Data mapping

  • Release version: Yokohama
  • Updated January 30, 2025

    The data from Prisma Cloud is imported into the Configuration Compliance module of the ServiceNow instance.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 | Terminology v14.9 onwards
    Test Result Group | Remediation Task
    Group Rules | Remediation Task Rules
    Policy | Test group

    Prisma Cloud data is imported into Configuration Compliance under different names, as listed in the following table.

    Table 2. Mapping of Prisma Cloud data in Configuration Compliance
    Prisma Cloud | Configuration Compliance
    Policy | Test
    Alert | Test result
    Compliance standard | Authoritative source
    Sections | Citation
    Asset | Discovered item / Configuration item (CI)

    Tests

    A policy in Prisma Cloud is imported as a test in Configuration Compliance. Policies are related to authoritative documents and test records, and they can be modified to meet the needs of your organization. You can view the tests by navigating to Configuration Compliance > Tests.

    If Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the Prisma Policy Integration job retrieves the tests. You can view this integration job by navigating to All > Prisma Cloud Integrations > Prisma Policy Integration.

    Test Results

    An alert in Prisma Cloud is imported as a test result in Configuration Compliance. Alerts are remediated using Remediation Tasks. You can view the test results by navigating to Configuration Compliance > Test Results.

    Configuration Compliance imports test results as part of a third-party integration. After they are viewable in the Configuration Compliance application, they are remediated using Remediation Tasks.

    If Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the integration job Prisma Alert Integration retrieves the test results. You can view this integration job by navigating to All > Prisma Cloud Integration > Integrations > Prisma Alert Integration.

    The Prisma Alert Integration is an integration job that runs daily and pulls the test results whose status changed after the time that is defined in the Start Time field in the Integration tab.

    Note:
    If you run the Prisma Alert Integration job manually, run it after you run the Prisma Policy Integration job.

    When the Prisma Alert Integration finishes importing the data, an event is started to trigger end-of-import calculations. If an alert has been failing continuously for the past few days, the integration doesn't fetch it, because the alert has had no status change. To keep the test results up to date with the Prisma alerts, an additional integration job, Prisma Comprehensive Alert Integration, pulls the alerts that were updated in the past seven days. It runs weekly and pulls all the test results that aren't passed.
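
The two pull rules described above, modeled as an added example (not ServiceNow or Prisma Cloud code). The field names, status labels and sample alerts are constructed for illustration, and Start Time is assumed to be one day before the run.

```javascript
// Added illustration: models the two selection rules described above.
// Field names (id, status, statusChangedAt, updatedAt) and the sample
// alerts are constructed; this is not ServiceNow or Prisma Cloud code.
const DAY_MS = 24 * 60 * 60 * 1000;

// Daily job: only alerts whose status changed after the Start Time.
function dailyDeltaPull(alerts, startTime) {
  return alerts.filter((a) => a.statusChangedAt > startTime);
}

// Weekly job: alerts updated in the past seven days that aren't passed.
function weeklyComprehensivePull(alerts, now) {
  const cutoff = now - 7 * DAY_MS;
  return alerts.filter((a) => a.updatedAt >= cutoff && a.status !== "passed");
}

// IDs of alerts that the daily delta skips but the weekly job refreshes.
function refreshedOnlyByWeekly(alerts, startTime, now) {
  const daily = new Set(dailyDeltaPull(alerts, startTime).map((a) => a.id));
  return weeklyComprehensivePull(alerts, now)
    .filter((a) => !daily.has(a.id))
    .map((a) => a.id);
}

const now = Date.UTC(2025, 0, 30);
const startTime = now - DAY_MS; // assumed: Start Time is one day before the run
const sampleAlerts = [
  // Failed 10 days ago, still failing, record updated 2 days ago.
  { id: "A-1", status: "failed", statusChangedAt: now - 10 * DAY_MS, updatedAt: now - 2 * DAY_MS },
  // Newly failed 6 hours ago.
  { id: "A-2", status: "failed", statusChangedAt: now - DAY_MS / 4, updatedAt: now - DAY_MS / 4 },
  // Passed 12 hours ago.
  { id: "A-3", status: "passed", statusChangedAt: now - DAY_MS / 2, updatedAt: now - DAY_MS / 2 },
  // Failed 30 days ago and not updated since.
  { id: "A-4", status: "failed", statusChangedAt: now - 30 * DAY_MS, updatedAt: now - 30 * DAY_MS },
];

console.log("daily:", dailyDeltaPull(sampleAlerts, startTime).map((a) => a.id));
console.log("weekly:", weeklyComprehensivePull(sampleAlerts, now).map((a) => a.id));
console.log("weekly only:", refreshedOnlyByWeekly(sampleAlerts, startTime, now));
```

In this model the long-failing alert A-1 is refreshed only by the weekly job, while A-4, which has had neither a status change nor an update within seven days, is selected by neither rule.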

    Authoritative Sources

    Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as ISO 27001 and PCI DSS 3.2.1.

    These source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. The references define requirements for security policies and procedures. Navigate to Configuration Compliance > Authoritative Sources to view the authoritative sources.

    Assets

    If the Vulnerability Response Integration with Palo Alto Prisma Cloud is installed, the scheduled job Prisma Alerts Integration captures the alert-related information in the Discovered Items module or table. You can view this scheduled job by navigating to Prisma Cloud Integration > Integrations.

    The Prisma Alerts integration imports additional types of information, such as resource tags and cloud attributes, that are stored in tables. This information is displayed in the Discovered items form.
    • Host tags: A resource can have multiple tags. The host tags are available in key-value pair format. For example, the operating system is Windows 10 and the Java version is 1.8.
    • Cloud attributes for assets: The following cloud attributes are available:
      • Cloud account: Provides the account ID from the integration. The information is populated from the Cloud Accounts [sn_sec_cmn_cloud_account.LIST] table.
      • Cloud region: Provides the location where the resource is hosted. The information is populated from the Cloud Regions [sn_sec_cmn_region.LIST] table.
      • Cloud resource type: Provides the type of resource, for example a virtual machine or a database instance. The information is populated from the Cloud Resource Type [sn_sec_cmn_cloud_resource_type.LIST] table.
      • Cloud service provider: Identifies the cloud service provider, for example Amazon Web Services (AWS) or Oracle Cloud. The information is populated from the Cloud Service Provider [sn_sec_cmn_cloud_service_provider.LIST] table.
      • Cloud account groups: Provides information on the account groups. The information is populated from the Cloud Account Groups [sn_vul_prismacloud_account_group.list] table.
        Note:
        The Cloud account groups attribute is available only for Prisma.

    CI lookup rules

    The base system CI lookup rules are available for Resource ID, Name, and S3 Bucket. For more information on the CI lookup rules, see CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations and Palo Alto Prisma Cloud.