Remediate assets on prisma cloud
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook provides/updates the compliance security posture details of asset in comments section of triggered incident so that SOC analysts can directly take corrective measure to prevent the attack
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | PaloAltoPrismaCloud |
| Source | View on GitHub |
Additional Documentation
📄 Source: PrismaCloudCSPMPlaybooks/PrismaCloudCSPM-Remediation/readme.md
PrismaCloudCSPM-Remediation Info Playbook
## Summary When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions 1. Fetches the list of assets from incident entities . 2. Make the API call to get the latest alert lists of provided assets from cloud console and then post the message on teams channel and wait for the user input and then act accordingly later update the same incidents comments with remediation result. 3. Note : Asset column for which the remediation needs to be done, should be mapped with hostname entity while creating analytics rule.
Prerequisites
- PrismaCloudCSPM Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
- API Key and User ID . To get this, login into your Prisma cloud instance dashboard and navigate to Settings --> Access Control --> Access Keys --> Add
- TeamsID and channelID of your tenant is needed for posting messages on Microsoft teams",
- [Important step]Store the API secret key in Key vault then provide the keyvault name and key name of the stored secret during deployment
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex: PrismaCloudCSPM-Enrichment).
- Custom Connector Name: Enter the Prisma cloud custom connector name here (Ex: PrismaCloudCSPMCustomConnector).
- Keyvault name: Enter the key vault name where secret key is stored.
- Prisma Secret Name : Your Key name for the stored API secret.
- Prisma User ID : Enter the prisma user id.
- TeamsID : Enter value for TeamsID
- ChannelID : Enter value for Teams ChannelID
Post-Deployment instructions
a. Authorize connections (Perform this action if needed)
Once deployment is complete, you will need to authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for playbooks other API Connection.
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with risky asset.
- Configure the automation rules to trigger this playbook , mapping of hostname entity is necessary
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
D. Assign access policy on key vault for Playbook to fetch the secret key
- Select the Keyvault resource where you have stored the secret
- Click on Access policies Blade
- Click on Create
- Under Secret permissions column , Select Get , List from "Secret Management Operations"
- Click next to go to Principal tab and choose your deployed playbook name
- Click Next leave application tab as it is .
- Click Review and create
- Click Create
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