Skip to main content

Prisma SASE - Block IP

This Playbook is part of the Prisma SASE by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook assists in blocking communication with the provided IPs in the Prisma SASE policy. If a group name is provided, the IPs will be added to the mentioned static address group (there should be a rule associated with the group name to block communication with that group). And if the group name is not provided, a new group will be created with a dedicated rule to block communication with those IPs.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Prisma SASE - Create Address Object
  • Prisma SASE - Add IPs to Static Address Group


  • PrismaSASE


This playbook does not use any scripts.


  • prisma-sase-candidate-config-push
  • prisma-sase-security-rule-create
  • prisma-sase-address-group-list
  • prisma-sase-address-group-create

Playbook Inputs#

NameDescriptionDefault ValueRequired
TSGIDTenant services group ID. If not provided, the tsg_id integration parameter will be used as the default.Optional
IPThe address value (should match the type).Optional
FolderThe configuration folder group setting.
The default value is 'Shared'.
StaticAddressGroupNameThe static address group name will be appended with IP indicators.Optional
AutoCommitPossible Values:
True -> Will commit and push configuration.
False -> Manual push will be required.
Else --> Will ignore the push section and continue the playbook.

Playbook Outputs#

PrismaSase.AddressGroupThe Prisma Access Address group object.unknown
PrismaSase.AddressGroup.idThe address group ID.unknown
PrismaSase.AddressGroup.nameThe address group name.unknown
PrismaSase.AddressGroup.descriptionThe address group description.unknown
PrismaSase.AddressGroup.addressesThe address group addresses.unknown
PrismaSase.AddressGroup.dynamic_filterThe address group filter.unknown
PrismaSase.AddressGroup.folderThe address group folder.unknown
PrismaSaseThe root context key for Prisma SASE integration output.unknown
PrismaSase.SecurityRuleCreated security rule.unknown
PrismaSase.SecurityRule.actionSecurity rule action.unknown
PrismaSase.SecurityRule.applicationSecurity rule application.unknown
PrismaSase.SecurityRule.categorySecurity rule category.unknown
PrismaSase.SecurityRule.descriptionSecurity rule description.unknown
PrismaSase.SecurityRule.destinationSecurity rule destination.unknown
PrismaSase.SecurityRule.folderSecurity rule folder.unknown
PrismaSase.SecurityRule.fromSecurity rule from field (source zone(s)).unknown
PrismaSase.SecurityRule.idSecurity rule ID.unknown
PrismaSase.SecurityRule.nameSecurity rule name.unknown
PrismaSase.SecurityRule.positionSecurity rule position.unknown
PrismaSase.SecurityRule.serviceSecurity rule service.unknown
PrismaSase.SecurityRule.sourceSecurity rule source.unknown
PrismaSase.SecurityRule.source_userSecurity rule source user.unknown
PrismaSase.SecurityRule.toSecurity rule to field (destination zone(s)).unknown
PrismaSase.SecurityRule.profile_settingThe Security rule group object in the rule.unknown
PrismaSase.SecurityRule.profile_setting.groupSecurity rule group.unknown
PrismaSase.CandidateConfigConfiguration job object.unknown
PrismaSase.CandidateConfig.job_idConfiguration job ID.unknown
PrismaSase.CandidateConfig.resultThe configuration push result, e.g., OK, FAIL.unknown
PrismaSase.CandidateConfig.detailsThe configuration push details.unknown
PrismaSase.AddressCreated address object.unknown
PrismaSase.Address.descriptionAddress description.unknown
PrismaSase.Address.folderAddress folder.unknown
PrismaSase.Address.idAddress ID.unknown
PrismaSase.Address.typeAddress type.unknown
PrismaSase.Address.address_valueAddress value.unknown
PrismaSase.Address.nameAddress name.unknown

Playbook Image#

Prisma SASE - Block IP