Add Your OCI Tenant to Prisma Cloud

Add OCI Tenant
To start monitoring your resources on OCI, add your OCI tenant to Prisma Cloud.
Access Prisma Cloud and select

Settings

Cloud Accounts

Add Cloud Account

.

Select

Oracle Cloud

as the cloud provider to onboard and secure your account.



Enter a

Cloud Account Name

that uniquely identifies your OCI tenant on Prisma Cloud and click

Next

.


Add Tenant Details
In OCI, administrator resources are only created at the tenant level. To ingest those resources, you must first onboard the OCI tenant in Prisma Cloud by entering the root compartment OCID and home region from the OCI console.
Log in to your OCI console and select

Identity & Security

Identity

Compartments

.

Copy the

OCID

of the root compartment.



Return to the Prisma Cloud Onboarding Setup page and paste the OCID in the

Tenant/Root OCID

field.

Select the

Home Region

where the tenant is created (for example, us-phoenix-1) and click

Next

.

Follow the steps in Create a User to Enable Access, to create a new user, group, and policy that correspond to OCI Identity User Name, Group Name, and Policy Name.

You can use an existing user with the correct privileges, an existing group, and an existing policy with the correct policy statements. However, it is recommended that you create a new user, group, and policy as described in Create a User to Enable Access


Create a User to Enable Access
Use the Terraform template to generate a new user OCID. The User Name, Group Name, and Policy Name must be unique and should not be present in your OCI tenant.
Click to download the terraform

template to your local machine.

To onboard the Oracle Cloud account, a public key is needed to access the OCI API. This public key is embedded in the Terraform template, and it changes each time you download the template. Therefore, when creating a stack, make sure to use the most recent Terraform file that you downloaded.



Check the OCI console to see if the

Primary email address required

checkbox is disabled.

To ensure that the Terraform file runs successfully, uncheck the

Primary email address required

checkbox.

Log in to your OCI tenant console.

Navigate to

Identity

Domains

Default Domain

Settings

Domain Settings

.

Disable the

Primary email address required

checkbox if it is enabled.



Save changes

.

If you want to keep the

Primary email address required

checkbox enabled on your console, add your OCI tenant administrator’s email address to the

oci identity user

email field in the Terraform file before running it.

resource "oci_identity_user" "user" {
name           = "oci_user_name_param"
description    = "user created by terraform"
email          = "<oci-tenant-administrator-email-address>"
compartment_id = "oci_tenant_id_param"
}

Follow these steps to

Generate User OCID

:

Select the Home Region you entered in

Add Tenant Details

(for example, US West (Phoenix)).

Navigate to

Developer Services

Resource Manager

Stacks

and select

Create Stack

.

Select

My Configuration

to upload the Terraform configuration files.

Under

Stack Configuration

, select

.Zip file

and upload the

terraform.tf.zip

file that you had previously downloaded to your local machine.

Enter a stack

Name

, for example, PrismaCloudApp.

Under

Create in compartment

, choose the

root

compartment if it is not already selected, and click

Next

.



The Configure variables have already been set. Click

Next

.



Review the Stack information, select

Run apply

and

Create

the stack.

The Terraform file gets executed, and the User OCID is generated.



From the current Job details, navigate to

Resources

Outputs

and copy the user_ocid

Value

.



Return to the Prisma Cloud Onboarding Setup page and paste the

User OCID

value in the User OCID text field and click

Next

.


Account Group Selection
Select the Account Groups to associate with your OCI tenant and click
Next
.
You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.

Cloud Account Status
Review the onboarding Status of your OCI account on Prisma Cloud and click

Save

.

The status check verifies the OCI tenant and the number of compartments available under that tenant. Prisma Cloud ingests the child compartment(s) along with the root tenant.



After successfully onboarding the account, you will see it on the

Cloud Accounts

page.


Next Steps
It can take up to an hour for the ingestion to complete after which you can view the resources in Prisma Cloud, review, and act on the alerts generated.

Configure Alert Rule to include OCI policies.

If you do not want to ingest data from any of the child compartments:

Navigate to

Settings

Cloud Accounts

.

Click the

Name

of the tenant you have onboarded.

The tenant is also displayed as a compartment. Select the child compartments you want to disable.



Depending on your password policy, you can choose to rotate your user’s keys:

Navigate to

Settings

Cloud Accounts

.

Click the Edit icon for the tenant for which you want to rotate the keys.



Select

Rotate Keys

.

Click

Download Terraform Template

and follow the steps listed in

Create a User to Enable Access

to regenerate the User OCID.



On the Prisma Cloud

Dashboard

, you can filter by OCI

Cloud Accounts

. Prisma Cloud supports only configuration ingestion for OCI tenants and displays only the relevant configuration ingestion data.



Start using the Prisma Cloud Asset Inventory for visibility. Set the

Cloud Type

filter as OCI to view the data for the supported services. You can also filter the data based on the OCI

Cloud Region

and

Service Name

.



To verify if the configuration logs for your OCI-related resources have been analyzed, you can run a query on the

Investigate

page.



Review the Prisma Cloud default

Policies

for OCI. Set the

Cloud Type

filter as

OCI

and view all the Configuration policies that are available to detect any misconfiguration in your infrastructure.


Update an Onboarded OCI Account
To update the permissions of an already onboarded OCI account to ingest new APIs or to ingest additional attributes in the OCI API:
Navigate to
Settings
Cloud Accounts
.
Click the Edit icon for the tenant you want to update.
In the edit flow, you can choose to rotate your user’s keys by checking the
Rotate Keys
checkbox (which is always unchecked by default) or leave it unchecked and download the updated Terraform template.

Log in to your OCI tenant console.
Navigate to
Developer Services
Resource Manager
Stacks
.
Select the stack to Edit. For example, PrismaCloudApp.

If you are unable to find the stack to Edit, you must delete the existing user, group, and policy from OCI console and perform the steps in Create a User to Enable Access.
Select
Edit
Edit Stack
, upload the updated Terraform template and click
Next
.
The Configure variables have already been set. Click
Next
.
Select
Run apply
and
Save changes
.
From the current Job details, navigate to
Resources
Outputs
, copy user_ocid, and add it to Prisma Cloud.
This will update the policy with the newly added policy statements.