Prisma Public Cloud

Describes how to setup an integration to view Prisma Public Cloud’s cloud security vulnerability events.

Leave Feedback

Introduction

Prisma Public Cloud provides continuous visibility, security, and compliance monitoring across public multi-cloud deployments. This enables organizations to safely embrace the public cloud through its intelligent SaaS security platform

OpsRamp configuration

Configuration involves the following:

  1. Installing the integration.
  2. Configuring the integration.

Step 1: Install the integration

To install:

  1. From All Clients, select a client.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select Monitoring > Prisma Public Cloud.
  4. Click Install.

Step 2: Configure the integration

To configure the integration:

  1. From the API tab, provide the following:
    • Authentication: Copy Tenant Id, Token and Webhook URL for configuration. These settings are used for creating a HTTP Request template.
    • Map Attributes: Provide the mapping information for the third-party.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

To configure the mapping attributes:

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.

The following tables shows the attribute mappings.

Property Mappings
OpsRamp AttributesPrisma Public Cloud Attributes
Alert metricmessage
Alert statemessage
OpsRamp Property valuePrisma Public Cloud Property value
CriticalThis is a test message from Prisma Cloud initiated by $username to validate integration $intg_name
Alert timesentTs
Alert subjectmessage
Alert resource namemessage

Mapping the first payload validation

To map the first payload validation:

  1. Provide the Webhook URL in Webhooks URL field, authentication token in the Auth Token field in the Integrations tab, and click Test. A success message is displayed.
    Redlock Handshake

    Redlock Handshake

  2. Prisma Public Cloud sends a response message as confirmation to OpsRamp.

The following show a sample response:

{
    "sender":"RedLock",
    "sentTs":'1557951571335',
    "message":"HELLO"
}

Mapping the final payload

To map the final payload:

  1. May the webhook payload attributes to the OpsRamp alert attributes.
  2. The Prisma Public Cloud webhook sends a sample payload to OpsRamp.

The following table shows the mapping for the cloud security vulnerability events webhook payload attributes with the OpsRamp Alert entity attributes.

Property Mappings
OpsRamp AttributePrisma Public Cloud Attribute
External alert ID>alertId
Alert metric>resourceCloudService
Alert stateseverity
OpsRamp Property valuePrisma Public Cloud Property value
OKlow
WARNINGmedium
CRITICALhigh
Alert time>alertTs
Alert subject>policyName
Alert description>policyDescription
Alert resource name>resourceName

Sample response

{

        "resourceId": "subnet-5c03e227",
        "alertRuleName": "Kfarr Email Test",
        "accountName": "2W-ProductDevelopment5",
        "hasFinding": false,
        "resourceRegionId": "ap-south-1",
        "alertRemediationCli": null,
        "source": "RedLock",
        "cloudType": "aws",
        "callbackUrl": "https://app.redlock.io/alerts?filters#alert.id=P-1975&timeType=to\_now&timeUnit=epoch",
        "alertId": "P-1975",
        "policyLabels": \[\],
        "alertAttribution": null,
        "severity": "medium",
        "policyName": "AWS VPC subnets should not allow automatic public IP assignment",
        "resourceName": "subnet-5c03e227",
        "riskRating": "B",
        "resourceRegion": "AWS Mumbai",
        "policyDescription": "This policy identifies VPC subnets which allow automatic public IP assignment. VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.",
        "policyRecommendation": "1. Sign into the AWS console.\\n2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated.\\n3. Navigate to the 'VPC' service.\\n4. In the navigation pane, click on 'Subnets'.\\n5. Select the identified Subnet and choose the option 'Modify auto-assign IP settings' under the Subnet Actions.\\n6. Disable the 'Auto-Assign IP' option and save it.",
        "accountId": "162213212942",
        "resourceConfig": {
            "subnetId": "subnet-5c03e227",
            "subnetArn": "arn:aws:ec2:ap-south-1:162213212942:subnet/subnet-5c03e227",
            "availabilityZoneId": "aps1-az2",
            "cidrBlock": "172.31.32.0/20",
            "ownerId": "162213212942",
            "availabilityZone": "ap-south-1c",
            "assignIpv6AddressOnCreation": false,
            "tags": \[\],
            "vpcId": "vpc-f515f69c",
            "mapPublicIpOnLaunch": true,
            "defaultForAz": true,
            "state": "available",
            "ipv6CidrBlockAssociationSet": \[\]
        },
     
