/pcs-inspect

Inspect Policies and Alerts, mapping Alerts to Compliance Standards and Policies, and count Alerts.

Prisma Cloud Inspection Script

Description

The pcs-inspect.py script queries the Prisma Cloud API for all enabled Policies and for all Alerts within a Relative Time Range (with a default of one month) for a Tenant, and outputs results to an Excel spreadsheet, including worksheets for:

  • Alerts By Compliance Standard
  • Alerts By Policy
  • Alert Summary
  • Utilization Summary

Requirements

  • (Developed and tested on) Python 3.x with the pandas, requests, and xlsxwriter libraries.
  • Prisma Cloud Access Key with ACCOUNT GROUP READ ONLY or SYSTEM ADMIN privileges.

Usage

  • Download this repository
  • If necessary, install the required libraries
  • Identify the --customer_name parameter via Support -> Customers in the same stack as the Tenant
  • Create or select an Access Key with a Role higher than "Build and Deploy Security" in the Tenant
  • Execute the pcs-inspect.py script to collect and process the data *
  • Import the results into Google Sheets, and/or Google Slides (for example: PCS Inspect Report)
  • Profit!

(* You can independently execute the collect and process steps of the script by specifying --mode collect or --mode process)

As an alternative to using a Tenant Access Key, you can inspect a subset of data by specifying a Support User Access Key together with --support_api. The Access Key must be generated by a "LIGHT AGENT" Support User in the same stack as the Tenant (for example: to inspect the SESandBox tenant in the https://app.prismacloud.io/ stack, use a Support User from that stack).

Use ./pcs-inspect.py -h for a complete list of parameters.

Example

pip3 install -r requirements.txt

chmod +x pcs-inspect.py

./pcs-inspect.py \
  --customer_name "Example - 1234" \
  --url "https://api.prismacloud.io" \
  --access_key "aaaaaaaa-1111-aaaa-1111-aaaaaaaa1111" \
  --secret_key "ssss1111ssss1111ssss1111="

Output (Worksheets in the Spreadsheet)

Utilization Summary includes a summary of Assets, Accounts, Account Groups, Alert Rules, Integrations, Policies, and Users. Its data is collected from each of the associated endpoints.

Open Alerts by Standard lists Compliance Standards, and the count of High, Medium, and Low Severity Alerts for each Standard. Its data is collected from the policy endpoint.

Open Alerts by Policy lists Policies with details including Open Alert Count. Its data is collected from the policy endpoint.

Open Alerts Summary includes a summary of the Open Alerts by Standard and Open Alerts by Policy worksheets. Its data is collected from the policy endpoint.

Open and Closed Alerts by Standard lists Compliance Standards, and the count of High, Medium, and Low Severity Alerts for each Standard. Its data is collected from the alerts endpoint and is scoped to a time range; it is not collected or output when using Support API mode.

Open and Closed Alerts by Policy lists Policies with details including Open and Closed Alert Count. Its data is collected from the alerts endpoint and is scoped to a time range; it is not collected or output when using Support API mode.

Open and Closed Alerts Summary includes a summary of the Open and Closed Alerts by Standard and Open and Closed Alerts by Policy worksheets. Its data is collected from the alerts endpoint and is scoped to a time range; it is not collected or output when using Support API mode.
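To make the worksheet rollups above concrete, here is an added example (not code from the pcs-inspect project) that takes constructed policy and alert records and produces the per-standard, per-policy, and summary counts in the same shape the worksheets describe. The field names (policyId, severity, openAlertsCount, complianceMetadata[].standardName, alert.policy.policyId, alert.status) are assumptions modelled on the shape of the Prisma Cloud API responses; confirm them against the .json files written by the collect step before relying on them.

```python
"""Roll constructed Prisma Cloud-style policy and alert records up into the
per-standard / per-policy / summary counts that the worksheets report.

Added example, not part of pcs-inspect. Field names are ASSUMPTIONS modelled on
the Prisma Cloud API response shape; verify them against the collect-step .json.
"""
from collections import defaultdict

SEVERITIES = ("high", "medium", "low")

# Constructed sample of policy-endpoint records (only the fields used here).
# p-1 maps to the same standard twice (two sections) on purpose: see standards_of().
POLICIES = [
    {"policyId": "p-1", "name": "Storage bucket publicly readable", "severity": "high",
     "openAlertsCount": 3,
     "complianceMetadata": [{"standardName": "CIS v1.4", "sectionId": "2.1.1"},
                            {"standardName": "CIS v1.4", "sectionId": "2.1.5"},
                            {"standardName": "PCI DSS v3.2", "sectionId": "1.2"}]},
    {"policyId": "p-2", "name": "Security group open to the internet", "severity": "medium",
     "openAlertsCount": 5,
     "complianceMetadata": [{"standardName": "CIS v1.4", "sectionId": "5.2"}]},
    {"policyId": "p-3", "name": "Audit logging disabled", "severity": "low",
     "openAlertsCount": 0,
     "complianceMetadata": []},   # no standard mapping: appears only in the policy worksheet
]

# Constructed sample of alerts-endpoint records for the queried time range.
ALERTS = [
    {"id": "a-1", "status": "open", "policy": {"policyId": "p-1"}},
    {"id": "a-2", "status": "open", "policy": {"policyId": "p-1"}},
    {"id": "a-3", "status": "resolved", "policy": {"policyId": "p-1"}},
    {"id": "a-4", "status": "open", "policy": {"policyId": "p-2"}},
    {"id": "a-5", "status": "dismissed", "policy": {"policyId": "p-2"}},
    {"id": "a-6", "status": "open", "policy": {"policyId": "p-gone"}},  # disabled/deleted policy
]


def standards_of(policy):
    """Distinct standards a policy maps to. complianceMetadata (assumed shape) carries one
    entry per standard/requirement/section, so a standard can repeat; without dedupe every
    extra section would double-count that policy's alerts under the standard."""
    return {m["standardName"] for m in policy.get("complianceMetadata", [])}


def per_policy_counts_from_policies(policies):
    """'Open' counts exactly as the policy endpoint reports them (openAlertsCount)."""
    return {p["policyId"]: {"open": p.get("openAlertsCount", 0)} for p in policies}


def per_policy_counts_from_alerts(policies, alerts):
    """Open and closed counts derived from alert records within the time range.
    Returns (counts, unmatched): unmatched is the number of alerts whose policy is not
    in the enabled-policy list, a common reason report totals differ from the console.
    Simplifying assumption: any status other than 'open' is treated as closed."""
    counts = {p["policyId"]: {"open": 0, "closed": 0} for p in policies}
    unmatched = 0
    for a in alerts:
        pid = a["policy"]["policyId"]
        if pid not in counts:
            unmatched += 1
            continue
        bucket = "open" if a.get("status", "").lower() == "open" else "closed"
        counts[pid][bucket] += 1
    return counts, unmatched


def rollup_by_standard(policies, per_policy):
    """Roll per-policy counts up to {standard: {severity: {bucket: n}}}.
    An alert under a policy mapped to N standards is counted once per standard,
    which is the semantics of an 'Alerts by Standard' worksheet."""
    buckets = sorted({b for c in per_policy.values() for b in c})

    def empty():
        return {sev: {b: 0 for b in buckets} for sev in SEVERITIES}

    result = defaultdict(empty)
    for p in policies:
        sev = p.get("severity", "").lower()
        if sev not in SEVERITIES:
            continue
        counts = per_policy.get(p["policyId"], {})
        for std in standards_of(p):
            for bucket, n in counts.items():
                result[std][sev][bucket] += n
    return dict(result)


def summary(per_policy):
    """Totals per bucket across all policies, for the summary worksheet."""
    totals = defaultdict(int)
    for counts in per_policy.values():
        for bucket, n in counts.items():
            totals[bucket] += n
    return dict(totals)


if __name__ == "__main__":
    open_counts = per_policy_counts_from_policies(POLICIES)
    print("Open Alerts by Standard:", rollup_by_standard(POLICIES, open_counts))
    print("Open Alerts Summary:", summary(open_counts))
    oc_counts, unmatched = per_policy_counts_from_alerts(POLICIES, ALERTS)
    print("Open and Closed Alerts by Standard:", rollup_by_standard(POLICIES, oc_counts))
    print("Open and Closed Alerts Summary:", summary(oc_counts), "unmatched alerts:", unmatched)
```

The two count sources deliberately disagree in the sample (the policy endpoint says p-1 has 3 open alerts, the alert records show 2): the policy endpoint reports a current count while the alerts endpoint is scoped to the time range, which is the same reason the two families of worksheets can differ in a real report.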

Containerized Usage

See: PCEE_PYTHON_DOCKERFILE_PCS_INSPECT (https://github.com/Kyle9021/PCEE_PYTHON_DOCKERFILE_PCS_INSPECT)

Troubleshooting

In general, specify -d to enable debugging.

If you receive an error when the script generates an API token:

  • Verify that the Access Key is valid for the specified Stack and Tenant
  • Validate the URL, Access Key, and Secret Key parameters

If you receive an error when the script queries an API endpoint:

  • Validate that the Customer Name is complete and correct as per Support -> Customers
  • Validate that the Access Key has the necessary Role to access the API
  • Do not use a Tenant Access Key when specifying --support_api
  • Do not use a Support User Access Key unless specifying --support_api
  • Validate that the Support User has "LIGHT AGENT" permissions when specifying --support_api

Note that details for some server-side query errors are not returned by the API.

If the report does not contain the numbers you were expecting:

  • If you are using Support API mode, remember that the script is limited to the data that the APIs return.
  • Open the .json files created by the collect/query steps, and review the data that the APIs return.
  • Open the script and review the get_ functions for comments, and to identify the API endpoints used to return data.
  • Edit the script and add print() statements where appropriate.