Prisma Cloud
Prisma Cloud provides visibility, threat prevention, and data protection across your cloud environments. By bringing your cloud data from Prisma Cloud into Brinqa, you can build a clear view of your security risks, prioritize them effectively, simplify remediation processes, and improve compliance reporting to strengthen your overall cybersecurity approach.
This document details the information you must provide for the connector to authenticate with Prisma Cloud and how to obtain that information from Prisma Cloud. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Prisma Cloud from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Prisma Cloud with Brinqa:
- API URL: The Prisma Cloud API URL. The default URL is https://api.prismacloud.io
  - To identify the appropriate API URL, you must determine the location or group to which your account or organization is assigned within Prisma Cloud. The API URL corresponds to this location or group. Consult Prisma Cloud documentation for a complete list of admin console and API URLs.
- API key and Secret key: The API key and Secret key associated with the Prisma Cloud account, which must have permissions to log in to the API server and return data.
Generate Prisma Cloud API keys
For the Prisma Cloud connector to use the Prisma Cloud API, you must provide the API credentials from Prisma Cloud. To generate new API keys, follow these steps:
- Log in to your organization's Prisma Cloud server as a System Administrator. By default, only the System Administrator has API access and can enable API access for other administrators.
- Navigate to Settings > Access Control > Access Keys.
- Click Add in the upper-right corner of the page, and then click Access Key. The Create Access Key window displays.
- Enter a name for the key.
- If your company's policies require it, enable key expiration and specify a date.
- Click Save to generate the keys.
  A window appears and displays your Access Key ID and Secret Access Key. The Access Key functions as the API key for authentication. Copy the Access Key and Secret Key and store them in a secure location. You cannot view the Secret Key again. If you need a new key, you must generate a new one.
  In order for the Prisma Cloud connector to successfully retrieve data from the Prisma Cloud API, the access key and secret key must be tied to a user role with read-only access.
- Click Done.
If you do not have the permissions to create access keys, contact your Prisma Cloud system administrator. For additional information see Prisma Cloud documentation.
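A way to confirm that a newly generated key pair can log in to the API server and return data before entering it in the connector settings (an added example, not Brinqa or Prisma Cloud code). It assumes the CSPM login call, POST /login with the Access Key ID as username and the Secret Key as password, and the x-redlock-auth token header, neither of which appears on this page; the environment variable names are the example's own.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

DEFAULT_API_URL = "https://api.prismacloud.io"  # default from the connection settings
REQUEST_TIMEOUT = 120  # seconds, the connector's default request timeout


def _http_send(req, timeout):
    """Real transport: send the request and return the decoded JSON body."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_access_key(api_url, access_key, secret_key, send=_http_send):
    """Log in with the key pair, then read one endpoint the connector uses.

    Returns the number of account groups visible to the key.
    """
    parts = urlsplit(api_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API URL must be an https:// URL")
    base = api_url.rstrip("/")

    # CSPM login (not shown on this page): Access Key ID as username,
    # Secret Key as password; the JSON response carries a "token".
    body = json.dumps({"username": access_key, "password": secret_key}).encode()
    login = urllib.request.Request(
        base + "/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    token = send(login, REQUEST_TIMEOUT).get("token")
    if not token:
        raise ValueError("login response contained no token")

    # GET /cloud/group is the Account Group endpoint in Table 6; it is
    # assumed here to return a JSON array.
    groups = urllib.request.Request(
        base + "/cloud/group", method="GET",
        headers={"x-redlock-auth": token, "Accept": "application/json"})
    return len(send(groups, REQUEST_TIMEOUT))


if __name__ == "__main__":
    # Environment variable names are this example's own choice.
    count = check_access_key(os.environ.get("PRISMA_API_URL", DEFAULT_API_URL),
                             os.environ["PRISMA_ACCESS_KEY"],
                             os.environ["PRISMA_SECRET_KEY"])
    print(f"key accepted; {count} account group(s) readable")
```

Reading the key pair from the environment keeps the Secret Key out of shell history and source control; an HTTP 401 from the login call surfaces as urllib.error.HTTPError.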
Additional settings
The Prisma Cloud connector contains additional options for configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.
- Maximum retries: The maximum number of times that the integration attempts to connect to the API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Prisma Cloud connector can retrieve the following types of data from the Prisma Cloud API:
Table 1: Data retrieved from Prisma Cloud
Connector Object | Required | Maps to Data Model |
---|---|---|
Account Group | No | Not mapped |
Cloud Account | No | Not mapped |
Cloud Resource | Yes | Cloud Resource |
Control Signature | Yes | Violation Definition |
Host | Yes | Host |
Security Alert | Yes | Violation |
For detailed steps on how to view the data retrieved from Prisma Cloud in the Brinqa Platform, see How to view your data.
Attribute mappings
The tables below show the mappings between the source and the Brinqa data model attributes for the Cloud Resource, Control Signature, and Security Alert objects.
Table 2: Cloud Resource attribute mappings
Source Field Name | Maps to Attribute |
---|---|
account_groups | Local variable |
account_id | cloudAccountId |
account_name | Local variable |
account_owners | Local variable |
cloud_provider_url | Local variable |
cloud_service_name | cloudProvider |
cloud_type | Local variable |
last_seen | lastSeen |
name | name |
region | cloudRegion |
resource_config | Local variable |
resource_type | categories |
rrn | Local variable |
sys_id | uid |
Table 3: Control Signature attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cloud_type | Local variable |
compliance_standard | Local variable |
created_on | sourceCreatedDate |
deleted | Local variable |
description | description |
enabled | Local variable |
labels | tags |
last_modifed | sourceLastModified |
name | name |
open_alerts_counts | Local variable |
owner | Local variable |
patchable | patchAvailable |
policy_mode | Local variable |
policy_type | categories |
recommendation | recommendation |
remediable | patchable |
remediation | description |
rule | Local variable |
severity | severity, severityScore |
sys_id | uid |
system_default | Local variable |
Table 4: Security Alert attribute mappings
Source Field Name | Maps to Attribute |
---|---|
account_id | cloudAccountId |
account_name | Local variable |
alert_time | Local variable |
cloud_type | Local variable |
first_seen | firstSeen |
last_seen | lastSeen |
policy_id | type |
reason | results |
region | Local variable |
resource_id | targets |
resource_name | Local variable |
resource_type | Local variable |
status | status, statusCategory |
sys_id | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Prisma Cloud connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: Prisma Cloud connector operation options
Connector Object | Operation Options |
---|---|
Cloud Resource | See Prisma Cloud documentation on List Alert Filters |
Security Alert | See Prisma Cloud documentation on List Alert Filters |
The option keys and values are case-sensitive as they are shown in the Prisma Cloud documentation.
APIs
The Prisma Cloud connector uses the Cloud Security Posture Management (CSPM) API. Specifically, it uses the following endpoints:
Table 6: Prisma Cloud API endpoints
Connector Object | API Endpoint |
---|---|
Account Group | GET /cloud/group |
Cloud Account | GET /cloud |
Cloud Resource | GET /v2/resource/scan_info |
Control Signature | GET /policy |
Host | GET /v2/resource/scan_info |
Security Alert | GET /v2/alert, GET alert/jobs/{jobId}/status |
Changelog
The Prisma Cloud connector has undergone the following changes:
3.1.1
- No change.
3.1.0
- No change.
3.0.13
- No change.
3.0.12
- No change.
3.0.11
- No change.
3.0.10
- Fixed a sync issue with the Cloud Resource object. As a result, two new connection settings were added to make the timeout configurable: Maximum retries and Request timeout.
3.0.9
- No change.
3.0.8
- Increased the Read timeout setting to account for slower-than-expected API responses.
3.0.7
- Started fetching asset type information from Prisma Cloud.
- Added Host to the list of connector objects retrieved.
- Added an excludeAssetTypes operation option in the Cloud Resource object.
- Added an includeAssetTypes operation option in the Host object.
3.0.6
- Added 'Account' and 'Account Groups' as tags in the Cloud Resource object.
3.0.3
- Started to sync all Violation Definition records, including the ones that have been deleted.
3.0.1
- Initial Integration+ release.