Palo Alto Prisma Cloud
runZero integrates with Palo Alto Prisma Cloud by importing data from the Prisma API. This integration allows you to sync data about your cloud assets and vulnerabilities from Prisma to provide better visibility of your cloud assets and security posture. The supported Prisma cloud sources are AWS, Azure, and GCP.
Getting started with Prisma
To set up an integration with Prisma, you’ll need to:
- Create a Palo Alto Prisma Cloud credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Step 1: Obtain your Prisma API credentials
- Follow the Prisma documentation to create a Prisma Cloud user role with sufficient permissions. See user role descriptions for more information.
- Obtain your Prisma Cloud API access key and secret key. These will be used to authenticate against the Prisma Cloud API. Follow the Prisma documentation to configure them properly.
- Identify your API URL. This will be sent to you from Palo Alto in your fulfillment email. See possible URL values.
Step 2: Add the Prisma credential to runZero
- Go to the Credentials page in runZero. Provide a name for the credentials, like Palo Alto Networks Prisma Cloud.
- Choose Prisma Client Secret from the list of credential types.
- Create your Prisma service account via the settings page in the Prisma portal, and then provide the following information:
  - Prisma Cloud Access Key - The access key you obtained from the steps above.
  - Prisma Cloud Secret Key - The secret key you obtained from the steps above.
  - Prisma API URL - The API Endpoint URL used to access the Prisma API.
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from Prisma Cloud.
Step 3: Choose how to configure the Prisma integration
The Prisma integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.
Step 4: Set up and activate the integration to sync data
After you add your Prisma credential, you’ll need to sync your data from Prisma.
Step 4a: Configure the Prisma integration as a connector task
A connection requires you to specify a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Prisma-only assets are created.
- Activate a connection to Prisma. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
- Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
- Use the Exclude importing vulnerabilities toggle to choose whether vulnerability records are saved.
- Use the Exclude importing software toggle to choose whether software records are saved.
- Enable the Exclude assets that can not be merged into an existing asset toggle if you want to enrich existing assets only, without creating new asset records.
- Set the severity and risk levels you want to import.
- Enter a name for the task, like Prisma Sync (optional).
- In the Run task with section, choose the Explorer or Explorer Group to perform this connector task from (optional).
- Choose the site you want to add your assets to. All newly discovered assets will be stored in this site.
- Enter a description for the task (optional).
- Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
- Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.
Step 4b: Configure the Prisma integration as a scan probe
You can run the Prisma integration as a scan probe so that the runZero Explorer will pull your Prisma assets into the runZero Console.
In a new or existing scan configuration:
- Ensure that the Prisma option is set to Yes in the Probes and SNMP tab and change any of the default options if needed.
- Optionally, set the severity and risk levels for ingested vulnerability results.
- Set the correct Prisma credential to Yes in the Credentials tab.
Step 5: View Prisma assets and vulnerabilities
After a successful sync, you can go to your inventory to view your Prisma assets. These assets will have a Prisma icon listed in the Source column.
The Prisma integration gathers details about vulnerabilities detected in addition to enriching asset inventory data. Go to Inventory > Vulnerabilities to view the vulnerability data provided by Prisma.
To filter by Prisma assets, consider running the following query:
- source:Prisma
Click into each asset to see its individual attributes. runZero will show you the attributes gathered from Prisma Cloud.
Troubleshooting
If you see authentication or access errors when running the integration, it is likely that the API URL set for your credential is incorrect. Refer to the fulfillment email you received from Palo Alto. This will contain the correct API URL to use.
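To tell a wrong API URL apart from rejected keys before saving the credential in runZero, the same three values can be tested directly against the Prisma Cloud API. The script below is an added example, not runZero or Palo Alto code. It assumes the Prisma Cloud API's POST /login endpoint, which takes the access key as username and the secret key as password; the environment variable names and the result messages are this example's own.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def normalize_api_url(raw):
    """Reduce the configured value to https://host[:port]; reject anything else."""
    parts = urlsplit(raw.strip())
    if parts.scheme != "https" or not parts.hostname or parts.username:
        raise ValueError("API URL must look like https://<api-host>")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def build_login_request(api_url, access_key, secret_key):
    """POST /login with the access key as username and the secret key as password."""
    body = json.dumps({"username": access_key, "password": secret_key}).encode()
    return urllib.request.Request(
        normalize_api_url(api_url) + "/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def diagnose(status=None, error=None):
    """Map the login outcome to the field of the runZero credential to re-check."""
    if error is not None:
        return f"unreachable: check the API URL against the fulfillment email ({error})"
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "rejected: keys are not valid on this API URL (wrong URL or wrong keys)"
    return f"unexpected: HTTP {status}, confirm the URL is the API endpoint"


def check(api_url, access_key, secret_key, timeout=10):
    req = build_login_request(api_url, access_key, secret_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(status=resp.status)
    except urllib.error.HTTPError as exc:   # server answered with an error status
        return diagnose(status=exc.code)
    except urllib.error.URLError as exc:    # DNS, TLS or connection failure
        return diagnose(error=exc.reason)


if __name__ == "__main__":
    # Hypothetical variable names; keeps the secret out of argv and shell history.
    env = os.environ
    print(check(env["PRISMA_API_URL"], env["PRISMA_ACCESS_KEY"], env["PRISMA_SECRET_KEY"]))
```

Run it from the host that will perform the sync (the Explorer, if one is selected), so the result reflects that host's network path to the API.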