Palo Alto Networks Prisma Cloud
This document provides guidance on how to integrate Palo Alto Networks PrismaCloud with the SOAR module of Google Security Operations. InGoogle SecOps platform, the integration for Palo Alto NetworksPrisma Cloud is calledPalo Alto Prisma Cloud.
Integration version: 3.0
Before you begin
Before configuring the integration in the Google SecOps platform,verify that you have the following:
Prisma Cloud Access Key: Generate the required API key forconnection and communication.
Required Permissions: Ensure the service account has thenecessary security roles assigned in Prisma Cloud.
Prisma Cloud Access Key generation
To enable Google SecOps to securely communicate with your PrismaCloud environment, you must first generate an Access Key. This key is used forAPI authentication.
For more information on how to generate the key, seehow to create access keys.
Grant required permissions in Prisma Cloud
The Access Key you generate must be associated with a service account or rolethat has the necessary permissions to pull and manage alert and asset data fromPrisma Cloud.
Ensure the service account or custom role used for this integration is grantedthe following minimum permissions:
Asset Inventory.OverviewAlerts.OverviewAlerts.Snooze/DismissAlerts.RemediationInvestigate.Asset
Integrate Prisma Cloud with Google SecOps
The integration requires the following parameters:
| Parameter | Description |
|---|---|
API Root | Required The API root of the Prisma Cloud instance. Default value is |
Access Key ID | Required The access key ID of the Prisma Cloud account. |
Secret Access Key | Required The secret access key of the Prisma Cloud account. |
Verify SSL | Required If selected, Google SecOps verifies that the SSL certificate for the connection to the Prisma Cloud server is valid. Selected by default. |
You can make changes at a later stage, if necessary. After you configure aPrisma Cloud instance, you can use the instance in playbooks. For information onconfiguring and supporting Prisma Cloud multiple instances, seeSupporting multipleinstances.
For instructions on how to configure an integration inGoogle SecOps, seeConfigureintegrations.
Actions
The following is the list of actions available in the Prisma Cloudintegration:
Enrich Assets
Use Prisma Cloud to enrich information about a resource.
This action doesn't run on Google SecOps entities. For moreinformation about supported entities, seeWhat entity types do wesupport.
Action inputs
The action requires the following parameters:
| Parameter | Description |
|---|---|
Asset Identifiers | Required A comma-separated list of asset identifiers that you want to fetch the details for. An asset identifier is either an asset ID or an asset Restricted Resource Name (RRN). |
Action outputs
The action provides the following outputs:
| Action output type | Action output availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
| Output messages | Available |
JSON result
The following example describes the JSON result output received when using theEnrich Assets action:
{"id":"2dcffa4a51d892bcf48ed80652e75650","externalAssetId":"5115585594921894848","cloudType":"gcp","createdTs":1707216238063,"insertTs":1707216238063,"dynamicData":null,"data":{"id":"5115585594921894848","kind":"compute#instance","name":"example-name-rgmn","tags":{"items":["example-name"],"fingerprint":"ycXN3kijHZc="},"zone":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/zones/us-central1-a" ,"disks":[{"boot":true,"kind":"compute#attachedDisk","mode":"READ_WRITE","type":"PERSISTENT","index":0,"source":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/zones/us-central1-a/disks/example-name-rgmn" ,"licenses":["https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/global/licenses/LICENSE_ID" ],"interface":"SCSI","autoDelete":true,"deviceName":"persistent-disk-0","diskSizeGb":"30","architecture":"X86_64","guestOsFeatures":[{"type":"GVNIC"},{"type":"SEV_CAPABLE"},{"type":"UEFI_COMPATIBLE"},{"type":"VIRTIO_SCSI_MULTIQUEUE"}],"shieldedInstanceInitialState":{"dbxs":[]}}],"labels":{"goog-ccm":"true","goog-solutions-console-solution-id":"java-application","goog-solutions-console-deployment-name":"java-application"},"status":"RUNNING","metadata":{"kind":"compute#metadata","items":[{"key":"created-by","value":"projects/PROJECT_ID/regions/us-central1/instanceGroupManagers/example-name" },{"key":"instance-template","value":"projects/PROJECT_ID/global/instanceTemplates/xwiki-us-central1-a-temp" },{"key":"startup-script","value":"#! /bin/bash\n\nsed -i \"s/$(echo JGROUP_BUCKET | sed -e 's/\\([[\/.