Palo Alto Prisma Cloud
Visualize Palo Alto Prisma Cloud hosts, defender agents, container images, and vulnerabilities, and monitor changes through queries and alerts.
- Installation
- Data Model
- Types
Installation
This integration connects to Palo Alto Prisma Cloud Compute Edition to ingest hosts, defender agents, deployed images, and vulnerability data.
This integration currently supports Prisma Cloud Compute Edition. Support for Prisma Cloud Enterprise Edition will be added in a future release.
Prerequisites in Palo Alto Prisma Cloud
Before configuring the integration in JupiterOne, you need to gather the following information:
1. Console URL
Your Prisma Cloud Compute Console URL can be found by:
- Log into your Prisma Cloud Console
- Navigate to Compute > Manage > System > Downloads
- The Console URL is displayed on this page
The URL format varies by deployment type:
- SaaS deployments:
https://[region].cloud.twistlock.com/[tenant-id] - Self-hosted deployments: Your self-hosted Console URL
2. Version
Find your Prisma Cloud Compute version:
- Log into your Prisma Cloud Compute console
- Click the bell icon in the top right of the page
- Your version is displayed (e.g.,
34.02)
3. Username and Password
Create a dedicated service account for JupiterOne with read-only permissions to access the Compute API.
Required Permissions: The account must be able to:
- Read host information and vulnerabilities
- Read defender agent data
- Read container image information
A user with the Auditor role or any role with read access to Monitor and Vulnerabilities data will work for this integration.
Configuration in JupiterOne
To install the Palo Alto Prisma Cloud integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Palo Alto Prisma Cloud. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
-
The Account Name used to identify the Palo Alto Prisma Cloud account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled. -
Description to assist in identifying the integration instance, if desired.
-
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration. -
Your Palo Alto Prisma Cloud Compute Console URL, Version, Username, and Password.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Defender | palo_alto_prisma_cloud_defender | HostAgent |
| Deployed Image | palo_alto_prisma_cloud_deployed_image | Image |
| Host | palo_alto_prisma_cloud_host | Host |
| Host Vulnerability | palo_alto_prisma_cloud_host_vulnerability | Finding, Vulnerability |
| Image Vulnerability | palo_alto_prisma_cloud_image_vulnerability | Finding, Vulnerability |
| Service | palo_alto_prisma_cloud_service | Service |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
palo_alto_prisma_cloud_defender | MONITORS | palo_alto_prisma_cloud_host |
palo_alto_prisma_cloud_deployed_image | HAS | palo_alto_prisma_cloud_image_vulnerability |
palo_alto_prisma_cloud_host | HAS | palo_alto_prisma_cloud_host_vulnerability |
palo_alto_prisma_cloud_host | USES | palo_alto_prisma_cloud_deployed_image |
Palo Alto Prisma Cloud Defender�
palo_alto_prisma_cloud_defender inherits from HostAgent
| Property | Type | Description | Specifications |
|---|---|---|---|
category * | string | ||
cluster * | string | ||
collections * | array of strings | ||
compatibleVersion * | boolean | ||
connected * | boolean | ||
isARM64 * | boolean | ||
port * | number | ||
remoteLoggingSupported * | boolean | ||
remoteMgmtSupported * | boolean | ||
type * | string | ||
version * | string | ||
vpcObserver * | boolean |
Palo Alto Prisma Cloud Deployed Image
palo_alto_prisma_cloud_deployed_image inherits from Image
| Property | Type | Description | Specifications |
|---|---|---|---|
collections * | array of strings | ||
digest * | string | ||
distro * | string | ||
registry * | string | ||
repository * | string | ||
tag * | string |
Palo Alto Prisma Cloud Host
palo_alto_prisma_cloud_host inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
collections * | array | null | ||
distro * | string | null | ||
isARM64 * | boolean | null | ||
osDistroRelease * | string | null |
Palo Alto Prisma Cloud Host Vulnerability
palo_alto_prisma_cloud_host_vulnerability inherits from Finding, Vulnerability
| Property | Type | Description | Specifications |
|---|---|---|---|
cause | string | ||
cvss | number | ||
description | string | ||
firstSeenOn | number | ||
fixLink | string | ||
fixOn | number | ||
publishedOn | number | ||
status | string | ||
title | string | ||
type | string | ||
vecStr | string | ||
webLink | string |
Palo Alto Prisma Cloud Image Vulnerability
palo_alto_prisma_cloud_image_vulnerability inherits from Finding, Vulnerability
| Property | Type | Description | Specifications |
|---|---|---|---|
cause * | string | ||
complianceId * | string | ||
cvss * | number | ||
description * | string | ||
discoveredOn | number | ||
fixedOn | number | ||
fixStatus * | string | ||
graceDays * | string | ||
packageLicense * | string | ||
packagePath * | string | ||
packages * | string | ||
packageVersion * | string | ||
publishedOn | number | ||
purl * | string | ||
result * | string | ||
riskFactors * | string | ||
sourcePackage * | string | ||
type * | string | ||
vulnerabilityLink * | string | ||
vulnerabilityTags * | string |
Palo Alto Prisma Cloud Service
palo_alto_prisma_cloud_service inherits from Service