About the connector
Prisma Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that provides comprehensive visibility and threat detection across an organization’s hybrid, multi-cloud infrastructure.
This document provides information about the Palo Alto Prisma Cloud Connector, which facilitates automated interactions, with a Palo Alto Prisma Cloud server using FortiSOAR™ playbooks. Add the Palo Alto Prisma Cloud Connector as a step in FortiSOAR™ playbooks and perform automated operations with Palo Alto Prisma Cloud.
Version information
Connector Version: 1.0.1
Authored By: Fortinet
Certified: No
Release Notes for version 1.0.1
The following enhancements have been made to the Palo Alto Prisma Cloud connector in version 1.0.1:
- Fixed the API request body in the 'Get Alerts' operation, which was not being passed correctly in the previous version of this connector.
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-paloalto-prisma-cloud
Prerequisites to configuring the connector
- You must have the URL of the Palo Alto Prisma Cloud server to which you will connect and perform automated operations. You will also need the credentials to access the Prisma Cloud account as specified in the Configuration Parameters.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the Palo Alto Prisma Cloud server.
Minimum Permissions Required
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Palo Alto Prisma Cloud connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter |
Description |
| Server Address |
Address of the Prisma cloud server to which you will connect and perform automated operations. |
| Access Key ID |
Access Key ID of the Prisma cloud account. For a multi-tenant user, enter the username as Access Key ID. |
| Secret Key |
Secret Key of the Prisma cloud account. For a multi-tenant user, enter the password as Secret Key. |
| Prisma ID |
Enter Prisma ID. For a multi-tenant user, at least one parameter is required, either Prisma ID or Customer Name. Your Prisma ID is available from the license information in the Prisma Cloud Console. |
| Customer Name |
Enter Customer Name. For a multi-tenant user, at least one parameter is required, either Prisma ID or Customer Name |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
| Function |
Description |
Annotation and Category |
| Get Alerts |
Returns a list of alerts that match the constraints specified in the parameters. |
get_alerts
Investigation |
| Get Alert Details |
Returns information about an alert for the specified ID. |
get_alert_details
Investigation |
| Dismiss Alerts |
Dismisses one or more alerts on the Prisma Cloud platform. If the caller specifies a dismissal time range, then alerts will snooze for that time period rather than be dismissed. |
dismiss_alerts
Investigation |
| Reopen Alerts |
Sets the status of one or more dismissed or snoozed alerts on the Prisma Cloud platform to Open. |
reopen_alerts
Investigation |
| Get Alert Remediation Commands |
Generates and returns a list of remediation commands for the specified alerts and policies. Data returned for a successful call include fully constructed commands for remediation. |
get_alert_remediation_commands
Investigation |
| Get Policy Information |
Returns the policy that has the specified policy ID. |
get_policy_info
Investigation |
| Get Alert Filters |
Returns an object whose keys are the available policy filters. The corresponding values are default or recently set filter options. |
get_alert_filters
Investigation |
operation: Get Alerts
Input parameters
| Parameter |
Description |
| Detailed |
Return detailed alert data. The default value is 'false'. |
| Fields |
An array of specific fields such as: alert.id, alert.status, alert.time, cloud.accountId, cloud.account, cloud.region, resource.id, resource.name, policy.name, policy.type, policy.severity |
| Filters |
Filters a list of alerts based on the alert parameters. For example: [{"name": "alert.id","operator": "=","value": "12"}] |
| Group By |
Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type.
Currently, if you specify both 'cloud.service' and 'resource.type', only 'cloud.service' will apply. |
| Limit |
The maximum number of items that will be returned in one response. |
| Offset |
Pagination offset. The number of items to skip before selecting items to return. The default value is '0'. |
| Page Token |
Setting this pagination token to the 'nextPageToken' from a response object returns the next page of data. |
| Sort By |
An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc' |
| Time Range |
Enter the time range for which you wish to display the alerts.
If you choose 'Absolute':
- Start Time: Start time to filter alerts.
- End Time: End time to filter alerts.
