Prisma Cloud Compute Mapping (#30098)

* Created PrismaCloudCompute mapping * ParsingRule * RN * ParsingRule * Updated README * Updated README * Updated ModelingRules * Update Packs/PrismaCloudCompute/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/PrismaCloudCompute/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/PrismaCloudCompute/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/PrismaCloudCompute/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/PrismaCloudCompute/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated README * Updated README --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
demisto · Oct 17, 2023 · c02cd00 · c02cd00
1 parent 8fcf3ab
commit c02cd00
Show file tree

Hide file tree

Showing 8 changed files with 289 additions and 4 deletions.
diff --git a/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute.xif b/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute.xif
@@ -0,0 +1,47 @@
+[MODEL: dataset = prisma_cloud_compute_raw]
+alter
+	lowercase_tags = lowercase(tags),
+	lowercase_osDistro = lowercase(osDistro),
+	lowercase_provider = lowercase(provider),
+	get_label_image_name_1 = json_extract_scalar(labels, "$['baseimage.name']"),
+	get_label_image_name_2 = json_extract_scalar(labels, "$['org.opencontainers.image.ref.name']"),
+	get_label_image_name_3 = json_extract_scalar(labels, "$.Name"),									
+	get_label_image_name_4 = json_extract_scalar(labels, "$.name"),									
+	get_label_image_os = json_extract_scalar(labels, "$['org.opencontainers.image.version']"),
+	get_label_image_author = json_extract_scalar(labels, "$['org.opencontainers.image.authors']"),
+	get_label_app = json_extract_scalar(labels, "$.app"),
+	get_label_maintainer = json_extract_scalar(labels, "$.maintainer"),
+	get_label_osDistro = lowercase(json_extract_scalar(labels, "$.osDistro")),
+	get_label_osVersion = json_extract_scalar(labels, "$.osVersion")
+| alter
+	check_image = coalesce(image, get_label_image_name_1, get_label_image_name_2, get_label_image_name_3, get_label_image_name_4),
+	check_osDistro = coalesce(lowercase_osDistro, get_label_osDistro),
+	check_origin_vendor = coalesce(get_label_maintainer, get_label_image_author),
+	check_fullos_1 = get_label_osDistro + get_label_osVersion,
+	check_fullos_2 = get_label_image_name_2 + get_label_image_os
+| alter
+	xdm.target.user.username = user,
+	xdm.target.host.fqdn = fqdn,
+	xdm.target.host.hostname = host,
+	xdm.network.rule = rule,
+	xdm.event.tags = arraycreate(if(lowercase_tags ~= "auth", XDM_CONST.EVENT_TAG_AUTHENTICATION, lowercase_tags ~= "vpn", XDM_CONST.EVENT_TAG_VPN, lowercase_tags ~= "network", XDM_CONST.EVENT_TAG_NETWORK, lowercase_tags = null, null, to_string(lowercase_tags))),
+	xdm.event.type = type,
+	xdm.target.agent.identifier = check_image,
+	xdm.alert.description = coalesce(aggregatedAlerts, aggregated),
+	xdm.target.host.manufacturer = labels,
+	xdm.target.location.region = region,
+	xdm.event.description = message,
+	xdm.target.application.name = get_label_app,
+	xdm.alert.category = category,
+	xdm.target.resource.type = if(function != null, "function", check_image != null, "INSTANCE", container != null, "container", null),
+	xdm.target.resource.value = if(function != null, "function", check_image != null, check_image, container != null, container, null),
+	xdm.target.host.os_family = if(check_osDistro ~= "win", XDM_CONST.OS_FAMILY_WINDOWS, check_osDistro ~= "mac", XDM_CONST.OS_FAMILY_MACOS, check_osDistro ~= "linux|amzn", XDM_CONST.OS_FAMILY_LINUX, get_label_maintainer ~= "Red Hat", XDM_CONST.OS_FAMILY_LINUX, check_osDistro ~= "android", XDM_CONST.OS_FAMILY_ANDROID, check_osDistro ~= "ios", XDM_CONST.OS_FAMILY_IOS, check_osDistro ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, check_osDistro ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, check_osDistro ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, check_osDistro ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, check_osDistro ~= "chromeos", XDM_CONST.OS_FAMILY_CHROMEOS, check_osDistro ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, check_osDistro ~= "scada", XDM_CONST.OS_FAMILY_SCADA, check_osDistro = null, null, to_string(lowercase_osDistro)),
+	xdm.target.cloud.provider = if(lowercase_provider ~= "aws|amazon|amz", XDM_CONST.CLOUD_PROVIDER_AWS, check_osDistro ~= "aws|amazon|amz", XDM_CONST.CLOUD_PROVIDER_AWS, lowercase_provider ~= "gcp|google", XDM_CONST.CLOUD_PROVIDER_GCP, lowercase_provider ~= "azure|microsoft", XDM_CONST.CLOUD_PROVIDER_AZURE, lowercase_provider ~= "baba|alibaba", XDM_CONST.CLOUD_PROVIDER_ALIBABA, lowercase_provider = null, null, to_string(lowercase_provider)),
+	xdm.target.cloud.project = accountID,
+	xdm.target.process.container_id = container,
+	xdm.target.host.os = coalesce(osRelease, check_fullos_1, check_fullos_2),
+	xdm.target.host.device_category = to_string(collections),
+	//xdm.alert.risks = vulnerabilities,
+	xdm.target.process.command_line = if(command = null, arraystring(regextract(message, "command:\s+(.*)"), ""), command),
+	xdm.target.process.name = if(startupProcess = "#startupProcess", null, startupProcess),
+	xdm.target.application.publisher = check_origin_vendor;
diff --git a/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute.yml b/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute.yml
@@ -0,0 +1,6 @@
+fromversion: 8.3.0
+id: Prisma_Cloud_Compute_ModelingRule
+name: Prisma Cloud Compute Modeling Rule
+rules: ''
+schema: ''
+tags: ''
diff --git a/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute_schema.json b/Packs/PrismaCloudCompute/ModelingRules/PrismaCloudCompute/PrismaCloudCompute_schema.json
@@ -0,0 +1,136 @@
+{
+    "prisma_cloud_compute_raw": {
+        "type": {
+            "type": "string",
+            "is_array": false
+        },
+        "container": {
+            "type": "string",
+            "is_array": false
+        },
+        "image": {
+            "type": "string",
+            "is_array": false
+        },
+        "imageID": {
+            "type": "string",
+            "is_array": false
+        },
+        "tags": {
+            "type": "string",
+            "is_array": false
+        },
+        "host": {
+            "type": "string",
+            "is_array": false
+        },
+        "fqdn": {
+            "type": "string",
+            "is_array": false
+        },
+        "function": {
+            "type": "string",
+            "is_array": false
+        },
+        "region": {
+            "type": "string",
+            "is_array": false
+        },
+        "provider": {
+            "type": "string",
+            "is_array": false
+        },
+        "osRelease": {
+            "type": "string",
+            "is_array": false
