Palo Alto Prisma Cloud
App Vendor: Palo Alto Networks
App Category: Network Security
Connector Version: 1.1.0
API Version: 1.0.0
Note
This app is currently released as a beta version.
About App
The Palo Alto Prisma Cloud app enables you to interact with Prisma Cloud services programmatically.
The Palo Alto Prisma Cloud app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Access Key | This action adds a new access key for the current user. |
Add Cloud Account | This action onboards a new cloud account onto the Prisma Cloud platform. |
Add IP Address to Allow List | This action adds a named list of CIDRs (IP addresses) to the allow list for access to Prisma Cloud. |
Add Policies | This action adds a new policy. |
Add Network | This action adds a public network. |
Alert Info | This action retrieves information about an alert for the specified ID. |
Dismiss Alerts | This action dismisses one or more alerts on the Prisma Cloud platform. |
Download Report | This action downloads the compliance report with the specified ID. |
Filter Event Search Results | This action filters the results of an event log search according to the specified parameters. |
Get Account Status | This action retrieves Prisma Cloud Security Capabilities with warning or error statuses for the specified account and provides remediation suggestions. |
Get All Compliance Statistics | This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections. |
Get Asset | This action retrieves the information of the specified asset. |
Get Asset Inventory Trend View | This action retrieves asset inventory pass/fail trends for the specified time period. |
Get Classification Report | This action retrieves a data classification report. |
Get Cloud Account | This action retrieves a list of cloud account IDs and names. |
Get Cloud Account Information | This action retrieves top-level information about the cloud account. |
Get Cloud Audit Logs | This action retrieves audit logs for events that took place on the Prisma Cloud platform. |
Get Code Issues from Periodic Scans | This action retrieves code issues from periodic scans. |
Get Compliance Statistics for Standard ID | This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections for the given compliance standard ID. |
Get Compliance Trend | This action retrieves a compliance posture summary that describes the passed/failed statistics trend. |
Get Dashboard Alerts | This action retrieves counts of total objects, public objects, sensitive objects, and malware. |
Get Dashboard Violations | This action lists violations for the dashboard. |
Get External Ingest Integrations for Resource | This action retrieves a list of external ingestion integrations for the specified resource. |
Get Inventory Resource Details | This action retrieves details for the resource (bucket) with the specified tenant ID and bucket name. |
Get Inventory Resource Objects | This action retrieves the objects for the specified bucket. |
Get Malware Report | This action retrieves a malware report. |
Get Permissions | This action retrieves a list of permissions. |
Get Policy | This action retrieves the policy that has the specified policy ID. |
Get Raw Event Data | This action retrieves the audit event data for the specified ID as raw metadata. |
Get Report Config | This action retrieves the compliance report generation configuration with the specified ID. |
Get Resource Lists | This action retrieves all the resource lists for the current customer. |
Get User Role Information | This action retrieves the user role information of the specified user. |
List Alert Filter Autocomplete Suggestions | This action retrieves autocomplete suggestions for an alert filter key based on a fuzzy search query. |
List Alert Filters | This action retrieves an object whose keys are the available policy filters. |
List Alert Remediation | This action generates and retrieves a list of remediation commands for the specified alerts and policies. |
List Alerts | This action retrieves a list of alerts that match the constraints specified in the query parameters. |
List Cloud Account Owners | This action retrieves the email addresses of all owners for the specified cloud account ID. |
List Cloud Accounts | This action lists all cloud accounts onboarded onto the Prisma Cloud platform. |
List Historical Reports Data | This action retrieves a list of metadata for the scheduled compliance reports for the specified report ID. |
List Inventory Filters | This action retrieves an object whose keys are the supported asset inventory filters and whose values contain default recent options. |
List Inventory Objects | This action lists data for objects. |
List IP Addresses Allowed for Login | This action retrieves a list of data objects that contain the CIDRs in the allow list to access the Prisma Cloud tenant. |
List Networks | This action retrieves an array of public networks. |
List Policies | This action retrieves system default and custom policies. |
