Cortex Cloud Discussions
Share ideas and post questions related to Cortex Cloud — the industry's most comprehensive cloud native security platform — and the compute capabilities available within it in this forum.

Discussions

Welcome to the Prisma Cloud Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 5134 Views
  • 1 replies
  • 1 Likes

Resolved! How to use multiline aws-cli command in remediation

I am using below aws-cli command to remove/disable cloudfront distribution originprotocolssl:SSLv3 aws cloudfront get-distribution-config --id E29BDBENPXM1VE | jq -c -r 'del(.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[0])|.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Quantity=3 | .Di...

Resolved! "aws-elb(v2)-describe-load-balancers" ingest API

Perhaps I missed the memo, but I did not see in the RQL documentation anywhere that the similarly named ingest APIs as the AWS API are the same. So I was searching for JSON structures that are not available, since the output is entirely different. Need something to note that somewhere.

Resolved! CloudWatch RQL

Hi all, Relatively new with Prisma and playing with the RQL. Would anyone be able to tell me if there's a query I can run that tells me if cloudwatch is enabled within an AWS environment? Report wise, I tried running something against CIS compliance and it's really just telling me that cloud trail is not integrated with cloud watch which doesn't...

Resolved! How can I see a list of open alerts in Red Lock for All Time

Hi, How can I see a list of open alerts for All Time? I do not want to see alerts that were open (in past) but fixed now. Here's what I am doing to see the list but not working as expected. The list shows all the alerts including alerts that were open in past but fixed now. In Alerts Tab, Select All Time and Open. Please let me know...

SAziz by L1 Bithead
  • 4319 Views
  • 1 replies
  • 0 Likes

Resolved! Check for snapshot taken using programmatic access

I need to write a query to check for events of a snapshot taken using programmatic access: event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.userIdentity.type = "Consolepassword" Till now I have tried to do this, and I am pretty sure 'json.rule = $.userIdentity.type = "Consolepassword"' is 100% incorrect. I...

APaul by L0 Member
  • 6478 Views
  • 3 replies
  • 0 Likes

Resolved! RQL Filter Bug

I found that when I use the filter command in RQL, it requires you to assign two variables in order for the filter command to work appropriately. Even if you don’t use the other assigned variable in the filter command, the api requires the two variables to be assigned. Otherwise, a warning is returned with no output. I believe this could be prob...

Resolved! Has anyone succeeded at integrating Prisma cloud with Jira Cloud?

I have been trying to find how to integrate Jira Cloud with Prisma Cloud (aka Redlock). I found this guide: https://docs.paloaltonetworks.com/redlock/redlock-admin/configure-external-integrations-on-redlock/integrate-redlock-with-jira and also it says that it works for Jira Cloud too it only talks about Jira On Prem. Has anyone figured it out? Thx.

AHardy1 by L1 Bithead
  • 11074 Views
  • 6 replies
  • 0 Likes

Resolved! What is frequency at which redlock scans cloud accounts?

I am curious to know the frequency at which redlock scans/make api calls to cloud accounts, I understand once policy is created and alert rule is configured & also wanted to know if there is any feature in redlock to capture the exact details api calls made. However I have been configured redlock service with my multiple AWS accounts and I ...

SBk by L0 Member
  • 8873 Views
  • 4 replies
  • 0 Likes

Error while adding GCP account (permission denied)

Hi, I am trying out RedLock using the trial and I am having issues trying to configure my GCP project. I followed the instructions carefully at https://docs.paloaltonetworks.com/redlock/redlock-admin/connect-your-cloud-platform-to-redlock/onboard-your-gcp-account/set-up-gcp-account-for-redLock-service.html I got permissions error. I even tried te...

FAllard by L1 Bithead
  • 10016 Views
  • 6 replies
  • 0 Likes

Capture JSON for Alerts that are sent to SQS

I have configured Redlock to send alert to SQS queue. I am getting the below fields in JSON body when I fetch it from SQS: However, when I try to fetch the alert details using Alert API I get the complete different schema. As soon as an alert is generated, then the JSON data for that alert is sent to SQS queue. (I ha...

APaul by L0 Member
  • 5085 Views
  • 1 replies
  • 0 Likes

Python API for Compliance Reports

Hi all, I'd like to create, read, update and/or delete Compliance Reports via the API but there's no documentation on compliance reports in the REST API documentation. It was confirmed that the API does support CRUD for compliance reports and that a ticket for the inclusion of the information in the documentation has been opened, but I was wonde...

JBox by L1 Bithead
  • 6663 Views
  • 2 replies
  • 0 Likes

Resolved! API GET Cloud Account Info: no data in "lastModifiedTs" or "lastModifiedBy" in Azure accounts

Hi all, With the returned JSON using the 'Cloud Account Info' API for a couple of Azure accounts I have, the fields "lastModifiedTs" and "lastModifiedBy" show 0 and null respectively. However, the portal has the correct time and details of who last modified. Is this a bug or am I missing something? Thanks!

JBox by L1 Bithead
  • 5320 Views
  • 1 replies
  • 0 Likes

Resolved! Python API: Add Compliance Standard to Policy

Hi all, I'm having trouble adding a Compliance Standard to an existing Policy via the API. In essence my code looks like: import requests url = https://api2.redlock.io/policy/{policy_id} header = {'Content-Type': 'application/json', 'x-redlock-auth': 'token'} payload = { 'name': 'policy_name', 'policyType': 'policy_type', 'severit...

JBox by L1 Bithead
  • 16810 Views
  • 7 replies
  • 0 Likes