
Prisma Cloud
Cloud Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Prisma Cloud connector integrates with Palo Alto Networks' Prisma Cloud (CSPM) platform to synchronize cloud-account inventory, account groupings, scanned cloud resources, host assets, security policies, and the alerts those policies raise. Alert and asset retrieval is partitioned per cloud account and fetched in parallel, so syncs scale to tenants with millions of alerts without exceeding the connector's sync window.
Data retrieved from Prisma Cloud
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Account Group | Yes | Account Group |
| Cloud Account | Yes | Cloud Account |
| Cloud Resource | Yes | Cloud Resource |
| Host | Yes | Host |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
Model relationships
For detailed steps on how to view the data retrieved from Prisma Cloud in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Prisma Cloud from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API Url | Yes | https://api.prismacloud.io/ | Prisma Cloud API address |
| API key | Yes | — | Prisma Cloud API key |
| Secret key | Yes | — | Prisma Cloud API secret key |
| Page size | No | 1000 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, cpu cores) | Maximum number of parallel API requests |
| Request timeout (secs) | No | 120 | Maximum seconds allotted before a request will time out. Enter zero (0) to disable timeouts (not recommended) |
| Maximum retries | No | 5 | Maximum number of retry attempts before giving up a request |
| Host custom properties | No | empty | Comma-delimited list of case-insensitive custom property names to promote as attributes on the host |
Authentication
Method
API access key + secret key exchanged for a short-lived JSON Web Token (JWT) via the /login endpoint. The JWT is then sent on every subsequent request via the x-redlock-auth header.
Endpoint
| Method | URL |
|---|---|
POST | {url}/login |
Request Headers
| Header | Value |
|---|---|
Content-Type | application/json |
Accept | application/json |
Request Body
{
"username": "<api-access-key>",
"password": "<api-secret-key>"
}
Sample Response
{
"token": "eyJhbGciOiJIUzI1NiJ9...",
"message": "login_successful",
"customerNames": [
{
"customerName": "...",
"tosAccepted": true
}
]
}
Response Fields
| Field | Type | Description |
|---|---|---|
token | string | JWT used to authorize all subsequent API requests. Lifetime ~10 minutes. |
message | string | Login result indicator. |
customerNames | array | Customer names tied to this credential (multi-tenant accounts). |
Usage
All subsequent API requests include the token as a custom header:
x-redlock-auth: <token>
Obtaining Credentials
In Prisma Cloud, Settings → Access Control → Access Keys → Add Access Key. By default only a System Admin can issue access keys and grant API access to other administrators. After generating an access key, the secret is shown once — capture it at that point.
The connector requires only Authorization with the access key + secret key sufficient to generate the JWT; no additional scopes are needed beyond the ability to call the listed endpoints.
How to obtain Prisma Cloud credentials
Generate Prisma Cloud API keys
For the Prisma Cloud connector to use the Prisma Cloud API, you must provide the API credentials from Prisma Cloud. To generate new API keys, follow these steps:
-
Log in to your organization's Prisma Cloud server as a System Administrator. By default, only the System Administrator has API access and can enable API access for other administrators.
-
Navigate to Settings > Access Control > Access Keys.
-
Click Add in the upper-right corner of the page, and then click Access Key. The Create Access Key window displays.
-
Enter a name for the key.
-
If your company's policies require it, enable key expiration and specify a date.
-
Click Save to generate the keys.
A window appears and displays your Access Key ID and Secret Access Key. The Access Key functions as the API key for authentication. Copy the Access Key and Secret Key and store them in a secure location. You cannot view the Secret Key again. If you need a new key, you must generate a new one.
In order for the Prisma Cloud connector to successfully retrieve data from the Prisma Cloud API, the access key and secret key must be tied to a user role with read-only access.
-
Click Done.
