Dashboarding In Prisma Cloud

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

By Richard Vega, Senior Customer Success Engineer

 

 

Dashboarding In Prisma Cloud


The Prisma Cloud Darwin release enables you to utilize out of the box dashboards as well as custom dashboards. With the capabilities to track and monitor your cloud security posture ranging from vulnerabilities to compliance. In this article, we will discuss the existing OOTB dashboards and the capability of creating custom dashboards in Prisma Cloud.

 

I.  Out of the box Dashboards

 

Prerequisites

 

To view the code to cloud dashboard, complete the following tasks:

 

A.  Code to Cloud Dashboard

 

 

 

 

RPrasadi_0-1716341687204.png

Figure 1: CodetoCloudDashboard_palo-alto-networks

 

A.  Code to Cloud Dashboard

 

Latest Events Tracker

 

The Dashboards > Code to Cloud > Latest Events Tracker provides a stream of updates to track changes across key metrics such as Threats Detected, Alerts Remediated, Critical Alerts etc., to help you assess the strength of your security posture in real time.

 

Use the Latest Events live stream to quickly assess the potential threat activity taking place in your cloud environment. You can also double-click on any event to investigate critical vulnerabilities and build-time issues detected. Select See All Events to see a list of the latest security events across your cloud estate. Select any event to navigate to the specific alert and investigate further.

 

Cloud Inventory and Graph

RPrasadi_1-1716341688208.png

Figure 2: Cloud Inventory_palo-alto-networks

 

Code to Cloud Inventory provides a panoramic view of your entire cloud estate, helping you understand how well your organization is embracing security best practices across your cloud environment, from individual resources to the entire code pipeline.

 

  • Graph data is sourced from Incidents, Attack Paths, Vulnerability Explorer data and IaC scans. Percentages are calculated by taking the latest snapshot and comparing it against data for the last 30 days, to derive the percentage difference.
  • Metrics do not include data from non-onboarded accounts. Cloud accounts must be fully onboarded on the platform to view metrics.

 

Code/Build Inventory

RPrasadi_2-1716341687511.png

Figure 3: Code&Build_palo-alto-networks

 

The Code/Build Inventory widget surfaces metrics derived from the monitoring and scanning of hundreds of code repositories across the three repository systems secured by Prisma Cloud scanners including IaC/SCA, and Secrets. Historical developer data for code issues and pull requests are also surfaced.

 

The Code Issues in Repositories graph captures code errors in the default branch of all onboarded repositories over the last thirty days. Use this graph to track your team’s progress in resolving code errors before they affect your production systems.

Code and Build Inventory provides you with a quick rundown of your protected repositories. Select any metric such as Repositories Systems to see a full catalog of all the Code & Build Providers with flags for Code Issues.

 

Deploy Inventory

RPrasadi_3-1716341687587.png

Figure 4: DeployInventory_palo-alto-networks

 

The Deploy Inventory graph visualizes the critical and high severity alerts triggered by vulnerabilities detected in container images and registries in the last 30 days. Here you can monitor trends in the rate of vulnerabilities identified across your workloads.

 

Select any metric in the Deploy Inventory table to further investigate the following:

  • Container Registries: View all the registries that currently scanned for vulnerabilities
  • Container Images: View details on container images with detected vulnerabilities
  • Trusted Images: View all the running images in your environment and their trust status

 

Runtime Inventory

RPrasadi_4-1716341687306.png

Figure 5: Runtime Inventory_palo-alto-networks

 

Runtime Inventory helps you quantify and demonstrate your progress in securing your workloads. The Runtime graph captures the top critical and high severity incidents and alerts triggered by attack path policies in the last 30 days. Review the trendline to track your team’s progress in the remediation and the burn down of urgent incidents.

 

Select any metric on the Runtime Inventory table to view the total number of cloud providers and assets, and workloads protected by agents. For instance, you can select the Workloads Protected by Agents metric to view potentially compromised workloads that may be infected with malware.

