Prisma Cloud Alerts
Collects security alerts from Palo Alto Prisma Cloud Security Posture Management
Details
This input collects security alerts from the Palo Alto Prisma Cloud API. It periodically fetches alerts and handles pagination automatically. Key features include:
- Incremental sync support with state management
- Support for detailed alert information
Requirements
- A Prisma Cloud account with API access
- Access Key ID and Secret Key from Prisma Cloud console
- Your Prisma Cloud API URL (e.g., https://api.prismacloud.io)
Setup Instructions
- Log in to your Prisma Cloud Console
- Navigate to Settings > Access Control
- Create a new Access Key and Secret Key pair
- Note down your Prisma Cloud API URL (varies by region). Refer to this documentation for the correct URL:
- Configure the input using the credentials and URL
Related Articles
Settings
| Field | Description | Type | Required |
|---|---|---|---|
| url | Base URL for the Prisma Cloud API (e.g., https://api.prismacloud.io) | string | Yes |
| backfill start time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Field | Description | Type | Required |
|---|---|---|---|
| username | Username or Access Key ID | string | Yes |
| password | Password or Secret Key | string | Yes |
Note on Collection Behavior
The input follows an incremental collection pattern:
- First run: Collects all available alerts
- Subsequent runs: Collects only new alerts since the last successful run
- Implements state management to track the last collection timestamp
Troubleshooting
Common issues and their solutions:
-
Authentication failures
- Verify Access Key ID and Secret Key are correct
- Ensure the API keys have not expired
- Check if the keys have required permissions
-
Connection issues
- Verify the API URL is correct for your region
- Check network connectivity and firewall rules
- Ensure proper SSL/TLS configuration
-
Rate limiting
- The input implements automatic rate limiting handling
- Consider adjusting the polling interval if needed
Sample Record
{
"id": "N-301",
"status": "suppressed",
"reason": "RESOURCE_ADDED",
"firstSeen": 1742340436008,
"lastSeen": 1744456299142,
"alertTime": 1744098242691,
"lastUpdated": 1744181047491,
"policyId": "1b69c6f8-c38b-b004-e28a-e5a132cc0ea4",
"metadata": {
"riskFactors": [
"Public exposure",
"Admin port"
]
},
"policy": {
"policyId": "53b8912d-7774-515e-2f05-cdb769b05b19",
"name": "AWS S3 bucket publicly accessible",
"policyType": "data",
"systemDefault": true,
"description": "AWS EC2 instances accessible from the internet (0.0.0.0/0) on ports 22 and 3389 are highly susceptible to unauthorized access. This misconfiguration exposes critical systems to attacks.",
"severity": "low",
"recommendation": "Follow the principle of least privilege for IAM permissions",
"labels": [
"CIS_Benchmark",
"Attack Path Rule"
],
"aiRemediable": false,
"lastModifiedOn": 1742361843157,
"lastModifiedBy": "admin@example.com",
"deleted": false,
"findingTypes": [],
"hasSearchExecutionSupport": true,
"remediable": true
},
"alertRules": [],
"history": [],
"resource": {
"rrn": "rrn:azure:instance:us-east-1:585501320820:70d7d620-1c6f-0b09-6f49-a05d54c79875:vm-47cdd149-2d3e-3c28-c645-6518401e93a2",
"id": "db-d5cadcd4-ca8c-48d0-6279-35e3eb82e9c9",
"name": "web-server-prod",
"account": "AWS Cloud Account",
"accountId": "596105122472",
"cloudAccountGroups": [
"Production"
],
"region": "AWS Frankfurt",
"regionId": "us-west-2",
"resourceType": "DATABASE",
"resourceApiName": "azure-compute-virtualmachines",
"cloudServiceName": "Amazon S3",
"url": "https://us-central1.console.cloud.google.com/compute/home?region=us-east-1#NetworkDetails:networkId=vm-320b8d2e-a897-17af-ce7f-f39c12dc8d1b",
"data": null,
"additionalInfo": null,
"cloudType": "azure",
"resourceTs": 1743482280099,
"unifiedAssetId": "e293f7e0-c909-ac7c-87fd-62530637e0b3",
"resourceConfigJsonAvailable": false,
"resourceDetailsAvailable": true
},
"investigateOptions": {
"alertId": "N-213"
}
}