Overview
About PrismaCloud Compute
Prisma™ Cloud Compute Edition delivers a cloud workload protection platform (CWPP) for modern enterprises, providing holistic protection across hosts, containers, and serverless deployments in any cloud throughout the software lifecycle.
Why integrate PrismaCloud Compute into the Vulcan platform?
The PrismaCloud Compute Connector by Vulcan integrates with the PrismaCloud platform to pull and ingest Host and Image assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
PrismaCloud Compute Connector Details
Supported products | |
Category | Vulnerability Assessment |
Ingested asset type(s) | Hosts, Images |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Supported products: Compute Edition (self-hosted) and Enterprise Edition.
Supported version: V.20.04 or cloud version
User and permissions: System administrator user
Retrieving PrismaCloud Server URL and User Credentials
Server URL - URL of your Prisma Cloud account.
You can get the relevant address under Compute > Manage > System Utilities.
For reference, see: https://docs.prismacloud.io/en/classic/cspm-admin-guide/get-started-with-prisma-cloud/enable-access-prisma-cloud-console
Username - The Access Key ID of a valid user with appropriate permissions
Password - Secret Key of the user.
Configuring the PrismaCloud Compute Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the PrismaCloud icon.
Set up the Connector as follows:
Username - The Access Key ID of a valid user with appropriate permissions
Password - Secret Key of the user.
Unchecking the "Fetch CI images" option will exclude anything scanned by Prisma in a pipeline and stored under the CI heading.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your PrismaCloud instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the PrismaCloud icon shows Connected, the sync is complete.
PrismaCloud Compute in the Vulcan Platform
Viewing PrismaCloud Compute vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select PrismaCloud from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing PrismaCloud Compute assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select PrismaCloud from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by PrismaCloud Compute
To take remediation action on vulnerabilities and assets detected by PrismaCloud:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the PrismaCloud option to view all synced vulnerabilities/assets.
Select the relevant vulnerability from the results list.
Click Take Action.
Automating remediation actions on vulnerabilities detected by PrismaCloud
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the PrismaCloud Connector.
From PrismaCloud to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with PrismaCloud to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Host fields mapping
PrismaCloud Compute field | Vulcan field |
host_id | Uniqueness criteria |
hostname | Asset Name |
Docker version (installedProducts.docker); host id (_id); host devices: templates (hostDevices), map type (list) | Asset details |
Hosts | Asset type |
hostDevices.ip | IP |
osDistro | OS |
distro | OS Version |
firstscantime from prisma | Created date |
scantime | Last seen date |
packagename, packageversion | Packages |
tags | Asset Tags - Vendor’s tags |
collections | Asset Tags - Additional |
cve, package name, packageversion | Vulnerability instance uniqueness criteria |
first created on Vulcan date | Vulnerability instance first seen |
cvss score | Vulnerability instance score |
all vulnerable | Vulnerability instance status changes (including resurface) |
cve, package name, packageversion | Unique Vulnerability uniqueness criteria |
title/ text/ cve & package name & package version | Vulnerability title |
cvss score | Vulnerability score |
description | Vulnerability description |
severity | Vulnerability details |
vulnerable when exists | Vulnerability status |
cvss | CVSS |
if contains ALAS - cve is fetched from description | CVE/S |
technical score - fields and fallback: ____________ Threats: Tags impact - specify: | Risk calculation |
fix for cve on packagename | Fix title |
package name + status | Fix description |
Image fields mapping
PrismaCloud Compute field | Vulcan field |
for /api/v1/images?filterBaseImage=true | Asset details |
instances.image | Asset type |
account id | Repository |
Images | Repo type |
repository type | OS version |
path | Asset Tags - Additional |
Tags | Last seen |
Collection | Creation date |
scan time | SLA settings |
first scan time | Component - name |
package name | Archive Mechanism |
packages | Merging Mechanism and fallback fields Specify fields and mapping from vendor |
cve, package name, package details | Vulnerability instance Last seen |
first created on Vulcan date | Vulnerability instance score |
discovered | Vulnerability instance location path |
cvss score | Vulnerability instance Fixed mechanism |
package path | Vulnerability instance SLA settings |
cve, package name, package version | Vulnerability score |
{{ title or text or cve }} {{ packageName }}-{{ packageVersion }} | Vulnerability description |
cvss score | Vulnerability details |
description | Vulnerability status |
severity, cause, vec str, exploit, risk factor, link, asset type, package name, package version, layer time, twist lock, published, binary pkgs, discovery date, vulnerability type, filtered by base image | CVSS |
vulnerable when fetched | CVE/S |
cvss | CWE |
cve | CVSS attack vector |
technical score - fields and fallback: ____________ Threats: Tags impact - specify: | Fix descriptions |
fix for cve on package name | Fix references |
{{ packageName }} + {{ status }} + os versions | Asset - Vulnerability instance connection (info tooltip) |
package path, is filtered by base image - template, map_type |
Vulnerability status mapping
PrismaCloud Status | Vulcan Status |
<always> | Vulnerable |
<when not returned> | Fixed |
Vulnerability score mapping
CVSS score based
PrismaCloud score | Vulcan score |
0-10 | 0-10 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the PrismaCloud Compute connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not seen for X days according to "Last Seen". |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
The connector uses the following API calls. Each call is listed with the Prisma Cloud Compute role required to perform it:
POST /authenticate - Anyone
GET /registry - vulnerabilityManager
GET /images - vulnerabilityManager
GET /hosts - vulnerabilityManager
About asset and vulnerability data ingested into the Vulcan Platform
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
Two asset types are pulled from Prisma Cloud Compute:
Hosts - These are the same hosts you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Hosts --> Running Hosts
Images - These are the same images you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Images
About Remediation Status of Vulnerabilities
Prisma Cloud only reports information on a vulnerability if it is actively present and vulnerable on a specific asset. Because of this, the remediation status of a vulnerability is determined by its presence in the sync data, meaning that Vulcan recognizes a vulnerability as fixed only when the Prisma Cloud connector syncs and the new data does not contain the specific asset vulnerability.
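The presence-based status logic described above can be modeled as follows. This is an added example, not Vulcan's or Prisma Cloud's code; the payload shape (host_id, cve, packageName, packageVersion keys), the helper names and the sample data are assumptions made for illustration, and the instance key follows the uniqueness criteria in the host mapping table.

```python
# Added example (not Vulcan's code): presence-based status reconciliation.
from typing import NamedTuple


class InstanceKey(NamedTuple):
    # Instance uniqueness per the mapping table: asset + cve + package name + version.
    host_id: str
    cve: str
    package_name: str
    package_version: str


def keys_from_sync(hosts):
    """Flatten one sync payload (list of host dicts, assumed shape) into keys."""
    return {
        InstanceKey(h["host_id"], v["cve"], v["packageName"], v["packageVersion"])
        for h in hosts
        for v in h.get("vulnerabilities", [])
    }


def reconcile(known_status, current_sync):
    """Apply one sync: returned -> Vulnerable, known but not returned -> Fixed.

    Returns (new_status, resurfaced), where resurfaced holds instances that
    were Fixed before this sync and are reported again.
    """
    present = keys_from_sync(current_sync)
    resurfaced = {k for k in present if known_status.get(k) == "Fixed"}
    new_status = {k: "Fixed" for k in known_status.keys() - present}
    new_status.update({k: "Vulnerable" for k in present})
    return new_status, resurfaced


def _host(*vulns):
    # Constructed sample data; CVE ids are placeholders, not real identifiers.
    return [{"host_id": "host-a", "vulnerabilities": [
        {"cve": c, "packageName": p, "packageVersion": v} for c, p, v in vulns]}]


DAY1 = _host(("CVE-0000-0001", "openssl", "1.1.1k"), ("CVE-0000-0002", "curl", "7.79.0"))
DAY2 = _host(("CVE-0000-0001", "openssl", "1.1.1l"))  # upgraded, still affected
DAY3 = DAY2 + _host(("CVE-0000-0002", "curl", "7.79.0"))  # curl finding returns

if __name__ == "__main__":
    status = {}
    for day, sync in enumerate((DAY1, DAY2, DAY3), start=1):
        status, back = reconcile(status, sync)
        print(f"day {day}:", {tuple(k[1:]): s for k, s in status.items()}, "resurfaced:", len(back))
```

Under this model, a package upgrade that still carries the CVE closes the old instance as Fixed and opens a new Vulnerable one, because the package version is part of the key.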
Filter out base images
Users can also filter out base images on the Vulnerabilities page, which can help focus the remediation workflow.
The base image identifier is: "Exclude base images vulns"