
Saas Security - Incident Processor

This playbook is part of the Saas Security (Prisma) Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook notifies the incident owner and provides remediation options to the Saas Security admin for resolving incidents.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Send Action Taken Email to Tenant Admin
  • Send Action Taken Email to Assignee

Integrations

  • EWS Mail Sender

Scripts

This playbook does not use any scripts.

Commands

  • send-mail

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| updated_at | This is the incident updated at timestamp. | ${incident.saassecurityincidentupdatedat} | Optional |
| tenant_admin | This is the tenant admin email. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| SaasSecurity.Incident.incident_id | Incident ID. | unknown |
| SaasSecurity.Incident.tenant | Tenant associated with the incident. | unknown |
| SaasSecurity.Incident.app_id | Application ID. | unknown |
| SaasSecurity.Incident.app_name | Application name. | unknown |
| SaasSecurity.Incident.app_type | Application type. | unknown |
| SaasSecurity.Incident.cloud_id | Cloud ID. | unknown |
| SaasSecurity.Incident.asset_name | Asset name. | unknown |
| SaasSecurity.Incident.asset_sha256 | SHA256 hash value of the asset. | unknown |
| SaasSecurity.Incident.asset_id | Asset ID. | unknown |
| SaasSecurity.Incident.asset_page_uri | Asset page URI. | unknown |
| SaasSecurity.Incident.asset_cloud_uri | Asset cloud URI. | unknown |
| SaasSecurity.Incident.exposure_type | Exposure type (Internal/External). | unknown |
| SaasSecurity.Incident.exposure_level | Exposure level. | unknown |
| SaasSecurity.Incident.policy_id | Policy ID. | unknown |
| SaasSecurity.Incident.policy_name | Policy name. | unknown |
| SaasSecurity.Incident.policy_version | Policy version. | unknown |
| SaasSecurity.Incident.policy_page_uri | Policy page URI. | unknown |
| SaasSecurity.Incident.severity | Severity of the incident. | unknown |
| SaasSecurity.Incident.status | Incident status. | unknown |
| SaasSecurity.Incident.state | Incident state. | unknown |
| SaasSecurity.Incident.category | Incident category. | unknown |
| SaasSecurity.Incident.resolved_by | Name of the user who resolved the incident. | unknown |
| SaasSecurity.Incident.resolution_date | Date the incident was resolved. | unknown |
| SaasSecurity.Incident.created_at | Date the incident was created, e.g., `2021-08-23T09:26:25.872Z`. | unknown |
| SaasSecurity.Incident.updated_at | Date the incident was last updated, e.g., `2021-08-24T09:26:25.872Z`. | unknown |
| SaasSecurity.Incident.asset_owner_id | ID of the asset owner. | unknown |
| SaasSecurity.Incident.asset_owner_name | Name of the asset owner. | unknown |
| SaasSecurity.Incident.asset_owner_email | Email address of the asset owner. | unknown |

Playbook Image

[Image: Saas Security - Incident Processor]