optional |
| time-range-unit | The search unit. Possible values are: "hour", "week", "month", "year", "login", or "epoch". The "login" and "epoch" options are only available if timeRangeValue is not provided. Possible values are: hour, day, week, month, year, login, epoch. | Optional |
| query | Query to run in Prisma Cloud search API using RQL language. | Required |
| cloud-type | The cloud in which the network should be searched. Possible values are: aws, azure, gcp, alibaba_cloud, oci. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Network.Node | Unknown | Cloud network node. |
| Redlock.Network.Connection | Unknown | Cloud network connection. |
Command Example#
!redlock-search-network query="network from vpc.flow_record where bytes > 0" time-range-unit=hour time-range-value=2
Context Example#
Human Readable Output#
Network Details#
Node#
grouped id ipAddr metadata name suspicious vulnerable false 1411487329 172.31.34.235 redlock_alert_count: 5
vpc_name: {'id': 'https://www.googleapis.com/compute/v1/projects/tac-prisma-cloud-and-compute/global/networks/us-central1', 'name': 'us-central1'}
vpc_id: https://www.googleapis.com/compute/v1/projects/tac-prisma-cloud-and-compute/global/networks/us-central1
ip_addresses: 172.31.34.235
inspector_rba_count: 0
secgroup_ids: 7466735050281694697,
5386953130680217005
guard_duty_iam_count: 0
asset_role: VM Instance
account_name: gcp-emea-tac
region_name: GCP Iowa
compliance_count: 0
host_vulnerability_count: 0
initial: true
region_id: us-central1
net_iface_id: gke-oldtac-nopublicclust-default-pool-f08b69f0-6g3n#nic0
guard_duty_host_count: 0
tags: {'name': 'gke-oldtac-nopublicclusterhere-fc43a760-node', 'values': ['']},
{'name': 'goog-gke-node', 'values': ['']}
rrn: rrn::instance:us-central1:tac-prisma-cloud-and-compute:7040cac26d62fa19dea22bcb6cd52dba6c213212:1397701696990493277
security_groups: {'id': '7466735050281694697', 'name': 'allow-ingress-from-iap-tac'},
{'id': '5386953130680217005', 'name': 'gke-oldtac-nopublicclusterhere-fc43a760-all'}
serverless_vulnerability_count: 0
instance_id: 1397701696990493277
account_id: tac-prisma-cloud-and-compute
cloud_type: gcp
resource_id: 1397701696990493277
inspector_sbp_count: 0gke-oldtac-nopublicclust-default-pool-f08b69f0-6g3n false true Connection#
from label metadata suspicious to 1418600304 Web bytes_attempted: 1473
connection_overview_table: {'port': 'Web (443)', 'traffic_volume': 43694, 'accepted': 'yes'},
{'port': 'Web (443)', 'traffic_volume': 1473, 'accepted': 'no'}
region_id: us-central1
countries: N/A
to_ip_addresses: 0.0.0.0
flow_class: Web (443)
states: N/A
account_id: tac-prisma-cloud-and-compute
cloud_type: gcp
asset_role: Internet IPs
bytes_accepted: 43694
isps: N/A
from_ip_addresses: 10.128.0.5
bytes_rejected: 0false -1977384788
redlock-list-scans#
List DevOps Scans
Base Command#
redlock-list-scans
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_by | Group by which to aggregate scan results. Possible values are: scanId, assetType, assetName, resourceList. Default is scanId. | Optional |
| page_size | Pagination size. Default is 25. | Optional |
| page_number | Pagination number. Default is 1. | Optional |
| sort | Sorting parameters. The sort order is ascending unless the field is prefixed with minus (-), in which case it is descending. | Optional |
| filter_type | Time filter type. Possible values are: to_now, absolute, relative. Default is relative. | Optional |
| filter_time_amount | Number of time units. Default is 1. | Optional |
| to_now_time_unit | The time unit for retrieving the list of IaC scans. Possible values are: epoch, login, hour, day, week, month, year. Default is day. | Optional |
| filter_start_time | Start time , for example: 11/01/2021 10:10:10. | Optional |
| filter_end_time | End time in Unix time (the number of seconds that have elapsed since the Unix epoch) for the absolute time type. | Optional |
| filter_asset_type | Asset type to search with. | Optional |
| filter_asset_name | Asset name to search with. | Optional |
| filter_user | User to filter with, example: ayman@example.domain. | Optional |
| filter_status | Status to filter with, example: passed. Possible values are: . | Optional |
| relative_time_unit | Relative Time unit. Possible values are: epoch, login, year. Default is login. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Scans.deployed | Boolean | Scan deployed attribute. |