        "resourceCloudService": "Amazon VPC",
        "alertTs": 1557856406801,
        "findingSummary": null,
        "resourceType": "Subnet"
    }
]

 

Prisma Public Cloud configuration

Configuration involves:

  1. Integrating with OpsRamp.
  2. Creating a alert rule.

Step 1: Integrate with OpsRamp

Prerequisites

  • The Webhook URL copied during Prisma Public Cloud installation.
  • Authentication code generated during Prisma Public Cloud installation.

To integrate with OpsRamp using Webhooks URL:

  1. Log into Prisma Public Cloud Service and select Settings Integrations.
  2. Select + Add New and set the Integration type as Webhooks.
  3. Enter the Webhook URL and Auth Code and click Next.
  4. Click Test. Test successful confirmation message is displayed.
  5. Click Save.

Step 2: Create an alert rule

To create an alert rule:

  1. Select Secure Alert Rules and click +Add New.
  2. Provide a name for Alert Rule Name and a Description for rule and click Next.
    Create Alert Rule

    Create Alert Rule

  3. To apply the alert rule, select Account Groups and click Next.
    1. To see advanced settings for target setting, toggle View Advanced Settings.
    2. To exclude any cloud accounts from the selected Account Group, provide the accounts in Exclude Cloud Accounts.
    3. Choose your region.
    4. To manage or identify your resources, add Tags. Tags apply to Config and Network Policies only.
    5. Click Next.
  4. To add more details to this rule, click View Advanced Settings to provide additional details in the following fields:
    1. To exclude more cloud accounts from triggering alerts, mention the cloud accounts in the Exclude Cloud Accounts.
    2. To trigger alerts only for specific regions for the cloud accounts in the selected account group, select one or more Regions from the list.
    3. To trigger alerts only for specific resources in the selected cloud accounts, enter the key and value of the Resource Tag you created for the resource in your cloud environment. Tags apply to Config and Network Policies only.
      Create Alert Rule Allowed Accounts

      Create Alert Rule Allowed Accounts

  5. Click Next.
  6. To trigger alerts for this rule, either Select all policies or select a Specific Policy.
    Create Alert Rule Select Policy

    Create Alert Rule Select Policy

  7. To send notifications to OpsRamp, configure Set Alert Notifications.
    1. On the Set Alert Notification page of the alert rule, select webhooks.
    2. Select the Webhook Channels to send alert notifications triggered by this alert rule.
    3. Set the Frequency at which to send POST notifications.
      • As it Happens — A notification is sent to the selected Webhook channels when an alert is triggered by alert rule.
      • Daily — A single notification is sent to the selected Webhook channels once every day with all alerts triggered by alert rule in a day.
      • Weekly — A single notification is sent to the selected Webhook channels once a week with all alerts triggered by alert rule during a week.
      • Monthly — A single notification is sent to the selected Webhook channels once a month with all alerts triggered by alert rule during a month.
  8. Save the alert rule to finish the integration process.
Create Alert Rule Channel

Create Alert Rule Channel

What to do next

  • View the Prisma Public Cloud security vulnerable events as alerts:
    1. In OpsRamp, go to Alerts. The Alert Browser is displayed.
    2. Click Edit Criteria and select Source as Prisma Public Cloud. The Alert Browser displays alerts matching the selected criteria.
Prisma Public Cloud Alerts

Prisma Public Cloud Alerts