Prisma Cloud DSPM #36393
Open
Prisma Cloud DSPM #36393
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fix: for dspm-get-data-types, an extra parameter was eliminated. feat: Added dspm-get-risk-findings page parameter.
fix : commented the mirror functions.
fix : Update method for pagination.
| script: '' | ||
| type: python | ||
| tags: [] | ||
| comment: "This script extracts risk details from an incident object, processes asset tags, and sets the user's Slack email for future notifications.\nIt retrieves the incident details, including risk information, asset tags, and configuration details from the DSPM integration. If the asset owner's email is found, it is stored; otherwise, a default email is used.The extracted data is stored in the XSOAR context and displayed in a readable markdown format." |
There was a problem hiding this comment.
Add a space between .."is used.The extracted data is stored..."
| type: unknown | ||
| - name: action | ||
| default: true | ||
| description: Action to perform on incident list i.e :- add or delete list. |
There was a problem hiding this comment.
Action to perform on an incident list, such as add or delete a list.
| description: DSPM Incident list data | ||
| - name: rerun_time | ||
| required: true | ||
| description: Re-run time to be checked of an incident to delete or not |
There was a problem hiding this comment.
Its not clear what this does. Does it rerun or does it check whether to delete or not? We should make it clearer
| @@ -0,0 +1,946 @@ | |||
| # Overview | |||
| The Prisma Cloud DSPM(Data Security Posture Management) Integration enhances the management and remediation of DSPM risks. The integration provides users with actionable data, insights and a seamless workflow for addressing potential security threats. | |||
There was a problem hiding this comment.
"...integration enhances..."
|
|
||
| # Use Cases | ||
| - Remediation of DSPM out-of-the-box risks based on automated playbooks. | ||
| - Close or update risks by Interacting with DSPM API using a dedicated list of building blocks. |
There was a problem hiding this comment.
Close or update risks by interacting with DSPM API using a dedicated list of building blocks.
| 5. Atlassian Jira v3 Pack. | ||
| 6. Google Cloud Storage Pack. ( Optional ) | ||
| 7. Azure Storage Container Pack. ( Optional ) | ||
|
|
There was a problem hiding this comment.
I suggest removing all the periods above.
|
|
||
| ## Configure Prisma Cloud DSPM on Cortex XSOAR | ||
|
|
||
| 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. |
There was a problem hiding this comment.
Navigate to Settings & Info > Settings > Integrations > Instances
| | **Argument Name** | **Description** | **Required** | | ||
| | --- | --- | --- | | ||
| | rule_name_in | A comma-separated list of rule names. | Optional | | ||
| | rule_name_equal | Exact rule name. | Optional | |
There was a problem hiding this comment.
The exact rule name
| | dspm_tag_key_in | A comma-separated list of DSPM tag keys. | Optional | | ||
| | dspm_tag_key_equal | Exact DSPM tag key. | Optional | | ||
| | dspm_tag_value_in | A comma-separated list of DSPM tag values. | Optional | | ||
| | dspm_tag_value_equal | Exact DSPM tag value. | Optional | |
There was a problem hiding this comment.
The exact DSPM tag value
| | dspm_tag_value_in | A comma-separated list of DSPM tag values. | Optional | | ||
| | dspm_tag_value_equal | Exact DSPM tag value. | Optional | | ||
| | projectId_in | A comma-separated list of project IDs. | Optional | | ||
| | projectId_equal | Exact project ID. | Optional | |
There was a problem hiding this comment.
The exact project ID
| | projectId_in | A comma-separated list of project IDs. | Optional | | ||
| | projectId_equal | Exact project ID. | Optional | | ||
| | cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. Default is AWS. | Optional | | ||
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | |
There was a problem hiding this comment.
The exact cloud provider
| | cloud_provider_in | A comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. Default is AWS. | Optional | | ||
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | affects_in | A comma-separated list of affects. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, SECURITY_AND_GOVERNANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional | | ||
| | affects_equal | Exact affect. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional | |
| | affects_in | A comma-separated list of affects. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, SECURITY_AND_GOVERNANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional | | ||
| | affects_equal | Exact affect. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional | | ||
| | status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional | | ||
| | status_equal | Exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional | |
| | affects_equal | Exact affect. Possible values are: SECURITY, COMPLIANCE, GOVERNANCE, SECURITY_AND_COMPLIANCE, COMPLIANCE_AND_GOVERNANCE, SECURITY_AND_GOVERNANCE, SECURITY_AND_COMPLIANCE_AND_GOVERNANCE. | Optional | | ||
| | status_in | A comma-separated list of statuses. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional | | ||
| | status_equal | Exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional | | ||
| | sort | Sort order. | Optional | |
|
|
||
| | **Argument Name** | **Description** | **Required** | | ||
| | --- | --- | --- | | ||
| | region_in | Comma-separated list of regions. | Optional | |
There was a problem hiding this comment.
