Data mapping
Summary of Data mapping
This document explains how Prisma Cloud data is imported and mapped within the Configuration Compliance module of a ServiceNow instance, specifically for the Xanadu release as of August 1, 2024. It highlights terminology changes since version 14.9 and details the relationships between Prisma Cloud entities and Configuration Compliance components.
Key Features
- Terminology Updates: Starting with Configuration Compliance v14.9, Test Result Group is renamed to Remediation Task and Group Rules is renamed to Remediation Task Rules.
- Data Mapping:
  - Policy/Test: Prisma Cloud policies are imported as tests in Configuration Compliance. These tests are linked to authoritative sources and can be customized. Tests are accessible under Configuration Compliance > Tests.
  - Test Results: Prisma Cloud alerts are imported as test results and are viewable under Configuration Compliance > Test Results. Remediation is done through Remediation Tasks.
- Integration Jobs:
  - Prisma Policy Integration: Retrieves tests from Prisma Cloud.
  - Prisma Alert Integration: Pulls test results daily based on status changes and triggers end-of-import calculations post-import.
  - Prisma Comprehensive Alert Integration: Runs weekly to pull all alerts updated in the past seven days to ensure data completeness, especially for alerts without recent status changes.
- Authoritative Sources: Represent industry standards (e.g., ISO 27001, PCI DSS 3.2.1) that provide security policy references tied to tests and test results. Accessible via Configuration Compliance > Authoritative Sources.
- Assets and Discovered Items: Alerts and related asset information, including resource tags and cloud attributes, are captured in the Discovered Items table when Vulnerability Response Integration with Prisma Cloud is installed.
- Cloud Attributes and Tags: Includes cloud account IDs, regions, resource types, service providers, and account groups associated with assets, enhancing context for vulnerability management.
- CI Lookup Rules: Base system rules exist for Resource ID, Name, and S3 Bucket, assisting with configuration item matching for Prisma Cloud and Microsoft Defender for Cloud integrations.
Key Outcomes
ServiceNow customers leveraging this integration can expect automated, accurate import of Prisma Cloud policies and alerts into Configuration Compliance, facilitating centralized vulnerability tracking and remediation. The use of authoritative sources ensures compliance with industry standards, while asset and cloud attribute data enrich vulnerability context. Integration jobs run on schedules to keep test and alert data current, and remediation tasks streamline the resolution process.
The data from Prisma Cloud is imported into the Configuration Compliance module of the ServiceNow instance.
| Terminology prior to v14.9 | Terminology v14.9 onwards |
|---|---|
| Test Result Group | Remediation Task |
| Group Rules | Remediation Task Rules |
| Policy | Test group |
Each Prisma Cloud entity is imported under a different name in Configuration Compliance, as shown in the following table.
| Prisma Cloud | Configuration Compliance |
|---|---|
| Policy | Test |
| Alert | Test result |
| Compliance standard | Authoritative source |
| Sections | Citation |
| Asset | Discovery item / Configuration item (CI) |
Tests
A policy in Prisma Cloud is imported as a test in Configuration Compliance. Tests are related to authoritative documents and test result records, and they can be modified to meet the needs of your organization. You can view the tests by navigating to Configuration Compliance > Tests.
If Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the integration job Prisma Policy Integration retrieves the tests. You can view this integration job by navigating to .
Test Results
An alert in Prisma Cloud is imported as a test result in Configuration Compliance. You can view the test results by navigating to Configuration Compliance > Test Results.
Configuration Compliance imports test results as part of a third-party integration. Once they are viewable in the Configuration Compliance application, they are remediated using Remediation Tasks.
If Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the integration job Prisma Alert Integration retrieves the test results. You can view this integration job by navigating to .
The Prisma Alert Integration is an integration job that runs daily and pulls the test results whose status changed after the time defined in the Start Time field on the Integration tab.
When the Prisma Alert Integration finishes importing the data, an event is raised to trigger the end-of-import calculations. Because the daily job selects alerts by status change, an alert that has been failing continuously for the past few days is not fetched, since its status has not changed. To keep the test results in sync with the Prisma alerts, a second integration job, Prisma Comprehensive Alert Integration, pulls the alerts that were updated in the past seven days. It runs weekly and pulls all the test results that are not in a passed state.
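The two selection rules above are easier to reason about side by side. The following added example (not ServiceNow's or Palo Alto's code) models the daily status-change filter and the weekly comprehensive filter over a constructed set of alerts; the alert field names, the Start Time value, and the choice to treat a resolved alert as "passed" are all assumptions made for the illustration.

```javascript
// Constructed sample alerts, modelled loosely on what the integration sees.
// lastStatusChange: when the alert's status last changed (open -> resolved, etc.).
// lastUpdated: when Prisma last touched the alert (e.g. re-evaluated the policy).
// Treating status 'resolved' as the "passed" state is an assumption for this example.
const DAY_MS = 24 * 60 * 60 * 1000;

const SAMPLE_ALERTS = [
  { id: 'A-1', status: 'open',     lastStatusChange: '2024-08-10T02:00:00Z', lastUpdated: '2024-08-10T02:00:00Z' },
  { id: 'A-2', status: 'resolved', lastStatusChange: '2024-08-10T05:00:00Z', lastUpdated: '2024-08-10T05:00:00Z' },
  // Failing continuously for weeks: status never changed, but re-evaluated daily.
  { id: 'A-3', status: 'open',     lastStatusChange: '2024-07-01T00:00:00Z', lastUpdated: '2024-08-10T01:00:00Z' },
  // Stale alert: neither changed nor updated recently.
  { id: 'A-4', status: 'open',     lastStatusChange: '2024-06-01T00:00:00Z', lastUpdated: '2024-06-01T00:00:00Z' },
];

// Daily job (Prisma Alert Integration): only alerts whose status changed after
// the configured Start Time. Returns alert ids.
function selectDailyAlerts(alerts, startTime) {
  const since = Date.parse(startTime);
  return alerts
    .filter(a => Date.parse(a.lastStatusChange) > since)
    .map(a => a.id);
}

// Weekly job (Prisma Comprehensive Alert Integration): every non-passed alert
// updated within the last seven days of the run time, regardless of status change.
function selectComprehensiveAlerts(alerts, runTime) {
  const since = Date.parse(runTime) - 7 * DAY_MS;
  return alerts
    .filter(a => a.status !== 'resolved' && Date.parse(a.lastUpdated) > since)
    .map(a => a.id);
}

// Alerts the daily job would miss that the weekly job recovers: this is the gap
// the comprehensive job exists to close.
function recoveredByComprehensive(alerts, startTime, runTime) {
  const daily = new Set(selectDailyAlerts(alerts, startTime));
  return selectComprehensiveAlerts(alerts, runTime).filter(id => !daily.has(id));
}
```

With a Start Time of 2024-08-09 and a weekly run on 2024-08-10, the continuously failing alert A-3 is the one only the comprehensive job picks up.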
Authoritative Sources
Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as ISO 27001 and PCI DSS 3.2.1.
These source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. The references define requirements for security policies and procedures. Navigate to Configuration Compliance > Authoritative Sources to view the authoritative sources.
Assets
If the Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the scheduled job Prisma Alert Integration captures the alert-related asset information in the Discovered Items module or table. You can view this scheduled job by navigating to .
- Host tags: A resource can have multiple tags. The host tags are stored as key-value pairs, for example an operating system tag with the value Windows 10 and a Java version tag with the value 1.8.
- Cloud attributes for assets: The following cloud attributes are available:
  - Cloud account: Provides the account ID from the integration. The information is populated from the Cloud Accounts [sn_sec_cmn_cloud_account.LIST] table.
  - Cloud region: Provides the location where the resource is hosted. The information is populated from the Cloud Regions [sn_sec_cmn_region.LIST] table.
  - Cloud resource type: Provides the type of resource, such as a virtual machine or a database instance. The information is populated from the Cloud Resource Type [sn_sec_cmn_cloud_resource_type.LIST] table.
  - Cloud service provider: Provides the cloud service provider, such as Amazon Web Services (AWS) or Oracle Cloud. The information is populated from the Cloud Service Provider [sn_sec_cmn_cloud_service_provider.LIST] table.
  - Cloud account groups: Provides the account groups. The information is populated from the Cloud Account Groups [sn_vul_prismacloud_account_group.list] table. Note: The Cloud account groups attribute is available only for Prisma Cloud.
CI lookup rules
The base system CI lookup rules are available for Resource ID, Name, and S3 Bucket. For more information on the CI lookup rules, see CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations and Palo Alto Prisma Cloud.
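To show how the asset attributes above and the CI lookup rules fit together, here is an added example that is not ServiceNow's own code: it builds the discovered-item fields from a constructed Prisma asset record and then tries the Resource ID, Name, and S3 Bucket rules in that order against a constructed CI table. The CI column names, the rule ordering, and restricting the S3 Bucket rule to S3 resources are assumptions for the illustration, not the base system's actual rule definitions.

```javascript
// Constructed CI table; column names are illustrative, not the real CMDB schema.
const SAMPLE_CIS = [
  { sys_id: 'ci-001', name: 'web-prod-01',  resource_id: 'i-0abc123', s3_bucket: '' },
  { sys_id: 'ci-002', name: 'logs-archive', resource_id: '',          s3_bucket: 'corp-logs-archive' },
  { sys_id: 'ci-003', name: 'db-prod-01',   resource_id: 'db-77',     s3_bucket: '' },
];

// Build the discovered-item fields (host tags plus the cloud attributes listed on
// this page) from a constructed Prisma asset record. Field names are assumptions.
function toDiscoveredItem(asset) {
  return {
    name: asset.name,
    resourceId: asset.resourceId,
    cloudAccount: asset.accountId,
    cloudRegion: asset.region,
    cloudResourceType: asset.resourceType,
    cloudServiceProvider: asset.cloudType,
    cloudAccountGroups: asset.accountGroups || [],
    hostTags: Object.assign({}, asset.tags),
  };
}

// Lookup rules tried in priority order: Resource ID, then Name, then S3 Bucket.
// The S3 rule is assumed to apply only to S3 bucket resources, whose Prisma
// resource name is the bucket name.
const LOOKUP_RULES = [
  { field: 'resource_id', key: 'resourceId' },
  { field: 'name',        key: 'name' },
  { field: 's3_bucket',   key: 'name', onlyFor: 'aws_s3_bucket' },
];

// Returns the matched CI and which rule matched, or null when no CI matches
// (the discovered item then stays unmatched rather than being force-linked).
function lookupCI(item, cis) {
  for (const rule of LOOKUP_RULES) {
    if (rule.onlyFor && item.cloudResourceType !== rule.onlyFor) continue;
    const value = item[rule.key];
    if (!value) continue;
    const match = cis.find(ci => ci[rule.field] === value);
    if (match) return { ciSysId: match.sys_id, matchedBy: rule.field };
  }
  return null;
}
```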