Palo Alto Networks Prisma Cloud (CSPM) 

The Prisma Cloud Connector centralizes cloud asset inventory from AWS, Azure, and GCP into Qualys Enterprise TruRisk Management, enabling security teams to correlate and analyze cloud resources within a unified platform.

By normalizing metadata and retaining cloud tags from Prisma Cloud, it provides consistent visibility across multiple cloud environments without manual data collection.

The connector supports incremental synchronization, allowing teams to maintain current asset information with minimal overhead. This integration solves the fragmentation problem by consolidating cloud assets across separate systems for comprehensive risk analysis and asset correlation.

Connector Details

The following table provides details related to the Prisma connector.

Vendor	Palo Alto Networks
Product	Prisma Cloud
Connector Category	Cloud Security
Asset Types Supported	Cloud Resources
Finding Types Supported	Yes
Supported Version & Type	SaaS (Prisma Cloud API / latest)
Integration Method	API Integration (REST)
Direction	Unidirectional (Prisma > Qualys)
Incremental Sync (Delta)	Supported (connector supports incremental inventory pulls)
Import of Source Tags	Supported (cloud tags retained)

Connection Settings

User Roles and Permissions

The connector requires a Prisma Cloud access key/secret created in Prisma Cloud Settings > Access Control > Access Keys. The access key must have permissions to read asset inventory and resource listings.

Click Add to add new Access Keys.

These credentials can be used for the Twistlock Client ID and URL field in the Authentication details.

Authentication Details

Provide the following values in the connector configuration screen:

Name	Key	Type	Description / Example
Base URL (Prisma Pod)	domainName	String	Prisma Cloud API base URL (e.g. https://api.prismacloud.io or region-specific pod).
Access Key	access_key	String	Prisma Cloud Access Key ID generated from Access Keys.
Secret Key	secret_key	Encrypted	Prisma Cloud Secret corresponding to the Access Key (store encrypted).
Twistlock url	Twistlock Url	String	Base URL for the Twistlock instance
Twistlock Client Secret	Client Secret	String	The same Cloud Secret generated for Secret Keys.
Twistlock Client ID	Client ID	String	The same Cloud Access Key ID generated for Access Keys.

Connector Configuration

Minimal steps to register the connector in ETM:

1. Log in to Qualys ETM.
2. Navigate to Connectors > Integration and locate Prisma Connector.
3. Click Manage, provide Name and Description.
4. Enter authentication values: Base URL, Access Key, Secret Key.
   
   You can select the Use the Prisma Compute (Twistlock) as vulnerability source checkbox to provide Twistlock credentials and fetch findings from Twistlock.
5. Save the connector. Create profiles (schedules) as required. 

Schedule

Schedules control ingestion frequency and transform maps used during execution.

1. Configure a Schedule: Single Occurrence or Recurring (start/end dates/times).
2. Set Assets and Findings to ingest during the connector run.

How Does a Connection Work?

On schedule (or on-demand), the connector authenticates to Prisma using the configured access key/secret, fetches resource inventory and related metadata, applies the selected transform map, and imports the normalized assets into ETM where Identification Rules correlate them with existing assets. After a successful run, the connector state appears as Processed. 

Connector States

A successfully configured connector goes through 4 states.

1. Registered - The connector is successfully created and registered to fetch data from the vendor.
2. Scheduled - The connector is scheduled to execute a connection with the vendor.
3. Processing - A connection is executed and the connector is fetching the asset and findings data.
4. Processed - The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets and findings. This process (specifically for findings) may take some time.

This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).

Viewing Assets and Findings in ETM

After ingestion, view Prisma assets in ETM Inventory.

• Assets: Enterprise TruRisk Management > Inventory > Assets > Cloud. Use the tag or vendor filter: tags.name:"Prisma Cloud" or finding.vendorProductName:"Palo Alto Networks". 
• Findings: Enterprise TruRisk Management > Risk Management > Findings > Vulnerability. Filter by vendor product name as above. 
  

API Endpoints

Auth API	https://api.prismacloud.io/login	Authentication token validity 30 mins. Its refreshed in every 30 mins
Fetch asset list	https://api.prismacloud.io/v2/resource/scan_info	Default Params: batch size: 100 API Limitations:  5 requests per second
Fetch asset details and vulns	https://api.prismacloud.io/uai/v1/asset	Default Params: batch size: 100 API Limitations: 5 requests per second
Fetch asset details and Misconfiguration	https://api.prismacloud.io/policy/	Default Params: API Limitations: 5 requests per second
Fetch vunerabiity from Twisklock	https://us-east1.cloud.twistlock.com/ {customerdominaname}/uai/v1/asset	Default Params: API Limitations: 5 requests per second

Prisma Cloud Transformation Map

The default transformation map configured for the Prisma cloud connector is fetched from the database and utilized during the execution of the connector profile to perform data transformation.

Compute Transformation Map

Transformation map for AWS EC2Transformation map for AWS EC2

Transformation map for Azure VMTransformation map for Azure VM

Transformation map for GCP VMTransformation map for GCP VM

Storage Transformation map

Azure Storage AccountAzure Storage Account

AWS S3 BucketAWS S3 Bucket

Azure storage account blob containerAzure storage account blob container

Azure storage account file service propertyAzure storage account file service property

Container Instance

Container_instanceContainer_instance

Container Image

Container_imageContainer_image

Finding Vulnerability

FINDING VULNERABILITYFINDING VULNERABILITY

Misconfiguration Transformation map

Storage Asset Class: AZURE.STORAGE.ACCOUNTStorage Asset Class: AZURE.STORAGE.ACCOUNT

Storage Asset Class: AWS.S3.BUCKETStorage Asset Class: AWS.S3.BUCKET

Storage Asset Class: AZURE.STORAGE.ACCOUNT.BLOB.CONTAINERStorage Asset Class: AZURE.STORAGE.ACCOUNT.BLOB.CONTAINER

Storage Asset Class:  AZURE.STORAGE.ACCOUNT.FILE.SERVICE.PROPERTYStorage Asset Class:  AZURE.STORAGE.ACCOUNT.FILE.SERVICE.PROPERTY