A comma-separated list of regions
| | **Argument Name** | **Description** | **Required** | | ||
| | --- | --- | --- | | ||
| | region_in | Comma-separated list of regions. | Optional | | ||
| | region_equal | Exact region. | Optional | |
| | --- | --- | --- | | ||
| | region_in | Comma-separated list of regions. | Optional | | ||
| | region_equal | Exact region. | Optional | | ||
| | cloud_provider_in | Comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | |
There was a problem hiding this comment.
A comma-separated list of cloud providers
| | region_in | Comma-separated list of regions. | Optional | | ||
| | region_equal | Exact region. | Optional | | ||
| | cloud_provider_in | Comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | |
There was a problem hiding this comment.
The exact cloud provider
| | region_equal | Exact region. | Optional | | ||
| | cloud_provider_in | Comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | service_type_in | Comma-separated list of service types. | Optional | |
There was a problem hiding this comment.
A comma-separated....
| | cloud_provider_in | Comma-separated list of cloud providers. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | service_type_in | Comma-separated list of service types. | Optional | | ||
| | service_type_equal | Exact Service Type. | Optional | |
There was a problem hiding this comment.
The exact service type.
| | cloud_provider_equal | Exact cloud provider. Possible values are: AWS, AZURE, GCP, SNOWFLAKE, FILE_SHARE, O365. | Optional | | ||
| | service_type_in | Comma-separated list of service types. | Optional | | ||
| | service_type_equal | Exact Service Type. | Optional | | ||
| | lifecycle_in | Comma-separated list of life cycles. Possible values are: RUNNING, STOPPED, DELETED. | Optional | |
There was a problem hiding this comment.
A comma-separated list....
| | service_type_in | Comma-separated list of service types. | Optional | | ||
| | service_type_equal | Exact Service Type. | Optional | | ||
| | lifecycle_in | Comma-separated list of life cycles. Possible values are: RUNNING, STOPPED, DELETED. | Optional | | ||
| | lifecycle_equal | Exact life cycle. Possible values are: RUNNING, STOPPED, DELETED. | Optional | |
There was a problem hiding this comment.
The exact lifecycle.
| | service_type_equal | Exact Service Type. | Optional | | ||
| | lifecycle_in | Comma-separated list of life cycles. Possible values are: RUNNING, STOPPED, DELETED. | Optional | | ||
| | lifecycle_equal | Exact life cycle. Possible values are: RUNNING, STOPPED, DELETED. | Optional | | ||
| | sort | Sorting criteria in the format: property,(asc\|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional | |
There was a problem hiding this comment.
The sorting criteria...
| | DSPM.AssetFiles.path | String | Asset file path. | | ||
| | DSPM.AssetFiles.type | String | Asset file type. | | ||
| | DSPM.AssetFiles.size | String | Asset file size. | | ||
| | DSPM.AssetFiles.openToWorld | Boolean | Asset open to world. | |
There was a problem hiding this comment.
Whether the asset is open to world
| | DSPM.AssetFiles.type | String | Asset file type. | | ||
| | DSPM.AssetFiles.size | String | Asset file size. | | ||
| | DSPM.AssetFiles.openToWorld | Boolean | Asset open to world. | | ||
| | DSPM.AssetFiles.isDeleted | Boolean | Whether asset is deleted. | |
There was a problem hiding this comment.
Whether the asset...
| | DSPM.AssetFiles.size | String | Asset file size. | | ||
| | DSPM.AssetFiles.openToWorld | Boolean | Asset open to world. | | ||
| | DSPM.AssetFiles.isDeleted | Boolean | Whether asset is deleted. | | ||
| | DSPM.AssetFiles.isMalicious | Boolean | Whether asset is malicious. | |
There was a problem hiding this comment.
Whether the asset...
| | lifecycle_equal | Exact life cycle. | Optional | | ||
| | sort | Sorting criteria in the format: property,(asc\|desc). Default sort order is ascending. Multiple sort criteria are supported. | Optional | | ||
| | limit | The maximum number of data types findings to retrieve. Default is 50. | Optional | | ||
|
|
There was a problem hiding this comment.
In the above argument descriptions (to be consistent), use the following:
- A comma-separated list
- Where we use 'Exact" add "The" at the start. For eg The exact service type.
| | status_equals | Exact status. Possible values are: OPEN, CLOSED, UNIMPORTANT, WRONG, HANDLED, INVESTIGATING. | Optional | | ||
| | sort | Sort order (property,asc\|desc). | Optional | | ||
| | limit | The maximum number of alerts to retrieve. Default is 50. | Optional | | ||
|
|
There was a problem hiding this comment.
For the above arguments, lets add "The" at the start of each description, apart from where we have "A comma-separated list.." For example, "The exact category type."
richardbluestone
approved these changes
Oct 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
Status
Description
We are working with @Michal Goldshtein on this project of Prisma Cloud DSPM team. The contact person from DSPM team is @Yaron Zeevi
Must have