Prisma Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that provides comprehensive visibility and threat detection across an organization’s hybrid, multi-cloud infrastructure.
This document provides information about the Palo Alto Prisma Cloud Connector, which facilitates automated interactions with a Palo Alto Prisma Cloud server using FortiSOAR™ playbooks. Add the Palo Alto Prisma Cloud Connector as a step in FortiSOAR™ playbooks and perform automated operations with Palo Alto Prisma Cloud.
Connector Version: 1.0.1
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Palo Alto Prisma Cloud connector in version 1.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

```shell
yum install cyops-connector-paloalto-prisma-cloud
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Palo Alto Prisma Cloud connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
Server Address | Address of the Prisma cloud server to which you will connect and perform automated operations. |
Access Key ID | Access Key ID of the Prisma cloud account. For a multi-tenant user, enter the username as Access Key ID. |
Secret Key | Secret Key of the Prisma cloud account. For a multi-tenant user, enter the password as Secret Key. |
Prisma ID | Enter Prisma ID. For a multi-tenant user, at least one parameter is required, either Prisma ID or Customer Name. Your Prisma ID is available from the license information in the Prisma Cloud Console. |
Customer Name | Enter Customer Name. For a multi-tenant user, at least one parameter is required, either Prisma ID or Customer Name. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts | Returns a list of alerts that match the constraints specified in the parameters. | get_alerts Investigation |
Get Alert Details | Returns information about an alert for the specified ID. | get_alert_details Investigation |
Dismiss Alerts | Dismisses one or more alerts on the Prisma Cloud platform. If the caller specifies a dismissal time range, then alerts will snooze for that time period rather than be dismissed. | dismiss_alerts Investigation |
Reopen Alerts | Sets the status of one or more dismissed or snoozed alerts on the Prisma Cloud platform to Open. | reopen_alerts Investigation |
Get Alert Remediation Commands | Generates and returns a list of remediation commands for the specified alerts and policies. Data returned for a successful call include fully constructed commands for remediation. | get_alert_remediation_commands Investigation |
Get Policy Information | Returns the policy that has the specified policy ID. | get_policy_info Investigation |
Get Alert Filters | Returns an object whose keys are the available policy filters. The corresponding values are default or recently set filter options. | get_alert_filters Investigation |
Input parameters for the Get Alerts operation:

Parameter | Description |
---|---|
Detailed | Return detailed alert data. The default value is 'false'. |
Fields | An array of specific fields such as: alert.id, alert.status, alert.time, cloud.accountId, cloud.account, cloud.region, resource.id, resource.name, policy.name, policy.type, policy.severity |
Filters | Filters a list of alerts based on the alert parameters. For example: [{"name": "alert.id","operator": "=","value": "12"}] |
Group By | Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type. Currently, if you specify both 'cloud.service' and 'resource.type', only 'cloud.service' will apply. |
Limit | The maximum number of items that will be returned in one response. |
Offset | Pagination offset. The number of items to skip before selecting items to return. The default value is '0'. |
Page Token | Setting this pagination token to the 'nextPageToken' from a response object returns the next page of data. |
Sort By | An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc'. |
Time Range | Enter the time range for which you wish to display the alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
The output contains the following populated JSON schema:
```json
{
  "items": [
    {
      "id": "",
      "policy": {
        "policyId": "",
        "policyType": "",
        "remediable": "",
        "remediation": {
          "impact": "",
          "description": "",
          "cliScriptTemplate": ""
        },
        "systemDefault": ""
      },
      "reason": "",
      "status": "",
      "history": [
        {
          "reason": "",
          "status": "",
          "modifiedBy": "",
          "modifiedOn": ""
        }
      ],
      "lastSeen": "",
      "metadata": {
        "saveSearchId": ""
      },
      "policyId": "",
      "resource": {
        "id": "",
        "rrn": "",
        "url": "",
        "data": {
          "acl": {
            "owner": {
              "id": ""
            },
            "grants": [
              {
                "grantee": {
                  "identifier": "",
                  "typeIdentifier": ""
                },
                "permission": ""
              }
            ],
            "grantsAsList": [
              {
                "grantee": {
                  "identifier": "",
                  "typeIdentifier": ""
                },
                "permission": ""
              }
            ],
            "requesterCharged": ""
          },
          "owner": {
            "id": "",
            "displayName": ""
          },
          "policy": {},
          "accountId": "",
          "bucketName": "",
          "creationDate": "",
          "sseAlgorithm": "",
          "kmsMasterKeyID": "",
          "policyAvailable": "",
          "loggingConfiguration": {
            "targetGrants": [
              {
                "grantee": {
                  "identifier": "",
                  "typeIdentifier": ""
                },
                "permission": ""
              }
            ]
          },
          "versioningConfiguration": {
            "status": ""
          },
          "denyUnencryptedUploadsPolicies": [],
          "publicAccessBlockConfiguration": {
            "blockPublicAcls": "",
            "ignorePublicAcls": "",
            "blockPublicPolicy": "",
            "restrictPublicBuckets": ""
          },
          "accountLevelPublicAccessBlockConfiguration": {
            "blockPublicAcls": "",
            "ignorePublicAcls": "",
            "blockPublicPolicy": "",
            "restrictPublicBuckets": ""
          }
        },
        "name": "",
        "region": "",
        "account": "",
        "regionId": "",
        "accountId": "",
        "cloudType": "",
        "resourceTs": "",
        "resourceType": "",
        "additionalInfo": {},
        "resourceApiName": "",
        "cloudAccountGroups": []
      },
      "alertTime": "",
      "firstSeen": "",
      "alertRules": [],
      "saveSearchId": ""
    }
  ],
  "totalRows": "",
  "nextPageToken": "",
  "sortAllowedColumns": []
}
```
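As an added example (not part of the connector or of Prisma Cloud's own code), the following Python builds a Get Alerts request from the parameters in the table above, pages through results with nextPageToken, and triages the returned items against the publicAccessBlockConfiguration keys of the output schema. The request key names, the three timeRange shapes and the stub server are assumptions; the constructed sample pages stand in for a real Prisma Cloud response.

```python
# Added example (not the connector's or Prisma Cloud's code). Request keys and
# timeRange shapes are assumptions modelled on the Prisma Cloud alert API.
from typing import Any, Callable, Dict, Iterator, List, Optional

_UNITS = ("minute", "hour", "day", "week", "month", "year")
_PAB_KEYS = ("blockPublicAcls", "ignorePublicAcls",
             "blockPublicPolicy", "restrictPublicBuckets")


def time_range(kind: str, **kw: Any) -> Dict[str, Any]:
    """timeRange for the three connector choices (assumed shapes): absolute ->
    epoch-ms startTime/endTime, relative -> unit/amount, to_now -> an anchor."""
    if kind == "absolute":
        start, end = int(kw["start_ms"]), int(kw["end_ms"])
        if start > end:
            raise ValueError("absolute range: startTime is after endTime")
        return {"type": "absolute", "value": {"startTime": start, "endTime": end}}
    if kind == "relative":
        unit, amount = kw["unit"], int(kw["amount"])
        if unit not in _UNITS or amount <= 0:
            raise ValueError("relative range: bad unit or amount")
        return {"type": "relative", "value": {"unit": unit, "amount": amount}}
    if kind == "to_now":
        return {"type": "to_now", "value": kw.get("anchor", "epoch")}
    raise ValueError(f"unknown time range kind {kind!r}")


def alert_filter(name: str, value: str, operator: str = "=") -> Dict[str, str]:
    """One Filters entry, in the shape of the page's example."""
    return {"name": name, "operator": operator, "value": value}


def get_alerts_body(filters: List[Dict[str, str]], time_rng: Dict[str, Any],
                    limit: int = 100, fields: Optional[List[str]] = None,
                    sort_by: Optional[List[str]] = None,
                    detailed: bool = False) -> Dict[str, Any]:
    """Assemble the request body; rejects Sort By entries lacking :asc/:desc."""
    body: Dict[str, Any] = {"detailed": detailed, "filters": filters,
                            "timeRange": time_rng, "limit": limit}
    if fields:
        body["fields"] = fields
    if sort_by:
        bad = [s for s in sort_by if not s.endswith((":asc", ":desc"))]
        if bad:
            raise ValueError(f"sortBy entries need :asc or :desc: {bad}")
        body["sortBy"] = sort_by
    return body


def iter_alerts(post: Callable[[Dict[str, Any]], Dict[str, Any]],
                body: Dict[str, Any], max_pages: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield items across pages by resending the body with nextPageToken until
    the token comes back empty; bounded so a bad server cannot spin forever."""
    token: Optional[str] = None
    for _ in range(max_pages):
        page = post(dict(body, pageToken=token) if token else body)
        yield from page.get("items", [])
        token = page.get("nextPageToken") or None
        if token is None:
            return
    raise RuntimeError("pagination did not terminate within max_pages")


def public_bucket_alerts(items: List[Dict[str, Any]]) -> List[str]:
    """IDs of alerts on S3 buckets whose publicAccessBlockConfiguration (a key
    in the Get Alerts output schema) is not fully enabled."""
    hits = []
    for item in items:
        data = item.get("resource", {}).get("data", {})
        if "bucketName" not in data:
            continue  # not an S3 finding (the schema also shows an RDS shape)
        pab = data.get("publicAccessBlockConfiguration") or {}
        if any(pab.get(k) is not True for k in _PAB_KEYS):
            hits.append(item["id"])
    return hits


# Constructed sample pages standing in for the Prisma Cloud server.
_PAGES = {
    None: {"items": [
        {"id": "A-1", "resource": {"data": {"bucketName": "b1",
            "publicAccessBlockConfiguration": {**dict.fromkeys(_PAB_KEYS, True),
                                               "blockPublicPolicy": False}}}},
        {"id": "A-2", "resource": {"data": {"dbname": "db", "publiclyAccessible": True}}},
    ], "nextPageToken": "tok-2"},
    "tok-2": {"items": [
        {"id": "A-3", "resource": {"data": {"bucketName": "b2",
            "publicAccessBlockConfiguration": dict.fromkeys(_PAB_KEYS, True)}}},
    ], "nextPageToken": ""},
}


def fake_post(body: Dict[str, Any]) -> Dict[str, Any]:
    return _PAGES[body.get("pageToken")]  # stub transport keyed on pageToken


def demo():
    body = get_alerts_body([alert_filter("alert.status", "open")],
                           time_range("relative", unit="day", amount=7),
                           limit=2, sort_by=["id:asc"])
    items = list(iter_alerts(fake_post, body))
    return [i["id"] for i in items], public_bucket_alerts(items)
```

In a playbook the stub `fake_post` is replaced by the connector's Get Alerts step; the body builder and pagination loop are what keep the request shape and the page walk correct.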
Input parameters for the Get Alert Details operation:

Parameter | Description |
---|---|
Alert ID | The ID of an alert to get its details. |
Detailed | Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "policy": {
    "name": "",
    "labels": [],
    "deleted": "",
    "policyId": "",
    "severity": "",
    "policyType": "",
    "remediable": "",
    "description": "",
    "remediation": {
      "impact": "",
      "description": "",
      "cliScriptTemplate": ""
    },
    "systemDefault": "",
    "lastModifiedBy": "",
    "lastModifiedOn": "",
    "recommendation": "",
    "complianceMetadata": [
      {
        "policyId": "",
        "sectionId": "",
        "complianceId": "",
        "sectionLabel": "",
        "standardName": "",
        "requirementId": "",
        "systemDefault": "",
        "customAssigned": "",
        "requirementName": "",
        "sectionViewOrder": "",
        "sectionDescription": "",
        "standardDescription": "",
        "requirementViewOrder": ""
      }
    ]
  },
  "reason": "",
  "status": "",
  "history": [
    {
      "reason": "",
      "status": "",
      "modifiedBy": "",
      "modifiedOn": ""
    }
  ],
  "lastSeen": "",
  "metadata": {
    "saveSearchId": ""
  },
  "resource": {
    "id": "",
    "rrn": "",
    "url": "",
    "data": {
      "tags": [
        {
          "key": "",
          "value": ""
        }
      ],
      "dbname": "",
      "engine": "",
      "multiAZ": "",
      "tagList": [
        {
          "key": "",
          "value": ""
        }
      ],
      "endpoint": {
        "port": "",
        "address": "",
        "hostedZoneId": ""
      },
      "kmsKeyId": "",
      "statusInfos": [],
      "storageType": "",
      "licenseModel": "",
      "dbiResourceId": "",
      "dbinstanceArn": "",
      "dbsubnetGroup": {
        "vpcId": "",
        "subnets": [
          {
            "subnetStatus": "",
            "subnetOutpost": {},
            "subnetIdentifier": "",
            "subnetAvailabilityZone": {
              "name": ""
            }
          }
        ],
        "dbsubnetGroupName": "",
        "subnetGroupStatus": "",
        "dbsubnetGroupDescription": ""
      },
      "engineVersion": "",
      "dbInstancePort": "",
      "masterUsername": "",
      "associatedRoles": [],
      "dbinstanceClass": "",
      "allocatedStorage": "",
      "availabilityZone": "",
      "dbinstanceStatus": "",
      "dbsecurityGroups": [],
      "storageEncrypted": "",
      "dbparameterGroups": [
        {
          "dbparameterGroupName": "",
          "parameterApplyStatus": ""
        }
      ],
      "domainMemberships": [],
      "monitoringRoleArn": "",
      "processorFeatures": [],
      "vpcSecurityGroups": [
        {
          "status": "",
          "vpcSecurityGroupId": ""
        }
      ],
      "copyTagsToSnapshot": "",
      "deletionProtection": "",
      "instanceCreateTime": "",
      "monitoringInterval": "",
      "publiclyAccessible": "",
      "maxAllocatedStorage": "",
      "dbinstanceIdentifier": "",
      "backupRetentionPeriod": "",
      "pendingModifiedValues": {
        "processorFeatures": []
      },
      "preferredBackupWindow": "",
      "customerOwnedIpEnabled": "",
      "optionGroupMemberships": [
        {
          "status": "",
          "optionGroupName": ""
        }
      ],
      "autoMinorVersionUpgrade": "",
      "cacertificateIdentifier": "",
      "secondaryAvailabilityZone": "",
      "performanceInsightsEnabled": "",
      "preferredMaintenanceWindow": "",
      "enabledCloudwatchLogsExports": [],
      "enhancedMonitoringResourceArn": "",
      "readReplicaDBClusterIdentifiers": [],
      "iamdatabaseAuthenticationEnabled": "",
      "readReplicaDBInstanceIdentifiers": [],
      "dbinstanceAutomatedBackupsReplications": []
    },
    "name": "",
    "region": "",
    "account": "",
    "regionId": "",
    "accountId": "",
    "cloudType": "",
    "resourceTs": "",
    "resourceType": "",
    "additionalInfo": {},
    "resourceApiName": "",
    "cloudAccountGroups": [],
    "internalResourceId": ""
  },
  "alertTime": "",
  "firstSeen": "",
  "alertRules": [
    {
      "name": "",
      "deleted": "",
      "enabled": "",
      "createdBy": "",
      "notifyOnOpen": "",
      "lastModifiedBy": "",
      "lastModifiedOn": "",
      "notifyOnSnoozed": "",
      "notifyOnResolved": "",
      "notifyOnDismissed": "",
      "allowAutoRemediate": "",
      "policyScanConfigId": "",
      "delayNotificationMs": "",
      "alertRuleNotificationConfig": [
        {
          "id": "",
          "type": "",
          "enabled": "",
          "frequency": "",
          "hourOfDay": "",
          "customerId": "",
          "dayOfMonth": "",
          "daysOfWeek": [
            {
              "day": "",
              "offset": ""
            }
          ],
          "recipients": [],
          "lastUpdated": "",
          "last_sent_ts": "",
          "detailedReport": "",
          "withCompression": "",
          "frequencyFromRRule": "",
          "includeRemediation": ""
        }
      ]
    }
  ],
  "saveSearchId": "",
  "networkAnomaly": ""
}
```
Input parameters for the Dismiss Alerts operation:

Parameter | Description |
---|---|
Alert IDs | Alert IDs to dismiss (in CSV or list format). |
Dismissal Note | Reason for dismissal. (This only applies to the dismiss alerts endpoint.) |
Dismissal Time Range | Enter the time range for which you wish to dismiss the alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
Detailed | Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
Fields | An array of specific fields you want this operation to return. |
Filters | Filters a list of alerts based on the alert parameters. For example: [{"name": "string","operator": "=","value": "string"}] |
Group By | Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type. Currently, if you specify both cloud.service and resource.type, only cloud.service gets applied. |
Limit | The maximum number of items to return. When data is paginated, the Limit indicates the maximum number of items per page. |
Offset | The number of items to skip before selecting items to return. The default value is '0'. |
Page Token | Setting this pagination Token to the 'nextPageToken' from a response object returns the next page of data. |
Sort By | An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc'. |
Time Range | Enter the time range to filter alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
Policy IDs | Specify the Policy IDs based on which you want to filter the result retrieved by this operation. |
The output contains a non-dictionary value.
Input parameters for the Reopen Alerts operation:

Parameter | Description |
---|---|
Alert IDs | IDs of the alerts to reopen. |
Dismissal Note | Reason for dismissal. (This only applies to the dismiss alerts endpoint.) |
Dismissal Time Range | Enter the time range for which you want to reopen alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
Detailed | Select this checkbox if you want this operation to return detailed alert data. The default value is false. |
Fields | An array of specific fields to be returned. |
Filters | Filters a list of alerts based on the alert parameters. For example: [{"name": "string","operator": "=","value": "string"}] |
Group By | Group alerts by the following: cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type. Currently, if you specify both cloud.service and resource.type, only cloud.service gets applied. |
Limit | The maximum number of items to return. When data is paginated, the Limit indicates the maximum number of items per page. |
Offset | The number of items to skip before selecting items to return. The default value is '0'. |
Page Token | Setting this pagination token to the 'nextPageToken' from a response object returns the next page of data. |
Sort By | An array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are 'id:asc' and 'timestamp:desc'. |
Time Range | Enter the time range to filter alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
Policy IDs | Specify the Policy IDs based on which you want to filter the result retrieved by this operation. |
The output contains a non-dictionary value.
Input parameters for the Get Alert Remediation Commands operation:

Parameter | Description |
---|---|
Time Range | Enter the time range to filter alerts. Choose 'Absolute', 'Relative', or 'Time To Now'. |
Alert IDs | Specify a list of alert IDs whose remediation commands you want to retrieve. One or more alert IDs associated with a single policy are required if no policies are specified. If a policy is specified, then all the alerts specified must belong to that policy. |
Policy IDs | Specify the Policy IDs based on which you want to retrieve the alert remediation commands. A single policy ID is required if no alerts are specified. |
The output contains a non-dictionary value.
Input parameters for the Get Policy Information operation:

Parameter | Description |
---|---|
Policy ID | Specify the Policy ID whose information you want to retrieve from Palo Alto Prisma Cloud. |
The output contains the following populated JSON schema:
```json
{
  "name": "",
  "rule": {
    "name": "",
    "type": "",
    "children": [
      {
        "name": "",
        "type": "",
        "criteria": "",
        "recommendation": ""
      }
    ],
    "criteria": "",
    "parameters": {
      "withIac": "",
      "savedSearch": ""
    }
  },
  "owner": "",
  "labels": [],
  "deleted": "",
  "enabled": "",
  "policyId": "",
  "severity": "",
  "cloudType": "",
  "createdBy": "",
  "createdOn": "",
  "policyUpi": "",
  "policyMode": "",
  "policyType": "",
  "remediable": "",
  "description": "",
  "policyClass": "",
  "remediation": {
    "impact": "",
    "description": "",
    "cliScriptTemplate": ""
  },
  "systemDefault": "",
  "lastModifiedBy": "",
  "lastModifiedOn": "",
  "policyCategory": "",
  "policySubTypes": [],
  "recommendation": "",
  "complianceMetadata": [
    {
      "policyId": "",
      "sectionId": "",
      "complianceId": "",
      "sectionLabel": "",
      "standardName": "",
      "requirementId": "",
      "systemDefault": "",
      "customAssigned": "",
      "requirementName": "",
      "sectionDescription": "",
      "standardDescription": ""
    }
  ],
  "ruleLastModifiedOn": ""
}
```
The Get Alert Filters operation takes no input parameters.
The output contains the following populated JSON schema:
```json
{
  "malware": {
    "options": [],
    "staticFilter": ""
  },
  "alert.id": {
    "options": [],
    "staticFilter": ""
  },
  "cloud.type": {
    "options": [],
    "staticFilter": ""
  },
  "policy.name": {
    "options": [],
    "staticFilter": ""
  },
  "policy.type": {
    "options": [],
    "staticFilter": ""
  },
  "resource.id": {
    "options": [],
    "staticFilter": ""
  },
  "alert.status": {
    "options": [],
    "staticFilter": ""
  },
  "cloud.region": {
    "options": [],
    "staticFilter": ""
  },
  "policy.label": {
    "options": [],
    "staticFilter": ""
  },
  "account.group": {
    "options": [],
    "staticFilter": ""
  },
  "cloud.account": {
    "options": [],
    "staticFilter": ""
  },
  "cloud.service": {
    "options": [],
    "staticFilter": ""
  },
  "resource.name": {
    "options": [],
    "staticFilter": ""
  },
  "resource.type": {
    "options": [],
    "staticFilter": ""
  },
  "alertRule.name": {
    "options": [],
    "staticFilter": ""
  },
  "policy.subtype": {
    "options": [],
    "staticFilter": ""
  },
  "resource.group": {
    "options": [],
    "staticFilter": ""
  },
  "timeRange.type": {
    "options": [],
    "staticFilter": ""
  },
  "cloud.accountId": {
    "options": [],
    "staticFilter": ""
  },
  "object.exposure": {
    "options": [],
    "staticFilter": ""
  },
  "policy.severity": {
    "options": [],
    "staticFilter": ""
  },
  "object.identifier": {
    "options": [],
    "staticFilter": ""
  },
  "policy.remediable": {
    "options": [],
    "staticFilter": ""
  },
  "object.classification": {
    "options": [],
    "staticFilter": ""
  },
  "policy.complianceSection": {
    "options": [],
    "staticFilter": ""
  },
  "policy.complianceStandard": {
    "options": [],
    "staticFilter": ""
  },
  "policy.complianceRequirement": {
    "options": [],
    "staticFilter": ""
  }
}
```
The Sample - Palo Alto Prisma Cloud - 1.0.1 playbook collection comes bundled with the Palo Alto Prisma Cloud connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Prisma Cloud connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.