Prisma

TL;DR

| Supported data types   | 3rd party detection | Hunters detection | IOC search | Search | Table name             | Log format | Collection method |
|------------------------|---------------------|-------------------|------------|--------|------------------------|------------|-------------------|
| Prisma Cloud Alerts    |                     |                   |            |        | prisma_cloud_alerts    | NDJSON     | S3                |
| Prisma SaaS Log Events |                     |                   |            |        | prisma_saas_log_events | NDJSON     | API               |


Overview

The Prisma Suite by Palo Alto Networks is a cloud security platform that provides comprehensive protection for applications, data, and workloads across multi-cloud and hybrid environments. It includes multiple security solutions to help organizations enforce compliance, prevent threats, and secure cloud infrastructure. Prisma Cloud offers cloud security posture management, cloud workload protection, and container security to detect misconfigurations, vulnerabilities, and threats in cloud environments. Prisma Access is a secure access service edge solution that provides zero-trust network security for remote users and branch offices, ensuring secure and seamless connectivity. Together, these solutions help organizations maintain visibility, security, and compliance in their cloud operations.

Supported data types

Prisma Cloud Alerts

Table name: prisma_cloud_alerts

Prisma Cloud Alerts are security notifications generated by Palo Alto Networks' Prisma Cloud platform to help organizations detect and respond to potential risks in their cloud environments. These alerts provide real-time insights into misconfigurations, vulnerabilities, compliance violations, and suspicious activities across cloud workloads, containers, and infrastructure. By analyzing security posture and monitoring for threats, Prisma Cloud Alerts enable security teams to take proactive measures to mitigate risks, ensure compliance, and protect cloud resources from cyber threats.

Learn more here.

Prisma SaaS Log Events

Table name: prisma_saas_log_events

Prisma SaaS Log Events are detailed records generated by Palo Alto Networks' Prisma SaaS platform, providing visibility into user activities, security events, and policy violations across cloud applications. These logs capture important data such as file access, sharing activities, login attempts, and potential threats like malware or unauthorized access. By analyzing log events, security teams can monitor compliance, detect anomalies, and respond to incidents in real time, helping to protect sensitive data and maintain a secure cloud environment.

Learn more here.

Send data to Hunters

Prisma Cloud

Hunters supports the ingestion of Prisma Cloud logs via an intermediary AWS S3 bucket.

To connect Prisma Cloud logs:

  1. Export your logs from Prisma to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Prisma SaaS

Prisma SaaS log events are retrieved through an API, which is detailed here.

To connect Prisma SaaS logs:

  1. Retrieve Prisma SaaS API keys by following this guide from Prisma, granting the api_access scope to the generated token.

  2. Complete the process on the Hunters platform, following this guide.

⚠️ Attention

The Prisma SaaS API implements an event stream in which one event is returned per API call. For large enterprises, this might delay ingestion while the queue is drained.

Expected format

Logs are expected in JSON format.

Prisma SaaS Event

Example incident event

{
  "log_type": "incident",
  "severity": 1.0,
  "item_type": "File",
  "item_name": "helloworld.java",
  "asset_id": "5e9e3882xxxdb43cb015b460",
  "item_owner": "Admin User",
  "container_name": null,
  "item_creator": "Admin User",
  "exposure": "COMPANY",
  "occurrences_by_rule": null,
  "item_owner_email": "abc@emaildomain.com",
  "item_creator_email": "xyz@emaildomain.com",
  "serial": null,
  "cloud_app_instance": "Office 345 8",
  "timestamp": "2020-05-08T23:50:55Z",
  "incident_id": "5eb5ed492000032b37588a6c",
  "policy_rule_name": "java",
  "incident_category": null,
  "incident_owner": null,
  "collaborators": "",
  "datetime_edited": "2020-05-08T23:50:55Z",
  "item_cloud_url": "https://www.sharepoint.com/sites/xxx/Shared%20Documents/abc/helloworld.java",
  "item_owner_group": "O005_1_all",
  "item_sha256": "4953946b0bbcd10d872d09561bf0f0988e1xxx625e4af65c64691adf5af279d4",
  "item_size": 1005,
  "item_verdict": "not available"
}

Prisma Cloud Alert

Example AWS alert. The expected log format is a JSON array.

[
  {
    "accountId": "<AccountID>",
    "accountName": "AWS Data",
    "alertAttribution": {},
    "alertDismissalNote": "null",
    "alertId": "P-12345",
    "alertRemediationCli": "aws rds modify-db",
    "alertRemediationCliDescription": "This CLI command requires...",
    "alertRemediationImpact": "Enable AWS RDS instance",
    "alertRuleId": "<AlertRuleID>",
    "alertRuleName": "All rules",
    "alertStatus": "open",
    "alertTs": 1647866040507,
    "anomaly": {},
    "callbackUrl": "https://app.prismacloud.io/alerts/overview",
    "cloudType": "aws",
    "complianceMetadata": [
      {"requirementId": "Specialised security obligations", "requirementName": "Specialised security obligations", "standardName": "CyberSecurity Law"},
      {"requirementId": "Risk assessment", "requirementName": "Risk assessment", "standardName": "CyberSecurity Law"},
      {"requirementId": "Incident management", "requirementName": "Incident management", "standardName": "Information Security"},
      {"requirementId": "Testing control effectiveness", "requirementName": "Testing control effectiveness", "standardName": "Information Security"},
      {"requirementId": "Internal audit", "requirementName": "Internal audit", "standardName": "Information Security"}
    ],
    "findingSummary": {},
    "firstSeen": 1623199999900,
    "hasFinding": false,
    "lastSeen": 1623199999900,
    "policyDescription": "This policy identifies RDS instances",
    "policyId": "<PolicyID>",
    "policyLabels": [],
    "policyName": "AWS RDS instance",
    "policyRecommendation": "1. Sign into the AWS console.",
    "policyType": "config",
    "reason": "RESOURCE_UPDATED",
    "resource": {
      "account": "AWS Data",
      "accountId": "<AccountID>",
      "additionalInfo": {},
      "cloudAccountGroups": ["Data Team"],
      "cloudType": "aws",
      "data": {
        "activityStreamStatus": "stopped",
        "allocatedStorage": 10,
        "associatedRoles": [],
        "autoMinorVersionUpgrade": true,
        "availabilityZone": "us-west",
        "backupRetentionPeriod": 1,
        "cacertificateIdentifier": "rds",
        "copyTagsToSnapshot": true,
        "customerOwnedIpEnabled": false,
        "dbInstancePort": 0,
        "dbiResourceId": "db-id",
        "dbinstanceArn": "<arn>",
        "dbinstanceAutomatedBackupsReplications": [],
        "dbinstanceClass": "db",
        "dbinstanceIdentifier": "db",
        "dbinstanceStatus": "available",
        "dbname": "metabase",
        "dbparameterGroups": [
          {"dbparameterGroupArn": "<arn>", "dbparameterGroupName": "postgres", "parameterApplyStatus": "in-sync"}
        ],
        "dbsecurityGroups": [],
        "dbsubnetGroup": {
          "dbsubnetGroupDescription": "Created from the RDS",
          "dbsubnetGroupName": "vpc-name",
          "subnetGroupStatus": "Complete",
          "subnets": [
            {"subnetAvailabilityZone": {"name": "us-west"}, "subnetIdentifier": "<subnet-id>", "subnetOutpost": {}, "subnetStatus": "Active"},
            {"subnetAvailabilityZone": {"name": "us-west"}, "subnetIdentifier": "<subnet-id>", "subnetOutpost": {}, "subnetStatus": "Active"}
          ],
          "vpcId": "<vpc-id>"
        },
        "deletionProtection": true,
        "domainMemberships": [],
        "enabledCloudwatchLogsExports": [],
        "endpoint": {"address": "metabase-db.rds.amazonaws.com", "hostedZoneId": "<hostedZoneId>", "port": 5432},
        "engine": "postgres",
        "engineVersion": "11.11",
        "iamdatabaseAuthenticationEnabled": false,
        "instanceCreateTime": "2020-01-01T01:01:01.001Z",
        "kmsKeyId": "<arn>",
        "licenseModel": "postgresql-license",
        "masterUsername": "job",
        "maxAllocatedStorage": 10,
        "monitoringInterval": 10,
        "monitoringRoleArn": "<arn>",
        "multiAZ": false,
        "optionGroupMemberships": [{"optionGroupName": "default:postgress", "status": "in-sync"}],
        "pendingModifiedValues": {"processorFeatures": []},
        "performanceInsightsEnabled": true,
        "performanceInsightsKMSKeyId": "<arn>",
        "performanceInsightsRetentionPeriod": 1,
        "preferredBackupWindow": "10:10-11:11",
        "preferredMaintenanceWindow": "fri:11:11-fri:11:31",
        "processorFeatures": [],
        "publiclyAccessible": false,
        "readReplicaDBClusterIdentifiers": [],
        "readReplicaDBInstanceIdentifiers": [],
        "statusInfos": [],
        "storageEncrypted": true,
        "storageType": "gp",
        "tagList": [],
        "tags": [],
        "vpcSecurityGroups": [{"status": "active", "vpcSecurityGroupId": "<sg-id>"}]
      },
      "id": "<db-id>",
      "name": "name-db",
      "region": "AWS",
      "regionId": "us-west",
      "resourceApiName": "aws-rds",
      "resourceTs": 1647869090909,
      "resourceType": "MANAGED_DB",
      "rrn": "<rrn>",
      "url": "https://console.aws.amazon.com/rds/"
    },
    "resourceCloudService": "Amazon RDS",
    "resourceId": "<db-id>",
    "resourceName": "metabase",
    "resourceRegion": "AWS",
    "resourceRegionId": "us-west",
    "resourceType": "Managed Database",
    "severity": "medium",
    "source": "Prisma Cloud",
    "tags": []
  }
]
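A parser for the two formats shown above (SaaS incident events as NDJSON, Cloud alerts as a JSON array), added here as an example and not Hunters' or Palo Alto's own ingestion code. The input field names come from the page's sample events; the flat output record, its field names and the sample inputs are this example's own assumptions.

```python
"""Added example (not Hunters' or Palo Alto's code): parse the page's two feeds, SaaS
NDJSON incidents and Cloud alert JSON arrays, into one flat record (layout assumed)."""
import json
from datetime import datetime, timezone

# Constructed samples, trimmed from the page's example events.
SAAS_NDJSON = (
    '{"log_type": "incident", "severity": 1.0, "item_name": "helloworld.java", '
    '"exposure": "COMPANY", "timestamp": "2020-05-08T23:50:55Z", '
    '"incident_id": "5eb5ed492000032b37588a6c", "policy_rule_name": "java"}\n'
    "\n{not json at all}\n"  # blank and malformed lines: skipped, never fatal
)
CLOUD_ALERTS = (
    '[{"alertId": "P-12345", "alertStatus": "open", "alertTs": 1647866040507, '
    '"policyName": "AWS RDS instance", "severity": "medium", "resource": {"name": '
    '"name-db", "data": {"publiclyAccessible": false, "storageEncrypted": true}}}]'
)

def to_iso_utc(value):
    """alertTs is epoch milliseconds, the SaaS timestamp is ISO-8601 with Z; unify both."""
    if isinstance(value, (int, float)):  # integer maths: no float rounding of the ms part
        ms = int(value)
        dt = datetime.fromtimestamp(ms // 1000, timezone.utc).replace(microsecond=ms % 1000 * 1000)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def parse_saas_ndjson(text):
    """One event per line; an empty or bad line is dropped rather than aborting the batch."""
    records = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)  # json.loads("") also raises JSONDecodeError
        except json.JSONDecodeError:
            continue
        records.append({"source": "prisma_saas_log_events", "event_id": ev.get("incident_id"),
                        "timestamp": to_iso_utc(ev["timestamp"]), "severity": ev.get("severity"),
                        "rule": ev.get("policy_rule_name"), "subject": ev.get("item_name"),
                        "exposure": ev.get("exposure")})
    return records

def parse_cloud_alerts(text):
    """The export is one JSON array of alert objects, as in the example above."""
    records = []
    for al in json.loads(text):
        res = al.get("resource", {})
        records.append({"source": "prisma_cloud_alerts", "event_id": al.get("alertId"),
                        "timestamp": to_iso_utc(al["alertTs"]), "severity": al.get("severity"),
                        "rule": al.get("policyName"), "subject": res.get("name"),
                        "public": bool(res.get("data", {}).get("publiclyAccessible"))})
    return records
```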