on 03-07-2024 09:47 AM - edited on 03-13-2024 12:17 PM by RPrasadi
Prisma Cloud allows you to create policies to ensure that your Cloud Security Posture Management is in compliance with best practices and the needs of your organization. These policies create alerts which need to be evaluated and also indicate which cloud objects need to be updated to be in compliance.
Managing these alerts is a task that many organizations find difficult as the number of alerts increases. Prisma Cloud allows you to define an auto-remediation to correct certain alerts. However, oftentimes an organization requires much more customization and integration with other tools that they are using.
This article describes how to increase your alert automation and integrate with other tools by using a security orchestration, automation, and response (SOAR) platform from Palo Alto Networks.
Cortex XSOAR is a comprehensive security orchestration, automation and response platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle. The Cortex XSOAR platform includes more than 270 out-of-the-box playbooks to automate and orchestrate any security use case.
Prisma Cloud offers multiple options for dealing with alerts:
The first allows you to prioritize and categorize alerts for the different teams in your organization.
We are going to give examples of alert remediation in Prisma Cloud and Cortex XSOAR.
Policy auto-remediation lets you define a set of CLI commands for the respective Cloud Service Provider (CSP), such as AWS, Azure, GCP, OCI… that correct the alert in question.
Figure 1: Prisma Cloud Policy Auto-Remediation Configuration
Additional options and flexibility are available when using Cortex XSOAR to remediate an alert. Not only can you resolve the alert, but you can also take any additional actions needed in your specific environment.
Figure 2: Cortex XSOAR Playbook Example
These playbooks are useful not only for remediating common issues (such as those Prisma Cloud handles with auto-remediation) but also for sending custom actions to other teams and for remediating more complex resources.
With the Prisma Cloud and Cortex XSOAR outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR to process as an incident. Connecting these two products enables your Security operations team to define custom playbooks or use the out-of-box playbooks on Cortex XSOAR to create multi-step workflows for incident management of your cloud resources. This is an alternative to the pull-based integration that you can configure from Cortex XSOAR.
Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For an incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR.
The current list of Cortex XSOAR incident types is:
If you are using a custom policy in Prisma Cloud that you would like to handle as an incident, our best practice is to create a custom incident type in XSOAR that complements and focuses on that custom policy. This way, not only are the details of the incident shown, but a strategy tailored to your policy's needs also helps resolve the issue effectively.
If the Prisma Cloud policy ID is not categorized to a specific incident type, it is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook to enable auto-remediation of the violating resource, except for the generic Prisma Cloud incident type. Ref: Integrate Prisma Cloud with Cortex XSOAR
To set up a Cortex XSOAR integration in Prisma Cloud, select
Settings > Integrations > Add Integration > Select Cortex XSOAR
Figure 3: Adding Integration for Cortex XSOAR
Once you have entered the Name, Description, XSOAR FQDN/IP Address, and API Key, run a test to verify that the integration is successful, then save. For more information, refer to the link at the bottom of this page [1].
Next, add this Cortex XSOAR integration to an alert rule[2]. Best practice is to focus on the policies that require a complex resolution in your organization.
This completes setting up Prisma Cloud to send alerts to Cortex XSOAR for incident processing.
Now we need to set up the Cortex XSOAR to receive the alerts.
Many Prisma Cloud alerts are already categorized out of the box (see Alerts vs Incidents above). If the Prisma Cloud policy ID is not categorized to a specific Cortex XSOAR incident type, it is automatically mapped to the generic Prisma Cloud incident type by default.
Before you can see Prisma incidents in XSOAR, you need to install the Prisma Cloud by Palo Alto Networks content pack from the Cortex XSOAR Marketplace.
To set this up in Cortex XSOAR:
Figure 4: Mapping Prisma to XSOAR
Once this has been successfully mapped, you can view incident types by the Prisma Cloud App - Classifier under
Settings > Objects Setup > Incidents > Classification & Mapping.
You can click on a Prisma Cloud incident and view its playbook by going to the War Room tab and selecting the associated playbook. From here, you can also manage how this playbook functions and how it integrates into your environment.
The Playbooks range from simple to very complex depending on the outcome that is desired. Start with the out-of-the-box solutions to see how they perform in your environment. Once you have them working, feel free to add additional functionality to customize the solution to fit your needs.
Take the Prisma Cloud policy:
"AWS Security Groups Allows Internet Traffic To TCP Port"
We want to make sure that a Security Group misconfiguration is tracked within Cortex XSOAR when Prisma Cloud raises an alert for this policy. The following playbook shows that, as long as the resource is still available, auto-remediation takes place to resolve the issue. Otherwise, the playbook notifies the customer of the incident so that manual remediation steps can be performed.
Figure 5: Playbook Example of a Misconfigured AWS Security Group
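The two pieces of logic this article describes, classification of a pushed alert by policy ID (with the generic fallback) and the Figure 5 decision to auto-remediate only while the resource still exists, modelled in Python as an added example. This is not Prisma Cloud or Cortex XSOAR code: the policy ID, the alert payload field names and the security-group JSON are constructed placeholders.

```python
# Added model (not product code) of the flow described above: a pushed Prisma
# Cloud alert is classified by policy ID, mapped to incident fields and triaged
# the way the Figure 5 playbook does. Policy IDs, payload field names and the
# resource JSON below are constructed placeholders, not real product values.
GENERIC_INCIDENT = "Prisma Cloud"  # fallback type named on the page
POLICY_TO_INCIDENT = {"policy-sg-open-tcp": "AWS Security Group Open TCP Port"}

SAMPLE_ALERT = {  # constructed payload; field names are assumptions
    "alertId": "P-1", "policyId": "policy-sg-open-tcp",
    "policyName": "AWS Security Groups Allows Internet Traffic To TCP Port",
    "resourceId": "sg-0123", "resourceRegion": "us-east-1", "accountId": "111",
    "resource": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]},
}

def classify(alert):
    """Unknown policy IDs fall through to the generic incident type."""
    return POLICY_TO_INCIDENT.get(alert.get("policyId", ""), GENERIC_INCIDENT)

def open_ingress_rules(resource):
    """TCP (or all-protocol) ingress rules open to every IPv4/IPv6 address."""
    found = []
    for rule in resource.get("ipPermissions", []):
        if rule.get("ipProtocol") not in ("tcp", "-1"):
            continue
        cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            found.append(rule)
    return found

def build_incident(alert, resource_exists):
    """Incident fields plus the playbook branch: auto-remediate only when the
    resource still exists and an offending rule is found, otherwise notify."""
    incident = {"type": classify(alert), "policy": alert.get("policyName"),
                "resource_id": alert.get("resourceId"),
                "region": alert.get("resourceRegion"),
                "account": alert.get("accountId"),
                "action": "notify", "rules_to_revoke": []}
    if incident["type"] == GENERIC_INCIDENT or not incident["resource_id"]:
        return incident  # no dedicated playbook: hand to an analyst
    if resource_exists(incident["resource_id"]):
        rules = open_ingress_rules(alert.get("resource", {}))
        if rules:
            incident["action"] = "auto_remediate"
            incident["rules_to_revoke"] = rules
    return incident
```

`resource_exists` stands in for the playbook's lookup of the security group in the cloud account; pass a function that queries the CSP in a real playbook.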
This article has discussed how Prisma Cloud can remediate alerts using the CSP CLI. By adding a Cortex XSOAR integration, Prisma Cloud can push alerts as they occur to Cortex XSOAR, where the resulting incidents are processed by playbooks. The Cortex XSOAR playbooks offer greater functionality for remediating an alert automatically, as well as the ability to route the alert information to other active applications or systems within your organization.
Cortex XSOAR provides a mechanism for you and your teams to customize the handling of alerts from Prisma Cloud and to automate the response to more alerts, leaving fewer alerts for your security team to process.
[1] Integrate Prisma Cloud with Cortex XSOAR
Brandon Goldstein is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Brandon uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages multi-industry knowledge to inspire success. Jonathan King is a Cloud Security Engineer specializing in supporting all non-compute solutions for Prisma Cloud on AWS, Azure, GCP, OCI, and Alibaba.