Palo Alto Prisma Cloud CSPM Solution

Solution: PaloAltoPrismaCloud



| Attribute | Value |
| --- | --- |
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-04-16 |
| Solution Folder | PaloAltoPrismaCloud |
| Marketplace | Azure Marketplace · Rating: ★★★★☆ 4.3/5 (111 ratings) · Popularity: 🔵 Medium (77%) |

The Palo Alto Prisma Cloud CSPM solution provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft Sentinel using the Prisma Cloud CSPM API. Refer to Prisma Cloud CSPM API documentation for more information.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of these dependencies may be in Preview, and some may incur additional ingestion or operational costs:

Azure Monitor HTTP Data Collector API

Contents

Data Connectors

This solution provides 1 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 4 table(s):

| Table | Used By Connectors | Used By Content |
| --- | --- | --- |
| PaloAltoPrismaCloudAlertV2_CL | Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| PaloAltoPrismaCloudAlert_CL 🔶 | [DEPRECATED] Palo Alto Prisma Cloud CSPM | Analytics, Hunting, Workbooks |
| PaloAltoPrismaCloudAuditV2_CL | Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| PaloAltoPrismaCloudAudit_CL 🔶 | [DEPRECATED] Palo Alto Prisma Cloud CSPM | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 24 content item(s):

| Content Type | Count |
| --- | --- |
| Analytic Rules | 11 |
| Hunting Queries | 9 |
| Playbooks | 2 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
| --- | --- | --- | --- |
| Palo Alto Prisma Cloud - Access keys are not rotated for 90 days | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Anomalous access key usage | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - High risk score alert | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - High severity alert opened for several days | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Inactive user | Low | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Maximum risk score alert | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Multiple failed logins for user | Medium | CredentialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Network ACL allow all outbound traffic | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic | Medium | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |

Hunting Queries

| Name | Tactics | Tables Used |
| --- | --- | --- |
| Palo Alto Prisma Cloud - Access keys used | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - High risk score opened alerts | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - High severity alerts | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - New users | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Opened alerts | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Top resources with alerts | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Top sources of failed logins | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Top users by failed logins | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |
| Palo Alto Prisma Cloud - Updated resources | InitialAccess | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |

Workbooks

| Name | Tables Used |
| --- | --- |
| PaloAltoPrismaCloudOverview | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, PaloAltoPrismaCloudAuditV2_CL, PaloAltoPrismaCloudAudit_CL |

Playbooks

| Name | Description | Tables Used |
| --- | --- | --- |
| Fetch Security Posture from Prisma Cloud | This playbook provides/updates the compliance security posture details of asset in comments section ... | - |
| Remediate assets on prisma cloud | This playbook provides/updates the compliance security posture details of asset in comments section ... | - |

Parsers

| Name | Description | Tables Used |
| --- | --- | --- |
| PaloAltoPrismaCloud | - | PaloAltoPrismaCloudAlertV2_CL (read), PaloAltoPrismaCloudAlert_CL (read), PaloAltoPrismaCloudAuditV2_CL (read), PaloAltoPrismaCloudAudit_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
| --- | --- | --- |
| 3.0.4 | 27-10-2025 | Add missing "detailed" flag to CCF Data Connector polling config |
| 3.0.3 | 10-10-2025 | CCF Data Connector Moving to GA. |
| 3.0.2 | 06-08-2025 | Change authentication type from Basic to JWT Token. |
| 3.0.1 | 17-07-2025 | 1 Analytic Rule updated with improved rule logic. Added new CCF Connector - Palo Alto Prisma Cloud CSPM. |
| 3.0.0 | 18-08-2023 | Manual deployment instructions updated for Data Connector |