+        },
+        "osDistro": {
+            "type": "string",
+            "is_array": false
+        },
+        "runtime": {
+            "type": "string",
+            "is_array": false
+        },
+        "appID": {
+            "type": "string",
+            "is_array": false
+        },
+        "rule": {
+            "type": "string",
+            "is_array": false
+        },
+        "message": {
+            "type": "string",
+            "is_array": false
+        },
+        "aggregated": {
+            "type": "string",
+            "is_array": false
+        },
+        "rest": {
+            "type": "string",
+            "is_array": false
+        },
+        "forensics": {
+            "type": "string",
+            "is_array": false
+        },
+        "accountID": {
+            "type": "string",
+            "is_array": false
+        },
+        "cluster": {
+            "type": "string",
+            "is_array": false
+        },
+        "category": {
+            "type": "string",
+            "is_array": false
+        },
+        "labels": {
+            "type": "string",
+            "is_array": false
+        },
+        "collections": {
+            "type": "string",
+            "is_array": false
+        },
+        "complianceIssues": {
+            "type": "string",
+            "is_array": false
+        },
+        "vulnerabilities": {
+            "type": "string",
+            "is_array": false
+        },
+        "aggregatedAlerts": {
+            "type": "string",
+            "is_array": false
+        },
+        "dropped": {
+            "type": "string",
+            "is_array": false
+        },
+        "command": {
+            "type": "string",
+            "is_array": false
+        },
+        "startupProcess": {
+            "type": "string",
+            "is_array": false
+        },
+        "namespaces": {
+            "type": "string",
+            "is_array": false
+        },
+        "user": {
+            "type": "string",
+            "is_array": false
+        },        
+        "accountIDs": {
+            "type": "string",
+            "is_array": false
+        }
+    }
+}                                                        
diff --git a/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif b/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif
@@ -0,0 +1,6 @@
+[INGEST:vendor="prisma", product="cloud_compute", target_dataset="prisma_cloud_compute_raw", no_hit=keep]
+alter
+    tmp_extract_time = replex(arraystring(regextract(time, ".*\d{2}:\d{2}:\d{2}"), ""), ",", "")
+| alter
+    _time = parse_timestamp("%h %d %Y %H:%M:%S", tmp_extract_time)
+| fields -tmp_extract_time;
diff --git a/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.yml b/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.yml
@@ -0,0 +1,6 @@
+name: Prisma Cloud Compute Parsing Rule
+id: Prisma_Cloud_Compute_ParsingRule
+fromversion: 8.3.0
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/PrismaCloudCompute/README.md b/Packs/PrismaCloudCompute/README.md
@@ -1,6 +1,77 @@
-![image](https://user-images.githubusercontent.com/49071222/72906531-0e452a00-3d3b-11ea-8703-8b97ddf30be0.png)
-
-
+# Prisma Cloud Compute
+This pack includes Cortex XSIAM content.
+
+<~XSIAM>
+A step-by-step configuration process is available at Cortex XSIAM Administrator Guide- [Ingest Alerts from Prisma Cloud Compute](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Alerts-from-Prisma-Cloud). 
+
+## Configuration on XSIAM
+1. Click **Settings** > **Data Sources**.
+2. In the Prisma Cloud Compute Collector configuration, click **Add Instance** to begin a new alerts integration.
+3. Specify the name for the Prisma Cloud Compute Collector displayed in Cortex XSIAM.
+4. Save & Generate Token. The token is displayed in a blue box, which is blurred in the image below.
+   * Click the Copy icon next to the Username and Password, and record them in a safe place, as you will need to provide them when you configure the Prisma Cloud Compute Collector for alerts integration. If you forget to record the key and close the window, you will need to generate a new key and repeat this process. When you are finished, click **Done** to close the window.
+5. Copy api url.
+   * In the Data Sources page for the Prisma Cloud Compute Collector that you created, click **Copy api url**, and record it somewhere safe. You will need to provide this API URL when you set the Incoming Webhook URL as part of the configuration in Prisma Cloud Compute.
+
+**Note**:
+The URL format for the tenant is `https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma`.
+
+## Configuration on Prisma Cloud Compute
+1. In Prisma Cloud Compute, create a webhook as explained in the [Webhook Alerts](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts/webhook) section of the Prisma Cloud Administrator’s Guide (Compute).
+   * Config file for Webhook:
+```json
+//{
+  "type": "#type",
+  "time": "#time",
+  "container": "#container",
+  "containerID": "#containerID",
+  "image": "#image",
+  "imageID": "#imageID",
+  "tags": "#tags",
+  "host": "#host",
+  "fqdn": "#fqdn",
+  "function": "#function",
+  "region": "#region",
+  "provider": "#provider",
+  "osRelease": "#osRelease",
+  "osDistro": "#osDistro",
+  "runtime": "#runtime",
+  "appID": "#appID",
+  "rule": "#rule",
+  "message": "#message",
+  "aggregatedAlerts": #aggregatedAlerts,
+  "dropped": #dropped,
+  "forensics": "#forensics",
+  "accountID": "#accountID",
+  "category": "#category",
+  "command": "#command",
+  "startupProcess": "#startupProcess",
+  "labels": #labels,
+  "collections": #collections,
+  "complianceIssues": #complianceIssues,
+  "vulnerabilities": #vulnerabilities,
+  "clusters": #clusters,
+  "namespaces": #namespaces,
+  "accountIDs": #accountIDs,
+  "user": "#user"
+//}
+```
+2. Use the **Webhook** option to configure the webhook.
+3. In **Incoming Webhook URL**, paste the API URL that you copied and recorded from **Copy api url**.
+4. In **Credential Options**, select **Basic Authentication**, and use the Username and Password that you saved when you generated the token.
+5. Select **Container Runtime**.
+6. Click **Save**.
+   * In Cortex XSIAM, once alerts start to come in, a green checkmark appears underneath the Prisma Cloud Compute Collector configuration with the amount of data received.
+7. After Cortex XSIAM begins receiving data from Prisma Cloud Compute, you can use XQL Search to search for specific data using the `prisma_cloud_compute_raw` dataset.
+
+
+**Pay Attention**:
+Timestamp parsing support is available for the **time** field in `%h %d, %Y %H:%M:%S UTC` format (E.g `Oct 14, 2023 09:16:04 UTC`)
+
+
+</~XSIAM>
+
+<~XSOAR>
 ## Overview
 
