├── .drone.yml ├── LICENSE ├── README.md ├── SUPPORT.md ├── lab_deploy ├── README.md ├── ci_vulnerability_lab_guide.md └── compose_deploy │ ├── .gitignore │ ├── .secrets │ ├── docker-compose.yml │ └── volumes │ ├── grafana │ ├── dashboards │ │ ├── Prisma-Cloud-Dashboards │ │ │ ├── compute-counters.json │ │ │ └── compute-gauge.json │ │ └── System-Dashboards │ │ │ ├── grafana_metrics.json │ │ │ ├── prometheus_2_stats.json │ │ │ └── prometheus_stats.json │ └── provisioning │ │ ├── all_sources.yml │ │ └── dashboards │ │ └── all_dash.yml │ └── prometheus │ └── prometheus.yml ├── panw-partner-wiki-main ├── LICENSE ├── README.md └── contents │ ├── DevOps_Links │ └── DevOps_Resources.md │ ├── Wiki_Guidelines.md │ ├── labs │ ├── Install_Defenders_in_Public_Cloud.md │ ├── Prisma_Cloud_AWS_ECR_Set-up.md │ ├── Prisma_Cloud_Compute_Command_Injection_WAAS_Demo.md │ ├── Prisma_Cloud_Compute_Docker_RBAC_Tutorial.md │ ├── Prisma_Cloud_Compute_Ecosystem_Deploy_Docker_Compose.md │ ├── Prisma_Cloud_Compute_Minikube_Lab.md │ ├── Prisma_Cloud_Compute_Privileged_Mode_Container_Demo.md │ ├── Prisma_Cloud_Compute_SQL_Injection_Demo_Tutorial.md │ ├── Prisma_Cloud_Compute_Twistcli_Manual_Image_Scan.md │ ├── Prisma_Cloud_Compute_k3s_Lab_Build.md │ ├── Prisma_Cloud_Enterprise_API_Tutorial.md │ ├── SpringShell_Attack_&_Protect.md │ ├── access-key-rolling-blog │ │ ├── LICENSE │ │ ├── README.md │ │ ├── aws │ │ │ ├── README.md │ │ │ ├── lambda │ │ │ │ └── lambda_function.py │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── provider.tf │ │ │ └── variables.tf │ │ ├── azure │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── provider.tf │ │ │ ├── resources │ │ │ │ ├── eventGridTrigger │ │ │ │ │ ├── __init__.py │ │ │ │ │ └── function.json │ │ │ │ ├── host.json │ │ │ │ └── requirements.txt │ │ │ └── variables.tf │ │ ├── gcp │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── provider.tf │ │ │ ├── resources │ │ │ │ ├── main.py │ │ │ │ └── requirements.txt │ │ │ └── variables.tf │ │ ├── 
github │ │ │ ├── README.md │ │ │ ├── key-rolling-action.yml │ │ │ ├── main.py │ │ │ └── requirements.txt │ │ └── images │ │ │ ├── access_key_blog-aws.png │ │ │ ├── access_key_blog-azure.png │ │ │ ├── access_key_blog-gcp.png │ │ │ ├── access_key_blog-general.png │ │ │ └── access_key_blog-github.png │ ├── custom_compliance_checks_tutorial.md │ ├── microseg-lab │ │ ├── 0a_aporeto_config │ │ ├── 0b_aporeto_vm_prep.sh │ │ ├── 1_aporeto_install_apoctl.sh │ │ ├── 2_aporeto_generate_cert.sh │ │ ├── 3_aporeto_configure_apoctl.sh │ │ ├── 4a_aporeto_create_child_namespace.sh │ │ ├── 4b_aporeto_create_child_and_grand_child_namespace.sh │ │ ├── 5a_aporeto_linux_vm_enforcer_install.sh │ │ ├── 5c_aporeto_k8s_enforcer_install.sh │ │ ├── 5d_aporeto_k8s_enforcer_helm_generate.sh │ │ ├── 5e_aporeto_tanzukubernetesgridintegrated_enforcer_install.sh │ │ ├── 5f_aporeto-tanzukubernetesgridintegrated_helm_generate.sh │ │ ├── 5g_windows_vm_enforcer_install.ps1 │ │ ├── 6_aporeto_profile_app.sh │ │ ├── README.md │ │ └── secrets │ │ │ └── aporeto_admin_app_credentials │ ├── prisma_cloud_and_xdr_better_together.md │ ├── prisma_cloud_compute_gitlab_self_hosted_kaniko_rootless_container_building.md │ ├── prisma_code_security_gitlab_pre-receive_hook.md │ ├── prisma_code_security_on_prem_vcs_ci_pipeline.md │ └── terraform-cloud-sentinel-and-run-tasks-integration.md │ └── new_tenants │ ├── NEW_TENANT_SETUP.md │ └── images │ ├── .gitkeep │ └── default-policies.jpg ├── pca ├── README.md └── lunchbox_report.sh ├── powershell_toolbox ├── add_user.ps1 ├── ci_download_twistcli_and_scan_windows_container.ps1 ├── compliance_alert_summary_by_section.ps1 └── secrets │ └── example_access_key_file.csv └── prisma_bash_toolbox-main ├── .gitignore ├── LICENSE ├── README.md ├── account_group_alert_and_policy_report.sh ├── account_group_risk_report.sh ├── add_user.sh ├── alert_dismiss.sh ├── alert_rule_policy_report.sh ├── alerts_which_can_be_fixed_through_iac_policy.sh ├── asset_dashboard_vuln_report.sh ├── 
automated_vs_manual_events_report.sh ├── aws_instance_image_tags_report.sh ├── ci_container_image_runtime_learning_off.sh ├── ci_container_image_runtime_learning_on.sh ├── ci_container_image_scan.sh ├── ci_embed_dockerfile_and_prep_build_dir.sh ├── ci_fargate_task_defender_embed.sh ├── ci_host_image_scan.sh ├── ci_k8s_manifest_container_scan.sh ├── ci_local_repository_vulnerability_scan.sh ├── ci_retrieve_risks.sh ├── ci_retrieve_twistcli.sh ├── ci_serverless_function_scan.sh ├── cloud_discovery_report.sh ├── code_security_report.sh ├── code_security_suppression_report.sh ├── compliance_alert_summary_by_section.sh ├── compute_api_token.sh ├── compute_deployed_image_vuln_report.sh ├── container_registry_image_scan.sh ├── defender_report_cluster_api_server.sh ├── deploy_n-1_docker_defender.sh ├── deployed_hosts_config_and_vuln_report.sh ├── deployed_images_detailed_vuln_and_config_report.sh ├── detailed_code_security_vulnerability_report.sh ├── detailed_compliance_alert_report.sh ├── detailed_compliance_policy_report.sh ├── dspm_sizing_script_for_prisma_customers_using_cspm.sh ├── embed_python_lambda.sh ├── enterprise_edition_cspm_api_token.sh ├── export_bridgecrew_custom_yaml_policies_and_load_into_ccs.sh ├── export_bridgecrew_ui_policies_PLEASE_READ.sh ├── find_azure_resources_without_locks.sh ├── find_cloud_resources_without_tags.sh ├── func └── func.sh ├── generate_defender_helm_chart.sh ├── generate_ecs_task_definition.sh ├── generate_k8s_manifest.sh ├── image_tag_exception_association.sh ├── inventory_by_cloud_account_and_service_type.sh ├── network_anomaly_alert_policy_report.sh ├── onboard_aws_org.sh ├── policy_by_cloud_provider_report.sh ├── pull_all_active_cloud_assets.sh ├── pull_asset_summary_by_account.sh ├── pull_audit_logs.sh ├── quick_detailed_compliance_alert_report.sh ├── registry_image_report.sh ├── remove_run_tasks_tf_cloud_org.sh ├── remove_unused_credentials_compute_cloud_accounts.sh ├── report_aks_agent_node_pool_size.sh ├── 
report_all_licensable_resources.sh ├── report_all_vms.sh ├── reports ├── EXAMPLE_DETAILED_COMPLIANCE_ALERT_REPORT.xlsx └── report.example ├── resource_list_namespace_vuln_compliance_reports.sh ├── resource_type_inventory.sh ├── retrieve_compute_settings.sh ├── retrieve_iam_alert_data.sh ├── retrieve_latest_defender_image.sh ├── retrieve_latest_defender_image_arm.sh ├── s3_public_object_report.sh ├── secrets └── secrets ├── serverless_detailed_vuln_report.sh ├── setup.sh ├── snoozed_or_dismissed_alerts.sh ├── temp └── temp_example.json ├── update_SSO_bypass_allowed_users.sh ├── update_code_security_runtask_workspaces_with_hashi_api.sh ├── update_code_security_runtask_workspaces_without_hashi_api.sh ├── update_existing_user.sh └── workload_vulnerability_report.sh /.drone.yml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: pipeline 3 | type: docker 4 | name: test_bash_scripts 5 | 6 | steps: 7 | - name: shellcheck 8 | image: koalaman/shellcheck-alpine:stable 9 | commands: 10 | - "find . -name *.sh -exec shellcheck {} +" 11 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Palo Alto Networks 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Prisma Cloud Channel Resources 2 | 3 | [![CodeFactor](https://www.codefactor.io/repository/github/kyle9021/prisma_channel_resources/badge)](https://www.codefactor.io/repository/github/kyle9021/prisma_channel_resources) 4 | 5 | [![license](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE) [![support](https://img.shields.io/badge/Support%20Level-Community-yellowgreen)](./SUPPORT.md) 6 | 7 | 8 | A collection of resources for engineers who work with Prisma Cloud. This repository is broken into three main sections. Please click the links to explore: 9 | 10 | * [Unofficial Prisma Cloud Partner Wiki](https://github.com/PaloAltoNetworks/prisma_channel_resources/blob/main/panw-partner-wiki-main/README.md) - A collection of public-facing documentation, presentations, calculators, walkthroughs and tutorials, GitHub collections, and NextWave Partner Portal resources, all related to Prisma Cloud and its ecosystem. 11 | 12 | * [Prisma Cloud Bash Script Toolbox](https://github.com/PaloAltoNetworks/prisma_channel_resources/tree/main/prisma_bash_toolbox-main) - A collection of bash shell scripts that showcase features/use cases and handle many of the day-to-day automation tasks and reporting requirements related to Prisma Cloud. 
13 | 14 | * [Prisma Cloud Compute Local Lab Set-up](https://github.com/PaloAltoNetworks/prisma_channel_resources/tree/main/lab_deploy) - Instructions on how to deploy the self-hosted version of the Prisma Cloud platform, along with other tools and ecosystem technologies. Not for production; uses docker and docker-compose. Deploys the Iverson update 2 release, drone, gitea, the dvwa, a swagger petstore app, prometheus, grafana, and vault. 15 | 16 | Please take the time to review the [support policy](https://github.com/PaloAltoNetworks/prisma_channel_resources/blob/main/SUPPORT.md), [license](https://github.com/PaloAltoNetworks/prisma_channel_resources/blob/main/LICENSE), and other related content. Thank you for visiting! 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | ### Prisma Cloud Dev Community Highlights 25 | 26 | * [Prisma Cloud Agentless API Scripts](https://github.com/PaloAltoNetworks/pcs-cwp-agentless) 27 | * [Prisma Cloud DaemonSet Defender Auto Updater](https://github.com/PaloAltoNetworks/pcs-cwp-defender-updater) 28 | * [Prisma Cloud Helper Scripts - Thanks Stephen Gordon](https://github.com/PaloAltoNetworks/pcs-platform-helper-scripts) 29 | * [Pro-Serv Ryan Haney's version of Prisma Cloud Golang SDK - Thank you Ryan!](https://github.com/thathaneydude/prisma-cloud-sdk) 30 | * [Python CLI Tool - Thank you Steven de Boer](https://pypi.org/project/prismacloud-cli/) 31 | * [Prisma Universal Serverless Syslog to SIEM project - Thanks Eddie Beuerlein and Marc Hobson!](https://github.com/PaloAltoNetworks/pcs-serverless-syslog) 32 | * [Prisma Cloud Postman Collection](https://github.com/PaloAltoNetworks/pcs-postman) 33 | * [Prisma Cloud Python Toolbox](https://github.com/PaloAltoNetworks/pcs-toolbox) 34 | * [Prisma Cloud Community Operator - Thank you Wyatt Gill](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator) 35 | * [Prisma Cloud Compute Sample Code - Thank you Stephen Gordon and Wyatt 
Gill](https://github.com/PaloAltoNetworks/prisma-cloud-compute-sample-code) 36 | * [Prisma Cloud Workshops - Azure Focused - Thank you David Okeyode!](https://github.com/davidokeyode/prismacloud-workshops-labs) 37 | * [BridgeCrew Toolbox - Thanks Mike Urbanski and Kartik](https://github.com/bridgecrewio/bc-toolbox) 38 | * [Prisma Cloud Terraform Provider - Thanks Garfield Freeman!](https://github.com/PaloAltoNetworks/terraform-provider-prismacloud) 39 | * [Prisma Cloud WaaS Terraform Provider - Thank you Geoff Sindel](https://github.com/PaloAltoNetworks/terraform-provider-prismacloud-waas) 40 | * [Prisma Cloud Golang SDK - Thanks Garfield Freeman!](https://github.com/PaloAltoNetworks/prisma-cloud-go) 41 | * [BridgeCrew Terraform Provider](https://github.com/PaloAltoNetworks/terraform-provider-bridgecrew) 42 | * [PANW + Hashi](https://pan.dev/terraform/) 43 | * [An excellent test container for cloud security - Thank you McKinsey Engineer - Petr Ruzicka](https://github.com/ruzickap/malware-cryptominer-container/blob/main/README.md) 44 | * [Prisma Cloud API Utils - example code (python) and helper methods for Auth](https://github.com/tmprender/prisma_cloud_utils) 45 | 46 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | Community Supported 2 | 3 | The software and templates in the repo are released under an as-is, best effort, 4 | support policy. This software should be seen as community supported and Palo 5 | Alto Networks will contribute our expertise as and when possible. We do not 6 | provide technical support or help in using or troubleshooting the components of 7 | the project through our normal support options such as Palo Alto Networks 8 | support teams, or ASC (Authorized Support Centers) partners and backline support 9 | options. 
The underlying product used (the VM-Series firewall) by the scripts or 10 | templates are still supported, but the support is only for the product 11 | functionality and not for help in deploying or using the template or script 12 | itself. Unless explicitly tagged, all projects or work posted in our GitHub 13 | repository (at https://github.com/PaloAltoNetworks) or sites other than our 14 | official Downloads page on https://support.paloaltonetworks.com are provided 15 | under the best effort policy. 16 | -------------------------------------------------------------------------------- /lab_deploy/compose_deploy/.gitignore: -------------------------------------------------------------------------------- 1 | .secrets 2 | -------------------------------------------------------------------------------- /lab_deploy/compose_deploy/.secrets: -------------------------------------------------------------------------------- 1 | # Secrets file for Prisma Compute Lab Set-up 2 | # Author Kyle Butler 3 | 4 | # Basic configuration: Assign values to the below variables. 
# Shared secret between drone runner and drone server - should be a password with reasonable complexity
DRONE_RPC_SECRET=""

# Your choice for this part
DRONE_UI_USERNAME=""
DRONE_UI_PASSWORD=""

# Generate using the command: openssl rand -hex 16
# Copy the value into this file and the prometheus.yml file
# (the same value is embedded in DRONE_USER_CREATE further down, so set it before the first start)
DRONE_METRICS_API_TOKEN=""

# Generate using the command: openssl rand -hex 16
# Copy the value into this file and the prometheus.yml file
GITEA_METRICS_API_TOKEN=""

# Vault root token - should be a password with reasonable complexity
VAULT_ROOT_TOKEN=""

# Splunk Password
SPLUNK_PASSWORD=""


# DON'T ASSIGN THESE VARIABLES UNTIL AFTER DEPLOYING GITEA and GITEA-DB
# (presumably the client id / secret of the OAuth2 application registered in Gitea for Drone - confirm in the lab guide)
DRONE_GITEA_CLIENT_ID=""
DRONE_GITEA_CLIENT_SECRET=""



# Advanced Configuration Options not covered in the scope of this lab.
# Everything below is lab-only wiring: plain http between containers, default
# database credentials, and TLS verification switched off. None of it is meant
# for anything beyond the local docker-compose deployment.

# vault config
# NOTE(review): 0.0.0.0 listens on every interface of whatever it is bound to -
# confirm how docker-compose.yml publishes this port.
VAULT_URL="0.0.0.0:7880"

# Swagger config
SWAGGER_URL="http://swagger:8082"

# Gitea config
USER_UID="1000"
USER_GID="1000"
ROOT_URL="http://gitea:3000"
DB_TYPE="postgres"
DB_HOST="gitea-db:5432"
DB_NAME="gitea"
# Default credentials for the lab database. DB_HOST points at gitea-db, so these
# presumably have to stay in sync with the POSTGRES_* values in the next section.
DB_USER="postgres"
DB_PASSWD="postgres"
# Skips TLS certificate verification on the Gitea side; only acceptable because
# this lab talks plain http between containers.
SKIP_TLS_VERIFY="true"
GITEA_WEBHOOK_ALLOWED_HOST_LIST="drone*"

# Gitea Db config
POSTGRES_USER="postgres"
POSTGRES_PASSWORD="postgres"
POSTGRES_DB="gitea"

# Drone config
DRONE_AGENTS_ENABLED="true"
DRONE_GITEA_SERVER="http://gitea:3000"
DRONE_GIT_ALWAYS_AUTH="false"
# Plain-http Drone server; no certificate is requested (autocert off).
DRONE_TLS_AUTOCERT="false"
DRONE_SERVER_PORT=":8000"
DRONE_SERVER_HOST="drone:8000"
DRONE_SERVER_PROTO="http"
# Bootstraps an admin user whose API token is the metrics token defined above.
# NOTE(review): confirm that whatever loads this file expands ${DRONE_METRICS_API_TOKEN};
# if the value is taken literally, the bearer token Prometheus scrapes with will not match.
DRONE_USER_CREATE="username:prisma-presenter,admin:true,token:${DRONE_METRICS_API_TOKEN}"

# Drone runner config
# NOTE(review): assigned a second time a few lines further down with the same value; one of the two is redundant.
DRONE_RUNNER_NETWORKS="gitea-drone_default"
DRONE_RPC_HOST="drone:8000"
DRONE_RPC_PROTO="http"

DRONE_RUNNER_NAME="drone-runner" 75 | DRONE_RUNNER_NETWORKS="gitea-drone_default" 76 | 77 | # User for volume permissions 78 | CURRENT_UID=1000:1000 79 | 80 | -------------------------------------------------------------------------------- /lab_deploy/compose_deploy/volumes/grafana/provisioning/all_sources.yml: -------------------------------------------------------------------------------- 1 | apiVersion: 1 2 | 3 | datasources: 4 | - name: Prometheus 5 | type: prometheus 6 | access: proxy 7 | url: http://prometheus:9091 8 | isDefault: true 9 | version: 1 10 | editable: true 11 | -------------------------------------------------------------------------------- /lab_deploy/compose_deploy/volumes/grafana/provisioning/dashboards/all_dash.yml: -------------------------------------------------------------------------------- 1 | apiVersion: 1 2 | 3 | providers: 4 | # an unique provider name. Required 5 | - name: 'Grafana Dashboards' 6 | # Org id. Default to 1 7 | orgId: 1 8 | # name of the dashboard folder. 9 | folder: '' 10 | # folder UID. will be automatically generated if not specified 11 | folderUid: '' 12 | # provider type. Default to 'file' 13 | type: file 14 | # disable dashboard deletion 15 | disableDeletion: false 16 | # how often Grafana will scan for changed dashboards 17 | updateIntervalSeconds: 10 18 | # allow updating provisioned dashboards from the UI 19 | allowUiUpdates: true 20 | options: 21 | # path to dashboard files on disk. Required when using the 'file' type 22 | path: /var/lib/grafana/dashboards 23 | # use folder names from filesystem to create folders in Grafana 24 | foldersFromFilesStructure: true 25 | -------------------------------------------------------------------------------- /lab_deploy/compose_deploy/volumes/prometheus/prometheus.yml: -------------------------------------------------------------------------------- 1 | global: 2 | scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. 
3 | evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. 4 | 5 | # Prisma Cloud scrape configuration. 6 | scrape_configs: 7 | 8 | - job_name: 'twistlock' 9 | static_configs: 10 | - targets: ['twistlock_console:8083'] 11 | metrics_path: /api/v1/metrics 12 | basic_auth: 13 | username: '' 14 | password: '' 15 | scheme: https 16 | tls_config: 17 | insecure_skip_verify: true 18 | 19 | - job_name: 'drone' 20 | bearer_token: 21 | static_configs: 22 | - targets: ['drone:8000'] 23 | 24 | - job_name: 'gitea' 25 | bearer_token: 26 | static_configs: 27 | - targets: ['gitea:3000'] 28 | 29 | 30 | # Grafana monitoring 31 | - job_name: grafana 32 | metrics_path: /metrics 33 | scheme: http 34 | static_configs: 35 | - targets: 36 | - grafana:3001 37 | 38 | # Prometheus self-monitoring 39 | - job_name: prometheus 40 | honor_timestamps: true 41 | metrics_path: /metrics 42 | scheme: http 43 | follow_redirects: true 44 | enable_http2: true 45 | static_configs: 46 | - targets: 47 | - localhost:9090 48 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/Prisma_Cloud_Compute_Docker_RBAC_Tutorial.md: -------------------------------------------------------------------------------- 1 | ## Purpose: 2 | 3 | To provide a "why" behind incorporating this feature and to provide a practical working example of implementation. 4 | 5 | ## Prerequisites: 6 | 7 | * Prisma Cloud Compute Deployed with a container defender deployed (Created with version 21.04). 8 | * Docker installed 9 | 10 | ## Why is this important? 11 | 12 | This is an incredibly useful feature for Prisma Cloud Compute and if operationalized correctly it has the potential to greatly increase the security for an organization which utilizes the docker engine. I've written a tutorial outlining why one might want to incorporate this into their workflow. 
See [Show why running a container in privileged mode can create a risk](https://pa-partner-wiki.ml/Demo%20Security%20Risks%20of%20Running%20a%20Docker%20Container%20in%20Privileged%20Mode.md). This capability also helps bring the zero-trust and least-privilege principles into container operations. 13 | 14 | ## Where this might make sense because of the organizational security policies: 15 | 16 | On the machines of developers who build containers. Create policies that, for example, restrict pulling container images from public registries. 17 | 18 | ## Where this definitely makes sense. 19 | 20 | Any VMs/hosts running the docker engine in staging or production environments. Not best practice to be using docker! 21 | Any VMs/hosts where the docker API is exposed. 22 | 23 | ## How-to deploy: 24 | 25 | * Step 1: Log into your Prisma Cloud Compute console 26 | * Step 2: Go to Manage > Defenders 27 | * Step 3: On the Manage Tab select the Defenders subtab. Click the Actions `...` button and then the "Edit" button to bring up the container defender configuration. Turn on the setting "Set Defender as a TCP listener". Then hit save. 28 | * Step 4: On the left-hand side of the page under the Manage menu click the "Authentication" sub menu and then click the "User certificates" tab in the middle of the page. 29 | * Step 5: Copy the script to install the client certificate, client private key, and the CA certificate. 30 | * Step 6: Open a terminal and paste the script into the terminal window. 31 | * Step 7: In the terminal run the following command `docker --tlsverify -H <DEFENDER_HOST>:9998 ps`, where `<DEFENDER_HOST>` is the address of the host running the defender you just set as a TCP listener. You should see the action is denied based on the default rule - deny all. 
32 | 33 | 34 | ## How-to-set-up for your demo in a box env: 35 | 36 | * Run these commands to make things more useful and usable (replace `<DEFENDER_HOST>` with the address of the defender host used above): 37 | 38 | ```bash 39 | cd $HOME 40 | echo "export DOCKER_HOST=tcp://<DEFENDER_HOST>:9998" >> .bashrc 41 | echo "export DOCKER_TLS_VERIFY=1" >> .bashrc 42 | echo "alias docker='docker --tlsverify -H <DEFENDER_HOST>:9998'" >> .bashrc 43 | source .bashrc 44 | ``` 45 | 46 | * Now you can try running a simple docker command on your machine: 47 | 48 | `docker ps` 49 | 50 | * You should see the same error as you saw when you initially ran this before. 51 | * Combine this with other host runtime rules and you have a very secure docker environment. 52 | * You can work on tuning and adjusting the rules based on Groups and Policies. 53 | * The policies can be found in the Prisma Compute Console under Defend > Access under the "Docker" tab. 54 | 55 | Official documentation around this feature can be found here: 56 | https://docs.twistlock.com/docs/compute_edition/access_control/rbac.html 57 | 58 | 59 | ## Wait though, a developer can secure the docker daemon without Prisma Cloud Compute, so why do this process? 60 | 61 | [Docker Documentation on how to secure the docker daemon (without Prisma Compute)](https://docs.docker.com/engine/security/protect-access/) 62 | 63 | A well-informed, security-minded developer will point to the documentation above and probably question the value of this feature. What I'd point out is that following these security best practices isn't enabling "DevSecOps" but rather good developer hardening guidelines. The problem here is the lack of visibility and auditability for other departments in the organization who require this information. A lot of what Prisma Cloud Compute is meant to do is provide visibility and control to the IT team. DevSecOps is catering to everyone involved in managing technology, not just the development team. All of the features in this tutorial work hand-in-hand with the security recommendations outlined in the docker documentation above. 
64 | 65 | Another important thing to keep in mind is the documentation above handles authentication but not authorizations, which is a critical differentiator for this feature. 66 | 67 | Hopefully you find this tutorial useful I'll look forward to any feedback you may have. 68 | 69 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/Prisma_Cloud_Compute_Privileged_Mode_Container_Demo.md: -------------------------------------------------------------------------------- 1 | ### Demonstrate why running containers in privileged mode can be a security risk to an organization. 2 | 3 | Requirements: 4 | 5 | * Ubuntu 20.04 VM 2 cores 4 GBs of RAM or greater 6 | 7 | * [Docker Installed](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04) 8 | 9 | 10 | ### Prepare your environment 11 | 12 | * After installing docker pull the latest image of alpine `docker pull alpine:latest` 13 | * Run the following command to gain shell access in the container `docker run --privileged -it --rm alpine sh` 14 | * Explain the reasoning one might have to run a container in a privileged mode. (Docker in a docker container is a good example) 15 | * Explain that by running a container in a privileged mode can open up an organization to a number of attacks. 16 | 17 | 18 | ### Show some examples of damage 19 | 20 | * Explain that if an attacker was able to get shell access to a container running in privileged mode this is some things they could do to further penetrate the organization. 21 | * Run this command in the container shell `mount` you're looking for a directory that starts with `/dev/sda` and if using the same OS mentioned above (Ubuntu 20.04) then it's `/dev/sda5` 22 | * Create a temp mount directory inside the container shell. `mkdir host_mount` 23 | * Then run the command `mount /dev/sda /host_mount` 24 | * `cd host_mount` and `ls` to show the hosts root file system. 
25 | * `cat etc/shadow` to show the usernames and hashed passwords of users (John the Ripper Kali) 26 | * Create a fake exploit `touch exploit` 27 | * Exit the container shell to show that the fake exploit file still exists: 28 | * Typing `exit` will get back to your vm shell and `cd /` will get you to the root directory of the vm you're running. Once at the root directory run `ls` to see the exploit still on the host machine. 29 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/Prisma_Cloud_Compute_Twistcli_Manual_Image_Scan.md: -------------------------------------------------------------------------------- 1 | ## Step 1: Install twistcli tools, create access keys, and get path to console 2 | 3 | * Enterprise Edition 4 | * Go to settings 5 | * Access keys 6 | * Click '+Add New' button on the top left on window 7 | * provide name 8 | * Copy the access key and secret key to a secure location where the access key is `` and the secret key is `` ---note you won't be able to retrieve these later. 
9 | * Compute Edition 10 | * Go to Manage 11 | * Authentication 12 | * Click the '+ Add credential' button 13 | * Provide a username ---recommending something like cliadmin 14 | * Set password 15 | * change role to CI user 16 | * Set permissions to all 17 | * Save the user name in a text file as `<USERNAME>` and the password as `<PASSWORD>` (we'll use them later) 18 | * Copy the console web address: 19 | * Enterprise Edition: 20 | * Compute > System > Downloads tab ---copy from Path to Console Field 21 | * Save to text doc as `<CONSOLE_URL>` 22 | * Go to the Prisma Cloud Compute Tab if you're using Prisma Cloud Enterprise Edition (Skip this step if you're on the compute edition) 23 | * Go to the Manage Section and click system in the left hand menu 24 | * On the tabs towards the top of the page click downloads 25 | * On the downloads screen click the copy button 26 | * Paste the command copied into your linux shell 27 | 28 | 29 | ## Step 2: (Optional) Pull a docker image to scan 30 | 31 | * Must have docker installed in order to run 32 | * Docker command to pull a quick image `docker pull hello-world` 33 | * If you'd like to just scan an image that's already on the host, run `docker images`; you'll want to note the `<IMAGE_NAME>` of the image and the `<TAG>` 34 | 35 | ## Step 3: Scan the image using twistcli 36 | * (Optional) make twistcli available on your PATH so it can be run without `./` (referred to as the alias below): 37 | 38 | ``` 39 | sudo cp twistcli /usr/bin 40 | su ${USER} 41 | ``` 42 | 43 | * `./twistcli images scan --address <CONSOLE_URL> -u <USERNAME> -p <PASSWORD> --details <IMAGE_NAME>:<TAG>` or if you added the alias `twistcli images scan --address <CONSOLE_URL> -u <USERNAME> -p <PASSWORD> --details <IMAGE_NAME>:<TAG>` 44 | * If using the demo-build on GCP use --address https://console-master-fill-this-in-with-yours.demo.twistlock.com and the username and password must be the ones you use to log into the console (i.e. 
creating a new one doesn't work) 45 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/LICENSE: -------------------------------------------------------------------------------- 1 | ISC License 2 | 3 | Copyright (c) 2024, Palo Alto Networks Inc. 4 | 5 | Permission to use, copy, modify, and/or distribute this software for any 6 | purpose with or without fee is hereby granted, provided that the above 7 | copyright notice and this permission notice appear in all copies. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | There are multiple ways to achieve securely storing and rolling Prisma Cloud access keys, and we wanted to share some practical examples. This repository will explore securely storing and rotating access keys in AWS, Azure, GCP, and GitHub. 3 | 4 | # Solution 5 | 6 | ![General Solution](./images/access_key_blog-general.png?raw=true "General Solution") 7 | 8 | In general, the key rolling solution will be triggered by a time-based event **(1)** or administrator action **(2)**. The request will be generated by, or sent to the underlying secrets storage mechanism **(3)** - which in this case also acts as the workflow engine. 
The secrets storage will then use the existing credential to call Prisma Cloud and request a new credential **(4)**. Upon success, the new credential replaces the existing credential in the secrets storage **(5)**. The new credential is now available for downstream automation processes to consume it **(6)**. 9 | 10 | # Prerequisites 11 | Each of the solutions provided require that a Prisma Cloud Service Account with at least one valid Access Key be created. You can use an existing Service Account / key, or create a new one with the following procedure: 12 | 1. Log in to Prisma Cloud as an administrator 13 | 2. Navigate to Settings (upper right corner) 14 | 3. Navigate to Access Control (lower left menu) 15 | 4. Click on Add at the top of the page and select "Service Account" 16 | 5. Select Service Account 17 | 6. Enter a name for the account 18 | 7. Select the appropriate role for the account 19 | 8. Enter a name for the access key 20 | 9. Optionally, enable expiration and select a date 21 | 10. Click "Save & Create (1 of 2)" 22 | 11. Copy the Access Key ID and Secret Access Key for later use - once you click Done, you will no longer be able to retrieve the Secret Access Key 23 | 12. Optionally, download the .csv containing the credentials 24 | 13. Click Done 25 | 26 | # Explore the examples 27 | The next step is to explore the example solutions for your Provider of interest: 28 | - [AWS](./aws) 29 | - [Google Cloud](./gcp) 30 | - [Azure](./azure) 31 | - [GitHub](./github) 32 | 33 | # Support Policy 34 | The code and templates in the repo are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. 
We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying products used by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy. 35 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/aws/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "id" { 2 | byte_length = 8 3 | } 4 | 5 | resource "aws_iam_role" "lambda_execution_role" { 6 | name = "prisma-cloud-key-rolling-${random_id.id.hex}" 7 | description = "Lambda execution role for Prisma Cloud secret rotation function" 8 | assume_role_policy = jsonencode({ 9 | Version = "2012-10-17" 10 | Statement = [ 11 | { 12 | Action = "sts:AssumeRole" 13 | Effect = "Allow" 14 | Sid = "" 15 | Principal = { 16 | Service = "lambda.amazonaws.com" 17 | } 18 | }, 19 | ] 20 | }) 21 | 22 | managed_policy_arns = [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] 23 | 24 | inline_policy { 25 | name = "SecretsManagerRotation" 26 | policy = jsonencode({ 27 | Version = "2012-10-17" 28 | Statement = [ 29 | { 30 | Effect = "Allow" 31 | Action = [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ] 32 | Resource = "${aws_secretsmanager_secret.prisma_cloud_secret.id}" 33 | } 34 | ] 35 | }) 36 | } 37 | } 38 | 39 | 
resource "aws_secretsmanager_secret_rotation" "rotation_schedule" { 40 | secret_id = aws_secretsmanager_secret.prisma_cloud_secret.id 41 | rotation_lambda_arn = aws_lambda_function.secrets_rotation_function.arn 42 | 43 | rotation_rules { 44 | automatically_after_days = var.rotation_interval 45 | duration = "4h" 46 | } 47 | } 48 | 49 | resource "aws_lambda_permission" "allow_secrets_manager" { 50 | action = "lambda:InvokeFunction" 51 | function_name = aws_lambda_function.secrets_rotation_function.function_name 52 | principal = "secretsmanager.amazonaws.com" 53 | } 54 | 55 | data "archive_file" "lambda" { 56 | type = "zip" 57 | source_dir = "${path.module}/lambda/" 58 | output_path = "lambda_function_payload_${random_id.id.hex}.zip" 59 | } 60 | 61 | resource "aws_lambda_function" "secrets_rotation_function" { 62 | filename = data.archive_file.lambda.output_path 63 | function_name = "prisma-cloud-key-roller-${random_id.id.hex}" 64 | description = "Lambda function to roll Prisma Cloud Access Keys" 65 | role = aws_iam_role.lambda_execution_role.arn 66 | handler = "lambda_function.lambda_handler" 67 | source_code_hash = data.archive_file.lambda.output_base64sha256 68 | runtime = "python3.10" 69 | timeout = 20 70 | memory_size = 128 71 | layers = [ aws_lambda_layer_version.python_sdk_layer.arn ] 72 | } 73 | 74 | resource "aws_lambda_layer_version" "python_sdk_layer" { 75 | layer_name = "prisma-cloud-python-sdk-layer-${random_id.id.hex}" 76 | description = "Python SDK for Prisma Cloud - https://github.com/PaloAltoNetworks/prismacloud-api-python" 77 | s3_bucket = "${var.s3_bucket_for_layer}" 78 | s3_key = "${var.s3_key_for_layer}" 79 | compatible_runtimes = ["python3.10"] 80 | compatible_architectures = ["x86_64"] 81 | } 82 | 83 | resource "aws_secretsmanager_secret" "prisma_cloud_secret" { 84 | name = "${var.secret_name}" 85 | } 86 | 87 | resource "aws_secretsmanager_secret_version" "example" { 88 | secret_id = aws_secretsmanager_secret.prisma_cloud_secret.id 89 | 
secret_string = jsonencode({ "PRISMA_CLOUD_USER" = "${var.initial_access_key}", "PRISMA_CLOUD_PASS" = "${var.initial_secret_key}", "PRISMA_CLOUD_CONSOLE_URL" = "${var.prisma_cloud_console_url}" } ) 90 | } 91 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/aws/outputs.tf: -------------------------------------------------------------------------------- 1 | output "lambda_execution_role_arn" { 2 | description = "ARN of the lambda execution role - update for additional secrets if desired" 3 | value = aws_iam_role.lambda_execution_role.arn 4 | } 5 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/aws/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 5.2.0" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.6" 10 | } 11 | 12 | provider "aws" { 13 | region = "${var.region}" 14 | } 15 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/aws/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | type = string 3 | validation { 4 | condition = can(regex("[a-z][a-z]-[a-z]+-[1-9]", var.region)) 5 | error_message = "Must be valid AWS region name." 
6 | } 7 | } 8 | 9 | variable "rotation_interval" { 10 | type = number 11 | description = "The number of days between automatic scheduled rotations of the secret" 12 | validation { 13 | condition = var.rotation_interval >= 1 && var.rotation_interval <= 365 && floor(var.rotation_interval) == var.rotation_interval 14 | error_message = "Value must be in the range: 1-365" 15 | } 16 | } 17 | 18 | variable "s3_bucket_for_layer" { 19 | type = string 20 | description = "S3 Bucket for the custom lambda layer with the prismacloud-sdk installed" 21 | } 22 | 23 | variable "s3_key_for_layer" { 24 | type = string 25 | description = "S3 object for the custom lambda layer with the prismacloud-sdk installed" 26 | } 27 | 28 | variable "initial_access_key" { 29 | type = string 30 | sensitive = true 31 | description = "The initial access key to import into the Secret" 32 | } 33 | 34 | variable "initial_secret_key" { 35 | type = string 36 | sensitive = true 37 | description = "The initial secret key to import into the Secret" 38 | } 39 | 40 | variable "prisma_cloud_console_url" { 41 | type = string 42 | description = "The Prisma Cloud console URL (for example - https://api.prismacloud.io)" 43 | } 44 | 45 | variable "secret_name" { 46 | type = string 47 | description = "Name of the Secret to store - recommend using the Prisma Cloud Service Account name" 48 | } 49 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/azure/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | azurerm = { 4 | source = "hashicorp/azurerm" 5 | version = ">= 3.97.1" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.6" 10 | } 11 | 12 | provider "azurerm" { 13 | features {} 14 | } 15 | -------------------------------------------------------------------------------- 
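import os
import json
import logging
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential
from azure.identity import ManagedIdentityCredential
from prismacloud.api import pc_api
from datetime import datetime
import azure.functions as func


def main(event: func.EventGridEvent) -> None:
    """Roll the Prisma Cloud access key held in a Key Vault secret.

    Triggered by a Key Vault Event Grid event. The secret value is a JSON
    document with PRISMA_CLOUD_USER (access key id), PRISMA_CLOUD_PASS
    (secret key) and PRISMA_CLOUD_CONSOLE_URL. The function:

    1. reads the current secret using the function's managed identity,
    2. exits early on SecretNewVersionCreated unless the secret version is
       tagged ROTATE_ON_INITIAL=true,
    3. logs in with the current key, frees the second key slot if the
       service account already holds two keys, and creates a new key,
    4. re-authenticates with the new key (this is the validation step),
    5. writes the new key to the Key Vault, and only then
    6. disables the old key.

    Steps 5 and 6 are deliberately in this order. If the vault write fails,
    the old key is still enabled and downstream consumers keep working; if
    the disable fails, the new key is already stored and the old key can be
    disabled by hand. Disabling before writing would leave the vault holding
    a dead credential and the only copy of the new key in process memory.

    Args:
        event: Event Grid event whose JSON payload carries ObjectName
            (the secret name) and VaultName.

    Raises:
        KeyError: when the event payload or the stored secret JSON lacks
            an expected field.
        Whatever the Key Vault or Prisma Cloud SDK calls raise; the
            Functions runtime records the failure.
    """
    logger = logging.getLogger()

    event_data = event.get_json()
    # Event metadata only; the payload is expected to carry object/vault
    # names, not the secret value itself.
    result = json.dumps({
        'id': event.id,
        'data': event_data,
        'topic': event.topic,
        'subject': event.subject,
        'event_type': event.event_type,
    })
    logger.info('Python EventGrid trigger processed an event: %s', result)

    secret_name = event_data['ObjectName']
    key_vault_name = event_data['VaultName']

    # The function's managed identity needs get and set on this secret.
    key_vault_uri = f"https://{key_vault_name}.vault.azure.net"
    credential = ManagedIdentityCredential()
    az_secret_client = SecretClient(vault_url=key_vault_uri, credential=credential)

    logger.info(f"Retrieving your secret from {key_vault_name}.")
    raw_secret = az_secret_client.get_secret(secret_name)
    current_secret = json.loads(raw_secret.value)

    # A new version is only rolled when explicitly tagged. The version this
    # function writes below is set without tags, so the event it raises
    # should take this exit rather than rotate again.
    if event.event_type == "Microsoft.KeyVault.SecretNewVersionCreated":
        tags = raw_secret.properties.tags or {}
        if tags.get('ROTATE_ON_INITIAL') != "true":
            logger.info("SecretNewVersionCreated event but we don't have to do anything. Exiting.")
            return None

    old_key_id = current_secret['PRISMA_CLOUD_USER']
    console_url = current_secret['PRISMA_CLOUD_CONSOLE_URL']

    # Log in with the key that is about to be rolled.
    pc_api.configure({
        "url": console_url,
        "identity": old_key_id,
        "secret": current_secret['PRISMA_CLOUD_PASS'],
    })
    pc_api.logger = logger

    # The email field is populated with the username even for service accounts.
    current_user = pc_api.current_user().get('email')

    # A service account may hold at most two keys; free the slot that is not
    # the key we are logged in with. NOTE(review): this deletes the other key
    # regardless of whether anything else still uses it.
    service_account_keys = [
        {'id': item.get('id'), 'status': item.get('status')}
        for item in pc_api.access_keys_list_read()
        if item.get('username') == current_user
    ]
    if len(service_account_keys) == 2:
        for pc_access_key in service_account_keys:
            if pc_access_key['id'] != old_key_id:
                pc_api.access_key_delete(pc_access_key['id'])

    keyname = f'{current_user}-{datetime.now().strftime("%d%m%Y%H%M%S")}'
    new_pc_key = pc_api.access_key_create({"name": keyname, "serviceAccountName": current_user})
    logger.info("setSecret: found this key to disable - %s" % (old_key_id))

    # Re-authenticate with the new key. This validates the new key and avoids
    # disabling the key of the current session, which errors.
    pc_api.token = None
    pc_api.configure({
        "url": console_url,
        "identity": new_pc_key['id'],
        "secret": new_pc_key['secretKey'],
    })
    pc_api.logger = logger

    # Persist the new key before disabling the old one (see docstring).
    logger.info("Setting the current secret in the Key Vault")
    current_secret['PRISMA_CLOUD_USER'] = new_pc_key['id']
    current_secret['PRISMA_CLOUD_PASS'] = new_pc_key['secretKey']
    az_secret_client.set_secret(secret_name, json.dumps(current_secret))

    pc_api.access_key_status_update(old_key_id, 'false')
    logger.info("setSecret: Successfully disabled current key %s." % (old_key_id))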
/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/azure/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | type = string 3 | default = "eastus" 4 | } 5 | 6 | variable "resource_group" { 7 | type = string 8 | default = "key-vault-test8" 9 | description = "Resource group for artifacts" 10 | } 11 | 12 | variable "secret_name" { 13 | type = string 14 | default = "test-secret" 15 | description = "Secret to store - recommend Prisma Cloud Service Account name" 16 | } 17 | 18 | variable "key_vault_name" { 19 | type = string 20 | default = "dschmidtkv0424202412" 21 | description = "Name of key vault to store secrets" 22 | } 23 | 24 | variable "initial_access_key" { 25 | type = string 26 | sensitive = true 27 | } 28 | 29 | variable "initial_secret_key" { 30 | type = string 31 | sensitive = true 32 | } 33 | 34 | variable "prisma_cloud_console_url" { 35 | type = string 36 | } 37 | 38 | variable "rotation_interval" { 39 | type = number 40 | description = "The number of days between automatic scheduled rotations of the secret" 41 | default = 90 42 | 43 | validation { 44 | condition = var.rotation_interval >= 1 && var.rotation_interval <= 365 && floor(var.rotation_interval) == var.rotation_interval 45 | error_message = "Value must be in the range: 1-365" 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/gcp/outputs.tf: -------------------------------------------------------------------------------- 1 | output "pubsub_topic_name" { 2 | description = "Name of the pubsub topic that will handle the key rolling events" 3 | value = google_pubsub_topic.key_rolling_topic.name 4 | } 5 | 6 | output "secret_id" { 7 | description = "Full path to the secret" 8 | value = google_secret_manager_secret.key_rolling_secret.id 9 | } 10 | 
-------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/gcp/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | google = { 4 | source = "hashicorp/google" 5 | version = "5.22.0" 6 | } 7 | } 8 | required_version = ">= 1.3.6" 9 | } 10 | 11 | provider "google" { 12 | project = var.project_id 13 | region = var.region 14 | } 15 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/gcp/resources/requirements.txt: -------------------------------------------------------------------------------- 1 | prismacloud-api 2 | google-cloud-secret-manager==2.10.0 3 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/gcp/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | type = string 3 | default = "us-east1" 4 | } 5 | 6 | variable "project_id" { 7 | type = string 8 | } 9 | 10 | variable "secret_name" { 11 | type = string 12 | description = "Secret to store - recommend Prisma Cloud Service Account name" 13 | } 14 | 15 | variable "initial_access_key" { 16 | type = string 17 | sensitive = true 18 | } 19 | 20 | variable "initial_secret_key" { 21 | type = string 22 | sensitive = true 23 | } 24 | 25 | variable "prisma_cloud_console_url" { 26 | type = string 27 | } 28 | 29 | variable "rotation_interval" { 30 | type = number 31 | description = "The number of days between automatic scheduled rotations of the secret" 32 | default = 90 33 | 34 | validation { 35 | condition = var.rotation_interval >= 1 && var.rotation_interval <= 365 && floor(var.rotation_interval) == var.rotation_interval 36 | error_message = "Value must be in the range: 1-365" 37 | } 38 | } 39 | 40 | 
variable "cloudfunctions2_service_principal" { 41 | type = string 42 | description = "Principal to execute cloud functions (run.invoker) and manage secrets (secretmanager.secretAccessor,secretmanager.secretVersionAdder, secretmanager.secretVersionManager)" 43 | } 44 | 45 | variable "secretsmanager_service_principal" { 46 | type = string 47 | description = "Principal for secrets manager / pubsub interaction" 48 | } 49 | 50 | variable "pubsub_topic_name" { 51 | type = string 52 | default = "prisma-cloud-key-rolling-topic" 53 | description = "Name of the pubsub topic for this solution" 54 | } 55 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/github/README.md: -------------------------------------------------------------------------------- 1 | # GitHub 2 | 3 | Use the following procedure described below to implement rolling a Prisma Cloud Service Account access key with GitHub repository secrets. 4 | 5 | # Solution 6 | ![GitHub Example Solution](../images/access_key_blog-github.png?raw=true "GitHub Example Solution") 7 | 8 | The example key rolling solution will be triggered by a time-based event **(1)** or administrator action **(2)**. The request will be generated by, or sent to a GitHub action **(3)**. The GitHub Action workflow will use the current credentials from the repository secrets **(4)** and use them to make a call to Prisma Cloud to request a new access key **(5)**. The new access key is generated **(6)** and stored back in the repository secrets **(7)**. The new credential is now available for downstream automation processes to consume it **(8)**. 9 | 10 | # Prerequisites 11 | ## Prisma Cloud Service Account 12 | To deploy the sample solution, you will need a valid Service Account and Access Key. See [here](../README.md#prerequisites) for instructions on how to create one if necessary. 
13 | 14 | ## Personal Access Token (PAT) 15 | The solution will require a Personal Access Token, as the workflow will make API calls to GitHub. To create a PAT - follow the instructions [here](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens). Grant the token only the permissions the workflow needs to update this repository's secrets. 16 | 17 | ## Repository Secrets 18 | Create the following repository secrets in the repository that will host the workflow: 19 | - PRISMA_CLOUD_ACCESS_KEY_SECRET_NAME - Secret that stores the name of the secret holding the service account access key ID (e.g. "PRISMA_CLOUD_USER") 20 | - PRISMA_CLOUD_SECRET_KEY_SECRET_NAME - Secret that stores the name of the secret holding the service account secret key (e.g. "PRISMA_CLOUD_PASS") 21 | - PRISMA_CLOUD_USER - Access key ID for the Service Account key (Note that this can have any key name - but it must correspond to the value in PRISMA_CLOUD_ACCESS_KEY_SECRET_NAME) 22 | - PRISMA_CLOUD_PASS - Secret key for the Service Account key (Note that this can have any key name - but it must correspond to the value in PRISMA_CLOUD_SECRET_KEY_SECRET_NAME) 23 | - PRISMA_CLOUD_CONSOLE_URL - Location of the Prisma Cloud console - e.g. "https://api.prismacloud.io" 24 | - PERSONAL_ACCESS_TOKEN - See [Personal Access Token (PAT)] above 25 | 26 | # Deployment 27 | Use the following procedure to deploy the solution: 28 | 29 | 1. Copy key-rolling-action.yml to .github/workflows in your repository 30 | 2. Copy main.py and requirements.txt to the root of your repository 31 | 32 | The workflow is configured to roll the keys on the 15th of every month at 00:00; update the schedule as appropriate. 33 | 34 | # Validating the deployment 35 | Once deployed, you should be able to navigate to Actions within your repository and see the workflow "Roll Prisma Cloud Access Key". 36 | 37 | # Testing / Manually Rolling the key 38 | The workflow will trigger at the predefined time based on the cron schedule; however, a manual trigger was also included. To kick off the workflow: 39 | 1. Navigate to Actions 40 | 2. 
Click on "Roll Prisma Cloud Access Key" workflow 41 | 3. Click "Run workflow" 42 | 4. Click "Run workflow" at the "Use workflow from" dialog 43 | 44 | # Cleanup 45 | To remove the sample solution from your environment: 46 | 1. Delete the file .github/workflows/key-rolling-action.yml 47 | 2. Delete the repository secrets created in [Repository Secrets] 48 | 3. Delete the Service Account and Access Keys from Prisma Cloud - these don't incur cost, but best practice is to remove credentials/accounts you are no longer using 49 | 50 | # Extending the solution 51 | ## Organizational Secrets 52 | Your organization may use a single workflow for Prisma Cloud-related activities, or there may be multiple workflows. If there are multiple, you may have one Service Account or you may have multiple (e.g. one per workflow). The solution provides for management of a repository-level secret, which will handle a single workflow with a single Service Account, or multiple workflows with multiple service accounts. If you wish to use a single service account for multiple workflows - you will most likely want to implement GitHub secrets at the Organization level (see [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization)). The provided solution could be implemented as a workflow to manage Organization secrets but will require a few code updates specifically related to the get_pub_key() and upload_secret() methods, as the URL to the API calls for GitHub will be different. Note that Organization secrets require an upgraded GitHub subscription. 
53 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/github/key-rolling-action.yml: -------------------------------------------------------------------------------- 1 | name: Roll Prisma Cloud Access Key 2 | 3 | on: 4 | schedule: 5 | - cron: '0 0 15 * *' 6 | 7 | workflow_dispatch: 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | - name: Set up Python 3.10 20 | uses: actions/setup-python@v3 21 | with: 22 | python-version: "3.10" 23 | - name: Install dependencies 24 | run: | 25 | python -m pip install --upgrade pip 26 | pip install -r requirements.txt 27 | - name: Roll the access keys 28 | env: 29 | PRISMA_CLOUD_USER: ${{ secrets.PRISMA_CLOUD_USER }} 30 | PRISMA_CLOUD_PASS: ${{ secrets.PRISMA_CLOUD_PASS }} 31 | PRISMA_CLOUD_CONSOLE_URL: ${{ secrets.PRISMA_CLOUD_CONSOLE_URL }} 32 | PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} 33 | OWNER_REPOSITORY: ${{ github.repository }} 34 | PRISMA_CLOUD_ACCESS_KEY_SECRET_NAME: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY_SECRET_NAME }} 35 | PRISMA_CLOUD_SECRET_KEY_SECRET_NAME: ${{ secrets.PRISMA_CLOUD_SECRET_KEY_SECRET_NAME }} 36 | run: | 37 | python main.py 38 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/github/requirements.txt: -------------------------------------------------------------------------------- 1 | pynacl 2 | requests 3 | prismacloud-api 4 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-aws.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-aws.png -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-azure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-azure.png -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-gcp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-gcp.png -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-general.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-general.png -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-github.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/labs/access-key-rolling-blog/images/access_key_blog-github.png -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/0a_aporeto_config: -------------------------------------------------------------------------------- 1 | 2 | APORETO_CHILD_NAMESPACE=on-prem-vm 3 | 4 | APORETO_GRANDCHILD_NAMESPACE=vm 5 | APORETO_GRANDCHILD_NAMESPACE2=k8s 6 | 7 | PRISMA_APP_STACK="app" 8 | 9 | PROFILE_MINUTES=5 10 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/0b_aporeto_vm_prep.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #for an ubuntu vm 4 | 5 | 6 | sudo systemctl disable ufw 7 | sudo systemctl stop ufw 8 | sudo systemctl disable iptables 9 | sudo systemctl stop iptables 10 | sudo systemctl disable firewalld 11 | sudo systemctl stop firewalld 12 | 13 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/1_aporeto_install_apoctl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Requires jq to be installed 3 | # Author Kyle Butler & Goran Bogojevic 4 | 5 | 6 | source ./0a_aporeto_config 7 | 8 | sudo curl -o /usr/local/bin/apoctl \ 9 | --url https://download.aporeto.com/prismacloud/$PRISMA_APP_STACK/apoctl/linux/apoctl \ 10 | && sudo chmod 755 /usr/local/bin/apoctl 11 | 12 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/2_aporeto_generate_cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Requires jq to be installed 3 | # Author Kyle 
Butler & Goran Bogojevic 4 | 5 | 6 | source ./secrets/aporeto_admin_app_credentials 7 | source ./secrets/secrets 8 | 9 | 10 | printf %s $APORETO_CREDENTIALS | jq -r '.certificateKey'| base64 -d > ./secrets/aporeto.pem 11 | printf %s $APORETO_CREDENTIALS | jq -r '.certificate'| base64 -d >> ./secrets/aporeto.pem 12 | 13 | 14 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/3_aporeto_configure_apoctl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Requires jq to be installed 3 | # Author Kyle Butler & Goran Bogojevic 4 | 5 | source ./secrets/aporeto_admin_app_credentials 6 | 7 | APORETO_PARENT_NAMESPACE=$(printf %s $APORETO_CREDENTIALS | jq -r '.namespace') 8 | APORETO_APIURL=$(printf %s $APORETO_CREDENTIALS | jq -r '.APIURL') 9 | 10 | APORETO_TOKEN=$(curl --url $APORETO_APIURL/issue \ 11 | --request POST \ 12 | -E "./secrets/aporeto.pem" \ 13 | --header 'Content-Type: application/json' \ 14 | --data '{"realm": "Certificate"}' | jq -r '.token') 15 | 16 | apoctl configure -A "$APORETO_APIURL" -n "$APORETO_PARENT_NAMESPACE" -t "$APORETO_TOKEN" --force 17 | 18 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/labs/microseg-lab/4a_aporeto_create_child_namespace.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source ./0a_aporeto_config 4 | source ./secrets/aporeto_admin_app_credentials 5 | source ./secrets/secrets 6 | 7 | APORETO_CHILD_NAMESPACE=$APP_CHILD_NS 8 | 9 | 10 | 11 | 12 | APORETO_PARENT_NAMESPACE=$(printf %s $APORETO_CREDENTIALS | jq -r '.namespace') 13 | APORETO_APIURL=$(printf %s $APORETO_CREDENTIALS | jq -r '.APIURL') 14 | 15 | APORETO_TOKEN=$(curl --url $APORETO_APIURL/issue \ 16 | --request POST \ 17 | -E "./secrets/aporeto.pem" \ 18 | --header 'Content-Type: application/json' \ 19 | --data 
'{"realm": "Certificate"}' | jq -r '.token') 20 | 21 | cat < Projects and select the secret-repo project. 26 | 6. Locate the Relative path field. The value is similar to: 27 | ``` 28 | "@hashed/b1/7e/b17ef6d19c7a5b1ee83b907c595526dcb1eb06db8227d650d5dda0a9f4ce8cd9.git" 29 | ``` 30 | 7. Copy this for use later 31 | 32 | ## Configure pre-receive Hooks 33 | 1. SSH into the GitLab CE Instance 34 | 2. Install python, pip, and checkov as root 35 | ``` 36 | sudo apt-get update 37 | sudo apt-get install pip 38 | sudo pip install checkov 39 | ``` 40 | 3. Create a directory for the pre-receive hook, a file for the pre-receive hook, and copy the pre-receive hook code sample 41 | ``` 42 | mkdir custom_hooks 43 | touch ./custom_hooks/pre-receive 44 | chmod +x ./custom_hooks/pre-receive 45 | ``` 46 | 5. Copy the code from the [Prisma Cloud pre-receive sample](https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/get-started/add-pre-receive-hooks#pre-receive-hook-script) 47 | 6. Edit the script and provide your API Keys and Prisma Cloud URL. Update the lines in the sample code with the lines below 48 | ``` 49 | REPO_ID=$GL_PROJECT_PATH 50 | 51 | CHECKOV_COMMAND='/usr/local/bin/checkov -d' 52 | 53 | # cleanup 54 | echo "GL-HOOK-ERR: Your code contains secrets. Exit code: ${exit_code}" >&2 55 | ``` 56 | 8. Update the commands below with the GitLab project relative path and run the commands to register a pre-receive hook 57 | ``` 58 | tar -cf custom_hooks.tar custom_hooks 59 | cat custom_hooks.tar | sudo /opt/gitlab/embedded/bin/gitaly hooks set --storage default --repository {gitlab-repo-relative-path} --config /var/opt/gitlab/gitaly/config.toml 60 | ``` 61 | 62 | ## Test the pre-receive hook 63 | 1. In your secret-repo create a file called keys 64 | 2. 
Paste the code below and click on commit 65 | ``` 66 | "AWS-AAKI": { 67 | "positive": { 68 | "aaki1": "AKIAYPDIK3OCOFEZAOQQ AWS Key", 69 | "aaki2": "Access Key ID 022QF06E7MXBSH9DHM02", 70 | "aaki3": "022QF06E7MXBSH9DHM02 Key ID", 71 | "aaki4": "Amazon Web Services 022QF06E7MXBSH9DHM02" 72 | } 73 | } 74 | ``` 75 | 3. You should get the error message: Your code contains secrets Exit code:1. 76 | Note: An exit code of 127 means checkov was not found / not installed correctly. 77 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/new_tenants/images/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /panw-partner-wiki-main/contents/new_tenants/images/default-policies.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/panw-partner-wiki-main/contents/new_tenants/images/default-policies.jpg -------------------------------------------------------------------------------- /pca/README.md: -------------------------------------------------------------------------------- 1 | # pcee_lunchbox_pov_api_cspm 2 | Creates the report needed to pull high level KPIs from the Prisma Cloud Enterprise Edition Console 3 | 4 | # Last confirmed working 10.05.2021 5 | 6 | # Assumptions 7 | 8 | * You're using PRISMA CLOUD ENTERPRISE EDTION 9 | * You're using an OS that supports Bash, such as Linux or Mac OS to run this from 10 | * You understand how to harden this script for production environments 11 | 12 | * The biggest suggestion here is to not save the script with your secret key and access key in it. A better way to do this might be to have a seperate script which exports those credentials as environment variables. 
My goal with this script is to simplify the process for those who are learning to work with the Prisma Cloud Enterprise Edition API. 13 | 14 | * To simplify, we've provided the instructions to export the secret and access key as env variables. 15 | 16 | * If you decide to keep the keys in this script, then it's critical you: 17 | 18 | * Add it to your `.gitignore` (if using git) file and `chmod 700 lunchbox_report.sh` between steps 3 and 4 so that others can't read, write, or execute it. 19 | 20 | # Instructions 21 | 22 | Step 1: Install jq: https://stedolan.github.io/jq/download/: 23 | 24 | * debian/ubuntu `sudo apt-get install jq` 25 | * macOS `sudo brew install jq` 26 | * RHEL `sudo yum install jq` 27 | 28 | Step 2: `git clone https://github.com/PaloAltoNetworks/prisma_channel_resources` 29 | Step 3: `cd prisma_channel_resources/pca` 30 | Step 4: Export the following variables directly in your terminal/shell by replacing the values between the `"<>"` with the correct data from your console. Enter the below commands in your shell prior to running the script. 31 | 32 | NOTE: API URLs can be found here: https://prisma.pan.dev/api/cloud/api-urls & Access Key info is found in the Console under Settings > Access Keys (add new key if needed). 33 | 34 | ``` 35 | export API_URL="" 36 | export ACCESS_KEY="" 37 | export SECRET_KEY="" 38 | ``` 39 | _note: the exported values will show up in your .bash_history if history is turned on_ 40 | 41 | 42 | Step 5: `bash lunchbox_report.sh` 43 | Step 6: `ls` to see your report or go through the GUI to access the directory and open in excel/sheets. 44 | 45 | _note: this was made for a prisma cloud assessment report, you may need to adjust the time variables in the script (`TIMEUNIT` and `TIMEAMOUNT`) if working with an existing customer.
By default it will pull the last 1 month's worth of data_ 46 | 47 | # Links to reference 48 | 49 | * [Official JQ Documentation](https://stedolan.github.io/jq/manual/) 50 | * [Exporting variables for API Calls and why I choose bash](https://apiacademy.co/2019/10/devops-rest-api-execution-through-bash-shell-scripting/) 51 | * [PAN development site](https://prisma.pan.dev/) 52 | -------------------------------------------------------------------------------- /powershell_toolbox/add_user.ps1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env pwsh 2 | <# 3 | Written by Kyle Butler 4 | 5 | Tested with Powershell version 7.2.1 6 | 7 | This script will add a user programmatically to the Prisma Cloud Enterprise edition of the console. 8 | 9 | In order to run it you must first create a set of access keys in the Prisma Cloud Console. 10 | 11 | You'll need to download them as a csv. In the third row of the sheet in the second column add the API url which corresponds to the app url for prisma cloud. 12 | See this page for documentation https://prisma.pan.dev/api/cloud/api-urls 13 | 14 | If you're using the compute functionality in the Enterprise edition, copy the access key and paste it in cell B4 and the 15 | secret key to cell B5 in the csv. You'll also need to copy the Compute API url from the console under: Compute > Manage > System > Utilities > Path to console and place the URL in cell B6 16 | For documentation on where to find this URL see this page https://prisma.pan.dev/api/cloud/cwpp/how-to-eval-console 17 | 18 | If you're using the self-hosted edition, create a user in the console and place the username in cell B4 and the password in B5. Copy and paste the URL to the self-hosted edition of the platform 19 | along with the port and paste it in cell B6. 20 | 21 | Last, assign the variables under the USER CONFIG section below. 22 | #> 23 | 24 | # USER CONFIG SECTION 25 | 26 | # directory path to the access_key/secret_key csv. 
$PATH_TO_ACCESSKEY_FILE = "C:\DIR\PATH\TO\example_access_key_file.csv"


# The user to create. $PC_USER_ROLE is matched against the role names returned by /user/role
# with -eq, which is case-insensitive in PowerShell.
$PC_USER_FIRSTNAME = ""
$PC_USER_LASTNAME = ""
$PC_USER_ROLE = ""
$PC_USER_EMAIL = ""
$PC_USER_TIMEZONE = "America/New_York"
$PC_USER_KEY_EXPIRATION_DATE = "0"
# NOTE(review): $PC_USER_ACCESSKEY_ALLOW and $PC_USER_KEY_EXPIRATION are sent to the API as the
# strings "true"/"false", not JSON booleans - confirm the /v2/user endpoint accepts that.
$PC_USER_ACCESSKEY_ALLOW = "true"

$PC_USER_KEY_EXPIRATION = "false"


# END OF USER CONFIG SECTION

# Allows for self signed certs.
# NOTE(review): this disables certificate validation for every HTTPS call made by this process, so the
# access key, secret key and JWT below are sent without verifying who answers at $PC_APIURL; keep it
# only for lab consoles that really use a self-signed certificate.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# default powershell uses tls 1.0. This forces tls 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$PC_USERNAME = "$PC_USER_EMAIL"
$PC_USER_ACCESSKEY_NAME = "$PC_USER_FIRSTNAME accesskey"

# Reads the access_key/secret_key csv file and pulls the values from the second column of the table/sheet.
# Assumes the row order of secrets/example_access_key_file.csv (one value per row, no quoted commas).
$KEY_ARRAY = foreach($line in [System.IO.File]::ReadLines("$PATH_TO_ACCESSKEY_FILE")){
    $line.Split(",")[1]
}

$PC_ACCESSKEY = $KEY_ARRAY[0]
$PC_SECRETKEY = $KEY_ARRAY[1]
$PC_APIURL = $KEY_ARRAY[2]
# $TL_USER, $TL_PASSWORD and $TL_CONSOLE are read here but not used by this script.
$TL_USER = $KEY_ARRAY[3]
$TL_PASSWORD = $KEY_ARRAY[4]
$TL_CONSOLE = $KEY_ARRAY[5]


# /login request body: the access key / secret key pair is exchanged for a JWT.
$AUTH_PAYLOAD = @{
    "username" = "$PC_ACCESSKEY"
    "password" = "$PC_SECRETKEY"
}

$AUTH_PAYLOAD = $AUTH_PAYLOAD | ConvertTo-Json

$PC_AUTH_RESPONSE = Invoke-RestMethod `
    -Uri $("$PC_APIURL" + "/login") `
    -body $AUTH_PAYLOAD `
    -Method POST `
    -Headers @{"Content-Type" = "application/json"}

# JWT from /login; sent on every later call in the x-redlock-auth header.
$PC_JWT = $PC_AUTH_RESPONSE.token

$PC_AUTH_HEADERS = @{
    "x-redlock-auth" = "$PC_JWT"
    "Content-Type" = "application/json"
}

# Looks up the id of the role named $PC_USER_ROLE. If no role matches, $PC_USER_ROLE_ID_AND_NAME is
# empty and so is the role id placed in the user payload that follows.
$PC_USER_ROLES = Invoke-RestMethod `
    -Uri $("$PC_APIURL" + "/user/role") `
    -Headers $PC_AUTH_HEADERS

$PC_USER_ROLE_ID_AND_NAME = $PC_USER_ROLES | Select-Object id,name | Where-Object {$_.name -eq "$PC_USER_ROLE"}

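$PC_USER_ROLE_ID = $PC_USER_ROLE_ID_AND_NAME.id

# Stop here if the role lookup found nothing, rather than posting a user with an empty role id.
if (-not $PC_USER_ROLE_ID) {
    throw "No Prisma Cloud role named '$PC_USER_ROLE' was found; check PC_USER_ROLE in the USER CONFIG section."
}

# Request body for POST /v2/user. accessKeyName uses $PC_USER_ACCESSKEY_NAME, the name built from the
# first name in the USER CONFIG section.
# NOTE(review): accessKeysAllowed and enableKeyExpiration are sent as the strings "true"/"false" rather
# than JSON booleans - confirm the endpoint accepts that.
$PC_ROLE_PAYLOAD = @{
    "accessKeyExpiration" = "$PC_USER_KEY_EXPIRATION_DATE"
    "accessKeyName" = "$PC_USER_ACCESSKEY_NAME"
    "accessKeysAllowed"= "$PC_USER_ACCESSKEY_ALLOW"
    "defaultRoleId" = "$PC_USER_ROLE_ID"
    "email" = "$PC_USER_EMAIL"
    "enableKeyExpiration" = "$PC_USER_KEY_EXPIRATION"
    "firstName" = "$PC_USER_FIRSTNAME"
    "lastName" = "$PC_USER_LASTNAME"
    "roleIds" = @(
        "$PC_USER_ROLE_ID"
    )
    "timeZone" = "$PC_USER_TIMEZONE"
    "type" = "USER_ACCOUNT"
    "username" = "$PC_USERNAME"
}

$PC_ROLE_PAYLOAD = $PC_ROLE_PAYLOAD | ConvertTo-Json -Depth 99

# Creates the user; the JWT from /login is carried in $PC_AUTH_HEADERS.
Invoke-RestMethod `
    -uri $("$PC_APIURL" + "/v2/user") `
    -Headers $PC_AUTH_HEADERS `
    -Body $PC_ROLE_PAYLOAD `
    -Method POST


--------------------------------------------------------------------------------
/powershell_toolbox/compliance_alert_summary_by_section.ps1:
--------------------------------------------------------------------------------
#!/usr/bin/env pwsh
<#
Written by Kyle Butler

Tested with Powershell version 7.2.1

This script will pull all the compliance sections from the framework assigned to the $COMPLIANCE_NAME variable and report back how many resources are passing and failing under each
underlying section of the compliance/security framework.

In order to run it you must first create a set of access keys in the Prisma Cloud Console.

You'll need to download them as a csv. In the third row of the sheet in the second column add the API url which corresponds to the app url for prisma cloud.
See this page for documentation https://prisma.pan.dev/api/cloud/api-urls

If you're using the compute functionality in the Enterprise edition, copy the access key and paste it in cell B4 and the
secret key to cell B5 in the csv. 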
You'll also need to copy the Compute API url from the console under: Compute > Manage > System > Utilities > Path to console and place the URL in cell B6
For documentation on where to find this URL see this page https://prisma.pan.dev/api/cloud/cwpp/how-to-eval-console

If you're using the self-hosted edition, create a user in the console and place the username in cell B4 and the password in B5. Copy and paste the URL to the self-hosted edition of the platform
along with the port and paste it in cell B6.

Last, assign the variables under the USER CONFIG section below.
#>

# USER CONFIG SECTION

# directory path to the access_key/secret_key csv.
$PATH_TO_ACCESSKEY_FILE = "C:\DIR\PATH\TO\example_access_key_file.csv"
# Compliance framework name, matched against the names returned by /compliance with -eq (case-insensitive),
# and the relative time window passed to /compliance/posture.
$COMPLIANCE_NAME = "PCI DSS v3.2.1"
$TIME_TYPE = "relative"
$TIME_AMOUNT = "1"
$TIME_UNIT = "month"


# END OF USER CONFIG SECTION

# allows for self-signed certs
# NOTE(review): this disables certificate validation for every HTTPS call made by this process, so the
# access key, secret key and JWT are sent without verifying who answers at $PC_APIURL; keep it only for
# lab consoles that really use a self-signed certificate.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# default powershell uses tls version 1.0 this forces tls 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


# Reads the access_key/secret_key csv file and pulls the values from the second column of the table/sheet.
# Assumes the row order of secrets/example_access_key_file.csv (one value per row, no quoted commas).
$KEY_ARRAY = foreach($line in [System.IO.File]::ReadLines("$PATH_TO_ACCESSKEY_FILE")){
    $line.Split(",")[1]
}

$PC_ACCESSKEY = $KEY_ARRAY[0]
$PC_SECRETKEY = $KEY_ARRAY[1]
$PC_APIURL = $KEY_ARRAY[2]
# $TL_USER, $TL_PASSWORD and $TL_CONSOLE are read here but not used by this script.
$TL_USER = $KEY_ARRAY[3]
$TL_PASSWORD = $KEY_ARRAY[4]
$TL_CONSOLE = $KEY_ARRAY[5]


# /login request body: the access key / secret key pair is exchanged for a JWT.
$AUTH_PAYLOAD = @{
    "username" = "$PC_ACCESSKEY"
    "password" = "$PC_SECRETKEY"
}

$AUTH_PAYLOAD = $AUTH_PAYLOAD | ConvertTo-Json

$PC_AUTH_RESPONSE = Invoke-RestMethod `
    -Uri $("$PC_APIURL" + "/login") `
    -body $AUTH_PAYLOAD `
    -Method POST `
    -Headers 
@{"Content-Type" = "application/json"} 69 | 70 | $PC_JWT = $PC_AUTH_RESPONSE.token 71 | 72 | $PC_AUTH_HEADERS = @{ 73 | "x-redlock-auth" = "$PC_JWT" 74 | "Content-Type" = "application/json" 75 | } 76 | 77 | $COMPLIANCE_IDS = Invoke-RestMethod ` 78 | -Uri $("$PC_APIURL" + "/compliance") ` 79 | -Headers $PC_AUTH_HEADERS ` 80 | -Method GET 81 | 82 | $FILTERED_COMPLIANCE_ID_AND_NAME = $COMPLIANCE_IDS | select-object id,name | where-object {$_.name -eq "$COMPLIANCE_NAME"} 83 | 84 | $FILTERED_COMPLIANCE_ID = $FILTERED_COMPLIANCE_ID_AND_NAME.id 85 | 86 | $REQUIREMENT_IDS = Invoke-RestMethod ` 87 | -Uri $("$PC_APIURL" + "/compliance/" + "$FILTERED_COMPLIANCE_ID" + "/requirement") ` 88 | -Headers $PC_AUTH_HEADERS ` 89 | -Method GET 90 | 91 | 92 | $REQUIREMENT_ID_ARRAY = $REQUIREMENT_IDS.id 93 | 94 | foreach($REQUIREMENT_ID in $REQUIREMENT_ID_ARRAY){ 95 | Invoke-RestMethod ` 96 | -Uri $("$PC_APIURL" + "/compliance/posture/" + "$FILTERED_COMPLIANCE_ID" + "/" + "$REQUIREMENT_ID" + "?timeType=" + "$TIME_TYPE" + "&timeAmount=" + "$TIME_AMOUNT" + "&timeUnit=" + "$TIME_UNIT") ` 97 | -Headers $PC_AUTH_HEADERS ` 98 | -Method GET 99 | } 100 | 101 | -------------------------------------------------------------------------------- /powershell_toolbox/secrets/example_access_key_file.csv: -------------------------------------------------------------------------------- 1 | Access Key ID, 2 | Secret Key, 3 | PC_API_URL, 4 | TL_USERNAME, 5 | TL_PASSWORD, 6 | TL_API_URL, 7 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/.gitignore: -------------------------------------------------------------------------------- 1 | temp/ 2 | secrets/ 3 | reports/ 4 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Kyle Butler 4 | 5 | Permission is hereby 
granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/README.md: -------------------------------------------------------------------------------- 1 | # Prisma Bash Tool Box 2 | [![CodeFactor](https://www.codefactor.io/repository/github/kyle9021/prisma_channel_resources/badge)](https://www.codefactor.io/repository/github/kyle9021/prisma_channel_resources) 3 | 4 | 5 | ## A collection of bash scripts/tools to assist engineers with the day-to-day maintenance and reporting for Prisma Cloud. 6 | 7 | Disclaimer: 8 | 9 | This is a community toolkit and IS NOT supported nor maintained by Palo Alto Networks. Please review license before using. 10 | 11 | 12 | ## Requirements: 13 | 14 | * Linux/Unix shell. All instructions will be written for a debian/ubuntu distro. 
15 | * Jq 16 | 17 | ## How to use: 18 | 19 | * install jq - for ubuntu: `sudo apt-get install jq` 20 | * install jq - for RHEL: 21 | ```bash 22 | sudo yum install epel-release -y 23 | sudo yum update 24 | sudo yum install jq 25 | ``` 26 | * clone the repo `git clone https://github.com/PaloAltoNetworks/prisma_channel_resources` 27 | * `cd ./prisma_channel_resources/prisma_bash_toolbox-main/` 28 | * `bash ./setup.sh` 29 | * edit the script you want to run, then `bash ./<script>.sh`, or `chmod a+x ./<script>.sh` and run it by entering `./<script>.sh` 30 | 31 | Each script has its own set of variables, which need to be assigned before you run it. 32 | 33 | * edit the script you'd like to run (for self-hosted versions ensure that `curl` is run with `-k` if using the default deployment method; `-k` disables certificate verification, so use it only with the default self-signed certificate) 34 | * run! modify enjoy! 35 | 36 | # Security recommendations 37 | 38 | * Use a strong password for the user account and set restrictive permissions on the `./secrets/secrets` file, e.g. `chmod 700 ./secrets/secrets` (the file is only sourced by the scripts, so `chmod 600` is enough). 39 | 40 | # Errors, debugging, and known gotchas 41 | 42 | * Debugging the scripts. To see the response code, add `-v` to any `curl` command in the script. Note that `-v` also prints the request headers, including the auth token, so don't paste that output anywhere shared. 43 | 44 | 45 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/account_group_risk_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Requires jq to be installed 3 | # Author Kyle Butler 4 | # Creates a Risk report in the Prisma Cloud Console and selects the cloud accounts associated with the account group for a specific $CLOUD_TYPE (aws, gcp, azure, oci, alibaba) 5 | # Recommending that once it's created you edit the report and look over the time zones and frequency. I've defaulted this to US East time. This can be changed after the report is created in the console. 
6 | # Solves the issue of filters applying when creating the report 7 | 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | #################################################################-USER CONFIG-##################################################### 12 | 13 | REPORT_NAME="" 14 | 15 | # 1-24 corresponds to the hour of day to send report. US East timezone. Example below is 7 AM ET 16 | HOUR_ET="7" 17 | MINUTE_ET="0" 18 | 19 | # Pick day(s) to send report. For monday and tuesday the value should be "MO,TU" etc. Available options: "MO,SU,TU,WE,TH,FR,SA" 20 | REPORT_DAY="MO" 21 | 22 | # gcp, aws, azure, oci, or alibaba_cloud 23 | CLOUD_TYPE="aws" 24 | 25 | # account group name exactly as it appears in the Prisma Console 26 | ACCOUNT_GROUP_FOR_REPORT="" 27 | 28 | # Put a space between each email address and wrap each email address in quotes. Example ( "email1@email.com" "email2@email.com") 29 | EMAIL_ARRAY=( "" "") 30 | 31 | ##############################################################-END OF USER CONFIG-################################################## 32 | 33 | REPORT_START_DATE=$(date +%Y%m01T000000) 34 | 35 | 36 | AUTH_PAYLOAD=$(cat < Accesskeys 9 | 10 | 11 | source ./secrets/secrets 12 | source ./func/func.sh 13 | 14 | 15 | DISMISS_NOTE="dismissal note here" # your custom note to dismiss 16 | ALERT_ID="2378dbf4-b104-4bda-9b05-7417affbba3f" # alert ID 17 | POLICY_NAME="AWS Default Security Group does not restrict all traffic" # policy name 18 | TIMEUNIT="year" # minute, hour, day, week, month, year 19 | TIMEAMOUNT="1" # integer value 20 | 21 | ### NO EDITS BELOW 22 | 23 | pce-var-check 24 | 25 | AUTH_PAYLOAD=$(cat <&2 15 | exit 1 16 | fi 17 | } 18 | 19 | pce-var-check 20 | 21 | AUTH_PAYLOAD=$(cat < ./policy_temp.json 53 | 54 | REPORT_LOCATION="./reports/alert_rule_policy_report.csv" 55 | 56 | printf '%s' "$ALERT_RULE_RESPONSE" | jq '[.[] |{name: .name, enabled: .enabled, policies: .policies[]}] | map({name, enabled, policies, policyName: 
(.policies as $policyId | $policydata |..|select(.name? and .policyId==$policyId))})' --slurpfile policydata ./policy_temp.json \ 57 | | jq '[.[] |{name: .name, enabled: .enabled, policyId: .policies, policyName: .policyName.name}]' \ 58 | | jq -r 'map({name, enabled, policyId, policyName}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' > "$REPORT_LOCATION" 59 | 60 | printf '\n\n%s\n%s\n\n' "All done! Your report is in the ./reports directory saved as: alert_rule_policy_report.csv" \ 61 | "You are welcome to delete the policy_temp.json file if you'd like." 62 | 63 | exit 64 | 65 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/alerts_which_can_be_fixed_through_iac_policy.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | #------------------------------------------------------------------------------------------------------------------# 3 | # Written By Kyle Butler 4 | # 5 | # REQUIREMENTS: 6 | # Requires jq to be installed: 'sudo apt-get install jq' 7 | 8 | 9 | ### NO USER CONFIG REQUIRED 10 | 11 | # SCRIPT WILL REPORT HOW MANY OPEN ALERTS COULD BE RESOLVED BY USING PRISMA CODE SECURITY BUILD POLICIES 12 | # IT TAKES A WHILE TO RUN, expect to leave running for 10 mins. 
13 | 14 | source ./secrets/secrets 15 | source ./func/func.sh 16 | 17 | 18 | 19 | 20 | #### NO EDITS NEEDED BELOW 21 | pce-var-check 22 | 23 | AUTH_PAYLOAD=$(cat < ./temp/"$(printf '%05d' "$policy")".json & 60 | done 61 | wait 62 | 63 | cat ./temp/*.json | jq '.[] | {policyName: .policy.name, numberOfAlerts: .alertCount} ' | jq -r -n '[inputs] | map({policyName, numberOfAlerts}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' > ./reports/"alerts_able_to_be_remediated_by_code_security_$REPORT_DATE.csv" 64 | 65 | 66 | { 67 | rm -rf ./temp/*.json 68 | } 69 | 70 | 71 | printf '\n%s\n' "Process completed! The number of alerts which could be remediated using code security is in a report in the ./reports directory named: alerts_able_to_be_remediated_by_code_security_$REPORT_DATE.csv" 72 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/automated_vs_manual_events_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Written by Kyle Butler 3 | # Shows how many events are performed by a user vs automation task 4 | 5 | # choose aws, azure, gcp, oci....capitilization matters 6 | CLOUD_TYPE="aws" 7 | # choose hour, day, month, year 8 | TIME_UNIT="hour" 9 | # choose integer amount 10 | TIME_AMOUNT="24" 11 | 12 | 13 | 14 | ########### END OF USER CONFIG ############################ 15 | 16 | 17 | source ./secrets/secrets 18 | source ./func/func.sh 19 | pce-var-check 20 | 21 | AUTH_PAYLOAD=$(cat < unprotected.json 6 | 7 | source ./secrets/secrets 8 | source ./func/func.sh 9 | 10 | # Directory path to fargate task 11 | FARGATE_TASK_LOCATION="./unprotected.json" 12 | 13 | # What you want the new task to be named and where you want it go. 
14 | PROTECTED_DEFINITION_OUTPUT="./protected.json" 15 | 16 | # Not user defined 17 | 18 | tl-var-check 19 | 20 | HOSTNAME_FOR_CONSOLE=$(printf %s $TL_CONSOLE | awk -F / '{print $3}' | sed s/':\S*'//g) 21 | 22 | # -k will need to be added for the self hosted vesion if using the default deploy method with a self-signed cert. 23 | 24 | curl --url "$TL_CONSOLE/api/v1/defenders/fargate.json?consoleaddr=$HOSTNAME_FOR_CONSOLE&defenderType=appEmbedded" \ 25 | -u $TL_USER:$TL_PASSWORD \ 26 | -H 'Content-Type: application/json' \ 27 | -X POST \ 28 | --data-binary "@$FARGATE_TASK_LOCATION" \ 29 | --output $PROTECTED_DEFINITION_OUTPUT 30 | 31 | quick_check "/api/v1/defenders/fargate.json?consoleaddr=$HOSTNAME_FOR_CONSOLE&defenderType=appEmbedded" 32 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/ci_host_image_scan.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Author Kyle Butler 3 | # For CI pipeline 4 | # Scans VM Image as it's being built using something like packer 5 | # Ideally done before using the image in production 6 | # Add twistcli to runner prior to executing script 7 | 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | tl-var-check 12 | # must be run as root user 13 | ./twistcli hosts scan --address $TL_CONSOLE -u $TL_USER -p $TL_PASSWORD --details --skip-docker 14 | 15 | exit 16 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/ci_k8s_manifest_container_scan.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Author Kyle Butler 3 | # For CI pipeline 4 | # Scan all the container images in a k8s manifest prior to deployment 5 | # Add twistcli and bash to runner prior to executing script 6 | 7 | source ./secrets/secrets 8 | source ./func/func.sh 9 | 10 | K8S_MANIFEST_LOCATION="./dir/path/to/manifest.yml" 
11 | 12 | 13 | tl-var-check 14 | declare -a IMAGE_ARRAY=($(cat $K8S_MANIFEST_LOCATION | awk -F "image:" '/image/ {print $2}')) 15 | 16 | # docker login may be required if using a private container registry 17 | 18 | for i in ${IMAGE_ARRAY[@]}; do 19 | # podman pull $i if using podman 20 | docker pull $i 21 | # ./twistcli images scan --podman or --podman-path PATH depending on install --address $TL_CONSOLE -u $TL_USER -p $TL_PASSWORD --details $i 22 | ./twistcli images scan --address $TL_CONSOLE -u $TL_USER -p $TL_PASSWORD --details $i 23 | done 24 | 25 | exit 26 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/ci_local_repository_vulnerability_scan.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Written by Kyle Butler 3 | # Scans a local repository for vulnerabilities in the application dependencies and provides other useful information. 4 | # For use during CI 5 | 6 | 7 | source ./secrets/secrets 8 | source ./func/func.sh 9 | 10 | tl-var-check 11 | # The name of the repository. Usually sourced from the ENV VARS available to the runner. Ultimately, this name will be the one that shows up in the Prisma Compute Console 12 | CI_REPO_NAME="" 13 | 14 | twistcli coderepo scan --address $TL_CONSOLE -u $TL_USER -p $TL_PASSWORD $PWD/ --details --repository $CI_REPO_NAME 15 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/ci_retrieve_twistcli.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # author Kyle Butler 3 | # for CI 4 | # downloads the twistcli tool from the Prisma Cloud Compute side of the console. 
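

source ./secrets/secrets
source ./func/func.sh


tl-var-check

# Downloads the twistcli binary from the Compute console with HTTP basic auth.
# NOTE(review): the base64 credentials end up in wget's argv, so they are visible in the process list
# while the download runs; on shared runners prefer a netrc file over an inline header.
wget --header "Authorization: Basic $(printf '%s' "$TL_USER:$TL_PASSWORD" | base64 | tr -d '\n')" "$TL_CONSOLE/api/v1/util/twistcli"

quick_check "/api/v1/util/twistcli"

# The binary is made executable with no integrity check beyond quick_check's result, so the TLS
# connection to $TL_CONSOLE is the only thing vouching for what was downloaded.
chmod a+x ./twistcli

exit
--------------------------------------------------------------------------------
/prisma_bash_toolbox-main/ci_serverless_function_scan.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Written by Kyle Butler
# Use to surface the apis and permissions for serverless functions during CI. Recommending to use the ci_local_repository_vulnerability_scan.sh script along with this one to get vulnerability information about the workload.
# ZIPS ALL THE FILES IN THE CURRENT WORKING DIRECTORY TO SCAN will output a temp zip file.

# Can use ENV VAR available to the runner to populate this value
FUNCTION_NAME="CODE_REPO"

# Location and name for the temp.zip file that's created prior to the scan
TEMP_ZIP_NAME="./temp.zip"


source ./secrets/secrets
source ./func/func.sh


tl-var-check
# Checks to ensure zip is installed and available to the runner
if ! type "zip" > /dev/null; then
    echo "zip not installed or not in execution path, zip is required for this script; please add zip to the runner prior to executing this script in the workflow";
    exit 1;
fi


# Zips all files in the current working directory, except the secrets directory this script sources
# from: without the exclusion ./secrets/secrets (console user and password) would be packed into the
# archive that is uploaded to the console for scanning.
zip -r "$TEMP_ZIP_NAME" . -x 'secrets/*'

# Scans the serverless function files and will return the vulnerabilities, config, and api's. see ./twistcli --help for more options. 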
29 | twistcli serverless scan --address $TL_CONSOLE -u $TL_USER -p $TL_PASSWORD --details --function $FUNCTION_NAME --output-used-apis $TEMP_ZIP_NAME 30 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/cloud_discovery_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Steve Brown ([stebrown@paloaltonetworks.com](mailto:stebrown@paloaltonetworks.com)) 4 | # Cloud Discovery Report 1/12/23 5 | # Community work product, not supported nor maintained by Palo Alto Networks. 6 | # Ensure that $TL_USER, $TL_PASSWORD, and $TL_CONSOLE variables are assigned in ./secrets/secrets file. 7 | 8 | 9 | source ./secrets/secrets 10 | 11 | REPORT_DATE=$(date +%m_%d_%y) 12 | 13 | # Authenticate with Prisma Cloud to retrieve access token 14 | 15 | AUTH_PAYLOAD=$(cat < "$CLOUD_DISCOVERY_REPORT_LOCATION" 37 | 38 | 39 | # Print output filename and location 40 | 41 | printf '\n%s\n\n' "All done! 
Your report is saved as: ./reports/cloud_discovery_report_$REPORT_DATE.csv"
--------------------------------------------------------------------------------
/prisma_bash_toolbox-main/compliance_alert_summary_by_section.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#------------------------------------------------------------------------------------------------------------------#
# Written By Kyle Butler
#
# REQUIREMENTS:
# Requires jq to be installed: 'sudo apt-get install jq'
#
# SET-UP:
# Create Access Key and Secret Key in the Prisma Cloud Console
# Access keys and Secret keys are created in the Prisma Cloud Console under: Settings > Access Keys
# Find the Prisma Cloud Enterprise Edition API URL specific to your deployment: https://prisma.pan.dev/api/cloud/api-url
#
# For every requirement of the compliance framework named in COMPLIANCE_NAME, appends one CSV row per
# section (passed/failed resource counts) to $REPORT_LOCATION.


source ./secrets/secrets
source ./func/func.sh



COMPLIANCE_NAME="PCI DSS v3.2.1"
TIME_TYPE="relative"
TIME_AMOUNT="1"
TIME_UNIT="month"



#### NO EDITS BELOW

pce-var-check


AUTH_PAYLOAD=$(cat < "$REPORT_LOCATION"

# NOTE(review): the braces around $COMPLIANCE_ID and $REQUIREMENT_ID are literal characters here (they
# sit inside double quotes, not a ${...} expansion), so the URL is built as /compliance/posture/{id}/{id};
# this appears to work only because curl's URL globbing collapses a single-item {x} list to x, and it would
# break under --globoff or for ids containing commas. Plain $COMPLIANCE_ID/$REQUIREMENT_ID is the intended form.
# The unquoted ${REQUIREMENT_ID_ARRAY[@]} relies on the ids containing no whitespace or glob characters.
for REQUIREMENT_ID in ${REQUIREMENT_ID_ARRAY[@]}; do
    COMPLIANCE_POSTURE_RESPONSE=$(curl --request GET \
        --url "$PC_APIURL/compliance/posture/{$COMPLIANCE_ID}/{$REQUIREMENT_ID}?timeType=$TIME_TYPE&timeAmount=$TIME_AMOUNT&timeUnit=$TIME_UNIT" \
        --header "x-redlock-auth: $PC_JWT" )
    loop_response_check "/compliance/posture/{$COMPLIANCE_ID}/{$REQUIREMENT_ID}?timeType=$TIME_TYPE&timeAmount=$TIME_AMOUNT&timeUnit=$TIME_UNIT"
    # Appends one CSV row per section of the posture response (values only, no header row).
    printf %s "$COMPLIANCE_POSTURE_RESPONSE" | jq '.complianceDetails[] | {sectionName: .name, description: .description, assignedPolicies: .assignedPolicies, failedResources: .failedResources, passedResources: .passedResources, totalResources: .totalResources, HighSeverityFailedResources: .highSeverityFailedResources, 
mediumSeverityFailedResources: .mediumSeverityFailedResources, lowSeverityFailedResources: .lowSeverityFailedResources}'| jq -r '[.] | map({sectionName, description, assignedPolicies, failedResources, passedResources, totalResources, HighSeverityFailedResources, mediumSeverityFailedResources, lowSeverityFailedResources}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $rows[] | @csv' >> "$REPORT_LOCATION" 83 | 84 | done 85 | printf '\n%s\n\n' "All done! Your report is in the ./reports directory saved as: compliance_section_summary_data_$REPORT_DATE.csv" 86 | 87 | 88 | exit 89 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/compute_api_token.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | 5 | # retrieves the variables from the secrets file 6 | source ./secrets/secrets 7 | source ./func/func.sh 8 | 9 | # Ensures proper formatting of json in bash 10 | 11 | tl-var-check 12 | 13 | AUTH_PAYLOAD=$(cat <&2 25 | exit 1 26 | fi 27 | } 28 | 29 | 30 | # authenticates to the prisma compute console using the access key and secret key. 
If using a self-signed cert with a compute on-prem version, add -k to the curl command.· 31 | PRISMA_COMPUTE_API_AUTH_RESPONSE=$(curl --header "Content-Type: application/json" \ 32 | --request POST \ 33 | --data-raw "$AUTH_PAYLOAD" \ 34 | --url $TL_CONSOLE/api/v1/authenticate ) 35 | 36 | quick_check "/api/v1/authenticate" 37 | 38 | #create some space 39 | echo 40 | echo 41 | echo "API token is:" 42 | 43 | printf %s $PRISMA_COMPUTE_API_AUTH_RESPONSE | jq -r '.token' 44 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/compute_deployed_image_vuln_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Written by Kyle Butler 4 | # Will pull down a vulnerability report for all deployed images visable to the prisma cloud compute platform 5 | # Ensure that $TL_USER, $TL_PASSWORD, and $TL_CONSOLE variables are assigned in ./secrets/secrets file. 6 | 7 | 8 | # No user configuration required. Expectations are you'd schedule this with cron 9 | 10 | source ./secrets/secrets 11 | source ./func/func.sh 12 | 13 | REPORT_DATE=$(date +%m_%d_%y) 14 | 15 | tl-var-check 16 | 17 | TL_API_LIMIT=50 18 | 19 | AUTH_PAYLOAD=$(cat < $REPORT_LOCATION 42 | 43 | quick_check "/api/v1/images/download" 44 | 45 | printf '\n%s\n\n' "All done! 
Your report is in the ./reports directory saved as: deployed_images_report_$REPORT_DATE.csv" 46 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/detailed_compliance_policy_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | 4 | # Pulls all the policies associated with a particular compliance framework in Prisma Cloud 5 | 6 | source ./secrets/secrets 7 | source ./func/func.sh 8 | 9 | # Only variable that needs to be assigned in script 10 | COMPLIANCE_NAME="PCI DSS v3.2.1" 11 | 12 | 13 | 14 | 15 | 16 | #### NO EDITS NEEDED BELOW 17 | 18 | pce-var-check 19 | 20 | AUTH_PAYLOAD=$(cat < $POLICY_REPORT_NAME 49 | 50 | exit 51 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/embed_python_lambda.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # requires jq 3 | # written by kyle butler 4 | # demonstrates how to embed a defender in a python 3.6 - 3.9 aws lambda function: 5 | 6 | 7 | source ./secrets/secrets 8 | 9 | PATH_TO_PYTHON_FUNCTION=./lambda_function.py 10 | FUNCTION_NAME="kb-test" 11 | FUNCTION_HANDLER_NAME="" 12 | 13 | ######## end of user config ################## 14 | 15 | 16 | # request body for /api/v1/authenticate endpoint 17 | AUTH_PAYLOAD=$(cat < "./serverless_temp/temp_$FUNCTION_FILE_NAME" 43 | 44 | # places the annotation above the handler in a finished file 45 | awk -v function_handler=$FUNCTION_HANDLER_NAME '!found && $0~function_handler { print "@twistlock.serverless.handler"; found=1 } 1' "./serverless_temp/temp_$FUNCTION_FILE_NAME" > "./serverless_temp/$FUNCTION_FILE_NAME" 46 | 47 | # removes the temp file 48 | rm "./serverless_temp/temp_$FUNCTION_FILE_NAME" 49 | 50 | # request body for the defender serverless bundle 51 | SERVERLESS_BUNDLE_REQUEST_BODY=$(cat < Access Keys 11 | # 
Find the Prisma Cloud Enterprise Edition API URL specific to your deployment: https://prisma.pan.dev/api/cloud/api-url 12 | # 13 | # INFO: 14 | # Exports all the custom policies written as code from the BridgeCrew console and imports them into prisma cloud. 15 | # As of Dec 21st 20222 only the custom policies written in YAML syntax can be exported this way. 16 | 17 | source ./secrets/secrets 18 | source ./func/func.sh 19 | 20 | # CREATE BRIDGECREW API KEY IN BRIDGECREW CONSOLE AND ASSIGN IT TO THE VAR BELOW 21 | BC_API_KEY="" 22 | 23 | if [[ $BC_API_KEY = "" ]] || [[ -z $BC_API_KEY ]]; then 24 | printf '%s\n' "The BridgeCrew API key is not assigned in the script, please assign the key to the BC_API_KEY var in the script and run again" 25 | exit 1 26 | fi 27 | 28 | ###### NO EDITS BELOW NECESSARY 29 | 30 | REPORT_DATE=$(date +%m_%d_%y) 31 | 32 | BRIDGECREW_POLICY_RESPONSE=$(curl --request GET \ 33 | --url https://www.bridgecrew.cloud/api/v1/policies/table/data \ 34 | --header 'Accept: application/json' \ 35 | --header "authorization: $BC_API_KEY") 36 | 37 | quick_check "https://www.bridgecrew.cloud/api/v1/policies/table/data" 38 | 39 | 40 | printf '%s' "$BRIDGECREW_POLICY_RESPONSE" > ./temp/bridgecrew_policies_table_data.json 41 | 42 | # Takes the response file and filters the response on policies which were written in yaml. 
43 | cat ./temp/bridgecrew_policies_table_data.json | jq --arg DATE "$REPORT_DATE" '[.data[] | select(.code != null) | {cloudType: .provider, complianceMetadata: [], description: .guideline, labels: [], name: (.title + "_" + $DATE), policySubTypes: ["build"], policyType: "config", recommendation: "", rule: { children: [{metadata: {code: .code}, type: "build", recommendation: ""}], name: (.title + "_" + $DATE), parameters: {savedSearch: " false", withIac: "true"}, type: "Config" }, severity: .severity }]' | sed 's/\"severity\"\: \"CRITICAL\"/\"severity\"\: \"HIGH\" /g' > ./temp/transformed_code_policies.json 44 | 45 | NUMBER_OF_POLICIES=$(cat ./temp/transformed_code_policies.json | jq '. |length') 46 | 47 | NUMBER_MINUS_ONE=$(printf '%04d' "$(( NUMBER_OF_POLICIES - 1 ))"| tr -d '"') 48 | 49 | for number in $(seq 0 "$NUMBER_MINUS_ONE"); do 50 | 51 | cat ./temp/transformed_code_policies.json | jq --argjson number "$number" '.[$number]' > "./temp/policy_$(printf '%04d' "$number").json" 52 | 53 | done 54 | 55 | 56 | 57 | pce-var-check 58 | 59 | AUTH_PAYLOAD=$(cat <.sh` 7 | # requires jq to be installed 8 | 9 | # cloud account name you'd like to filter results on 10 | 11 | cloud_account_name="" 12 | 13 | 14 | source ./secrets/secrets 15 | source ./func/func.sh 16 | 17 | pce-var-check 18 | 19 | csp_pfix_array=( "azure-" ) 20 | 21 | 22 | date=$(date +%Y%m%d-%H%M) 23 | 24 | 25 | AUTH_PAYLOAD=$(cat < "./temp/rql_api_response_$csp.json" 65 | 66 | 67 | done 68 | 69 | 70 | rql_api_array=($(cat ./temp/rql_api_response_* | jq -r '.suggestions[]')) 71 | 72 | 73 | for api_query in "${!rql_api_array[@]}"; do \ 74 | 75 | rql_request_body=$(cat < "./temp/api_response_$api_query.json" & 94 | 95 | 96 | done 97 | wait 98 | 99 | 100 | printf '%s\n' "cloudType,id,accountId,name,accountName,regionId,regionName,service,resourceType" > "./reports/azure_resources_without_lock_$date.csv" 101 | 102 | 103 | cat temp/api_response* | jq -r '.data.items[] | {"cloudType": .cloudType, "id": .id, 
"accountId": .accountId, "name": .name, "accountName": .accountName, "regionId": .regionId, "regionName": .regionName, "service": .service, "resourceType": .resourceType }' | jq -r '[.[]] | @csv' >> "./reports/azure_resources_without_lock_$date.csv" 104 | 105 | 106 | printf '\n\n\n%s\n\n' "All done your report is in the reports directory and is named ./reports/azure_resources_without_lock_$date.csv" 107 | 108 | { 109 | rm -f ./temp/*.json 110 | } 111 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/find_cloud_resources_without_tags.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Jonathan Hurtt with collaboration from Kyle Butler 3 | 4 | # creates a csv report showing all active cloud resources without a tag 5 | # no user configuration required 6 | # to run: `bash ./.sh` 7 | # requires jq to be installed 8 | 9 | 10 | source ./secrets/secrets 11 | source ./func/func.sh 12 | 13 | pce-var-check 14 | 15 | csp_pfix_array=("aws-" "azure-" "gcp-" "gcloud-" "alibaba-" "oci-") 16 | 17 | 18 | date=$(date +%Y%m%d-%H%M) 19 | 20 | 21 | AUTH_PAYLOAD=$(cat < "./temp/rql_api_response_$csp.json" 61 | 62 | 63 | done 64 | 65 | 66 | rql_api_array=($(cat ./temp/rql_api_response_* | jq -r '.suggestions[]')) 67 | 68 | 69 | for api_query in "${!rql_api_array[@]}"; do \ 70 | 71 | rql_request_body=$(cat < "./temp/other_$api_query.json" & 90 | 91 | done 92 | wait 93 | 94 | printf '%s\n' "cloudType,id,accountId,name,accountName,regionId,regionName,service,resourceType" > "./reports/cloud_resources_without_tags_$date.csv" 95 | 96 | cat ./temp/other_* | jq -r '.data.items[] | {"cloudType": .cloudType, "id": .id, "accountId": .accountId, "name": .name, "accountName": .accountName, "regionId": .regionId, "regionName": .regionName, "service": .service, "resourceType": .resourceType }' | jq -r '[.[]] | @csv' >> "./reports/cloud_resources_without_tags_$date.csv" 97 
| 98 | printf '\n\n\n%s\n\n' "All done your report is in the reports directory and is named ./reports/cloud_resources_without_tags_$date.csv" 99 | 100 | { 101 | rm -f ./temp/*.json 102 | } 103 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/generate_defender_helm_chart.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | 5 | source ./secrets/secrets 6 | source ./func/func.sh 7 | 8 | 9 | AUTH_PAYLOAD=$(cat </:. leaving an example assigned for reference. 11 | IMAGE_NAME="vulnerables/web-dvwa:latest" 12 | 13 | # Prisma Compute resource tag for prisma cloud. Tag must exist. Capitilization matters 14 | TAG="test" 15 | 16 | # choose one: low, medium, high, critical. Capitilization matters 17 | SEVERITY="critical" 18 | 19 | #####END USER CONFIG############################################################################ 20 | 21 | 22 | 23 | 24 | 25 | 26 | # retrieves the variables from the secrets file 27 | source ./secrets/secrets 28 | source ./func/func.sh 29 | 30 | # Ensures proper formatting of json in bash 31 | 32 | tl-var-check 33 | 34 | AUTH_PAYLOAD=$(cat < "./reports/asset_inventory_by_service_and_accounts_$REPORT_DATE.csv" 51 | 52 | printf '\n%s\n' "All done! 
Your report is in the reports directory saved as: asset_inventory_by_service_and_accounts_$REPORT_DATE.csv" 53 | 54 | exit 55 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/network_anomaly_alert_policy_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # requires jq 3 | # written by Teo De Las Heras 4 | # shows all the network anomaly alerts and includes the target host IP as a column 5 | 6 | source ./secrets/secrets 7 | source ./func/func.sh 8 | 9 | REPORT_DATE=$(date +%m_%d_%y) 10 | 11 | AUTH_PAYLOAD=$(cat < $REPORT_LOCATION 37 | curl -L -X GET \ 38 | --url "$PC_APIURL/v2/alert?timeType=relative&timeAmount=2&timeUnit=year&detailed=false&alert.status=open&policy.id=$POLICY_ID" \ 39 | --header "accept: application/json; charset=UTF-8" \ 40 | --header "content-type: application/json" \ 41 | --header "x-redlock-auth: $PC_JWT" | jq ' .items[]' | jq -r '[.id, .resource.name, .resource.id, .resource.accountId, .resource.account, .resource.region, .resource.resourceType, .anomalyDetail.targetHost.ip] | @csv' >> $REPORT_LOCATION 42 | done 43 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/onboard_aws_org.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | 4 | # REQUIRES Jq to be installed 5 | # Written by Kyle Butler 6 | 7 | # This onboard an AWS org into Prisma Cloud through the prisma cloud apis. It does not cover all the possible usecases. Example: excluding specific accounts within the org. 
8 | # Full api documentaiton on this endpoint can be found here: https://prisma.pan.dev/api/cloud/cspm/cloud-accounts/#operation/add-cloud-account 9 | source ./secrets/secrets 10 | source ./func/func.sh 11 | 12 | 13 | # ORG Level AWS account ID 14 | AWS_ACCOUNT_ID="" 15 | 16 | # id of account group you'd like to addd the onboarded account to. 17 | PRISMA_ACCOUNT_GROUP_ID= 18 | 19 | # external ID created to secure access between Prisma and AWS org level 20 | AWS_EXTERNAL_ID="" 21 | 22 | # external ID created to secure access between Prisma and AWS member/account level 23 | AWS_MEMBER_EXTERNAL_ID="" 24 | 25 | # name of the IAM role created when deploying the CFT stack default should be PrismaCloudReadOnlyRole or PrismaCloudOrgReadOnyRole. 26 | MEMBER_ROLE_NAME="" 27 | 28 | # Name of the AWS account/in prisma cloud. Like HR AWS accounts...etc. 29 | NAME="" 30 | 31 | # protection mode MONITOR or MONITOR_AND_PROTECT 32 | PROTECTION_MODE="" 33 | 34 | # Role arn assigned to the IAM role created 35 | ROLE_ARN="" 36 | 37 | # onboarding type ACCOUNT or ORG 38 | ONBOARDING_TYPE="" 39 | 40 | 41 | 42 | AUTH_PAYLOAD=$(cat < "$REPORTS_DIR/policy_$CLOUD_TYPE.csv" 38 | exit 39 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/pull_audit_logs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Requires jq to be installed 3 | # Author Kyle Butler 4 | 5 | 6 | source ./secrets/secrets 7 | source ./func/func.sh 8 | 9 | # Time filter. Assign the appropriate values. This will pull the last month's worth of audit logs. 
10 | TIMEAMOUNT=1 11 | TIMEUNIT="month" 12 | TIMETYPE="relative" 13 | 14 | 15 | #### NO EDITS NEEDED BELOW 16 | 17 | pce-var-check 18 | 19 | AUTH_PAYLOAD=$(cat < Access Keys 11 | # Find the Prisma Cloud Enterprise Edition API URL specific to your deployment: https://prisma.pan.dev/api/cloud/api-url 12 | # 13 | # SECURITY RECOMMENDATIONS: 14 | 15 | source ./secrets/secrets 16 | source ./func/func.sh 17 | 18 | ### THIS SCRIPT IS USABLE WHEN THERE ARE LESS THAN 10,000 resources in scope for the report. Use the detailed_compliance_alert_report.sh when there are more than 10,000 resources 19 | #### This will pull all the alerts by the policy ids associated to the compliance framework and export everything as a CSV. 20 | 21 | # comes from the console 22 | COMPLIANCE_STD_NAME="CIS v1.4.0 (AWS)" 23 | 24 | 25 | TIME_TYPE="relative" 26 | TIME_UNIT="month" 27 | TIME_AMOUNT="1" 28 | STATUS="open" 29 | 30 | 31 | #### NO EDITS NEEDED BELOW 32 | pce-var-check 33 | 34 | AUTH_PAYLOAD=$(cat < "$REPORT_LOCATION" 63 | 64 | printf '%s' "$ALERT_RESPONSE" | jq -r --arg COMPLIANCE_NAME "$COMPLIANCE_STD_NAME" '.items[] | select(.status == "open" ) | {policyName: .policy.name, policyDescription: .policy.description, policySeverity: .policy.severity, policyType: .policy.policyType, policyRecommendation: .policy.recommendation, account: .resource.account, resourceName: .resource.name, resourceType: .resource.resourceType, resourceId: .resource.rrn, complianceMetadata: [.policy.complianceMetadata[] | select( .standardName == $COMPLIANCE_NAME )]} | {policyName: .policyName, policyDescription: .policyDescription, policySeverity: .policySeverity, policyType: .policyType, policyRecommendation: .policyRecommendation, account: .account, resourceName: .resourceName, resourceType: .resourceType, resourceId: .resourceId, complianceMetadata: .complianceMetadata[]} | [{policyName: .policyName, policyDescription: .policyDescription, policySeverity: .policySeverity, policyType: .policyType, 
policyRecommendation: .policyRecommendation, account: .account, resourceName: .resourceName, resourceType: .resourceType, resourceId: .resourceId, standardName: .complianceMetadata.standardName, requirementName: .complianceMetadata.requirementName, sectionId: .complianceMetadata.sectionId}] | map({policyName, policyDescription, policySeverity, policyType, policyRecommendation, account, resourceName, resourceType, resourceId, standardName, requirementName, sectionId})| (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $rows[] | @csv' >> "$REPORT_LOCATION" 65 | 66 | printf '\n%s\n\n' "All done! Your report is saved in the ./reports directory as $REPORT_DATE-$COMPLIANCE_STD_NAME-detailed-compliance-report.csv" 67 | 68 | exit 69 | 70 | 71 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/registry_image_report.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Written by Kyle Butler 3 | # No user configuration required 4 | # Requires jq to be installed 5 | # Tested with jq-1.7.1 6 | # Script assumes you have two relative directories: ./temp and ./reports in the directory you run the script from 7 | 8 | # brings in the $TL_USER and $TL_PASSWORD values from the secrets file 9 | source ./secrets/secrets 10 | source ./func/func.sh 11 | 12 | 13 | # report date added to the final reports 14 | REPORT_DATE=$(date +%m_%d_%y) 15 | 16 | 17 | 18 | # Ensures proper formatting of json in bash 19 | AUTH_PAYLOAD=$(cat < ./reports/registry_image_report_$REPORT_DATE.csv 48 | 49 | 50 | echo "done. 
your report is located here: ./reports/registry_image_report_$REPORT_DATE.csv" 51 | exit 52 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/remove_run_tasks_tf_cloud_org.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # written by Kyle Butler 4 | # removes all associated TF Run Tasks across all workspaces in a Terraform Cloud Org 5 | 6 | #Terraform user api token 7 | TF_TOKEN="" 8 | 9 | #Terraform cloud organization name 10 | ORGANIZATION="" 11 | 12 | # no user input required below 13 | 14 | TF_WORKSPACES_REQUEST=$(curl --header "Authorization: Bearer $TF_TOKEN" \ 15 | --header "Content-Type: application/vnd.api+json" \ 16 | --url "https://app.terraform.io/api/v2/organizations/$ORGANIZATION/workspaces?page%5Bnumber=1&page%5Bsize=100") 17 | 18 | HUNDRED_WORKSPACES_IN_TF=$(printf '%s' "$TF_WORKSPACES_REQUEST" | jq -r '.meta.pagination."total-pages"') 19 | 20 | # handles the api page limits and numbers in the request 21 | for TF_WORKSPACES in $(seq 1 "$HUNDRED_WORKSPACES_IN_TF"); do \ 22 | curl --header "Authorization: Bearer $TF_TOKEN" \ 23 | --header "Content-Type: application/vnd.api+json" \ 24 | --url "https://app.terraform.io/api/v2/organizations/$ORGANIZATION/workspaces?page%5Bnumber=$TF_WORKSPACES&page%5Bsize=100" > ./temp_tf_workspace_$TF_WORKSPACES.json 25 | done 26 | 27 | # creates array of workspace ID's 28 | WS_ID_ARRAY=( $(cat ./temp_tf_workspace_*.json| jq -r '.data[].id')) 29 | 30 | # for each workspace ID get the associated run task ID and turn that into an array. Finally make another request to delete the ws run task using the run task and workspace ID. 
31 | for WSID in "${!WS_ID_ARRAY[@]}"; do \ 32 | 33 | TASK_ID_ARRAY=($(curl --header "Authorization: Bearer $TF_TOKEN" \ 34 | --url "https://app.terraform.io/api/v2/workspaces/${WS_ID_ARRAY[WSID]}/tasks" | jq -r '.data[].id')) 35 | 36 | for TASK_ID in "${TASK_ID_ARRAY[@]}"; do \ 37 | curl --header "Authorization: Bearer $TF_TOKEN" \ 38 | --header "Content-Type: application/vnd.api+json" \ 39 | --request DELETE \ 40 | --url "https://app.terraform.io/api/v2/workspaces/${WS_ID_ARRAY[WSID]}/tasks/$TASK_ID" 41 | done 42 | done 43 | 44 | exit 45 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/report_aks_agent_node_pool_size.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq and curl 4 | # purpose: queries the prisma cloud api to report how many nodes are in Azure AKS clusters. Reports both the active and deleted clusters 5 | 6 | 7 | 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | 12 | AUTH_PAYLOAD=$(cat < "./temp/response_$REPORT_DATE.json" 53 | 54 | cat ./temp/response_$REPORT_DATE.json | jq -r '[.data.items[] | {name: .name, service: .service, accountName: .accountName, regionName: .regionName, deleted: .deleted, propertiesAgentPoolProfilesCount: .data.properties.agentPoolProfiles[].count?}] | map({name, service, accountName, regionName, deleted, propertiesAgentPoolProfilesCount})| (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' > "./reports/azure_aks_nodepool_report_$REPORT_DATE.csv" 55 | 56 | 57 | 58 | printf '\n\n%s\n\n' "All done, your report is located here: ./reports/azure_aks_nodepool_report_$REPORT_DATE.csv" 59 | 60 | { 61 | rm ./temp/response_$REPORT_DATE.json 62 | } 63 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/report_all_licensable_resources.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Author Kyle Butler 3 | # to run: `bash ./.sh` 4 | # requires jq to be installed 5 | 6 | # Lists out all the licensable resources in Prisma Cloud by cloud account 7 | 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | pce-var-check 12 | 13 | date=$(date +%Y%m%d-%H%M) 14 | 15 | AUTH_PAYLOAD=$(cat < "./temp/rql_cloud_account_response.json" 56 | 57 | rql_cloud_account_array=() 58 | while IFS= read -r line; do 59 | rql_cloud_account_array+=("$line") 60 | done < "./temp/rql_cloud_account_response.json" 61 | 62 | 63 | for cloud_account in "${!rql_cloud_account_array[@]}"; do \ 64 | 65 | 66 | 67 | mkdir -p ./temp/$(printf '%05d' "$cloud_account") 68 | 69 | for api_query in "${!rql_api_array[@]}"; do \ 70 | 71 | rql_request_body=$(cat < "./temp/$(printf '%05d' "$cloud_account")/other_$(printf '%05d' "$api_query").json" & 102 | 103 | done 104 | wait 105 | 106 | cat ./temp/$(printf '%05d' "$cloud_account")/*.json > ./temp/finished_$(printf '%05d' "$cloud_account").json 107 | 108 | done 109 | 110 | printf '%s\n' "cloudType,id,accountId,name,accountName,regionId,regionName,service,resourceType" > "./reports/all_cloud_resources_$date.csv" 111 | 112 | rm ./temp/rql_cloud_account_response.json 113 | 114 | 115 | cat ./temp/finished_*.json | jq -r '.data.items[] | {"cloudType": .cloudType, "id": .id, "accountId": .accountId, "name": .name, "accountName": .accountName, "regionId": .regionId, "regionName": .regionName, "service": .service, "resourceType": .resourceType }' | jq -r '[.[]] | @csv' >> "./reports/all_cloud_resources_$date.csv" 116 | 117 | printf '\n\n\n%s\n\n' "All done your report is in the reports directory and is named ./reports/all_cloud_resources_$date.csv" 118 | 119 | { 120 | rm -rf ./temp/* 121 | } 122 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/report_all_vms.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Author Kyle Butler 3 | # to run: `bash ./.sh` 4 | # requires jq to be installed 5 | 6 | # Lists out all the licensable resources in Prisma Cloud by cloud account 7 | 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | pce-var-check 12 | 13 | date=$(date +%Y%m%d-%H%M) 14 | 15 | AUTH_PAYLOAD=$(cat < "./temp/rql_cloud_account_response.json" 56 | 57 | rql_cloud_account_array=() 58 | while IFS= read -r line; do 59 | rql_cloud_account_array+=("$line") 60 | done < "./temp/rql_cloud_account_response.json" 61 | 62 | 63 | for cloud_account in "${!rql_cloud_account_array[@]}"; do \ 64 | 65 | 66 | 67 | mkdir -p ./temp/$(printf '%05d' "$cloud_account") 68 | 69 | for api_query in "${!rql_api_array[@]}"; do \ 70 | 71 | rql_request_body=$(cat < "./temp/$(printf '%05d' "$cloud_account")/other_$(printf '%05d' "$api_query").json" & 102 | 103 | done 104 | wait 105 | 106 | cat ./temp/$(printf '%05d' "$cloud_account")/*.json > ./temp/finished_$(printf '%05d' "$cloud_account").json 107 | 108 | done 109 | 110 | printf '%s\n' "cloudType,id,accountId,name,accountName,regionId,regionName,service,resourceType" > "./reports/all_cloud_vms_$date.csv" 111 | 112 | rm ./temp/rql_cloud_account_response.json 113 | 114 | 115 | cat ./temp/finished_*.json | jq -r '.data.items[] | {"cloudType": .cloudType, "id": .id, "accountId": .accountId, "name": .name, "accountName": .accountName, "regionId": .regionId, "regionName": .regionName, "service": .service, "resourceType": .resourceType }' | jq -r '[.[]] | @csv' >> "./reports/all_cloud_vms_$date.csv" 116 | 117 | printf '\n\n\n%s\n\n' "All done your report is in the reports directory and is named ./reports/all_cloud_vms_$date.csv" 118 | 119 | { 120 | rm -rf ./temp/* 121 | } 122 | -------------------------------------------------------------------------------- 
/prisma_bash_toolbox-main/reports/EXAMPLE_DETAILED_COMPLIANCE_ALERT_REPORT.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma_channel_resources/e9ebf7cfafdda06d17fd1bdf8a818995bd16e22d/prisma_bash_toolbox-main/reports/EXAMPLE_DETAILED_COMPLIANCE_ALERT_REPORT.xlsx -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/reports/report.example: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/resource_type_inventory.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Author Kyle Butler 3 | # REQUIREMENTS: 4 | # jq needs to be installed: 5 | # debian/ubuntu: sudo apt install jq 6 | # rhel/fedora: sudo yum install jq 7 | # macos: sudo brew install jq 8 | 9 | 10 | # Access key should be created in the Prisma Cloud Enterprise Edition Console under: Settings > Accesskeys 11 | 12 | 13 | # INSTRUCTIONS: 14 | # install requirement jq 15 | 16 | source ./secrets/secrets 17 | source ./func/func.sh 18 | 19 | # adjust as needed default is to look back 3 months 20 | TIMEUNIT="month" # could be day, month, year 21 | TIMEAMOUNT="3" # integer value 22 | 23 | ####### No edits needed below this line 24 | 25 | pce-var-check 26 | 27 | AUTH_PAYLOAD=$(cat <> "$REPORT_LOCATION" 57 | printf '%s' "$RESPONSE_JSON" | jq -r '.aws | select(. != null) | map({resourceTypeName, highSeverityIssues, mediumSeverityIssues, lowSeverityIssues, passedResources, failedResources, totalResources}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' >> "$REPORT_LOCATION" 58 | 59 | printf '\n%s\n' "azure" >> "$REPORT_LOCATION" 60 | printf '%s' "$RESPONSE_JSON" | jq -r '.azure | select(. 
!= null) | map({resourceTypeName, highSeverityIssues, mediumSeverityIssues, lowSeverityIssues, passedResources, failedResources, totalResources}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' >> "$REPORT_LOCATION" 61 | 62 | printf '\n%s\n' "gcp" >> "$REPORT_LOCATION" 63 | printf '%s' "$RESPONSE_JSON" | jq -r '.gcp | select(. != null) | map({resourceTypeName, highSeverityIssues, mediumSeverityIssues, lowSeverityIssues, passedResources, failedResources, totalResources}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' >> "$REPORT_LOCATION" 64 | 65 | printf '\n%s\n\n' "All done! Your report is saved in the ./reports directory as pcee_asset_inventory_with_alerts_$REPORT_DATE.csv" 66 | 67 | 68 | exit 69 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/retrieve_compute_settings.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | # pulls the console settings from the CWPP side of Prisma Cloud the CNAPP platform 5 | 6 | 7 | # retrieves the variables from the secrets file 8 | 9 | source ./secrets/secrets 10 | source ./func/func.sh 11 | 12 | 13 | 14 | #### END OF USER CONFIG 15 | AUTH_PAYLOAD=$(cat < ./reports/compute_console_settings.json 31 | 32 | printf '\n%s\n' "compute settings have been pulled and are in the reports folder named: ./reports/compute_console_settings.json" 33 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/retrieve_iam_alert_data.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | # gets the full alert data for each IAM alert which is open 5 | # specifically the granted by fields 6 | 7 | 
source ./secrets/secrets 8 | 9 | AUTH_PAYLOAD=$(cat < "$file_name" 42 | } 43 | 44 | IAM_ALERT_RESPONSE_FILE="./temp/iam_alert_response.json" 45 | 46 | gather_iam_alerts "$ALERT_URL" "$IAM_ALERT_RESPONSE_FILE" 47 | 48 | 49 | while true; do 50 | 51 | NEXT_PAGE_TOKEN=$(jq -r '.nextPageToken // empty' "$IAM_ALERT_RESPONSE_FILE") 52 | 53 | if [[ -z "$NEXT_PAGE_TOKEN" ]]; then 54 | echo "no more alerts. exiting loop" 55 | break 56 | fi 57 | ((FILE_COUNTER++)) 58 | 59 | NEXT_URL="$ALERT_URL&pageToken=$NEXT_PAGE_TOKEN" 60 | IAM_ALERT_RESPONSE_FILE="./temp/iam_alert_response_$FILE_COUNTER.json" 61 | 62 | echo "gathering next page: $NEXT_URL" 63 | gather_iam_alerts "$NEXT_URL" "$IAM_ALERT_RESPONSE_FILE" 64 | done 65 | 66 | 67 | # parses the response and gets a single alert id for each policy 68 | IAM_ALERTS=( $(cat ./temp/iam_alert_response*.json | jq -r '[.items[] | {alertId: .id, policyName: .policy.name}] | group_by(.policyName) | map({policyName: .[0].policyName, alertIds: map(.alertId)}) |sort | .[] | {policyName: .policyName, alertId: .alertIds[0]} | .alertId') ) 69 | 70 | 71 | 72 | 73 | 74 | # for each alertId get the RQL logic behind the policy 75 | for alert in "${!IAM_ALERTS[@]}"; do \ 76 | curl --url "$PC_APIURL/api/v1/permission/alert/search?alertId=${IAM_ALERTS[$alert]}" \ 77 | --header 'Accept: application/json' \ 78 | --header "x-redlock-auth: $PC_JWT" > ./temp/rql_$(printf '%04d' "$alert").json& 79 | done 80 | wait 81 | 82 | # parse the response for the rql query and write it to a file 83 | cat ./temp/rql_* | jq -r '.query' > ./temp/rql_array.json 84 | 85 | # read each line in the file into an array 86 | IAM_RQL_ARRAY=() 87 | while IFS= read -r line; do 88 | IAM_RQL_ARRAY+=("$line") 89 | done < ./temp/rql_array.json 90 | 91 | 92 | # for each rql query in the array get all the alert data 93 | for rql_query in "${!IAM_RQL_ARRAY[@]}"; do \ 94 | 95 | 96 | PAYLOAD=$(cat < ./temp/alert_$(printf '%08d' "$rql_query").json& 123 | done 124 | wait 125 | 126 | # combine 
all the alert data from the temp folder into a combined_alert.json 127 | cat ./temp/alert_* > ./reports/finished_combined_alert.json 128 | 129 | 130 | echo "all IAM alert data is in the ./reports/finished_combined_alert.json file" 131 | 132 | ## Remove to keep temp 133 | { 134 | rm -rf ./temp/* 135 | } 136 | 137 | exit 138 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/retrieve_latest_defender_image.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | # retrieves the latest defender image version from the prisma cloud compute api endpoint 5 | 6 | 7 | # retrieves the variables from the secrets file 8 | source ./secrets/secrets 9 | source ./func/func.sh 10 | 11 | 12 | 13 | #### END OF USER CONFIG 14 | AUTH_PAYLOAD=$(cat < licensing 10 | TENANT_ID="2312312321891921" 11 | 12 | # time unit choose: hour, day, week, month, year 13 | TIME_UNIT="year" 14 | 15 | # integer number of the time units above 16 | TIME_AMOUNT="1" 17 | 18 | ########### END OF USER CONFIG ############################ 19 | 20 | REPORT_DATE=$(date +%m_%d_%y) 21 | 22 | JSON_LOCATION="./temp" 23 | 24 | REPORTS_LOCATION="./reports" 25 | 26 | source ./secrets/secrets 27 | source ./func/func.sh 28 | 29 | AUTH_PAYLOAD=$(cat <> "$JSON_LOCATION/object.json" & 100 | 101 | done 102 | 103 | 104 | 105 | printf '%s' "$INVENTORY_RESPONSE" | jq -r '[.[] |select(.objectExposure=="public")] | map({cloudType, accountId, accountName, regionName, serviceName, resourceName, publicResource, objectId, objectName, objectExposure, objectOwner, contentType, dataProfiles, dataPatterns, malware, rrn, objectInformation: [(.objectName as $objectName | $objectData |..|select(.objectName? 
and .objectName==$objectName))]})' --slurpfile objectData "$JSON_LOCATION/object.json" | jq -r '[.[] | select(.accountId==.objectInformation[].awsAccountId ) |{cloudType, accountId, accountName, regionName, serviceName, resourceName, publicResource, objectId, objectName, objectExposure, objectOwner, contentType, dataProfiles, dataPatterns, malware, rrn, url: .objectInformation[].objectUrl } ] | map({cloudType, accountId, accountName, regionName, serviceName, resourceName, serviceName, resourceName, publicResource, objectId, objectName, objectExposure, objectowner, contentType, dataProfiles: .dataProfiles[], dataPatterns: .dataPatterns[], malware, rrn, url}) |(first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[]| @csv' > "$REPORTS_LOCATION/s3_object_report_$REPORT_DATE.csv" 106 | 107 | 108 | printf '\n\n%s\n\n%s' "All done! Your report is in the reports directory saved as s3_object_report_$REPORT_DATE.csv" \ 109 | "cleaning temp json folder" 110 | 111 | 112 | { 113 | rm "$JSON_LOCATION/*.json" 114 | } 115 | 116 | 117 | exit 118 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/secrets/secrets: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # api url for the console found here https://prisma.pan.dev/api/cloud/api-urls 4 | PC_APIURL="" 5 | PC_ACCESSKEY="" 6 | PC_SECRETKEY="" 7 | 8 | # api url found in the Enterprise edition under compute > manage > system > utilities > path to console 9 | TL_CONSOLE="" 10 | 11 | # If using the Enterprise edition just use the access key from above 12 | TL_USER="" 13 | 14 | # If using the Enterprise edition just use the secret key from above 15 | TL_PASSWORD="" 16 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/serverless_detailed_vuln_report.sh: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/env bash 2 | # written by Kyle Butler 3 | # requires jq to be installed 4 | # creates a vulnerability report with more data than is available through the UI through compute api endpoint 5 | 6 | # retrieves the variables from the secrets file 7 | source ./secrets/secrets 8 | source ./func/func.sh 9 | 10 | 11 | REPORT_DATE=$(date +%m_%d_%y) 12 | 13 | retrieve_token () { 14 | 15 | AUTH_PAYLOAD=$(cat < ./temp/response_temp_dl.csv 45 | 46 | TOTAL_FUNCTIONS_PLUS_ONE=$( cat ./temp/response_temp_dl.csv | awk -F "," '{ print $4}' | sort | uniq | wc -l) 47 | 48 | TOTAL_FUNCTIONS=$(( $TOTAL_FUNCTIONS_PLUS_ONE - 1)) 49 | 50 | echo "$TOTAL_FUNCTIONS" 51 | 52 | for function_offset in $(seq 0 50 "$TOTAL_FUNCTIONS"); do \ 53 | if [ $(( $function_offset % 1500 )) -eq 0 ]; then \ 54 | echo "sleeping for 60 seconds to avoid rate limit"; 55 | sleep 60 56 | retrieve_token 57 | fi 58 | 59 | curl --request GET "$TL_CONSOLE/api/v1/serverless?offset=$function_offset&limit=50" \ 60 | --header 'Accept: application/json' \ 61 | --header "Authorization: Bearer $TL_JWT" > "./temp/serverless_$(printf '%06d' "$function_offset").json" 62 | done 63 | 64 | 65 | cat ./temp/serverless* | jq '.[] | {provider: .provider, accountID: .accountID, applicationName: .applicationName,id: ._id,architecture: .architecture,platform: .platform, vulnerabilities: .vulnerabilities[]?} | {provider, accountID, applicationName, id, architecture, platform, cveId: .vulnerabilities.cve, packages: .vulnerabilities.packageName, sourcePkg: .vulnerabilities.binaryPkgs, packageVersion: .vulnerabilities.packageVersion, cvss: .vulnerabilities.cvss, status: .vulnerabilities.status, fixDate: .vulnerabilities.fixDate, graceDays: .vulnerabilities.gracePeriodDays, riskFactors: (.vulnerabilities.riskFactors|keys|@sh), vulnerabilityTags: .vulnerabilities.vulnTagInfos, description: .vulnerabilities.description, cause: .vulnerabilities.cause, customLabel: .vulnerabilities.custom, published: .vulnerabilities.published, 
discovered: .vulnerabilities.discovered,vulnerabilityLink: .vulnerabilities.link, vulnerableLayer: .vulnerabilities.functionLayer, collections: .collections?}' > ./temp/combined_serverless_temp.json 66 | 67 | 68 | cat ./temp/combined_serverless_temp.json| jq -n -r '[inputs] | map({provider, accountID, applicationName, id, architecture, platform, cveId, packages, sourcePkg, packageVersion, cvss, status, fixDate, graceDays, riskFactors, vulnerabilityTags, description, cause, customLabel, published, discovered, vulnerabilityLink, vulnerabilityLayer, collections}) | (first | keys_unsorted) as $keys | map([to_entries[] | .value]) as $rows | $keys,$rows[] | @csv' > ./reports/serverless_vulnerability_report_$REPORT_DATE.csv 69 | 70 | printf '\n%s\n' "All done your report is in the reports directory saved as: serverless_vulnerability_report_$REPORT_DATE.csv" 71 | 72 | ## Remove to keep temp 73 | { 74 | rm -rf ./temp/* 75 | } 76 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/snoozed_or_dismissed_alerts.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | #------------------------------------------------------------------------------------------------------------------# 3 | # Written By dschmidt@paloaltonetworks.com 4 | # 5 | # REQUIREMENTS: 6 | # Requires jq to be installed: 'sudo apt-get install jq' 7 | 8 | 9 | # SCRIPT WILL REPORT ALERTS THAT HAVE BEEN DISMISSED OR SNOOZED OVER THE SPECIFIED TIME PERIOD 10 | 11 | ### 12 | # User Configuration Section 13 | ### 14 | TIME_AMOUNT="3" # Represents amount of time (e.g. 3 months). Valid values: Any positive integer 15 | UNIT="month" # Time unit to search on. 
Valid values: minute|hour|day|week|month|year 16 | 17 | #### NO EDITS NEEDED BELOW 18 | source ./secrets/secrets 19 | source ./func/func.sh 20 | 21 | pce-var-check 22 | 23 | AUTH_PAYLOAD=$(cat < ./temp/with_raw_policy_ids.json 52 | 53 | # reconcile the policy id 54 | jq -r '.[].policyId' ./temp/with_raw_policy_ids.json | xargs -i \ 55 | curl -s -L -X GET "$PC_APIURL/policy/{}" \ 56 | -H 'Accept: application/json; charset=UTF-8' \ 57 | -H "x-redlock-auth: $PC_JWT" | jq '. | [ { name, policyId } ]' > ./temp/policy_id_to_name_mapping.json 58 | 59 | 60 | # set the csv headers 61 | echo "id,status,dismissedBy,dismissalNote,dismissalUntilTs,dismissalDuration,policyId,policyName" > ./reports/snoozed_or_dismissed_$REPORT_DATE.csv 62 | 63 | # add the csv data 64 | jq -r --slurp 'flatten | group_by( .policyId ) | map(add) | .[] | [.id,.status,.dismissedBy,.dismissalNote,.dismissalUntilTs,.dismissalDuration,.policyId,.name] | @csv' ./temp/with_raw_policy_ids.json ./temp/policy_id_to_name_mapping.json >> ./reports/snoozed_or_dismissed_$REPORT_DATE.csv 65 | 66 | # get rid of the temp files 67 | rm -rf ./temp/*.json 68 | 69 | # great success! 70 | printf '\n%s\n' "Process completed! Snoozed alerts for the past 3 months is in a report in the ./reports directory named: snoozed_or_dismissed_$REPORT_DATE.csv" 71 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/temp/temp_example.json: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /prisma_bash_toolbox-main/update_SSO_bypass_allowed_users.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # requires jq and curl 3 | # must have a sysadmin role in Prisma Cloud to work and created access/secret keys for that user. 
4 | # adds a user to the SSO Bypass list in case people have made a mistake in the SSO configuration section of the platform 5 | # author Kyle Butler 6 | 7 | # assign user email to variable below 8 | 9 | USER_EMAIL="" 10 | 11 | source ./secrets/secrets 12 | source ./func/func.sh 13 | 14 | AUTH_PAYLOAD=$(cat < ./prisma_code_security_integrations.json 53 | 54 | 55 | # parses the integrations file for the tfc integration data 56 | EXISTING_TFC_RUN_TASK_INTEGRATIONS=$(jq --arg org_name "$TFC_ORG_NAME" '[.data[] | select( .type == "tfcRunTasks") | select(.params.organization.name == $org_name)] | .[0] | {organization: .params.organization, workspaces: .params.workspaces, integrationId: .id}' < ./prisma_code_security_integrations.json) 57 | 58 | # makes a request with the Terraform cloud api token to the workspaces endpoint for the org 59 | TFC_WORKSPACES_REQUEST=$(curl --header "Authorization: Bearer $TFC_API_TOKEN" \ 60 | --header "Content-Type: application/vnd.api+json" \ 61 | --url "https://app.terraform.io/api/v2/organizations/$TFC_ORG_NAME/workspaces?page%5Bnumber=1&page%5Bsize=100") 62 | 63 | # finds out how many pages to loop through (counting by 100) 64 | HUNDRED_WORKSPACES_IN_TFC=$(printf '%s' "$TFC_WORKSPACES_REQUEST" | jq -r '.meta.pagination."total-pages"') 65 | 66 | # loops through the pages and puts the response into a temp json file 67 | for TFC_WORKSPACES in $(seq 1 "$HUNDRED_WORKSPACES_IN_TFC"); do \ 68 | curl --header "Authorization: Bearer $TFC_API_TOKEN" \ 69 | --header "Content-Type: application/vnd.api+json" \ 70 | --url "https://app.terraform.io/api/v2/organizations/$TFC_ORG_NAME/workspaces?page%5Bnumber=$TFC_WORKSPACES&page%5Bsize=100" > ./temp_tf_workspace_$(printf '%05d' "$TFC_WORKSPACES").json 71 | done 72 | 73 | # parses the responses for the workspace id and name 74 | EXISTING_TFC_WORKSPACES=$(cat ./temp_tf_workspace_* | jq '[.data[] |{id: .id, name: .attributes.name}]') 75 | 76 | 77 | 78 | # parses the integrations data for for the 
eventHookid 79 | TFC_TASK_ID=$(printf '%s' "$EXISTING_TFC_RUN_TASK_INTEGRATIONS" | jq -r '.organization.eventHook.id') 80 | 81 | # parses the integrations data for the tfc integrationId 82 | INTEGRATION_ID=$(printf '%s' "$EXISTING_TFC_RUN_TASK_INTEGRATIONS" | jq -r '.integrationId') 83 | 84 | 85 | # assigns vars to the request body for the update 86 | TFC_CLOUD_CREATE_REQUEST_BODY=$(cat < ./prisma_code_security_integrations.json 53 | 54 | 55 | # parses the integrations file for the tfc integration data 56 | EXISTING_TFC_RUN_TASK_INTEGRATIONS=$(jq --arg org_name "$TFC_ORG_NAME" '[.data[] | select( .type == "tfcRunTasks") | select(.params.organization.name == $org_name)] | .[0] | {organization: .params.organization, workspaces: .params.workspaces, integrationId: .id}' < ./prisma_code_security_integrations.json) 57 | 58 | 59 | # requests the selectable workspaces from the /bridgecrew/api/v1/tfRunTasks/cloud//workspaces endpoint 60 | EXISTING_TFC_WORKSPACES=$(curl --url "$PC_APIURL/bridgecrew/api/v1/tfRunTasks/cloud/$TFC_ORG_NAME/workspaces" \ 61 | --header 'accept: application/json, text/plain, */*' \ 62 | --header "authorization: $PC_JWT" \ 63 | --compressed | jq -r '.data') 64 | 65 | # parses the integrations data for for the eventHookid 66 | TFC_TASK_ID=$(printf '%s' "$EXISTING_TFC_RUN_TASK_INTEGRATIONS" | jq -r '.organization.eventHook.id') 67 | 68 | # parses the integrations data for the tfc integrationId 69 | INTEGRATION_ID=$(printf '%s' "$EXISTING_TFC_RUN_TASK_INTEGRATIONS" | jq -r '.integrationId') 70 | 71 | 72 | # assigns vars to the request body for the update 73 | TFC_CLOUD_CREATE_REQUEST_BODY=$(cat <]} in the $USER_PAYLOAD_VAR 57 | 58 | USER_PAYLOAD=$(cat < "$IMAGE_REPORT_LOCATION" 43 | 44 | quick_check "/api/v1/images/download" 45 | 46 | HOST_REPORT_LOCATION="./temp/deployed_hosts_report_$REPORT_DATE.csv" 47 | 48 | # add -k to curl if using self-hosted version with a self-signed cert 49 | curl -H "Authorization: Bearer $TL_JWT" \ 50 | -H 'Content-Type: 
application/json' \ 51 | -X GET \ 52 | --url "$TL_CONSOLE/api/v1/hosts/download?" > "$HOST_REPORT_LOCATION" 53 | 54 | quick_check "/api/v1/hosts/download" 55 | 56 | 57 | SERVERLESS_REPORT_LOCATION="./reports/deployed_serverless_report_$REPORT_DATE.csv" 58 | 59 | # add -k to curl if using self-hosted version with a self-signed cert 60 | curl -H "Authorization: Bearer $TL_JWT" \ 61 | -H 'Content-Type: application/json' \ 62 | -X GET \ 63 | --url "$TL_CONSOLE/api/v1/serverless/download?" > "$SERVERLESS_REPORT_LOCATION" 64 | 65 | quick_check "/api/v1/serverless/download" 66 | 67 | 68 | cat ./temp/deployed_*_report_$REPORT_DATE.csv > ./temp/temp_report.csv 69 | 70 | cat ./temp/temp_report.csv | grep "$KEYWORD" > ./reports/workload_vulnerability_report_$REPORT_DATE.csv 71 | 72 | { 73 | rm ./temp/* 74 | } 75 | 76 | 77 | 78 | printf '\n%s\n\n' "All done! Your report is in the ./reports directory saved as: workload_vulnerability_report_$REPORT_DATE.csv" 79 | --------------------------------------------------------------------------------