01-31-2025 12:42 PM - edited 02-06-2025 11:57 AM
What are Action Plans?
Action Plans is Prisma Cloud’s AI-Driven solution to enhance and expedite security remediation strategy. Through the Action Plans tab, security teams can easily identify and prioritize solving multiple issues through a single fix.
Prioritization:
Action Plans group together alerts and assets that can be secured through a single fix, ensuring your security team spends time on the most effective outcomes. Actions are prioritized based on security context and Prisma Cloud alerts.
Execution and Delegation:
Leverage your integrations on Prisma Cloud to help delegate security fixes to your team through JIRA tickets and/or Slack messages with a single click.
Detailed Visibility:
Ensure that every alert resolved or asset impacted is visible in one location, and provide detailed context to your security teams.
Security Fix Efficiency:
Using machine learning and generative models, Action Plans help summarize tasks across the various alerts that impact the same asset, ensuring a comprehensive plan to reduce alerts with the least number of required steps.
The following are the basic and baseline requirements for Action Plans.
On Prisma Cloud there is no need to configure Action Plans; the feature is enabled on all customer tenants by default.
To view Action Plans:
Step 1: Log into Prisma Cloud Console > Action Plans
Figure 1: PrismaCloudActionPlans_Page_PaloAltoNetworks
You can sort the collections in Action Plans by several options:
Overview: Shows the summary of the action plan finding, the primary asset affected, and the ability to trace the impact of the grouped issues.
Assigned to me: Shows the number of action plans assigned to the logged-in user (yourself).
Unassigned Action Plans: Shows the number of unassigned action plans.
Menu: Add a customizable view based on saved filters that can be reused later.
Figure 2: ActionPlansOverview_Page_PaloAltoNetworks
Information can be grouped based on two parameters, ‘Add Filters’ and ‘Sort by’, for each view:
Figure 3: OverviewFilter_Page_PaloAltoNetworks
Figure 3: StatusFilter_PaloAltoNetworks
Figure 4: ActionPlanNameFilter_PaloAltoNetworks
Figure 5: FindinTypeFilter_PaloAltoNetworks
Figure 6: AssigneeFilter_PaloAltoNetworks
Figure 7: SortByFilter_PaloAltoNetworks
Figure 8: ActionPlanOverview_Page_PaloAltoNetworks
Click on Overview > Primary Asset to quickly see detailed information about the affected asset.
Figure 9: ActionPlanOverview_Page_PaloAltoNetworks
Then select Primary Asset > View Details. This opens a dashboard with detailed information on every alert that affects the asset, including a summary of potential findings, attack paths, alerts, and vulnerabilities. The dashboard is similar to the one shown when investigating any instance affected by an alert (Prisma Cloud console > Alerts > Alert-ID).
Figure 10: AssetDetails_Page_PaloAltoNetworks
In the top right corner of the dashboard, a ‘Business Criticality’ can be assigned to the asset; the security team decides this value depending on the asset that is affected.
Figure 11: AssetDetailsBusinessCriticality_Page_PaloAltoNetworks
Additionally, the asset's JSON can be accessed from this dashboard by clicking ‘View JSON[]’ to review the asset configuration.
Figure 12: AssetDetailsJSONView_Page_PaloAltoNetworks
With the help of the combined information, several alerts for an impacted asset can be resolved with a single outlined fix.
Figure 13: ActionPlanHowtoFix_Page_PaloAltoNetworks
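To make the grouping idea concrete, the following added example (not Prisma Cloud's own code) models how alerts on the same asset that share one remediation are collapsed into a single plan and ranked. The alerts, severity weights and business-criticality multipliers are constructed assumptions for illustration, not the platform's actual scoring.

```python
from collections import defaultdict

# Constructed sample alerts: each carries the affected asset, the policy that
# fired, its severity, and the remediation that would clear it.
ALERTS = [
    {"id": "A-1", "asset": "sg-web", "policy": "SSH open to 0.0.0.0/0", "severity": "high", "fix": "restrict-ingress"},
    {"id": "A-2", "asset": "sg-web", "policy": "RDP open to 0.0.0.0/0", "severity": "high", "fix": "restrict-ingress"},
    {"id": "A-3", "asset": "sg-web", "policy": "All ports open to internet", "severity": "critical", "fix": "restrict-ingress"},
    {"id": "A-4", "asset": "bucket-logs", "policy": "Bucket publicly readable", "severity": "medium", "fix": "block-public-access"},
    {"id": "A-5", "asset": "bucket-logs", "policy": "Bucket lacks encryption", "severity": "low", "fix": "enable-sse"},
    {"id": "A-6", "asset": "db-prod", "policy": "DB publicly accessible", "severity": "critical", "fix": "disable-public-endpoint"},
]

# Assumed weights (not Prisma Cloud's values): severity of each alert and the
# multiplier applied for the Business Criticality assigned to the asset.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}
CRITICALITY_MULT = {"low": 1.0, "medium": 1.5, "high": 2.0}

# Constructed Business Criticality assignments, as set by the security team.
BUSINESS_CRITICALITY = {"sg-web": "medium", "bucket-logs": "low", "db-prod": "high"}


def build_action_plans(alerts, criticality):
    """Group alerts by (asset, fix) and rank groups so the single fix that
    removes the most risk comes first."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["asset"], alert["fix"])].append(alert)
    plans = []
    for (asset, fix), items in groups.items():
        mult = CRITICALITY_MULT[criticality.get(asset, "low")]
        score = sum(SEVERITY_WEIGHT[a["severity"]] for a in items) * mult
        plans.append({"asset": asset, "fix": fix,
                      "alerts": sorted(a["id"] for a in items), "score": score})
    # Highest score first; ties broken by number of alerts cleared, then asset name.
    return sorted(plans, key=lambda p: (-p["score"], -len(p["alerts"]), p["asset"]))


def alerts_cleared(plans, steps):
    """Number of alerts closed by executing only the first `steps` plans."""
    return sum(len(p["alerts"]) for p in plans[:steps])


if __name__ == "__main__":
    ranked = build_action_plans(ALERTS, BUSINESS_CRITICALITY)
    for p in ranked:
        print(f"{p['asset']:12} {p['fix']:24} clears {p['alerts']} score={p['score']}")
    print("alerts cleared by top 2 plans:", alerts_cleared(ranked, 2), "of", len(ALERTS))
```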
There are two ways (JIRA and Slack) to easily communicate information with the security team and ensure that the assets are secured. Both are available in the ‘How to fix’ tab.
If there is no JIRA integration, follow the Integrate Prisma Cloud with JIRA documentation.
Figure 14: CreateJIRATicket_Page_PaloAltoNetworks
Figure 15: CreateJIRATicket_Page_PaloAltoNetworks
Click ‘Send’; a ‘Successfully created JIRA Ticket’ pop-up then confirms the ticket was created.
Figure 16: CreateJIRATicket_Page_PaloAltoNetworks
If there is no Slack Integration, follow the Integrate Prisma Cloud with Slack documentation.
Figure 16: SendSlackMessage_Page_PaloAltoNetworks
Click on Related alerts, as shown below, to explore all the alerts individually. This allows customization, and each alert can be addressed individually from the action plan.
Figure 17: RelatedAlerts_Page_PaloAltoNetworks
Figure 18: ImpactedAssets_Page_PaloAltoNetworks
In this article, we discussed how action plans can enhance the efficiency of SOC teams. We covered key details that Prisma Cloud admins can leverage to understand their use, and explored how the visual representation can aid in assessing the security posture of infrastructure. With action plans, teams benefit from grouped alerts and a single-window "how-to-fix" guide, eliminating the need to navigate through multiple tabs.
Kashan Naqvi is a Customer Success Engineer at Palo Alto Networks. He has vast experience in securing multi-cloud infrastructures and offers expertise across a wide range of Cloud Security Posture Management (CSPM) solutions for Prisma™ Cloud, supporting platforms including AWS, Azure, GCP, OCI, and Alibaba.