How to use Prisma Cloud Action Plans  



By Kashan Naqvi, Customer Success Engineer




What are Action Plans? 


Action Plans is Prisma Cloud’s AI-driven feature for sharpening and accelerating a security remediation strategy. Through the Action Plans tab, security teams can identify and prioritize groups of issues that can be resolved through a single fix.


Key Features: 



Action Plans group together alerts and assets that can be secured through a single fix, ensuring your security team spends its time on the most effective outcomes. Actions are prioritized based on security context and Prisma Cloud alerts.


Execution and Delegation:

Leverage your integrations on Prisma Cloud to help delegate security fixes to your team through JIRA tickets and/or Slack messages with a single click.


Detailed Visibility:

Ensure that every alert resolved or asset impacted is visible in one location, and provide detailed context to your security teams.


Security Fix Efficiency: 

Using machine learning and generative models, Action Plans help summarize tasks across the various alerts that impact the same asset, ensuring a comprehensive plan to reduce alerts with the least number of required steps.




The following are the baseline requirements for Action Plans:



On Prisma Cloud there is no need to configure Action Plans; the feature is enabled on all customer tenants by default.


To view Action Plans:


Step 1: Log into Prisma Cloud Console > Action Plans 



Figure 1: PrismaCloudActionPlans_Page_PaloAltoNetworks


You can sort the collections in Action Plans by several options:


Overview: Shows the summary of the action plan finding, the primary asset affected, and the ability to trace the impact of the grouped issues.

Assigned to me: Shows the number of action plans assigned to the logged-in user (yourself).

Unassigned Action Plans: Shows the number of unassigned action plans.

Menu: Add a customizable view based on saved filters that can be reused later.



Figure 2: ActionPlansOverview_Page_PaloAltoNetworks


Information can be grouped using two parameters, ‘Add Filters’ and ‘Sort by’, for each view:


  1. Add Filters: Add the desired filters to narrow down action plan details


Figure 3: OverviewFilter_Page_PaloAltoNetworks


  • Status - allows the user to narrow down action plans by status

Figure 3: StatusFilter_PaloAltoNetworks


  • Action Plan Name - allows the user to select a specific action plan.



Figure 4: ActionPlanNameFilter_PaloAltoNetworks



Figure 5: FindinTypeFilter_PaloAltoNetworks

  • Assignee - allows the user to see whether action plans have an owner

Figure 6: AssigneeFilter_PaloAltoNetworks


  2. Sort By: Sort by the number of alerts, the number of affected assets, or severity. Action Plans are generated based on the severity of the alerts, and are only available when High or Critical alerts exist.



Figure 7: SortByFilter_PaloAltoNetworks


  • Criticality - Allows the user to view action plans ordered by alert severity.
  • Alert Count - Allows the user to view the action plans that cover the most alerts.
  • Asset Count - Allows the user to view the action plans that cover the most affected assets.
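The grouping and ordering described above can be modelled in a few lines. The following Python is an added illustration, not Prisma Cloud code and not its API: it builds plans from a constructed set of alerts (asset ids, severities and the hypothetical `fix` identifier each alert maps to are all made up), keeps only plans that contain a High or Critical alert, and exposes the three Sort By keys plus the Status and Assignee filters from the section above. The "primary asset" is taken to be the asset with the most alerts inside a plan, which is an assumption about how the Overview view picks it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Severity ordering used for the "Criticality" sort and for the
# High/Critical availability rule. Names follow Prisma Cloud alert severities.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample alerts (hypothetical data, not exported from Prisma Cloud).
# "fix" is an assumed identifier for the single remediation that closes the alert.
SAMPLE_ALERTS = [
    {"id": "A-1", "asset": "i-0aaa", "severity": "critical", "fix": "restrict-sg-ssh"},
    {"id": "A-2", "asset": "i-0aaa", "severity": "high", "fix": "restrict-sg-ssh"},
    {"id": "A-3", "asset": "i-0bbb", "severity": "high", "fix": "restrict-sg-ssh"},
    {"id": "A-4", "asset": "bucket-logs", "severity": "medium", "fix": "bucket-encryption"},
    {"id": "A-5", "asset": "bucket-logs", "severity": "high", "fix": "bucket-encryption"},
    {"id": "A-6", "asset": "i-0ccc", "severity": "low", "fix": "enable-imdsv2"},
]


@dataclass
class ActionPlan:
    """One fix and the alerts it would close (a simplified model of a plan)."""
    fix: str
    alerts: List[dict]
    status: str = "open"
    assignee: Optional[str] = None

    @property
    def alert_count(self) -> int:
        return len(self.alerts)

    @property
    def assets(self) -> set:
        return {a["asset"] for a in self.alerts}

    @property
    def asset_count(self) -> int:
        return len(self.assets)

    @property
    def criticality(self) -> str:
        # Highest severity among the grouped alerts.
        return max((a["severity"] for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def primary_asset(self) -> str:
        # Assumption: the asset carrying the most alerts in this plan.
        return Counter(a["asset"] for a in self.alerts).most_common(1)[0][0]


def build_action_plans(alerts: List[dict]) -> List[ActionPlan]:
    """Group alerts that share one fix; drop plans with no High/Critical alert."""
    by_fix = {}
    for alert in alerts:
        by_fix.setdefault(alert["fix"], []).append(alert)
    plans = [ActionPlan(fix, grouped) for fix, grouped in by_fix.items()]
    return [p for p in plans if SEVERITY_RANK[p.criticality] >= SEVERITY_RANK["high"]]


def sort_plans(plans: List[ActionPlan], key: str) -> List[ActionPlan]:
    """The three Sort By options, highest first."""
    keys = {
        "criticality": lambda p: SEVERITY_RANK[p.criticality],
        "alert_count": lambda p: p.alert_count,
        "asset_count": lambda p: p.asset_count,
    }
    return sorted(plans, key=keys[key], reverse=True)


def filter_plans(plans: List[ActionPlan], status: Optional[str] = None,
                 assigned: Optional[bool] = None) -> List[ActionPlan]:
    """Status and Assignee filters; assigned=False returns unassigned plans."""
    out = plans
    if status is not None:
        out = [p for p in out if p.status == status]
    if assigned is not None:
        out = [p for p in out if (p.assignee is not None) == assigned]
    return out


if __name__ == "__main__":
    for plan in sort_plans(build_action_plans(SAMPLE_ALERTS), "alert_count"):
        print(plan.fix, plan.criticality, plan.alert_count, plan.asset_count, plan.primary_asset)
```

With the constructed data, the SSH security-group plan covers three alerts on two assets and is ranked first under both Alert Count and Criticality; the IMDSv2 plan is dropped because its only alert is Low, mirroring the rule that plans are only generated when High or Critical alerts exist.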


How To Review an Action plan: 


Overview: When an action plan is expanded, we can see at a glance how many alerts this action plan addresses and the number of impacted assets. The screenshot below shows a general overview and a summary of the action plan finding with the primary affected asset. From here we can assign the action plan and change its status in Prisma Cloud.



Figure 8: ActionPlanOverview_Page_PaloAltoNetworks

Click Overview > Primary Asset to quickly see detailed information about the affected asset.



Figure 9: ActionPlanOverview_Page_PaloAltoNetworks

Then select Primary Asset > View Details. This opens a dashboard with detailed information on every alert that affects the asset: a summary of potential findings, attack paths, alerts and vulnerabilities. The dashboard is the same as the one used when investigating any instance affected by an alert (Prisma Cloud console > Alerts > Alert-ID).




Figure 10: AssetDetails_Page_PaloAltoNetworks

In the top right corner of the dashboard, a ‘Business Criticality’ can be assigned to the asset; the security team decides this depending on the asset that is affected.




Figure 11: AssetDetailsBusinessCriticality_Page_PaloAltoNetworks

Additionally, the asset configuration in JSON can be reviewed from this dashboard by clicking ‘View JSON[]’.



Figure 12: AssetDetailsJSONView_Page_PaloAltoNetworks

How to Fix: This tab combines the alerts across the action plan into a single recommendation and summary that reduces the issues together. It leverages machine learning and large language models to present the information in one place.

With the help of the combined information, several alerts for an impacted asset can be resolved with a single outlined fix.



Figure 13: ActionPlanHowtoFix_Page_PaloAltoNetworks

There are two ways (JIRA and Slack) to easily communicate information with the security team and ensure that the assets are secured. Both are available in the ‘How to fix’ tab.

  1. If the JIRA integration is to be used, click ‘Create a JIRA Ticket’, then ‘Select Template’, and select the integration from the drop-down menu.

If there is no JIRA integration, follow the Integrate Prisma Cloud with JIRA documentation.



Figure 14: CreateJIRATicket_Page_PaloAltoNetworks



Figure 15: CreateJIRATicket_Page_PaloAltoNetworks

Click ‘Send’, and a ‘Successfully created JIRA Ticket’ pop-up will appear.



Figure 16: CreateJIRATicket_Page_PaloAltoNetworks

  2. To use the Slack integration, select ‘Send a Slack Message’ to send an internal message and give the relevant security team or individuals visibility as needed. A Slack group can also be selected, and an optional message can be sent along with the action plan.

If there is no Slack Integration, follow the Integrate Prisma Cloud with Slack documentation.



Figure 16: SendSlackMessage_Page_PaloAltoNetworks

Related Alerts: Shows the alerts targeted by the action plan. This tab lets security teams dispatch these alerts efficiently and secure the assets.

Click Related Alerts, as shown below, to explore all the alerts individually; each alert can be addressed on its own from within the action plan.



Figure 17: RelatedAlerts_Page_PaloAltoNetworks

Impacted Assets: Shows the list of all assets that the action plan secures. These assets can be browsed and explored with the same UI as any other security investigation in Prisma Cloud.



Figure 18: ImpactedAssets_Page_PaloAltoNetworks




In this article, we discussed how action plans can enhance the efficiency of SOC teams. We covered key details that Prisma Cloud admins can leverage to understand their use, and explored how the visual representation can aid in assessing the security posture of infrastructure. With action plans, teams benefit from grouped alerts and a single-window "how-to-fix" guide, eliminating the need to navigate through multiple tabs.




About the Author


Kashan Naqvi is a Customer Success Engineer at Palo Alto Networks. He has vast experience in securing multi-cloud infrastructures and offers expertise across a wide range of Cloud Security Posture Management (CSPM) solutions for Prisma™ Cloud, supporting platforms including AWS, Azure, GCP, OCI, and Alibaba.

Last Updated: 02-06-2025 11:57 AM