*]\\|\\]\\)/\\\\&/g')/$(echo xwiki-jgroup-PROJECT_ID-gce | sed -e 's/[\/&]/\\\\&/g')/g\" /usr/lib/xwiki/WEB-INF/observation/remote/jgroups/tcp.xml\nsed -i \"s/$(echo ACCESS_KEY | sed -e 's/\\([[\/.*]\\|\\]\\)/\\\\&/g')/$(echo GOOG1E | sed -e 's/[\/&]/\\\\&/g')/g\" /usr/lib/xwiki/WEB-INF/observation/remote/jgroups/tcp.xml\nsed -i \"s/$(echo SECRET_KEY | sed -e 's/\\([[\/.*]\\|\\]\\)/\\\\&/g')/$(echo IvgTtIJJq+68sI9XISo2qMXGyONmFDf7U9QuegN/ | sed -e 's/[\/&]/\\\\&/g')/g\" /usr/lib/xwiki/WEB-INF/observation/remote/jgroups/tcp.xml\n\nDB_PASS=\"$(gcloud secrets versions access --secret xwiki-db-password latest --projectPROJECT_NAME)\"\n\nbash /home/xwiki_startup.sh \"203.0.113.2\" \"xwiki\" \"${DB_PASS}\" \"203.0.113.242\"\nbash /home/xwiki_deploy_flavor.sh \"203.0.113.2\" \"xwiki\" \"${DB_PASS}\" \"203.0.113.242\"\n" }],"fingerprint":"_s0ui1yxFME="},"selfLink":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/zones/us-central1-a/instances/example-name-rgmn" ,"scheduling":{"preemptible":false,"automaticRestart":true,"onHostMaintenance":"MIGRATE","provisioningModel":"STANDARD"},"cpuPlatform":"Intel Cascade Lake","fingerprint":"YBMt5z3lxpI=","machineType":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/zones/us-central1-a/machineTypes/n2-standard-2" ,"minCpuPlatform":"Intel Cascade Lake","serviceAccounts":[{"email":"example@developer.gserviceaccount.com","scopes":["https://www.googleapis.com/auth/cloud-platform","https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/trace.append"]}],"startRestricted":false,"labelFingerprint":"Cy_Kdpu4cz8=","creationTimestamp":"2024-02-05T16:28:31.856-08:00","networkInterfaces":[{"kind":"compute#networkInterface","name":"nic0","network":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/global/networks/NETWORK_ID" ,"networkIP":"203.0.113.2","stackType":"IPV4_ONLY","subnetwork":"https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/regions/us-central1/subnetworks/SUBNETWORK_ID" ,"fingerprint":"lpKHF5wzhv4="}],"deletionProtection":false,"lastStartTimestamp":"2024-02-05T16:28:47.038-08:00","shieldedInstanceConfig":{"enableVtpm":true,"enableSecureBoot":false,"enableIntegrityMonitoring":true},"shieldedInstanceIntegrityPolicy":{"updateAutoLearnPolicy":true}},"name":"example-name-rgmn","regionId":"us-central1","regionName":"US","riskGrade":"B","stateId":null,"url":"https://console.cloud.google.com/compute/instancesDetail/zones/us-central1-a/instances/example-name-rgmn?project=PROJECT_NAME" ,"vpcId":null,"vpcName":null,"relationshipCounts":1,"vulnerabilityCounts":{"critical":17,"high":38,"knownExploits":{"critical":0,"high":0,"low":0,"medium":0},"low":31,"medium":59,"old":{"critical":0,"high":0,"low":0,"medium":0},"patchable":{"critical":17,"high":38,"low":5,"medium":26}},"vpcExternalAssetId":null,"tags":{"goog-ccm":true,"xwiki-us-central1-autoscale":"","goog-solutions-console-deployment-name":"java-application","goog-solutions-console-solution-id":"java-application"},"assetType":"Google Compute Engine VM Instance","serviceName":"Google Compute Engine","resourceType":"Google Compute Engine VM Instance","accountGroup":"account","accountName":"Example-Name","assetClassId":"compute","assetClass":"Compute","deleted":false,"problem":[],"alertsCount":[{"count":5,"severity":"high"},{"count":3,"severity":"critical"},{"count":2,"severity":"low"}],"attributes":{"altAssetId":"example-name-rgmn.us-central1-a.c.PROJECT_NAME.internal" ,"name":"example-name-rgmn.us-central1-a.c.PROJECT_NAME.internal" ,"provider":"gcp","accountID":"example-account","region":"us-central1-a","resourceName":"5115585594921894848","osRelease":"focal","osDistro":"ubuntu","distro":"Ubuntu 20.04.5 LTS","scannedBy":"Agentless","docker":"","kubernetes":"","cluster":"","vmImage":"hsa-xwiki-vm-img-latest","collections":["All"],"scanPassed":true,"stage":"run","lastScanTime":"2024-02-12T18:25:39.39Z"},"alertCountBySeverity":[{"severity":"high","count":5},{"severity":"critical","count":3},{"severity":"low","count":2}]}Script result