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select unit. The available options are: "Minute", "Hour", "Day", "Week", "Month", "Year".
- Relative Time Type: Direction in which to measure time. The default is BACKWARD.
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN"
|
Output
The output contains the following populated JSON schema:
{
"items": [
{
"id": "",
"policy": {
"policyId": "",
"policyType": "",
"remediable": "",
"remediation": {
"impact": "",
"description": "",
"cliScriptTemplate": ""
},
"systemDefault": ""
},
"reason": "",
"status": "",
"history": [
{
"reason": "",
"status": "",
"modifiedBy": "",
"modifiedOn": ""
}
],
"lastSeen": "",
"metadata": {
"saveSearchId": ""
},
"policyId": "",
"resource": {
"id": "",
"rrn": "",
"url": "",
"data": {
"acl": {
"owner": {
"id": ""
},
"grants": [
{
"grantee": {
"identifier": "",
"typeIdentifier": ""
},
"permission": ""
}
],
"grantsAsList": [
{
"grantee": {
"identifier": "",
"typeIdentifier": ""
},
"permission": ""
}
],
"requesterCharged": ""
},
"owner": {
"id": "",
"displayName": ""
},
"policy": {},
"accountId": "",
"bucketName": "",
"creationDate": "",
"sseAlgorithm": "",
"kmsMasterKeyID": "",
"policyAvailable": "",
"loggingConfiguration": {
"targetGrants": [
{
"grantee": {
"identifier": "",
"typeIdentifier": ""
},
"permission": ""
}
]
},
"versioningConfiguration": {
"status": ""
},
"denyUnencryptedUploadsPolicies": [],
"publicAccessBlockConfiguration": {
"blockPublicAcls": "",
"ignorePublicAcls": "",
"blockPublicPolicy": "",
"restrictPublicBuckets": ""
},
"accountLevelPublicAccessBlockConfiguration": {
"blockPublicAcls": "",
"ignorePublicAcls": "",
"blockPublicPolicy": "",
"restrictPublicBuckets": ""
}
},
"name": "",
"region": "",
"account": "",
"regionId": "",
"accountId": "",
"cloudType": "",
"resourceTs": "",
"resourceType": "",
"additionalInfo": {},
"resourceApiName": "",
"cloudAccountGroups": []
},
"alertTime": "",
"firstSeen": "",
"alertRules": [],
"saveSearchId": ""
}
],
"totalRows": "",
"nextPageToken": "",
"sortAllowedColumns": []
}
operation: Get Alert Details
Input parameters
| Parameter |
Description |
| Alert ID |
The ID of an alert to get its details. |
| Detailed |
Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"policy": {
"name": "",
"labels": [],
"deleted": "",
"policyId": "",
"severity": "",
"policyType": "",
"remediable": "",
"description": "",
"remediation": {
"impact": "",
"description": "",
"cliScriptTemplate": ""
},
"systemDefault": "",
"lastModifiedBy": "",
"lastModifiedOn": "",
"recommendation": "",
"complianceMetadata": [
{
"policyId": "",
"sectionId": "",
"complianceId": "",
"sectionLabel": "",
"standardName": "",
"requirementId": "",
"systemDefault": "",
"customAssigned": "",
"requirementName": "",
"sectionViewOrder": "",
"sectionDescription": "",
"standardDescription": "",
"requirementViewOrder": ""
}
]
},
"reason": "",
"status": "",
"history": [
{
"reason": "",
"status": "",
"modifiedBy": "",
"modifiedOn": ""
}
],
"lastSeen": "",
"metadata": {
"saveSearchId": ""
},
"resource": {
"id": "",
"rrn": "",
"url": "",
"data": {
"tags": [
{
"key": "",
"value": ""
}
],
"dbname": "",
"engine": "",
"multiAZ": "",
"tagList": [
{
"key": "",
"value": ""
}
],
"endpoint": {
"port": "",
"address": "",
"hostedZoneId": ""
},
