Add Your OCI Tenant to Prisma Cloud
Your OCI tenant has a root compartment (tenancy) by default. To onboard your OCI tenant, you will need the root compartment’s OCID.
You must onboard OCI at the tenant level and any child compartments will be automatically onboarded on Prisma Cloud.
Each OCI tenant is associated with a Home region. Prisma Cloud is available for visibility and monitoring of your OCI tenants in all OCI-supported cloud regions.
- Add OCI Tenant: To start monitoring your resources on OCI, add your OCI tenant to Prisma Cloud.
- Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
- Select Oracle Cloud as the cloud provider to onboard and secure your account.
- Enter a Cloud Account Name that uniquely identifies your OCI tenant on Prisma Cloud and click Next.
- Add Tenant Details: In OCI, administrator resources are created only at the tenant level. To ingest those resources, you must first onboard the OCI tenant in Prisma Cloud by entering the root compartment OCID and home region from the OCI console.
- Log in to your OCI console and select Identity & Security > Identity > Compartments.
- Copy the OCID of the root compartment.
- Return to the Prisma Cloud Onboarding Setup page and paste the OCID in the Tenant/Root OCID field.
- Select the Home Region where the tenant is created (for example, us-phoenix-1) and click Next.
- Follow the steps in Create a User to Enable Access to create a new user, group, and policy that correspond to the OCI Identity User Name, Group Name, and Policy Name. You can use an existing user with the correct privileges, an existing group, and an existing policy with the correct policy statements; however, creating a new user, group, and policy as described in Create a User to Enable Access is recommended, because it keeps the Prisma Cloud identity separate from any other permissions in your tenancy.
- Create a User to Enable Access: Use the Terraform template to generate a new user OCID. The User Name, Group Name, and Policy Name must be unique and must not already exist in your OCI tenant.
- Click to download the Terraform template to your local machine. To onboard the Oracle Cloud account, a public key is needed to access the OCI API. This public key is embedded in the Terraform template and changes each time you download the template, so when you create a stack, use the most recently downloaded Terraform file; a stack built from an older download uploads a key that Prisma Cloud no longer holds the private half of, and onboarding fails.
- Check the OCI console to see whether the Primary email address required checkbox is enabled. For the Terraform file to run successfully, clear that checkbox:
- Log in to your OCI tenant console.
- Navigate to Identity > Domains > Default Domain > Settings > Domain Settings.
- Clear the Primary email address required checkbox if it is enabled.
- Save changes. If you want to keep the Primary email address required checkbox enabled, add your OCI tenant administrator's email address to the email field of the oci_identity_user resource in the Terraform file before running it:

```hcl
resource "oci_identity_user" "user" {
  name           = "oci_user_name_param"
  description    = "user created by terraform"
  email          = "<oci-tenant-administrator-email-address>"
  compartment_id = "oci_tenant_id_param"
}
```
Follow these steps to Generate User OCID:
- Select the Home Region you entered in Add Tenant Details (for example, US West (Phoenix)).
- Navigate to Developer Services > Resource Manager > Stacks and select Create Stack.
- Select My Configuration to upload the Terraform configuration files.
- Under Stack Configuration, select .Zip file and upload the terraform.tf.zip file that you previously downloaded to your local machine.
- Enter a stack Name, for example, PrismaCloudApp.
- Under Create in compartment, choose the root compartment if it is not already selected, and click Next.
- The Configure variables are already set. Click Next.
- Review the stack information, select Run apply, and click Create. The Terraform file is executed and the User OCID is generated.
- From the current Job details, navigate to Resources > Outputs and copy the user_ocid Value.
- Return to the Prisma Cloud Onboarding Setup page, paste the value in the User OCID field, and click Next.
- Account Group Selection: Select the Account Groups to associate with your OCI tenant and click Next. You must assign each cloud account to an account group, and then Create an Alert Rule for Run-Time Checks that includes the account group, so that alerts are generated when a policy violation occurs.
- Cloud Account Status
- Review the onboarding Status of your OCI account on Prisma Cloud and click Save. The status check verifies the OCI tenant and the number of compartments available under it. Prisma Cloud ingests the child compartments along with the root tenant.
- After the account is onboarded, it appears on the Cloud Accounts page.
- Next Steps
- It can take up to an hour for the ingestion to complete after which you can view the resources in Prisma Cloud, review, and act on the alerts generated.
- Configure an Alert Rule to include OCI policies.
- If you do not want to ingest data from any of the child compartments:
- Navigate to Settings > Cloud Accounts.
- Click the Name of the tenant you have onboarded.
- The tenant is also displayed as a compartment. Select the child compartments you want to disable.
- In line with your credential rotation policy, you can rotate the user's API keys:
- Navigate to Settings > Cloud Accounts.
- Click the Edit icon for the tenant whose keys you want to rotate.
- Select Rotate Keys.
- Click Download Terraform Template and follow the steps in Create a User to Enable Access to regenerate the User OCID.
- On the Prisma Cloud Dashboard, you can filter by OCI Cloud Accounts. Prisma Cloud supports only configuration ingestion for OCI tenants (no flow, audit, or DNS log ingestion) and displays only the relevant configuration data.
- Start using the Prisma Cloud Asset Inventory for visibility. Set the Cloud Type filter to OCI to view data for the supported services. You can also filter by OCI Cloud Region and Service Name.
- To verify whether the configuration logs for your OCI resources have been analyzed, run a query on the Investigate page.
- Review the Prisma Cloud default Policies for OCI. Set the Cloud Type filter to OCI to view all the Configuration policies available to detect misconfigurations in your infrastructure.
- Update an Onboarded OCI Account: To update the permissions of an already onboarded OCI account so that Prisma Cloud can ingest new APIs or additional attributes from the OCI API:
- Navigate to Settings > Cloud Accounts.
- Click the Edit icon for the tenant you want to update.
- In the edit flow, you can rotate the user's keys by selecting the Rotate Keys checkbox (unchecked by default), or leave it unchecked and download the updated Terraform template.
- Log in to your OCI tenant console.
- Navigate to Developer Services > Resource Manager > Stacks.
- Select the stack to edit, for example, PrismaCloudApp. If you cannot find the stack, you must delete the existing user, group, and policy from the OCI console and perform the steps in Create a User to Enable Access.
- Select Edit > Edit Stack, upload the updated Terraform template, and click Next.
- The Configure variables are already set. Click Next.
- Select Run apply and Save changes.
- From the current Job details, navigate to Resources > Outputs, copy user_ocid, and add it to Prisma Cloud. This updates the policy with the newly added policy statements.
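The initial onboarding, the Rotate Keys flow, and the update flow above all depend on applying the most recently downloaded template, because the public key embedded in it changes on every download. The following script is an added example, not part of the Prisma Cloud documentation or of the template Palo Alto Networks generates: it pulls the public key out of a downloaded template and computes its fingerprint in the format OCI shows under the user's API Keys (MD5 of the DER-encoded key, colon-separated hex, the same value `openssl rsa -pubout -outform DER -in key.pem | openssl md5 -c` prints), so you can confirm the stack you applied carries the key Prisma Cloud currently holds. It assumes the template embeds the key as a PEM `-----BEGIN PUBLIC KEY-----` block (the OCI provider's `oci_identity_api_key` resource with `key_value` is used in the constructed sample; the real template's resource layout is not shown on this page).

```python
"""Fingerprint the API public key embedded in a downloaded Prisma Cloud OCI template."""
import base64
import hashlib
import re

# OCI API keys must be supplied as SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY").
# A PKCS#1 "BEGIN RSA PUBLIC KEY" block would hash to a different value, so only
# the format OCI actually fingerprints is accepted here.
_PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(?P<body>.*?)-----END PUBLIC KEY-----", re.DOTALL
)


def oci_fingerprint(public_key_pem: str) -> str:
    """Return the OCI-style fingerprint (MD5 of DER, colon-separated hex) of a PEM key."""
    match = _PEM_RE.search(public_key_pem)
    if match is None:
        raise ValueError("expected a '-----BEGIN PUBLIC KEY-----' block")
    # PEM is base64 of the DER bytes; strip the line breaks before decoding.
    der = base64.b64decode("".join(match.group("body").split()), validate=True)
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_template(hcl_text: str) -> str:
    """Extract the single embedded public key from a template file and fingerprint it."""
    matches = list(_PEM_RE.finditer(hcl_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one public key in template, found {len(matches)}")
    return oci_fingerprint(matches[0].group(0))


def template_is_stale(downloaded_hcl: str, console_fingerprint: str) -> bool:
    """True when the key in the template on disk differs from the fingerprint OCI shows.

    `console_fingerprint` is what you read from Identity > Users > <Prisma Cloud user>
    > API Keys; a mismatch means the stack was built from an older download and the
    key Prisma Cloud holds is not the one OCI trusts.
    """
    return fingerprint_from_template(downloaded_hcl).lower() != console_fingerprint.strip().lower()


# Constructed stand-in for the downloaded template (assumption: the real file's resource
# names and layout are not shown on the page). The PEM body is just base64 of the word
# "constructed", not a real RSA key, so the script runs offline.
SAMPLE_TEMPLATE = """
resource "oci_identity_api_key" "prisma" {
  user_id   = oci_identity_user.user.id
  key_value = <<EOF
-----BEGIN PUBLIC KEY-----
Y29uc3Ry
dWN0ZWQ=
-----END PUBLIC KEY-----
EOF
}
"""


if __name__ == "__main__":
    # Real use: fingerprint_from_template(open("terraform.tf").read())
    fp = fingerprint_from_template(SAMPLE_TEMPLATE)
    print("template key fingerprint:", fp)
    print("compare with the API Keys tab of the Prisma Cloud user in the OCI console")
```

Run it against the extracted terraform.tf right after each download; if the fingerprint differs from the one on the user's API Keys tab, the stack was applied from a stale template and the Rotate Keys or update step has to be repeated with the current file.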