Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute integration

  • Release version: Zurich
  • Updated July 31, 2025

    The Prisma Cloud Compute integration enables you to scan container images to detect vulnerabilities.

    Starting with version 23.0 of Vulnerability Response, you can use the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute in the Container Vulnerability Response application to import vulnerabilities on the running hosts. The Prisma Host APIs retrieve comprehensive vulnerability information for a specific host and also provide a snapshot of the host vulnerabilities at a specific time. This API enables regular synchronization between Prisma and the ServiceNow instance. Because Prisma is offered both as software as a service (SaaS) and as an on-premises solution, a MID Server is necessary to invoke Prisma APIs from the ServiceNow instance.

    Starting with version 16.1 of Vulnerability Response, you can use the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute in the Container Vulnerability Response application to import container image vulnerability data for deployed containers. You can then view reports on vulnerabilities and vulnerable items on the Vulnerability Response dashboards. These vulnerabilities can then be prioritized and remediated.

    If the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute product and your ServiceNow AI Platform instance aren’t in the same environment, you’re required to use a MID Server. For more information, see MID Server system requirements.

    Viewing the integrations

    You can view the integrations that are part of the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute. To view the integrations, navigate to All > Prisma Cloud Compute Integration > Integrations.

    The following integrations are available.

    | Run Sequence | Schedule | Integration | Description |
    |---|---|---|---|
    | 1 | Daily | Prisma Cloud Compute Base Images Integration | Retrieves the vulnerabilities for base images from the Prisma API and reports the base image vulnerabilities separately. It also creates image findings and vulnerable items, which point to the base images. |
    | 2 | Daily | Prisma Cloud Compute Vulnerabilities Integration | Retrieves container vulnerabilities. Creates findings, container vulnerable items (CVITs), and discovered container images. |
    | 3 | On Demand | Prisma Cloud Compute Container Counts Integration | Retrieves container counts for each non-base image. |
    | 4 | Daily | Prisma Cloud Compute Registry Integration | Retrieves static image findings obtained from the Prisma registry scan and ingests them into Container Vulnerability Response. |

    Base image configuration in Prisma

    In the Prisma console, you can configure the registry and then configure the base images from those registries. If a vulnerability is present in the base image, then when you run the Prisma Cloud Compute Base Images Integration, the Base image check box is selected, indicating that the vulnerability is present in the base image.

    Configure CVR-based VI granularity

    To configure the granularity of CVITs, navigate to All > Prisma Cloud Compute Integration > Configure CVR based VI Granularity and specify the key combinations. By default, a CVIT is created for a combination of image repository, image, and vulnerability. You can add additional components to the key for further granularity. For example, you can create a CVIT for a combination of image repository, image, vulnerability, and cluster.

    Starting with v2.12.1 of Container Vulnerability Response, you can also configure the granularity of container vulnerable items (CVITs) using registry information and data sources. The namespace and cluster information is received from both the scanner and Discovery. If you want this information only from Discovery, select Discovery Information in the Data Source field. Depending on the chosen data source, you can view either image or Kubernetes information related to a CVIT record.

    If Scanner information is selected, the CVIT record shows Image clusters and Image namespace fields.

    If Discovery Information is selected, the CVIT record shows Kubernetes clusters and Kubernetes namespace fields.
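The following JavaScript is an added illustration of how the configured key components decide how many CVITs a set of findings collapses into, and how the Data Source choice changes which cluster and namespace values feed the key. It is a stand-alone model written for this page, not ServiceNow or Prisma Cloud Compute code; the finding field names (`scannerCluster`, `discoveryCluster`, and so on), the sample findings and the `groupIntoCvits` function are all assumptions.

```javascript
// Constructed sample findings, shaped roughly like what the Vulnerabilities
// Integration imports. All values are made up for this illustration.
const SAMPLE_FINDINGS = [
  { repository: 'registry.example/app', image: 'api:1.4', cve: 'CVE-0000-0001',
    scannerCluster: 'prod-east', scannerNamespace: 'payments',
    discoveryCluster: 'prod-east-k8s', discoveryNamespace: 'payments' },
  { repository: 'registry.example/app', image: 'api:1.4', cve: 'CVE-0000-0001',
    scannerCluster: 'prod-west', scannerNamespace: 'payments',
    discoveryCluster: 'prod-west-k8s', discoveryNamespace: 'payments' },
  { repository: 'registry.example/app', image: 'api:1.4', cve: 'CVE-0000-0002',
    scannerCluster: 'prod-east', scannerNamespace: 'payments',
    discoveryCluster: 'prod-east-k8s', discoveryNamespace: 'payments' },
  { repository: 'registry.example/app', image: 'worker:2.0', cve: 'CVE-0000-0001',
    scannerCluster: 'prod-east', scannerNamespace: 'batch',
    discoveryCluster: 'prod-east-k8s', discoveryNamespace: 'batch' },
];

// Default key: image repository + image + vulnerability, as the page states.
const DEFAULT_KEY = ['repository', 'image', 'vulnerability'];

// Resolve one key component from a finding. Cluster and namespace come from
// either the scanner or Discovery, depending on the configured data source
// (assumed field names; the page only names the two data sources).
function componentValue(finding, component, dataSource) {
  const fromDiscovery = dataSource === 'discovery';
  switch (component) {
    case 'repository': return finding.repository;
    case 'image': return finding.image;
    case 'vulnerability': return finding.cve;
    case 'cluster': return fromDiscovery ? finding.discoveryCluster : finding.scannerCluster;
    case 'namespace': return fromDiscovery ? finding.discoveryNamespace : finding.scannerNamespace;
    default: throw new Error(`unknown key component: ${component}`);
  }
}

// Group findings into CVITs: every distinct key value becomes one vulnerable
// item, and all findings sharing that key are attached to it.
function groupIntoCvits(findings, keyComponents = DEFAULT_KEY, dataSource = 'scanner') {
  const cvits = new Map();
  for (const f of findings) {
    const key = keyComponents.map((c) => componentValue(f, c, dataSource)).join('|');
    if (!cvits.has(key)) cvits.set(key, { key, findings: [] });
    cvits.get(key).findings.push(f);
  }
  return [...cvits.values()];
}

// Stand-alone run: compare the default key with a key that adds the cluster.
for (const [label, key, source] of [
  ['default key, scanner data', DEFAULT_KEY, 'scanner'],
  ['key + cluster, scanner data', DEFAULT_KEY.concat('cluster'), 'scanner'],
  ['key + cluster, Discovery data', DEFAULT_KEY.concat('cluster'), 'discovery'],
]) {
  const cvits = groupIntoCvits(SAMPLE_FINDINGS, key, source);
  console.log(`${label}: ${cvits.length} CVIT(s)`);
  for (const c of cvits) console.log(`  ${c.key} (${c.findings.length} finding(s))`);
}
```

With the default key the two `api:1.4` findings for the same CVE in different clusters merge into one CVIT; adding `cluster` to the key splits them, so coarser keys mean fewer records to triage but lose the per-cluster view.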

    Prisma integration process

    When the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute is run, it checks whether a Common Vulnerabilities and Exposures (CVE) entry exists in the National Vulnerability Database (NVD) table. If it's already present, the existing information is used. However, if the CVE isn't found, placeholder records are generated in the NVD table. When creating these placeholder NVD records, initially only the CVE and its name are populated. Other details aren't populated, on the assumption that the NVD integration fills in these details later. If the integration instance parameter update_nvd is set to true, it updates the placeholder NVD records. By default, the instance parameter is set to false. However, at least until the NVD integration runs and populates these details, some understanding of the CVE, such as its severity or other details about the issue, is needed. To meet this requirement, the fields Exploit exists and Remediation notes are populated with the details obtained from Prisma. Additionally, this configuration is customizable, enabling you to specify any other fields you want to populate in the NVD entry based on the information provided by Prisma.