List Report Configs | This action retrieves a list of compliance report generation configurations. |
List Users | This action lists all users and service accounts for your tenant. |
Perform Config Search | This action searches for resources using an RQL config query to identify misconfigurations and policy violations. |
Perform Event Search | This action retrieves the results of an RQL (Resource Query Language) audit event query. |
Perform Network Search | This action performs a search against flow logs with an RQL (Resource Query Language) query. |
Remediate Alert | This action remediates the alert with the specified ID if that alert is associated with a remediable policy. |
Reopen Alerts | This action reopens dismissed or snoozed alerts by changing their status to open on the Prisma Cloud platform. |
Search Alerts | This action searches for alerts on the Prisma Cloud platform. |
Search Alerts by ID | This action retrieves search data to investigate the alert with the specified ID. |
Trigger Scan | This action triggers an asynchronous scan to refresh the state of resources. |
Update Policy | This action updates the existing policy that has the specified policy ID. |
View Asset Inventory | This action retrieves asset inventory pass/fail data for the specified time period. |
Generic Action | This is a generic action used to make requests to any Palo Alto Prisma Cloud endpoint. |
Configuration Parameters
The following configuration parameters are required for the Palo Alto Prisma Cloud app to communicate with the Palo Alto Prisma Cloud enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Prisma Cloud. Example: https://api.prismacloud.io | Text | Required | |
Access ID | Enter the access ID. | Text | Required | |
Password | Enter the password. | Password | Required | |
Customer Name | Enter the customer's name. | Text | Optional | |
Prisma ID | Enter the Prisma ID. | Text | Optional |
Action: Add Access Key
This action adds a new access key for the current user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Access Key Name | Enter the name of the access key. | Text | Required | |
Expires on | Enter the timestamp in milliseconds when the access key expires. | Integer | Optional | |
Service Account Name | Enter the service account name. | Text | Optional |
Action: Add Cloud Account
This action onboards a new cloud account onto the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account ID | Enter the AWS account ID. | Text | Required | |
External ID | Enter the AWS account external ID. | Text | Required | |
Group IDs | Enter the list of account group IDs for this account. | List | Required | |
Role Arn | Enter the unique identifier for an AWS resource. | Text | Required | |
Name | Enter the name to be used for the account on the Prisma Cloud platform. | Text | Required | |
Enabled | Enter yes if the account is enabled. | Boolean | Optional | Default value: no |
Protective Mode | Enter the protective mode. Example: "monitor" | Text | Optional | |
Skip Status Checks | Enter your preference to skip account status checks to improve response time. Example: yes | Boolean | Optional | Default value: no |
Action: Add IP Address to Allow List
This action adds a named list of CIDRs (IP addresses) to the allow list for access to Prisma Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CIDRs | Enter the list of CIDRs to add to the allow list for login access. | List | Required | You can include 1 to 10 CIDRs. |
Name | Enter a unique name for the CIDR (IP addresses) allow list. | Text | Required | |
Description | Enter a description of the CIDR (IP addresses) allow list. | Text | Optional |
Action: Add Network
This action adds a public network.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Network Name | Enter the network name. | Text | Required |
Action: Add Policies
This action adds a new policy.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy Name | Enter the policy name. | Text | Required | |
Policy Type | Enter the policy type. Example: "config" | Text | Required | |
Criteria | Enter the saved search ID that defines the rule criteria. | Text | Required | |
Rule Name | Enter the rule name. | Text | Required | |
Parameter | Enter the parameters. Example: {"savedsearch": "true"} | Key Value | Required | |
Type | Enter the type. Example: "network" | Text | Required | |
Severity | Enter the severity. Example: "high" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional | |
Cloud Type | Enter the cloud type. Example: "azure" | Text | Optional | Default value: all |
Data Criteria | Enter the data criteria. | Key Value | Optional |
Example Request
[ { "policy_type":"config", "parameter":{ "savedsearch":"true" }, "type":"network", "severity":"high" } ]
Action: Alert Info
This action retrieves information about an alert for the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required | |
Detailed | Enter your preference to retrieve detailed alert information. Example: yes | Boolean | Optional | Default value: no |
