Collections

Scope rules to target specific resources in your environment. For example, you might create a vulnerability rule that applies to all container images in an app called sock-shop. The rule might reference collectionA, which specifies sock-shop** in the image resource filter.
Partition views. Collections provide a convenient way to browse data from related resources.
Enforce which views specific users and groups can see. Collections can control access to data on a need-to-know basis. These are known as assigned collections.

Distro name — "osDistro:<value>" (e.g. "osDistro:Ubuntu")
Distro version — "osVersion:<value>" (e.g. "osVersion:20.04")

Scoping rules

The scope of a rule is defined by referencing the relevant collections. Collections offer a centralized way to create and manage scope settings across the product. Collections make it easy to consistently reuse scope settings across policies. Policy tables give you a clear picture of what resources are being targeted in your rules.

When creating new rules, you can either select from a list of previously defined collections, or create a new one. By default, Prisma Cloud sets a rule’s scope to the

All

collection, which captures all resources in the environment.

Collections cannot be deleted as long as they’re being used by a rule. This mechanism ensures that rules are never left unscoped. Click on a specific collection to see how it’s being used.

Creating collections

You can create as many collections as you like. Collections cannot be nested.

Prisma Cloud ships with a built-in set called

All

that is not editable. The

All

collection contains all objects in the system. It is effectively the same as creating a collection manually and setting a wildcard (*) for each resource type (e.g., containers, images, hosts, labels, etc).

Collections can be created in

Manage > Collections and Tags > Collections

. Alternatively, collections can be created directly from a new rule dialog when you’re setting the rule’s scope. When creating collections from a new rule dialog, Prisma Cloud automatically disables any irrelevant scope fields. When selecting previously defined collections in a rule’s scope field, any improperly scoped collections are hidden from display. For example, you can’t select a collection that specifies serverless functions in a container runtime rule.

By default, new collections set a wildcard for each resource, effectively capturing all resources in the system. Customize the relevant fields to capture some segment of the universe of resources.

The labels field supports Docker labels, Kubernetes pod template labels, Kubernetes namespace labels, Kubernetes deployment labels, AWS tags, osDistro:<name> (for hosts), and osVersion:<version> (also for hosts).

To use Kubernetes namespace and deployment labels, enable the following setting when deploying Defenders:

Manage > Defenders > Deploy > DaemonSet > Collect Deployment and Namespace labels

.

To use AWS tags for hosts, enable the VM tags setting for relevant accounts under

Defend > Compliance > Cloud platforms

.

For vulnerability and compliance rules, Fargate tasks are specified in the

Hosts

field of a collection. For runtime rules, Fargate tasks are specified in the App IDs field.

You cannot have collections that specify both containers and images. You must leave a wildcard in one of the fields, or else the collection won’t be applied correctly. If you want to create collections that apply to both a container and an image, create two separate collections. The first collection should only include the container name, the second should only include the image name. Filtering on both collections at the same time will yield the desired result.

Filtering by cloud account ID for Azure Container Instances isn’t currently supported.

To create a new collection:

Open Console.
Go to
Manage > Collections and Tags > Collections
.
Click
Add collection
.
In the
Create a new collection
dialog, enter a name, description, and then specify a filter to target specific resources.
For example, create a collection named
Raspberry images
that shows all raspberry images in the fruit namespace. Pick a color for easy visibility and differentiation.
The following collection selects all images that start with the string raspberry. You can also create collections that exclude resources. For more information on syntax that can be used in the filter fields (e.g., containers, images, hosts, etc), see Rule ordering and pattern matching.

Click
Save
.

Selecting a collection

Collections filter data in the

Monitor

section of Console.

When a collection (or multiple collections) are selected, only the objects that match the filter are shown in those views. When a collection is selected, it remains selected for all views until it is explicitly disabled.

To select a collection, go to any view under

Monitor

. In the Collections drop-down list in the top right of the view, select a collection. In the following screenshot, the view is filtered based on the collection named

google images

, which shows all images that contain the string

google_containers

.

When multiple collections are selected, the effective scope is the union of each individual query.

Individual filters on each collection aren’t applicable to all views. For example, a collection created with only functions won’t include any resources when viewing hosts results. Similarly, a collection created with hosts won’t filter images by hosts when viewing image results.

The

Collections

column shows to which collection a resource belongs. The color assigned to a collection distinguishes objects that belong to specific collections. This is useful when multiple collections are displayed simultaneously. Collections can also be assigned arbitrary text tags to make it easier for users to associate other metadata with a collection.