Prisma Cloud
The Prisma Cloud connector integrates with Palo Alto Networks' Prisma Cloud (CSPM) platform to synchronize cloud-account inventory, account groupings, scanned cloud resources, host assets, security policies, and the alerts those policies raise. Alert and asset retrieval is partitioned per cloud account and fetched in parallel, so syncs scale to tenants with millions of alerts without exceeding the connector's sync window.
This document details the information you must provide for the connector to authenticate with Prisma Cloud and how to obtain that information from Prisma Cloud. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Prisma Cloud from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Prisma Cloud with Brinqa:
-
API URL: The Prisma Cloud API URL. The default URL is
https://api.prismacloud.io- To identify the appropriate API URL, you must determine the location or group to which your account or organization is assigned within Prisma Cloud. The API URL corresponds to this location or group. Consult Prisma Cloud documentation for a complete list of admin console and API URLs.
-
API key and Secret key: The API key and Secret key associated with the Prisma Cloud account, which must have permissions to log in to the API server and return data.
Generate Prisma Cloud API keys
For the Prisma Cloud connector to use the Prisma Cloud API, you must provide the API credentials from Prisma Cloud. To generate new API keys, follow these steps:
-
Log in to your organization's Prisma Cloud server as a System Administrator. By default, only the System Administrator has API access and can enable API access for other administrators.
-
Navigate to Settings > Access Control > Access Keys.
-
Click Add in the upper-right corner of the page, and then click Access Key. The Create Access Key window displays.
-
Enter a name for the key.
-
If your company's policies require it, enable key expiration and specify a date.
-
Click Save to generate the keys.
A window appears and displays your Access Key ID and Secret Access Key. The Access Key functions as the API key for authentication. Copy the Access Key and Secret Key and store them in a secure location. You cannot view the Secret Key again. If you need a new key, you must generate a new one.
In order for the Prisma Cloud connector to successfully retrieve data from the Prisma Cloud API, the access key and secret key must be tied to a user role with read-only access.
-
Click Done.
If you do not have the permissions to create access keys, contact your Prisma Cloud system administrator. For additional information see Prisma Cloud documentation.
Additional settings
The Prisma Cloud connector contains additional options for configuration:
-
Host custom properties: Specify a comma-separated list of case-insensitive custom property names to promote as attributes on the Host object.
-
Page size: The maximum number of records to get per API request. The default setting is 1000. Capped at 10,000 (Prisma's hard upper limit).
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
-
Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Prisma Cloud API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Prisma Cloud connector can retrieve the following types of data from the Prisma Cloud API:
Table 1: Data retrieved from Prisma Cloud
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Account Group | No | Not mapped |
| Cloud Account | No | Not mapped |
| Cloud Resource | Yes | Cloud Resource |
| Host | Yes | Host |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
For detailed steps on how to view the data retrieved from Prisma Cloud in the Brinqa Platform, see How to view your data.
