The Prisma Cloud Connector (formerly Twistlock) is a comprehensive Cloud Native Security Platform (CNSP) for ingesting vulnerability data for images and containers. The Prisma Cloud Compute Edition (PCCE) is an on-premises solution, while the Prisma Cloud Enterprise Edition (PCEE) is a SaaS, cloud native security solution. Use the Prisma Cloud connector in Cisco Vulnerability Management to assist you in reducing risk across your containerized infrastructure. The Prisma Cloud connector ingests information from containers and the images they run. In Cisco Vulnerability Management, containers inherit the same CVEs as the images that they are running. Therefore, you can focus on either containers or images, depending on your preferred workflow, to manage risk.
Important: Cisco Vulnerability Management does not support other cloud native applications that live within PCEE.
Setting up the Enterprise Edition Connector
Before setting up the Enterprise Edition Connector in Cisco Vulnerability Management, you must first create an Access Key and Secret Key in Prisma Cloud, and obtain the console's path URL.
1. From the Prisma Cloud application menu, click Manage > System.
2. To access the Path to Console section, click the Downloads tab. Take note of the URL in the Path to Console field; you will use it later on the Cisco Vulnerability Management connector setup page.
Important: You must omit the https:// portion of the URL.
3. Click Access Keys to create a dedicated username (Access Key) and password (Secret Key) for this integration, so they are not confused with your other credentials for the system.
4. Click Add New to add a new key for the Cisco Vulnerability Management integration.
5. Take note of your Access Key and Secret Key. You will use these when you set up the Connector in Cisco Vulnerability Management.
Adding the Prisma Cloud Connector
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Prisma Cloud.
4. On the Prisma Cloud Compute Edition page, enter the following information:
- Name: Enter a name for the connector, or leave it as Prisma Cloud Compute Edition.
- Username/Access Key: Enter the Access Key that you just created. Cisco recommends using a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
- Password/Secret Key: Enter the Secret Key that you just created.
- Host: Enter the Path to Console URL that you noted above.
- Do Not Import Container Data: Select this option if you want to import only image data.
- Select the Using Prisma Cloud Compute Enterprise Edition (Twistlock SaaS) option.
- Asset Inactivity Limit (days): Enter a time in days for the connector-level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.
- Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. For more information, refer to Setting Asset Inactivity Limits.
Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
5. Click Save And Verify.
6. Once complete, you can upload and run your connector.
Viewing Prisma Cloud Data in Cisco Vulnerability Management
When Prisma Cloud is used, the new Type column in the VM Explore page will allow you to easily distinguish one type of asset from another.
Note: To see the Type column, enable it using the Display dropdown.
Important: Currently, the only supported asset types are container and image; others will not have a Type value.
Additionally, the right-hand navigation bar on the VM Explore page offers several filters for viewing the assets and vulnerabilities specific to your Prisma Cloud environment.
Use the "Type" filter to show the counts of the asset types - container or image.
What Prisma Cloud Connector Data does Cisco Vulnerability Management Import?
| Prisma source field | Cisco Vulnerability Management field | Description |
| --- | --- | --- |
| (inferred from import) | asset_type | Describes whether the asset is a container or an image |
| (inferred from import) | last_seen_time | The last time at which Cisco Vulnerability Management saw the asset, set to the time of the last successful connector run |
| Tag, Registry, Repository for images; ['info']['imageName'] for containers | tags | All tags applying to an asset |
| Id for images, imageId for containers | image_locator | Docker image ID. Example: sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71 |
| ['info']['id'] | container_locator | Docker container ID. Example: 6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4 |
| Description | details | Prisma-provided textual description of the vulnerability. Note: Prisma’s |
| (inferred from Prisma) | vulnerability_class | Will always be 'Host or network' for Prisma vulnerabilities |
| CVE ID | CVE | |
| CVE ID | identifiers | |
| Severity | scanner_score | 1-10 scale: other - 0; Low, Unimportant, Not Yet Assigned - 3; medium, moderate - 6; high, Important - 9; Critical - 10 |
| Discovered | found_on | When the CVE was first discovered by the scanner |
| (not mapped to a scanner field) | Created | Date the vulnerability or asset was first imported to Cisco Vulnerability Management |
| (not mapped to a scanner field) | Vulnerability Status | Only maps open/closed vulnerabilities. Any vulnerability not seen on the next import by the same connector is automatically closed |
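The following is an added example, not Cisco's or Prisma Cloud's own code: it applies the field mapping in the table above to constructed Prisma-style records, including the container-inherits-image-CVEs rule, the "Do Not Import Container Data" option and the autoclose rule. The field names and severity buckets are the table's; the record layout around them and the sample values are assumptions made for illustration.

```python
# Added example (not Cisco's or Prisma Cloud's code): applies the field mapping
# in the table above to constructed Prisma-style records. Field paths and the
# severity buckets come from the table; the record layout is an assumption.
# Severity label -> scanner_score on the 1-10 scale, as the table lists it.
SEVERITY_SCORE = {"low": 3, "unimportant": 3, "not yet assigned": 3, "medium": 6,
                  "moderate": 6, "high": 9, "important": 9, "critical": 10}

def scanner_score(severity):
    """Map a Prisma severity label to scanner_score; anything else scores 0."""
    return SEVERITY_SCORE.get(severity.strip().lower(), 0)

def map_vuln(v):
    """One Prisma vulnerability -> Cisco VM vulnerability fields."""
    return {"CVE": v["cve"], "identifiers": [v["cve"]], "details": v.get("description", ""),
            "vulnerability_class": "Host or network",  # always, per the table
            "scanner_score": scanner_score(v["severity"]), "found_on": v["discovered"]}

def map_image(img, run_time):
    """Image asset: Id -> image_locator; Tag, Registry, Repository -> tags."""
    return {"asset_type": "image", "image_locator": img["id"], "last_seen_time": run_time,
            "tags": [t for t in (img.get("tag"), img.get("registry"), img.get("repository")) if t],
            "vulns": [map_vuln(v) for v in img.get("vulnerabilities", [])]}

def map_container(ctr, images_by_id, run_time):
    """Container asset: inherits the CVEs of the image it runs (imageId)."""
    image = images_by_id[ctr["imageId"]]
    return {"asset_type": "container", "container_locator": ctr["info"]["id"],
            "image_locator": ctr["imageId"], "tags": [ctr["info"]["imageName"]],
            "last_seen_time": run_time, "vulns": [map_vuln(v) for v in image.get("vulnerabilities", [])]}

def import_run(images, containers, run_time, import_containers=True):
    """One connector run; import_containers=False mirrors 'Do Not Import Container Data'."""
    by_id = {img["id"]: img for img in images}
    assets = [map_image(img, run_time) for img in images]
    if import_containers:
        assets += [map_container(c, by_id, run_time) for c in containers]
    return assets

def reconcile_status(previous_open, current):
    """Autoclose rule: an open CVE not seen on this run (same connector) is closed."""
    return {cve: "open" if cve in current else "closed" for cve in previous_open | current}

# Constructed sample input; the two locator values are the table's own examples.
IMAGES = [{"id": "sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71",
           "tag": "1.2", "registry": "registry.example", "repository": "web/app",
           "vulnerabilities": [{"cve": "CVE-0000-0001", "severity": "Critical", "discovered": "2024-01-02"},
                               {"cve": "CVE-0000-0002", "severity": "moderate", "discovered": "2024-01-03"}]}]
CONTAINERS = [{"imageId": IMAGES[0]["id"], "info": {"imageName": "registry.example/web/app:1.2",
               "id": "6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4"}}]
```

Running `import_run(IMAGES, CONTAINERS, "<run time>")` yields one image asset and one container asset carrying the same two CVEs, which is what the Type filter and the inheritance rule above describe.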
API Endpoints
- /v1/images or /v1/containers
- /v1/images/download for images, /v1/images/container for containers
- /v1/containers/download
Additional Settings
The following additional settings can be enabled in your connector.
Custom Ordered Locators
If a custom locator order is required, you must add the following two locators to the beginning of that list: container_locator, image_locator, … . For more information, see Understanding Locator Order.
Important: To have these enabled contact Cisco Support or your Customer Experience (CX) Team.
Frequently Asked Questions
Why is my connector run failing?
There might be several reasons for a failed connector run. First, check the error code: click the name of the connector on the Connectors page to open a window with the "Connector Status Message". Though the example shows a different connector, the format is the same:
Reasons why the Prisma Cloud Connector might fail:
- Disconnected projects in the Prisma Cloud environment can lead to connector run failures. To prevent this, all disconnected projects within Prisma Cloud must either be reconnected or have access to these projects restricted through the Prisma Cloud console.
- If your API user is restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.
Why do I see fewer or more containers and images in Cisco Vulnerability Management than I expect?
First, search Prisma Cloud for the same container or image to determine if assets appear as expected in Prisma Cloud. If assets do not appear as expected in Prisma Cloud, then you can adjust your Prisma scan settings to run more frequently.
Additionally, note that by default, Prisma Cloud only presents image vulnerabilities for those images that recent containers have used. You can disable this behavior, but it is recommended that you keep it enabled.
Next, if the expected containers and images appear in Prisma Cloud but not in Cisco Vulnerability Management, a new connector run might be needed.