
SaaS Security

This Integration is part of the Saas Security (Prisma) Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use the SaaS Security integration to protect against cloud-based threats by scanning and analyzing all your assets; applying security policy to identify exposures, external collaborators, risky user behavior, and sensitive documents; and identifying the potential risks associated with each asset.

Configure SaaS Security on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SaaS Security.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | https://api.aperture.paloaltonetworks.com (US), https://api.aperture-eu.paloaltonetworks.com (EU), https://api.aperture-apac.paloaltonetworks.com (APAC) | True |
    | Client ID | SaaS Security Client ID | True |
    | Client Secret | SaaS Security Client Secret | True |
    | Fetch incidents | Whether to fetch incidents from the SaaS Security platform | False |
    | Incidents Fetch Interval | | False |
    | Incident type | | False |
    | Number of incidents per fetch | Minimum is 10 | True |
    | First fetch timestamp | (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | Fetch only incidents with matching state | | False |
    | Fetch only incidents with matching severity | If nothing is selected, all severities will be used. | False |
    | Fetch only incidents with matching status | If nothing is selected, all statuses will be used. | False |
    | Fetch only incidents with matching App IDs | Comma-separated list of Application IDs. Run the 'saas-security-get-apps' command to return the Application ID, Name, and Type for all applications. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

saas-security-incidents-get

Retrieve incidents from the SaaS Security platform.

Base Command

saas-security-incidents-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of incidents to pull. Default is 50, maximum is 200, minimum is 10. | Optional |
| from | The start time of the query, filtered by the date the incident was updated, e.g., 2021-08-23T09:26:25.872Z. | Optional |
| to | The end time of the query, filtered by the date the incident was updated, e.g., 2021-08-23T09:26:25.872Z. | Optional |
| app_ids | Comma-separated list of application IDs. Run the 'saas-security-get-apps' command to return the Application ID, Name, and Type for all applications. | Optional |
| state | The state of the incidents. If empty, retrieves all states. Possible values: "All", "Open", and "Closed". | Optional |
| severity | The severity of the incidents. If none is selected, all severities will be pulled. Possible values: "1", "2", "3", "4", and "5". | Optional |
| status | The status of the incidents. Possible values: "New", "Assigned", "In Progress", "Pending", "No Reason", "Business Justified", "Misidentified", "In The Cloud", and "Dismiss". | Optional |
| next_page | Get the next batch of incidents. No other argument is needed when providing this. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.Incident.incident_id | Number | Incident ID. |
| SaasSecurity.Incident.tenant | String | Tenant associated with the incident. |
| SaasSecurity.Incident.app_id | String | Application ID. |
| SaasSecurity.Incident.app_name | String | Application name. |
| SaasSecurity.Incident.app_type | String | Application type. |
| SaasSecurity.Incident.cloud_id | String | Cloud ID. |
| SaasSecurity.Incident.asset_name | String | Asset name. |
| SaasSecurity.Incident.asset_sha256 | String | SHA256 hash value of the asset. |
| SaasSecurity.Incident.asset_id | String | Asset ID. |
| SaasSecurity.Incident.asset_page_uri | String | Asset page URI. |
| SaasSecurity.Incident.asset_cloud_uri | String | Asset cloud URI. |
| SaasSecurity.Incident.exposure_type | Number | Exposure type (Internal/External). |
| SaasSecurity.Incident.exposure_level | String | Exposure level. |
| SaasSecurity.Incident.policy_id | String | Policy ID. |
| SaasSecurity.Incident.policy_name | String | Policy name. |
| SaasSecurity.Incident.policy_version | Number | Policy version. |
| SaasSecurity.Incident.policy_page_uri | String | Policy page URI. |
| SaasSecurity.Incident.severity | String | Severity of the incident. |
| SaasSecurity.Incident.status | String | Incident status. |
| SaasSecurity.Incident.state | String | Incident state. |
| SaasSecurity.Incident.category | String | Incident category. |
| SaasSecurity.Incident.resolved_by | String | Name of the user who resolved the incident. |
| SaasSecurity.Incident.resolution_date | Date | Date the incident was resolved. |
| SaasSecurity.Incident.created_at | Date | Date the incident was created, e.g., `2021-08-23T09:26:25.872Z`. |
| SaasSecurity.Incident.updated_at | Date | Date the incident was last updated, e.g., `2021-08-24T09:26:25.872Z`. |
| SaasSecurity.Incident.asset_owner_id | String | ID of the asset owner. |
| SaasSecurity.Incident.asset_owner_name | String | Name of the asset owner. |
| SaasSecurity.Incident.asset_owner_email | String | Email of the asset owner. |
| SaasSecurity.NextResultsPage | String | URI for the next batch of incidents. |

Command Example

!saas-security-incidents-get limit=11 app_ids=acf49b2389c09f26ad0ccd2b1a603328 from=2021-08-23T20:25:17.495Z state=open

Context Example

```json
{
  "SaasSecurity": {
    "Incident": [
      {
        "app_id": "acf49b2389c09f26ad0ccd2b1a603328",
        "app_name": "Box 1",
        "app_type": "box",
        "asset_cloud_uri": "https://www.box.com/files/0/f/114948778953/1/f_675197457403",
        "asset_id": "61099dc26b544e38fa3ce06d",
        "asset_name": "SP0605 copy 6.java",
        "asset_owner_email": "xsoartest@cirrotester.com",
        "asset_owner_id": "22FD054D362DC548A9C22F25782E1DAEED03C12F3898CD0F2E2A1B4CF728D04BD644B3CC010FDAC3D10EC0D408F4F79AC147E3D56415D1052BCFCD899A8E249F",
        "asset_owner_name": "Xsoar test",
        "asset_page_uri": "https://xsoartest.staging.cirrotester.com/cloud_assets/61099dc26b544e38fa3ce06d",
        "asset_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "category": "business_justified",
        "cloud_id": "675197457403",
        "collaborators": [],
        "created_at": "2021-08-03T20:25:15.417Z",
        "data_patterns": [],
        "exposure_level": "internal",
        "exposure_type": 8,
        "group_ids": [],
        "incident_id": 4,
        "policy_id": "6109a5d0e64152534b240f48",
        "policy_page_uri": "https://xsoartest.staging.cirrotester.com/data_policies/6109a5d0e64152534b240f48",
        "policy_version": 1,
        "policy_name": "policy name",
        "resolution_date": "2021-08-24T07:44:21.608Z",
        "resolved_by": "api",
        "severity": "Low",
        "state": "closed",
        "status": "Closed-Business Justified",
        "tenant": "xsoartest",
        "updated_at": "2021-08-24T07:44:21.608Z"
      },
      {
        "app_id": "acf49b2389c09f26ad0ccd2b1a603328",
        "app_name": "Box 1",
        "app_type": "box",
        "asset_cloud_uri": "https://www.box.com/files/0/f/114948778953/1/f_675197556380",
        "asset_id": "61099dbe6b544e38fa3cc9b8",
        "asset_name": "SP0605 copy 2.java",
        "asset_owner_email": "xsoartest@cirrotester.com",
        "asset_owner_id": "22FD054D362DC548A9C22F25782E1DAEED03C12F3898CD0F2E2A1B4CF728D04BD644B3CC010FDAC3D10EC0D408F4F79AC147E3D56415D1052BCFCD899A8E249F",
        "asset_owner_name": "Xsoar test",
        "asset_page_uri": "https://xsoartest.staging.cirrotester.com/cloud_assets/61099dbe6b544e38fa3cc9b8",
        "asset_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "category": "business_justified",
        "cloud_id": "675197556380",
        "collaborators": [],
        "created_at": "2021-08-03T20:25:12.000Z",
        "data_patterns": [],
        "exposure_level": "internal",
        "exposure_type": 8,
        "group_ids": [],
        "incident_id": 1,
        "policy_id": "6109a5d0e64152534b240f48",
        "policy_page_uri": "https://xsoartest.staging.cirrotester.com/data_policies/6109a5d0e64152534b240f48",
        "policy_version": 1,
        "resolution_date": "2021-08-24T08:19:57.429Z",
        "resolved_by": "api",
        "severity": "Low",
        "status": "Closed-Business Justified",
        "tenant": "xsoartest",
        "updated_at": "2021-08-24T08:19:57.429Z"
      }
    ]
  }
}
```

Human Readable Output

Incidents

| Incident Id | App Id | App Name | Asset Name | Exposure Level | Severity | Category | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | SP0605 copy 6.java | internal | Low | business_justified | 2021-08-03T20:25:15.417Z | 2021-08-24T07:44:21.608Z |
| 1 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | SP0605 copy 2.java | internal | Low | business_justified | 2021-08-03T20:25:12.000Z | 2021-08-24T08:19:57.429Z |
| 5 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | SP0605 copy 7.java | internal | Low | aperture | 2021-08-03T20:25:16.842Z | 2021-08-24T17:08:51.022Z |
| 8 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | ml_file.java | internal | Low | aperture | 2021-08-03T20:25:17.043Z | 2021-08-24T17:10:37.433Z |
| 3 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | SP0605 copy 5.java | internal | Low | misidentified | 2021-08-03T20:25:13.770Z | 2021-08-25T14:29:42.288Z |
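The `limit` bounds and the `next_page` cursor that `saas-security-incidents-get` documents above, worked through in code. This is an added example and not the integration's own code: `FakeSaasSecurityClient` is a constructed in-memory stand-in that answers in the documented shape (a page of incidents plus a `next_page` cursor), the sample incidents are constructed, and the cursor encoding is an assumption made for the stand-in. In a real automation the `get_incidents` calls would be `saas-security-incidents-get` invocations, with the first call carrying the filters and every later call carrying only `next_page`.

```python
"""Paginated pull of SaaS Security incidents using the documented next_page cursor.

Added example, not the integration's own code. The client below is a constructed
in-memory stand-in; its cursor format is an assumption made for this example.
"""
from datetime import datetime, timezone

# Documented bounds of the `limit` argument: default 50, minimum 10, maximum 200.
LIMIT_DEFAULT, LIMIT_MIN, LIMIT_MAX = 50, 10, 200


def clamp_limit(limit):
    """Return a limit inside the documented range, defaulting when none is given."""
    if limit is None:
        return LIMIT_DEFAULT
    return max(LIMIT_MIN, min(LIMIT_MAX, int(limit)))


def parse_ts(value):
    """Parse the API's timestamp form (e.g. 2021-08-23T09:26:25.872Z) to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def make_sample_incidents(n=23):
    """Constructed incidents shaped like the page's context example (not real data)."""
    return [
        {
            "incident_id": i,
            "app_id": "acf49b2389c09f26ad0ccd2b1a603328",
            "asset_name": f"SP0605 copy {i}.java",
            "severity": "Low",
            "state": "open" if i % 4 else "closed",
            # one incident per day, so `from`/`to` filtering is easy to reason about
            "updated_at": f"2021-08-{i + 1:02d}T09:26:25.872Z",
        }
        for i in range(1, n + 1)
    ]


class FakeSaasSecurityClient:
    """Stand-in for saas-security-incidents-get: filters by updated_at window and state and
    returns one page of at most `limit` incidents plus a next_page cursor (None on the last
    page). The cursor carries the original query, which is why later calls need only next_page."""

    def __init__(self, incidents):
        self._incidents = sorted(incidents, key=lambda inc: inc["updated_at"])

    def get_incidents(self, limit=None, from_=None, to=None, state=None, next_page=None):
        if next_page is not None:
            offset, limit, from_, to, state = self._decode(next_page)
        else:
            offset, limit = 0, clamp_limit(limit)
        rows = [
            inc for inc in self._incidents
            if (from_ is None or parse_ts(inc["updated_at"]) >= parse_ts(from_))
            and (to is None or parse_ts(inc["updated_at"]) <= parse_ts(to))
            and (state is None or state.lower() == "all" or inc["state"] == state.lower())
        ]
        page = rows[offset:offset + limit]
        cursor = None
        if offset + limit < len(rows):
            cursor = "|".join([str(offset + limit), str(limit), from_ or "", to or "", state or ""])
        return {"incidents": page, "next_page": cursor}

    @staticmethod
    def _decode(cursor):
        offset, limit, from_, to, state = cursor.split("|")
        return int(offset), int(limit), from_ or None, to or None, state or None


def fetch_all_incidents(client, limit=None, from_=None, to=None, state=None, max_pages=100):
    """Collect every matching incident: the first call carries the filters, every later call
    passes only next_page (per the docs, no other argument is needed with it). `max_pages`
    bounds the walk so a cursor that never empties cannot spin an automation forever."""
    resp = client.get_incidents(limit=limit, from_=from_, to=to, state=state)
    collected = list(resp["incidents"])
    pages = 1
    while resp.get("next_page") and pages < max_pages:
        resp = client.get_incidents(next_page=resp["next_page"])
        collected.extend(resp["incidents"])
        pages += 1
    return collected


if __name__ == "__main__":
    client = FakeSaasSecurityClient(make_sample_incidents())
    open_since_10th = fetch_all_incidents(
        client, limit=10, from_="2021-08-10T00:00:00.000Z", state="Open")
    print(len(open_since_10th), "open incidents updated on or after 2021-08-10")
```

The `max_pages` guard is the part worth keeping in a real automation: a fetch loop that trusts `next_page` unconditionally has no upper bound on API calls or memory if the cursor keeps returning results.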

saas-security-incident-get-by-id

Gets an incident by its ID.

Base Command

saas-security-incident-get-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.Incident.incident_id | Number | Incident ID. |
| SaasSecurity.Incident.tenant | String | Tenant associated with the incident. |
| SaasSecurity.Incident.app_id | String | Application ID. |
| SaasSecurity.Incident.app_name | String | Application name. |
| SaasSecurity.Incident.app_type | String | Application type. |
| SaasSecurity.Incident.cloud_id | String | Cloud ID. |
| SaasSecurity.Incident.asset_name | String | Asset name. |
| SaasSecurity.Incident.asset_sha256 | String | SHA256 hash value of the asset. |
| SaasSecurity.Incident.asset_id | String | Asset ID. |
| SaasSecurity.Incident.asset_page_uri | String | Asset page URI. |
| SaasSecurity.Incident.asset_cloud_uri | String | Asset cloud URI. |
| SaasSecurity.Incident.exposure_type | Number | Exposure type (Internal/External). |
| SaasSecurity.Incident.exposure_level | String | Exposure level. |
| SaasSecurity.Incident.policy_id | String | Policy ID. |
| SaasSecurity.Incident.policy_name | String | Policy name. |
| SaasSecurity.Incident.policy_version | Number | Policy version. |
| SaasSecurity.Incident.policy_page_uri | String | Policy page URI. |
| SaasSecurity.Incident.severity | String | Severity of the incident. |
| SaasSecurity.Incident.status | String | Incident status. |
| SaasSecurity.Incident.state | String | Incident state. |
| SaasSecurity.Incident.category | String | Incident category. |
| SaasSecurity.Incident.resolved_by | String | Name of the user who resolved the incident. |
| SaasSecurity.Incident.resolution_date | Date | Date the incident was resolved. |
| SaasSecurity.Incident.created_at | Date | Date the incident was created, e.g., `2021-08-23T09:26:25.872Z`. |
| SaasSecurity.Incident.updated_at | Date | Date the incident was last updated, e.g., `2021-08-24T09:26:25.872Z`. |
| SaasSecurity.Incident.asset_owner_id | String | The ID of the asset owner. |
| SaasSecurity.Incident.asset_owner_name | String | The name of the asset owner. |
| SaasSecurity.Incident.asset_owner_email | String | The email address of the asset owner. |

Command Example

!saas-security-incident-get-by-id id=4

Context Example

```json
{
  "SaasSecurity": {
    "Incident": {
      "app_id": "acf49b2389c09f26ad0ccd2b1a603328",
      "app_name": "Box 1",
      "app_type": "box",
      "asset_cloud_uri": "https://www.box.com/files/0/f/114948778953/1/f_675197457403",
      "asset_id": "61099dc26b544e38fa3ce06d",
      "asset_name": "SP0605 copy 6.java",
      "asset_owner_email": "xsoartest@cirrotester.com",
      "asset_owner_id": "22FD054D362DC548A9C22F25782E1DAEED03C12F3898CD0F2E2A1B4CF728D04BD644B3CC010FDAC3D10EC0D408F4F79AC147E3D56415D1052BCFCD899A8E249F",
      "asset_owner_name": "Xsoar test",
      "asset_page_uri": "https://xsoartest.staging.cirrotester.com/cloud_assets/61099dc26b544e38fa3ce06d",
      "asset_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "category": "business_justified",
      "cloud_id": "675197457403",
      "collaborators": [],
      "created_at": "2021-08-03T20:25:15.417Z",
      "data_patterns": [],
      "exposure_level": "internal",
      "exposure_type": 8,
      "group_ids": [],
      "incident_id": 4,
      "policy_id": "6109a5d0e64152534b240f48",
      "policy_page_uri": "https://xsoartest.staging.cirrotester.com/data_policies/6109a5d0e64152534b240f48",
      "policy_version": 1,
      "resolution_date": "2021-08-26T07:04:14.598Z",
      "resolved_by": "api",
      "severity": "Low",
      "state": "closed",
      "tenant": "xsoartest",
      "updated_at": "2021-08-26T07:04:14.598Z"
    }
  }
}
```

Human Readable Output

Incident 4 details

| Incident Id | App Id | App Name | Asset Name | Exposure Level | Severity | State | Category | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | SP0605 copy 6.java | internal | 1.0 | closed | business_justified | 2021-08-03T20:25:15.417Z | 2021-08-26T07:04:14.598Z |

saas-security-incident-state-update

Close an incident and update its category.

Base Command

saas-security-incident-state-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The incident ID. | Required |
| category | Reason for closing the incident. Possible values: "Misidentified", "No Reason", and "Business Justified". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.IncidentState.incident_id | String | The incident ID. |
| SaasSecurity.IncidentState.state | String | Incident state (open/closed). |
| SaasSecurity.IncidentState.category | String | Incident category. |
| SaasSecurity.IncidentState.resolved_by | String | Name of the user who resolved the incident. |
| SaasSecurity.IncidentState.resolution_date | Date | Date when the incident was resolved. |

Command Example

!saas-security-incident-state-update category="Business Justified" id=4

Context Example

```json
{
  "SaasSecurity": {
    "IncidentState": {
      "category": "business_justified",
      "incident_id": "4",
      "resolution_date": "2021-08-26T07:04:14.598Z",
      "resolved_by": "api",
      "state": "closed"
    }
  }
}
```

Human Readable Output

Incident 4 status details

| Category | Incident Id | Resolution Date | Resolved By | State |
| --- | --- | --- | --- | --- |
| business_justified | 4 | 2021-08-26T07:04:14.598Z | api | closed |

saas-security-get-apps

Returns the Application ID, Name, and Type for all applications.

Base Command

saas-security-get-apps

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.App.app_name | String | Application name. |
| SaasSecurity.App.app_id | String | Application ID. |
| SaasSecurity.App.app_type | String | Application type. |

Command Example

!saas-security-get-apps

Context Example

```json
{
  "SaasSecurity": {
    "App": [
      {
        "app_id": "acf49b2389c09f26ad0ccd2b1a603328",
        "app_name": "Box 1",
        "app_type": "box"
      },
      {
        "app_id": "2642aaa03dc6fc44496bdfffe5e1bc74",
        "app_name": "Office 365 1",
        "app_type": "office365"
      }
    ]
  }
}
```

Human Readable Output

Apps Info

| App Id | App Name | App Type |
| --- | --- | --- |
| acf49b2389c09f26ad0ccd2b1a603328 | Box 1 | box |
| 2642aaa03dc6fc44496bdfffe5e1bc74 | Office 365 1 | office365 |

saas-security-asset-remediate

Remediate an asset.

Base Command

saas-security-asset-remediate

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The ID of the asset to remediate. | Required |
| remediation_type | The remediation action to take. Possible values: "Remove public sharing", "Quarantine", and "Restore". | Required |
| remove_inherited_sharing | Used when the remediation type is "Remove public sharing". When set to true, all the parent folders with a shared URL will be removed. Possible values: "True" and "False". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.Remediation.asset_id | String | Asset ID. |
| SaasSecurity.Remediation.remediation_type | String | Remediation type. |
| SaasSecurity.Remediation.status | String | Remediation action status. |

Command Example

!saas-security-asset-remediate asset_id=61099dc46b544e38fa3ce89a remediation_type=Quarantine

Context Example

```json
{
  "SaasSecurity": {
    "Remediation": {
      "asset_id": "61099dc46b544e38fa3ce89a",
      "remediation_type": "system_quarantine",
      "status": "pending"
    }
  }
}
```

Human Readable Output

Remediation details for asset: 61099dc46b544e38fa3ce89a

| Asset Id | Remediation Type | Status |
| --- | --- | --- |
| 61099dc46b544e38fa3ce89a | system_quarantine | pending |

saas-security-remediation-status-get

Get the remediation status for a given asset ID.

Base Command

saas-security-remediation-status-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The asset ID. | Required |
| remediation_type | The remediation action that was taken. Possible values: "Remove public sharing", "Quarantine", and "Restore". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SaasSecurity.Remediation.asset_id | String | Asset ID. |
| SaasSecurity.Remediation.asset_name | String | Asset name. |
| SaasSecurity.Remediation.remediation_type | String | Remediation type. |
| SaasSecurity.Remediation.action_taker | String | Source of the remediation action, e.g., 'api'. |
| SaasSecurity.Remediation.action_date | Date | Date when the remediation action was taken. |
| SaasSecurity.Remediation.status | String | Remediation action status. |

Command Example

!saas-security-remediation-status-get asset_id=61099dc46b544e38fa3ce89a remediation_type=Quarantine

Context Example

```json
{
  "SaasSecurity": {
    "Remediation": {
      "action_date": "2021-08-25T21:18:37.148+0000",
      "action_taker": "api",
      "asset_id": "61099dc46b544e38fa3ce89a",
      "asset_name": "SP0605 copy.java",
      "remediation_type": "system_quarantine",
      "status": "success"
    }
  }
}
```

Human Readable Output

Asset 61099dc46b544e38fa3ce89a remediation details

| Action Date | Action Taker | Asset Id | Asset Name | Remediation Type | Status |
| --- | --- | --- | --- | --- | --- |
| 2021-08-25T21:18:37.148+0000 | api | 61099dc46b544e38fa3ce89a | SP0605 copy.java | system_quarantine | success |
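The remediation flow covered by the last two commands (issue `saas-security-asset-remediate`, which answers `pending`, then poll `saas-security-remediation-status-get` until the action settles), worked through as an added example. This is not the integration's own code: `FakeRemediationClient` is a constructed stand-in for the two commands, the `failed` status and the `timeout` result are assumptions made for the example, and the `remediation_type` values, the `pending`/`success` statuses, the `remove_inherited_sharing` rule and the asset ID come from the page.

```python
"""Issue a SaaS Security remediation and poll its status until it settles.

Added example, not the integration's own code. The client is a constructed stand-in for
saas-security-asset-remediate and saas-security-remediation-status-get; the 'failed'
terminal status is an assumption (the page shows only 'pending' and 'success').
"""

# Values documented for the remediation_type argument.
REMEDIATION_TYPES = ("Remove public sharing", "Quarantine", "Restore")
# 'success' is on the page; 'failed' is assumed so a failing action also ends the poll loop.
TERMINAL_STATUSES = {"success", "failed"}


def validate_remediation_args(remediation_type, remove_inherited_sharing=False):
    """Reject an unknown remediation_type, and reject remove_inherited_sharing with any type
    other than "Remove public sharing", the only type the docs define it for."""
    if remediation_type not in REMEDIATION_TYPES:
        raise ValueError(f"unknown remediation_type: {remediation_type!r}")
    if remove_inherited_sharing and remediation_type != "Remove public sharing":
        raise ValueError("remove_inherited_sharing only applies to 'Remove public sharing'")
    return {"remediation_type": remediation_type,
            "remove_inherited_sharing": bool(remove_inherited_sharing)}


class FakeRemediationClient:
    """Constructed stand-in: remediate() answers 'pending' as in the page's example, and each
    status poll advances the action until it reports the configured final status."""

    def __init__(self, settle_after=2, final_status="success"):
        self._settle_after = settle_after
        self._final_status = final_status
        self._polls = {}

    def remediate(self, asset_id, remediation_type, remove_inherited_sharing=False):
        validate_remediation_args(remediation_type, remove_inherited_sharing)
        self._polls[(asset_id, remediation_type)] = 0
        return {"asset_id": asset_id, "remediation_type": remediation_type, "status": "pending"}

    def remediation_status(self, asset_id, remediation_type):
        key = (asset_id, remediation_type)
        if key not in self._polls:
            raise KeyError(f"no remediation recorded for {key}")
        self._polls[key] += 1
        settled = self._polls[key] >= self._settle_after
        return {"asset_id": asset_id, "remediation_type": remediation_type, "action_taker": "api",
                "status": self._final_status if settled else "pending"}


def remediate_and_wait(client, asset_id, remediation_type, max_polls=10, sleep=lambda: None):
    """Remediate, then poll until a terminal status or the poll budget is exhausted.
    Returns (status, polls_used); an action still pending after max_polls is reported as
    'timeout' so the caller can escalate instead of treating it as done."""
    status = client.remediate(asset_id, remediation_type)["status"]
    polls = 0
    while status not in TERMINAL_STATUSES and polls < max_polls:
        sleep()  # real code would wait between polls; the stand-in needs no delay
        polls += 1
        status = client.remediation_status(asset_id, remediation_type)["status"]
    return (status if status in TERMINAL_STATUSES else "timeout"), polls


if __name__ == "__main__":
    asset = "61099dc46b544e38fa3ce89a"  # asset ID from the page's command example
    print(remediate_and_wait(FakeRemediationClient(), asset, "Quarantine"))
```

The point of returning `timeout` as a distinct outcome is that a playbook should never record a quarantine as complete on the strength of the `pending` answer the remediate command returns; only a terminal status from the status-get command says what actually happened to the asset.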