Prisma Cloud Connectors: Compute & Enterprise Editions

The Prisma Cloud Connector (formerly Twistlock) is a comprehensive Cloud Native Security Platform (CNSP) for ingesting vulnerability data for images and containers. The Prisma Cloud Compute Edition (PCCE) is an on-premises solution, while the Prisma Cloud Enterprise Edition (PCEE) is a SaaS, cloud native security solution. Use the Prisma Cloud connector in Cisco Vulnerability Management to help reduce risk across your containerized infrastructure. The Prisma Cloud connector ingests information from containers and the images they run. In Cisco Vulnerability Management, containers inherit the same CVEs as the images they are running. Therefore, you can focus on either containers or images, depending on your preferred workflow, to manage risk.

Important: Cisco Vulnerability Management does not support other cloud native applications that live within PCEE. 

Setting up the Enterprise Edition Connector

Before setting up the Enterprise Edition Connector in Cisco Vulnerability Management, you must first create an Access Key and Secret Key in Prisma Cloud, and obtain the console's path URL. 

1. From the Prisma Cloud application menu, click Manage > System.


2. To access the Path to Console section, click the Downloads tab. Take note of the URL in the Path to Console field to use later in the Cisco Vulnerability Management connector set up page.

Important: You must omit the https:// portion of the URL. 


3. To create a dedicated username (Access Key) and password (Secret Key) for the integration, so that it does not share credentials with other users of the system, click Access Keys.


4. Click Add New to add a new key for the Cisco Vulnerability Management integration.


5. Take note of your Access Key and Secret Key. You will use these when you set up the connector in Cisco Vulnerability Management.

Adding the Prisma Cloud Connector

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Prisma Cloud.

4. On the Prisma Cloud Compute Edition page, enter the following information:

  • Name: Enter a name for the connector, or leave it as Prisma Cloud Compute Edition.
  • Username/Access Key: Enter the Access Key that you just created. Cisco recommends using a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
  • Password/Secret Key: Enter the Secret Key that you just created.
  • Host: Enter the Path to Console URL that you noted above.
  • Do Not Import Container Data: Select this option if you want to import only image data.
  • Select the Using Prisma Cloud Compute Enterprise Edition (Twistlock SaaS) option.
  • Asset Inactivity Limit (days): Enter a time in days for the connector-level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.
    • Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. For more information, refer to Setting Asset Inactivity Limits.

Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.

5. Click Save And Verify.

6. Once complete, you can upload and run your connector. 

Viewing Prisma Cloud Data in Cisco Vulnerability Management

When Prisma Cloud is used, the new Type column in the VM Explore page will allow you to easily distinguish one type of asset from another.


Note: To see the Type column, enable it using the Display dropdown.


Important: Currently, the only supported asset types are container and image; others will not have a Type value.

Additionally, on the VM Explore page in the right-hand navigation bar, there are multiple filters that provide the ability to view the assets and vulnerabilities specific to your Prisma Cloud environment.


Use the "Type" filter to show the counts of the asset types - container or image.


What Prisma Cloud Connector Data does Cisco Vulnerability Management Import?

Each entry below gives the Cisco Vulnerability Management field, the Prisma source field it is mapped from (or none, where the value is inferred), and a description.

  • asset_type (Prisma source: none; inferred from import): Describes whether the asset is a container or an image.
  • last_seen_time (Prisma source: none; inferred from import): The last time at which Cisco Vulnerability Management saw the asset, set to the time of the last successful connector run.
  • tags (Prisma source: Tag, Registry and Repository for images; ['info']['imageName'] for containers): All tags applying to an asset.
  • image_locator (Prisma source: Id for images, imageId for containers): Docker image ID. Example: sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71
  • container_locator (Prisma source: ['info']['id']): Docker container ID. Example: 6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4
  • details (Prisma source: Description): Prisma-provided textual description of the vulnerability.
    Note: Prisma's Description field can also contain a space-separated list of non-CVE IDs (e.g. ALAS and Prisma IDs). These are converted to individual vulnerabilities when they map to one or more CVEs, and appear as informational findings if they do not map to any CVE.
  • vulnerability_class (Prisma source: none; inferred from Prisma): Always 'Host or network' for Prisma vulnerabilities.
  • CVE (Prisma source: CVE ID).
  • identifiers (Prisma source: CVE ID).
  • scanner_score (Prisma source: Severity): 1-10 scale, mapped from the Prisma severity label as follows:
    • other: 0
    • Low, Unimportant, Not Yet Assigned: 3
    • medium, moderate: 6
    • high, Important: 9
    • Critical: 10
  • found_on (Prisma source: Discovered): When the CVE was first discovered by the scanner.
  • Created (Prisma source: none): Date the vulnerability or asset was first imported to Cisco Vulnerability Management. Not mapped to a scanner field.
  • Vulnerability Status (Prisma source: none): Only maps open/closed vulnerabilities. Any vulnerability not seen on the next connector import (by the same connector) is automatically closed.
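To make the mapping concrete, the following Python illustration (added here; it is not the connector's own code) transforms a constructed Prisma record into the fields listed above. It assumes the record keys are named as in this table (the real API JSON may differ) and omits the lookup that resolves non-CVE IDs such as ALAS to CVEs, so those IDs simply stay informational here.

```python
import re
# Severity labels from this page's mapping table, matched case-insensitively; anything else scores 0.
SEVERITY_TO_SCORE = {"low": 3, "unimportant": 3, "not yet assigned": 3, "medium": 6,
                     "moderate": 6, "high": 9, "important": 9, "critical": 10}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)

def scanner_score(severity):
    """Prisma Severity label -> 1-10 scanner_score ('other' or unknown -> 0)."""
    return SEVERITY_TO_SCORE.get((severity or "").strip().lower(), 0)

def split_description_ids(description):
    """Split a space-separated Description into CVE IDs and non-CVE IDs (e.g. ALAS, Prisma)."""
    tokens = description.split()
    cves = [t.upper() for t in tokens if CVE_RE.match(t)]
    return cves, [t for t in tokens if not CVE_RE.match(t)]

def map_vulnerability(v):
    """One Prisma finding -> the Cisco Vulnerability Management vulnerability fields."""
    cves, others = split_description_ids(v.get("Description", ""))
    return {
        "CVE": v["CVE ID"], "identifiers": sorted({v["CVE ID"], *cves}),
        "details": v.get("Description", ""), "found_on": v.get("Discovered"),
        "scanner_score": scanner_score(v.get("Severity")),
        "vulnerability_class": "Host or network",  # constant for Prisma findings
        "informational_ids": others,  # non-CVE IDs that no CVE lookup resolved
    }

def map_asset(record, asset_type, run_time):
    """Asset fields; asset_type comes from the endpoint used (/v1/images or /v1/containers)."""
    if asset_type == "image":
        locators = {"image_locator": record["Id"]}
        tags = [record.get(k) for k in ("Tag", "Registry", "Repository")]
    else:  # containers inherit the image's CVEs, so both locators are kept
        locators = {"image_locator": record["imageId"], "container_locator": record["info"]["id"]}
        tags = [record["info"]["imageName"]]
    return {"asset_type": asset_type, "last_seen_time": run_time, "tags": [t for t in tags if t],
            **locators, "vulnerabilities": [map_vulnerability(v) for v in record.get("vulnerabilities", [])]}

# Constructed sample /v1/containers record; the IDs are this page's examples, key names follow its table.
SAMPLE_CONTAINER = {
    "imageId": "sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71",
    "info": {"id": "6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4",
             "imageName": "registry.example.com/app:1.2"},
    "vulnerabilities": [
        {"CVE ID": "CVE-2021-99901", "Severity": "Important", "Discovered": "2021-10-01",
         "Description": "CVE-2021-99901 ALAS-2021-9901 PRISMA-2021-9901"},
        {"CVE ID": "CVE-2021-99902", "Severity": "Not Yet Assigned", "Discovered": "2021-10-02",
         "Description": "cve-2021-99902"}],
}
MAPPED = map_asset(SAMPLE_CONTAINER, "container", "2021-10-26T13:16:59Z")
```

Note that the severity labels in the table are mixed case, so the lowercase comparison is what keeps "Important" and "high" on the same score.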

API Endpoints

  • /v1/images or /v1/containers
  • /v1/images/download for images, /v1/images/container for containers
  • /v1/containers/download

Additional Settings

The following additional settings can be enabled in your connector.

Custom Ordered Locators

If a custom locator order is required, you must add the following additional two locators to the beginning of that list: container_locator, image_locator, ..., … . For more information, see Understanding Locator Order.

Important: To have these enabled, contact Cisco Support or your Customer Experience (CX) team.

Frequently Asked Questions

Why is my connector run failing?

There might be several reasons for a failed connector run. First check the error code. Click on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:


Reasons why the Prisma Cloud Connector might fail:

  1. Disconnected projects in the Prisma Cloud environment can lead to connector run failures. To prevent this, all disconnected projects within Prisma Cloud must either be reconnected or have access to these projects restricted through the Prisma Cloud console.
  2. If your API user is restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.

Why do I see fewer or more containers and images in Cisco Vulnerability Management than I expect?

First, search Prisma Cloud for the same container or image to determine if assets appear as expected in Prisma Cloud. If assets do not appear as expected in Prisma Cloud, then you can adjust your Prisma scan settings to run more frequently.


Additionally, note that by default, Prisma Cloud only presents image vulnerabilities for those images that recent containers have used. You can disable this behavior, but it is recommended that you keep it enabled.


Next, if the expected containers and images appear in Prisma Cloud but not in Cisco Vulnerability Management, a new connector run might be needed.
