Playbook of the Week: Prisma Cloud Compute - Audit Alert v3


This blog was written by Tomer Haimof.

 

Automating Prisma Cloud Compute Runtime Audit Events

 

Navigating Cloud Security Challenges

As applications are deployed across multiple clouds - public, private, hybrid - organizations are using a wide array of compute architectures. You have virtual machines (VMs), containers, Kubernetes, containers as a service (CaaS), platform as a service (PaaS) and serverless cloud entities that have to be monitored and secured.

 

Prisma Cloud Compute provides cloud workload protection regardless of the workload's underlying technology or the cloud it runs on. This includes runtime security, API protection, compliance coverage, and vulnerability management. Cortex XSOAR integrates with Prisma Cloud through the Prisma Cloud Compute by Palo Alto Networks pack, providing a focused solution for efficiently handling a range of cloud security needs.

 

Why Opt for Cortex XSOAR's Prisma Cloud Compute - Audit Alert Playbook?

Imagine a scenario where a container within your infrastructure is compromised, triggering runtime audit events. The aftermath demands meticulous investigation, and this is where the Cortex XSOAR Prisma Cloud Compute - Audit Alert v3 playbook, a part of the Prisma Cloud Compute pack, steps in.

 

Empowering Teams with Automated Alert Handling and Response

Each incident processed through this playbook yields a wealth of information for the security analyst. This not only expedites the investigative process but also empowers teams for automatic handling and response, saving precious time and ensuring no runtime audit event goes unnoticed.

 

Breaking Down the Playbook

Before we delve into the incident layout, let's explore the playbook sections to see how automation is applied to remediation.

Container, image and host information enrichment: Gather comprehensive details, including compliance and vulnerability information, to help the analyst understand the context of the incident.

 

Fig 1: Data enrichment

 

Defender logs: Access detailed logs to gain insights into potential threats and vulnerabilities.

Extract forensic data from containers and hosts: Collect forensic data from the affected containers and hosts for a deeper understanding of the incident.

 

Fig 2: Extract forensic data

 

Retrieve relevant alerts: Retrieve historical alerts to piece together the security puzzle.

Get potential owner information: Identify responsible parties swiftly for a targeted response.

 

Fig 3: Get account owners

 

Perform automated remediation: Leverage out-of-the-box playbooks like Block Indicators - Generic v3 and Cloud Response - Generic for effective remediation.

 

Fig 4: Run OOTB playbooks for automated remediation

 

Incident Layout: Navigating the Information Maze

Now, let's explore how the playbook sections manifest in the incident layout, where key details are neatly organized:

 

  • Incident Details: Category, event message, image, host, and container names, and associated rule.
  • Case Details: Incident type, severity, external link, and owner email.
  • Quick Actions: Six buttons for rapid response, including severity adjustment, tagging, blocklisting, and reporting.

 

Fig 5: Incident layout with custom Quick Action buttons

 

Incident Detail Drill-down Tabs

Container Alerts Tab

  • Similar container alerts fetched from Prisma Cloud.
  • IP and File Indicators for added context.

 

Fig 6: Container alerts details tab

 

Forensics Tab

  • Forensics data extracted from relevant containers or hosts.
  • Defenders data and logs for a deeper dive into the incident.

 

Fig 7: Forensic data details tab

 

Compliance Tab

  • Identification of image compliance issues.
  • List of found CVEs for vulnerability assessment.
  • Quick email options for CVE and Compliance reports.

 

Fig 8: Compliance issue details

Use Case Scenario: Unraveling the Compromised Container

Consider a scenario where a container communicates with a command-and-control (C2) server, triggering a runtime audit event. This event is ingested into XSOAR, which triggers the playbook. Cloud security and SOC analysts can swiftly access all relevant information, communicate with stakeholders, and implement automated or manual remediation.
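To make the playbook sections above concrete for this C2 scenario, here is an added Python model of the triage steps (enrichment, similar-alert correlation, owner lookup, severity rating, and hand-off to the Block Indicators - Generic v3 and Cloud Response - Generic playbooks). It is illustration written for this post, not code from the pack; the audit event, field names, lookup tables and owner-naming convention are all constructed assumptions, not the Prisma Cloud Compute schema.

```python
"""Constructed model of the triage the Audit Alert v3 playbook performs on a
runtime audit event. Field names and lookup tables are assumptions for
illustration, not the Prisma Cloud Compute schema or the pack's commands."""
from collections import Counter

# Constructed runtime audit event: a container reaching an outbound IP flagged by a rule.
AUDIT_EVENT = {
    "category": "network", "host": "node-03", "container": "payments-api-7d9f",
    "image": "registry.example/payments-api:1.4.2",
    "rule": "Alert on unexpected outbound connections",
    "message": "Outbound connection to 203.0.113.10:4444 not permitted by rule",
    "indicators": {"ip": ["203.0.113.10"], "file": ["/tmp/.x/run.sh"]},
}
# Constructed historical alerts, image scan results and owner table (stand-ins for the lookups).
HISTORY = [
    {"container": "payments-api-7d9f", "category": "filesystem", "message": "wrote /tmp/.x/run.sh"},
    {"container": "payments-api-7d9f", "category": "processes", "message": "spawned /bin/sh"},
    {"container": "billing-2ab1", "category": "network", "message": "dns lookup burst"},
]
IMAGE_SCAN = {"registry.example/payments-api:1.4.2": {
    "cves": [{"id": "CVE-PLACEHOLDER-1", "severity": "critical"}],
    "compliance": ["container runs as root"]}}
OWNERS = {"payments-api": "payments-team@example.com"}

def triage(event, history=HISTORY, scans=IMAGE_SCAN, owners=OWNERS):
    """Enrich, correlate similar alerts, assign owner, rate severity, pick remediation."""
    similar = [a for a in history if a["container"] == event["container"]]
    scan = scans.get(event["image"], {"cves": [], "compliance": []})
    critical = any(c["severity"] == "critical" for c in scan["cves"])
    # Network egress to a flagged IP starts at high; escalate when the same container
    # already shows other runtime categories (multi-stage activity) or a critical CVE.
    stages = Counter(a["category"] for a in similar)
    severity = "high" if event["category"] == "network" else "medium"
    if len(stages) >= 2 or (critical and similar):
        severity = "critical"
    # Assumed convention: owner is keyed on the workload name before the replica suffix.
    owner = owners.get(event["container"].rsplit("-", 1)[0], "unassigned")
    actions = []
    if event["indicators"].get("ip"):
        actions.append(("Block Indicators - Generic v3", event["indicators"]["ip"]))
    if severity == "critical":
        actions.append(("Cloud Response - Generic", [event["host"], event["container"]]))
    return {"severity": severity, "owner": owner, "similar_alerts": len(similar),
            "cves": [c["id"] for c in scan["cves"]], "compliance": scan["compliance"],
            "actions": actions}

if __name__ == "__main__":
    print(triage(AUDIT_EVENT))
```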

 

The result?

 

A significant reduction in investigation time and fortified security defenses.

 

Conclusion: Leveraging the Full Power of Cortex XSOAR and Prisma Cloud Compute

The Cortex XSOAR Prisma Cloud Compute - Audit Alert v3 playbook, part of the versatile Prisma Cloud Compute by Palo Alto Networks pack, offers an automated approach to handling runtime audit events. As we navigate the complex terrain of cloud security, this playbook serves as a valuable asset, guiding security teams towards efficient incident resolution and comprehensive threat management.

 

In a dynamic cloud world where seconds matter, Cortex XSOAR's Prisma Cloud Compute - Audit Alert v3 playbook emerges as a reliable ally, ensuring runtime audit events are not just responded to but proactively managed.
