Automated CSPM reporting through Prisma Cloud API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter
No ratings

By Alan Gomez, Cloud Security Engineer

 

Introduction

 

If you have ever wondered whether you can use APIs to unlock the full potential of Prisma Cloud's data, you are in the right place. This article explores how to connect securely, navigate the available endpoints, and most importantly, extract crucial information about your cloud environment through the understanding of the core components of Prisma Cloud API. By the end of this article, you will have a solid understanding of how to take advantage of Prisma Cloud’s API to enhance your visibility into your organization's cloud security posture. 

 

Let’s get familiar with some common terms first:

 

API 

An API (Application Programming Interface) acts as a bridge between different software applications, allowing them to communicate and exchange data. It enables you to automate tasks, integrate with other tools, and craft custom solutions.

 

Prisma Cloud API

This is the programmatic gateway (the API) to Prisma Cloud resources.

 

Access Key

Access Keys are a secure way to enable programmatic access to the Prisma Cloud API. A Prisma Cloud System Admin has API access and can enable API access to other administrators.

 

Token

A token is a compact piece of data that serves as proof of identity or permission. Tokens are often used for authentication and authorization purposes.

 

JWT 

A JWT (JSON Web Token) is a specific type of token that adheres to the JSON Web Token standard. It's a self-contained, digitally signed piece of data that carries information about the user or the request.

 

Getting Started

 

To interact with Prisma Cloud data programmatically, you'll need to create an Access Key. This key serves as the foundation for generating a JWT token, which acts as your secure digital certificate, authorizing your connection to the Prisma Cloud API.

 

Generating Access Keys

 

To create an Access Key, login as System Admin* and go to Prisma Cloud SettingsAccess ControlAccess Keys, then  click on Add:

 

unnamed.jpg

Figure 1: Access-keys_PaloAltoNetworks

 

*As a best security practice, System Administrator level privileges should not be used for automation or reporting tasks. Please consider creating a role based service account with the appropriate set of permissions depending on the task you are trying to accomplish. Full list of roles can be found here [1].  

 

Add Access key Name and as a best practice an Expiration Date:

 

 
unnamed.jpg

Figure 2: Add-Access-Key_PaloAltoNetworks

 


A one-time screen will be displayed with the Access Key ID and the Secret Access Key values, these values can be displayed only at this time or downloaded to a CSV file 

 

unnamed.jpg

Figure 3: Access-Key-results_PaloAltoNetworks

 

Generate JWT Tokens in Prisma Cloud

 

Once an Access key was created. It will be used to Login and generate a JWT 

 

curl -X POST \

https://api.prismacloud.io/login \

-H 'Content-Type: application/json' \

-d '{"username":"<Access Key ID>","password":"<Secret Access Key>"}'

 

Where Access Key ID and Secret Access Key are the values you just obtained from the access key 

*Note: The API URL varies depending on the cluster in which your tenant is deployed, please take this into account. List of API URL can be found here [2]

 

Your command would look similar to this

 

$ curl -X POST https://api.prismacloud.io/login -H 'Content-Type: application/json' -d '{"username":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","password":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx"}'

 

Please note that the JWT token will be generated and displayed in the output of the previous command:

 

 
unnamed.jpg

Figure 4: Sample-of-JWT_PaloAltoNetworks


*You can find additional information about JWT generation here [3]

 

Copy and use this string as the JWT in the upcoming API requests

 

Best Practices using JWT

 

Something important to note is that JWT currently expires every 10 minutes. This is a Security control you need to be aware of since once the JWT is expired you no longer will be able to use it and instead you need to generate a new one or extend the actual one. These best practices are out of the scope of this article, though you can read more about them in this article [4]

 

Extracting Information

 

List of Access Keys

 

The following snippet is one of the simplest request you can use to verify your session is active:

 

curl -L 'https://api.prismacloud.io/access_keys' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE>'


Where API_KEY_VALUE is the JWT so replace this with the string you obtained before. In this article you will see API_KEY_VALUE referring to the JWT string


Your request would look similar to the following snippet,  where parameter x-redlock-auth’s value corresponds to the JWT value you obtained before:

 

unnamed.jpg

Figure 5: List-access-keys_PaloAltoNetworks


This request will give you the list of your access keys in your tenant. Output is JSON based so you can use a tool like “jq” to handle the output, i.e:


curl -L 'https://api.prismacloud.io/access_keys' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE>' | jq '.'

