Collect data from Prisma Cloud

Overview

Get a list of all audit logs. Retrieves paginated audit logs based on the provided filter criteria.

Configuration

Parameters

Name - Domain

Value - PrismaCloudEndpoint

Secrets

PrismaCloudAccessKeyId corresponds to the authorization Access Key ID number.
PrismaCloudAccessKeySecret corresponds to the Access Key itself.

To add a Secret, open the Secret fields and click New secret:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Cortex incident Management fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your Cortex XDR API YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: "token"
  token:
    request:
      method: POST
      url: "${parameters.PrismaCloudEndpoint}/login"
      headers:
        - name: Content-Type
          value: application/json
      bodyType: raw
      bodyRaw: |
        {
          "username": "${secrets.PrismaCloudAccessKeyId}",
          "password": "${secrets.PrismaCloudAccessKeySecret}"
        }
      responseType: json
    tokenPath: ".token"
    authInjection:
      name: "Authorization"
      in: "header"
      prefix: "Bearer "
withEnumerationPhase: false
collectionPhase:
  paginationType: "cursor"
  cursorSelector: ".nextPageToken"
  initialRequest:
    method: POST
    url: "${parameters.PrismaCloudEndpoint}/audit/api/v1/log"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "timeRange": {
          "type": "absolute",
          "value": {
            "startTime": ${temporalWindow.from},
            "endTime": ${temporalWindow.to},
          }
        }
      }
  nextRequest:
    method: POST
    url: "{parameters.PrismaCloudEndpoint}/audit/api/v1/log"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "timeRange": {
          "type": "absolute",
          "value": {
            "startTime": ${temporalWindow.from},
            "endTime": ${temporalWindow.to},
          }
        },
        "nextPageToken": ${pagination.cursor}
      }
  output:
    select: ".value"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract audit logs.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousIncident Management - Incidents Extradata NextCollect data from PingIdentity

Last updated 5 months ago

Was this helpful?

Collect data from Prisma Cloud

Overview

Configuration

Parameters

Secrets

Enumeration Phase

Collection Phase