 

The Inventory data above is sourced from Prisma Cloud Incidents, Attack Paths, Vulnerability Explorer, and IaC scanning data. Percentages are calculated by tabulating the difference between the latest snapshot and data points for the last 30 days.

 

Top Issues by Collection

 

The Code to Cloud dashboard, also provides you with the option to define your applications or teams and assign owners to track and monitor progress. You can compare key metrics such as Code Issues in Repositories or Urgent Vulnerabilities in Images across teams, business units and applications to benchmark security standards.

 

The first row of the table captures the aggregate of all issues across the tenants in your onboarded accounts. Use the Sort By drop-down to categorize your business unit view across Code/Build, Deploy and Run phases of the application lifecycle.

 

Add Row also allows you to create your own custom collection of accounts, application owners or business units to obtain more granular results on risks by individual applications and stakeholders.

 

The following caveats apply to Collections:

  • Only System Administrators can create or add Collections.
  • The Code to Cloud Row trendline is initiated after at least one row is added. Trendline data is populated only after regularly scheduled Prisma Cloud system updates. Trendlines may display a no data available message prior to system update.
  • You can add Repositories to Collections. If a Repository is deleted at the source, it may still appear in a Collection 

    B.  Command Center Dashboard 

RPrasadi_5-1716341687527.png

Figure 6: Command Center Dashboard_palo-alto-networks

 

B.  Command Center Dashboard 

 

The Command Center dashboard provides you with a unified view of the top cloud security incidents and risks uncovered across the assets monitored by Prisma Cloud. It provides security teams with a picture of the highest priority incidents and risks that require attention across the following attack vectors:

 

  • Incidents
  • Attack Paths
  • Misconfigurations
  • Vulnerabilities
  • Exposures
  • Identity Risks
  • Data Risks

 

The Command Center dashboard is only available to users with a System Admin role.


Total Urgent Alerts

 

The Total Urgent Alerts bar provides a tally of alerts grouped by Incidents, Misconfigurations, Exposures, Identity, and Data Risks. The Filter controls above the Alerts bar allowing you to narrow your investigation to a specific Time Range or Account Group

 

You can select multiple account groups at once to view data from multiple account sources. Filter data retrieved is updated across all the alert visualizations on the dashboard. The revert icon on the right above the Total Urgent Alerts bar allows you to revert back to default filter settings.

 

RPrasadi_6-1716341687589.png

Figure 7: Urgent Issues_palo-alto-networks

 

Alerts Visualization

 

Actionable alert data is further grouped into the following areas by risk type:

 

  • Incidents: Retrieves data for critical and high severity alerts, generated by policies that detect potential security issues from misconfiguration or exposure, across your cloud infrastructure.
  • Attack Paths: Provides the total number of critical and high severity alerts, triggered by policies covering issues that when taken together indicate a heightened risk of attack.
  • Misconfigurations: Captures data for alerts generated by policies with configuration errors.
  • Vulnerabilities: Provides insight into potentially compromised assets in your cloud environment, capturing the top five assets with vulnerabilities that triggered the most number of Critical and High alerts. Click on any listed image or asset to access the Assets Explorer to investigate further and take remedial action, if necessary.
  • Exposures: Retrieves data for alerts generated by violations in network policies; in addition to the policy subtype config.
  • Identity Risks: Lists alerts generated by violations in Identity and Access Management policies. This view is only available by subscription.
  • Data Risks: Retrieves data for alerts generated by exceptions in the policy type Data. This view is only enabled by subscription.

