Collect data from Prisma Cloud
Overview
Get a list of all audit logs. Retrieves paginated audit logs based on the provided filter criteria.
Configuration
Parameters
Name - Domain
Value - PrismaCloudEndpoint
Secrets
After entering the required parameters and secrets, you can choose to manually enter the Cortex incident Management fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your Cortex XDR API YAML.
withTemporalWindow: true
temporalWindow:
duration: 5m
offset: 5m
tz: UTC
format: Epoch
withAuthentication: true
authentication:
token:
request:
method: POST
url: "${parameters.PrismaCloudEndpoint}/login"
headers:
- name: Content-Type
value: application/json
bodyType: raw
bodyRaw: |
{
"username": "${secrets.PrismaCloudAccessKeyId}",
"password": "${secrets.PrismaCloudAccessKeySecret}"
}
responseType: json
tokenPath: ".token"
authInjection:
name: "Authorization"
in: "header"
prefix: "Bearer "
withEnumerationPhase: false
collectionPhase:
paginationType: "cursor"
cursor: ".nextPageToken"
initialRequest:
method: POST
url: "${parameters.PrismaCloudEndpoint}/audit/api/v1/log"
headers:
- name: Accept
value: application/json
- name: Content-Type
value: application/json
responseType: json
bodyType: raw
bodyRaw: |
{
"timeRange": {
"type": "absolute",
"value": {
"startTime": ${temporalWindow.from},
"endTime": ${temporalWindow.to},
}
}
}
nextRequest:
method: POST
url: "{parameters.PrismaCloudEndpoint}/audit/api/v1/log"
headers:
- name: Accept
value: application/json
- name: Content-Type
value: application/json
responseType: json
bodyType: raw
bodyRaw: |
{
"timeRange": {
"type": "absolute",
"value": {
"startTime": ${temporalWindow.from},
"endTime": ${temporalWindow.to},
}
},
"nextPageToken": ${pagination.cursor}
}
output:
select: ".value"
map: "."
outputMode: element Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Authentication Phase
Type -
tokenRequest -
Method -
POSTURL -
${parameters.PrismaCloudEndpoint}/loginHeaders
Name - Content-Type
Value -
application/json
Body Type -
rawBody Raw -
| { "username": "${secrets.PrismaCloudAccessKeyId}", "password": "${secrets.PrismaCloudAccessKeySecret}" }Response Type -
json
Token Path -
.tokenAuth injection
Name -
AuthorizationIn -
headerPrefix -
Bearer
Enumeration Phase
Off
Collection Phase
Pagination Type* -
cursorCursor* - .
nextPageTokenInitial Request
Method* -
POSTURL* -
${parameters.PrismaCloudEndpoint}/audit/api/v1/logHeaders
Name - Accept
Value -
application/jsonName - Content-Type
Value -
application/json
Response Type* -
jsonBody type* - raw
Body content* -
{ "timeRange": { "type": "absolute", "value": { "startTime": ${temporalWindow.from}, "endTime": ${temporalWindow.to}, } } }
Next Request
Method* -
POSTURL* -
${parameters.PrismaCloudEndpoint}/audit/api/v1/logHeaders
Name - Accept
Value -
application/jsonName - Content-Type
Value -
application/json
Response Type* -
jsonBody type* - raw
Body content* -
{ "timeRange": { "type": "absolute", "value": { "startTime": ${temporalWindow.from}, "endTime": ${temporalWindow.to}, } }, "nextPageToken": ${pagination.cursor} }
Output
Select -
.valueMap -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract audit logs.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?