Prisma Public Cloud provides continuous visibility, security, and compliance monitoring across public multi-cloud deployments. This enables organizations to safely embrace the public cloud through its intelligent SaaS security platform.

OpsRamp configuration

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page opens, listing all the installed applications. Note: If there are no installed applications, it navigates to the Available Integrations and Apps page instead.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can also search for the application using the search option, or filter using the All Categories option.
  6. Click ADD in the Prisma Public Cloud application and click Install.
  7. Select authentication type as WEBHOOK and click Save.
  8. Make a note of Tenant ID, Token and Webhook URL.
    These details are used while creating an HTTP Request template during Prisma Public Cloud configuration.
  9. Click Save.

Step 2: Configure the integration

  1. From the API tab, enter:
    • Authentication: Copy Tenant Id, Token, and Webhook URL for configuration. These settings are used for creating an HTTP Request template.
    • Map Attributes: Enter the mapping information for the third-party application.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.

The following table shows the attribute mappings.

OpsRamp Attribute      | Prisma Public Cloud Attribute
-----------------------+------------------------------
Alert metric           | message
Alert state            | message (property values below)
Alert time             | sentTs
Alert subject          | message
Alert resource name    | message

Alert state property values:

OpsRamp Property value | Prisma Public Cloud Property value
-----------------------+---------------------------------------------------------------------------------------------------
Critical               | This is a test message from Prisma Cloud initiated by $username to validate integration $intg_name

Mapping the first payload validation

  1. Enter the Webhook URL in Webhooks URL field, authentication token in the Auth Token field in the Integrations tab, and click Test. A success message is displayed.
    (Figure: Redlock Handshake)
  2. Prisma Public Cloud sends a response message as confirmation to OpsRamp.

The following shows a sample response:

{
    "sender": "RedLock",
    "sentTs": 1557951571335,
    "message": "HELLO"
}

Mapping the final payload

  1. Map the webhook payload attributes to the OpsRamp alert attributes.
  2. The Prisma Public Cloud webhook sends a sample payload to OpsRamp.

The following table shows the mapping for the cloud security vulnerability events webhook payload attributes with the OpsRamp Alert entity attributes.

OpsRamp Attribute      | Prisma Public Cloud Attribute
-----------------------+------------------------------
External alert ID      | alertId
Alert metric           | resourceCloudService
Alert state            | severity (property values below)
Alert time             | alertTs
Alert subject          | policyName
Alert description      | policyDescription
Alert resource name    | resourceName

Alert state property values:

OpsRamp Property value | Prisma Public Cloud Property value
-----------------------+-----------------------------------
OK                     | low
WARNING                | medium
CRITICAL               | high

Example response

[
    {
        "resourceId": "subnet-5c03e227",
        "alertRuleName": "Kfarr Email Test",
        "accountName": "2W-ProductDevelopment5",
        "hasFinding": false,
        "resourceRegionId": "ap-south-1",
        "alertRemediationCli": null,
        "source": "RedLock",
        "cloudType": "aws",
        "callbackUrl": "https://app.redlock.io/alerts?filters#alert.id=P-1975&timeType=to_now&timeUnit=epoch",
        "alertId": "P-1975",
        "policyLabels": [],
        "alertAttribution": null,
        "severity": "medium",
        "policyName": "AWS VPC subnets should not allow automatic public IP assignment",
        "resourceName": "subnet-5c03e227",
        "riskRating": "B",
        "resourceRegion": "AWS Mumbai",
        "policyDescription": "This policy identifies VPC subnets which allow automatic public IP assignment. VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances in this subnet to the internet and should be edited to 'No' post creation of the Subnet.",
        "policyRecommendation": "1. Sign into the AWS console.\n2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated.\n3. Navigate to the 'VPC' service.\n4. In the navigation pane, click 'Subnets'.\n5. Select the identified Subnet and choose the option 'Modify auto-assign IP settings' under the Subnet Actions.\n6. Disable the 'Auto-Assign IP' option and save it.",
        "accountId": "162213212942",
        "resourceConfig": {
            "subnetId": "subnet-5c03e227",
            "subnetArn": "arn:aws:ec2:ap-south-1:162213212942:subnet/subnet-5c03e227",
            "availabilityZoneId": "aps1-az2",
            "cidrBlock": "172.31.32.0/20",
            "ownerId": "162213212942",
            "availabilityZone": "ap-south-1c",
            "assignIpv6AddressOnCreation": false,
            "tags": [],
            "vpcId": "vpc-f515f69c",
            "mapPublicIpOnLaunch": true,
            "defaultForAz": true,
            "state": "available",
            "ipv6CidrBlockAssociationSet": []
        },
        "resourceCloudService": "Amazon VPC",
        "alertTs": 1557856406801,
        "findingSummary": null,
        "resourceType": "Subnet"
    }
]
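The two payload shapes above (the "HELLO" handshake object and the array of alert objects) are what a webhook receiver has to tell apart before applying the mapping tables. The following is an added example, not OpsRamp's or Prisma Public Cloud's own code: it checks the Auth Token in constant time, rejects malformed bodies, recognises the handshake, and maps each alert's fields and severity to alert attributes. The token parameter names, the OpsRamp-side attribute keys (external_alert_id, state, and so on) and the abridged sample payloads are constructed for illustration.

```python
import hmac
import json

# Constructed samples, abridged from the handshake and alert payloads shown above.
HANDSHAKE = json.dumps({"sender": "RedLock", "sentTs": 1557951571335, "message": "HELLO"})
ALERTS = json.dumps([{
    "alertId": "P-1975",
    "severity": "medium",
    "policyName": "AWS VPC subnets should not allow automatic public IP assignment",
    "policyDescription": "This policy identifies VPC subnets which allow automatic public IP assignment.",
    "resourceName": "subnet-5c03e227",
    "resourceCloudService": "Amazon VPC",
    "alertTs": 1557856406801,
}])

# Prisma severity -> OpsRamp alert state, per the mapping table. An unrecognised
# severity falls back to CRITICAL so nothing is silently downgraded.
SEVERITY_TO_STATE = {"low": "OK", "medium": "WARNING", "high": "CRITICAL"}

# Payload attribute -> alert attribute, per the mapping table. The right-hand
# keys are assumed names for this example, not OpsRamp's documented field names.
FIELD_MAP = {
    "alertId": "external_alert_id",
    "resourceCloudService": "metric",
    "alertTs": "time",
    "policyName": "subject",
    "policyDescription": "description",
    "resourceName": "resource_name",
}


def token_matches(presented: str, expected: str) -> bool:
    """Compare the webhook Auth Token without leaking timing information."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def map_alert(event: dict) -> dict:
    """Apply the attribute and severity mappings to one alert object."""
    alert = {dst: event.get(src) for src, dst in FIELD_MAP.items()}
    severity = str(event.get("severity", "")).lower()
    alert["state"] = SEVERITY_TO_STATE.get(severity, "CRITICAL")
    return alert


def handle_webhook(presented_token: str, expected_token: str, body: str) -> dict:
    """Process one inbound POST. Returns a status and the mapped alerts (if any)."""
    # Authenticate before touching the body, so unauthenticated input is never parsed.
    if not token_matches(presented_token, expected_token):
        return {"status": "unauthorized", "alerts": []}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "bad_request", "alerts": []}
    # Handshake from the Test button: a single object whose message is "HELLO".
    if isinstance(payload, dict) and payload.get("message") == "HELLO":
        return {"status": "handshake", "alerts": []}
    # Alert deliveries arrive as an array of alert objects; accept a bare object too.
    events = payload if isinstance(payload, list) else [payload]
    alerts = [map_alert(e) for e in events if isinstance(e, dict) and "alertId" in e]
    return {"status": "ok" if alerts else "ignored", "alerts": alerts}


if __name__ == "__main__":
    print(handle_webhook("s3cret", "s3cret", HANDSHAKE))
    print(handle_webhook("s3cret", "s3cret", ALERTS))
```

With the constructed token "s3cret", the handshake call returns status "handshake" and the alert call returns one alert in state WARNING (severity medium), external alert ID P-1975 and time 1557856406801; a wrong token is rejected before the body is parsed.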

Prisma Public Cloud configuration

Prerequisites

  • The Webhook URL copied during Prisma Public Cloud installation.
  • Authentication code generated during Prisma Public Cloud installation.

Step 1: Integrate with OpsRamp

  1. Log into Prisma Public Cloud Service and select Settings > Integrations.
  2. Select + Add New and set the Integration type as Webhooks.
  3. Enter the Webhook URL and Auth Code and click Next.
  4. Click Test. A Test successful confirmation message is displayed.
  5. Click Save.

Step 2: Create an alert rule

  1. Select Secure Alert Rules and click +Add New.
  2. Enter a name for Alert Rule Name and a Description for the rule, and click Next.
    (Figure: Create Alert Rule)
  3. To apply the alert rule, select Account Groups and click Next.
    1. To see advanced settings for target setting, toggle View Advanced Settings.
    2. To exclude any cloud accounts from the selected Account Group, enter the accounts in Exclude Cloud Accounts.
    3. Choose your region.
    4. To manage or identify your resources, add Tags. Tags apply to Config and Network Policies only.
    5. Click Next.
  4. To add more details to this rule, click View Advanced Settings to provide more details in the following fields:
    1. To exclude more cloud accounts from triggering alerts, mention the cloud accounts in the Exclude Cloud Accounts.
    2. To trigger alerts only for specific regions for the cloud accounts in the selected account group, select one or more Regions from the list.
    3. To trigger alerts only for specific resources in the selected cloud accounts, enter the key and value of the Resource Tag you created for the resource in your cloud environment. Tags apply to Config and Network Policies only.
      (Figure: Create Alert Rule Allowed Accounts)
  5. Click Next.
  6. To trigger alerts for this rule, either Select all policies or select a Specific Policy.
    (Figure: Create Alert Rule Select Policy)
  7. To send notifications to OpsRamp, configure Set Alert Notifications.
    1. On the Set Alert Notification page of the alert rule, select webhooks.
    2. Select the Webhook Channels to send alert notifications triggered by this alert rule.
    3. Set the Frequency at which to send POST notifications.
      • As it Happens: A notification is sent to the selected Webhook channels when an alert is triggered by the alert rule.
      • Daily: A single notification is sent to the selected Webhook channels once every day with all alerts triggered by the alert rule in a day.
      • Weekly: A single notification is sent to the selected Webhook channels once a week with all alerts triggered by the alert rule during a week.
      • Monthly: A single notification is sent to the selected Webhook channels once a month with all alerts triggered by the alert rule during a month.
  8. Save the alert rule to finish the integration process.
(Figure: Create Alert Rule Channel)

After Prisma Public Cloud has been successfully integrated with OpsRamp, the security vulnerability events from Prisma Public Cloud are ingested into OpsRamp and displayed as alerts.

Next steps

  • View the Prisma Public Cloud security vulnerability events as alerts:
    1. In OpsRamp, go to Alerts. The Alert Browser is displayed.
    2. Click Edit Criteria and select Source as Prisma Public Cloud. The Alert Browser displays alerts matching the selected criteria.
(Figure: Prisma Public Cloud Alerts)