VR and Prisma Registry - Using the Auto-Close Rule Effectively
yesterday
Hello,
For those of you who have VR integration with Prisma Cloud, you may have noticed that the built-in Auto-Close Rule is using the last_found field, which comes from the scanTime field in Prisma's API response.
We have an issue with CVITs coming from the Prisma Cloud Compute Registry integration, where the scanTime in the API response can be far in the past, so the CVIT closes out in VR, but the vulnerability still exists and is open on Prisma. When the integration is next run, the CVIT re-opens. This has caused daily closing/re-opening cycles on many CVITs (the auto-close rule is set to 1d ago, where ideally our remediation teams would know if their vulnerability remediation was successful by the next business day).
Aside from disabling the Auto-Close rule on Registry items altogether, I was wondering if other users had another solution to this problem. I was also thinking of modifying the last_found date during ingestion, but then remediation teams won't be seeing the true "last_found" date; it would always be set to the current day, which isn't ideal.
The best solution would be one where our end-users see stale results close out when they aren't in Prisma, but also not have the results re-open and re-close every 1/15/30 days.