 

Alerts Actions

 

Each alerts visualization allows you to further drill down and view the source of the alert by the policy name or the asset it originated from:

 

RPrasadi_7-1716341687901.png

Figure 8: Incidents Widgets_palo-alto-networks

The Incidents widget above for instance, provides three visualizations of urgent alerts activity:

 

  • Urgent Incidents: Provides a donut chart visualization of Critical and High severity Incidents. Select any alert for an in depth look at alerts generated by policies that detect potential security issues from misconfiguration or exposure.
  • Top Incidents by Policy: Lists the top five policies that triggered an alert. Select a policy or an alert total for a detailed view of policy coverage incidents. You can also investigate alerts within individual policies.
  • Top Attack Path by Policy: Lists top five attack paths by policy, type, severity, and number of alerts. Learn more about responding to alerts generated for a specific attack path.
  • Top Incidents by Asset: Lists top five incidents by asset name, number of alerts, service, and account name. Learn more about responding to alerts generated in a specific asset.

C.  Vulnerability Dashboard

RPrasadi_8-1716341687942.png

Figure 9: Vulnerability Dashboard_palo-alto-networks

 

C.  Vulnerability Dashboard


Prisma Cloud Vulnerabilities Dashboard gives you a holistic graphical view of all the vulnerabilities across your Code to Cloud environment. An overview of the top impacting CVEs enables you to prioritize vulnerabilities based on existing risks and trace them from runtime back to the source. 

 

This risk assessment capability helps you to make informed decisions with findings and fix the vulnerable package or base image in code. This capability will allow you to remediate the root cause and resolve the issue when the build is next executed.

 

The dashboard helps you answer:

 

  • What are all the vulnerable assets across my entire application lifecycle?
  • Where should I focus to find and fix the vulnerabilities? What are the critical and urgent ones, and the ones that are patchable?
  • What actions can I take to remediate or mitigate the vulnerabilities in Code or Cloud?

Discover Vulnerabilities

RPrasadi_9-1716341688188.png

Figure 10: PrioritizedVulnerabilities_palo-alto-networks

 

On Dashboard > Vulnerabilities you can discover all the vulnerabilities across your environment. Let’s say, there are 25K vulnerabilities in your environment out of which only 20,637 are critical and high, 7,470 are exploitable, out of which 7,400 are patchable meaning these vulnerabilities are actionable for you to fix them. 

 

The funnel in the Prioritized Vulnerabilities further narrows down to just 35 vulnerable packages that are in use in the runtime that you can focus on.

 

Prerequisites

 

 

The following visualizations are available for you to help contextualize risks from vulnerabilities:

 

  • Vulnerabilities Overview - Provides a summarized view of the total vulnerabilities in your environment further divided into Vulnerabilities by Asset and Vulnerabilities that have already been remediated. 
    • Allowing you to track and share your progress in securing your environment. Visualize the trends with Total Vulnerable Assets, and their metadata, Total Vulnerabilities Remediated, and Total Vulnerabilities count in the current snapshot.
  • Prioritized Vulnerabilities - Discover all the vulnerabilities across your workloads and identify the top-priority vulnerabilities (aggregated vulnerabilities that are urgent, exploitable, patchable, and vulnerable packages in use).
    • The vulnerabilities sourced from Compute and CAS (Cloud App Sec) are prioritized and aggregated based on the most urgent, exploitable, patchable, and vulnerable packages in use. This prioritization helps you to identify the top-priority vulnerabilities to focus on.
    • The aggregation is based on vulnerabilities that are:
      • Urgent: Critical, High
      • Exploitable: Exploit in the Wild and Exploit in POC
      • Patchable: Vulnerabilities that are actionable and have a patch to fix or mitigate.
      • Vulnerable packages in use.
  • Top Impacting Vulnerabilities - Provides a ranked list of the most critical vulnerabilities in your environment based on the risk score. The ranked list consists of CVEs affecting the environment. Each CVE includes data about its risk factors, severity, CVSS, risk factors, and assets impacted.
    • Review the top-impacting vulnerabilities based on the CVE severity, CVSS score, Risk Factors, and the assets impacted across your CI/CD pipeline.
  • Vulnerability Impact by Stage - Visualize the sources of the vulnerabilities and the impact of the vulnerability across app stages of your application lifecycle. Trace vulnerabilities from runtime back to the repositories they originate from.
    • At each stage, you can select and investigate any of the impacted assets such as Packages, Images in IaC Files, Host VM Images, Registry Images, Deployed Images, Serverless Functions, and Hosts. 
      • This makes it easier for you to trace back the packages and images that were used to build a workload that is now vulnerable in the deploy stage, or runtime.

