Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute integration
Summary of Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute integration
The Vulnerability Response integration with Palo Alto Networks Prisma Cloud Compute allows ServiceNow customers to scan running hosts for vulnerabilities by importing detailed vulnerability data from Prisma Cloud Compute. This integration leverages Prisma Host APIs to retrieve comprehensive and timely vulnerability snapshots for hosts, enabling continuous synchronization between Prisma and the ServiceNow instance.
Since Prisma Cloud Compute is available as both SaaS and on-premises, a MID Server is required for ServiceNow to invoke Prisma APIs, especially when the Prisma product and the ServiceNow AI Platform instance reside in different environments. This setup ensures secure, reliable communication for data import and synchronization.
Key Features
- Automated Vulnerability Import: The integration runs daily to retrieve vulnerabilities from Prisma Cloud Compute for hosts, creating Vulnerable Item Tasks (VITs), detections, and discovered items within ServiceNow.
- National Vulnerability Database (NVD) Integration: When importing vulnerabilities, the system checks for existing CVEs in the NVD table. If a CVE is not found, a placeholder record is created and can be later updated either automatically or manually.
- Customizable CVE Data Population: Fields such as Exploit Exists and Remediation Notes are populated using Prisma data to provide essential context before the NVD integration completes. Customers can customize which additional CVE fields to populate based on Prisma’s provided information.
- Dashboard Visibility: Vulnerabilities and vulnerable items imported from Prisma can be viewed and prioritized through the Vulnerability Response dashboards in ServiceNow.
- MID Server Requirement: A MID Server is mandatory for integration API calls when ServiceNow and Prisma Cloud Compute are not co-located, ensuring proper connectivity and security.
Practical Benefits for ServiceNow Customers
- Enables continuous and automated vulnerability detection on running hosts monitored by Prisma Cloud Compute within the familiar ServiceNow Vulnerability Response framework.
- Provides actionable vulnerability data enriched with remediation notes and exploit information to prioritize and address security risks effectively.
- Integrates seamlessly into existing ServiceNow workflows by creating records and dashboards to monitor and manage vulnerabilities efficiently.
- Supports both SaaS and on-premises Prisma deployments through MID Server usage, offering flexible deployment options.
The Prisma Cloud Compute integration enables you to scan hosts to detect vulnerabilities.
Starting with version 24.02.0 of Vulnerability Response, you can use the Prisma Cloud Compute Integration to import vulnerabilities on the running hosts. The Prisma Host APIs enable retrieval of comprehensive vulnerability information for a specific host and also provide a snapshot of the host vulnerabilities at a specific time. This API enables regular synchronization between Prisma and the ServiceNow instance. As Prisma is offered both as software as a service (SaaS) and as an on-prem solution, using a MID Server is necessary to invoke Prisma APIs from the ServiceNow instance. In addition, you're required to use a MID Server if the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute product and your ServiceNow AI Platform instance aren't in the same environment. For more information, see MID Server system requirements.
You can also view reports on vulnerabilities and vulnerable items on the Vulnerability Response dashboards. These vulnerabilities can then be prioritized and remediated.
Viewing the integrations
You can view the integrations that are part of the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute. To view the integrations, navigate to .
The following integrations are available.
| Run Sequence | Schedule | Integration | Description |
|---|---|---|---|
| 1 | Daily | Prisma Cloud Compute Hosts Integration | Retrieves host vulnerabilities and creates VITs, detections, and discovered items for hosts. |
Prisma integration process
When the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute runs, it checks whether each Common Vulnerabilities and Exposures (CVE) entry exists in the National Vulnerability Database (NVD) table. If the CVE is already present, the existing information is used. If the CVE isn't found, a placeholder record is generated in the NVD table. Initially, only the CVE and its name are populated in a placeholder record; other details are left empty on the assumption that the NVD integration fills them in later. If the integration instance parameter update_nvd is set to true, the integration updates the placeholder NVD records. By default, this parameter is set to false.

Until the NVD integration runs and populates these details, some understanding of the CVE is still needed, such as its severity or basic information about the issue. To meet this requirement, the fields Exploit exists and Remediation notes are populated with the details obtained from Prisma. This configuration is customizable, so you can specify any other fields you want to populate in the NVD entry based on the information provided by Prisma.
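The placeholder logic described above, as an added in-memory model that is not ServiceNow or Prisma code. The field names (`exploit_exists`, `remediation_notes`, `placeholder`), the finding shape, and the reading that `update_nvd` refreshes the Prisma-derived fields on an existing placeholder are assumptions; the CVE ids are constructed.

```javascript
// Added illustration: models the NVD placeholder handling in plain JavaScript.
// Record layout and finding shape are assumptions, not the product's schema.
const PRISMA_FIELDS = ['exploit_exists', 'remediation_notes']; // customizable list

function importFinding(nvdTable, finding, params = { update_nvd: false }) {
  const existing = nvdTable.get(finding.cve);
  if (!existing) {
    // CVE not in the NVD table: create a placeholder holding only the CVE and
    // its name, plus the context fields taken from Prisma.
    const record = { cve: finding.cve, name: finding.cve, placeholder: true };
    for (const f of PRISMA_FIELDS) record[f] = finding[f];
    nvdTable.set(finding.cve, record);
    return 'created_placeholder';
  }
  if (existing.placeholder && params.update_nvd) {
    // Assumed meaning of update_nvd=true: refresh the placeholder from Prisma.
    for (const f of PRISMA_FIELDS) existing[f] = finding[f];
    return 'updated_placeholder';
  }
  return 'used_existing'; // full NVD record, or placeholder with update_nvd=false
}

// CVEs still waiting for the NVD integration to supply severity and details.
function pendingEnrichment(nvdTable) {
  return [...nvdTable.values()].filter((r) => r.placeholder).map((r) => r.cve);
}

function demo(params) {
  // Constructed sample: one CVE already enriched by NVD, one unknown CVE seen twice.
  const nvd = new Map([
    ['CVE-0000-0001', { cve: 'CVE-0000-0001', name: 'CVE-0000-0001',
                        severity: 'High', placeholder: false }],
  ]);
  const findings = [
    { cve: 'CVE-0000-0001', exploit_exists: true, remediation_notes: 'upgrade pkg-a' },
    { cve: 'CVE-0000-0002', exploit_exists: false, remediation_notes: 'upgrade pkg-b' },
    { cve: 'CVE-0000-0002', exploit_exists: true, remediation_notes: 'upgrade pkg-b to 2.0' },
  ];
  const outcomes = findings.map((f) => importFinding(nvd, f, params));
  return { outcomes, pending: pendingEnrichment(nvd), nvd };
}

console.log(demo({ update_nvd: false }).outcomes);
console.log(demo({ update_nvd: true }).outcomes);
```

The `pendingEnrichment` list is the set worth watching on a dashboard: those records carry no severity until the NVD integration runs, so prioritization for them rests on the two Prisma fields alone.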