The Prisma Cloud Connector (formerly Twistlock) is a comprehensive Cloud Native Security Platform (CNSP) for ingesting vulnerability data for images and containers. The Prisma Cloud Compute Edition (PCCE) is an on-premises solution, while the Prisma Cloud Enterprise Edition (PCEE) is a SaaS, cloud native security solution. Use the Prisma Cloud connector in Cisco Vulnerability Management to help reduce risk across your containerized infrastructure. The Prisma Cloud connector ingests information from containers and the images they run. In Cisco Vulnerability Management, containers inherit the same CVEs as the images they are running, so you can manage risk by focusing on either containers or images, depending on your preferred workflow.
Important: The Cisco Vulnerability Management platform does not support other cloud native applications that live within PCEE.
Adding the Prisma Cloud Connector
To add either connector to your environment, navigate to the Connectors tab on the navigation bar and select Add Connector. Scroll down and select the Prisma Cloud Connector.
Setting up the Compute Edition Connector
Once you click to add the Prisma Cloud Connector, a pop-up box will open where you will enter the following information for PCCE:
- Name: Any name of your choosing to identify and label this specific connector.
- Username: To keep access at least privilege, it is recommended that you use a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
- Password
- Host
- Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
  - Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
  - We recommend an asset inactivity limit of 2-3x the scan cadence of your Prisma scans.
Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
Click Save And Verify. Once complete, proceed to upload and run your connector.
Setting up the Enterprise Edition Connector
Before setting up the Enterprise Edition Connector in Cisco Vulnerability Management, you must first create an Access Key and Secret Key from within Prisma Cloud, and obtain the console's path URL.
From the Prisma Cloud application menu, click Manage > System to begin the set up.
Select the Downloads tab to access the Path to Console section. Copy the path to console URL on a notepad to use later in the Cisco Vulnerability Management platform connector set up page.
Important: You must omit the https:// portion of the URL.
Now, create a new username (Access Key) and password (Secret Key) dedicated to this integration, so that they are not confused with your other credentials for the system.
Add a new key for the Cisco Vulnerability Management Integration.
Once you have your Access Key, Secret Key, and the path URL, you can add a Prisma Cloud connector in the Cisco Vulnerability Management Platform. Make sure to check the "Using Prisma Cloud Computer Enterprise Edition (Twistlock Saas)" checkbox.
If you wish to set an asset inactivity limit for assets ingested by this connector, you may add that in the "Asset Inactivity Limit (days)" box. Connector-level asset inactivity limits take precedence over the global inactivity limit. See Setting Asset Inactivity Limits.
Click Save And Verify to complete the set up.
Viewing Prisma Cloud Data in Cisco Vulnerability Management
When Prisma Cloud is used, the new Type column in the Explore page will allow you to easily distinguish one type of asset from another.
Note: In order to see the Type column, enable it using the Display dropdown.
Important: Currently, the only supported asset types are container and image; others will not have a Type value.
Additionally, on the VM Explore right-hand navigation bar, there are multiple filters that provide the ability to view the assets and vulnerabilities specific to your Prisma Cloud environment. Select the connector name you chose to see assets ingested by said connector.
Use the "Type" filter to show the counts of the asset types - container or image.
What Prisma Cloud Connector Data does Cisco Vulnerability Management Import?
| Prisma source field | Cisco Vulnerability Management field | Description |
|---|---|---|
| | asset_type | Describes whether the asset is a container or an image (inferred from import) |
| | last_seen_time | The last time at which Cisco Vulnerability Management saw an asset, set as the time of the last successful connector run (inferred from import) |
| Tag, Registry, Repository for images; ['info']['imageName'] for containers | tags | All tags applying to an asset |
| Id for images; imageId for containers | image_locator | Docker image ID. Example: sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71 |
| ['info']['id'] | container_locator | Docker container ID. Example: 6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4 |
| Description | details | Prisma-provided textual description of the vulnerability. Note: Prisma’s |
| | vulnerability_class | Inferred from Prisma; will always be 'Host or network' for Prisma vulnerabilities |
| CVE ID | CVE | |
| CVE ID | identifiers | |
| Severity | scanner_score | 1-10 scale: other = 0; Low, Unimportant, Not Yet Assigned = 3; medium, moderate = 6; high, Important = 9; Critical = 10 |
| Discovered | found_on | When the CVE was made public |
| | Created | Date the vulnerability or asset was first imported to Cisco Vulnerability Management. Not mapped to a scanner field. |
| | Vulnerability Status | Only maps open/closed vulnerabilities. We will auto-close any vulnerability not seen on the next connector import (by the same connector). |
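As an added example (not part of this page or of the connector's own code), the following Python applies the mapping above to constructed Prisma records: it derives locators and tags, scores severities, lets containers inherit their image's CVEs, and auto-closes findings missing from the next run. The record shape, the CVE ids and the function names are assumptions.

```python
"""Added example: map Prisma Cloud image/container records onto the Cisco
Vulnerability Management fields in the table above (record shape is assumed)."""
# Prisma severity label -> scanner_score, per the Severity row of the table
SEVERITY_SCORE = {"low": 3, "unimportant": 3, "not yet assigned": 3,
                  "medium": 6, "moderate": 6, "high": 9, "important": 9,
                  "critical": 10}

def scanner_score(severity):
    """1-10 scanner_score for a Prisma severity label; anything else scores 0."""
    return SEVERITY_SCORE.get((severity or "").strip().lower(), 0)

def map_image(img):
    """CVM view of an image: Id -> image_locator, Tag/Registry/Repository -> tags."""
    return {"asset_type": "image", "image_locator": img["Id"],
            "tags": [img[k] for k in ("Tag", "Registry", "Repository") if img.get(k)],
            "vulns": {v["cve"]: scanner_score(v["severity"])
                      for v in img.get("vulnerabilities", [])}}

def map_container(ctr, images_by_id):
    """CVM view of a container; it inherits every CVE of the image it runs."""
    image = images_by_id.get(ctr["imageId"], {})
    return {"asset_type": "container", "container_locator": ctr["info"]["id"],
            "image_locator": ctr["imageId"], "tags": [ctr["info"]["imageName"]],
            "vulns": dict(image.get("vulns", {}))}

def import_run(images, containers):
    """One connector run: CVM assets keyed by locator (images first, then containers)."""
    assets = {img["Id"]: map_image(img) for img in images}
    for ctr in containers:
        mapped = map_container(ctr, assets)
        assets[mapped["container_locator"]] = mapped
    return assets

def reconcile(previous, current):
    """Vulnerability Status: a CVE not seen on the next run of the same connector
    is auto-closed; every CVE seen in the current run is open."""
    status = {(loc, cve): "open" for loc, a in current.items() for cve in a["vulns"]}
    for loc, a in previous.items():
        for cve in a["vulns"]:
            status.setdefault((loc, cve), "closed")
    return status

# Constructed sample records (not real assets; CVE ids are placeholders)
SAMPLE_IMAGE = {"Id": "sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71",
                "Tag": "1.0", "Registry": "registry.example", "Repository": "app/web",
                "vulnerabilities": [{"cve": "CVE-0000-0001", "severity": "Critical"},
                                    {"cve": "CVE-0000-0002", "severity": "moderate"}]}
SAMPLE_CONTAINER = {"imageId": SAMPLE_IMAGE["Id"], "info": {
    "imageName": "registry.example/app/web:1.0",
    "id": "6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4"}}
```

Running `import_run` once per connector run and `reconcile` on consecutive results reproduces the open/closed behaviour described in the last row of the table.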
API Endpoints
- /v1/images or /v1/containers
- /v1/images/download for images, /v1/images/container for containers
- /v1/containers/download
Additional Settings
The following additional settings can be enabled in your connector.
Custom Ordered Locators
If a custom locator order is required, you must add the following additional two locators to the beginning of that list: container_locator, image_locator, ..., … . See Understanding Locator Order for more information.
Important: To have these enabled contact Support or your Customer Experience (CX) Team.
Importing Image Data Only
When setting up your connector, you have the option to only import image data. This can be done by selecting the Do Not Import Container Data checkbox.
Frequently Asked Questions
Why is my connector run failing?
There may be several reasons for a failed connector run. First check the error code by clicking on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:
Reasons why the Prisma Cloud Connector may fail:
- Disconnected projects in the Prisma Cloud environment can lead to connector run failures. To prevent this, all disconnected projects within Prisma Cloud must either be reconnected or have access to these projects restricted via the Prisma Cloud console.
- If your API user is restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
Why do I see fewer or more containers and images in Cisco Vulnerability Management than I expect?
First, search Prisma Cloud for the same container or image to determine if assets appear as expected in Prisma Cloud. If assets do not appear as expected in Prisma Cloud, then you can adjust your Prisma scan settings to run more frequently.
Additionally, note that by default Prisma Cloud only presents image vulnerabilities for those images that have been used by recent containers. You can disable this behavior, but it is recommended that you keep it enabled.
Next, if the expected containers and images appear in Prisma Cloud but not in Cisco Vulnerability Management, a fresh connector run may be needed.