Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Prisma
Prisma Cloud
Prisma Cloud Compute Edition Administrator’s Guide
Alerts
Cortex XSOAR alerts

Last Updated:

Nov 21, 2022

Current Version:

Self.Hosted 22.06

Version Prisma Cloud Enterprise Edition
Version Self-Hosted 30.xx
Version Self-Hosted 22.12
Version Self-Hosted 22.06
Version Self-Hosted 22.01
Version Self-Hosted 21.08 (EoL)
Version Self-Hosted 21.04 (EoL)
Version Self-Hosted 20.12 (EoL)
Version Self-Hosted 20.09 (EoL)
Version Self-Hosted 20.04 (EoL)

Table of Contents

Filter

Welcome

Releases

Getting started

Product architecture

Support lifecycle

Security Assurance Policy on Prisma Cloud Compute

Licensing

Prisma Cloud Enterprise Edition vs Compute Edition

Utilities and plugins

Install

Getting started

System Requirements

Prisma Cloud container images

Onebox

Kubernetes

OpenShift v4

Console on Fargate

Amazon ECS

Alibaba Cloud Container Service for Kubernetes (ACK)

Azure Kubernetes Service (AKS)

Amazon Elastic Kubernetes Service (EKS)

Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) Autopilot

IBM Kubernetes Service (IKS)

Windows

Defender types

Cluster Context

Install Defender

Install a single Container Defender

Automatically Install Container Defender in a Cluster

App-Embedded Defender

App-Embedded Defender for Fargate

Default setting for App-Embedded Defender file system protection

VMware Tanzu Application Service (TAS) Defender

Serverless Defender

Serverless Defender as a Lambda layer

Auto-defend serverless functions

Install a single Host Defender

Auto-defend hosts

Deploy Prisma Cloud Defender from the GCP Marketplace

Decommission Defenders

Redeploy Defenders

Uninstall Defenders

Upgrade

Support lifecycle for connected components

Prisma Cloud’s backward compatibility and upgrade process

Upgrade Onebox

Kubernetes

OpenShift

Helm charts

Amazon ECS

Upgrade the Single Container Defenders

Upgrade Defender DaemonSets

Upgrade Defender DaemonSets (Helm)

Technology overviews

Intelligence Stream

Prisma Cloud Advanced Threat Protection

App-specific network intelligence

Container Runtimes

Radar

Serverless Radar

Prisma Cloud Rules Guide - Docker

Defender architecture

Host Defender architecture

TLS v1.2 cipher suites

Telemetry

Configure

Rule ordering and pattern matching

Backup and restore

Custom feeds

Configuring Prisma Cloud proxy settings

Prisma Cloud Compute certificates

Configure Agentless Scanning

Agentless Scanning Modes

Configure scanning

User certificate validity period

Enable HTTP access to Console

Set different paths for Defender and Console (with DaemonSets)

Authenticate to Console with certificates

Configure custom certs from a predefined directory

Customize terminal output

Collections

Tags

Logon settings

Reconfigure Prisma Cloud

Subject Alternative Names

WildFire Settings

Log Scrubbing

Clustered-DB

Permissions by feature

Authentication

Logging into Prisma Cloud

Integrating with an IdP

Integrate with Active Directory

Integrate with OpenLDAP

Integrate Prisma Cloud with Open ID Connect

Integrate with Okta via SAML 2.0 federation

Integrate Google G Suite via SAML 2.0 federation

Integrate with Azure Active Directory via SAML 2.0 federation

Integrate with PingFederate via SAML 2.0 federation

Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation

Integrate Prisma Cloud with GitHub

Integrate Prisma Cloud with OpenShift

Non-default UPN suffixes

Compute user roles

Assign roles

Credentials store

Cloud accounts

Vulnerability management

Prisma Cloud vulnerability feed

Vulnerability Explorer

Vulnerability management rules

Search CVEs

Scan reports

Scanning procedure

Customize image scanning

Configure Registry Scans

Registry scanning

Scan Images in Sonatype Nexus Registry

Scan images in Alibaba Cloud Container Registry

Scan images in Amazon EC2 Container Registry (ECR)

Scan images in Azure Container Registry (ACR)