Action: Dismiss Alerts
This action dismisses one or more alerts on the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters. | Key Value | Required | |
Alert IDs | Enter the alert IDs. | List | Optional | |
Dismissal Note | Enter the dismissal note. | Text | Optional | |
Time Range | Enter the time range. Example: {"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}} | Key Value | Optional | |
Policies | Enter the policy IDs. | List | Optional |
Action: Download Report
This action downloads the compliance report with the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. | Text | Required | |
Filename | Enter the filename with its extension to save the downloaded report. Example: samplefile.csv | Text | Required | |
View Response | Choose true to view the response. | Boolean | Optional |
Action: Filter Event Search Results
This action filters the results of an event log search according to the specified parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Action: Get Account Status
This action retrieves Prisma Cloud Security Capabilities with warning or error statuses for the specified account and provides remediation suggestions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account ID | Enter the cloud account ID for which you want to retrieve the status. | Text | Required | You can retrieve the account ID using the List Cloud Accounts action. |
Action: Get All Compliance Statistics
This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Time Type | Enter the type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "1" | Text | Required | |
Time Unit | Enter the unit. Example: "day" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"1", "timeunit":"day" } ]
Action: Get Asset
This action retrieves the information of the specified asset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID or the Restricted Resource Name (RRN) to retrieve asset details. Example: rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx or unified-asset-id | Text | Required | |
Query Type | Enter the query type for the Asset Domain Service. | Text | Required | Allowed values: external_finding, asset, asset_lite, alerts, alerts_counts, alert_summary, finding_summary, attack_path, attack_path_summary, raw_config, network, timeline, external_integration, asset_data_indicators, relationships, findings, vulnerabilities, permissions, package_info, labels, vulnerability_aggregates, process_info, vulnerabilities_group_by_type, asset_cwp_vulns, app_contexts, attributes, data_security, data_security_summary |
Finding Type | Enter the external finding types. | List | Optional | Allowed values for MOD1: COMPLIANCE_CIS, GUARD_DUTY_HOST, GUARD_DUTY_IAM, INSPECTOR_RBA, INSPECTOR_SBP, NETWORK_REACHABILITY, AZURE_SECURITY_CENTER_ALERTS, UNCLASSIFIED, COMMAND_AND_CONTROL, CREDENTIAL_ACCESS, CROSS_ACCOUNT_TRUST, DATA_EXFILTRATION, DEFENSE_EVASION, DISCOVERY, HIGH_PRIVILEGED_ROLE, INITIAL_ACCESS, INTERNET_EXPOSURE, KEYS_AND_SECRETS, LATERAL_MOVEMENT, MALWARE, MFA, MISCONFIGURATION, NETWORK_ANOMALY, PRIVILEGE_ESCALATION, RECONNAISSANCE, RESOURCE_HIJACKING, SSH_BRUTE_FORCE, UNAUTHORIZED_ACCESS, UNENCRYPTED_DATA, UNUSED_PRIVILEGES, USER_ANOMALY, WEAK_PASSWORD, SENSITIVE_DATA_EXPOSURE, INJECTIONS, VULNERABILITY_SCANNING, SHELLSHOCK, KNOWN_BOTS, UNKNOWN_BOTS, VIRTUAL_PATCHES, WEB_ATTACK, BOT_ACTIVITY, WEB_SCRAPING, CUSTOM, VULNERABILITY Allowed values for MOD2: HOST_VULNERABILITY_CVE, CONTAINER_IMAGE_VULNERABILITY_CVE, VIRTUAL_IMAGE_VULNERABILITY_CVE, SERVERLESS_VULNERABILITY, PACKAGE_VULNERABILITY |
Risk Factors | Enter the external finding risk factors. | List | Optional | Allowed values: CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, HAS_FIX, REMOTE_EXECUTION, DOS, RECENT_VULNERABILITY, EXPLOIT_EXISTS, ATTACK_COMPLEXITY_LOW, ATTACK_VECTOR_NETWORK, REACHABLE_FROM_THE_INTERNET, LISTENING_PORTS, CONTAINER_IS_RUNNING_AS_ROOT, NO_MANDATORY_SECURITY_PROFILE_APPLIED, RUNNING_AS_PRIVILEGED_CONTAINER, PACKAGE_IN_USE, DOS_LOW, DOS_HIGH, EXPLOIT_EXISTS_IN_THE_WILD, EXPLOIT_EXISTS_POC, SENSITIVE_INFORMATION, ROOT_MOUNT, RUNTIME_SOCKET, HOST_ACCESS |
Extra Fields | Enter the extra fields to make the request. | Key Value | Optional | Allowed keys: timelineItemId, limit, pageToken, alertIds, attackPathIds, permissionType, prismaCloudFindingsOnly, vulnerabilityInfoTypeId, vulnerabilityInfoType, filters |
Action: Get Asset Inventory Trend View
This action retrieves asset inventory pass/fail trends for the specified time period.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Time Type | Enter the type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "2" | Text | Required | |
Time Unit | Enter the unit. Example: "minute" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"2", "timeunit":"minute" } ]
Action: Get Classification Report
This action retrieves a data classification report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tenant ID | Enter the tenant ID to retrieve the data classification report. | Text | Required | |
Object ID | Enter the object ID to retrieve the data classification report. | Text | Required |
Action: Get Cloud Account
This action retrieves a list of cloud account IDs and names.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account group IDs | Enter the account group IDs. | List | Required | |
Cloud Type | Enter the cloud type. Example: "aws" | Text | Required | |
Only Active | Enter your preference to return the IDs and names of active accounts. Example: yes | Boolean | Optional | Default value: no |
Example Request
[ { "cloud_type": "aws" } ]
Action: Get Cloud Account Information
This action retrieves top-level information about the cloud account.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cloud Type | Enter the cloud type. Example: "aws" | Text | Required | |
Account ID | Enter the account ID. | Text | Required | |
Include Group Info | Enter your preference to include account group information. Example: yes | Boolean | Optional | Default value: no |
Example Request
[ { "cloud_type":"aws", "include_group_info": yes } ]
Action: Get Cloud Audit Logs
This action retrieves audit logs for events that took place on the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Time Type | Enter the type. Example: "relative" | Text | Optional | |
Duration | Enter the duration. Example: "2" | Text | Optional | |
Time Unit | Enter the unit. Example: "hour" | Text | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"2", "timeunit":"hour" } ]
Action: Get Code Issues from Periodic Scans
This action retrieves code issues from periodic scans.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters to retrieve selective issues. Example: $JSON[{\"repositories\": [\">= 2\"],\"benchmarks\": [\"CIS KUBERNETES V1.5\"],\"checkStatus\": \"Error\",\"codeCategories\": [\"IacMisconfiguration\"],\"fileTypes\": [\"build.gradle\"],\"fixableOnly\": true}] | Any | Optional | For allowed values, see the Palo Alto Prisma Cloud documentation. |
Limit | Enter the number of results to retrieve. Example: 100 | Integer | Optional | Maximum allowed value: 10000. Default value: 100. |
Offset | Enter a number to skip a specific number of items from the start of the results. | Integer | Optional | Default value is 0, which returns results starting from the first issue. |
Search After | Enter the opaque cursor for pagination. | List | Optional | If you pass Search After, you must also pass Use Search After Pagination and Limit. |
Use Search After Pagination | Choose true to use the Search After parameter for pagination instead of offset. | Boolean | Optional | |
Search | Enter the fields to search for issues. Example: $JSON[{\"scopes\": [\"IacMisconfiguration\"], \"term\": \"string\"}] | Any | Optional | Allowed keys: scopes, term |
Action: Get Compliance Statistics for Standard ID
This action retrieves a breakdown of the passed/failed statistics and associated policies for compliance standards, requirements, and sections for the given compliance standard ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Compliance ID | Enter the compliance ID. | Text | Required | |
Time Type | Enter the type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "1" | Text | Required | |
Time Unit | Enter the unit. Example: "minute" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"2", "timeunit":"minute" } ]
Action: Get Compliance Trend
This action retrieves a compliance posture summary that describes the passed/failed statistics trend.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Time Type | Enter the type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "1" | Text | Required | |
Time Unit | Enter the unit. Example: "minute" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"1", "timeunit":"minute" } ]
Action: Get Dashboard Alerts
This action retrieves counts of total objects, public objects, sensitive objects, and malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account group IDs | Enter the list of cloud account group IDs. | List | Required | |
Account Group Names | Enter the list of AWS account group names. | List | Required | |
Account IDs | Enter the list of cloud account IDs. | List | Required | |
Classifications | Enter the list of data classifications. | List | Required | |
Limit | Enter the limit of the records returned. | Integer | Required | |
Time Range | Enter the time range. Example: {"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}} | Key Value | Required |
Example Request
[ { "timerange":{ "relativetimetype":"backward", "type":"relative", "value":{ "amount":0, "unit":"minute" } } } ]
Action: Get Dashboard Violations
This action lists violations for the dashboard.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account Group IDs | Enter the list of cloud account group IDs. | List | Required | |
Account Group Names | Enter the list of AWS account group names. | List | Required | |
Account IDs | Enter the list of cloud account IDs. | List | Required | |
Classifications | Enter the list of data classifications. | List | Required | |
Limit | Enter a value to limit the records returned. | Integer | Required | |
Time Range | Enter the time range. Example: {"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}} | Key Value | Required |
Example Request
[ { "timerange":{ "relativetimetype":"backward", "type":"relative", "value":{ "amount":0, "unit":"minute" } } } ]
Action: Get External Ingest Integrations for Resource
This action retrieves a list of external ingestion integrations for the specified resource.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Exclude Severity List | Enter the external finding severities to exclude from the results. | List | Optional | |
Finding Type | Enter the external finding types. | List | Optional | |
Risk Factors | Enter the external finding risk factors. Allowed values are CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, and more. | List | Optional | Allowed values: CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, HAS_FIX, REMOTE_EXECUTION, DOS, RECENT_VULNERABILITY, EXPLOIT_EXISTS, ATTACK_COMPLEXITY_LOW, ATTACK_VECTOR_NETWORK, REACHABLE_FROM_THE_INTERNET, LISTENING_PORTS, CONTAINER_IS_RUNNING_AS_ROOT, NO_MANDATORY_SECURITY_PROFILE_APPLIED, RUNNING_AS_PRIVILEGED_CONTAINER, PACKAGE_IN_USE |
Restricted Resource Name | Enter the restricted resource name (RRN) to filter the result. Example: rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx | Text | Optional | |
RRN List | Enter a list of restricted resource names (RRN) to filter the response. Example: $LIST[\"rrn:xxx:xx:xx-xx-x:xxx:xxx:x-xxxx\"] | List | Optional | |
Timeline Item ID | Enter the ID of the timeline item. | Text | Optional |
Action: Get Inventory Resource Details
This action retrieves details for the resource (bucket) with the specified tenant ID and bucket name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tenant ID | Enter the tenant ID. | Text | Required | |
Object ID | Enter the object ID. | Text | Required |
Action: Get Inventory Resource Objects
This action retrieves the objects for the specified bucket.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tenant ID | Enter the tenant ID. | Text | Required | |
Object ID | Enter the object ID. | Text | Required |
Action: Get Malware Report
This action retrieves a malware report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tenant ID | Enter the tenant ID. | Text | Required | |
Object ID | Enter the object ID. | Text | Required | |
File Hash | Enter the file hash value. | Text | Required |
Action: Get Permissions
This action retrieves a list of permissions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
RQL Query | Enter the Resource Query Language (RQL) to retrieve permissions. Example: config from iam where dest.cloud.type='AWS' | Text | Required | |
Limit | Enter the number of results to retrieve on each page. Example: 100 | Integer | Optional | |
Search ID | Enter the ID of the saved search. Example: ff4fcb80-03f6-41dd-8bd8-6179fd46b3a4 | Text | Optional | |
Next Page Token | Enter the page token to retrieve the next page of results. Example: ++fdfkjsdlfsdfdFDSFDFSDFdfdssfdFDS | Text | Optional | |
Group by Fields | Enter the fields to group the results. Example: $LIST["source","sourceCloudAccount"] | List | Optional | Allowed values: source, sourceCloudAccount, grantedByEntity, entityCloudAccount, grantedByPolicy, policyCloudAccount, grantedByLevel, action, destination, destCloudAccount, lastAccess |
Action: Get Policy
This action retrieves the policy that has the specified policy ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Enter the policy ID. | Text | Required |
Action: Get Raw Event Data
This action retrieves the audit event data for the specified ID as raw metadata.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Audit Event ID | Enter the audit event ID. | Text | Required |
Action: Get Report Config
This action retrieves the compliance report generation configuration with the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. | Text | Required |
Action: Get Resource Lists
This action retrieves all the resource lists for the current customer.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource List Type | Enter the type of the resource list. | Text | Required | Allowed value: TAG |
Action: Get User Role Information
This action retrieves the user role information of the specified user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the ID of the user to retrieve information. | Text | Required | You can retrieve the user ID using the List Users action. |
Action: List Alert Filter Autocomplete Suggestions
This action retrieves autocomplete suggestions for an alert filter key based on a fuzzy search query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Name | Enter the name of the alert filter key. | Text | Required | |
Filter Query | Enter a fuzzy search query to match items. | Text | Optional |
Action: List Alert Filters
This action retrieves an object whose keys are the available policy filters.
Action Input Parameters
There are no input parameters required for this action.
Action: List Alert Remediation
This action generates and retrieves a list of remediation commands for the specified alerts and policies.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters. | Key Value | Required | |
Alert IDs | Enter the alert IDs. | List | Optional | |
Policies | Enter the policy IDs. | List | Optional |
Action: List Alerts
This action retrieves a list of alerts that match the constraints specified in the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Use V2 | Enter your preference to use V2. Example: yes | Boolean | Required | |
Time Type | Enter the time type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "2" | Text | Required | |
Time Unit | Enter the unit. Example: "minute" | Text | Required | |
Detailed | Enter your preference to retrieve the detailed result. Example: yes | Boolean | Required | |
Filters | Enter the filters to narrow down the result. | Key Value | Optional |
Example Request
[ { "use_v2": yes, "timetype":"relative", "timeamount": "2", "timeunit": "minute", "detailed": yes } ]
Action: List Cloud Account Owners
This action retrieves the email addresses of all owners for the specified cloud account ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Account ID | Enter the cloud account ID for which you want to retrieve the list of owners. | Text | Required | You can retrieve the account ID using the List Cloud Accounts action. |
Action: List Cloud Accounts
This action lists all cloud accounts onboarded onto the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Exclude Account Group Details | Enter your preference to exclude account group details. Example: yes | Boolean | Optional | Default value: no |
Include Pending Accounts | Choose true to include pending accounts in the response. | Boolean | Optional |
Action: List Historical Reports Data
This action retrieves a list of metadata for the scheduled compliance reports that have been run for the specified report ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. | Text | Required |
Action: List Inventory Filters
This action retrieves an object whose keys are the supported asset inventory filters and whose values contain default recent options.
Action Input Parameters
This action does not require any input parameters.
Action: List Inventory Objects
This action lists data for objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Table Level | Enter the table level. Example: 4 | Integer | Required | The response data depends on the table level you specify in the request body parameters. |
Extra Parameters | Enter the extra parameters. | Key Value | Optional | Supported parameters: |
Example Request
[ { "table_level": 4 } ]
Action: List IP Addresses Allowed for Login
This action retrieves a list of data objects that contain the CIDRs in the allow list to access the Prisma Cloud tenant.
Action Input Parameters
There are no input parameters required for this action.
Action: List Networks
This action returns an array of public networks.
Action Input Parameters
There are no input parameters required for this action.
Action: List Policies
This action retrieves all available policies, both system default and custom.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters to narrow down the returned policy list. | Key Value | Optional | You can apply filters to narrow the returned policy list to a subset of policies or potentially to a specific policy. |
Action: List Report Configs
This action retrieves a list of compliance report generation configurations, including the ID for each configuration.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter the extra parameters to narrow down the returned list of report configurations. | Key Value | Optional | Accepts query parameters to narrow the list. |
Action: List Users
This action lists all users and service accounts for your tenant.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Version | Enter the API version to make the request. Example: v2 | Text | Optional | Default value: v3 |
Action: Perform Config Search
This action searches for resources using an RQL config query to identify misconfigurations and policy violations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
RQL Query | Enter the Resource Query Language (RQL) query for the config search. | Text | Required | |
Limit | Enter the number of results to retrieve on each page. | Integer | Optional | |
Include Resource JSON | Choose true to include resource JSON in the response. | Boolean | Optional | Default value: false |
Start Time | Enter the start time to define the beginning of the config search. The end time is automatically set to the current system time. | Integer | Optional | |
Skip Result | Choose true to skip the search results and only return metadata. | Boolean | Optional | |
Sort by | Specify the order to sort the response. For example, $JSON[[{"field": "ID", "direction": "asc"}]] | Any | Optional | Allowed keys: field, direction |
Next Page Token | Enter the page token to retrieve the next page of results. | Text | Optional |
Action: Perform Event Search
This action retrieves the results of an RQL (Resource Query Language) audit event query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Action: Perform Network Search
This action performs a search against flow logs with an RQL (Resource Query Language) query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the RQL query. | Text | Required | |
Time Range | Enter the time range. Example: {"relativetimetype": "backward","type": "relative","value": {"amount": 0,"unit": "minute"}} | Key Value | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timerange":{ "relativetimetype":"backward", "type":"relative", "value":{ "amount":0, "unit":"minute" } } } ]
Action: Remediate Alert
This action remediates the alert with the specified ID if that alert is associated with a remediable policy.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required | |
Finding ID | Enter the finding ID. | Text | Optional |
Action: Reopen Alerts
This action reopens dismissed or snoozed alerts by changing their status to open on the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter one or more alert IDs to reopen. | List | Optional | You can retrieve the alert IDs using the List Alerts action. |
Extra Params | Enter the extra fields to reopen alerts. | Key Value | Optional | |
Filter | Enter the filters to select alerts. Example: $JSON["detailed": "True", "groupBy": ["string"], "limit": 0] | Any | Optional | Allowed keys: detailed, fields, groupBy, limit, offset, pageToken, sortBy, timeRange |
Policy IDs | Enter the policy IDs associated with the alerts. | List | Optional | You can retrieve the policy IDs using the List Policies action. |
Action: Search Alerts
This action searches for alerts on the Prisma Cloud platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Use V2 | Choose true if you want to use V2. | Boolean | Optional | Default value: true |
Detailed | Choose true to include detailed alert data in the response. | Boolean | Optional | Default value: false |
Fields | Enter the fields to retrieve in the response. Example: $LIST[alert.id] | List | Optional | |
Filters | Enter the filters to search for alerts. Example: $JSON[[{"name": "string","operator": "=", "value": "string"}]] | Any | Optional | Allowed keys: name, operator, value |
Group By | Enter the attributes to group the returned items. Example: $LIST[cloud.type] | List | Optional | Allowed values: cloud.type, cloud.service, cloud.region, cloud.account, resource.type |
Extra Fields | Enter the extra fields to search for alerts. | Key Value | Optional | Allowed keys: limit, offset, pageToken, sortBy, timeRange |
Action: Search Alerts by ID
This action retrieves search data that can be used to investigate the alert with the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. | Text | Required |
Action: Trigger Scan
This action triggers an asynchronous scan to refresh the state of resources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Is Executed | Choose true if the scan was executed before. | Boolean | Required | |
Message | Enter a message providing additional information about the request. | Text | Required |
Action: Update Policy
This action updates the existing policy that has the specified policy ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Enter the policy ID. | Text | Required | |
Policy Name | Enter the policy name. | Text | Required | |
Policy Type | Enter the policy type. Example: "config" | Text | Required | |
Criteria | Enter the saved search ID that defines the rule criteria. | Text | Required | |
Rule Name | Enter the rule name. | Text | Required | |
Parameter | Enter the parameters. Example: {"savedsearch": "true"} | Key Value | Required | |
Type | Enter the type. Example: "auditevent" | Text | Required | |
Severity | Enter the severity. Example: "medium" | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional | |
Cloud Type | Enter the cloud type. Example: "aws" | Text | Optional | Default value: all |
Data Criteria | Enter the data criteria. | Key Value | Optional |
Example Request
[ { "policy_type":"config", "parameter":{ "savedsearch":"true" }, "type":"network", "severity":"high" } ]
Action: View Asset Inventory
This action retrieves asset inventory pass/fail data for the specified time period.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Time Type | Enter the type. Example: "relative" | Text | Required | |
Duration | Enter the duration. Example: "2" | Text | Required | |
Time unit | Enter the unit. Example: "minute" | Text | Required | |
Extra parameters | Enter the extra parameters. | Key Value | Optional |
Example Request
[ { "timetype":"relative", "timeamount":"2", "timeunit":"minute" } ]
Action: Generic Action
This is a generic action used to make requests to any Palo Alto Prisma Cloud endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: dlp/api/v1/inventory/resource/objects | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_json, download, files, filename, retry_wait, retry_count, custom_output, response_type |