Playbook of the Week: Prisma Cloud Compute - Audit Alert v3

Jan 25, 2024
4 minutes

Automating Prisma Cloud Compute Runtime Audit Events

Navigating Cloud Security Challenges

As applications are deployed across multiple clouds - public, private, hybrid - organizations are using a wide array of compute architectures. You have virtual machines (VMs), containers, Kubernetes, containers as a service (CaaS), platform as a service (PaaS) and serverless cloud entities that have to be monitored and secured.

Prisma Cloud Compute provides cloud workload protection regardless of the underlying compute technology or the cloud the workloads run on. This includes runtime security, API protection, compliance coverage, and vulnerability management. Cortex XSOAR seamlessly integrates with Prisma Cloud through the Prisma Cloud Compute by Palo Alto Networks pack, providing a focused solution for efficiently handling various cloud security needs.

Why Opt for Cortex XSOAR's Prisma Cloud Compute - Audit Alert Playbook?

Imagine a scenario where a container within your infrastructure is compromised, triggering runtime audit events. The aftermath demands meticulous investigation, and this is where the Cortex XSOAR Prisma Cloud Compute - Audit Alert v3 playbook, a part of the Prisma Cloud Compute pack, steps in.

Empowering Teams with Automated Alert Handling and Response

Each incident processed through this playbook yields a wealth of information for the security analyst. This not only expedites the investigative process but also empowers teams for automatic handling and response, saving precious time and ensuring no runtime audit event goes unnoticed.

Breaking Down the Playbook

Before we delve into the incident layout, let's explore the playbook sections to see how automation is applied to remediation.

Container, image and host information enrichment: Gather comprehensive details, including compliance and vulnerability information, to help the analyst understand the context of the incident.

Fig 1: Data enrichment

Defender logs: Access detailed logs to gain insights into potential threats and vulnerabilities.

Extract forensic data from containers and hosts: Extract forensic data for a deeper understanding of the incident.

Fig 2: Extract forensic data

Retrieve relevant alerts: Retrieve historical alerts to piece together the security puzzle.

Get potential owner information: Identify responsible parties swiftly for a targeted response.

Fig 3: Get account owners

Perform automated remediation: Leverage out-of-the-box playbooks like Block Indicators - Generic v3 and Cloud Response - Generic for effective remediation.

Fig 4: Run OOTB playbooks for automated remediation

Incident Layout: Navigating the Information Maze

Now, let's explore how the playbook sections manifest in the incident layout, where key details are neatly organized:

  • Incident Details: Category, event message, image, host, and container names, and associated rule.
  • Case Details: Incident type, severity, external link, and owner email.
  • Quick Actions: Six buttons for rapid response, including severity adjustment, tagging, blocklisting, and reporting.

Fig 5: Incident layout with custom Quick Action buttons

Incident Detail Drill-down Tabs

Container Alerts Tab

  • Similar container alerts fetched from Prisma Cloud.
  • IP and File Indicators for added context.

Fig 6: Container alerts details tab

Forensics Tab

  • Forensics data extracted from relevant containers or hosts.
  • Defender data and logs for a deeper dive into the incident.

Fig 7: Forensic data details tab

Compliance Tab

  • Identification of image compliance issues.
  • List of found CVEs for vulnerability assessment.
  • Quick email options for CVE and Compliance reports.

Fig 8: Compliance issue details

Use Case Scenario: Unraveling the Compromised Container

Consider a scenario where a container communicates with a C2 server, triggering a runtime audit event. The event is ingested into XSOAR, which runs the playbook. Cloud security and SOC analysts can swiftly access all relevant information, communicate with stakeholders, and implement automated or manual remediation.

The result?

A significant reduction in investigation time and fortified security defenses.

Conclusion: Leveraging the Full Power of Cortex XSOAR and Prisma Cloud Compute

The Cortex XSOAR Prisma Cloud Compute - Audit Alert v3 playbook, part of the versatile Prisma Cloud Compute by Palo Alto Networks pack, offers an automated approach to handling runtime audit events. As we navigate the complex terrain of cloud security, this playbook serves as a valuable asset, guiding security teams towards efficient incident resolution and comprehensive threat management.

In a dynamic cloud world where seconds matter, Cortex XSOAR's Prisma Cloud Compute - Audit Alert v3 playbook emerges as a reliable ally, ensuring runtime audit events are not just responded to but proactively managed.