Note: If you do not have the permissions to create access keys, contact your Prisma Cloud system administrator. For additional information see Prisma Cloud documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Account Group
| Source Field Name | SDM Attribute |
|---|---|
group.description | DESCRIPTION |
group.id | UID |
group.id (display name overwritten by group.name) | NAME |
group.lastModifiedTs | LAST_MODIFIED |
Instant.now() | LAST_CAPTURED |
Cloud Account
| Source Field Name | SDM Attribute |
|---|---|
(set by connector for enumerated children) | PARENT_ID |
account.accountId | UID |
account.accountId (overwritten by account.name) | NAME |
account.accountType | ACCOUNT_TYPE |
account.addedOn | ADDED_ON |
account.cloudType | CLOUD_TYPE |
account.enabled | ENABLED |
account.groupIds | ACCOUNT_GROUPS |
account.lastModifiedTs | LAST_MODIFIED |
account.numberOfChildAccounts | NUMBER_OF_CHILD_ACCOUNTS |
account.status | STATUS |
Instant.now() | LAST_CAPTURED |
Cloud Resource
| Source Field Name | SDM Attribute |
|---|---|
| composed from accountName and cloudAccountGroups | TAGS |
Instant.now() | LAST_CAPTURED |
resource.account (alert) or scannedAsset.accountName | ACCOUNT_NAME |
resource.accountId / scannedAsset.accountId | CLOUD_ACCOUNT_ID |
resource.cloudAccountGroups | ACCOUNT_GROUPS |
resource.cloudAccountOwners | ACCOUNT_OWNERS |
resource.cloudType / scannedAsset.cloudType | CLOUD_TYPE |
resource.data (full config blob) serialized as JSON | RESOURCE_CONFIG |
resource.name (alert) or scannedAsset.name | NAME |
resource.region (alert) or scannedAsset.regionName | REGION |
resource.resourceTs | LAST_SEEN |
resource.resourceType + scannedAsset.assetType + cloud-resource | CATEGORIES |
resource.rrn → falls back to scannedAsset.rrn | RRN |
resource.uid (alert) or scannedAsset.uid | UID |
scannedAsset.assetType | ASSET_TYPE |
Host
| Source Field Name | SDM Attribute |
|---|---|
| API name used to retrieve the host | HOST_API |
| composed from accountName | TAGS |
configCloudResource.accountId | CLOUD_ACCOUNT_ID |
configCloudResource.accountName | ACCOUNT_NAME |
configCloudResource.cloudType | CLOUD_TYPE |
configCloudResource.data serialized as JSON | RESOURCE_CONFIG |
configCloudResource.insertTs | LAST_SEEN |
configCloudResource.name | NAME |
configCloudResource.regionName | REGION |
configCloudResource.resourceType | ASSET_TYPE |
configCloudResource.rrn | RRN |
configCloudResource.service | CLOUD_PROVIDER |
configCloudResource.uid | UID |
data.platform | OPERATING_SYSTEM |
data.properties.networkProfile.networkInterfaces[].privateIpAddress | PRIVATE_IP_ADDRESSES |
data.properties.networkProfile.networkInterfaces[].publicIpAddress | PUBLIC_IP_ADDRESSES |
data.properties.osProfile.computerName (Azure) → data.privateDnsName (AWS) → name (fallback) | HOSTNAMES |
data.publicDnsName | PUBLIC_DNS_NAMES |
data.publicDnsName | DNS_NAMES |
data.tags[<name>] for each name in the customProperties config option | CUSTOM_<name> |
Instant.now() | LAST_CAPTURED |
resourceType + api (e.g., aws-ec2-describe-instances) + cloud-resource | CATEGORIES |
| union of public + private | IP_ADDRESSES |
Violation
| Source Field Name | SDM Attribute |
|---|---|
alert.alertTime | ALERT_TIME |
alert.firstSeen | FIRST_FOUND |
alert.id | UID |
alert.lastSeen | LAST_FOUND |
alert.policyId | TYPE |
alert.reason | RESULTS |
alert.resource.account | ACCOUNT_NAME |
alert.resource.accountId | CLOUD_ACCOUNT_ID |
alert.resource.cloudType | CLOUD_TYPE |
alert.resource.name | RESOURCE_NAME |
alert.resource.region | REGION |
alert.resource.resourceType | RESOURCE_TYPE |
alert.resource.uid | TARGETS |
alert.status | PROVIDER_STATUS |
| derived from STATUS | STATUS_CATEGORY |
Instant.now() | LAST_CAPTURED |
normalized from alert.status | STATUS |
normalized from alert.status | SOURCE_STATUS |
Violation Definition
| Source Field Name | SDM Attribute |
|---|---|
| derived from normalized severity | SEVERITY_SCORE |
Instant.now() | LAST_CAPTURED |
normalized from policy.severity | SEVERITY |
policy.cloudType | CLOUD_TYPE |
policy.complianceStandards | COMPLIANCE_STANDARD |
policy.createdOn | SOURCE_CREATED_DATE |
policy.deleted | DELETED |
policy.description + policy.remediation (concatenated) | DESCRIPTION |
policy.enabled | ENABLED |
policy.labels | TAGS |
policy.lastModifiedOn | SOURCE_LAST_MODIFIED |