| Redlock.Scans.fail | Number | Scan fail attribute. |
| Redlock.Scans.failureCriteria | String | Scan failure criteria attribute. |
| Redlock.Scans.matchedPoliciesSummary.high | Number | Scan matched policies summary attribute. |
| Redlock.Scans.matchedPoliciesSummary.low | Number | Scan matched low policies summary attribute. |
| Redlock.Scans.matchedPoliciesSummary.medium | Number | Scan matched medium policies summary attribute. |
| Redlock.Scans.merged | Boolean | Scan merged attribute. |
| Redlock.Scans.name | String | Scan name attribute. |
| Redlock.Scans.pass | Number | Scan pass attribute. |
| Redlock.Scans.scanAttributes.appliedAlertRules | String | Scan applied alert rules attribute. |
| Redlock.Scans.scanAttributes.branch | String | Scan Scan branch attribute. |
| Redlock.Scans.scanAttributes.org | String | Scan org attribute. |
| Redlock.Scans.scanAttributes.pullRequestId | String | Scan PR ID attribute. |
| Redlock.Scans.scanAttributes.repository | String | Scan repository attribute. |
| Redlock.Scans.scanAttributes.resourcesScanned | String | Scan resources scanned attribute. |
| Redlock.Scans.scanAttributes.templateType | String | Scan template type attribute. |
| Redlock.Scans.scanAttributes.triggeredOn | String | Scan triggered on attribute. |
| Redlock.Scans.scanAttributes.userId | String | Scan user id attribute. |
| Redlock.Scans.scanTime | Date | Scan scan time attribute. |
| Redlock.Scans.status | String | Scan status attribute. |
| Redlock.Scans.tags.name | String | Scan tags name attribute. |
| Redlock.Scans.tags.value | String | Scan tags value attribute. |
| Redlock.Scans.type | String | Scan type attribute. |
| Redlock.Scans.user | String | Scan user attribute. |
| Redlock.Scans.id | String | Scan id. |
| Redlock.Scans.links.self | String | Scan links. |
| Redlock.Scans.relationships.scanResult.links.related | String | Scan relationships scan result links . |
Command Example#
!redlock-list-scans filter_type="absolute" filter_start_time="01/01/2021 10:10:10" filter_end_time="10/08/2021 10:10:10" filter_asset_type="GitHub" filter_asset_name="Github Asset Dev" filter_user="user@domain.example"
Context Example#
Human Readable Output#
Scans List:#
ID Name Scan Time Type User 81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d Github Asset Dev 2021-09-27T11:26:23Z GitHub user@domain.example
redlock-get-scan-status#
Get scan status
Base Command#
redlock-get-scan-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| scan_id | The scan ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Scans.id | String | Scan ID |
| Redlock.Scans.status | String | Scan status |
Command Example#
!redlock-get-scan-status scan_id="81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"
Context Example#
Human Readable Output#
Scan Status:#
ID Status 81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d failed
redlock-get-scan-results#
Get scan results
Base Command#
redlock-get-scan-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| scan_id | The scan ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Redlock.Scans.id | String | Scan ID |
| Redlock.Scans.results.attributes.blameList.file | String | Scan results blame list file |
| Redlock.Scans.results.attributes.blameList.locations.line | Number | Scan results blame list locations line |
| Redlock.Scans.results.attributes.blameList.locations.path | String | Scan results blame list locations path |
| Redlock.Scans.results.attributes.desc | String | Scan results description |
| Redlock.Scans.results.attributes.docUrl | String | Scan results doc URL |
| Redlock.Scans.results.attributes.files | String | Scan results files |
| Redlock.Scans.results.attributes.name | String | Scan results name |
| Redlock.Scans.results.attributes.policyId | String | Scan results policy ID |
| Redlock.Scans.results.attributes.rule | String | Scan results rule |
| Redlock.Scans.results.attributes.severity | String | Scan results severity |
| Redlock.Scans.results.attributes.systemDefault | Boolean | Scan results system default |
| Redlock.Scans.results.id | String | Scan results ID |
Command Example#
!redlock-get-scan-results scan_id="81bb4c30-0a83-4e33-bbf7-0bb96ca15b9d"
Context Example#
Human Readable Output#
Scan Results:#
Description ID Name Policy ID Severity Ensure that all capabilities are dropped. cca6bb6a-4e05-47a1-acaa-29f198799aa2 All capabilities should be dropped cca6bb6a-4e05-47a1-acaa-29f198799aa2 high