Prisma Cloud - Network API and Anomaly Incidents

This playbook handles incidents of internet exposed services and detect potential risky configurations that can make your cloud environment vulnerable to attacks, and incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise.

Prisma Cloud by Palo Alto Networks · 39 tasks · 20 inputs · 0 outputs

Inputs

  • CreateTicket — Whether to create a ticket in ZenDesk or ServiceNow. Insert True or False
  • StopForRecommendations
  • EarlyContainment — Whether to perform early containment.
  • CloudResponse — Whether to perform cloud response.
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • ZenDeskDescription — The ticket description.

Commands used

core-list-risky-users cve ip prisma-cloud-alert-get-details prisma-cloud-host-finding-list setAlert

Flowchart

yes yes yes yes yes yes yes yes yes yes yes Start Start Enrichment Enrichment IP Enrichment - ip IP Enrichment ip Early Containment Early Containment Does IP is malicious? Does IP is malicious? Early Containment enabled? Early Containment enabled? Early Containment Early Containment Containment Complete Containment Complete Investigation Investigation Cloud User Investigation - Generic - Cloud User Investigation - Generic Cloud User Investigation ... Cloud User Investigation - Ge... Cloud Enrichment - Generic - Cloud Enrichment - Generic Cloud Enrichment - Generic Cloud Enrichment - Generic User Investigation User Investigation Vulnerability Enrichment Vulnerability Enrichment Verdict Verdict Does response needed? Does response needed? Remediation Remediation Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Perform Cloud Response? Perform Cloud Response? Pause the playbook to perform policy recommendations? Pause the playbook to per... Pause the playbook to perform policy recommendations Pause the playbook to per... Done Done Block IP - Generic v3 - Block IP - Generic v3 Block IP - Generic v3 Block IP - Generic v3 Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic Create a ticket? Create a ticket? Risky User Risky User Check if user is risky by XDR - core-list-risky-users Check if user is risky by... core-list-risky-users Prisma alert enrichment - prisma-cloud-alert-get-details Prisma alert enrichment prisma-cloud-alert-get-details Does Alert Contains IP? Does Alert Contains IP? Host RRN has received from Prisma? Host RRN has received fro... Get host findings - prisma-cloud-host-finding-list Get host findings prisma-cloud-host-finding-list Determine Verdict - setAlert Determine Verdict setAlert Set status to layout - setAlert Set status to layout setAlert Is Part of Alert Rule? Is Part of Alert Rule? Map Alert Rules - JsonToTable Map Alert Rules JsonToTable Get CVE Details - cve Get CVE Details cve Has related CVE? Has related CVE? Has Results? Has Results? Set User Investigation Results - setAlert Set User Investigation Re... setAlert Set status to layout - setAlert Set status to layout setAlert