"kmsKeyId": "",
"statusInfos": [],
"storageType": "",
"licenseModel": "",
"dbiResourceId": "",
"dbinstanceArn": "",
"dbsubnetGroup": {
"vpcId": "",
"subnets": [
{
"subnetStatus": "",
"subnetOutpost": {},
"subnetIdentifier": "",
"subnetAvailabilityZone": {
"name": ""
}
}
],
"dbsubnetGroupName": "",
"subnetGroupStatus": "",
"dbsubnetGroupDescription": ""
},
"engineVersion": "",
"dbInstancePort": "",
"masterUsername": "",
"associatedRoles": [],
"dbinstanceClass": "",
"allocatedStorage": "",
"availabilityZone": "",
"dbinstanceStatus": "",
"dbsecurityGroups": [],
"storageEncrypted": "",
"dbparameterGroups": [
{
"dbparameterGroupName": "",
"parameterApplyStatus": ""
}
],
"domainMemberships": [],
"monitoringRoleArn": "",
"processorFeatures": [],
"vpcSecurityGroups": [
{
"status": "",
"vpcSecurityGroupId": ""
}
],
"copyTagsToSnapshot": "",
"deletionProtection": "",
"instanceCreateTime": "",
"monitoringInterval": "",
"publiclyAccessible": "",
"maxAllocatedStorage": "",
"dbinstanceIdentifier": "",
"backupRetentionPeriod": "",
"pendingModifiedValues": {
"processorFeatures": []
},
"preferredBackupWindow": "",
"customerOwnedIpEnabled": "",
"optionGroupMemberships": [
{
"status": "",
"optionGroupName": ""
}
],
"autoMinorVersionUpgrade": "",
"cacertificateIdentifier": "",
"secondaryAvailabilityZone": "",
"performanceInsightsEnabled": "",
"preferredMaintenanceWindow": "",
"enabledCloudwatchLogsExports": [],
"enhancedMonitoringResourceArn": "",
"readReplicaDBClusterIdentifiers": [],
"iamdatabaseAuthenticationEnabled": "",
"readReplicaDBInstanceIdentifiers": [],
"dbinstanceAutomatedBackupsReplications": []
},
"name": "",
"region": "",
"account": "",
"regionId": "",
"accountId": "",
"cloudType": "",
"resourceTs": "",
"resourceType": "",
"additionalInfo": {},
"resourceApiName": "",
"cloudAccountGroups": [],
"internalResourceId": ""
},
"alertTime": "",
"firstSeen": "",
"alertRules": [
{
"name": "",
"deleted": "",
"enabled": "",
"createdBy": "",
"notifyOnOpen": "",
"lastModifiedBy": "",
"lastModifiedOn": "",
"notifyOnSnoozed": "",
"notifyOnResolved": "",
"notifyOnDismissed": "",
"allowAutoRemediate": "",
"policyScanConfigId": "",
"delayNotificationMs": "",
"alertRuleNotificationConfig": [
{
"id": "",
"type": "",
"enabled": "",
"frequency": "",
"hourOfDay": "",
"customerId": "",
"dayOfMonth": "",
"daysOfWeek": [
{
"day": "",
"offset": ""
}
],
"recipients": [],
"lastUpdated": "",
"last_sent_ts": "",
"detailedReport": "",
"withCompression": "",
"frequencyFromRRule": "",
"includeRemediation": ""
}
]
}
],
"saveSearchId": "",
"networkAnomaly": ""
}
operation: Dismiss Alerts
Input parameters
| Parameter |
Description |
| Alert IDs |
Alert IDs to dismiss (in CSV or list format). |
| Dismissal Note |
Reason for dismissal. (This only applies to the dismiss alerts endpoint.) |
| Dismissal Time Range |
Enter the time range for which you wish to dismiss the alerts.
If you choose 'Absolute':
- Start Time: Start time to dismiss alerts
- End Time: End time to dismiss alerts
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select unit, available options are: "Minute", "Hour", "Day", "Week", "Month", "Year"
- Relative Time Type: Direction in which to measure time. The default is BACKWARD.
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN".
