Introduction
Prisma Public Cloud provides continuous visibility, security, and compliance monitoring across public multi-cloud deployments. This enables organizations to safely embrace the public cloud through its intelligent SaaS security platform
OpsRamp configuration
Configuration involves the following:
- Installing the integration.
- Configuring the integration.
Step 1: Install the integration
To install:
- Select a client from the All Clients list.
- Go to Setup > Integrations > Integrations.
- From Available Integrations, select Monitoring > Prisma Public Cloud.
- Click Install.
Step 2: Configure the integration
To configure the integration:
- From the API tab, provide the following:
- Authentication: Copy Tenant Id, Token and Webhook URL for configuration. These settings are used for creating a HTTP Request template.
- Map Attributes: Provide the mapping information for the third-party.
- From the Monitoring of Integration tab, click Assign Templates.
- From the Audit Logs, set up audit log criteria and time frame.
Configuring the map attributes
To configure the mapping attributes:
- Select the required OpsRamp property from the drop-down.
- Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
- Click + to define the mappings.
- From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.
The following tables shows the attribute mappings.
OpsRamp Attributes | Prisma Public Cloud Attributes | ||||
---|---|---|---|---|---|
Alert metric | message | ||||
Alert state | message
| ||||
Alert time | sentTs | ||||
Alert subject | message | ||||
Alert resource name | message |
Mapping the first payload validation
To map the first payload validation:
- Provide the Webhook URL in Webhooks URL field, authentication token in the Auth Token field in the Integrations tab, and click Test. A success message is displayed.
- Prisma Public Cloud sends a response message as confirmation to OpsRamp.
The following show a sample response:
{
"sender":"RedLock",
"sentTs":'1557951571335',
"message":"HELLO"
}
Mapping the final payload
To map the final payload:
- May the webhook payload attributes to the OpsRamp alert attributes.
- The Prisma Public Cloud webhook sends a sample payload to OpsRamp.
The following table shows the mapping for the cloud security vulnerability events webhook payload attributes with the OpsRamp Alert entity attributes.
OpsRamp Attribute | Prisma Public Cloud Attribute | ||||||||
---|---|---|---|---|---|---|---|---|---|
External alert ID | >alertId | ||||||||
Alert metric | >resourceCloudService | ||||||||
Alert state | severity
| ||||||||
Alert time | >alertTs | ||||||||
Alert subject | >policyName | ||||||||
Alert description | >policyDescription | ||||||||
Alert resource name | >resourceName |
Sample response
{
"resourceId": "subnet-5c03e227",
"alertRuleName": "Kfarr Email Test",
"accountName": "2W-ProductDevelopment5",
"hasFinding": false,
"resourceRegionId": "ap-south-1",
"alertRemediationCli": null,
"source": "RedLock",
"cloudType": "aws",
"callbackUrl": "https://app.redlock.io/alerts?filters#alert.id=P-1975&timeType=to\_now&timeUnit=epoch",
"alertId": "P-1975",
"policyLabels": \[\],
"alertAttribution": null,
"severity": "medium",
"policyName": "AWS VPC subnets should not allow automatic public IP assignment",
"resourceName": "subnet-5c03e227",
"riskRating": "B",
"resourceRegion": "AWS Mumbai",
"policyDescription": "This policy identifies VPC subnets which allow automatic public IP assignment. VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.",
"policyRecommendation": "1. Sign into the AWS console.\\n2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated.\\n3. Navigate to the 'VPC' service.\\n4. In the navigation pane, click 'Subnets'.\\n5. Select the identified Subnet and choose the option 'Modify auto-assign IP settings' under the Subnet Actions.\\n6. Disable the 'Auto-Assign IP' option and save it.",
"accountId": "162213212942",
"resourceConfig": {
"subnetId": "subnet-5c03e227",
"subnetArn": "arn:aws:ec2:ap-south-1:162213212942:subnet/subnet-5c03e227",
"availabilityZoneId": "aps1-az2",
"cidrBlock": "172.31.32.0/20",
"ownerId": "162213212942",
"availabilityZone": "ap-south-1c",
"assignIpv6AddressOnCreation": false,
"tags": \[\],
"vpcId": "vpc-f515f69c",
"mapPublicIpOnLaunch": true,
"defaultForAz": true,
"state": "available",
"ipv6CidrBlockAssociationSet": \[\]
},
"resourceCloudService": "Amazon VPC",
"alertTs": 1557856406801,
"findingSummary": null,
"resourceType": "Subnet"
}
]
Prisma Public Cloud configuration
Configuration involves:
- Integrating with OpsRamp.
- Creating a alert rule.
Step 1: Integrate with OpsRamp
Prerequisites
- The Webhook URL copied during Prisma Public Cloud installation.
- Authentication code generated during Prisma Public Cloud installation.
To integrate with OpsRamp using Webhooks URL:
- Log into Prisma Public Cloud Service and select Settings Integrations.
- Select + Add New and set the Integration type as Webhooks.
- Enter the Webhook URL and Auth Code and click Next.
- Click Test. Test successful confirmation message is displayed.
- Click Save.
Step 2: Create an alert rule
To create an alert rule:
- Select Secure Alert Rules and click +Add New.
- Provide a name for Alert Rule Name and a Description for rule and click Next.
- To apply the alert rule, select Account Groups and click Next.
- To see advanced settings for target setting, toggle View Advanced Settings.
- To exclude any cloud accounts from the selected Account Group, provide the accounts in Exclude Cloud Accounts.
- Choose your region.
- To manage or identify your resources, add Tags. Tags apply to Config and Network Policies only.
- Click Next.
- To add more details to this rule, click View Advanced Settings to provide more details in the following fields:
- To exclude more cloud accounts from triggering alerts, mention the cloud accounts in the Exclude Cloud Accounts.
- To trigger alerts only for specific regions for the cloud accounts in the selected account group, select one or more Regions from the list.
- To trigger alerts only for specific resources in the selected cloud accounts, enter the key and value of the Resource Tag you created for the resource in your cloud environment. Tags apply to Config and Network Policies only.
- Click Next.
- To trigger alerts for this rule, either Select all policies or select a Specific Policy.
- To send notifications to OpsRamp, configure Set Alert Notifications.
- On the Set Alert Notification page of the alert rule, select webhooks.
- Select the Webhook Channels to send alert notifications triggered by this alert rule.
- Set the Frequency at which to send POST notifications.
- As it Happens — A notification is sent to the selected Webhook channels when an alert is triggered by alert rule.
- Daily — A single notification is sent to the selected Webhook channels once every day with all alerts triggered by alert rule in a day.
- Weekly — A single notification is sent to the selected Webhook channels once a week with all alerts triggered by alert rule during a week.
- Monthly — A single notification is sent to the selected Webhook channels once a month with all alerts triggered by alert rule during a month.
- Save the alert rule to finish the integration process.
Note
After the successful integration of Prisma Public Cloud with OpsRamp, the security vulnerable events of Prisma Public Cloud are ingested into OpsRamp and displayed as alerts.What to do next
- View the Prisma Public Cloud security vulnerable events as alerts:
- In OpsRamp, go to Alerts. The Alert Browser is displayed.
- Click Edit Criteria and select Source as Prisma Public Cloud. The Alert Browser displays alerts matching the selected criteria.