The Prisma Cloud connector brings data into Cisco Vulnerability Management for cloud security and runtime APIs, ingesting containers, images, hosts, registries, serverless, Tanzu/Blobstore, alerts, fixes and tags data.
The connector works with the Prisma Cloud Enterprise and Compute Editions, and you can configure the type of assets that you want to ingest.
Important: Cisco Vulnerability Management does not support application security endpoints.
Setting up the Prisma Cloud Connector
Before setting up the Prisma Cloud Connector in Cisco Vulnerability Management, you must first create an Access Key and Secret Key in your Prisma Cloud console and obtain the URL to the Prisma Cloud Compute console.
Obtaining the URL to Prisma Cloud Compute console
1. On the Runtime Security > Manage > System > Utilities page, take note of the URL in the Path to Console field to use later on the Cisco Vulnerability Management connector setup page.
Important: You must omit the https:// portion of the URL.
Obtaining Access Key and Secret Key
Note: Cisco recommends using a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
Follow these steps to create a new username (Access Key) and password (Secret Key).
1. Select Settings > Access Control > Access Keys and select Add > Access Key.
2. On the Add User page, fill in the details, and click Save and Close.
3. Take note of your Access Key and Secret Key. You will use these when you set up the Connector in Cisco Vulnerability Management.
Adding the Prisma Cloud Connector
Note: If you would like to use a VPN with the Prisma Cloud Compute Edition (PCCE) on-premises solution, contact Cisco Support.
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Prisma Cloud.
4. On the Prisma Cloud Connector page, enter the following information:
- Name: Enter a name for the connector or leave it as Prisma Cloud Compute Edition.
- Access Key: Enter the Access Key that you just created. Cisco recommends using a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
- Secret Key: Enter the Secret Key that you just created.
- Path to Console/Host: Enter the Path to Console URL that you noted above, or the host for the on-prem scanner.
- Do Not Import Container Data: Select this option if you do not want to import container data.
- Do Not Import Image Data: Select this option if you do not want to import image data.
- Do Not Import Host Data: Select this option if you do not want to import host data.
- Do Not Import Serverless Data: Select this option if you do not want to import serverless data.
- Do Not Import Registry Data: Select this option if you do not want to import registry data.
- Do Not Import Compliance Data: Select this option if you do not want to import compliance data.
- Do Not Import TAS/Blobstore Data: Select this option if you do not want to import TAS/Blobstore data.
- Select Using Prisma Cloud Enterprise Edition option if applicable.
- Asset Inactivity Limit (days): Enter a time in days for the connector-level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.
  - Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. For more information, refer to Setting Asset Inactivity Limits.
Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
5. Click Save And Verify.
6. Once complete, you can upload and run your connector.
Viewing Prisma Cloud Data in Cisco Vulnerability Management
When Prisma Cloud is used, the Type column in the VM Explore page will allow you to easily distinguish one type of asset from another.
Important: Only Images and Containers are currently ingested into the asset type field. Other asset types are denoted by tags.
Use the "Type" filter to view counts of the asset types: container and image.
Use the 'assettype:' tag to view counts of the asset types: Host, Compliance, and Registry.
Additionally, on the Vulnerability Management Explore page in the right-hand navigation bar, there are multiple filters that provide the ability to view the assets and vulnerabilities specific to your Prisma Cloud environment.
What data does Prisma Cloud Connector Import?
API Endpoints
/v1/images
/v1/containers
/v1/hosts
/v1/registry
/v1/serverless
/v1/tas-droplets
Compliance: api.prismacloud.io/alert
Note: The Alert endpoint is available only to Enterprise Edition customers.
Specific mappings can be found in the sections below.
All other mappings are generalized in the following three tables:
Asset Data Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| asset.hostname Example: "" | String | locators.hostname |
| | | locators.container Example: null |
| | String | locators.image Example: null |
| asset.cloudMetadata. Example: "i-0a7d2bc8b1ead2798" | String | locators.ec2 Example: "i-0a7d2bc8b1ead2798" |
| asset.hostname Example: "" | String | locators.netbios |
| | | locators.url Example: null |
| | | locators.file Example: null |
| asset.hostname Example: "" | | locators.fqdn Example: null |
| | | locators.database Example: null |
| | | locators.application Example: null |
| | | locators.ip_address Example: null |
| asset._id Example: "sha256:6a6aeede783ddc | String | locators.external_id Example: "Prisma Image Asset sha256:6a6aeede783ddc658 |
| | | locators.mac_address Example: null |
| asset.distro Example: "Debian GNU/Linux 10 (buster)" | String | os_vendor Example: "Debian GNU/Linux 10 (buster)" |
| asset.osDistro Example: "debian" | String | os_family Example: "debian" |
| asset.osDistroVersion Example: "10.8" | String | os_version Example: "10.8" |
| asset.scanTime Example: 2024-01-24T02:39:27.896Z | Datetime | last_seen_time Example: 2024-01-24T02:39:27.896Z |
| | | ports Example: null |
| | | network_interfaces Example: null |
| asset.tags Example: [] | List of string | tags |
| | | inactive Example: false |
| | String | asset_type Example: null |
Vulnerability Data Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example | Notes |
| --- | --- | --- | --- |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981", "PRISMA-2023-0046", "GHSA-7ww5-4wqc-m92c", "ALAS-2024-2435" | String | vulnerabilities.identifier Example: "CVE-2023-5981" | |
| asset.vulnerabilities[i].published Example: 1670451309 | Integer | vulnerabilities.published_ Example: 2024-01-17T02:26:38Z | |
| asset.vulnerabilities[i].discovered | | vulnerabilities.found_on Example: null | |
| asset.vulnerabilities[i].fixDate Example: 1704844800 | Integer | vulnerabilities.last_fixed_on Example: 2024-01-17T02:26:38Z | |
| asset.vulnerabilities[i].discovered Example: 2024-01-17T02:26:38Z | Datetime | vulnerabilities:last_found Example: 2024-01-17T02:26:38Z | |
| | String | vulnerabilities.is_open Example: true | |
| asset.vulnerabilities[i].severity Example: "low" | String | vulnerabilities.scanner_ Example: 3 | Mapping { "critical" => 10, "important" => 9, "high" => 9, "medium" => 6, "moderate" => 6, "low" => 3, "unimportant" => 3, "None" => 0 } |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981", "PRISMA-2023-0046", "GHSA-7ww5-4wqc-m92c", "ALAS-2024-2435" | String | vulnerabilities.cve_raw_ Example: "CVE-2023-5981", "GHSA-7ww5-4wqc-m92c" | |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981", "PRISMA-2023-0046", "GHSA-7ww5-4wqc-m92c", "ALAS-2024-2435" | String | vulnerabilities.name Example: "CVE-2023-5981", "PRISMA-2023-0046", "GHSA-7ww5-4wqc-m92c", "ALAS-2024-2435" | |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981", "PRISMA-2023-0046", "GHSA-7ww5-4wqc-m92c", "ALAS-2024-2435" | String | vulnerabilities.definition_ Example: "Prisma CVE-2023-5981", "Prisma PRISMA-2023-0046", "Prisma GHSA-7ww5-4wqc-m92c", "Prisma ALAS-2024-2435" | |
| asset.vulnerabilities[i].fixLink Example: "" | String | vulnerabilities.solution | |
| | String | vulnerabilities.description Example: "" | |
| asset.vulnerabilities[i].templates Example: "PCI" | String | vulnerabilities.pci_related Example: true | |
| asset.vulnerabilities[i].description Example: "description text" | String | vulnerabilities.details Example: "description text" | |
| asset.vulnerabilities[i].link Example: "https://security-tracker.debian.org/tracker/CVE-2023-46218" | String | vulnerabilities.reference_ Example: ["https://security-tracker.debian.org/tracker | |
| | | vulnerabilities.port Example: null | |
Fix Data Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example | Required |
| --- | --- | --- | --- |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981" | String | vulnerabilities.fix_hash.external_id Example: "prisma-fix-CVE-2023-5981" | Yes |
| | | vulnerabilities.fix_hash.source Example: "Prisma" | Yes |
| asset.vulnerabilities[i].cve Example: "CVE-2023-5981" | String | vulnerabilities.fix_hash.title Example: "Prisma Remediation for: CVE-2023-5981" | Yes |
| asset.vulnerabilities[i].fixLink Example: "" | String | vulnerabilities.fix_hash.diagnosis | Yes |
| | | vulnerabilities.fix_hash.consequence | No |
| asset.vulnerabilities[i].fixLink | String | vulnerabilities.fix_hash.solution | No |
| | | vulnerabilities.fix_hash.vendor | No |
| | | vulnerabilities.fix_hash.product | No |
| | | vulnerabilities.fix_hash.published_by_source_datetime | No |
| | | vulnerabilities.fix_hash.last_modified_by_source_datetime | No |
| asset.vulnerabilities[i].fixLink Example: "" | String | vulnerabilities.fix_hash.reference_link | No |
| asset.vulnerabilities[i].fixLink Example: "" | String | vulnerabilities.fix_hash.url | No |
| asset.vulnerabilities[i].fixLink Example: "" | String | vulnerabilities.fix_hash.urls | No |
| | | vulnerabilities.fix_hash.client_id | Yes |
| | | vulnerabilities.fix_hash.kind Example: 0 | Yes |
Image Field Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| images._id Example: "sha256:6a6aeede783ddc658de3b071c | String | locators.image Example: "sha256:6a6aeede783ddc658de3b071cfd6 |
| images.type Example: "image" | String | asset_type Example: "image" |
Container Field Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example | Notes |
| --- | --- | --- | --- |
| containers._id Example: "6b661311450100d85a385e0 | String | locators.container Example: "6b661311450100d85a385e0e | |
| containers.info.imageID Example: "sha256:bdff4838c1724f55f0 | String | locators.image Example: "sha256:bdff4838c1724f | Note that multiple containers might be associated with one image. |
| containers.info.cloudMetadata. Example: "i-0a7d2bc8b1ead2798" | String | locators.ec2 Example: i-0a7d2bc8b1ead2798 | Note that multiple containers might be associated with one cloud provider. |
| containers.info.network Example: "172.17.0.2" | String | locators.ip_address Example: "172.17.0.2" | |
| containers.info.networkSettings. Example: "02:42:ac:11:00:02" | String | locators.mac_address Example: "02:42:AC:11:00:02" | Convert the mac_address to the formatted mac_address in Cisco Vulnerability Management (use ":" to separate every two characters, and the letters should only be in uppercase) |
| containers.info.imageName Example: "Image" | | tags Example: ["image"] | This field is not available on container types. |
| | String | asset_type Example: "container" | This field is set to "container" by default. |
Prisma does not provide vulnerability information for the container asset type. Instead, Cisco Vulnerability Management uses the relevant vulnerabilities from the image assets.
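The following Python example is added here and is not Cisco's connector code. It applies the severity-to-score mapping, the epoch-to-datetime conversion and the fix naming from the Vulnerability and Fix Data Mapping tables, plus the MAC address rule from the Container Field Mapping notes, to a constructed record; the function names, the case-insensitive severity lookup and the score of 0 for unknown labels are assumptions.

```python
from datetime import datetime, timezone

# Severity-to-score table copied from the Notes column of the mapping tables.
SEVERITY_SCORE = {"critical": 10, "important": 9, "high": 9, "medium": 6,
                  "moderate": 6, "low": 3, "unimportant": 3, "none": 0}

def epoch_to_iso(ts):
    """Integer epoch seconds (Prisma) -> ISO 8601 UTC string, None if absent."""
    if not ts:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def scanner_score(severity):
    # Assumption: lookup ignores case and unknown labels score 0.
    return SEVERITY_SCORE.get((severity or "none").strip().lower(), 0)

def format_mac(mac):
    """Upper-case hex pairs joined by ':'; None unless exactly 12 hex digits."""
    digits = "".join(c for c in (mac or "") if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def map_vulnerability(v):
    """Constructed Prisma vulnerability dict -> expected Cisco-side values.

    Keys are hypothetical flat names based on the field names in the tables.
    """
    cve = v["cve"]
    return {
        "identifier": cve,
        "definition_identifier": f"Prisma {cve}",
        "scanner_score": scanner_score(v.get("severity")),
        "published_date": epoch_to_iso(v.get("published")),
        "last_fixed_on": epoch_to_iso(v.get("fixDate")),
        "fix_external_id": f"prisma-fix-{cve}",
        "fix_title": f"Prisma Remediation for: {cve}",
    }

# Constructed sample record built from example values in the tables above.
SAMPLE = {"cve": "CVE-2023-5981", "severity": "low",
          "published": 1670451309, "fixDate": 1704844800}

if __name__ == "__main__":
    print(map_vulnerability(SAMPLE))
    print(format_mac("02:42:ac:11:00:02"))
```

Comparing this output with what appears after a connector run shows where distinct Prisma severities collapse to one score, for example "important" and "high" both becoming 9.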
Hosts Field Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| | | tags Example: [...,"AssetType:Host"] |
Serverless Assets Field Mapping
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| serverless.image.id Example: "" | String | locators.image |
| | List of string | tags Example: [...,"AssetType:Serverless"] |
Registry Field Mapping
The following table shows how Prisma registry fields map to fields in Cisco Vulnerability Management.
Asset Data
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| registry.id Example: "sha256:2d0c3b6b1a9b0f6 | String | locators.image Example: "sha256:2d0c3b6b1a9b0f6 |
| | List of string | tags Example: [...,'AssetType:Registry'] |
TAS Field Mapping
Asset Data
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example |
| --- | --- | --- |
| | | tags Example: [...,"AssetType:TAS-Droplet"] |
Prisma Alerts/Compliance
The following tables show how Prisma alerts/compliance fields map to fields in Cisco Vulnerability Management.
Asset Data
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example | Notes |
| --- | --- | --- | --- |
| Alert.resource.account | String | locators.hostname Example: "desktop-u3p9aqj", "ip-172-31-22-80" | |
| | String | locators.ec2 | |
| | | locators.netbios | |
| Alert.resource.url | | locators.url Example: null | |
| Alert.resource.rrn | | locators.file Example: null | |
| | | locators.fqdn Examples: null | |
| Alert.resource.id | String | locators.external_id Example: "Prisma Host Asset ip-172-31-22-80.ec2.internal" | |
| | String | os_vendor Example: "Ubuntu 22.04.3 LTS" | |
| | String | os_family Example: "ubuntu" | |
| | String | os_version Example: "22.04" | |
| Alert.lastSeen | Datetime | last_seen_time Example: 2024-01-25T02:39:26.829Z | |
| [Cloud: "resource.cloudType", Cloud AcctID:"resource.accountId", | List of string | tags Example: ["osDistro:amzn", "osVersion:2023", "AssetType:Compliance"] | Tags are parsed from the source. AssetType is appended to the end. |
| Prisma Field and Example | Data Type in Prisma | Cisco Vulnerability Management Field and Example | Notes |
| --- | --- | --- | --- |
| Alert.id | String | vulnerabilities.identifier Example: "CVE-2023-5981" | |
| Alert.alertTime | Integer | vulnerabilities.published_date Example: 2024-01-17T02:26:38Z | |
| Alert.alertTime | | vulnerabilities.found_on Example: 2024-01-17T02:26:38Z | |
| | Integer | vulnerabilities.last_fixed_on Example: null | |
| Alert.alertTime | Datetime | vulnerabilities.last_found_on Example: 2024-01-17T02:26:38Z | |
| | String | vulnerabilities.scanner_score Example: 0 | Mapping { "critical" => 10, "important" => 9, "high" => 9, "medium" => 6, "moderate" => 6, "low" => 3, "unimportant" => 3, "None" => 0 } |
| | String | vulnerabilities.cve_raw_data Examples: " " | |
| Alert.id | String | vulnerabilities.definition_identifier Examples: "Prisma {id}" | |
| policy.recommendation | String | vulnerabilities.solution | Can be an empty string. |
| policy.description | String | vulnerabilities.description Examples: "a denial of service (dos) vulnerability was found in the go library go-git. this issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a git server, which can trigger resource exhaustion in go-git clients." | Can be an empty string. |
| | | vulnerabilities.pci_related Example: None | |
| | String | vulnerabilities.details | |
| | | vulnerabilities.reference_links Example: [] | |
Additional Settings
The following additional settings can be enabled in your connector.
Custom Ordered Locators
If a custom locator order is required, you must add the following two additional locators to the beginning of that list: container_locator, image_locator, ... . For more information, see Understanding Locator Order.
Important: To have these enabled contact Cisco Support or your Customer Experience (CX) Team.
Frequently Asked Questions
Why is my connector run failing?
There might be several reasons for a failed connector run. First check the error code. Click on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:
Reasons why the Prisma Cloud Connector might fail:
- Disconnected projects in the Prisma Cloud environment can lead to connector run failures. To prevent this, all disconnected projects within Prisma Cloud must either be reconnected or have access to these projects restricted through the Prisma Cloud console.
- If your API user is restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
Why do I see fewer or more containers and images in Cisco Vulnerability Management than I expect?
First, search Prisma Cloud for the same container or image to determine if assets appear as expected in Prisma Cloud. If assets do not appear as expected in Prisma Cloud, then you can adjust your Prisma scan settings to run more frequently.
Additionally, note that by default, Prisma Cloud only presents image vulnerabilities for those images that recent containers have used. You can disable this behavior, but it is recommended that you keep it enabled.
Next, if the expected containers and images appear in Prisma Cloud but not in Cisco Vulnerability Management, a new connector run might be needed.