09-27-2024 03:15 PM - edited 10-10-2024 04:29 PM
If you have ever wondered whether you can use APIs to unlock the full potential of Prisma Cloud's data, you are in the right place. This article explores how to connect securely, navigate the available endpoints, and, most importantly, extract crucial information about your cloud environment by understanding the core components of the Prisma Cloud API. By the end of this article, you will have a solid understanding of how to take advantage of Prisma Cloud’s API to enhance your visibility into your organization's cloud security posture.
Let’s get familiar with some common terms first:
API
An API (Application Programming Interface) acts as a bridge between different software applications, allowing them to communicate and exchange data. It enables you to automate tasks, integrate with other tools, and craft custom solutions.
Prisma Cloud API
This is the programmatic gateway (the API) to Prisma Cloud resources.
Access Key
Access Keys are a secure way to enable programmatic access to the Prisma Cloud API. A Prisma Cloud System Admin has API access and can enable API access for other administrators.
Token
A token is a compact piece of data that serves as proof of identity or permission. Tokens are often used for authentication and authorization purposes.
JWT
A JWT (JSON Web Token) is a specific type of token that adheres to the JSON Web Token standard. It's a self-contained, digitally signed piece of data that carries information about the user or the request.
To interact with Prisma Cloud data programmatically, you'll need to create an Access Key. This key serves as the foundation for generating a JWT token, which acts as your secure digital certificate, authorizing your connection to the Prisma Cloud API.
To create an Access Key, log in as System Admin* and go to Prisma Cloud Settings, Access Control, Access Keys, then click on Add:
Figure 1: Access-keys_PaloAltoNetworks
*As a best security practice, System Administrator level privileges should not be used for automation or reporting tasks. Please consider creating a role-based service account with the appropriate set of permissions for the task you are trying to accomplish. The full list of roles can be found here [1].
Enter an Access Key name and, as a best practice, an Expiration Date:
Figure 2: Add-Access-Key_
A one-time screen will be displayed with the Access Key ID and the Secret Access Key values. These values can only be viewed at this time or downloaded to a CSV file.
Figure 3: Access-Key-results_
Once the Access Key has been created, it is used to log in and generate a JWT:
curl -X POST \
https://api.prismacloud.io/ \
-H 'Content-Type: application/json' \
-d '{"username":"<Access Key ID>","password":"<Secret Access Key>"}'
Where Access Key ID and Secret Access Key are the values you just obtained from the access key.
*Note: The API URL varies depending on the cluster in which your tenant is deployed, so please take this into account. The list of API URLs can be found here [2].
Your command would look similar to this:
$ curl -X POST https://api.prismacloud.io/
Please note that the JWT token will be generated and displayed in the output of the previous command:
Figure 4: Sample-of-JWT_PaloAltoNetworks
*You can find additional information about JWT generation here [3]
Copy this string and use it as the JWT in the upcoming API requests.
Note that the JWT currently expires every 10 minutes. This is a security control you need to be aware of: once the JWT has expired you can no longer use it and must instead generate a new one or extend the current one. These best practices are out of the scope of this article, though you can read more about them in this article [4].
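The 10-minute lifetime described above can be checked client-side before each request. The following is an added example, not part of the original article: it decodes the JWT payload and reads its expiry, assuming the token carries the standard `exp` claim (RFC 7519); the function names and the `PRISMA_JWT` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): check how long a JWT has left
# before sending it in the x-redlock-auth header.
# Assumption: the token carries the standard RFC 7519 "exp" claim (epoch seconds).
# The payload is only decoded, never verified; use the result for scheduling only.

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() (
  seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  [ -n "$seg" ] || exit 1
  # base64url drops the '=' padding; restore it before decoding
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d 2>/dev/null
)

# Print the numeric "exp" claim, or fail if the token has none.
jwt_exp() (
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && printf '%s\n' "$exp"
)

# Print seconds until expiry. $2 is an optional "now" (epoch seconds) for testing.
jwt_seconds_left() (
  exp=$(jwt_exp "$1") || exit 1
  now=${2:-$(date +%s)}
  echo $(( exp - now ))
)

# Succeed (exit 0) when the token is missing, unparsable, or expires within
# $2 seconds (default 60): the caller should log in again.
jwt_needs_refresh() (
  left=$(jwt_seconds_left "$1" "$3") || exit 0
  [ "$left" -le "${2:-60}" ]
)

# Usage: PRISMA_JWT is a hypothetical variable holding the token from the login call.
# if jwt_needs_refresh "$PRISMA_JWT"; then echo "log in again before the next request"; fi
```

Treating an unparsable token as "needs refresh" makes a script fail towards re-authentication rather than sending a stale value.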
The following snippet is one of the simplest requests you can use to verify your session is active:
curl -L 'https://api.prismacloud.io/' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>'
Where API_KEY_VALUE is the JWT, so replace it with the string you obtained before. Throughout this article, API_KEY_VALUE refers to the JWT string.
Your request would look similar to the following snippet, where the value of the x-redlock-auth header corresponds to the JWT value you obtained before:
Figure 5: List-access-keys_
This request will give you the list of access keys in your tenant. The output is JSON, so you can use a tool like “jq” to process it, for example:
curl -L 'https://api.prismacloud.io/' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>' | jq '.'
You can find more information about this type of request here [5].
Let’s go further and see how we can obtain information about an asset’s vulnerabilities:
curl -L 'https://api2.prismacloud.io/' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>' \
-d '{
"assetId": "<Asset ID>",
"type": "vulnerabilities"
}'
Where API_KEY_VALUE is the JWT token and Asset ID is the asset ID or unified-asset-id.
Note: the previous snippet expects the Asset ID value in the body passed with the -d (data) parameter. Let’s see where we can get this value in Prisma Cloud so we can use it in our curl command.
In Prisma Cloud, go to Inventory and filter by cloud type and asset type so you can pick one asset from your inventory, then click on View asset config to get all the asset JSON metadata as shown below:
Figure 6: View-asset-config_
Asset ID is highlighted below:
Figure 7: Asset-json_PaloAltoNetworks
Your API request would look like this:
# Get Asset findings
curl -L 'https://api.prismacloud.io/' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-d '{
"assetId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"type": "vulnerabilities"
}'
We can use the same request, varying only the type, to obtain the list of the asset’s findings:
curl -L 'https://api2.prismacloud.io/' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>' \
-d '{
"assetId": "<Asset ID>",
"type": "findings"
}'
We can obtain much more valuable information by querying this endpoint; for full details you can read here [6].
If we don’t know which specific Asset ID we are looking for but want to obtain data from a wider range of resources meeting criteria such as the cloud type or cloud account, we can do so. With the following snippet you can obtain a report of assets that match criteria like Cloud Type and Cloud Account name:
curl -L 'https://api.prismacloud.io/' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>'
Note the expected parameters, such as the account name. Your command would look similar to this:
# Get Assets IDs
curl -L 'https://api0.prismacloud.io/' \
-H 'Accept: application/json' \
-H 'x-redlock-auth: <API_KEY_VALUE>'
Among the data we can obtain from this request is the Asset ID, as shown below:
Figure 8: Asset-id_PaloAltoNetworks
You can read more about this endpoint here [7]
The Prisma Cloud API is a powerful tool that provides programmatic access to your Prisma Cloud resources, empowering organizations to automate, customize and even integrate with other tools. In this article we demonstrated how easily you can use it to retrieve key information about your resources, such as assets’ findings and vulnerabilities, and also how you can extract specific data like the asset's ID from your resources’ metadata.
In further articles we will go more in depth and explore common use cases and reporting tips.
[1] Prisma Cloud Administrator Permissions
[2] API URLs | Develop with Palo Alto Networks
[3] Generate JWT Tokens in Prisma Cloud
[4] Scripting and Automation Best Practices with Prisma Cloud CSPM JWT
[5] List Access Keys | Develop with Palo Alto Networks
[6] Get Asset | Develop with Palo Alto Networks
[7] Resource Scan Info V2 - GET | Develop with Palo Alto Networks
Alan Gomez, with a background in DevSecOps & Cloud, is a Cloud Security Engineer dedicated to helping organizations strengthen their cloud security posture. He is passionate about leveraging Prisma Cloud's capabilities to proactively address cloud security risks and ensure compliance.