The following table describes the values for the script result output when usingthe Enrich Assets action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Output messages
On a Case Wall, the Enrich Assets action provides the following output messages:
| Output message | Message description |
|---|---|
| Action succeeded. |
Error executing action "Enrich Assets". Reason:ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Ping
Use this action to test connectivity to the Prisma Cloud server.
Action inputs
None.
Action outputs
The action provides the following outputs:
| Action output type | Action output availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
| Output messages | Available |
Script result
The following table describes the values for the script result output when usingthe Ping action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Output messages
On a Case Wall, the Ping action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Palo Alto Prisma Cloud server with the provided connection parameters! | Action succeeded. |
Failed to connect to the Palo Alto Prisma Cloud server! Error isERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Respond To Alert
Use Prisma Cloud to respond to an alert.
This action doesn't run on Google SecOps entities. For moreinformation about supported entities, seeWhat entity types do wesupport.
Action inputs
The action requires the following parameters:
| Parameter | Description |
|---|---|
Alert ID | Required ID of the response alert. |
Response Type | Optional An alert status. If the
|
Snooze Time | Optional The snooze time in hours. |
Dismiss Note | Optional A note to justify a dismissal. |
Action outputs
The action provides the following outputs:
| Action output type | Action output availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
| Output messages | Available |
JSON result
The following example describes the JSON result output received when using theRespond To Alert action:
{"response_status":{"Reopened","Snoozed","Dismissed","Remediated","No Remediation Applied."}}Script result
The following table describes the values for the script result output when usingthe Respond to Alert action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Output messages
On a Case Wall, the Ping action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully responded to an alert with IDALERT_ID in Palo Alto Prisma Cloud. | Action succeeded. |
Error executing action "Respond To Alert". Reason: Alert with IDALERT_ID wasn't found in Palo Alto Prisma Cloud. Please check the spelling. | Action failed. Alert is not found. Check the spelling. |
Error executing action "Respond To Alert". Reason: The Response Type parameter is misconfigured. Select a valid value for the Response Type parameter. | Action failed. Check theResponse Type parameter value. |
Error executing action "Respond To Alert". Reason: Action couldn't respond to alert with IDALERT_ID in Palo Alto Prisma Cloud. Please check the action configuration parameters. | Action failed. Check the input parameter values. |
Error executing action "Respond To Alert". Reason: The Response Type parameter was set to "Snooze". Make sure that the Snooze Time parameter value is configured and valid. | Action failed. Check theSnooze Time parameter value. |
Error executing action "Respond To Alert". Reason:ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Connectors
For detailed instructions about configuring a connector inGoogle SecOps, seeConfiguring theconnector.
Palo Alto Prisma Cloud — Alerts Connector
Use this connector to pull alerts from Prisma Cloud.
