Add pagination and retries based on load, support queries - PrismaCloudDriver#834
Conversation
There are a pylint error and a few mypy errors. Looks like the mypy errors are mypy not tracking the typed dict.
Thank you Ian for the feedback! I have addressed the comment :)
Annoying - still one mypy issue. Could be that you can derive DriverConfig from a Protocol.
@ianhelle sorry for the delay, it took some time to understand the query store and how reading from the queries folder works. Introduced support queries and driver base inheritance, fixed all the errors; I have documented all the changes at the top.
thank you 👍
Updating query yaml test to print out more detail (i.e. > none)
I made a quick fix for something that was causing a bit of an obscure unit test to fail.
ianhelle
left a comment
Some comments about use of logging vs logger
At least it is now building without errors! Just fix the logging stuff and we should be good to go.
Thank you @ianhelle
Summary - Pagination and query handling changes
Changes
_fetch_prisma_data method updated to include retry logic.
_paginate_prisma_search added to handle pagination properly.
Summary - Entity driven hunting additions
Introduced support queries that can be used as detection triggers in the playbook or for investigation purposes. The entire concept of these queries involves combining risk data with threat data to perform entity driven hunting.
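The retry and pagination behaviour described above, as an added worked example (this is illustrative code written for this page, not msticpy's PrismaCloudDriver implementation). It assumes a hypothetical search API that returns a page of items plus a nextPageToken, and that signals overload with HTTP 429 or 503; the FakePrismaApi class is a constructed stand-in so the example runs offline.

```python
"""Retrying, paginating fetch against a Prisma-Cloud-style search endpoint.

Added illustration, not msticpy's own driver code. The response shape
({"items": [...], "nextPageToken": "..."}) and the overload status codes
(429/503) are assumptions about the target API.
"""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterator, List, Optional


@dataclass
class FakeResponse:
    status_code: int
    payload: Dict[str, Any]


class FakePrismaApi:
    """Constructed stand-in for the real client: serves fixed pages and can
    be told to answer a page request with a sequence of error codes first."""

    def __init__(self, pages: List[List[Any]], fail_on: Dict[Optional[str], List[int]]):
        self._pages = pages
        self._pending_failures = {tok: list(codes) for tok, codes in fail_on.items()}
        self.calls = 0  # total HTTP calls, used to check retry accounting

    def search(self, page_token: Optional[str]) -> FakeResponse:
        self.calls += 1
        queued = self._pending_failures.get(page_token)
        if queued:
            return FakeResponse(queued.pop(0), {"message": "simulated error"})
        idx = 0 if page_token is None else int(page_token)
        next_token = str(idx + 1) if idx + 1 < len(self._pages) else None
        return FakeResponse(200, {"items": self._pages[idx], "nextPageToken": next_token})


def fetch_with_retry(
    call: Callable[[], FakeResponse],
    *,
    max_retries: int = 3,
    base_delay: float = 0.5,
    retry_on: tuple = (429, 503),
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, Any]:
    """Call the endpoint, retrying with exponential backoff only on load-related
    status codes. Other failures (4xx/5xx) are raised immediately so that a
    bad request or auth problem is not hidden behind repeated retries."""
    for attempt in range(max_retries + 1):
        resp = call()
        if resp.status_code == 200:
            return resp.payload
        if resp.status_code not in retry_on or attempt == max_retries:
            raise RuntimeError(
                f"request failed with HTTP {resp.status_code} after {attempt + 1} attempt(s)"
            )
        sleep(base_delay * (2 ** attempt))
    raise AssertionError("unreachable")


def paginate_search(api: FakePrismaApi, *, max_pages: int = 100, **retry_kw: Any) -> Iterator[Any]:
    """Follow nextPageToken until the API stops returning one. The max_pages
    guard prevents an endless loop if the API ever hands back a token cycle."""
    token: Optional[str] = None
    for _ in range(max_pages):
        page = fetch_with_retry(lambda: api.search(token), **retry_kw)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


def collect_all(api: FakePrismaApi, **kw: Any) -> List[Any]:
    """Convenience wrapper returning every item across all pages."""
    return list(paginate_search(api, **kw))


if __name__ == "__main__":
    # Constructed scenario: three pages, page "1" rate-limits once before succeeding.
    demo_api = FakePrismaApi([[1, 2], [3, 4], [5]], {"1": [429]})
    print(collect_all(demo_api, sleep=lambda _s: None), "in", demo_api.calls, "calls")
```

The sleep callable is injectable so tests (and notebooks) can run without real backoff delays; in production the default time.sleep applies. Keeping retries limited to 429/503 is the important design choice: retrying a 401 or 400 only burns quota and delays the error the analyst needs to see.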
Dynamic Query Definitions:
Query definitions for Prisma Cloud are stored in YAML files. The metadata in these files includes properties such as:
, name, and description: Identify the query set.
data_environments and data_families: Specify the environment (e.g., Prismacloud) and categorization for the queries.
tags and aliases: Help classify and reference queries (e.g., asset, event, config_resource queries).
defaults and sources: Provide default parameters (e.g., time unit, amount, start, end) and define dynamic query templates via macros.
Working with Query Provider:
The driver integrates with MSTICPy’s QueryProvider framework. With methods like list_queries() and browse_queries(), users can easily explore the available queries organized by family and environment. This makes it simpler to identify the appropriate query before executing it.
Query Types Implemented:
Asset Queries:
Methods like prisma_search_assets() and specialized queries such as search_asset_relative and search_asset_relative_with_prismafindings enable retrieval of asset data. These queries leverage dynamic query macros (using aliases like *asset_query_relative) to allow filtering by cloud service or asset type. This is essential for threat hunting across diverse cloud assets and for analyzing assets with findings.
This helps us analyze cloud assets in a multicloud environment.
Event Queries:
Event queries are defined via aliases such as *event_query_relative and *event_query_absolute. They are designed to retrieve security event data by either using a relative time range (e.g., last N minutes) or absolute timestamps. The driver method prisma_search_events() handles these queries, ensuring that time parameters and result limits are applied correctly for effective event monitoring.
Event queries are similar to audit logs, except that they are multicloud normalized.
Configuration Resource Queries:
Queries like prisma_search_config_resource() retrieve configuration or compliance data from Prisma Cloud. These queries are particularly useful for assessing configurations in cloud resources (e.g., Azure Key Vault) for security misconfigurations. The YAML metadata includes examples such as config_resource_firewall_disabled_azurekeyvault and config_resource_rbac_disabled_azurekeyvault, which help detect vulnerabilities in resource settings.
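The defaults/sources/macro layout described above, and the relative-versus-absolute time handling of the event queries, as an added worked example (written for this page; it is not msticpy's query store or the PR's YAML files). The query definitions below are constructed, the shared template dicts stand in for the YAML anchors that the files reference as *event_query_relative and *event_query_absolute, and the request body shape (timeRange with unit/amount or startTime/endTime, plus limit) is an assumption about the Prisma Cloud search API.

```python
"""Resolve a YAML-style query definition into a search request body.

Added illustration of the defaults/sources/macro layout; not msticpy's own
loader. QUERY_DEFS is constructed, and the timeRange/limit body shape is an
assumption about the target API.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List

# Shared "macro" templates: the Python equivalent of the YAML anchors that the
# query files alias as *event_query_relative / *event_query_absolute.
EVENT_QUERY_RELATIVE = {
    "time_range": "relative",
    "query": "event from cloud.audit_logs where cloud.type = '{cloud_type}'",
}
EVENT_QUERY_ABSOLUTE = {
    "time_range": "absolute",
    "query": "event from cloud.audit_logs where cloud.type = '{cloud_type}'",
}

# Constructed definition mirroring the metadata / defaults / sources sections.
QUERY_DEFS: Dict[str, Any] = {
    "metadata": {
        "version": 1,
        "description": "Prisma Cloud event queries (constructed example)",
        "data_environments": ["Prismacloud"],
        "data_families": ["PrismaCloud"],
        "tags": ["event"],
    },
    "defaults": {
        "parameters": {"unit": "minute", "amount": 60, "limit": 100, "cloud_type": "azure"},
    },
    "sources": {
        "events_last_n_minutes": {
            "description": "Events in the last N minutes",
            "template": EVENT_QUERY_RELATIVE,
            "parameters": {"amount": 30},  # per-query override of the default
        },
        "events_between": {
            "description": "Events between two absolute timestamps",
            "template": EVENT_QUERY_ABSOLUTE,
        },
    },
}

MAX_LIMIT = 1000  # assumed server-side cap; clamp rather than let the API reject


def _to_epoch_ms(value: Any) -> int:
    """Accept a datetime or an ISO-8601 string (with Z or offset) and return epoch ms."""
    if not isinstance(value, datetime):
        value = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return int(value.timestamp() * 1000)


def list_queries(defs: Dict[str, Any]) -> List[str]:
    """Names of the queries a provider would expose, sorted for stable display."""
    return sorted(defs["sources"])


def build_request(defs: Dict[str, Any], name: str, **overrides: Any) -> Dict[str, Any]:
    """Merge file defaults, per-query parameters and caller overrides (in that
    order), then resolve the time range according to the template's kind."""
    source = defs["sources"][name]
    params = {**defs["defaults"]["parameters"], **source.get("parameters", {}), **overrides}
    template = source["template"]
    body: Dict[str, Any] = {"query": template["query"].format(**params)}

    if template["time_range"] == "relative":
        amount = int(params["amount"])
        if amount <= 0:
            raise ValueError(f"{name}: relative amount must be positive, got {amount}")
        body["timeRange"] = {"type": "relative", "value": {"unit": params["unit"], "amount": amount}}
    else:
        missing = [p for p in ("start", "end") if p not in params]
        if missing:
            raise ValueError(f"{name}: absolute query requires parameters {missing}")
        start, end = _to_epoch_ms(params["start"]), _to_epoch_ms(params["end"])
        if end <= start:
            raise ValueError(f"{name}: end must be after start")
        body["timeRange"] = {"type": "absolute", "value": {"startTime": start, "endTime": end}}

    body["limit"] = max(1, min(int(params["limit"]), MAX_LIMIT))
    return body


if __name__ == "__main__":
    print(list_queries(QUERY_DEFS))
    print(build_request(QUERY_DEFS, "events_last_n_minutes"))
    print(build_request(QUERY_DEFS, "events_between",
                        start="2024-01-01T00:00:00Z", end="2024-01-01T01:00:00Z"))
```

The merge order (file defaults, then the query's own parameters, then the caller's overrides) is what lets a single macro serve many named queries while still letting an analyst narrow the window at call time. Failing early on a missing start/end for an absolute query, or a non-positive amount for a relative one, surfaces a misconfigured query definition before any API call is made.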
Testing
Notes