PrismaCloud Connector

Prisma Cloud by Palo Alto Networks is a comprehensive cloud-native security platform (CNSP) that provides visibility, compliance, and threat detection across multiple cloud environments. 

What is the Prisma Cloud API Connector?

The Prisma Cloud API Connector creates a secure bridge between your Prisma Cloud environment and Qualys ETM. When configured, it automatically transfers cloud asset inventory and security findings through scheduled API calls. Qualys ETM then processes this data by:

  • Deduplicating redundant entries

  • Normalizing data formats

  • Enriching findings with additional context

  • Calculating risk scores using TruRisk

Category         Supported Asset Type    Supported Finding Type
API Connector    Cloud Asset             Vulnerability

Prerequisites

These are the required configurations to successfully create a Prisma Cloud connection with Qualys ETM.

User Roles and Permissions

To generate the credentials needed for integration, you must have access to Access Control in Prisma Cloud.

How to Generate Key ID and Secret

  1. Sign in to Prisma Cloud Console

  2. Navigate to Settings > Access Control

  3. Select the Access Keys tab and click Add Access Key

  4. Provide a name and generate the key.

  5. The Key ID (Username) and Key Secret (Password) are displayed. Store them securely for connector setup in Qualys ETM.

If the API key expires, it must be regenerated and updated in Qualys ETM.

Create a New API Connector

Basic Details

  1. Provide the Connector's Name and Description.
  2. Select the type of Data Model you want to import or export - currently, we support Vulnerability / Host Asset.
  3. Select the Data Model Type - currently we support Host Asset.
    The following screenshot displays the Basic Details fields.
  4. Next, provide the API authentication details of the Prisma Cloud environment. You need to provide the following.

    1. Base URL

    2. Username

    3. Password

Refer to the steps in the prerequisites section to obtain these values.

Data Model

The Prisma Cloud Connector offers an out-of-box data model mapping for you to map with Qualys ETM schema. You can view the schema to understand the attributes in the data model.

Transform Maps

Transform Maps ensure the data is transformed correctly during the import or export process.

The Prisma Cloud Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation or clone the map to edit its configurations.

Click Create New for a new Transform Map.

Perform the following steps to configure a Transform Model:

  1. Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
  2. Source Data Model: Select the data model that serves as the input for the transformation. This is the model from which data will be extracted.
  3. Target Data Model: Choose the data model that receives the transformed data. This model defines how the data will be structured after the transformation.

Fields Mapping

The Fields Mapping section maps fields from the Source Data Model to the Target Data Model.

  1. Source Field: Specify the field in the Source Data Model containing the transformed data.
  2. Data Type: Indicate the data type of the Source Field (e.g., string, integer, date).
  3. Target Field: Designate the corresponding field where the transformed data will be placed in the Target Data Model.

Click Add to create and display the mapping for the Source Field, Data Type, and Target Field below the section. This visual helps ensure that all necessary fields are mapped correctly and allows easy verification and adjustments.

Profile

Create a profile for your connector. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configurations of this profile for all future executions.

Click the "+" to create a new profile.

In the Add Profile screen, provide the necessary inputs for your new profile.

Provide a Name and Description.

Select the required Transform Map for the data mapping.

The Detection of DataTypes field determines which findings to select for the profile. The Asset Types field determines the required resource whose findings should be ingested by Qualys ETM.

The Filter field lets you add snippets of code to further determine what data should be parsed.

The Status field determines whether the connector should be in Active or Inactive state after creation. 

Lastly, the Schedule section lets you create either a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution, or provide the Start and End date/time for the Recurring schedule.

Scoring

The Scoring screen lets you map non-CVE vulnerability scores from your vendors to Qualys Detection Score (QDS) system.

Score mapping screen.

You have two columns with 5 input fields in each of them. These fields correspond to a specific severity starting from the least severe (1), to the most severe (5).

Fill out all 5 rows to create a comprehensive score mapping. This allows for translation between various vendor scoring systems and Qualys' Detection Score.

The specifics of the mapping are explained below.

Expected Source Values - Enter the vendor's original score or rating for non-CVE vulnerabilities. These can be alphanumeric values (e.g., "High", "Critical", "A", "3", etc.).

Severity - This column is pre-populated with severity levels from 1-5. These represent the severity levels in Qualys. The Source Value must be mapped such that it utilizes these 5 severity levels.

QDS - Enter the corresponding Qualys Detection Score. Use values from 0-100, where higher numbers indicate higher severity.

Default Severity

Below the scoring map, find the 'Default Severity' dropdown menu.

Select a default severity level from 1-5. This is applied when a vendor's score for a non-CVE vulnerability doesn't match any 'Expected Source Value' in your mapping table.

Select Identification Rules

The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.

You can proceed to the next step without making any changes to this screen.

Select Identification Rules screen.

If you don't want to choose a specific rule, turn off the toggle next to it. However, ensure that at least one rule is selected.

To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.

Review and Confirm

Review the configurations provided in the previous steps. Ensure all details are correct and complete. Confirm the setup to finalize the configuration of the API connector.

This streamlined process allows for efficient data integration, ensuring accuracy and consistency across systems.

Saving and Running the Connector

Save and run the connector to process the data accordingly, transforming and importing it as per the configurations set.

How Does a Connection Work?

The Prisma Cloud connector functions through configured profiles that determine what data gets synchronized and when.

A connection usually involves creating a profile that defines which asset or vulnerability data to import using detection types and filter queries (e.g., by cloud region or resource type). The connector executes automatically based on the configured schedule, retrieving asset and finding data from Prisma Cloud into Qualys ETM.

With the Prisma Cloud API Connector successfully configured, you are ready to view all synced assets and findings from your Prisma Cloud environment.

In the Connector screen, your newly configured connector will be listed and marked in the Processed state.

Connector States

A successfully configured connector goes through the following states:

  • Registered – Connector created and registered to fetch data from Prisma Cloud

  • Scheduled – Connector is queued for execution

  • Processing – Connector is actively fetching data from APIs

  • Processed – Data has been successfully imported; findings may still be in process

This process may take up to 2 hours to complete. Once complete, data will be available in Enterprise TruRisk Management (ETM).

View Assets and Findings in ETM

Navigate to Enterprise TruRisk Management (ETM) to begin analyzing the Prisma Cloud data and your connector's vulnerability findings.

You can view the assets imported from the Prisma Cloud AppScan connection by navigating to the Inventory tab in ETM.

Go to Assets > Application to find all of your imported assets.

Use the token: inventory: (source: 'Prisma Cloud') to view all the imported Prisma Cloud AppScan assets.

Here, you can learn about your assets' criticality and associated Risk Scores. Click on any asset to find more details.

Next, you can navigate to the Risk Management tab to view your vulnerability findings.

Go to Findings > Vulnerability to view all discovered vulnerabilities.

Use the token: finding.vendorProductName: 'prisma cloud' to filter and view all the discovered Prisma Cloud AppScan vulnerabilities.

The imported vulnerability findings from Prisma Cloud AppScan provide rich context and integrate seamlessly with Qualys' native TruRisk scoring system. Use these findings in Qualys ETM to enhance your risk prioritization workflows and make informed security decisions.

To know more about ETM, refer to the Qualys ETM Documentation.

Additional Information

API Reference

Name                         Endpoint                                            Info
Auth API                     https://api.prismacloud.io/login                    Returns auth token. Valid for 30 minutes. Auto-refreshed during scheduled pulls.
Fetch Asset List             https://api.prismacloud.io/v2/resource/scan_info    Retrieves list of cloud assets. Default batch size: 100. Limit: 5 req/sec
Fetch Asset Details/Vulns    https://api.prismacloud.io/uai/v1/asset             Retrieves vulnerability data for cloud assets. Default batch size: 100. Limit: 5 req/sec

Data Model Mapping

This section explains the attribute mappings of the values from Prisma Cloud and Qualys ETM.

Prisma Cloud Vulnerability Transformation Mapping

Here's the Prisma Cloud Transformation Map:

Source Attribute Key                                   Target Attribute Label
asset.externalAssetId                                  externalAssetId
vulnerabilities[].normalizedName                       findingName
vulnerabilities[].id                                   externalFindingId
vulnerabilities[].severity                             findingSeverity
    Source values: Informational | Low | Medium | High
    Target values: 1 | 2 | 3 | 4
asset.attributes.osDistro                              operatingSystemVersion
asset.attributes.osRelease                             operatingSystemName
asset.attributes.resourceName                          assetName
asset.data.networkInterfaces[].association.publicIp    ipAddress
asset.data.networkInterfaces[].macAddress              macAddress
asset.data.instanceId                                  cloudInstanceId
asset.assetType                                        System Type
vulnerabilities[].createdOn                            findingFirstFoundOn
vulnerabilities[].cveId                                cveId
vulnerabilities[].description                          findingDescription
vulnerabilities[].sourceData.link                      sourceFindingURL
vulnerabilities[].sourceData.cvss                      cvss3Base
vulnerabilities[].sourceData.vecStr                    vector
vulnerabilities[].status                               findingStatus
    Source values: pending | no_error | error | enabled | disabled | open | dismissed | resolved | descoped | risk_scoring_error | active | closed | suppressed
    Target values: ACTIVE | NONE | ACTIVE | ACTIVE | NONE | ACTIVE | NONE | FIXED | NONE | NONE | ACTIVE | FIXED | NONE
vulnerabilities[].updatedOn                            findingLastFoundOn
asset_cloudType                                        cloudProvider
    Source values: aws | alibaba | azure | gcp | oci | other | EC2
    Target values: EC2 | ALIBABA | AZURE | GCP | OCI | SOURCE_TYPE_UNKNOWN | EC2
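
The value translations in the map above, applied to one record, as an added example (not Qualys or Prisma Cloud code). The record's JSON shape is assumed from the source attribute keys, asset_cloudType is treated as a top-level key, only a subset of fields is carried over, and matching is case-insensitive by assumption; values absent from the table are returned in an unmapped list because the page does not say how the connector handles them.

```python
# Value tables copied from the transform map on this page.
SEVERITY = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4}
STATUS = {"pending": "ACTIVE", "no_error": "NONE", "error": "ACTIVE", "enabled": "ACTIVE",
          "disabled": "NONE", "open": "ACTIVE", "dismissed": "NONE", "resolved": "FIXED",
          "descoped": "NONE", "risk_scoring_error": "NONE", "active": "ACTIVE",
          "closed": "FIXED", "suppressed": "NONE"}
CLOUD = {"aws": "EC2", "alibaba": "ALIBABA", "azure": "AZURE", "gcp": "GCP",
         "oci": "OCI", "other": "SOURCE_TYPE_UNKNOWN", "EC2": "EC2"}

def dig(obj, path, default=None):
    """Follow a dotted path through nested dicts; return default if a hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def transform(record):
    """Return (findings, unmapped): one target row per vulnerabilities[] entry."""
    asset, unmapped = record.get("asset", {}), []
    def enum(table, value, field):
        # Case-insensitive lookup (assumption); unknown values are recorded, not guessed.
        hit = [t for s, t in table.items() if s.lower() == str(value).lower()]
        if not hit:
            unmapped.append((field, value))
        return hit[0] if hit else None
    nics = dig(asset, "data.networkInterfaces", [])
    base = {
        "externalAssetId": asset.get("externalAssetId"),
        "assetName": dig(asset, "attributes.resourceName"),
        "ipAddress": [ip for n in nics if (ip := dig(n, "association.publicIp"))],
        "cloudProvider": enum(CLOUD, record.get("asset_cloudType"), "asset_cloudType"),
    }
    findings = []
    for v in record.get("vulnerabilities", []):
        findings.append({**base,
                         "externalFindingId": v.get("id"),
                         "findingName": v.get("normalizedName"),
                         "findingSeverity": enum(SEVERITY, v.get("severity"), "severity"),
                         "findingStatus": enum(STATUS, v.get("status"), "status")})
    return findings, unmapped

# Constructed sample record; the JSON shape is assumed from the source attribute keys.
SAMPLE = {"asset_cloudType": "aws", "asset": {
    "externalAssetId": "asset-0001", "attributes": {"resourceName": "web-01"},
    "data": {"networkInterfaces": [{"association": {"publicIp": "203.0.113.10"}}, {}]}},
    "vulnerabilities": [
        {"id": "v-1", "normalizedName": "finding-a", "severity": "High", "status": "open"},
        {"id": "v-2", "normalizedName": "finding-b", "severity": "Critical", "status": "resolved"}]}
```

Calling transform(SAMPLE) returns two finding rows plus an unmapped entry for the constructed "Critical" severity, which is the kind of source value to check against the map and the Default Severity setting before relying on imported scores.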