The dynamic list works with thepolicy.name parameter as shown in the following example:
"filters": [ { "operator": "=", "name": "policy.name", "value": "Google Cloud VM instance that is internet reachable with unrestricted access (203.0.113.0/24)" }, { "operator": "=", "name": "policy.name", "value": "Compute Engine with IAM write access level" }]Connector inputs
The connector requires the following parameters:
| Parameter | Description |
|---|---|
Product Field Name | Required The source field name to retrieve the product field name. The default value is |
Event Field Name | Required The source field name to retrieve the event field name. Default value is |
Environment Field Name | Optional The name of the field where the environment name is stored. If the environment field isn't found, the environment is set to the default environment. |
Environment Regex Pattern | Optional A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
API Root | Required The API root of the Prisma Cloud instance. Default value is |
Access Key ID | Required The access key ID of the Prisma Cloud account. |
Secret Access Key | Required The secret access key of the Prisma Cloud account. |
Lowest Severity to Fetch | Optional The lowest severity of the alerts to fetch. If you provide no value, the connector ingests alerts with all severities. Possible values:
|
Max Hours Backwards | Optional The number of hours before the connector first starts retrieving incidents. This parameter applies only once to the initial connector iteration after you enable the connector for the first time. The default value is 1 hour. |
Max Alerts To Fetch | Optional The number of alerts to process in one connector iteration. The default value is 100. The maximum value is 1000. |
Use dynamic list as a blocklist | Required If selected, the dynamic list is used as a blocklist. Not selected by default. |
Verify SSL | Required If selected, Google SecOps verifies that the SSL certificate for the connection to the Prisma Cloud server is valid. Not selected by default. |
Proxy Server Address | Optional Address of the proxy server to use. |
Proxy Username | Optional Proxy username to authenticate with. |
Proxy Password | Optional Proxy password to authenticate with. |
Connector events
The following is an example of a connector event:
{"id":"ID","status":"open","reason":"NEW_ALERT","firstSeen":1706971601230,"lastSeen":1706971601230,"alertTime":1706971601230,"lastUpdated":1707806767098,"saveSearchId":"b1ccf7df-d2c8-4588-8d06-b62738fd9745","policy":{"policyId":"45488d62-6abe-4938-9b7a-aaa44858540e","name":"Data destruction risk due to a publicly exposed and vulnerable Google Cloud VM instance with delete permissions","policyType":"attack_path","systemDefault":true,"description":"This policy idnces as soon as possible.","severity":"critical","recommendation":"The followinge vulnerabilities quickly.","labels":["Prisma_Cloud"],"lastModifiedOn":1702006359544,"lastModifiedBy":"user@example.com","deleted":false,"findingTypes":[],"remediable":false},"alertRules":[{"policyScanConfigId":"9612cba4-4f76-44ec-b11f-9c01ba9a4c04","name":"Default Alert Rule","enabled":true,"scanAll":true,"target":{"accountGroups":[],"excludedAccounts":[],"regions":[],"tags":[]},"createdBy":"example@example.com","alertRuleNotificationConfig":[],"allowAutoRemediate":false,"notifyOnOpen":true,"notifyOnSnoozed":false,"notifyOnDismissed":false,"notifyOnResolved":false}],"resource":{"id":"ID","name":"gke-gke-pc-pool-1-4e52a225-12id","account":"Example-Account","accountId":"ACCOUNT_ID","cloudAccountGroups":["Default Account Group"],"region":"US","regionId":"us-central1","resourceType":"INSTANCE","resourceApiName":"gcloud-compute-instances-list","cloudServiceName":"Google Compute Engine","data":{},"cloudType":"gcp","resourceTs":1706915178410,"internalResourceId":"INTERNAL_RESOURCE_ID","cloudAccountOwners":["user1@example.com","user2@example.com"],"unifiedAssetId":"393924d2b306c07490b19615c6e1a265","resourceConfigJsonAvailable":false,"resourceDetailsAvailable":true},"networkAnomaly":false}Need more help?Get answers from Community members and Google SecOps professionals.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.