PrismaCloud CSPM Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

The following steps allow you to configure this connector for use with Tenable Exposure Management from start to finish.

Tip: For more information on how third-party integrations work, see Connectors.

Connector Details

Details Description

Supported products

PrismaCloud Enterprise Edition (SaaS)

Ingestion from: AWS, Azure, GCP, OCI, and Alibaba Cloud via the Prisma Cloud API.

Category

CSPM

Ingested data

Assets and Findings

Ingested Asset Classes

Devices

Resources

Integration type

UNI directional (data is transferred from the Connector to Tenable Exposure Management in one direction)

Supported version and type

SaaS (latest)

Prerequisites and User Permissions

Before you begin configuring the connector, make sure to:

  1. Identify PrismaCloud CSPM servel URL.

  2. Create PrismaCloud CSPM role.

  3. Generate PrismaCloud CSPM Access Key and Secret Key.

Identify PrismaCloud CSPM Server URL

To identify your server URL (also known as the API URL) for PrismaCloud CSPM, look at the URL you use to log in to your PrismaCloud Admin Console. The API URL varies depending on the specific cluster where your tenant is deployed.

You can determine your API URL by replacing app with api in your Admin Console UR.
Example: https://app.prismacloud.io --> https://api.prismacloud.io.

Create PrismaCloud CSPM Role

Assign a Account Group Read Only role:

  1. Log in to the PrismaCloud CSPM platform.

  2. Navigate to Settings > Access Control.

  3. Click Roles, and then click Add > Role.

  4. In the Name box, type a descriptive name for the role.

  5. (Optional) In the Description box, type a brief description.

  6. Select the Account Group Read Only permission.

  7. Select the On-prem/Other cloud providers checkbox.

  8. Click Save.

Generate PrismaCloud CSPM Access Key and Secret Key

Note: These should be the credentials of a valid PrismaCloud user with the assigned role as described above.

  1. Click Add, then click Service Account (In Settings > Access Control.

  2. Click Add, then click Service Account.

  3. In the Name box, type a descriptive name for this service account.

  4. Select the role you created in the previous procedure, and then click Next.

  5. In the Access Key Name box, type a name for the access key.

  6. (Optional) Select an Expiration Date.

  7. Click Save and Create.

  8. Copy the Access Key and Secret Key to a safe location. You need them to configure the connector.

Add a Connector

To add a new connector:

  1. In the left navigation menu, click Connectors.

    The Connectors page appears.

  2. In the upper-right corner, click Add new connector.

    The Connector Library page appears.

  3. In the search box, type the name of the connector.

  4. On the tile for the connector, click Connect.

    The connector configuration options appear.

Configure the Connector

To configure the connector:

  1. (Optional) In the Connector's Name text box, type a descriptive name for the connector.

  2. In the Server Url section, type the URL of your PrismaCloud server.

  3. In the Access Key ID and Secret Access Key text boxes, paste the secret credentials you generated in PrismaCloud.

  4. In the Data pulling configuration section, you can configure dynamic settings specific to the connector.

    • In Asset Classes, check the assets you want Tenable Exposure Management to fetch. The options are Compute, Database, Identity and Security, Kurbernetes, and Storage.

    • In Alerts, check the type of alerts you want Exposure Management to fetch:

      • To fetch alerts with an informational severity (which adds the policy.severity = informational filter), select the Fetch informational alerts checkbox.

      • To fetch alerts with a dismissed status (which adds the alert.status = dismissed filter), select the Fetch dismissed alerts checkbox.

      • To fetch alerts with a resolved status (which adds the alert.status = resolved filter), select the Fetch resolved alerts checkbox.

      Note: During the initial synchronization and once a week thereafter, Tenable Exposure Managementperforms a full sync that fetches all alerts from PrismaCloud. For all other scheduled syncs, the connector performs an incremental sync that fetches only alerts updated since your last successful sync.

    • In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.

      Tip: For more information, see Asset Retention.

  5. In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.

    • A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.

    • If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.

  6. In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

    Tip: For more information, see Connector Scheduling.