Model Relationship Diagram
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Account Group
Table 2: Account Group attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| group.description | DESCRIPTION |
| group.id | NAME, SYS_ID, UID |
| group.lastModifiedTs | LAST_MODIFIED |
Cloud Account
Table 3: Cloud Account attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| (set by connector for enumerated children) | PARENT_ID |
| account.accountId | NAME, SYS_ID, UID |
| account.accountType | ACCOUNT_TYPE |
| account.addedOn | ADDED_ON |
| account.cloudType | CLOUD_TYPE |
| account.enabled | ENABLED |
| account.groupIds | ACCOUNT_GROUPS |
| account.lastModifiedTs | LAST_MODIFIED |
| account.numberOfChildAccounts | NUMBER_OF_CHILD_ACCOUNTS |
| account.status | STATUS |
Cloud Resource
Table 4: Cloud Resource attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| accountName and cloudAccountGroups | TAGS |
| resource.account (alert) or scannedAsset.accountName | ACCOUNT_NAME |
| resource.accountId / scannedAsset.accountId | CLOUD_ACCOUNT_ID |
| resource.cloudAccountGroups | ACCOUNT_GROUPS |
| resource.cloudAccountOwners | ACCOUNT_OWNERS |
| resource.cloudType / scannedAsset.cloudType | CLOUD_TYPE |
| resource.data (full config blob) serialized as JSON | RESOURCE_CONFIG |
| resource.name (alert) or scannedAsset.name | NAME |
| resource.region (alert) or scannedAsset.regionName | REGION |
| resource.resourceTs | LAST_SEEN |
| resource.resourceType + scannedAsset.assetType + cloud-resource | CATEGORIES |
| resource.rrn → falls back to scannedAsset.rrn | RRN |
| resource.uid (alert) or scannedAsset.uid | UID |
| scannedAsset.assetType | ASSET_TYPE |
Host
Table 5: Host attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| API name used to retrieve the host | HOST_API |
| accountName | TAGS |
| configCloudResource.accountId | CLOUD_ACCOUNT_ID |
| configCloudResource.accountName | ACCOUNT_NAME |
| configCloudResource.cloudType | CLOUD_TYPE |
| configCloudResource.data serialized as JSON | RESOURCE_CONFIG |
| configCloudResource.insertTs | LAST_SEEN |
| configCloudResource.name | NAME |
| configCloudResource.regionName | REGION |
| configCloudResource.resourceType | ASSET_TYPE |
| configCloudResource.rrn | RRN |
| configCloudResource.service | CLOUD_PROVIDER |
| configCloudResource.uid | UID |
| data.platform | OPERATING_SYSTEM |
| data.properties.networkProfile.networkInterfaces[].privateIpAddress | PRIVATE_IP_ADDRESSES |
| data.properties.networkProfile.networkInterfaces[].publicIpAddress | PUBLIC_IP_ADDRESSES |
| data.properties.osProfile.computerName (Azure) → data.privateDnsName (AWS) → name (fallback) | HOSTNAMES |
| data.publicDnsName | DNS_NAMES, PUBLIC_DNS_NAMES |
| data.tags[<name>] for each name in the customProperties config option | CUSTOM_<name> |
| resourceType + api + cloud-resource | CATEGORIES |
| union of public + private | IP_ADDRESSES |
Violation
Table 6: Violation attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| alert.alertTime | ALERT_TIME |
| alert.firstSeen | FIRST_FOUND |
| alert.id | NAME, UID |
| alert.lastSeen | LAST_FOUND |
| alert.policyId | TYPE |
| alert.reason | RESULTS |
| alert.resource.account | ACCOUNT_NAME |
| alert.resource.accountId | CLOUD_ACCOUNT_ID |
| alert.resource.cloudType | CLOUD_TYPE |
| alert.resource.name | RESOURCE_NAME |
| alert.resource.region | REGION |
| alert.resource.resourceType | RESOURCE_TYPE |
| alert.resource.uid | TARGETS |
| alert.status | STATUS |
| derived from STATUS | STATUS_CATEGORY |
Violation Definition
Table 7: Violation Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| derived from normalized severity | SEVERITY_SCORE |
| normalized from policy.severity | SEVERITY |
| policy.cloudType | CLOUD_TYPE |
| policy.complianceStandards | COMPLIANCE_STANDARD |
| policy.createdOn | SOURCE_CREATED_DATE |
| policy.deleted | DELETED |
| policy.description + policy.remediation (concatenated) | DESCRIPTION |
| policy.enabled | ENABLED |
| policy.labels | TAGS |
| policy.lastModifiedOn | SOURCE_LAST_MODIFIED |
| policy.name | NAME |
| policy.openAlertsCount | OPEN_ALERTS_COUNT |
| policy.owner | OWNER |
| policy.policyId | UID |
| policy.policyMode | POLICY_MODE |
| policy.policyType | CATEGORIES |
| policy.recommendation | RECOMMENDATION |
| policy.remediable | PATCHABLE |
| policy.rule.name | RULE |
| policy.severity | SOURCE_SEVERITY |
| policy.systemDefault | SYSTEM_DEFAULT |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Prisma Cloud connector supports the following operation options. See connector operation options for information about how to apply them.