policy.name | NAME |
policy.openAlertsCount | OPEN_ALERTS_COUNT |
policy.owner | OWNER |
policy.policyId | UID |
policy.policyMode | POLICY_MODE |
policy.policyType | CATEGORIES |
policy.recommendation | RECOMMENDATION |
policy.remediable | PATCHABLE |
policy.rule.name | RULE |
policy.severity | SOURCE_SEVERITY |
policy.systemDefault | SYSTEM_DEFAULT |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Account Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /cloud/group
Cloud Account
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint
Cloud Resource
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (two sources merged into one asset)
Host
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (RQL config search) · Endpoint:
POST /search/api/v2/config
Violation
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
POST /v2/alert
Violation Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /policy?policy.allowDeleted=true
Changelog
The Prisma Cloud connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.4.2 | Improvements - Upgraded Prisma Cloud connector to the latest platform standards for improved reliability and consistency - Updated connector to align with model SDK changes to use the latest storage and schema registration across all models - Added a Last Captured timestamp to all synced data types, making it easier to track when data was last refreshed - Improved alert status reporting — Violations and Vulnerabilities now include both the original source status ( Provider Status) and a normalized status (Source Status) for clearer filtering and analysis. - Account Group & Cloud Account date fields improved — The "Last Modified" and "Added On" fields on Account Groups and Cloud Accounts now store proper date-and-time values instead of raw numbers - Standardized attribute naming and definitions across all data types to align with other Brinqa connectors - Refreshed connector documentation to reflect all current capabilities and configuration options | • Prisma Cloud Connector — Account Group: The Last Modified attribute type changed from Long to Instant — Action: re-sync • Prisma Cloud Connector — Cloud Account: The Last Modified and Added On attribute types changed from Long to Instant — Action: re-sync |
| 3.4.1 | No changes in this release. | N/A |
| 3.4.0 | Improvements Faster Violation and Cloud Resource Sync for Large Tenants Switched the Violation and Cloud Resource sources from the asynchronous /alert/jobs job-export endpoint to the paginated /v2/alert endpoint. Tenants with large alert volumes — where Prisma's job-export side could not return a downloadable result within the connector's sync window — now stream alerts page by page and complete within normal sync intervals. Parallel Per-Account Alert Fetching Alert retrieval is now partitioned by cloud account and fetched in parallel. The fan-out is bounded by the existing Parallel requests configuration property (default 4), and can be adjusted per environment without a connector upgrade. Page Size Upper Bound The Page size configuration property is now capped at 10,000 (Prisma's hard limit per page). Values larger than 10,000 entered in the UI are silently clamped. Host: Cloud Provider, Last Seen, and Hostname Mappings - Cloud provider is now populated from the Prisma service field (e.g., Azure Compute, AWS EC2). - Last seen is now populated from the Prisma insertTs timestamp. - Hostnames now uses the OS-level computer name for Azure VMs (properties.osProfile.computerName), the private DNS name for AWS EC2 (privateDnsName), and falls back to the resource's top-level name for other clouds. This improves cross-source asset correlation against the Hostnames identifier. Host: Schema Cleanup Removed three attributes from the Host schema that were declared but never populated by the connector: Cloud provider url, Account owners, Account groups. No data is lost — these were always empty. Cloud Resource: Schema Cleanup Removed Cloud provider and Cloud provider url from the Cloud Resource schema. These attributes were sourced from fields that Prisma's /v2/alert endpoint does not return, so they would have been empty after the migration. Identifying and config attributes (UID, Name, Cloud account ID, Region, Resource configuration, RRN, Account owners, Account groups) are unaffected. Bug Fixes Cloud Resource RRN Coverage Preserved For cloud resources surfaced through alerts, the RRN attribute now falls back to the scan-inventory side when the alert payload does not include it. This preserves existing RRN coverage across the migration to /v2/alert. | N/A |