  7. Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.

  8. To confirm the sync is complete, do the following:

PrismaCloud CSPM in Tenable Exposure Management

Locate Connector Assets in Tenable Exposure Management

As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.

To view assets by connector:

  1. In Tenable Exposure Management, navigate to the Assets page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.

    The asset list updates to show only assets from the selected connector.

  3. Click on any asset to view Asset Details.

Locate Connector Weaknesses in Tenable Exposure Management

As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.

To view weaknesses by connector: 

  1. In Tenable Exposure Management, navigate to the Weaknesses page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.

    The weaknesses list updates to show only weaknesses from the selected connector.

  3. Click on any weakness to view Weakness Details.

Locate Connector Findings in Tenable Exposure Management

As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.

To view findings by connector:

  1. In Tenable Exposure Management, navigate to the Findings page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings

    The findings list updates to show only assets from the selected connector.

  3. Click on any asset to view Finding Details.

Data Mapping

Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.

Device and Resource Mapping

Tenable Exposure Management UI Field

PrismaCloud CSPM Field
Asset Uniqueness Criteria ID

Asset Host Name

Asset Name

 Name

Asset External Identifier

Asset Provider Identifier

 Asset ID
Asset Cloud Resource > Cloud Type Cloud Type
Asset Cloud Resource > Type Asset Type
Asset Cloud Resource > Cloud Account Name Cloud Account Name

Asset Operating System

Asset OS Version

OS distribution

OS release

Asset IPv4 Addresses

Asset IPv6 Addresses

 IP Address

Asset Created Date

Asset First Observation Date

 "Resource was discovered" from Audit trail
Asset External Tags

Tags

Internal Exposure
Asset Custom Attributes

VPC Name

Region

Service

Finding as an Alert Mapping

Tenable Exposure Management UI Field

PrismaCloud CSPM Field
Finding Type > Alert Misconfiguration
Finding Type > Vulnerabilities Vulnerabilities
Finding Unique Identifier Alert ID (Alerts)
Finding Name policy name
Finding Description Policy Description
Finding First Seen Alert Time

Finding Last Seen (Observed)

Finding Last Fixed At

 Last Modified Time

Finding Severity

Finding Severity Driver

Finding Risk Factor

 Severity
Finding Solution How to fix tab > recommendation
Finding Custom Attributes

packageName

packageVersion

severity

cvss

vecStr

attack_path

Reason

policy.labels[]

Finding as a Vulnerability Mapping

Tenable Exposure Management UI Field

PrismaCloud CSPM Field
Uniqueness Criteria id (alertID) + resourceId+ package
Finding Name CVE
Finding Description policy.description

Finding Severity

Finding Severity Driver

Finding Risk Factor

 Severity
Finding Solution Fix Status
Finding Custom Attributes Status
Finding Custom Attributes

packageName

Path

Package Version

Type

cvss

Finding Status Mapping

Tenable Exposure Management Status

Prsima CSPM Status

Active

Open, Pending Resolutions, Snoozed

Fixed

Resolved, Dismissed

Finding Severity Mapping

Tenable Exposure Management Severity

PrismaCloud CSPM Score

Critical

CVSS: 9.0 - 10.0

High

CVSS: 7.0 - 8.9

Medium

CVSS4.0 - 6.9

Low

CVSS: 1-3.9

None

CVSS:0

Note:For PrismaCloud CSPM, Tenable Exposure Management uses the cvss field to determine vulnerability severity.

Status Update Mechanisms

Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.

Update Type in Exposure Management

Mechanism (When?)

Archiving Assets

  • Asset not seen for X days according to "Last Seen". See Asset Retention]

  • Asset status changes to one of the selected statuses defined in the Asset Retention configuration

Change a Finding status from "Active" to "Fixed"

  • Finding no longer appears in the scan findings

  • Finding status changes to Resolved or Dismissed on the vendor side
Note: Updates on the vendor side are reflected in Tenable Exposure Management only when the next scheduled connector sync time is complete (once a day).

Uniqueness Criteria

Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.

