https://github.com/paloaltonetworks/prisma-cloud-compute-splunk
Splunk app for ingesting Prisma Cloud Compute incidents and forensics
- Host: GitHub
- URL: https://github.com/paloaltonetworks/prisma-cloud-compute-splunk
- Owner: PaloAltoNetworks
- License: isc
- Created: 2021-11-02T14:20:38.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-07-14T16:36:09.000Z (almost 2 years ago)
- Last Synced: 2025-04-07T13:43:32.910Z (about 1 month ago)
- Topics: prisma-cloud, prisma-cloud-compute-edition, splunk
- Language: Python
- Homepage: https://www.paloaltonetworks.com/prisma/cloud
- Size: 728 KB
- Stars: 6
- Watchers: 9
- Forks: 8
- Open Issues: 9
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Support: SUPPORT.md
README
# Prisma Cloud Compute Splunk App
---
**IMPORTANT: Please see [SUPPORT.md](SUPPORT.md) for the official support policy for the contents of this repository.**
---
The Prisma Cloud Compute Splunk App allows high-priority security incidents from Prisma Cloud Compute to be polled by Splunk on a user-defined interval and provides in-depth forensic data for incident analysis and response.
The app adds two main components to your Splunk deployment: scripted data inputs that use your Prisma Cloud Compute API to pull incidents and forensics, and a sample Splunk dashboard that presents that data.

_Note: For bringing in data besides incidents and forensics, please use syslog or webhooks._
## Important news
## Getting the app
### GitHub
Download the latest app tarball (`pcc-splunk-app-*.tar.gz`) from its [release page](https://github.com/PaloAltoNetworks/prisma-cloud-compute-splunk/releases/latest).

### Splunkbase
Download the latest app tarball from [Splunkbase](https://splunkbase.splunk.com/app/4555).

### Splunk Apps Browser
In the Splunk UI, click on the Apps dropdown, click "Find More Apps", then search for "Prisma Cloud Compute".

## Installation and setup
1. Install the app by either uploading the tarball or following the Splunkbase prompts.
2. Navigate to the setup page if you aren't guided there.
3. Fill out the setup form and click "Complete setup."
   Field descriptions are on the setup page.
4. If on Windows, update `$SPLUNK_HOME\etc\twistlock\default\inputs.conf` according to the instructions at the top of the file.
5. Enable `poll_incidents.py` and `poll_forensics.py` at **Settings > Data inputs > Scripts** in Splunk.
6. (Optional) Adjust the schedule as needed. By default, the `poll_forensics.py` script runs 2 minutes after `poll_incidents.py`, and both scripts run every 5 minutes.

## FAQs
### What user role is required?
Any user role that is able to view incidents and forensic data. This is a user with at least the [DevSecOps role](https://docs.twistlock.com/docs/compute_edition/authentication/user_roles.html#devsecops-user) (self-hosted Compute) or the [Account Group Read Only role](https://docs.twistlock.com/docs/enterprise_edition/authentication/prisma_cloud_user_roles.html#prisma-cloud-roles-to-compute-roles-mapping) (SaaS Compute).

### What is my SaaS Compute Console address?
You can find it at **Compute > Manage > System > Utilities** under the **Path to Console** heading.

### Where is the configuration stored?
Whenever you complete the setup, `local/twistlock.conf` and `local/passwords.conf` are created.
The passwords are stored and accessed using [Splunk's encrypted password storage APIs](https://www.splunk.com/en_us/blog/security/storing-encrypted-credentials.html).

## Troubleshooting
### General
If incidents and/or forensics are not being ingested into Splunk, please verify the following:
- You have at least one incident at **Monitor > Runtime > Incident Explorer** under the "Active" tab.
- You are able to see the incident's forensic data by clicking on the "Forensic snapshot" button.
- The values in `local/twistlock.conf` and `local/passwords.conf` are correct.
  If any are not correct, use the setup page with the same Console configuration name to update them.
- The app's scripts are enabled in Splunk (step 5 in the installation instructions) and have run at least once (step 6).

If data is still not being ingested, check `$SPLUNK_HOME/var/log/splunk/splunkd.log` for messages related to `poll_incidents.py` and `poll_forensics.py`:
```
index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ("poll_incidents.py" OR "poll_forensics.py")
```
### Updating to the latest version
If new features or bug fixes are not appearing in your environment after updating the app in place, completely delete the Prisma Cloud Compute application from Splunk before reinstalling the app. Some users will also have to force-clear their browser cache in order to see changes to the App Setup page in Splunk.
## Screenshots


## Support
Please read [SUPPORT.md](SUPPORT.md) for details on how to get support for this project.