Table 8: Prisma Cloud connector operation options
| Connector Object | Operation Options |
|---|---|
| Cloud Resource | See Prisma Cloud documentation on List Alert Filters |
| Host | includeAssetTypes |
| Violation | See Prisma Cloud documentation on List Alert Filters |
The option keys and values are case-sensitive as they are shown in the Prisma Cloud documentation.
APIs
The Prisma Cloud connector uses the Cloud Security Posture Management (CSPM) API. Specifically, it uses the following endpoints:
Table 9: Prisma Cloud API endpoints
| Connector Object | API Endpoint |
|---|---|
| Account Group | GET /cloud/group |
| Cloud Account | GET /cloud GET /cloud/{cloudType}/{accountId}/project |
| Cloud Resource | POST /v2/alert GET /v2/resource/scan_info |
| Host | POST /search/api/v2/config |
| Violation | POST /v2/alert |
| Violation Definition | GET /policy?policy.allowDeleted=true |
Changelog
The Prisma Cloud connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 10: Prisma Cloud connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.4.0 | Improved sync performance for Violations and Cloud Resources with paginated and parallel alert fetching, updated Host and Cloud Resource schemas and mappings, and enforced a page size upper bound. No migration required. | May 20th, 2026 |
| 3.3.5 | No change. | May 12th, 2026 |
| 3.3.4 | No change. | May 12th, 2026 |
| 3.3.3 | No change. | May 12th, 2026 |
| 3.3.2 | No change. | February 26th, 2026 |
| 3.3.1 | No change. | February 23rd, 2026 |
| 3.3.0 | No change. | February 3rd, 2026 |
| 3.2.4 | No change. | October 22nd, 2025 |
| 3.2.3 | Fixed an issue where the Cloud Resource and Violation object syncs were failing. | September 30th, 2025 |
| 3.2.2 | Changed the FIRST_FOUND and LAST_SEEN attribute types on the Violation object from long to instant to resolve a data type mismatch error, which was causing the connector sync to fail. | July 28th, 2025 |
| 3.2.1 | - Fixed an issue where the Host object was not retrieving the correct resourceType. - Added the HOST_API attribute to the Host object. | June 18th, 2025 |
| 3.2.0 | - Fixed an issue where IP addresses on tags were not populating. - The Host object now uses the search/api/v2/config API endpoint. - Added the following attributes to the Host object:
| February 10th, 2025 |
| 3.1.3 | Added a new additional setting that enables you to specify custom property names to promote as attributes on the Host object during data integration: Host custom properties. | December 30th, 2024 |
| 3.1.2 | No change. | November 22nd, 2024 |
| 3.1.1 | No change. | July 17th, 2024 |
| 3.1.0 | No change. | July 15th, 2024 |
| 3.0.13 | No change. | May 30th, 2024 |
| 3.0.12 | No change. | May 20th, 2024 |
| 3.0.11 | No change. | May 2nd, 2024 |
| 3.0.10 | Fixed an issue where the Cloud Resource object sync was failing. As a result, two new connection settings were added to help manage API throttling and make the timeout configurable: Maximum retries and Request timeout | April 5th, 2024 |
| 3.0.9 | No change. | March 1st, 2024 |
| 3.0.8 | Increased the Read timeout setting to account for slower-than-expected API responses. | February 29th, 2024 |
| 3.0.7 | - Started fetching asset type information from Prisma Cloud. - The connector now retrieves the Host object from Prisma. - Added a new operation option to the Cloud Resource object: excludeAssetTypes - Added a new operation option to the Host object: includeAssetTypes | February 26th, 2024 |
| 3.0.6 | Added 'Account' and 'Account Groups' as tags in the Cloud Resource object. | May 24th, 2023 |
| 3.0.5 | Code cleanup and general maintenance. | May 19th, 2023 |
| 3.0.4 | Code cleanup and general maintenance. | May 12th, 2023 |
| 3.0.3 | The connector now syncs all Violation Definition records from Prisma, including the ones that have been deleted. | April 26th, 2023 |
| 3.0.2 | Code cleanup and general maintenance. | April 24th, 2023 |
| 3.0.1 | Initial Integration+ release. | March 29th, 2023 |