Overview

Prisma Cloud CSPM is a cloud security posture management platform. Prisma inspects cloud products - AWS and Azure assets, for example - and identifies vulnerabilities and misconfigurations. It can also perform automatic actions in the cloud environment to reconfigure resources and fix the problems it finds.

Supported Data Types

  • Prisma Cloud Alerts

Example of an AWS alert:
{
  "accountId": "<AccountID>",
  "accountName": "AWS Data",
  "alertAttribution": {},
  "alertDismissalNote": "null",
  "alertId": "P-12345",
  "alertRemediationCli": "aws rds modify-db",
  "alertRemediationCliDescription": "This CLI command requires...",
  "alertRemediationImpact": "Enable AWS RDS instance",
  "alertRuleId": "<AlertRuleID>",
  "alertRuleName": "All rules",
  "alertStatus": "open",
  "alertTs": 1647866040507,
  "anomaly": {},
  "callbackUrl": "https://app.prismacloud.io/alerts/overview",
  "cloudType": "aws",
  "complianceMetadata": [
    {
      "requirementId": "Specialised security obligations",
      "requirementName": "Specialised security obligations",
      "standardName": "CyberSecurity Law"
    },
    {
      "requirementId": "Risk assessment",
      "requirementName": "Risk assessment",
      "standardName": "CyberSecurity Law"
    },
    {
      "requirementId": "Incident management",
      "requirementName": "Incident management",
      "standardName": "Information Security"
    },
    {
      "requirementId": "Testing control effectiveness",
      "requirementName": "Testing control effectiveness",
      "standardName": "Information Security"
    },
    {
      "requirementId": "Internal audit",
      "requirementName": "Internal audit",
      "standardName": "Information Security"
    }
  ],
  "findingSummary": {},
  "firstSeen": 1623199999900,
  "hasFinding": false,
  "lastSeen": 1623199999900,
  "policyDescription": "This policy identifies RDS instances",
  "policyId": "<PolicyID>",
  "policyLabels": [],
  "policyName": "AWS RDS instance",
  "policyRecommendation": "1. Sign into the AWS console.",
  "policyType": "config",
  "reason": "RESOURCE_UPDATED",
  "resource": {
    "account": "AWS Data",
    "accountId": "<AccountID>",
    "additionalInfo": {},
    "cloudAccountGroups": [
      "Data Team"
    ],
    "cloudType": "aws",
    "data": {
      "activityStreamStatus": "stopped",
      "allocatedStorage": 10,
      "associatedRoles": [],
      "autoMinorVersionUpgrade": true,
      "availabilityZone": "us-west",
      "backupRetentionPeriod": 1,
      "cacertificateIdentifier": "rds",
      "copyTagsToSnapshot": true,
      "customerOwnedIpEnabled": false,
      "dbInstancePort": 0,
      "dbiResourceId": "db-id",
      "dbinstanceArn": "<arn>",
      "dbinstanceAutomatedBackupsReplications": [],
      "dbinstanceClass": "db",
      "dbinstanceIdentifier": "db",
      "dbinstanceStatus": "available",
      "dbname": "metabase",
      "dbparameterGroups": [
        {
          "dbparameterGroupArn": "<arn>",
          "dbparameterGroupName": "postgres",
          "parameterApplyStatus": "in-sync"
        }
      ],
      "dbsecurityGroups": [],
      "dbsubnetGroup": {
        "dbsubnetGroupDescription": "Created from the RDS",
        "dbsubnetGroupName": "vpc-name",
        "subnetGroupStatus": "Complete",
        "subnets": [
          {
            "subnetAvailabilityZone": {
              "name": "us-west"
            },
            "subnetIdentifier": "<subnet-id>",
            "subnetOutpost": {},
            "subnetStatus": "Active"
          },
          {
            "subnetAvailabilityZone": {
              "name": "us-west"
            },
            "subnetIdentifier": "<subnet-id>",
            "subnetOutpost": {},
            "subnetStatus": "Active"
          }
        ],
        "vpcId": "<vpc-id>"
      },
      "deletionProtection": true,
      "domainMemberships": [],
      "enabledCloudwatchLogsExports": [],
      "endpoint": {
        "address": "metabase-db.rds.amazonaws.com",
        "hostedZoneId": "<hostedZoneId>",
        "port": 5432
      },
      "engine": "postgres",
      "engineVersion": "11.11",
      "iamdatabaseAuthenticationEnabled": false,
      "instanceCreateTime": "2020-01-01T01:01:01.001Z",
      "kmsKeyId": "<arn>",
      "licenseModel": "postgresql-license",
      "masterUsername": "job",
      "maxAllocatedStorage": 10,
      "monitoringInterval": 10,
      "monitoringRoleArn": "<arn>",
      "multiAZ": false,
      "optionGroupMemberships": [
        {
          "optionGroupName": "default:postgress",
          "status": "in-sync"
        }
      ],
      "pendingModifiedValues": {
        "processorFeatures": []
      },
      "performanceInsightsEnabled": true,
      "performanceInsightsKMSKeyId": "<arn>",
      "performanceInsightsRetentionPeriod": 1,
      "preferredBackupWindow": "10:10-11:11",
      "preferredMaintenanceWindow": "fri:11:11-fri:11:31",
      "processorFeatures": [],
      "publiclyAccessible": false,
      "readReplicaDBClusterIdentifiers": [],
      "readReplicaDBInstanceIdentifiers": [],
      "statusInfos": [],
      "storageEncrypted": true,
      "storageType": "gp",
      "tagList": [],
      "tags": [],
      "vpcSecurityGroups": [
        {
          "status": "active",
          "vpcSecurityGroupId": "<sg-id>"
        }
      ]
    },
    "id": "<db-id>",
    "name": "name-db",
    "region": "AWS",
    "regionId": "us-west",
    "resourceApiName": "aws-rds",
    "resourceTs": 1647869090909,
    "resourceType": "MANAGED_DB",
    "rrn": "<rrn>",
    "url": "https://console.aws.amazon.com/rds/"
  },
  "resourceCloudService": "Amazon RDS",
  "resourceId": "<db-id>",
  "resourceName": "metabase",
  "resourceRegion": "AWS",
  "resourceRegionId": "us-west",
  "resourceType": "Managed Database",
  "severity": "medium",
  "source": "Prisma Cloud",
  "tags": []
}

Sending Data to Hunters

Exporting Prisma Alerts to an S3 bucket

To export the data to an S3 bucket, follow this guide, and then provide Hunters with the bucket ARN for ingestion. Note that alerts embed resource details (for example the database endpoint, master username and ARNs in the sample above), so grant Hunters only the read access to that bucket that ingestion requires.