The `pcs-inspect.py` script queries the Prisma Cloud API for all enabled Policies and for all Alerts within a Relative Time Range (with a default of one month) for a Tenant, and outputs results to an Excel spreadsheet, including worksheets for:

- Alerts By Compliance Standard
- Alerts By Policy
- Alert Summary
- Utilization Summary
- (Developed and tested on) Python 3.x with the `pandas`, `requests`, and `xlsxwriter` libraries.
- Prisma Cloud Access Key with `ACCOUNT GROUP READ ONLY` or `SYSTEM ADMIN` privileges.
- Download this repository
- If necessary, install the required libraries
- Identify the `--customer_name` parameter via Support -> Customers in the same stack as the Tenant
- Create or select an Access Key with a Role higher than "Build and Deploy Security" in the Tenant
- Execute the `pcs-inspect.py` script to collect and process the data *
- Import the results into Google Sheets, and/or Google Slides (for example: PCS Inspect Report)
- Profit!

(* You can independently execute the collect and process steps of the script by specifying `--mode collect` or `--mode process`)
As an alternative to using a Tenant Access Key, you can inspect a subset of data by specifying an Access Key generated by a "LIGHT AGENT" Support User in the same stack as the Tenant (for example: inspect the `SESandBox` tenant in the `https://app.prismacloud.io/` stack) by specifying a Support User Access Key and `--support_api`.

Use `./pcs-inspect.py -h` for a complete list of parameters.
```shell
pip3 install -r requirements.txt
chmod +x pcs-inspect.py
./pcs-inspect.py \
  --customer_name "Example - 1234" \
  --url "https://api.prismacloud.io" \
  --access_key "aaaaaaaa-1111-aaaa-1111-aaaaaaaa1111" \
  --secret_key "ssss1111ssss1111ssss1111="
```
Utilization Summary includes a summary of Assets, Accounts, Account Groups, Alert Rules, Integrations, Policies, and Users. Its data is collected from each of the associated endpoints.

Open Alerts by Standard lists Compliance Standards, and the count of High, Medium, and Low Severity Alerts for each Standard. Its data is collected from the `policy` endpoint.

Open Alerts by Policy lists Policies with details including Open Alert Count. Its data is collected from the `policy` endpoint.

Open Alerts Summary includes a summary of the Open Alerts by Standard and Open Alerts by Policy worksheets. Its data is collected from the `policy` endpoint.

Open and Closed Alerts by Standard lists Compliance Standards, and the count of High, Medium, and Low Severity Alerts for each Standard. Its data is collected from the `alerts` endpoint, is scoped to a time range, but is not collected or output when using Support API mode.

Open and Closed Alerts by Policy lists Policies with details including Open and Closed Alert Count. Its data is collected from the `alerts` endpoint, is scoped to a time range, but is not collected or output when using Support API mode.

Open and Closed Alerts Summary includes a summary of the Open and Closed Alerts by Standard and Open and Closed Alerts by Policy worksheets. Its data is collected from the `alerts` endpoint, is scoped to a time range, but is not collected or output when using Support API mode.
See: [PCEE_PYTHON_DOCKERFILE_PCS_INSPECT](https://github.com/Kyle9021/PCEE_PYTHON_DOCKERFILE_PCS_INSPECT)

In general, specify `-d` to enable debugging.
If you receive an error when the script generates an API token:

- Verify that the Access Key is valid for the specified Stack and Tenant
- Validate the URL, Access Key, and Secret Key parameters

If you receive an error when the script queries an API endpoint:

- Validate that the Customer Name is complete and correct as per Support -> Customers
- Validate that the Access Key has the necessary Role to access the API
- Do not use a Tenant Access Key when specifying `--support_api`
- Do not use a Support User Access Key unless specifying `--support_api`
- Validate that the Support User has "LIGHT AGENT" permissions when specifying `--support_api`

Note that details for some server-side query errors are not returned by the API.
If the report does not contain the numbers you were expecting:

- If you are using Support API mode, remember that the script is limited to the data that the APIs return.
- Open the `.json` files created by the collect/query steps, and review the data that the APIs return.
- Open the script and review the `get_` functions for comments, and to identify the API endpoints used to return data.
- Edit the script and add `print()` statements where appropriate.
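The three Open and Closed Alerts worksheets described above, and the troubleshooting advice to open the collected `.json` files, both come down to the same processing: reading the alert records the `alerts` endpoint returned and counting them by Standard, Policy and Severity. The following Python is an added example of that processing written for this README; it is not the project's own code, and the alert field names it reads (`status`, `policy.name`, `policy.severity`, `policy.complianceMetadata[].standardName`), the constructed sample records and the rule that only status `open` counts as open are assumptions. Pointing `load_alerts()` at a real collected file instead of the embedded sample gives an independent count to compare against the report when the numbers look wrong.

```python
"""Recompute the Open and Closed Alerts by Standard / by Policy tables from a
collected alerts dump. Hypothetical stand-in for the script's own process
step, constructed for this README; not the project's code."""
import csv
import io
import json
from collections import Counter

SEVERITIES = ("high", "medium", "low")

# Constructed sample in the shape assumed here for Prisma Cloud alert records.
# The field names are an assumption, not taken from the project; a real
# collect step writes many such records to a .json file.
SAMPLE_ALERTS_JSON = json.dumps([
    {"id": "A-1", "status": "open",
     "policy": {"name": "S3 bucket publicly readable", "severity": "high",
                "complianceMetadata": [{"standardName": "CIS v1.4 (AWS)"},
                                       {"standardName": "PCI DSS v3.2"}]}},
    {"id": "A-2", "status": "open",
     "policy": {"name": "S3 bucket publicly readable", "severity": "high",
                "complianceMetadata": [{"standardName": "CIS v1.4 (AWS)"},
                                       {"standardName": "PCI DSS v3.2"}]}},
    {"id": "A-3", "status": "resolved",
     "policy": {"name": "S3 bucket publicly readable", "severity": "high",
                "complianceMetadata": [{"standardName": "CIS v1.4 (AWS)"},
                                       {"standardName": "PCI DSS v3.2"}]}},
    {"id": "A-4", "status": "open",
     "policy": {"name": "Security group allows 0.0.0.0/0 on port 22",
                "severity": "medium",
                "complianceMetadata": [{"standardName": "CIS v1.4 (AWS)"}]}},
    {"id": "A-5", "status": "dismissed",
     "policy": {"name": "Access key older than 90 days", "severity": "low",
                "complianceMetadata": []}},   # mapped to no Standard at all
])


def load_alerts(text):
    """Parse a collected dump; accept a bare list or an object with "items"."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("items", [])
    if not isinstance(data, list):
        raise ValueError("alerts dump must be a JSON list or an object with 'items'")
    return data


def _classify(alert):
    """Return (policy name, severity, is_open) for one record; reject records
    whose severity falls outside the three report buckets so bad data is noticed."""
    policy = alert.get("policy", {})
    severity = str(policy.get("severity", "")).lower()
    if severity not in SEVERITIES:
        raise ValueError(f"alert {alert.get('id')!r} has unexpected severity {severity!r}")
    # Assumption: only status "open" is open; resolved, dismissed and snoozed
    # alerts all land in the closed column.
    is_open = str(alert.get("status", "")).lower() == "open"
    return policy.get("name", "<unnamed policy>"), severity, is_open


def _empty_row():
    return {"open": dict.fromkeys(SEVERITIES, 0), "closed": dict.fromkeys(SEVERITIES, 0)}


def alerts_by_standard(alerts):
    """Open/closed counts per severity for each Compliance Standard. One alert
    can belong to several Standards, so per-Standard totals may legitimately
    exceed the number of alerts; an alert counts at most once per Standard."""
    table = {}
    for alert in alerts:
        _, severity, is_open = _classify(alert)
        metadata = alert.get("policy", {}).get("complianceMetadata", [])
        for standard in {m.get("standardName") for m in metadata} - {None}:
            row = table.setdefault(standard, _empty_row())
            row["open" if is_open else "closed"][severity] += 1
    return table


def alerts_by_policy(alerts):
    """Open and closed counts for each Policy, keeping the Policy's severity."""
    table = {}
    for alert in alerts:
        name, severity, is_open = _classify(alert)
        row = table.setdefault(name, {"severity": severity, "open": 0, "closed": 0})
        row["open" if is_open else "closed"] += 1
    return table


def alerts_summary(alerts):
    """Roll-up of the two tables: totals by status, and how many Standards and
    Policies currently carry at least one open alert."""
    by_std, by_pol = alerts_by_standard(alerts), alerts_by_policy(alerts)
    status = Counter("open" if _classify(a)[2] else "closed" for a in alerts)
    return {
        "alerts_open": status["open"],
        "alerts_closed": status["closed"],
        "standards_with_open_alerts": sum(1 for r in by_std.values() if any(r["open"].values())),
        "policies_with_open_alerts": sum(1 for r in by_pol.values() if r["open"]),
    }


def standard_table_csv(by_standard):
    """Render the by-Standard table as CSV (one worksheet's worth of rows),
    most open High-severity alerts first, then alphabetical."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Standard"] + [f"Open {s.title()}" for s in SEVERITIES]
                    + [f"Closed {s.title()}" for s in SEVERITIES])
    for name in sorted(by_standard, key=lambda s: (-by_standard[s]["open"]["high"], s)):
        row = by_standard[name]
        writer.writerow([name] + [row["open"][s] for s in SEVERITIES]
                        + [row["closed"][s] for s in SEVERITIES])
    return buf.getvalue()


if __name__ == "__main__":
    records = load_alerts(SAMPLE_ALERTS_JSON)
    print(standard_table_csv(alerts_by_standard(records)))
    print(alerts_summary(records))
```

The per-Standard figures are deliberately not a partition of the alert list: a Policy tagged with two Standards contributes to both rows, which is why the Standard worksheet and the Policy worksheet do not add up to the same total and why a reconciliation should compare each against the raw record count separately.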