Cyware Orchestrate

Palo Alto Prisma Cloud

App Vendor: Palo Alto Networks

App Category: Network Security

Connector Version: 1.1.0

API Version: 1.0.0

Note

This app is currently released as a beta version.

About App

The Palo Alto Prisma Cloud app enables you to engage with Prisma Cloud services programmatically.

The Palo Alto Prisma Cloud app is configured with the Orchestrate application to perform the following actions:

Action Name

Description

Add Access Key

This action adds a new access key for the current user.

Add Cloud Account

This action onboards a new cloud account onto the Prisma Cloud platform.

Add IP Address to Allow List

This action adds a named list of CIDRs (IP addresses) that are in the allowed list to access Prisma Cloud.

Add Policies

This action adds a new policy.

Add Network

This action adds a public network.

Alert Info

This action retrieves information about an alert for the specified ID.

Dismiss Alerts

This action dismisses one or more alerts on the Prisma Cloud platform.

Download Report

This action downloads the compliance report with the specified ID.

Filter Event Search Results

This action filters the results of an event log search according to the specified parameters.

Get Account Status

This action retrieves Prisma Cloud Security Capabilities with warning or error statuses for the specified account and provides remediation suggestions.

Get All Compliance Statistics

This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections.

Get Asset

This action retrieves the information of the specified asset.

Get Asset Inventory Trend View

This action retrieves asset inventory pass/fail trends for the specified time period.

Get Classification Report

This action retrieves a data classification report.

Get Cloud Account

This action retrieves a list of cloud account IDs and names.

Get Cloud Account Information

This action retrieves top-level information about the cloud account.

Get Cloud Audit Logs

This action retrieves audit logs for events that took place on the Prisma Cloud platform.

Get Code Issues from Periodic Scans

This action retrieves code issues from periodic scans.

Get Compliance Statistics for Standard ID

This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections for the given compliance standard ID.

Get Compliance Trend

This action retrieves a compliance posture summary that describes the passed/failed statistics trend.

Get Dashboard Alerts

This action retrieves counts of total objects, public objects, sensitive objects, and malware.

Get Dashboard Violations

This action lists violations for the dashboard.

Get External Ingest Integrations for Resource

This action retrieves a list of external ingestion integrations for the specified resource.

Get Inventory Resource Details

This action retrieves details for the resource (bucket) with the specified tenant ID and bucket name.

Get Inventory Resource Objects

This action retrieves the objects for the specified bucket.

Get Malware Report

This action retrieves a malware report.

Get Permissions

This action retrieves a list of permissions.

Get Policy

This action retrieves the policy that has the specified policy ID.

Get Raw Event Data

This action retrieves the audit event data for the specified ID as raw metadata.

Get Report Config

This action retrieves the compliance report generation configuration with the specified ID.

Get Resource Lists

This action retrieves all the resource lists for the current customer.

Get User Role Information

This action retrieves the user role information of the specified user.

List Alert Filter Autocomplete Suggestions

This action retrieves autocomplete suggestions for an alert filter key based on a fuzzy search query.

List Alert Filters

This action retrieves an object whose keys are the available policy filters.

List Alert Remediation

This action generates and retrieves a list of remediation commands for the specified alerts and policies.

List Alerts

This action retrieves a list of alerts that match the constraints specified in the query parameters.

List Cloud Account Owners

This action retrieves the email addresses of all owners for the specified cloud account ID.

List Cloud Accounts

This action lists all cloud accounts onboarded onto the Prisma Cloud platform.

List Historical Reports Data

This action retrieves a list of metadata for the scheduled compliance reports for the specified report ID.

List Inventory Filters

This action retrieves an object whose keys are supported asset inventory filters and values contain default recent options.

List Inventory Objects

This action lists data for objects.

List IP Addresses Allowed for Login

This action retrieves a list of data objects that contain the CIDRs in the allowed list to access the Prisma Cloud tenant.

List Networks

This action retrieves an array of public networks.

List Policies

This action retrieves system default and custom policies.

List Report Configs

This action retrieves a list of compliance report generation configurations.

List Users

This action lists all users and service accounts for your tenant.

Perform Config Search

This action searches for resources using an RQL config query to identify misconfigurations and policy violations.

Perform Event Search

This action retrieves the results of an RQL (Resource Query Language) audit event query.

Perform Network Search

This action performs a search against flow logs with an RQL (Resource Query Language) query.

Remediate Alert

This action remediates the alert with the specified ID if that alert is associated with a remediable policy.

Reopen Alerts

This action reopens dismissed or snoozed alerts by changing their status to open on the Prisma Cloud platform.

Search Alerts

This action searches for alerts on the Prisma Cloud platform.

Search Alerts by ID

This action retrieves search data to investigate the alert with the specified ID.

Trigger Scan

This action triggers an asynchronous scan to refresh the state of resources.

Update Policy

This action updates the existing policy that has the specified policy ID.

View Asset Inventory

This action retrieves asset inventory pass/fail data for the specified time period.

Generic Action

This is a generic action used to make requests to any Palo Alto Prisma Cloud endpoint.

Configuration Parameters

The following configuration parameters are required for the Palo Alto Prisma Cloud app to communicate with the Palo Alto Prisma Cloud enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL

Enter the base URL to access Prisma Cloud.

Example:

https://api.prismacloud.io

Text

Required

Access ID

Enter the access ID.

Text

Required

Password

Enter the password.

Password

Required

Customer Name

Enter the customer's name.

Text

Optional

Prisma ID

Enter the Prisma ID.

Text

Optional

Action: Add Access Key

This action adds a new access key for the current user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Access Key Name

Enter the name of the access key.

Text

Required

Expires on

Enter the timestamp in milliseconds when the access key expires.

Integer

Optional

Service Account Name

Enter the service account name.

Text

Optional

Action: Add Cloud Account

This action onboards a new cloud account onto the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account ID

Enter the AWS account ID.

Text

Required

External ID

Enter the AWS account external ID.

Text

Required

Group IDs

Enter the list of account group IDs for this account.

List

Required

Role Arn

Enter the unique identifier for an AWS resource.

Text

Required

Name

Enter the name to be used for the account on the Prisma Cloud platform.

Text

Required

Enabled

Enter yes if the account is enabled.

Boolean

Optional

Default value:

no

Protective Mode

Enter the protective mode.

Example:

"monitor"

Text

Optional

Skip Status Checks

Enter your preference to skip account status checks to improve response time.

Example:

yes

Boolean

Optional

Default value:

no

Action: Add IP Address to Allow List

This action adds a named list of CIDRs (IP addresses) that are in the allow list to access Prisma Cloud.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

CIDRs

Enter the list of CIDRs to add to the allow list for login access.

List

Required

You can include values from 1 to 10 CIDRs.

Name

Enter the unique name for the CIDR (IP addresses) allow list.

Text

Required

Description

Enter the description of the CIDR (IP addresses) allow list.

Text

Optional
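The following is an added example, not part of the connector or of Cyware's documentation: a pre-submission check for the Add IP Address to Allow List inputs that enforces the 1 to 10 CIDR limit stated above and rejects malformed, overly broad, or redundant entries before they reach the login allow list. The payload key names (name, cidrs, description), the minimum prefix lengths, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_CIDRS = 10               # the action accepts 1 to 10 CIDRs per request
MIN_PREFIX = {4: 16, 6: 32}  # assumption: local policy on how broad an entry may be

# Constructed sample input using documentation address ranges.
SAMPLE_CIDRS = [
    "203.0.113.0/24",
    "203.0.113.64/26",   # already inside the /24 above
    "198.51.100.7",      # bare address, normalised to /32
    "192.0.2.10/24",     # host bits set: ambiguous intent
    "0.0.0.0/0",         # would open login to every address
]


def check_allow_list(name, cidrs, description=""):
    """Validate allow-list inputs.

    Returns (payload, problems). payload holds only the entries that passed;
    problems is a list of human-readable findings to review before submitting.
    The payload keys are hypothetical, not the connector's confirmed field names.
    """
    problems = []
    clean_name = (name or "").strip()
    if not clean_name:
        problems.append("name is required")
    if not 1 <= len(cidrs) <= MAX_CIDRS:
        problems.append(f"expected 1 to {MAX_CIDRS} CIDRs, got {len(cidrs)}")

    networks = []
    for raw in cidrs:
        try:
            # strict=True rejects values such as 192.0.2.10/24 where the
            # author may have meant a single host rather than the whole /24.
            net = ipaddress.ip_network(str(raw).strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{raw!r}: {exc}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(
                f"{net}: broader than /{MIN_PREFIX[net.version]}, refusing to allow"
            )
            continue
        networks.append(net)

    # Broadest networks first, so narrower duplicates are reported as covered.
    kept = []
    ordered = sorted(
        networks, key=lambda n: (n.version, n.prefixlen, int(n.network_address))
    )
    for net in ordered:
        cover = next(
            (k for k in kept if k.version == net.version and net.subnet_of(k)), None
        )
        if cover is not None:
            problems.append(f"{net}: already covered by {cover}")
        else:
            kept.append(net)

    payload = {
        "name": clean_name,
        "cidrs": [str(n) for n in kept],
        "description": description,
    }
    return payload, problems


if __name__ == "__main__":
    payload, problems = check_allow_list("office-egress", SAMPLE_CIDRS)
    print(payload)
    for p in problems:
        print("REVIEW:", p)
```
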

Action: Add Network

This action adds a public network.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Network Name

Enter the network name.

Text

Required

Action: Add Policies

This action adds a new policy.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Policy Name

Enter the policy name.

Text

Required

Policy Type

Enter the policy type.

Example:

"config"

Text

Required

Criteria

Enter the saved search ID that defines the rule criteria.

Text

Required

Rule Name

Enter the rule name.

Text

Required

Parameter

Enter the parameters.

Example:

{"savedsearch": "true"}

Key Value

Required

Type

Enter the type.

Example:

"network"

Text

Required

Severity

Enter the severity.

Example:

"high"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Cloud Type

Enter the cloud type.

Example:

"azure"

Text

Optional

Default value:

all

Data Criteria

Enter the data criteria.

Key Value

Optional

Example Request

[
   {
      "policy_type":"config",
      "parameter":{
         "savedsearch":"true"
      },
      "type":"network",
      "severity":"high"
   }
]
Action: Alert Info

This action retrieves information about an alert for the specified ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID.

Text

Required

Detailed

Enter your preference to retrieve detailed alert information.

Example:

yes

Boolean

Optional

Default value:

no

Action: Dismiss Alerts

This action dismisses one or more alerts on the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filters

Enter the filters.

Key Value

Required

Alert IDs

Enter the alert IDs.

List

Optional

Dismissal Note

Enter the dismissal note.

Text

Optional

Time Range

Enter the time range.

Example:

{"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}}

Key Value

Optional

Policies

Enter the policy IDs.

List

Optional

Action: Download Report

This action downloads the compliance report with the specified ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID.

Text

Required

Filename

Enter the filename with its extension to save the downloaded report.

Example:

samplefile.csv

Text

Required

View Response

Choose true to view the response.

Boolean

Optional

Action: Filter Event Search Results

This action filters the results of an event log search according to the specified parameters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Action: Get Account Status

This action retrieves Prisma Cloud Security Capabilities with warning or error statuses for the specified account and provides remediation suggestions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account ID

Enter the cloud account ID for which you want to retrieve the status.

Text

Required

You can retrieve the account ID using the action Action: List Cloud Accounts.

Action: Get All Compliance Statistics

This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Time Type

Enter the type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"1"

Text

Required

Time Unit

Enter the unit.

Example:

"day"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"1",
      "timeunit":"day"
   }
]
Action: Get Asset

This action retrieves the information of the specified asset.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Asset ID

Enter the asset ID or the Restricted Resource Name (RRN) to retrieve asset details.

Example:

rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx or unified-asset-id

Text

Required

Query Type

Enter the query type for the Asset Domain Service.

Text

Required

Allowed values:

external_finding, asset, asset_lite, alerts, alerts_counts, alert_summary, finding_summary, attack_path, attack_path_summary, raw_config, network, timeline, external_integration, asset_data_indicators, relationships, findings, vulnerabilities, permissions, package_info, labels, vulnerability_aggregates, process_info, vulnerabilities_group_by_type, asset_cwp_vulns, app_contexts, attributes, data_security, data_security_summary

Finding Type

Enter the external finding types.

List

Optional

Allowed values for MOD1:

COMPLIANCE_CIS, GUARD_DUTY_HOST, GUARD_DUTY_IAM, INSPECTOR_RBA, INSPECTOR_SBP, NETWORK_REACHABILITY, AZURE_SECURITY_CENTER_ALERTS, UNCLASSIFIED, COMMAND_AND_CONTROL, CREDENTIAL_ACCESS, CROSS_ACCOUNT_TRUST, DATA_EXFILTRATION, DEFENSE_EVASION, DISCOVERY, HIGH_PRIVILEGED_ROLE, INITIAL_ACCESS, INTERNET_EXPOSURE, KEYS_AND_SECRETS, LATERAL_MOVEMENT, MALWARE, MFA, MISCONFIGURATION, NETWORK_ANOMALY, PRIVILEGE_ESCALATION, RECONNAISSANCE, RESOURCE_HIJACKING, SSH_BRUTE_FORCE, UNAUTHORIZED_ACCESS, UNENCRYPTED_DATA, UNUSED_PRIVILEGES, USER_ANOMALY, WEAK_PASSWORD, SENSITIVE_DATA_EXPOSURE, INJECTIONS, VULNERABILITY_SCANNING, SHELLSHOCK, KNOWN_BOTS, UNKNOWN_BOTS, VIRTUAL_PATCHES, WEB_ATTACK, BOT_ACTIVITY, WEB_SCRAPING, CUSTOM, VULNERABILITY

Allowed values for MOD2:

HOST_VULNERABILITY_CVE, CONTAINER_IMAGE_VULNERABILITY_CVE, VIRTUAL_IMAGE_VULNERABILITY_CVE, SERVERLESS_VULNERABILITY, PACKAGE_VULNERABILITY

Risk Factors

Enter the external finding risk factors.

List

Optional

Allowed values:

CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, HAS_FIX, REMOTE_EXECUTION, DOS, RECENT_VULNERABILITY, EXPLOIT_EXISTS, ATTACK_COMPLEXITY_LOW, ATTACK_VECTOR_NETWORK, REACHABLE_FROM_THE_INTERNET, LISTENING_PORTS, CONTAINER_IS_RUNNING_AS_ROOT, NO_MANDATORY_SECURITY_PROFILE_APPLIED, RUNNING_AS_PRIVILEGED_CONTAINER, PACKAGE_IN_USE, DOS_LOW, DOS_HIGH, EXPLOIT_EXISTS_IN_THE_WILD, EXPLOIT_EXISTS_POC, SENSITIVE_INFORMATION, ROOT_MOUNT, RUNTIME_SOCKET, HOST_ACCESS

Extra Fields

Enter the extra fields to make the request.

Key Value

Optional

Allowed keys:

timelineItemId, limit, pageToken, alertIds, attackPathIds, permissionType, prismaCloudFindingsOnly, vulnerabilityInfoTypeId, vulnerabilityInfoType, filters

Action: Get Asset Inventory Trend View

This action retrieves asset inventory pass/fail trends for the specified time period.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Time Type

Enter the type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"2"

Text

Required

Time Unit

Enter the unit.

Example:

"minute"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"2",
      "timeunit":"minute"
   }
]
Action: Get Classification Report

This action retrieves a data classification report.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tenant ID

Enter the tenant ID to retrieve the data classification report.

Text

Required

Object ID

Enter the object ID to retrieve the data classification report.

Text

Required

Action: Get Cloud Account

This action retrieves a list of cloud account IDs and names.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account group IDs

Enter the account group IDs.

List

Required

Cloud Type

Enter the cloud type.

Example:

"aws"

Text

Required

Only Active

Enter your preference to return the IDs and names of active accounts.

Example:

yes

Boolean

Optional

Default value: no

Example Request

[
    {
        "cloud_type": "aws"
    }
]
Action: Get Cloud Account Information

This action retrieves top-level information about the cloud account.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Cloud Type

Enter the cloud type.

Example:

"aws"

Text

Required

Account ID

Enter the account ID.

Text

Required

Include Group Info

Enter your preference to include account group information.

Example:

yes

Boolean

Optional

Default value:

no

Example Request

[
   {
      "cloud_type":"aws",
      "include_group_info": yes
   }
]
Action: Get Cloud Audit Logs

This action retrieves audit logs for events that took place on the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Time Type

Enter the type.

Example:

"relative"

Text

Optional

Duration

Enter the duration.

Example:

"2"

Text

Optional

Time Unit

Enter the unit.

Example:

"hour"

Text

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"2",
      "timeunit":"hour"
   }
]
Action: Get Code Issues from Periodic Scans

This action retrieves code issues from periodic scans.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filters

Enter the filters to retrieve selective issues.

Example:

$JSON[{\"repositories\": [\">= 2\"],\"benchmarks\": [\"CIS KUBERNETES V1.5\"],\"checkStatus\": \"Error\",\"codeCategories\": [\"IacMisconfiguration\"],\"fileTypes\": [\"build.gradle\"],\"fixableOnly\": true}]

Any

Optional

For allowed values, see Palo Alto Prisma Cloud documentation.

Limit

Enter the number of results to retrieve.

Example:

100

Integer

Optional

Maximum allowed value:

10000

Default value:

100

Offset

Enter a number to skip a specific number of items from the start of the results.

Integer

Optional

Default value is 0, which returns results starting from the first issue.

Search After

Enter the opaque cursor for pagination.

List

Optional

If you pass Search After, you must also pass Use Search After Pagination and Limit.

Use Search After Pagination

Choose true to use the Search After parameter for pagination instead of offset.

Boolean

Optional

Search

Enter the fields to search for issues.

Example:

$JSON[{\"scopes\": [\"IacMisconfiguration\"], \"term\": \"string\"}]

Any

Optional

Allowed keys:

scopes, term

Action: Get Compliance Statistics for Standard ID

This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections for the given compliance standard ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Compliance ID

Enter the compliance ID.

Text

Required

Time Type

Enter the type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"1"

Text

Required

Time Unit

Enter the unit.

Example:

"minute"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"2",
      "timeunit":"minute"
   }
]
Action: Get Compliance Trend

This action retrieves a compliance posture summary that describes the passed/failed statistics trend.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Time Type

Enter the type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"1"

Text

Required

Time Unit

Enter the unit.

Example:

"minute"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"1",
      "timeunit":"minute"
   }
]
Action: Get Dashboard Alerts

This action retrieves counts of total objects, public objects, sensitive objects, and malware.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account group IDs

Enter the list of cloud account group IDs.

List

Required

Account Group Names

Enter the list of AWS account group names.

List

Required

Account IDs

Enter the list of cloud account IDs.

List

Required

Classifications

Enter the list of data classifications.

List

Required

Limit

Enter the limit of the records returned.

Integer

Required

Time Range

Enter the time range.

Example:

{"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}}

Key Value

Required

Example Request

[
   {
      "timerange":{
         "relativetimetype":"backward",
         "type":"relative",
         "value":{
            "amount":0,
            "unit":"minute"
         }
      }
   }
]
Action: Get Dashboard Violations

This action lists violations for the dashboard.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account Group IDs

Enter the list of cloud account group IDs.

List

Required

Account Group Names

Enter the list of AWS account group names.

List

Required

Account IDs

Enter the list of cloud account IDs.

List

Required

Classifications

Enter the list of data classifications.

List

Required

Limit

Enter a value to limit the records returned.

Integer

Required

Time Range

Enter the time range.

Example:

{"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}}

Key Value

Required

Example Request

[
   {
      "timerange":{
         "relativetimetype":"backward",
         "type":"relative",
         "value":{
            "amount":0,
            "unit":"minute"
         }
      }
   }
]
Action: Get External Ingest Integrations for Resource

This action retrieves a list of external ingestion integrations for the specified resource.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Exclude Severity List

Enter the external finding severities to exclude from the results.

List

Optional

Finding Type

Enter the external finding types.

List

Optional

Risk Factors

Enter the external finding risk factors. Allowed values are CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, and more.

List

Optional

Allowed values:

CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, HAS_FIX, REMOTE_EXECUTION, DOS, RECENT_VULNERABILITY, EXPLOIT_EXISTS, ATTACK_COMPLEXITY_LOW, ATTACK_VECTOR_NETWORK, REACHABLE_FROM_THE_INTERNET, LISTENING_PORTS, CONTAINER_IS_RUNNING_AS_ROOT, NO_MANDATORY_SECURITY_PROFILE_APPLIED, RUNNING_AS_PRIVILEGED_CONTAINER, PACKAGE_IN_USE

Restricted Resource Name

Enter the restricted resource name (RRN) to filter the result.

Example:

rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx

Text

Optional

RRN List

Enter a list of restricted resource names (RRN) to filter the response.

Example:

$LIST[\"rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx\"]

List

Optional

Timeline Item ID

Enter the ID of the timeline item.

Text

Optional

Action: Get Inventory Resource Details

This action retrieves details for the resource (bucket) with the specified tenant ID and bucket name.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tenant ID

Enter the tenant ID.

Text

Required

Object ID

Enter the object ID.

Text

Required

Action: Get Inventory Resource Objects

This action retrieves the objects for the specified bucket.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tenant ID

Enter the tenant ID.

Text

Required

Object ID

Enter the object ID.

Text

Required

Action: Get Malware Report

This action retrieves a malware report.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tenant ID

Enter the tenant ID.

Text

Required

Object ID

Enter the object ID.

Text

Required

File Hash

Enter the file hash value.

Text

Required

Action: Get Permissions

This action retrieves a list of permissions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

RQL Query

Enter the Resource Query Language (RQL) to retrieve permissions.

Example:

config from iam where dest.cloud.type='AWS'

Text

Required

Limit

Enter the number of results to retrieve on each page.

Example:

100

Integer

Optional

Search ID

Enter the ID of the saved search.

Example:

ff4fcb80-03f6-41dd-8bd8-6179fd46b3a4

Text

Optional

Next Page Token

Enter the page token to retrieve the next page of results.

Example:

++fdfkjsdlfsdfdFDSFDFSDFdfdssfdFDS

Text

Optional

Group by Fields

Enter the fields to group the results.

Example:

$LIST["source","sourceCloudAccount"]

List

Optional

Allowed values:

source, sourceCloudAccount, grantedByEntity, entityCloudAccount, grantedByPolicy, policyCloudAccount, grantedByLevel, action, destination, destCloudAccount, lastAccess

Action: Get Policy

This action retrieves the policy that has the specified policy ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Policy ID

Enter the policy ID.

Text

Required

Action: Get Raw Event Data

This action retrieves the audit event data for the specified ID as raw metadata.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Audit Event ID

Enter the audit event ID.

Text

Required

Action: Get Report Config

This action retrieves the compliance report generation configuration with the specified ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID.

Text

Required

Action: Get Resource Lists

This action retrieves all the resource lists for the current customer.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Resource List Type

Enter the type of the resource list.

Text

Required

Allowed value:

TAG

Action: Get User Role Information

This action retrieves the user role information of the specified user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User ID

Enter the ID of the user to retrieve information.

Text

Required

You can retrieve the user ID using the action Action: List Users.

Action: List Alert Filter Autocomplete Suggestions

This action retrieves autocomplete suggestions for an alert filter key based on a fuzzy search query.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter Name

Enter the name of the alert filter key.

Text

Required

Filter Query

Enter a fuzzy search query to match items.

Text

Optional

Action: List Alert Filters

This action retrieves an object whose keys are the available policy filters.

Action Input Parameters

There are no input parameters required for this action.

Action: List Alert Remediation

This action generates and retrieves a list of remediation commands for the specified alerts and policies.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filters

Enter the filters.

Key Value

Required

Alert IDs

Enter the alert IDs.

List

Optional

Policies

Enter the policy IDs.

List

Optional

Action: List Alerts

This action retrieves a list of alerts that match the constraints specified in the query parameters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Use V2

Enter your preference to use V2.

Example:

yes

Boolean

Required

Time Type

Enter the time type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"2"

Text

Required

Time Unit

Enter the unit.

Example:

"minute"

Text

Required

Detailed

Enter your preference to retrieve the detailed result.

Example:

yes

Boolean

Required

Filters

Enter the filters to narrow down the result.

Key Value

Optional

Example Request

[
    {
        "use_v2": yes,
        "timetype":"relative",
        "timeamount": "2",
        "timeunit": "minute",
        "detailed": yes
    }
]
Action: List Cloud Account Owners

This action retrieves the email addresses of all owners for the specified cloud account ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Account ID

Enter the cloud account ID for which you want to retrieve the list of owners.

Text

Required

You can retrieve the account ID using the action Action: List Cloud Accounts.

Action: List Cloud Accounts

This action lists all cloud accounts onboarded onto the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Exclude Account Group Details

Enter your preference to exclude account group details.

Example:

yes

Boolean

Optional

Default value:

no

Include Pending Accounts

Choose true to include pending accounts in the response.

Boolean

Optional

Action: List Historical Reports Data

This action retrieves a list of metadata for the scheduled compliance reports that have been run for the specified report ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Report ID

Enter the report ID.

Text

Required

Action: List Inventory Filters

This action retrieves an object whose keys are supported asset inventory filters and values containing default recent options.

Action Input Parameters

This action does not require any input parameters.

Action: List Inventory Objects

This action lists data for objects.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Table Level

Enter the table level.

Example:

4

Integer

Required

The response data depends on the table level you specify in the request body parameters.

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Supported parameters:

  • "detailed"

  • "fields"

  • "groupby"

  • "limit"

  • "sortby"

Example Request

[
   {
      "table_level": 4
   }
]
Action: List IP Addresses Allowed for Login

This action retrieves a list of data objects that contain the CIDRs in the allow list to access the Prisma Cloud tenant.

Action Input Parameters

There are no input parameters required for this action.

Action: List Networks

This action returns an array of public networks.

Action Input Parameters

There are no input parameters required for this action.

Action: List Policies

This action retrieves all available policies, both system default and custom.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filters

Enter the filters to narrow down the returned policy list.

Key Value

Optional

You can apply filters to narrow the returned policy list to a subset of policies or potentially to a specific policy.

Action: List Report Configs

This action retrieves a list of compliance report generation configurations, including the ID for each configuration.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters

Enter the extra parameters to narrow down the returned policy list.

Key Value

Optional

Accepts query parameters to narrow the list.

Action: List Users

This action lists all users and service accounts for your tenant.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

API Version

Enter the API version to make the request.

Example:

v2

Text

Optional

Default value:

v3

Action: Remediate Alert

This action remediates the alert with the specified ID if that alert is associated with a remediable policy.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID.

Text

Required

Finding ID

Enter the finding ID.

Text

Optional

Action: Reopen Alerts

This action reopens dismissed or snoozed alerts by changing their status to open on the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert IDs

Enter one or more alert IDs to reopen.

List

Optional

You can retrieve the alert IDs using the List Alerts action.

Extra Params

Enter the extra fields to reopen alerts.

Key Value

Optional

Filter

Enter the filters to select alerts.

Example:

$JSON["detailed": "True", "groupBy": ["string"], "limit": 0]

Any

Optional

Allowed keys:

detailed, fields, groupBy, limit, offset, pageToken, sortBy, timeRange

Policy IDs

Enter the policy IDs associated with the alerts.

List

Optional

You can retrieve the policy IDs using the List Policies action.

Action: Search Alerts

This action searches for alerts on the Prisma Cloud platform.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Use V2

Choose true if you want to use V2.

Boolean

Optional

Default value:

true

Detailed

Choose true to include detailed alert data in the response.

Boolean

Optional

Default value:

false

Fields

Enter the fields to retrieve in the response.

Example:

$LIST[alert.id]

List

Optional

Filters

Enter the filters to search for alerts.

Example:

$JSON[[{"name": "string","operator": "=", "value": "string"}]]

Any

Optional

Allowed keys:

name, operator, value

Group By

Enter the attributes to group the returned items.

Example:

$LIST[cloud.type]

List

Optional

Allowed values:

cloud.type, cloud.service, cloud.region, cloud.account, resource.type

Extra Fields

Enter the extra fields to search for alerts.

Key Value

Optional

Allowed keys:

limit, offset, pageToken, sortBy, timeRange

Action: Search Alerts by ID

This action retrieves search data that can be used to investigate the alert with the specified ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID.

Text

Required

Action: Trigger Scan

This action triggers an asynchronous scan to refresh the state of resources.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Is Executed

Choose true if the scan was executed before.

Boolean

Required

Message

Enter a message providing additional information about the request.

Text

Required

Action: Update Policy

This action updates the existing policy that has the specified policy ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Policy ID

Enter the policy ID.

Text

Required

Policy Name

Enter the policy name.

Text

Required

Policy Type

Enter the policy type.

Example:

"config"

Text

Required

Criteria

Enter the saved search ID that defines the rule criteria.

Text

Required

Rule Name

Enter the rule name.

Text

Required

Parameter

Enter the parameters.

Example:

{"savedsearch": "true"}

Key Value

Required

Type

Enter the type.

Example:

"auditevent"

Text

Required

Severity

Enter the severity.

Example:

"medium"

Text

Required

Extra Parameters

Enter the extra parameters.

Key Value

Optional

Cloud Type

Enter the cloud type.

Example:

"aws"

Text

Optional

Default value:

all

Data Criteria

Enter the data criteria.

Key Value

Optional

Example Request

[
   {
      "policy_type":"config",
      "parameter":{
         "savedsearch":"true"
      },
      "type":"network",
      "severity":"high"
   }
]

Action: View Asset Inventory

This action retrieves asset inventory pass/fail data for the specified time period.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Time Type

Enter the type.

Example:

"relative"

Text

Required

Duration

Enter the duration.

Example:

"2"

Text

Required

Time unit

Enter the unit.

Example:

"minute"

Text

Required

Extra parameters

Enter the extra parameters.

Key Value

Optional

Example Request

[
   {
      "timetype":"relative",
      "timeamount":"2",
      "timeunit":"minute"
   }
]

Action: Generic Action

This is a generic action used to make requests to any Palo Alto Prisma Cloud endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Method

Enter the HTTP method to make the request.

Text

Required

Allowed values:

GET, PUT, POST, DELETE

Endpoint

Enter the endpoint to make the request to.

Example:

dlp/api/v1/inventory/resource/objects

Text

Required

Query Params

Enter the query parameters to pass to the API.

Key Value

Optional

Payload

Enter the payload to pass to the API.

Any

Optional

Extra Fields

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

headers, payload_json, download, files, filename, retry_wait, retry_count, custom_output, response_type