This article outlines how to leverage the Palo Alto XSOAR platform for effective remediation of risks identified within the Prisma Cloud DSPM (Data Security Posture Management) environment. Prisma Cloud DSPM plays a crucial role in helping organizations safeguard sensitive data across cloud environments by detecting vulnerabilities such as publicly exposed sensitive assets, data leakage, and misconfigurations. Through continuous monitoring and analysis of data flow, DSPM identifies risks like over-permissive access controls and ensures compliance with privacy regulations.
As the number of identified risks grows, managing them can become increasingly complex. Organizations often seek greater flexibility and deeper integration with their existing tools. Prisma Cloud DSPM meets this need by facilitating customized solutions that seamlessly integrate with platforms like Cortex XSOAR, providing a comprehensive and tailored approach to risk management.
In this article, we will explore the automated methods for addressing Prisma Cloud DSPM risks using Cortex XSOAR. We’ll examine how playbooks and the Prisma Cloud DSPM Pack streamline the remediation process, allowing organizations to prioritize security efforts and efficiently tackle critical risks.
Connecting to XSOAR
- In Prisma Cloud DSPM, go to Preferences > Integrations.
- Under Workflow, select XSOAR and click Connect.
- In the DSPM - XSOAR window, do the following:
  - XSOAR link: Enter your XSOAR instance URL and append “/incident” to the end of the URL.
  - Severity Threshold: Select the severity threshold for receiving notifications. The recommended severity is Medium and above.
  - XSOAR API key: Click “Advanced” and add the XSOAR API key and auth_id.
- Click Create.
- The XSOAR integration is displayed in the integration list.
- After integrating DSPM, risks flow into your XSOAR platform, where the DSPM pack uses them as triggers to initiate a playbook. For further information, see the section DSPM Risk Parameters.
To view the relevant information, enter dspm in the search field.
View the DSPM Pack
To view the DSPM pack, do the following:
- In XSOAR, navigate to the Instances page:
  - Click Settings in the main menu.
  - In the Settings menu, select Instances.
- In the Search field, enter DSPM to access the Prisma Cloud DSPM pack.
- Click Show commands to see a list of DSPM commands that users can utilize.
The DSPM pack includes commands that enable users to perform specific actions by leveraging the capabilities of both linked packs and the DSPM API. These commands allow users to utilize all available features of the DSPM API as building blocks within XSOAR.
Essential Packs for Complete Utilization of DSPM Risk Remediation Playbooks
The playbooks in the DSPM pack utilize commands from the following packs:
- Prisma Cloud DSPM
- Atlassian Jira v3
- AWS S3
- Azure Storage Container
- Google Cloud Storage
- Slack v3
Commands Overview
All commands can be utilized in any user-created playbook. The DSPM pack includes full API functionality, meaning all available API actions are covered by the DSPM pack commands. This feature enables XSOAR users to operate seamlessly in XSOAR without direct API interaction.
The DSPM pack includes various commands, such as:
- dspm-get-asset-details: Retrieves details for the specified asset ID.
- dspm-get-integration-config: Receives integration configuration details.
- dspm-list-alerts: Fetches a list of all alerts.
To run a specific command, do the following:
- Enter dspm in the search field.
- Click the exclamation mark.
- Navigate to the command you want to use.
- Click Run.
- If required, enter the command parameters. For example, to run the dspm-get-list-of-asset-fields-by-id command, enter the ID of the asset for which to retrieve details, and click Run.
Viewing the Results of a Command
After running a command, the results of the command are shown in the Playground.
For example, the results for the command “!dspm-get-data-types” are viewable in the Playground.
To view the full results, do the following:
- Go to Settings > Instances.
- Scroll down to the bottom of the Playground window.
- Click View full artifact in a new tab.
- The full results open in a new tab.
To export the results, click Export to CSV.
Utilizing the DSPM Multi-Cloud Risk Remediation Playbook
- In the sidebar, click Playbooks.
- In the Playbook Library, enter DSPM in the search field.
- Locate the DSPM Multi-Cloud Risk Remediation playbook. The DSPM Multi-Cloud Risk Remediation playbook provides semi-automated remediation for the following DSPM risks:
- Sensitive asset open to world
- Empty storage assets
It is worth noting that the playbook can be customized to meet the user's specific requirements. For instance, instead of using Slack (which is included in the out-of-the-box DSPM playbook), the user can modify this step to utilize Microsoft Teams instead.
Playbook Workflow
This section briefly describes the playbook workflow.
1. All Risks are Sent From DSPM to XSOAR
The workflow begins by retrieving all the risks from the DSPM integration and sending them to XSOAR. For example, if a “Sensitive Asset Open to the World” risk is detected, the following occurs:
2. DSPM Checks for Errors in Retrieving Information
- Errors are detected: If errors occur during data retrieval, users are directed to a sub-playbook, indicated by a lightning icon. Clicking the icon displays the script used for that task or sub-playbook, providing insight into the error. If DSPM did not retrieve all the details, an internal process ascertains what details are missing and ensures the missing details are retrieved.
- No errors are detected: If no errors are detected during data retrieval, a Slack message is automatically generated and sent to the user associated with the identified risk. The user is identified based on the email tag associated with the asset where the risk was found. If no user email is associated with the asset, the message will be sent to a default email address, which can be defined at the pack level. The Slack message contains all relevant details about the identified risk.
3. User Response Options
The Slack message prompts the user to choose one of two actions:
- Create a Jira ticket for the specific incident.
- Automatically adjust the cloud configuration to ensure the asset is no longer exposed.
4. Automatic Cloud Configuration Adjustments
If the user confirms they want to proceed with the automatic cloud configuration adjustments, the following occurs:
- The system adjusts the cloud configuration.
- Once the configuration change has been completed, a notification is sent via Slack to the user confirming the configuration has been successfully updated.
5. Post-Remediation Process
- Before the risk is fully resolved, the XSOAR remediation playbook updates the risk status from Open to Investigating.
- In the next scan cycle, if the risk has been effectively remediated, it will no longer appear in the Risk list.
List of Commands
DSPM Risk Parameters
Each risk that DSPM sends to XSOAR becomes an incident that triggers a playbook. The incident typically includes the following key pieces of information:
- incidentId: The unique identifier for the incident, used to track and manage specific risk findings.
- riskFindingId: The identifier for the specific risk finding.
- ruleName: The name of the security rule or policy that was violated.
- severity: The severity of the risk (e.g., High, Medium, Low).
- assetName: The name of the affected asset (e.g., a storage bucket, virtual machine) that is associated with the incident.
- assetId: The unique identifier for the affected asset.
- status: The current state of the risk, showing whether it is open, under investigation, or resolved.
- projectId: The identifier of the project within the cloud environment.
- cloudProvider: The cloud platform (e.g., AWS, Azure, GCP) where the risk was detected.
- serviceType: The type of cloud service (e.g., compute, storage, networking).
- firstDiscovered: The date and time when the risk was first discovered by the monitoring system.
- assetDigTags: Metadata or tags associated with the affected asset, typically used for additional context or classification of the resource.
- remediateDescription: Detailed description of how to remediate the risk or vulnerability associated with the incident.
- remediateSteps: Lists of steps required to remediate the identified DSPM risk.
- incidentCreated: The timestamp indicating when the incident was created or logged in the system, marking its official start time for tracking purposes.
- tags: Labels or metadata attached to the DSPM risk for categorization or identification.
- cloudEnvironment: Represents the type of cloud environment where the asset is hosted (e.g., DEV, PROD).
- complianceStandards: Lists of compliance standards that apply to the asset (e.g. GDPR).
- openToWorld: Shows whether the asset is publicly accessible from the internet.
- dataTypeGroups: Categorizes sensitive data types associated with the asset (e.g., PII, financial data).
This information is utilized by Cortex XSOAR to provide context for the incident, facilitating the triage and response process. The specific information included can vary depending on the type of risk, the configuration of Prisma Cloud, and the specific integrations set up with other security or management tools.
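The following Python snippet is an added example, not code from the DSPM pack, that shows how an XSOAR automation might triage an incident carrying the fields listed above and follow the routing described in the Playbook Workflow section. The incident payload, the `owner-email` tag name, and the default recipient address are constructed assumptions.

```python
"""Triage of a constructed DSPM risk incident, mirroring the playbook's routing."""
import json

# Constructed sample incident (values are made up) with the fields DSPM sends.
SAMPLE_INCIDENT = json.dumps({
    "incidentId": "inc-0001", "riskFindingId": "rf-0001",
    "ruleName": "Sensitive asset open to world", "severity": "High",
    "assetName": "customer-exports", "assetId": "arn:aws:s3:::customer-exports",
    "status": "Open", "cloudProvider": "AWS", "serviceType": "storage",
    "cloudEnvironment": "PROD", "openToWorld": True,
    "dataTypeGroups": ["PII"], "complianceStandards": ["GDPR"],
    "assetDigTags": {"owner-email": "data-team@example.com"},
})

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
DEFAULT_RECIPIENT = "dspm-default@example.com"  # assumed pack-level default address
OWNER_TAG = "owner-email"                        # assumed name of the asset's email tag
REQUIRED = ("incidentId", "riskFindingId", "ruleName", "severity", "assetId", "cloudProvider")
# The two risk types the Multi-Cloud Risk Remediation playbook can fix automatically.
REMEDIABLE_RULES = ("Sensitive asset open to world", "Empty storage assets")


def missing_fields(incident):
    """Workflow step 2: list the required details DSPM did not retrieve."""
    return [k for k in REQUIRED if not incident.get(k)]


def meets_threshold(incident, threshold="Medium"):
    """Apply the severity threshold configured in the DSPM > XSOAR integration."""
    return SEVERITY_RANK.get(incident.get("severity"), 0) >= SEVERITY_RANK[threshold]


def recipient(incident):
    """Owner from the asset's email tag, falling back to the pack-level default."""
    return (incident.get("assetDigTags") or {}).get(OWNER_TAG) or DEFAULT_RECIPIENT


def triage(raw_incident):
    """Decide the next playbook action for a raw JSON incident."""
    incident = json.loads(raw_incident)
    gaps = missing_fields(incident)
    if gaps:
        return {"action": "fetch_missing", "missing": gaps}
    if not meets_threshold(incident):
        return {"action": "ignore", "reason": "below severity threshold"}
    choices = ["create_jira"]
    if incident["ruleName"] in REMEDIABLE_RULES:
        choices.append("auto_remediate")
    # Status moves from Open to Investigating while the user chooses an action.
    return {"action": "notify", "to": recipient(incident), "choices": choices,
            "status": "Investigating"}
```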
Summary
By following the steps outlined in this article, users can effectively set up XSOAR for DSPM remediation, leverage the available commands, and utilize the Multi-Cloud Risk Remediation playbook to manage risks efficiently. Once the remediation actions are confirmed via Slack, the playbook executes the necessary changes, ensuring a streamlined process for maintaining cloud security.