Prisma Cloud Connectors: Compute & Enterprise Editions

The Prisma Cloud Connector (formerly Twistlock) is a comprehensive Cloud Native Security Platform (CNSP) for ingesting vulnerability data for images and containers. The Prisma Cloud Compute Edition (PCCE) is an on-premises solution, while the Prisma Cloud Enterprise Edition (PCEE) is a SaaS, cloud native security solution. Use the Prisma Cloud connector in Cisco Vulnerability Management to help reduce risk across your containerized infrastructure. The Prisma Cloud connector ingests information from containers and the images they run. In Cisco Vulnerability Management, containers inherit the same CVEs as the images they are running, so you can manage risk by focusing on either containers or images, depending on your preferred workflow.

Important: The Cisco Vulnerability Management platform does not support other cloud native applications that live within PCEE. 

Adding the Prisma Cloud Connector

To add either connector to your environment, navigate to the Connectors tab on the navigation bar and select Add Connector. Scroll down and select the Prisma Cloud Connector.

Add

Select Prisma Cloud from the Vulnerability Management section as shown below.

Vuln_Mgmt_Prisma.png

Setting up the Compute Edition Connector

Once you click to add the Prisma Cloud Connector, a pop-up box will open where you will enter the following information for PCCE:

  • Name: Any name of your choosing to identify and label this specific connector.
  • Username: To keep access to least privilege, it is recommended that you use a Prisma user with the DevSecOps User role for interacting with Cisco Vulnerability Management.
  • Password
  • Host
  • Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
    • Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits
    • We recommend an asset inactivity limit of 2-3x the scan cadence of your Prisma Scans.

Important note when using Prisma Collections: For API users that are restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.

Screen_Shot_2021-10-26_at_1.16.59_PM.png

Click Save And Verify. Once complete, proceed to upload and run your connector. 

Setting up the Enterprise Edition Connector

Before setting up the Enterprise Edition Connector in Cisco Vulnerability Management, you must first create an Access Key and Secret Key from within Prisma Cloud, and obtain the console's path URL.

From the Prisma Cloud application menu, click Manage > System to begin the set up.

Manage_System.png

Select the Downloads tab to access the Path to Console section. Copy the path to console URL to a notepad to use later on the Cisco Vulnerability Management connector setup page.

Important: You must omit the https:// portion of the URL. 

Utilities.png

Now, create a new username (Access Key) and password (Secret Key) dedicated to this integration, so they are not confused with your other credentials for the system.

Access_Keys.png

Add a new key for the Cisco Vulnerability Management Integration.

New_Key.png


Once you have your Access Key, Secret Key, and the path URL, you can add a Prisma Cloud connector in the Cisco Vulnerability Management Platform. Make sure to check the "Using Prisma Cloud Computer Enterprise Edition (Twistlock Saas)" checkbox.

PCCE_Connector_Settings.png

If you wish to set an asset inactivity limit for assets ingested by this connector, you may add that in the "Asset Inactivity Limit (days)" box. Connector-level asset inactivity limits take precedence over the global inactivity limit. See Setting Asset Inactivity Limits

Click Save And Verify to complete the set up.

Viewing Prisma Cloud Data in Cisco Vulnerability Management

When Prisma Cloud is used, the new Type column in the Explore page will allow you to easily distinguish one type of asset from another.

New_Type_Column.png

Note: In order to see the Type column, enable it using the Display dropdown.

New_Display_Dropdown.png

Important: Currently, the only supported asset types are container and image; others will not have a Type value.

Additionally, on the VM Explore right-hand navigation bar, there are multiple filters that provide the ability to view the assets and vulnerabilities specific to your Prisma Cloud environment. Select the connector name you chose to see assets ingested by said connector.

Filters.png

Use the "Type" filter to show the counts of the asset types - container or image.

container or image.png

What Prisma Cloud Connector Data does Cisco Vulnerability Management Import?

Prisma source field → Cisco Vulnerability Management field: Description

  • (inferred from import) → asset_type: Whether the asset is a container or an image.
  • (inferred from import) → last_seen_time: The last time Cisco Vulnerability Management saw the asset, set to the time of the last successful connector run.
  • Tag, Registry, Repository for images; ['info']['imageName'] for containers → tags: All tags applying to an asset.
  • Id for images, imageId for containers → image_locator: Docker image ID. Example: sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71
  • ['info']['id'] → container_locator: Docker container ID. Example: 6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4
  • Description → details: Prisma-provided textual description of the vulnerability.
    • Note: Prisma's Description field can also contain a space-separated list of other, non-CVE IDs (e.g. ALAS and Prisma IDs). Each of these is converted to an individual vulnerability when it maps to one or more CVEs; those that map to no CVE appear as informational.
  • (inferred from Prisma) → vulnerability_class: Always 'Host or network' for Prisma vulnerabilities.
  • CVE ID → CVE
  • CVE ID → identifiers
  • Severity → scanner_score: 1-10 scale, mapped as follows:
    • other - 0
    • Low, Unimportant, Not Yet Assigned - 3
    • medium, moderate - 6
    • high, Important - 9
    • Critical - 10
  • Discovered → found_on: When the CVE was first discovered by the scanner.
  • (not mapped to a scanner field) → Created: Date the vulnerability or asset was first imported to Cisco Vulnerability Management.
  • (not mapped to a scanner field) → Vulnerability Status: Only open/closed are mapped. Any vulnerability not seen on the next import by the same connector is automatically closed.
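The mapping table above is easier to reason about as code. The following is an added example, not the connector's own code: it normalizes constructed Prisma-style image, container and vulnerability records into the Cisco Vulnerability Management fields listed in the table (severity to scanner_score, Id/imageId to image_locator, ['info']['id'] to container_locator, Description IDs to separate CVE or informational records, and the open/closed autoclose rule). The record keys, the alias map from vendor IDs to CVEs, and the CVE/ALAS/PRISMA identifier values are constructed placeholders, not values from Prisma or the page.

```python
import re

# Severity labels -> the 1-10 scanner_score scale from the mapping table.
# Anything not listed here falls into the 'other' bucket (0).
SEVERITY_TO_SCANNER_SCORE = {
    "low": 3, "unimportant": 3, "not yet assigned": 3,
    "medium": 6, "moderate": 6,
    "high": 9, "important": 9,
    "critical": 10,
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# Assumed shape of the non-CVE ids the table mentions (e.g. ALAS-YYYY-NNNN, PRISMA-YYYY-NNNN).
OTHER_ID_RE = re.compile(r"^[A-Z]+-\d{4}-\d+$", re.IGNORECASE)


def scanner_score(severity):
    """Map a Prisma severity label (case-insensitive) to scanner_score; unknown -> 0."""
    return SEVERITY_TO_SCANNER_SCORE.get((severity or "").strip().lower(), 0)


def normalize_image(img):
    """Image record -> asset fields: Id becomes image_locator, Tag/Registry/Repository become tags."""
    tags = [img[k] for k in ("tag", "registry", "repository") if img.get(k)]
    return {"asset_type": "image", "image_locator": img["id"], "tags": tags}


def normalize_container(c):
    """Container record -> asset fields: ['info']['id'] becomes container_locator,
    imageId becomes image_locator (the image whose CVEs the container inherits)."""
    info = c["info"]
    return {"asset_type": "container", "container_locator": info["id"],
            "image_locator": info["imageId"], "tags": [info["imageName"]]}


def expand_vulnerability(v, alias_to_cves=None):
    """One Prisma vulnerability -> one or more CVM vulnerability records.
    Non-CVE ids found in Description become their own records: one per CVE when
    alias_to_cves knows the id, otherwise a single informational record."""
    alias_to_cves = alias_to_cves or {}
    base = {
        "vulnerability_class": "Host or network",   # always, per the table
        "scanner_score": scanner_score(v.get("severity")),
        "found_on": v.get("discovered"),
        "details": v.get("description", ""),
    }
    out = []
    if v.get("cve"):
        out.append({**base, "CVE": v["cve"], "identifiers": [v["cve"]], "informational": False})
    for tok in v.get("description", "").split():
        if CVE_RE.match(tok) or not OTHER_ID_RE.match(tok):
            continue  # the CVE itself is covered above; ordinary words are prose, not ids
        mapped = alias_to_cves.get(tok.upper())
        if mapped:
            out.extend({**base, "CVE": cve, "identifiers": [tok, cve], "informational": False}
                       for cve in mapped)
        else:
            out.append({**base, "CVE": None, "identifiers": [tok], "informational": True})
    return out


def vulns_to_close(previously_open, seen_this_run):
    """Status rule from the table: anything open that the same connector's next
    import did not see is auto-closed. Keys are (locator, CVE) pairs."""
    return sorted(set(previously_open) - set(seen_this_run))


# Constructed sample data (placeholder ids; image/container ids are the page's examples).
SAMPLE_IMAGE = {
    "id": "sha256:ba0c2ff8d3620c0910832424efef02787214013b1c5b1d9dc9d87d638e2ceb71",
    "tag": "1.2.3", "registry": "registry.example.internal", "repository": "payments/api",
    "vulnerabilities": [{
        "cve": "CVE-0000-0001", "severity": "Important", "discovered": "2021-10-26T13:00:00Z",
        "description": "Constructed description CVE-0000-0001 ALAS-0000-0001 PRISMA-0000-0002",
    }],
}
SAMPLE_CONTAINER = {"info": {
    "id": "6f6a37b164e6a1e44b59607ed0a4a71f830a5cdb3d64cba1ed4410251f63e2e4",
    "imageId": SAMPLE_IMAGE["id"], "imageName": "registry.example.internal/payments/api:1.2.3",
}}
# Constructed alias map: ALAS-0000-0001 maps to two CVEs, PRISMA-0000-0002 maps to none.
ALIAS_TO_CVES = {"ALAS-0000-0001": ["CVE-0000-0001", "CVE-0000-0002"]}


def run_example():
    image = normalize_image(SAMPLE_IMAGE)
    container = normalize_container(SAMPLE_CONTAINER)
    vulns = [r for v in SAMPLE_IMAGE["vulnerabilities"] for r in expand_vulnerability(v, ALIAS_TO_CVES)]
    # A previous run also saw CVE-0000-0009 on this image; it is absent now, so it closes.
    previously_open = {(image["image_locator"], "CVE-0000-0009"), (image["image_locator"], "CVE-0000-0001")}
    seen_now = {(image["image_locator"], r["CVE"]) for r in vulns if r["CVE"]}
    return {"image": image, "container": container, "vulns": vulns,
            "closed": vulns_to_close(previously_open, seen_now)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The severity lookup is deliberately case-insensitive because the table mixes capitalizations ("Low" but "medium"); a label that matches none of the listed values lands in the 0 bucket rather than raising, which is what "other - 0" describes.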

API Endpoints

  • /v1/images or /v1/containers
  • /v1/images/download for images, /v1/images/container for containers
  • /v1/containers/download


Additional Settings

The following additional settings can be enabled in your connector.

Custom Ordered Locators

If a custom locator order is required, the following two locators must be placed at the beginning of that list: container_locator, image_locator, … . See Understanding Locator Order for more information.

Important: To have these enabled contact Support or your Customer Experience (CX) Team.

Importing Image Data Only

When setting up your connector, you have the option to only import image data. This can be done by selecting the Do Not Import Container Data checkbox.

Importing image.png

Frequently Asked Questions

Why is my connector run failing?

There may be several reasons for a failed connector run. First check the error code by clicking on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:

Screen_Shot_2021-10-26_at_2.06.11_PM.png

Reasons why the Prisma Cloud Connector may fail:

  1. Disconnected projects in the Prisma Cloud environment can lead to connector run failures. To prevent this, all disconnected projects within Prisma Cloud must either be reconnected or have access to these projects restricted via the Prisma Cloud console.
  2. If your API user is restricted to a specific set of Prisma Collections, the API requests will fail. For this reason, you must grant your API user access to all Collections.

Why do I see fewer or more containers and images in Cisco Vulnerability Management than I expect?

First, search Prisma Cloud for the same container or image to determine if assets appear as expected in Prisma Cloud. If assets do not appear as expected in Prisma Cloud, then you can adjust your Prisma scan settings to run more frequently.

Scheduling.png


Additionally, note that by default Prisma Cloud only presents image vulnerabilities for images that have been used by recent containers. You can disable this behavior, but it is recommended that you keep it enabled.

Running_images.png

Next, if the expected containers and images appear in Prisma Cloud but not in Cisco Vulnerability Management, a fresh connector run may be needed.
