Enhanced Alert Remediation for Prisma Cloud CSPM Using Cortex XSOAR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L3 Networker
No ratings

By Jonathan King, Customer Success Engineer

 

and

 

Brandon Goldstein, Senior Customer Success Engineer

 

Introduction 

 

Prisma Cloud allows you to create policies to ensure that your Cloud Security Posture Management is in compliance with best practices and the needs of your organization.  These policies create alerts which need to be evaluated and also indicate which cloud objects need to be updated to be in compliance. 

 

Managing these alerts is a task that many organizations find difficult as the number of alerts increases. Prisma Cloud allows you to define an auto-remediation to correct certain alerts.  However, oftentimes an organization requires much more customization and integration with other tools that they are using. 

 

This article describes how to increase your alert automation and integrate with other tools by using a security orchestration, automation, and response (SOAR) platform from Palo Alto Networks.

 

What is Cortex XSOAR?

 

Cortex XSOAR is a comprehensive security orchestration, automation and response platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle. The Cortex XSOAR platform includes more than 270 out-of-the-box playbooks to automate and orchestrate any security use case.

 

Prisma Cloud Alert Handling

 

Prisma Cloud allow you multiple options to deal with alerts.: 

 

  1. You can configure your alert handling to automatically remediate cloud security policy violations using a set of CLI commands. 
  2. You can configure your alert to be sent to external systems such as
      1. Email
      2. Jira
      3. ServiceNow

    Which allows you to prioritize and categorize alerts with different teams in your organization. 

  3. You can configure your alert to be sent to Cortex XSOAR and have the alert resolved using a playbook. These playbooks allow a different approach to handling alerts by providing your organization with a remediation that is custom tailored to your environment and tools. 

 

Alert Remediation

 

We are going to give examples of alert remediation in Prisma Cloud  and Cortex XSOAR. 

 

Prisma Cloud 

 

Allows creating an auto remediation using a set of CLI commands for the respected Cloud Service Provider (CSP), such as AWS, Azure, GCP, OCI… for the alert in question. 

 

RPrasadi_0-1709755281832.png

Figure 1: Prisma Cloud Policy Auto-Remediation Configuration_palo-alto-networks 

 

Cortex XSOAR

 

Additional options and flexibility are available when using Cortex XSOAR to remediate an alert.  Not only can you resolve the alert, but you can also take any additional actions needed in your specific environment. 

 

RPrasadi_1-1709755336005.png

Fig 2. Cortex XSOAR Playbook Example_palo-alto-networks 

 

These playbooks will be beneficial for not only remediating common issues (such as those in Prisma Cloud using Auto-Remediation) but also for sending out custom actions to address other teams, remediating complex resources.

 

Alerts vs Incidents

 

With the Prisma Cloud and Cortex XSOAR outbound or push-based integration, you can send a Prisma Cloud alert generated by a policy violation to Cortex XSOAR to process as an incident. Connecting these two products enables your Security operations team to define custom playbooks or use the out-of-box playbooks on Cortex XSOAR to create multi-step workflows for incident management of your cloud resources. This is an alternative to the pull-based integration that you can configure from Cortex XSOAR.

 

  1. Push-based integration sends alerts as they happen from Prisma Cloud to Cortex XSOAR.
  2. Pull-based integration has Cortex XSOAR logging into Prisma Cloud and checking for alerts, every n minutes, where n is a configuration option. 

 

Using the policy ID in the alert, Cortex XSOAR categorizes the alert as a specific incident type. For an incident type, the Prisma Cloud alert payload is mapped to a Cortex XSOAR layout that specifies the incident fields for data classification and mapping on Cortex XSOAR. 

 

The current list of Cortex XSOAR incident types are: 

 

  1. AWS CloudTrail Misconfiguration
  2. AWS EC2 Instance Misconfiguration 
  3. AWS IAM Policy Misconfiguration
  4. Azure AKS Misconfiguration
  5. Azure Network Misconfiguration
  6. Azure SQL Misconfiguration
  7. Azure Storage Misconfiguration
  8. GCP Compute Engine Misconfiguration
  9. GCP Kubernetes Engine Misconfiguration 
  10. Prisma Cloud

 

If a custom policy is being used in Prisma Cloud which you would like to use as an incident, our best practices would be to create a custom incident in XSOAR to complement and focus on the custom Prisma Cloud policy you have created. This way not only the details of the incident are shown but also a tailored strategy that is specific to your policy needs to help resolve the issue effectively.