Tip:  Read all about Third-Party Data Deduplication in Tenable Exposure Management

The uniqueness criteria for this connector are as follows:

Data

Uniqueness Criteria

Asset

assetId

Weakness

policyId

Finding id (alertID) + resourceId+ package
Detection / Connection id

API Endpoints in Use

Permission Required

{{baseUrl}}/login

 -

{{baseUrl}}/search/config

 Account Group Read Only

{{baseUrl}}/v2/alert

Findings and Vulnerabilities

 Account Group Read Only

Data Validation

This section shows how to validate and compare data between Tenable Exposure Management and the PrismaCloud CSPM platform.

Asset Data Validation

Objective: Ensure the number of endpoints (devices) in PrismaCloud CSPM aligns with the number of devices displayed in Tenable Exposure Management.

Important: When validating asset counts between Prisma Cloud and Tenable Exposure Management, you may observe slight differences. The Prisma Cloud UI filters assets based on high-level Asset Classes (e.g., Compute, Kubernetes, Storage). However, the connector fetches inventory at a more granular level using individual Cloud Services via RQL queries (e.g., cloud.service = '<service_name>'). Tenable Exposure Management maps this specific Cloud Service data back to your selected Asset Classes. Since Tenable Exposure Management calculates totals based on this mapped data rather than Prisma Cloud native UI groupings, the final entity counts might differ slightly.

In PrismaCloud CSPM:

  1. Navigate to the Investigate page.

  2. Choose to query assets.

  3. Click Add and choose Class.

  4. Select the asset classes you chose to fetch (e.g., Compute, Kubernetes, Identity & Security, Database, Storage) and click Search.

  5. At the bottom of the page, review the total asset count for the chosen Asset Classes (you may need to click Load More to see the full total).

In Tenable Exposure Management:

  1. Locate your connector assets.

  2. Compare the total number of assets between PrismaCloud CSPM and Tenable Exposure Management.

Expected outcome: The total numbers returned in PrismaCloud CSPM and Tenable Exposure Management should match.

If an asset is not visible in Tenable Exposure Management, check the following conditions:

  • Classification: Ensure the asset is actually classified under one of the chosen Asset Classes.

  • Archived Status: Check if the asset was archived based on your configuration (e.g., the status changed to "deleted" or "terminated").

  • Retention Period: The asset's last observed date may be older than the defined Asset Retention Period.

  • Tip: To learn more on how assets are archived and findings change status, see PrismaCloud CSPM Connector.

Finding Data Validation

Objective: Ensure the number of alerts/findings in PrismaCloud CSPM aligns with the number of findings in Tenable Exposure Management.

In PrismaCloud CSPM:

  1. Navigate to Alerts > Reset filters.

  2. Click Add filter > Asset Class and select the Asset Classes you configured the connector to fetch.

  3. On the top left of the screen, note the total number of Alerts.

In Tenable Exposure Management:

  1. Locate your connector findings.

  2. Compare the total number of findings between PrismaCloud CSPM and Tenable Exposure Management.

Expected outcome: The numbers may differ slightly at any given time because Prisma Cloud is actively running and scanning new alerts. Additionally, alerts on deleted assets remain visible on the Prisma Cloud platform, which can cause counts to diverge.

If a finding is missing from Tenable Exposure Management or no longer active, check the following conditions:

  • Category Mismatches: Ensure you are filtering Alerts linked to the exact same Inventory Asset Categories on both Prisma Cloud and Tenable Exposure Management.

  • Archived Assets: The finding is related to an asset that has already been archived in Tenable.

  • Informational Severities: The Alert in Prisma Cloud has an "Informational" severity, but the Fetch Informational Alerts checkbox is unchecked in your connector.

  • Resolved/Dismissed Status: The Alert in Prisma Cloud has a "dismissed" or "resolved" status, but the Fetch Dismissed alerts or Fetch Resolved alerts checkboxes are unchecked in your connector configuration.

  • The finding is marked as Fixed and appears under the Fixed state on the Findings screen.

Tip: To learn more on how assets are archived and findings change status, see PrismaCloud CSPM Connector.