| 3.3.5 | No changes in this release. | N/A |
| 3.3.4 | No changes in this release. | N/A |
| 3.3.3 | No changes in this release. | N/A |
| 3.3.2 | No changes in this release. | N/A |
| 3.3.1 | No changes in this release. | N/A |
| 3.3.0 | No changes in this release. | N/A |
| 3.2.4 | No changes in this release. | N/A |
| 3.2.3 | Improvements - Local storage handling during sync was reworked to release and clean up the on-disk asset store more reliably, reducing leftover temporary data between runs. | N/A |
| 3.2.2 | Improvements - Time-based attributes on Violation (First seen, Last seen, Alert time, Last updated) and the Cloud Resource timestamp are now parsed as proper date/time values rather than raw numeric epochs, so they display and sort correctly as dates. | • Violation, Cloud Resource: The affected time attributes changed from numeric to date/time values — Action: re-sync the Prisma Cloud connector so existing assets are repopulated with the corrected types. |
| 3.2.1 | Improvements - The Account Group and Cloud Account schemas were standardized for consistent attribute titling and population (Sys ID, Name, Type, Cloud, Enabled, Status, Account groups, Added on). | N/A |
| 3.2.0 | Improvements - Host now reports network and platform details: public and private IP addresses, public and private DNS names, and operating system. - Corrected the asset-type filtering option so the configured list is applied as an exclusion as intended. | N/A |
| 3.1.3 | Improvements - Cloud Resource details are now sourced from Prisma's configuration inventory, improving the completeness and accuracy of resource attributes. | • Cloud Resource: The unique identifier is now derived from the configuration inventory record instead of the prior resource record — Action: re-sync the Prisma Cloud connector so Cloud Resource assets are re-keyed correctly. |
| 3.1.2 | No changes in this release. | N/A |
| 3.1.1 | No changes in this release. | N/A |
| 3.1.0 | No changes in this release. | N/A |
| 3.0.13 | No changes in this release. | N/A |
| 3.0.12 | No changes in this release. | N/A |
| 3.0.11 | No changes in this release. | N/A |
| 3.0.10 | New Features - Added Request timeout and Max retries configuration properties, allowing per-environment tuning of how long the connector waits for Prisma responses and how many times it retries transient failures. | N/A |
| 3.0.9 | No changes in this release. | N/A |
| 3.0.8 | Improvements - Increased the read timeout for the resource scan-info endpoint, which can be slow to respond on large tenants, reducing sync failures from premature timeouts. | N/A |
| 3.0.7 | New Features - Added the Host model, populated from Prisma's resource scan-inventory data, so host assets are synchronized alongside cloud resources. | N/A |
| 3.0.6 | Improvements - Cloud Resource now populates the Tags attribute with the originating account name and account groups, improving asset correlation and filtering. | N/A |
| 3.0.5 | No changes in this release. | N/A |
| 3.0.4 | No changes in this release. | N/A |
| 3.0.3 | Improvements - Violation Definitions now include deleted and disabled policies, so historical and inactive policy definitions remain available for reference. | N/A |
| 3.0.2 | No changes in this release. | N/A |
| 3.0.1 | New Features - Reworked the Prisma Cloud schema around a violation-centric model: added Cloud Resource, Violation, and Violation Definition models, replacing the prior Policy and Alert models. Account Group and Cloud Account remain. | • Prisma Cloud schema: The synchronized model set changed — the Policy and Alert models were replaced by Violation Definition, Violation, and Cloud Resource — Action: purge the prior Policy/Alert data and re-sync the Prisma Cloud connector to populate the new models. |
| 3.0.0 | Overview The Prisma Cloud connector integrates with Palo Alto Networks Prisma Cloud to synchronize cloud accounts, account groups, security policies, and security alerts for cloud posture visibility. Category: Cloud Security Models | N/A |