PrismaCloud Compute (CWPP) Connector

Learn all about integrating Prisma Cloud Compute into the Vulcan Platform


Overview

About PrismaCloud Compute

Prisma™ Cloud Compute Edition delivers a cloud workload protection platform (CWPP) for modern enterprises, providing holistic protection across hosts, containers, and serverless deployments in any cloud throughout the software lifecycle.

Why integrate PrismaCloud Compute into the Vulcan platform?

The PrismaCloud Compute Connector by Vulcan integrates with the PrismaCloud platform to pull Host and Image assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data, which feeds into risk and remediation priority.

PrismaCloud Compute Connector Details

Supported products

Category: Vulnerability Assessment

Ingested asset type(s): Hosts, Images

Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Supported products: Compute Edition (self-hosted) and Enterprise Edition.

Supported version: V.20.04 or cloud version

User and permissions: System administrator user

Retrieving PrismaCloud Server URL and User Credentials

Server URL - URL of your Prisma Cloud account.

You can get the relevant address under Compute > Manage > System Utilities.
For reference, see: https://docs.prismacloud.io/en/classic/cspm-admin-guide/get-started-with-prisma-cloud/enable-access-prisma-cloud-console

Username - The Access Key ID of a valid user with appropriate permissions

Password - Secret Key of the user.

Configuring the PrismaCloud Compute Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the PrismaCloud icon.

  4. Set up the Connector as follows:

    • Username - The Access Key ID of a valid user with appropriate permissions

    • Password - Secret Key of the user.

    • Unchecking the "Fetch CI images" option will exclude anything scanned by Prisma in a pipeline and stored under the CI heading.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your PrismaCloud instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  8. To confirm the sync is complete, navigate to the Connectors page. Once the PrismaCloud icon shows Connected, the sync is complete.


PrismaCloud Compute in the Vulcan Platform

Viewing PrismaCloud Compute vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select PrismaCloud from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing PrismaCloud Compute assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select PrismaCloud from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by PrismaCloud Compute

To take remediation action on vulnerabilities and assets detected by PrismaCloud:

  1. Go to Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the PrismaCloud option to view all synced vulnerabilities/assets.

  4. Select the relevant vulnerability from the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by PrismaCloud

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the PrismaCloud Connector.


From PrismaCloud to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with PrismaCloud to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Host fields mapping

| PrismaCloud Compute field | Vulcan field |
|---|---|
| host_id | Uniqueness criteria |
| hostname | Asset Name |
| Docker version (installedProducts.docker); host id (_id); host devices: templates (hostDevices), map type (list) | Asset details |
| Hosts | Asset type |
| hostDevices.ip | IP |
| osDistro | OS |
| distro | OS Version |
| firstscantime from Prisma; if it doesn't exist, first scan time by Vulcan | Created date |
| scantime | Last seen date |
| packagename, packageversion | Packages |
| tags | Asset Tags - Vendor's tags |
| collections | Asset Tags - Additional |
| cve, package name, packageversion | Vulnerability instance uniqueness criteria |
| first created on Vulcan date | Vulnerability instance first seen |
| cvss score | Vulnerability instance score |
| all vulnerable | Vulnerability instance status changes (including resurface) |
| cve, package name, packageversion | Unique Vulnerability uniqueness criteria |
| title/ text/ cve & package name & package version | Vulnerability title |
| cvss score | Vulnerability score |
| description | Vulnerability description |
| severity, cause, vec str, exploit, risk factors, link, asset type (type), package name, package version, layer time, twist lock, published, binary pkgs, discovery date, vulnerability type (by id: 46 - Operating system/distro packages, 47 - JAR files, 48 - Gem files, 49 - Node.js, 410 - Python, 411 - MySql, 412 - Custom, 415 - Nuget) | Vulnerability details |
| vulnerable when exists | Vulnerability status |
| cvss | CVSS |
| if contains ALAS: cve is fetched from description; else: cve | CVE/S |
| technical score - fields and fallback: ____________; Threats:; Tags impact - specify: | Risk calculation |
| fix for cve on packagename | Fix title |
| package name + status | Fix description |

Image fields mapping

PrismaCloud Compute field

Vulcan field

for /api/v1/images?filterBaseImage=true
/api/v1/images?filterBaseImage=false
/api/v1/registry : _id
for /api/v1/scans?filterBaseImage=false
/api/v1/scans?filterBaseImage=true : asset_id

Asset details

instances.image

Asset type

account id
collections
Err
prismacloud id
registry
scan version
trust status
cloud metadata - template, map_type

Repository

Images

Repo type

repository type

OS version

path

Asset Tags - Additional

Tags

Last seen

Collection

Creation date

scan time

SLA settings

first scan time

Component - name

package name

Archive Mechanism

packages

Merging Mechanism and fallback fields

Specify fields and mapping from vendor

cve, package name, package details

Vulnerability instance Last seen

first created on Vulcan date

Vulnerability instance score

discovered

Vulnerability instance location path

cvss score

Vulnerability instance Fixed mechanism

package path

Vulnerability instance SLA settings

cve, package name, package version

Vulnerability score

{{ title or text or cve }} {{ packageName }}-{{ packageVersion }}

Vulnerability description

cvss score

Vulnerability details

description

Vulnerability status

severity

cause

vec str

exploit

risk factor

link

asset type

package name

package version

layer time

twist lock

published

binary pkgs

discovery date

vulnerability type

filtered by base image

CVSS

vulnerable when fetched

CVE/S

cvss

CWE

cve

CVSS attack vector

technical score - fields and fallback: ____________

Threats:

Tags impact - specify:

Fix descriptions

fix for cve on package name

Fix references

{{ packageName }} + {{ status }} + os versions

Asset - Vulnerability instance connection (info tooltip)

package path,

is filtered by base image - template ,map_type

Vulnerability status mapping

| PrismaCloud Status | Vulcan Status |
|---|---|
| <always> | Vulnerable |
| <when not returned> | Fixed |

Vulnerability score mapping

CVSS score based

| PrismaCloud score | Vulcan score |
|---|---|
| 0-10 | 0-10 |

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).

The table below lists how the status update mechanism works in the PrismaCloud Compute connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type in Vulcan | Mechanism (When?) |
|---|---|
| The asset is archived | Asset not seen for X days according to "Last Seen". |
| The vulnerability instance status changes to "Fixed" | If the vulnerability no longer appears in the scan findings. |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

The connector uses the following API calls. The Prisma Cloud Compute role required to perform each call is listed next to it:

  • POST /authenticate - Anyone

  • GET /registry - vulnerabilityManager

  • GET /images - vulnerabilityManager

  • GET /hosts - vulnerabilityManager


About asset and vulnerability data ingested into the Vulcan Platform

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets

  • Vulnerabilities

Assets

Two asset types are pulled from Prisma Cloud Compute:

  1. Hosts - These are the same hosts you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Hosts --> Running Hosts

  2. Images - These are the same images you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Images

About Remediation Status of Vulnerabilities

Prisma Cloud only reports information on a vulnerability if it is actively present and vulnerable on a specific asset. Because of this, the remediation status of a vulnerability is determined by its presence in the sync data, meaning that Vulcan recognizes a vulnerability as fixed only when the Prisma Cloud connector syncs and the new data does not contain the specific asset vulnerability.
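
The presence-based status logic described above, combined with the instance uniqueness key and the ALAS rule from the data mapping, as an added Python example (not Vulcan's or Prisma Cloud's code). The finding dictionaries, their field names, and the placement of the ALAS check on the cve field are assumptions; the sample findings are constructed and use placeholder identifiers.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cve_ids(finding):
    """CVE/S mapping: for ALAS advisories the CVEs are read from the description."""
    if "ALAS" in finding["cve"]:  # assumption: the ALAS check is on the cve field
        return sorted(set(CVE_RE.findall(finding.get("description", ""))))
    return [finding["cve"]]

def instance_key(asset_id, finding):
    """Instance uniqueness per the mapping: cve, package name, package version."""
    return (asset_id, finding["cve"], finding["packageName"], finding["packageVersion"])

def reconcile(previous, sync):
    """previous: {key: status} after the last sync; sync: {asset_id: [finding, ...]}.
    Returns (new state, sorted list of (key, old status, new status) transitions)."""
    present = {instance_key(a, f) for a, fs in sync.items() for f in fs}
    state, changes = {}, []
    for key in sorted(present | set(previous)):
        # Status is inferred only from presence in the latest sync data.
        new = "Vulnerable" if key in present else "Fixed"
        state[key] = new
        if previous.get(key) != new:
            changes.append((key, previous.get(key), new))
    return state, changes

# Constructed sample findings (not real scan output); identifiers are placeholders.
OPENSSL = {"cve": "CVE-0000-0001", "packageName": "openssl", "packageVersion": "1.1.1k",
           "description": "constructed example"}
KERNEL = {"cve": "ALAS-0000-0002", "packageName": "kernel", "packageVersion": "5.10.0",
          "description": "Constructed advisory covering CVE-0000-0003 and CVE-0000-0004."}

def demo():
    day1, _ = reconcile({}, {"host-a": [OPENSSL, KERNEL]})
    day2, fixed = reconcile(day1, {"host-a": [KERNEL]})           # openssl absent -> Fixed
    day3, back = reconcile(day2, {"host-a": [OPENSSL, KERNEL]})   # openssl resurfaces
    return day2, fixed, back

if __name__ == "__main__":
    _, fixed, back = demo()
    print(fixed, back, cve_ids(KERNEL), sep="\n")
```
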

Filter out base images

Users can also filter out base images on the Vulnerabilities page, which helps focus the remediation workflow on the relevant vulnerabilities.

The base image identifier is: "Exclude base images vulns"