- LOGIN: From the last login
- EPOCH: From account onboarding
- DAY: From the beginning of the day
- WEEK: From the beginning of the week
- MONTH: From the beginning of the month
- YEAR: From the beginning of the year
|
| Detailed |
Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
| Fields |
An array of specific fields you want this operation to return. |
| Filters |
Filters a list of alerts based on the alert parameters. For example: [{"name": "string","operator": "=","value": "string"}] |
| Group By |
Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type. Currently, if you specify both cloud.service and resource.type, only cloud.service gets applied. |
| Limit |
The maximum number of items to return. When data is paginated, the Limit indicates the maximum number of items per page. |
| Offset |
The number of items to skip before selecting items to return. The default value is '0'. |
| Page Token |
Setting this pagination Token to the 'nextPageToken' from a response object returns the next page of data. |
| Sort By |
An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc' |
| Time Range |
Enter the time range to filter alerts.
If you choose 'Absolute':
- Start Time: Start time to filter alerts.
- End Time: End time to filter alerts.
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select the unit. The available options are: "Minute", "Hour", "Day", "Week", "Month", "Year"
- Relative Time Type: Direction in which to measure time. The default is BACKWARD.
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN"
|
| Policy IDs |
Specify the Policy IDs based on which you want to filter the result retrieved by this operation. |
Output
The output contains a non-dictionary value.
operation: Reopen Alerts
Input parameters
| Parameter |
Description |
| Alert IDs |
IDs of the alerts to reopen. |
| Dismissal Note |
Reason for dismissal. (This only applies to the dismiss alerts endpoint.) |
| Dismissal Time Range |
Enter the time range for which you want to reopen alerts.
If you choose 'Absolute':
- Start Time: Start time to reopen alerts.
- End Time: End time to reopen alerts.
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select the unit. The available options are: "Minute", "Hour", "Day", "Week", "Month", "Year"
- Relative Time Type: Direction in which to measure time. The default is BACKWARD
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN".
- LOGIN: From the last login
- EPOCH: From account onboarding
- DAY: From the beginning of the day
- WEEK: From the beginning of the week
- MONTH: From the beginning of the month
- YEAR: From the beginning of the year
|
| Detailed |
Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
| Fields |
An array of specific fields to be returned. |
| Filters |
Filters a list of alerts based on the alert parameters. For example: [{"name": "string","operator": "=","value": "string"}] |
| Group By |
Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type. Currently, if you specify both cloud.service and resource.type, only cloud.service gets applied. |
| Limit |
The maximum number of items to return. When data is paginated, the Limit indicates the maximum number of items per page. |
| Offset |
The number of items to skip before selecting items to return. The default value is '0'. |
| Page Token |
Setting this pagination Token to the 'nextPageToken' from a response object returns the next page of data |
| Sort By |
An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc' |
| Time Range |
Enter the time range to filter alerts.
If you choose 'Absolute':
- Start Time: Start time to filter alerts.
- End Time: End time to filter alerts.
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select the unit. The available options are: "Minute", "Hour", "Day", "Week", "Month", "Year"
- Relative Time Type: Direction in which to measure time. The default is BACKWARD.
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN".
|
| Policy IDs |
Specify the Policy IDs based on which you want to filter the result retrieved by this operation. |
Output
The output contains a non-dictionary value.
operation: Get Alert Remediation Commands
Input parameters
| Parameter |
Description |
| Time Range |
Enter the time range to filter alerts.
If you choose 'Absolute':
- Start Time: Start time to filter alerts
- End Time: End time to filter alerts
If you choose 'Relative':
- Amount: Number of time units. For example, if you choose Hours as a unit and provide 2 as the Amount value, then it will consider the time unit as 2 hours.
- Unit: Select the unit. The available options are: "Minute", "Hour", "Day", "Week", "Month", "Year".
- Relative Time Type: Direction in which to measure time. The default is BACKWARD.