Scan images in Docker Registry v2 (including Docker Hub)

Scan images in Google Artifact Registry

Scan images in Google Container Registry (GCR)

Scan images in Harbor Registry

Scan images in IBM Cloud Container Registry

Scan images in Artifactory Docker Registry

Scan images in OpenShift integrated Docker registry

Trigger registry scans with Webhooks

Base images

Configure VM image scanning

Configure code repository scanning

Agentless scanning

Malware scanning

Vulnerability risk tree

Vulnerabilities Detection

CVSS scoring

Windows container image scanning

Serverless function scanning

VMware Tanzu blobstore scanning

Scan App-Embedded workloads

Troubleshoot vulnerability detection

Compliance

Compliance Explorer

Enforce compliance checks

CIS Benchmarks

Prisma Cloud Labs compliance checks

Serverless functions compliance checks

Windows compliance checks

DISA STIG compliance checks

Custom compliance checks

Trusted images

Host scanning

VM image scanning

App-Embedded scanning

Detect secrets

Cloud discovery

OSS license management

Runtime defense

Runtime defense for containers

Runtime defense for hosts

Runtime defense for serverless functions

Runtime defense for App-Embedded

Custom runtime rules

Import and export individual rules

ATT&CK Explorer

Runtime Audits

Event Aggregation

Image analysis sandbox

Incident Explorer

Incident types

Altered binary

Backdoor admin accounts

Backdoor SSH access

Brute force

Cryptominers

Execution flow hijack attempt

Kubernetes attacks

Lateral movement

Malware

Port scanning

Reverse shell

Suspicious binary

Other incident types

Access control

Role-based access control for Docker Engine

Admission control with Open Policy Agent

Continuous integration

Jenkins plugin

Jenkins Freestyle project

Jenkins Maven project

Jenkins Pipeline project

Run Jenkins in a container

Jenkins pipeline on Kubernetes

CI plugin policy

Code repo scanning

WAAS

Web-Application and API Security (WAAS)

Deploy WAAS

Deploy WAAS for Containers

Deploy WAAS for Hosts

Deploy WAAS for Containers Protected By App-Embedded Defender

Deploy WAAS for serverless functions

Deploy WAAS Out-of-band

Deploy WAAS Out-of-band with VPC Traffic Mirroring

WAAS Troubleshooting

WAAS Sanity Tests

WAAS Explorer

App Firewall Settings

API Protection

DoS protection

Bot Protection

WAAS Access Controls

Advanced Settings

WAAS Analytics

API observations

API definition scan

WAAS custom rules

Detecting unprotected web apps

WAAS Log Scrubbing

Firewalls

Cloud Native Network Firewall (CNNF)

Secrets

Secrets manager

Integrate with secrets stores

Secrets Stores

AWS Secrets Manager

AWS Systems Manager Parameters Store

Azure Key Vault

CyberArk Enterprise Password Vault

HashiCorp Vault

Inject secrets into containers

Injecting secrets: end-to-end example

Alerts

Alert mechanism

AWS Security Hub

Cortex XDR alerts

Cortex XSOAR alerts

Email alerts

Google Cloud Pub/Sub

Google Cloud Security Command Center

IBM Cloud Security Advisor

JIRA Alerts

PagerDuty alerts

ServiceNow alerts

ServiceNow alerts

Slack Alerts

Splunk alerts

Webhook alerts

Audit

Event viewer

Host activity

Administrative activity audit trail

Annotate audit event records

Delete audit logs

Syslog and stdout integration

Log rotation

Throttling audits

Prometheus

Kubernetes auditing

Tools

twistcli

Scan images with twistcli

Scan code repos with twistcli

Install Console with twistcli

Update the Intelligence Stream in offline environments

Deployment patterns

Projects

Migration options for scale projects

Best practices for DNS and certificate management

Storage limits for audits and reports

Migrating to a SaaS Console

Performance planning

Automated deployment

High Availability and Disaster Recovery guidelines

API

Howto

Configure an AWS Classic Load Balancer for ECS

Configure Prisma Cloud Console’s listening ports

Provision tenant projects in OpenShift

Disable automatic learning

Debug data

Welcome
Install
Upgrade
Technology overviews
Configure
Authentication
Vulnerability management
Compliance
Runtime defense
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
WAAS
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
Alerts
Audit
Tools
Deployment patterns
API
Howto

