SaasSecurity

SaaS Security API is a cloud-based service that you can connect directly to your sanctioned SaaS applications using the cloud app’s API to provide data classification, sharing and permission visibility, and threat detection. This Content Pack provides insights into risks posed by data exposure and policy violations and enables you to use Cortex XSOAR to effectively manage the incidents discovered by SaaS Security API.

Network Security · SaaS Security by Palo Alto Networks

Configuration parameters

  • url — Server URL (required)
  • credentials — Client ID (required)
  • isFetch — Fetch incidents
  • incidentFetchInterval — Incidents Fetch Interval
  • incidentType — Incident type
  • mirror_direction — Incident Mirroring Direction
  • max_fetch — Number of incidents per fetch. (required)
  • first_fetch — First fetch timestamp (<number> <time unit>. For example, 12 hours, 7 days)
  • state — Fetch only incidents with matching state
  • severity — Fetch only incidents with matching severity
  • status — Fetch only incidents with matching status
  • app_ids — Fetch only incidents with matching Application IDs
  • close_incident — Close Mirrored XSOAR Incident
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings

Commands (10)

  • get-mapping-fields

    Returns the list of fields for an incident type.

  • get-modified-remote-data

    Get the list of incidents that were modified since the last update. Note that this method is used for debugging purposes. get-modified-remote-data is used as part of a Mirroring feature, which is available since Cortex XSOAR version 6.1.

  • get-remote-data

    Get remote data from a remote incident. Note that this method will not update the current incident. It's used for debugging purposes.

  • saas-security-asset-remediate

    Remediates an asset.

  • saas-security-get-apps

    Returns the Application ID, Name, and Type for all applications.

  • saas-security-incident-get-by-id

    Gets an incident by its ID.

  • saas-security-incident-state-update

    Closes an incident and updates its category.

  • saas-security-incidents-get

    Retrieves incidents from the SaaS Security platform.

  • saas-security-remediation-status-get

    Gets the remediation status for a given asset ID.

  • update-remote-system

    Updates local incident changes in the remote incident. This method is only used for debugging purposes and will not update the current incident.