 

If the Prisma Cloud policy ID is not categorized to a specific incident type, it is automatically mapped to the generic Prisma Cloud incident type. Every incident type is mapped to a Cortex XSOAR layout and associated with a playbook to enable auto-remediation of the violating resource, except for the generic Prisma Cloud incident type. Ref: Integrate Prisma Cloud with Cortex XSOAR

 

Integrating Cortex XSOAR into Prisma Cloud

 

To setup a Cortex XSOAR integration in Prisma Cloud select 

Settings > Integrations > Add Integration > Select Cortex XSOAR

 

RPrasadi_2-1709755381578.jpeg

Fig 3: Adding Integration for Cortex XSOAR_palo-alto-networks 

 

Once you have added in the Name, Description, XSOAR FQDN/IP Address*, and API Key, then you can run a test to verify the integration is successful (and save.) For more information, please refer to the link at the bottom of this page [1].

NOTE: Make sure that if you are using a multi-tenant deployment to enter the tenant URL without HTTP or HTTPS.
 

Create Prisma Cloud Alert Rule

 

Next, you add this Cortex XSOAR integration into an alert rule[2].  Best practice is to focus on policies that your organization requires to have complex resolution. 

 

  1. Go to Alert Rules > Edit or Add a New Alert rule > Verify that Alert Notifications is Checked 
  2. Add your Targets and Policies you want Alerted to XSOAR 
  3. Under “Configure Notifications” go under Cortex XSOAR and enable with the integration you want selected in the drop-down > Click Finish


This completes setting up Prisma Cloud to send alerts to Cortex XSOAR for incident processing.  

 

Now we need to set up the Cortex XSOAR to receive the alerts. 

 

Setting up the integration in Cortex XSOAR

 

Many of the Prisma Cloud alerts are already categorized already out-of-the-box (see Alerts vs Incidents above). If the Prisma Cloud policy ID is not categorized to a specific Cortex XSOAR incident type, it is automatically mapped to the generic Prisma Cloud incident type by default.

 

XSOAR Marketplace Prisma Cloud installation

 

Before you can see Prisma incidents in XSOAR, you need to install the Prisma Cloud by Palo Alto Networks content pack from the Cortex XSOAR Marketplace.

 

To set this up in Cortex XSOAR:

  1. Marketplace > Browse >
    Select Prisma Cloud by Palo Alto Networks content pack and Install > 
  2. Enable the connection by
    Settings > Objects Setup > Classification & Mapping >
    Click the Triple Dot and select API endpoint Mapping 
  3. For the Prisma Cloud Row, select
    Prisma Cloud App - Classifier and Prisma Cloud App - Incoming Mapper > And Save

 

RPrasadi_3-1709755621709.png

Fig 4: Mapping Prisma to XSOAR_palo-alto-networks 

 

Once this has been successfully mapped, you can view incident types by the Prisma Cloud App - Classifier under 

 

Settings > Objects Setup > Incidents > Classification & Mapping.

 

You can click on Prisma incidents and view their playbooks by going to the War Room Tab and selecting their playbook that is associated. From here, you can also manage how this playbook functions and how it will integrate into your environment.

 

The Playbooks range from simple to  very complex depending on the outcome that is desired. Start with the out-of-the-box solutions to see how they perform in your environment. Once you have them working, feel free to add additional functionality to customize the solution to fit your needs.

 

Security Group Misconfiguration Example

 

Take the Prisma Cloud policy:

"AWS Security Groups Allows Internet Traffic To TCP Port"

 

We want to make sure that a Security Group misconfiguration is being tracked within Cortex XSOAR, when it is alerted as a policy within Prisma Cloud. We see from the following Playbook that as long as the resource is still available then auto-remediation will take place to solve this issue. Alternatively, the solution is to notify the customer of this incident and perform manual steps to remediate.

 

RPrasadi_4-1709755679322.png

Fig 5: Playbook Example of a Misconfigured AWS Security Group_palo-alto-networks 

 

Conclusion

 

This article has discussed how Prisma Cloud can remediate alerts using the CSP CLI.  By adding a Cortex XSOAR integration, Prisma Cloud can push alerts as they occur to Cortex XSOAR, and the incidents will be processed by runbooks. The Cortex XSOAR runbooks allow greater functionality in being able to remediate an alert automatically, as well as provide the ability to route the alert information to other active applications or systems within your organization. 

 

Cortex XSOAR provides a mechanism for you and your teams to customize the handling of alerts from Prisma Cloud and automate the response to more alerts leaving fewer alerts to be processed by your security team. 

 

Reference

 

[1] Integrate Prisma Cloud with Cortex XSOAR

 

[2] Prisma Cloud Alert Rule 

 

About the Authors

 

Brandon Goldstein is the senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Brandon uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success and Jonathan King is a Cloud Security Engineer, specializing in supporting all non-compute solutions for Prisma Cloud  AWS, Azure, GCP, OCI, and Alibaba.

Rate this article:
  • 735 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎03-13-2024 12:17 PM
Updated by: