Palo Alto Prisma Cloud is a robust cloud security platform that safeguards data and applications across various cloud environments. It offers threat detection, vulnerability management, and compliance monitoring in a unified solution. Prisma Cloud provides real-time visibility and control over cloud resources.
Integration: API
Tables: Compliance Finding
Events: Device information, Alerts, Compute, Web Resources
This integration has been tested against Palo Alto Prisma Cloud platform v2.
Prisma Cloud Setup
In the Palo Alto Prisma Cloud platform, navigate to Settings > Access Control.
Select Access Keys, then click the Add button in the upper right corner.
Enter a name for the access key and click Save.
Copy the Access Key ID and the Secret Access Key. This is your unique API_SECRET_KEY.
Note: You will not be able to view the API key again after you complete this step. Ensure that you copy it before closing the notification.
Document Reference: https://pan.dev/prisma-cloud/api/cspm/
DataBee Setup
To configure the Data Source, log in to the DataBee UI, click the Data tab, and click Add New Data Source. Search for and select Palo Alto Prisma Cloud.
Select the API Ingest option as the collection method. Enter a name for the Data Source and the other relevant information described below.
In the connection dialog, enter the following:
Authorization Method: Token URL Auth
Username: Paste the Access Key ID saved earlier
Password: Paste the Secret Access Key saved earlier
Event Samples
Alerts
{
"totalRows": 257,
"items": [
{
"id": "N-3054",
"status": "open",
"reason": "NEW_ALERT",
"firstSeen": 1725882860893,
"lastSeen": 1725882860893,
"alertTime": 1725882860893,
"lastUpdated": 1725882860893,
"policyId": "2a07903d-9538-42ab-a3cd-80ce68fa9bf7",
"metadata": null,
"policy": {
"policyId": "2a07903d-9538-42ab-a3cd-80ce68fa9bf7",
"name": "GCP VM instance with network path from the internet (0.0.0.0/0) on Admin ports",
"policyType": "network",
"systemDefault": true,
"description": "This policy identifies GCP VM instances with network path from the internet (0.0.0.0/0) on ports 22/3389.\n\nGCP VM instances with network path from the internet increases the risk of unauthorized access, cyber attacks, and data breaches, as it may provide a larger attack surface for malicious actors. Such instances are especially prone to brute force or vulnerability exploits. Port 22 and 2289 are frequently targeted ports and utilized for remote access using SSH and RDP protocols respectively, making them susceptible to attacks like brute force and vulnerability exposure/exploitation.\n\nAs a best practice, restrict traffic from unknown IP addresses and limit the access from known hosts, services, or specific entities.",
"severity": "high",
"recommendation": "Restrict access to GCP VM instance by modifying VPC Firewall rules\n1. Login to the GCP Console\n2. Go to 'VM instance'\n3. Identify the VM instance that you want to restrict Internet access\n4. Update the VPC firewall rule that allows Internet access (0.0.0.0/0) on ports 22/3389 to a trusted IP address\nRefer to the following links for detailed steps to modify VPC firewall rules,\n- To list VPC firewall rules for a network interface of a VM instance\nhttps://cloud.google.com/firewall/docs/using-firewalls#listing-rules-vm\n- To Update VPC firewall rules\nhttps://cloud.google.com/firewall/docs/using-firewalls#updating_firewall_rules\n\nNOTE: When modifying Network security group rules, ensure that you don't lock yourself out of the instances. Always have a rule that allows you to access them for management purposes.",
"labels": [
"Prisma_Cloud",
"Attack Path Rule"
],
"lastModifiedOn": 1723655341663,
"lastModifiedBy": "template@redlock.io",
"deleted": false,
"findingTypes": [],
"hasSearchExecutionSupport": true,
"remediable": false
},
"alertRules": [],
"history": [],
"resource": {
"rrn": "rrn:gcp:instance:us-central1:msel-47280:a394eae9099d9296071a3b7b21fe5adb9c58617c:2210706072202838120",
"id": "2210706072202838120",
"name": "gke-cluster-1-default-pool-cc42b5b9-zrbr",
"account": "Google Cloud Account",
"accountId": "msel-47280",
"cloudAccountGroups": [
"Default Account Group",
"CDS Account Group"
],
"region": "GCP Iowa",
"regionId": "us-central1",
"resourceType": "INSTANCE",
"resourceApiName": "gcloud-compute-instances-list",
"cloudServiceName": "Google Compute Engine",
"url": "https://console.cloud.google.com/compute/instancesDetail/zones//instances/?project=",
"data": null,
"additionalInfo": null,
"cloudType": "gcp",
"resourceTs": 1725882854999,
"cloudAccountOwners": [
"mayank.joshi@crestdata.ai"
],
"unifiedAssetId": "308a9c30a5bfc347b4d4600c554c086f",
"resourceConfigJsonAvailable": false,
"resourceDetailsAvailable": true
},
"investigateOptions": {
"alertId": "N-3054"
}
}
],
"nextPageToken": "eyJ0aW1lUmFuZ2VUeXBlIjpudWxsLCJkZXRhaWxlZCI6dHJ1ZSwibGltaXQiOjEsInNvcnRCeSI6WyJhbGVydFRpbWU6ZGVzYyJdLCJzZWFyY2hBZnRlciI6WzE3MjU4ODI4NjA4OTMsMzA1NF0sImZpbHRlcnMiOltdLCJmaWVsZHMiOltdLCJ0aW1lUmFuZ2UiOnsidHlwZSI6ImFic29sdXRlIiwidmFsdWUiOnsic3RhcnRUaW1lIjoxNjM5NDg3NDI0MzQwLCJlbmRUaW1lIjoxNzI1ODg3NDI0MzQwfSwiZm9yRmllbGQiOiJsYXN0T3BlblN0YXRlVHMifSwid2ViQ2xpZW50IjpmYWxzZX0=",
"sortAllowedColumns": [
"firstseen",
"lastseen",
"resource.regionid",
"alerttime",
"id",
"resource.accountid",
"status",
"resource.id"
]
}
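As an added example, not code from the DataBee or Prisma Cloud documentation: a Python routine that walks Alerts pages shaped like the sample above by following nextPageToken, converts the epoch-millisecond timestamps exactly, and flattens each alert to the fields an analyst pivots on (severity, policy, account, region, resource RRN). The HTTP call is replaced by a stand-in that serves constructed pages, and the token value is a placeholder.

```python
from datetime import datetime, timezone
from typing import Callable, Iterator, Optional

# Constructed sample pages, trimmed to the Alerts shape shown above. The first page carries a
# nextPageToken (placeholder value, not a real token); the second ends pagination with null.
PAGE_1 = {"totalRows": 2, "nextPageToken": "PLACEHOLDER-TOKEN-PAGE-2", "items": [{
    "id": "N-3054", "status": "open", "reason": "NEW_ALERT", "alertTime": 1725882860893,
    "policy": {"name": "GCP VM instance with network path from the internet (0.0.0.0/0) on Admin ports",
               "severity": "high", "policyType": "network"},
    "resource": {"rrn": "rrn:gcp:instance:us-central1:msel-47280:a394eae9099d9296071a3b7b21fe5adb9c58617c:2210706072202838120",
                 "accountId": "msel-47280", "regionId": "us-central1", "cloudType": "gcp"}}]}
PAGE_2 = {"totalRows": 2, "nextPageToken": None, "items": [{
    "id": "N-3055", "status": "resolved", "reason": "RESOURCE_DELETED", "alertTime": 1725883000000,
    "policy": {"name": "Example policy", "severity": "low", "policyType": "config"}, "resource": {}}]}

def epoch_ms_to_iso(ms: int) -> str:
    """Prisma Cloud timestamps are epoch milliseconds; convert exactly (no float math) to ISO 8601 UTC."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000).isoformat()

def flatten_alert(item: dict) -> dict:
    """Reduce one alert object to its pivot fields; absent nested objects yield None rather than KeyError."""
    policy, resource = item.get("policy") or {}, item.get("resource") or {}
    return {
        "alert_id": item.get("id"), "status": item.get("status"), "reason": item.get("reason"),
        "alert_time": epoch_ms_to_iso(item["alertTime"]) if item.get("alertTime") else None,
        "severity": policy.get("severity"), "policy_name": policy.get("name"),
        "cloud": resource.get("cloudType"), "account_id": resource.get("accountId"),
        "region": resource.get("regionId"), "resource_rrn": resource.get("rrn"),
    }

def iter_alerts(fetch_page: Callable[[Optional[str]], dict], max_pages: int = 1000) -> Iterator[dict]:
    """Walk pages by nextPageToken until the API returns none; max_pages guards against a token that never ends."""
    token: Optional[str] = None
    for _ in range(max_pages):
        page = fetch_page(token)
        for item in page.get("items", []):
            yield flatten_alert(item)
        token = page.get("nextPageToken")
        if not token:
            return

def fake_fetch(token: Optional[str]) -> dict:
    """Stand-in for the HTTP call that would send the token back to the alerts endpoint; serves constructed pages."""
    return PAGE_1 if token is None else PAGE_2

def collect_all() -> list:
    """Drain every page through the stand-in fetcher and return the flattened alerts."""
    return list(iter_alerts(fake_fetch))
```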