Skip to main content

Prisma Cloud - Network API and Anomaly Incidents

This Playbook is part of the Prisma Cloud by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This playbook handles incidents of internet exposed services and detects potential risky configurations that can make your cloud environment vulnerable to attacks, and incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Ticket Management - Generic
  • Cloud Enrichment - Generic
  • Cloud User Investigation - Generic
  • Block IP - Generic v3
  • Cloud Response - Generic


  • PrismaCloud v2
  • PrismaCloudV2
  • PrismaCloudIAM
  • RedLock




  • prisma-cloud-host-finding-list
  • core-list-risky-users
  • setAlert
  • ip
  • cve
  • prisma-cloud-alert-get-details

Playbook Inputs#

NameDescriptionDefault ValueRequired
serviceNowShortDescriptionA short description of the ticket.Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
ZenDeskDescriptionThe ticket description.Optional
CreateTicketWhether to create a ticket in ZenDesk or ServiceNow. Options are True or False.FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Prisma Cloud - Network API and Anomaly Incidents