In this article you will find:

  1. Pre-requisite

  2. How to configure Prisma Cloud connector in Vulcan platform

  3. How to pull assets and vulnerabilities from Prisma Cloud into Vulcan platform

  4. How to automate remediation actions with Prisma Cloud

  5. Used API Calls

1. Pre-requisite

Supported products: Compute Edition (self hosted) and Enterprise Edition.

Supported version: V.20.04 or cloud version

User and permissions: System administrator user

2. Configure Prisma Cloud Connector

On the Connectors page, click on Add a Connector.

Click on the Prisma Cloud connector.

Fill all relevant fields:

Server URL - URL of your Prisma Cloud account.

You can get the relevant address under Manage --> System --> Downloads.

Username - The Access Key ID of a valid user with relevant permissions

Password - Secret Key of the user.

3. How to pull assets and vulnerabilities from Prisma Cloud into Vulcan platform

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets

  • Vulnerabilities

Assets

There are 2 asset types pulled from Prisma Cloud Compute:

  1. Hosts - These are the same hosts you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Hosts --> Running Hosts

  2. Images - These are the same images you have in your Prisma Cloud interface under Monitor --> Vulnerabilities --> Images

Hosts

This data from Prisma Cloud Compute will be displayed under Hosts. This tab gathers all data that came from Vulnerability Scanners, Cloud Providers, CMDBs and more. To filter only Prisma Cloud Compute data, simply use the Search Bar.

This view is similar in its data to Monitor --> Vulnerabilities --> Hosts --> Running Hosts

The Name column will indicate the running hosts you have in Prisma Cloud Compute.

The OS column will indicate the hosts' OS as reported from Prisma Cloud Compute.

The IP column will indicate the hosts' IP as reported from Prisma Cloud Compute.

The Sources column will indicate the connectors which reported the host. For example, Prisma Cloud Compute and AWS both reported the same host.

The Last Seen column will indicate the last scanned time in Prisma Cloud Compute.

The Vulnerabilities column will indicate the number of vulnerabilities that exist on a host.

The Top Risk column will indicate the highest risk-value from all risks that exist on a host.

The Tags column will indicate all the tags that are related to the host. Note that by default, there are no tags associated with Prisma Cloud Compute to Vulcan.

Clicking on each host will open its Asset Card where you can see all the vulnerabilities, packages, and relevant details.

Images

This data from Prisma Cloud Compute will be displayed under Images. To filter only Prisma Cloud Compute data, simply use the Search Bar.

This view is similar in its data to Monitor --> Vulnerabilities --> Hosts --> Deployed Images and Monitor --> Vulnerabilities --> Hosts --> Registries

The Name column will indicate the Image name as you have in Prisma Cloud Compute.

The Type column will indicate if the image is reported from Deployed Images or Registries from Prisma Cloud Compute.

The Repository column will indicate the image's repository as reported from Prisma Cloud Compute.

The Sources column will indicate the connectors which reported the image. For example, Prisma Cloud Compute and AWS ECR both reported the same image.

The Last Seen column will indicate the last scanned time in Prisma Cloud Compute.

The Vulnerabilities column will indicate the number of vulnerabilities that exist on an image.

The Top Risk column will indicate the highest risk-value from all risks that exist on an image.

The Tags column will indicate all the tags that are related to the image. Note that by default, there are no tags associated with Prisma Cloud Compute to Vulcan.

Clicking on each image will open its Asset Card where you can see all the vulnerabilities, components and relevant details.

Vulnerabilities

You can view all vulnerabilities data from Prisma Cloud Compute in Vulnerabilities. In order to filter only Prisma Cloud Compute data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and viewing all details fetched from your Prisma Cloud Compute account.

Remediation Status of Vulnerabilities

Prisma Cloud only reports information on an asset-vulnerability if it is actively present and vulnerable on a specific asset. Because of this, the remediation status of a vulnerability is determined by its presence in the sync data; meaning that Vulcan recognizes a vulnerability as fixed only when the Prisma Cloud connector syncs and the new data does not contain the specific asset-vulnerability.
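The presence-based rule described above, worked through on two consecutive syncs. This is an added example, not Vulcan or Prisma Cloud code; the record layout, function names and sample values are assumptions made for illustration. It also separates out pairs that disappear because the whole asset is missing from the new sync, which is an added distinction and not documented Vulcan behaviour.

```python
# Added example: presence-based remediation status between two syncs.
# The {asset: [cve, ...]} layout is an assumption of this example,
# not the schema used by Vulcan or Prisma Cloud.

def pairs(sync):
    """Flatten one sync ({asset: [cve, ...]}) into (asset, cve) pairs."""
    return {(asset, cve) for asset, cves in sync.items() for cve in cves}

def diff_syncs(previous, current):
    """Classify asset-vulnerability pairs between two consecutive syncs."""
    prev, curr = pairs(previous), pairs(current)
    gone = prev - curr
    return {
        "open": sorted(prev & curr),
        "new": sorted(curr - prev),
        # Rule from the text: absent from the new sync data means fixed.
        "fixed": sorted(gone),
        # Subset of "fixed" whose asset is missing from the new sync
        # entirely; worth a review, since nothing was reported for it.
        "fixed_asset_absent": sorted(p for p in gone if p[0] not in current),
    }

# Constructed sample data (placeholder identifiers, not real scan output).
PREVIOUS = {
    "host-a": ["CVE-0000-0001", "CVE-0000-0002"],
    "registry/app:1.0": ["CVE-0000-0003"],
    "host-b": ["CVE-0000-0004"],
}
CURRENT = {
    "host-a": ["CVE-0000-0002"],  # CVE-0000-0001 is no longer reported
    "registry/app:1.0": ["CVE-0000-0003", "CVE-0000-0005"],
    # host-b does not appear in this sync at all
}

if __name__ == "__main__":
    for status, items in diff_syncs(PREVIOUS, CURRENT).items():
        print(status, items)
```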

Filter out base images

Users can also filter out base images on the vulnerabilities page, to identify the vulnerabilities that can help focus the remediation workflow.

5. Used API Calls

The following API calls are used by the connector. Each API call is listed with the role required in Prisma Cloud Compute to perform it:

  • POST /authenticate - Anyone

  • GET /registry - vulnerabilityManager

  • GET /images - vulnerabilityManager

  • GET /hosts - vulnerabilityManager