If you choose 'Time To Now':
- Time Range: The time range object. Available options are: "MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN"
|
| Alert IDs |
Specify a list of alert IDs whose remediation commands you want to retrieve. One or more alert IDs associated with a single policy are required if no policies are specified. If a policy is specified, then all the alerts specified must belong to that policy. |
| Policy IDs |
Specify the Policy IDs based on which you want to retrieve the alert remediation commands. A single policy ID is required if no alerts are specified. |
Output
The output contains a non-dictionary value.
operation: Get Policy Information
Input parameters
| Parameter |
Description |
| Policy ID |
Specify the Policy ID whose information you want to retrieve from Palo Alto Prisma Cloud. |
Output
The output contains the following populated JSON schema:
{
"name": "",
"rule": {
"name": "",
"type": "",
"children": [
{
"name": "",
"type": "",
"criteria": "",
"recommendation": ""
}
],
"criteria": "",
"parameters": {
"withIac": "",
"savedSearch": ""
}
},
"owner": "",
"labels": [],
"deleted": "",
"enabled": "",
"policyId": "",
"severity": "",
"cloudType": "",
"createdBy": "",
"createdOn": "",
"policyUpi": "",
"policyMode": "",
"policyType": "",
"remediable": "",
"description": "",
"policyClass": "",
"remediation": {
"impact": "",
"description": "",
"cliScriptTemplate": ""
},
"systemDefault": "",
"lastModifiedBy": "",
"lastModifiedOn": "",
"policyCategory": "",
"policySubTypes": [],
"recommendation": "",
"complianceMetadata": [
{
"policyId": "",
"sectionId": "",
"complianceId": "",
"sectionLabel": "",
"standardName": "",
"requirementId": "",
"systemDefault": "",
"customAssigned": "",
"requirementName": "",
"sectionDescription": "",
"standardDescription": ""
}
],
"ruleLastModifiedOn": ""
}
operation: Get Alert Filters
Input parameters
None.
Output
The output contains the following populated JSON schema:
{
"malware": {
"options": [],
"staticFilter": ""
},
"alert.id": {
"options": [],
"staticFilter": ""
},
"cloud.type": {
"options": [],
"staticFilter": ""
},
"policy.name": {
"options": [],
"staticFilter": ""
},
"policy.type": {
"options": [],
"staticFilter": ""
},
"resource.id": {
"options": [],
"staticFilter": ""
},
"alert.status": {
"options": [],
"staticFilter": ""
},
"cloud.region": {
"options": [],
"staticFilter": ""
},
"policy.label": {
"options": [],
"staticFilter": ""
},
"account.group": {
"options": [],
"staticFilter": ""
},
"cloud.account": {
"options": [],
"staticFilter": ""
},
"cloud.service": {
"options": [],
"staticFilter": ""
},
"resource.name": {
"options": [],
"staticFilter": ""
},
"resource.type": {
"options": [],
"staticFilter": ""
},
"alertRule.name": {
"options": [],
"staticFilter": ""
},
"policy.subtype": {
"options": [],
"staticFilter": ""
},
"resource.group": {
"options": [],
"staticFilter": ""
},
"timeRange.type": {
"options": [],
"staticFilter": ""
},
"cloud.accountId": {
"options": [],
"staticFilter": ""
},
"object.exposure": {
"options": [],
"staticFilter": ""
},
"policy.severity": {
"options": [],
"staticFilter": ""
},
"object.identifier": {
"options": [],
"staticFilter": ""
},
"policy.remediable": {
"options": [],
"staticFilter": ""
},
"object.classification": {
"options": [],
"staticFilter": ""
},
"policy.complianceSection": {
"options": [],
"staticFilter": ""
},
"policy.complianceStandard": {
"options": [],
"staticFilter": ""
},
"policy.complianceRequirement": {
"options": [],
"staticFilter": ""
}
}
Included playbooks
The Sample - Palo Alto Prisma Cloud - 1.0.1 playbook collection comes bundled with the Palo Alto Prisma Cloud connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Prisma Cloud connector.
- Dismiss Alerts
- Get Alert Details
- Get Alert Filters
- Get Alert Remediation Commands
- Get Alerts
- Get Policy Information
- Reopen Alerts
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
