Closed jamiehynds closed 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!
Keeping this open.
We just received a request from one of our customers to integrate Prisma logs into the SIEM for monitoring.
Hello,
We are starting to use Prisma and need to ingest the data into your Elastic, but since there is no integration for it we will need to collect and parse the data ourselves.
Since the tags In Progress and 8.11 candidate have been added to this issue, I'm assuming that the work on this has started. Is there any place where I can see how the work is going, so that we can use the same field names/mappings in our Logstash pipeline?
Hi @leandrojmp - correct, we are actively working on a Prisma Cloud integration in partnership with Palo Alto. Unfortunately, I don't have a pipeline to share just yet, but we're expecting the PR to be raised very soon and you'll be able to see the mappings at that point.
Just so we're on the same page, is it Prisma Cloud or Prisma Access you want to ingest data from? We're working on Cloud, but have plans to focus on Access in a future release.
Hello @jamiehynds,
It is Prisma Cloud.
I will wait to see how the ingest pipeline/mappings look before starting to build our Logstash pipeline.
@leandrojmp Prisma Cloud PR is up, if you'd like to check out the mappings - https://github.com/elastic/integrations/pull/8135
PR will be going through our review process and will be available as soon as it's merged. Happy to hear any feedback you may have on the mappings, dashboards, etc.
@leandrojmp the integration is now available. Ingest pipelines are included, with dashboards to follow shortly. Stack version 8.10.1 is required. Happy to discuss any feedback you might have!
Hello @jamiehynds,
We are on 8.10.2, so we can test this. I will ask the cloud team for the API credentials, but I have one question.
Does the Incident Audit dataset only work when using TCP/UDP inputs? Is that right?
EDIT: Just saw the notes.
Currently, we are unable to collect logs of Incident Audit datastream via defined API. Hence, we have not added the configuration of Incident Audit data stream via REST API.
@leandrojmp the Incident Audit events are not yet supported, as we couldn't generate the events manually. We're working with Palo Alto to get our hands on some sample events so we can add support. Do you happen to have some sample Incident Audit events you could share (privately)?
Hello @jamiehynds,
We just started using the Prisma Cloud integration, I will check internally if we have any Incident Audit Events that we can share.
Also, I already opened an enhancement suggestion for the Audit pipeline: it creates only user.email, but the user.name field is way more useful because it can be used to correlate with other data sources. #8311
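To illustrate the enhancement requested in the comment above, here is an added example (not the integration's own pipeline and not posted in the thread) of an Elasticsearch ingest pipeline that fills ECS user.name from user.email when the source only supplies the address, and adds it to related.user so the event can be correlated with other data sources. That the local part of the address equals the login name is an assumption to be checked against real Prisma Cloud audit events.

```json
{
  "description": "Added example: derive ECS user.name from user.email (assumes the local part of the address is the login name)",
  "processors": [
    {
      "script": {
        "tag": "derive_user_name_from_email",
        "description": "Runs only when user.email is a string and no earlier processor has set user.name",
        "if": "ctx.user?.email instanceof String && ctx.user.name == null",
        "lang": "painless",
        "source": "String email = ctx.user.email.trim(); int at = email.indexOf('@'); if (at > 0) { ctx.user.name = email.substring(0, at); }"
      }
    },
    {
      "append": {
        "tag": "add_user_name_to_related_user",
        "description": "ECS convention: collect every user identifier on the event in related.user for cross-source correlation",
        "if": "ctx.user?.name != null",
        "field": "related.user",
        "value": "{{{user.name}}}",
        "allow_duplicates": false
      }
    }
  ]
}
```

Running this through POST _ingest/pipeline/_simulate with a constructed document {"user": {"email": "alice@example.com"}} yields user.name "alice" and related.user ["alice"]; an address without an "@" leaves user.name unset rather than filling it with a guess.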
Description
Prisma Cloud is a cloud infrastructure security solution that enables you to address risks and secure your workloads in a heterogeneous environment (hybrid and multicloud) from a single console. It provides complete visibility and control over risks within your public cloud infrastructure (Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), Alibaba Cloud) and enables you to manage vulnerabilities, detect anomalies, ensure compliance, and provide runtime defense in heterogeneous environments, such as Windows, Linux, Kubernetes, Red Hat OpenShift, AWS Lambda, Azure Functions, and GCP Cloud Functions.
Architecture
Prisma supports syslog; the steps to configure syslog forwarding and the syslog field descriptions are in the Prisma documentation (links not preserved here).
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
  sample_event.json exists