How to use Prisma Cloud Action Plans  

 

By Kashan Naqvi, Customer Success Engineer

 

Introduction: 

 

What are Action Plans? 

 

Action Plans are Prisma Cloud’s AI-driven feature for improving and speeding up security remediation. Through the Action Plans tab, security teams can identify and prioritize groups of issues that can be resolved through a single fix.

 

Key Features: 

 

Prioritization: 

Action Plans group together alerts and assets that can be secured through a single fix, so your security team spends its time on the most effective outcomes. Actions are prioritized based on security context and Prisma Cloud alerts.

 

Execution and Delegation:

Use your existing Prisma Cloud integrations to delegate security fixes to your team through JIRA tickets and/or Slack messages with a single click.

 

Detailed Visibility:

Ensure that every alert resolved or asset impacted is visible in one location, and provide detailed context to your security teams.

 

Security Fix Efficiency: 

Using machine learning and generative models, Action Plans summarize tasks across the various alerts that impact the same asset, producing a comprehensive plan that reduces alerts in the fewest required steps.

 

Prerequisites

 

The following are the baseline requirements for Action Plans.

 


Configuration: 

On Prisma Cloud there is no need to configure Action Plans, as the feature is enabled on all customer tenants by default.

 

To view Action Plans:

 

Step 1: Log into Prisma Cloud Console > Action Plans 

 


Figure 1: PrismaCloudActionPlans_Page_PaloAltoNetworks

 

The Action Plans page offers several views for browsing and sorting action plans:

 

Overview: Shows a summary of the action plan finding and the primary asset affected, and lets you trace the impact of the grouped issues.

Assigned to me: Shows the number of action plans assigned to the currently logged-in user (yourself).

Unassigned Action Plans: Shows the number of unassigned action plans.

Menu: Add a customizable view based on saved filters that can be reused later.

 


Figure 2: ActionPlansOverview_Page_PaloAltoNetworks

 

Within each view, the information can be narrowed down and ordered using two controls, ‘Add Filters’ and ‘Sort by’:

 

  1. Add Filters: Add the desired filters to narrow down the action plan details.
 


Figure 3: OverviewFilter_Page_PaloAltoNetworks

 

  • Status - narrows the list down by action plan status.
 

Figure 3: StatusFilter_PaloAltoNetworks

 

  • Action Plan Name - lets the user select a specific action plan.

 

 

Figure 4: ActionPlanNameFilter_PaloAltoNetworks

 

 

Figure 5: FindinTypeFilter_PaloAltoNetworks



  • Assignee - lets the user see whether action plans have an owner.
 

Figure 6: AssigneeFilter_PaloAltoNetworks

 

  2. Sort By: Order action plans by the number of alerts, the number of affected assets or severity. Action Plans are generated based on the severity of the alerts and are only available when High or Critical alerts exist.


Figure 7: SortByFilter_PaloAltoNetworks

 

  • Criticality - Allows the user to view action plans ordered by alert severity.
  • Alert Count - Allows the user to view the action plans that have generated the most alerts.
  • Asset Count - Allows the user to view the action plans that have identified the most affected assets.

 

How To Review an Action Plan:

 

Overview: When an action plan is expanded, we can see at a glance how many alerts it addresses and how many assets are impacted. The screenshot below shows a general overview and a summary of the action plan finding with the primary affected asset. From here we can easily assign the action plan and change its status in Prisma Cloud.

 


Figure 8: ActionPlanOverview_Page_PaloAltoNetworks


Click Overview > Primary Asset to quickly see detailed information about the affected asset.

 


Figure 9: ActionPlanOverview_Page_PaloAltoNetworks


Then select Primary Asset > View Details. This opens a dashboard with detailed information on every alert that affects the asset: a summary of potential findings, attack paths, alerts and vulnerabilities. The dashboard is similar to the one we see when investigating any instance affected by an alert (Prisma Cloud console > Alerts > Alert-ID).

 

 


Figure 10: AssetDetails_Page_PaloAltoNetworks


In the top right corner of the dashboard, a ‘Business Criticality’ can be assigned to the asset; the security team can decide this based on the asset that is affected.

 

 


Figure 11: AssetDetailsBusinessCriticality_Page_PaloAltoNetworks


Additionally, the asset’s JSON can be accessed from this dashboard by clicking ‘View JSON[]’ to review the asset configuration.

 


Figure 12: AssetDetailsJSONView_Page_PaloAltoNetworks


How to Fix: This tab combines the alerts across the action plan into a single recommended fix with a summary, helping reduce issues in one step. It uses machine learning and large language models to present the information in one place.


With the help of the combined information, several alerts for an impacted asset can be resolved with a single outlined fix.

 


Figure 13: ActionPlanHowtoFix_Page_PaloAltoNetworks


There are two ways to communicate this information to the security team and ensure the assets are secured: JIRA and Slack. Both are available in the ‘How to fix’ tab.


  1. To use the JIRA integration, click ‘Create a JIRA Ticket’, then ‘Select Template’, and select the integration from the drop-down menu.

If there is no JIRA integration yet, follow the Integrate Prisma Cloud with JIRA documentation.

 


Figure 14: CreateJIRATicket_Page_PaloAltoNetworks

 


Figure 15: CreateJIRATicket_Page_PaloAltoNetworks


Click ‘Send’; a ‘Successfully created JIRA Ticket’ pop-up confirms that the ticket was created.

 

 

Figure 16: CreateJIRATicket_Page_PaloAltoNetworks


  2. To use the Slack integration, select ‘Send a Slack Message’ to send an internal message that gives visibility to the relevant security team or individuals. A Slack group can also be selected, and an optional message can be sent along with the action plan.

If there is no Slack integration yet, follow the Integrate Prisma Cloud with Slack documentation.

 


Figure 16: SendSlackMessage_Page_PaloAltoNetworks


Related Alerts: Shows the alerts targeted by the action plan. From this tab, security teams can efficiently dispatch these alerts and secure the assets.


Click Related Alerts, as shown below, to explore all the alerts individually; each alert can then be addressed on its own from within the action plan.

 

 

Figure 17: RelatedAlerts_Page_PaloAltoNetworks


Impacted Assets: Shows the list of all assets that the action plan secures. These assets can be browsed and explored with the same UI as any other security exploration in Prisma Cloud.

 


Figure 18: ImpactedAssets_Page_PaloAltoNetworks

 

Conclusion 

 

In this article, we discussed how Action Plans can enhance the efficiency of SOC teams. We covered key details that Prisma Cloud admins can leverage to understand their use, and explored how the visual representation aids in assessing the security posture of the infrastructure. With Action Plans, teams benefit from grouped alerts and a single-window ‘How to Fix’ guide, eliminating the need to navigate through multiple tabs.



About the Author

 

Kashan Naqvi is a Customer Success Engineer at Palo Alto Networks. He has vast experience in securing multi-cloud infrastructures and offers expertise across a wide range of Cloud Security Posture Management (CSPM) solutions for Prisma™ Cloud, supporting platforms including AWS, Azure, GCP, OCI, and Alibaba.

Last Updated:
02-06-2025 11:57 AM