Auto-Remediation in Prisma Cloud

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter

Learn how Prisma Cloud's auto-remediation feature saves time and makes the process more efficient.Learn how Prisma Cloud's auto-remediation feature saves time and makes the process more efficient.


This article was written by Emmanuel Nwankwo (@ENwankwo ), a Palo Alto Networks Customer Success Engineer.

Auto-Remediation in Prisma Cloud


Reducing the number of alerts is a very crucial step to increasing the security posture of your cloud environment. An excessive number of alerts can quickly become unmanageable. To assist you with this issue, you can easily have Prisma Cloud automatically resolve policy violations, such as misconfigured security groups. You can swiftly get this done by configuring Prisma Cloud for automated remediation!


I will walk you through the process of optimizing your cloud environment by auto-remediating open alerts.  The first step in remediating alerts is knowing the three ways alerts are remediated in Prisma Cloud: Manual Remediation, Guided Remediation, and Auto-Remediation. However, the focus of this guide is on Auto-Remediation which is applicable to only config policies and IAM security alerts. 


On Prisma Cloud, you can enable automated remediation for default policies (config policies only) that are designated as remediable (indicated by a green checkmark in the Remediable column) and for any cloned or custom policies that you added. For IAM security alerts, you can configure a custom python script to automate the remediation steps.

Why Use Prisma Cloud Auto-Remediation?


Considering the voluminous infrastructure within our multi-cloud environments, managing these infrastructures and applications becomes more daunting and complicates the operational challenges you face today. To stay abreast of competitors and meet the needs of your customers, automation is the way to go. 


Auto-Remediation, is a self-healing workflow which triggers and responds to alerts or events by executing actions that can prevent or fix the problem. Prisma Cloud is an event-driven application and uses event-driven automation to resolve policy violations. The Auto-remediation in Prisma Cloud can trigger a CLI command, or serverless function to remediate alerts detected as a result of misconfiguration.  


With Prisma Cloud Auto-Remediation, your Mean Time to Recover or Restore(MTTR) will be at the bare minimum, thereby improving your security posture and compliance requirements. 

Configure Prisma Cloud to Automatically Remediate Alerts


To enable automated remediation, identify the set of policies that you want to remediate automatically and verify that Prisma Cloud has the required permissions in the associated cloud environments. Then Create an Alert Rule for Run-Time Checks that enables automated remediation for the set of policies you identified.



  1. To view remediable policies, select Policies and set the filter to Remediable > True.




  1. Select a policy for which you want to enable remediation and go to the Remediation page. Then review the required privileges in the CLI Command Description to identify which permissions Prisma Cloud requires in the associated cloud environments to be able to remediate violations of the policy. You can define up to 5 CLI commands in a sequence for a multi-step automatic remediation workflow.





Create an Alert Rule for Run-Time Checks or modify an existing alert rule. Alert rules (for run-time checks) enable you to define the policy violations in a selected set of cloud accounts for which you want to trigger alerts.






On the Select Policies page, enable Automated Remediation and then Continue to acknowledge the impact of automated remediation on your application. The list of available policies updates to show only those policies that are remediable (as indicated by green checkmark  in the Remediable column).





Finish configuring and Save the new alert rule or Confirm your changes to an existing alert rule. When you save the alert rule, Prisma Cloud automatically runs the remediation CLI to resolve policy violations for all open alerts regardless of when they were generated, and updates the alert status as Resolved.


Note: When you enable automated remediation, Prisma Cloud makes changes to the resource configuration in your cloud environment to address security misconfigurations. These changes are executed using CLI commands and can potentially disrupt access to your applications.

Remediate Using Serverless


Prisma Cloud also provides runbooks on GitHub  if you want automated remediation using serverless functions for your cloud resources on AWS. Serverless functions are a simple way to create custom auto-remediation solutions based on Prisma Cloud alerts. Using Prisma Cloud's built-in integrations to CSPs (e.g. AWS SQS), you can quickly and easily remediate misconfigurations in your cloud environment with the flexibility of a full-fledged coding environment. 

For example, with serverless auto-remediation, you can automatically block public access to an insecure AWS S3 bucket, while creating a Jira ticket notifying your DevOps team with more details. Or even send a Slack notification after enabling VPC flow logs. Our GitHub repo gives you the starting point to build your own custom auto-remediation capabilities. 


How Does Serverless Auto-Remediation Work?


The Prisma Cloud platform sends alert messages to an AWS SQS Queue, which in turn invokes a lambda function The function then calls the appropriate runbook script to remediate the alert(s). To use AWS Lambda for automatic remediation, you do not need to give Prisma Cloud read-write access to your AWS accounts, and is an alternative way if you are concerned with giving too many write permission to Prisma Cloud. Remediation with Microsoft Azure function is in development while Google Cloud Platform (GCP) function is coming soon!


Using our out-of-the-box runbooks takes minimal programming knowledge and can be set up by following our step-by-step instructions Amazon Web Services (AWS) Setup Guide. Developing your own runbooks (Custom runbook development guide) will require familiarity with your CSP's relevant SDK.


Auto-Remediate Alerts for IAM Security


Like the auto-remediation for serverless function and config policies,  you can configure a custom python script to automate the remediation steps and send alert notification to 14 third-party tools including email, Lambda, Security Hub, PagerDuty, ServiceNow or Slack. The custom python script receives an alert via the AWS SQS queue, extracts the alert id and uses it to call the IAM remediation API, then runs the commands which are provided by the API response.


To set up alert rules with automated remediation:

  1. Integrate Prisma Cloud with Amazon SQS
  2. Create alert rules and set up alert notifications to Amazon SQS
  3. Copy/paste the provided Python script into a text editor or integrated development environment (IDE)
  4. Edit the python script to include the required values for the environment variables
  5. Install the third-party libraries
  6. Run the script to view the remediation results


First, to set up automatic remediation for IAM Security alerts, you will need to integrate Prisma Cloud with Amazon SQS, create alert rules and set up alert notifications to Amazon SQS. All alerts triggered for the iam policy you selected will be sent to the SNS queue. Follow the steps to integrate Prisma Cloud with SQS.





Secondly, configure and run the python script by installing third-party libraries in order to create HTTP requests to your API endpoints, and edit the custom python script to include the values for the environment variables so that you can automatically remediate alerts. Please follow this guide to help you set-up and Remediate Alerts for IAM Security


By following the above steps, your alerts will be manageable and this will increase the efficiency of the security posture of your cloud environment.  When configured, Prisma Cloud's auto remediation feature can get this done swiftly. 


This article was written by Emmanuel Nwankwo (@ENwankwo), a Palo Alto Networks Customer Success Engineer. Read more about the author below.





Register or Sign-in
Top Liked Authors