Document:Prisma Cloud Compute Edition Administrator’s Guide

Cortex XSOAR alerts

Last Updated:

Nov 21, 2022

Current Version:

Self.Hosted 22.06

Version Prisma Cloud Enterprise Edition
Version Self-Hosted 30.xx
Version Self-Hosted 22.12
Version Self-Hosted 22.06
Version Self-Hosted 22.01
Version Self-Hosted 21.08 (EoL)
Version Self-Hosted 21.04 (EoL)
Version Self-Hosted 20.12 (EoL)
Version Self-Hosted 20.09 (EoL)
Version Self-Hosted 20.04 (EoL)

Table of Contents

Filter

Welcome

Releases

Getting started

Product architecture

Support lifecycle

Security Assurance Policy on Prisma Cloud Compute

Licensing

Prisma Cloud Enterprise Edition vs Compute Edition

Utilities and plugins

Install

Getting started

System Requirements

Prisma Cloud container images

Onebox

Kubernetes

OpenShift v4

Console on Fargate

Amazon ECS

Alibaba Cloud Container Service for Kubernetes (ACK)

Azure Kubernetes Service (AKS)

Amazon Elastic Kubernetes Service (EKS)

Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) Autopilot

IBM Kubernetes Service (IKS)

Windows

Defender types

Cluster Context

Install Defender

Install a single Container Defender

Automatically Install Container Defender in a Cluster

App-Embedded Defender

App-Embedded Defender for Fargate

Default setting for App-Embedded Defender file system protection

VMware Tanzu Application Service (TAS) Defender

Serverless Defender

Serverless Defender as a Lambda layer

Auto-defend serverless functions

Install a single Host Defender

Auto-defend hosts

Deploy Prisma Cloud Defender from the GCP Marketplace

Decommission Defenders

Redeploy Defenders

Uninstall Defenders

Upgrade

Support lifecycle for connected components

Prisma Cloud’s backward compatibility and upgrade process

Upgrade Onebox

Kubernetes

OpenShift

Helm charts

Amazon ECS

Upgrade the Single Container Defenders

Upgrade Defender DaemonSets

Upgrade Defender DaemonSets (Helm)

Technology overviews

Intelligence Stream

Prisma Cloud Advanced Threat Protection

App-specific network intelligence

Container Runtimes

Radar

Serverless Radar

Prisma Cloud Rules Guide - Docker

Defender architecture

Host Defender architecture

TLS v1.2 cipher suites

Telemetry

Configure

Rule ordering and pattern matching

Backup and restore

Custom feeds

Configuring Prisma Cloud proxy settings

Prisma Cloud Compute certificates

Configure Agentless Scanning

Agentless Scanning Modes

Configure scanning

User certificate validity period

Enable HTTP access to Console

Set different paths for Defender and Console (with DaemonSets)

Authenticate to Console with certificates

Configure custom certs from a predefined directory

Customize terminal output

Collections

Tags

Logon settings

Reconfigure Prisma Cloud

Subject Alternative Names

WildFire Settings

Log Scrubbing

Clustered-DB

Permissions by feature

Authentication

Logging into Prisma Cloud

Integrating with an IdP

Integrate with Active Directory

Integrate with OpenLDAP

Integrate Prisma Cloud with Open ID Connect

Integrate with Okta via SAML 2.0 federation

Integrate Google G Suite via SAML 2.0 federation

Integrate with Azure Active Directory via SAML 2.0 federation

Integrate with PingFederate via SAML 2.0 federation

Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation

Integrate Prisma Cloud with GitHub

Integrate Prisma Cloud with OpenShift

Non-default UPN suffixes

Compute user roles

Assign roles

Credentials store

Cloud accounts

Vulnerability management

Prisma Cloud vulnerability feed

Vulnerability Explorer

Vulnerability management rules

Search CVEs

Scan reports

Scanning procedure

Customize image scanning

Configure Registry Scans

Registry scanning

Scan Images in Sonatype Nexus Registry

Scan images in Alibaba Cloud Container Registry

Scan images in Amazon EC2 Container Registry (ECR)