 

You can find more information about this type of request here [5] 

 

Identifying Vulnerabilities of an Asset

 

Let’s go further and see how we can obtain information about an asset’s vulnerabilities 

 

curl -L 'https://api2.prismacloud.io/uai/v1/asset' \

-H 'Content-Type: application/json' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE>' \

-d '{

  "assetId": "<Asset ID>",

  "type": "vulnerabilities"

}' 


Where API_KEY_VALUE is the JWT token and Asset ID is the asset ID or unified-asset-id

 

Note: the previous snippet is expecting Asset ID’s value as data passed in the data parameter.  Let’s see where we can get this value in Prisma Cloud so we can use it in our curl.

 

In Prisma Cloud, go to Inventory, Filter out by cloud type and Asset type so you can pick one asset from your inventory, then click on View asset config so you get all the Asset JSON metadata as shown below:

 

 
asset.png

Figure 6: View-asset-config_PaloAltoNetworks


Asset ID is highlighted below:

 

 
unnamed.jpg

Figure 7: Asset-json_PaloAltoNetworks


Your API request would look like this:

 

# Get Asset findings

curl -L 'https://api.prismacloud.io/uai/v1/asset' \

-H 'Content-Type: application/json' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \

-d '{

  "assetId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

  "type": "vulnerabilities"

}'

 

Identifying findings of an Asset

 

We can use the same request only varying the type of request to obtain the list of the Asset’s findings:

 

curl -L 'https://api2.prismacloud.io/uai/v1/asset' \

-H 'Content-Type: application/json' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE>' \

-d '{

  "assetId": "<Asset ID>",

  "type": "findings"

}' 


We can obtain much more valuable information by querying this endpoint,  for full information you can read here [6] 

 

Querying Data About Your Resources

 

If we don’t know what specific Assets ID we are looking for but want to obtain the data from a wider range of resources meeting criteria such as the cloud type or cloud account, we can do so. With the following snippet you can obtain a report of assets that matches some criteria like Cloud Type and Cloud Account name:

 

curl -L 'https://api.prismacloud.io/v2/resource/scan_info?cloud.account=<accountname>&cloud.type=<account.type>' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE> '


Note the parameters expected like account name. Your command would look similar to this:

 

# Get Assets IDs

curl -L 'https://api0.prismacloud.io/v2/resource/scan_info?cloud.account=PC%20AWS%20Lab&cloud.type=aws&limit=...' \

-H 'Accept: application/json' \

-H 'x-redlock-auth: <API_KEY_VALUE> '

 

Among the data we can obtain from this request is the Asset ID like shown below:

 

 
unnamed.jpg

Figure 8: Asset-id_PaloAltoNetworks

 

You can read more about this endpoint here [7]

 

Conclusion

 

The Prisma Cloud API is a powerful tool, providing programmatic access to your Prisma Cloud resources, empowering organizations to automate,  customize and even integrate with other tools. In this article we demonstrated how easy you can use it to retrieve key information about your resources, such as assets’ findings and vulnerabilities but also how you can extract specific data like the asset's id among your resources’ metadata. 

In further articles we will go more in depth and explore common use cases and reporting tips.

 

Reference

 

[1] Prisma Cloud Administrator Permissions

[2] API URLs | Develop with Palo Alto Networks

[3] Generate JWT Tokens in Prisma Cloud

[4] Scripting and Automation Best Practices with Prisma Cloud CSPM JWT

[5] List Access Keys | Develop with Palo Alto Networks

[6] Get Asset | Develop with Palo Alto Networks

[7] Resource Scan Info V2 - GET | Develop with Palo Alto Networks

 

About the Author

 

Alan Gomez, with a background in DevSecOps & Cloud is a Cloud Security Engineer dedicated to helping organizations strengthen their cloud security posture. He is passionate about leveraging Prisma Cloud's capabilities to proactively address cloud security risks and ensure compliance.

Rate this article:
  • 310 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎10-10-2024 04:29 PM
Updated by: