Cloud computing provides a number of benefits to businesses, including cost savings, network flexibility, scalability, and quick deployment. Almost everyone who touches a connected device uses the cloud. Individuals (ex: Google Photos), small businesses (ex: cloud storage), large enterprises (ex: Netflix), and even governments rely on providers like Amazon Web Services and Google Cloud; under the Nimbus Project, for example, these providers deliver public-platform-based cloud services to government ministries and additional governmental units.
The ease of use of the cloud can lead to unintended risks, including assets connected to an organization but not managed by its security teams, errors in API use, and misconfigurations. All of these leave openings for malicious actors, whether through zero-day vulnerabilities in unknown assets or through exposed sensitive data, and they create headaches for security teams.
A wise man once wrote, “With great power comes great responsibility.” Storing all assets in the cloud is a large responsibility, and it requires a lot of trust, because of the risks and threats associated with cloud environments. The cloud continues to be a big target, with just under 91% of all observed security issues found in cloud infrastructure.
The number of risks and threats makes securing cloud-based infrastructure, applications, and data extremely critical. Fortunately, Prisma Cloud was designed to secure infrastructure, workloads, and applications across the entire cloud-native technology stack, throughout the development lifecycle and across hybrid and multi-cloud environments.
What does Prisma Cloud do?
Prisma Cloud uses both agent-based and agentless approaches. It taps into the cloud providers’ APIs for read-only access to your network traffic, user activity, and the configuration of systems and services, and correlates these disparate data sets to help cloud compliance and security analytics teams prioritize risks and respond quickly to issues. It also uses Prisma Cloud Defender to enable micro-segmentation for workload isolation and to secure your host, container, and serverless computing environments against vulnerabilities, malware, and compliance violations.
Even with the robust functionality and protection that Prisma Cloud provides, organizations still need a dedicated team of security operations center (SOC) analysts to identify issues or threats to cloud deployments and respond to prioritized risks to maintain agility and operational efficiency.
But does the SOC team need to perform these tasks manually? No!
Automating Incident Response with the Prisma Cloud content pack
Cortex XSOAR integrates with Prisma Cloud to automate and unify security incident response across cloud environments, maintaining the right balance of machine-powered security automation and human intervention. The Prisma Cloud content pack includes playbooks that automate Prisma Cloud alert response and custom incident fields, views, and layouts to facilitate analyst investigation. The remediation playbooks orchestrate across multiple native cloud integrations (AWS, GCP, Azure) to automate actions like changing policies, revoking access, and creating new rules.
The playbooks within this pack help to:
- Take action on, remediate, and resolve incidents/alerts from Prisma Cloud.
- Track configuration issues across all your cloud environments.
- Ensure your cloud environments are compliant and up to date with the latest compliance standards.
- Configure your cloud environments using industry best practices.
The integrations also fetch alerts from Prisma Cloud into Cortex XSOAR incidents and support mirroring: if an incident is closed in Cortex XSOAR, the associated alert is dismissed/closed in Prisma Cloud.
With this content pack, you can significantly reduce the time your security analysts/cloud operations team spends on cloud security alerts and standardize the way you manage misconfiguration incidents.
Using the Prisma Cloud content pack
Once you configure the Prisma Cloud integration to fetch incidents, every incident created in Cortex XSOAR is classified and mapped to the Prisma Cloud generic incident type unless a specific incident type for that alert is already supported. The generic incident type shows all of the alert information from Prisma Cloud but does not trigger any playbook.
For all other supported incident types, the incident triggers the parent playbook assigned to that incident type. The analyst can decide whether to follow the playbook’s automatic remediation path or to handle the policy violation manually using the recommendations given in the layout.
Each incident type and assigned playbook can remediate several policy violations that are relevant to the use case based on the policy ID mapped from the incident.
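The classification and mirroring flow described in this section, modelled as an added example (this is not the content pack’s own code). The policy IDs, incident type names and playbook names in the mapping table are constructed for illustration; in the real pack they come from the Prisma Cloud policies and the pack’s incident types.

```python
"""Model of how fetched Prisma Cloud alerts become Cortex XSOAR incidents.

Added example, not content-pack code. Policy IDs, incident type names and
playbook names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

# Generic incident type: shows the alert data but triggers no playbook.
GENERIC_TYPE = "Prisma Cloud"

# Constructed mapping: policy ID -> (supported incident type, parent playbook).
SUPPORTED_POLICIES = {
    "policy-s3-public-read": ("Prisma Cloud - AWS S3 Misconfiguration", "Remediate S3 Bucket"),
    "policy-sg-ssh-open": ("Prisma Cloud - AWS Security Group", "Remediate Security Group"),
}

@dataclass
class Alert:
    alert_id: str
    policy_id: str
    status: str = "open"          # Prisma Cloud side: open | dismissed

@dataclass
class Incident:
    alert: Alert
    incident_type: str
    playbook: Optional[str]       # None: the generic type triggers no playbook
    status: str = "active"        # Cortex XSOAR side: active | closed

def classify(alert: Alert) -> Incident:
    """Map a fetched alert by policy ID; unsupported policies fall back to the generic type."""
    if alert.policy_id in SUPPORTED_POLICIES:
        incident_type, playbook = SUPPORTED_POLICIES[alert.policy_id]
        return Incident(alert, incident_type, playbook)
    return Incident(alert, GENERIC_TYPE, None)

def triggered_playbooks(incidents: List[Incident]) -> List[str]:
    """Return the parent playbooks that would start for a batch of incidents."""
    return [inc.playbook for inc in incidents if inc.playbook is not None]

def close_incident(incident: Incident) -> Alert:
    """Close the incident in XSOAR and mirror the closure as a dismissal in Prisma Cloud."""
    incident.status = "closed"
    incident.alert.status = "dismissed"
    return incident.alert

if __name__ == "__main__":
    batch = [Alert("a1", "policy-s3-public-read"), Alert("a2", "policy-unknown")]
    incidents = [classify(a) for a in batch]
    print(triggered_playbooks(incidents))      # only the supported alert starts a playbook
    print(close_incident(incidents[0]).status)  # mirrored back as "dismissed"
```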
For more information on the Prisma Cloud by Palo Alto Networks Content Pack, visit our Cortex XSOAR Developer Docs reference page.
Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.