PrismaCloudComputeParseVulnerabilityAlert

Parse Vulnerability alert raw JSON data.

python · Prisma Cloud Compute by Palo Alto Networks

Source

import json

import demistomock as demisto
from CommonServerPython import *


def parse_vulnerability(raw_json):
    data = json.loads(raw_json)

    if data.get("kind") != "vulnerability":
        raise ValueError(f"Input should be a raw JSON vulnerability alert, received: {raw_json}")

    outputs = {"PrismaCloudCompute.VulnerabilityAlert": data}

    # remove unneeded fields from human readable results
    headers: list = []
    for field in data:
        if field not in ["_id", "kind", "vulnerabilities"]:
            headers.append(field)
    headers.sort()

    readable_outputs = tableToMarkdown("Vulnerability Information", data, headers=headers)

    # add another table for vulnerabilities
    readable_outputs += tableToMarkdown("Vulnerabilities", data.get("vulnerabilities"))

    return (readable_outputs, outputs, raw_json)


def main():
    try:
        return_outputs(*parse_vulnerability(demisto.args().get("alert_raw_json", "")))
    except Exception as ex:
        return_error(f"Failed to execute PrismaCloudComputeParseVulnerabilityAlert. Error: {ex!s}")


if __name__ in ("__builtin__", "builtins"):
    main()

README

Parse Vulnerability alert raw JSON data

Script Data


Name Description
Script Type python3
Tags Prisma Cloud Compute
Cortex XSOAR Version 5.0.0

Used In


This script is used in the following playbooks and scripts.

  • Prisma Cloud Compute - Vulnerability Alert

Inputs


Argument Name Description
alert_raw_json The vulneribility alert raw JSON data

Outputs


Path Description Type
PrismaCloudCompute.VulnerabilityAlert.time Vulnerability discovery time Date
PrismaCloudCompute.VulnerabilityAlert.imageName Impacted image name String
PrismaCloudCompute.VulnerabilityAlert.distroName Full name of the image distribution String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.cve CVE ID of the vulnerability String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.severity The Severity of the vulnerability String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.link The CVE vendor link String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.status The CVE vendor status String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.packages Package names String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.packageVersion The version of the package that caused the vulnerability String
PrismaCloudCompute.VulnerabilityAlert.vulnerabilities.sourcePackage The name of the source package if such package exist, for os packages, source package is the package used to build the binary String