 This integration lets you import **Palo Alto Networks - Prisma Cloud Compute** alerts into Demisto
@@ -68,3 +139,4 @@ At this point, you can add tasks that extend the playbook to check and respond t
 If any alerts are missing in Demisto, check the status of the integration:
 
 ![image](https://raw.githubusercontent.com/demisto/content/f808c78aa6c94a09450879c8702a1b7f023f1d4b/Packs/PrismaCloudCompute/doc_files/prisma_instance.png)
+</~XSOAR>
diff --git a/Packs/PrismaCloudCompute/ReleaseNotes/1_4_17.md b/Packs/PrismaCloudCompute/ReleaseNotes/1_4_17.md
@@ -0,0 +1,12 @@
+
+#### Modeling Rules
+
+##### New: Prisma Cloud Compute Modeling Rule
+
+Added a Modeling Rule for the pack (Available from Cortex XSIAM 2.0).
+
+#### Parsing Rules
+
+##### New: Prisma Cloud Compute Parsing Rule
+
+Added a Parsing Rule for the pack (Available from Cortex XSIAM 2.0).
diff --git a/Packs/PrismaCloudCompute/pack_metadata.json b/Packs/PrismaCloudCompute/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Prisma Cloud Compute by Palo Alto Networks",
     "description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
     "support": "xsoar",
-    "currentVersion": "1.4.16",
+    "currentVersion": "1.4.17",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",