Scan images in Azure Container Registry (ACR)

Scan images in Docker Registry v2 (including Docker Hub)

Scan images in Google Artifact Registry

Scan images in Google Container Registry (GCR)

Scan images in Harbor Registry

Scan images in IBM Cloud Container Registry

Scan images in Artifactory Docker Registry

Scan images in OpenShift integrated Docker registry

Trigger registry scans with Webhooks

Base images

Configure VM image scanning

Configure code repository scanning

Agentless scanning

Malware scanning

Vulnerability risk tree

Vulnerabilities Detection

CVSS scoring

Windows container image scanning

Serverless function scanning

VMware Tanzu blobstore scanning

Scan App-Embedded workloads

Troubleshoot vulnerability detection

Compliance

Compliance Explorer

Enforce compliance checks

CIS Benchmarks

Prisma Cloud Labs compliance checks

Serverless functions compliance checks

Windows compliance checks

DISA STIG compliance checks

Custom compliance checks

Trusted images

Host scanning

VM image scanning

App-Embedded scanning

Detect secrets

Cloud discovery

OSS license management

Runtime defense

Runtime defense for containers

Runtime defense for hosts

Runtime defense for serverless functions

Runtime defense for App-Embedded

Custom runtime rules

Import and export individual rules

ATT&CK Explorer

Runtime Audits

Event Aggregation

Image analysis sandbox

Incident Explorer

Incident types

Altered binary

Backdoor admin accounts

Backdoor SSH access

Brute force

Cryptominers

Execution flow hijack attempt

Kubernetes attacks

Lateral movement

Malware

Port scanning

Reverse shell

Suspicious binary

Other incident types

Access control

Role-based access control for Docker Engine

Admission control with Open Policy Agent

Continuous integration

Jenkins plugin

Jenkins Freestyle project

Jenkins Maven project

Jenkins Pipeline project

Run Jenkins in a container

Jenkins pipeline on Kubernetes

CI plugin policy

Code repo scanning

WAAS

Web-Application and API Security (WAAS)

Deploy WAAS

Deploy WAAS for Containers

Deploy WAAS for Hosts

Deploy WAAS for Containers Protected By App-Embedded Defender

Deploy WAAS for serverless functions

Deploy WAAS Out-of-band

Deploy WAAS Out-of-band with VPC Traffic Mirroring

WAAS Troubleshooting

WAAS Sanity Tests

WAAS Explorer

App Firewall Settings

API Protection

DoS protection

Bot Protection

WAAS Access Controls

Advanced Settings

WAAS Analytics

API observations

API definition scan

WAAS custom rules

Detecting unprotected web apps

WAAS Log Scrubbing

Firewalls

Cloud Native Network Firewall (CNNF)

Secrets

Secrets manager

Integrate with secrets stores

Secrets Stores

AWS Secrets Manager

AWS Systems Manager Parameters Store

Azure Key Vault

CyberArk Enterprise Password Vault

HashiCorp Vault

Inject secrets into containers

Injecting secrets: end-to-end example

Alerts

Alert mechanism

AWS Security Hub

Cortex XDR alerts

Cortex XSOAR alerts

Email alerts

Google Cloud Pub/Sub

Google Cloud Security Command Center

IBM Cloud Security Advisor

JIRA Alerts

PagerDuty alerts

ServiceNow alerts

ServiceNow alerts

Slack Alerts

Splunk alerts

Webhook alerts

Audit

Event viewer

Host activity

Administrative activity audit trail

Annotate audit event records

Delete audit logs

Syslog and stdout integration

Log rotation

Throttling audits

Prometheus

Kubernetes auditing

Tools

twistcli

Scan images with twistcli

Scan code repos with twistcli

Install Console with twistcli

Update the Intelligence Stream in offline environments

Deployment patterns

Projects

Migration options for scale projects

Best practices for DNS and certificate management

Storage limits for audits and reports

Migrating to a SaaS Console

Performance planning

Automated deployment

High Availability and Disaster Recovery guidelines

API

Howto