D.  Compliance Dashboard

 

RPrasadi_10-1716341688241.png

Figure 11: Compliance Dashboard_palo-alto-networks

 

D.  Compliance Dashboard


Prisma Cloud’s Compliance dashboard provides a snapshot view of your overall compliance posture across multiple compliance standards. The dashboard provides you with an interactive look at how your compliance coverage maps to the established compliance frameworks available within Prisma Cloud.

Use the Compliance dashboard as a tool for risk oversight across all the supported cloud platforms and quickly evaluate your compliance posture using real-time data. Use the provided Filters to hone in on the time period, cloud account, or account group you would like to focus on. 

 

By default, the dashboard shows your compliance state for the last 24 hour period. The Compliance dashboard is available to users with the System Administrator role on all stacks, with the exception of app.gov  and app.cn.
 

Compliance Overview

RPrasadi_11-1716341687994.png

Figure 12: Compliance Overview_palo-alto-networks

 

The compliance score presents data on the total unique resources that are passing or failing the policy checks that match compliance standards. Use this score to audit how many unique resources are failing compliance checks and get a quick count on the severity of these failures. 

 

The links allow you to view the list of all resources on the Inventory page, and the View Alerts link enables you to view all the open alerts of Low, Medium, or High severity.

Compliance Trend

 

The compliance trendline is a line chart that shows you how the compliance posture of your monitored resources have changed over time (on the horizontal X axis). You can view the total number of resources monitored (in blue), and the number of resources that passed (in green) and failed (in red) over that time period.

 

Compliance Coverage

 

The Compliance coverage bar graph highlights the passed and failed resource count across all compliance standards for easy comparison. Select any given compliance standard to view the total number of failed assets for that standard. Click on the compliance standard to view policy details.

E. Code Security Dashboard 

Dashboard.jpg

Figure 13: Code Security Dashboard_palo-alto-networks

 

E. Code Security Dashboard 

 

As a part of Application Security, the Code Security dashboard provides you with a contextual view of the top code security vulnerabilities and misconfigurations identified in scans across the code and build integrations on Prisma Cloud.

 

It gives you a contextual understanding of high priority errors that require attention across these vectors:

  • High-risk code errors by severity
  • Historical data for code issues and pull requests
  • Common policy errors
  • Licensing errors in non-compliant packages
  • IaC errors in code categories
  • Vulnerabilities seen in CVE from CVSS score

 

You can view the dashboard on Dashboards > Code Security. The Code Security dashboard is only available if you have subscribed to Application Security on Prisma Cloud. To know more on user role permissions see Prisma Cloud Administrator Permissions.

 

The Code Security dashboard is available to users with the System Administrator role on all stacks, with the exception of app.gov and app.cn.

 

Errors by Severity

 

The Total Errors bar provides a summary of code errors across severity of Critical, High, Medium, Low, and Info. You can see custom results for all Code Security errors using filters that allow you to narrow your investigation to a specific Repository, Code Category, or Severity

 

You can select multiple repositories, code categories, and severities at once to narrow your investigation to find critical errors that may need immediate remediation. Filtering the data updates all visualizations on the dashboard. The reset filters allow you to revert back to default filter settings. 

 

You can also see contextual results for code errors by severity when selecting the number corresponding to the severity giving you access to the results from Prisma Cloud switcher Application Security Projects > Overview. On Projects, you can execute remedial actions, if necessary.

 

Code Errors Visualization

 

The code errors are actionable and are grouped in these areas:

 

  • High-risk code errors by severity: The Top Repositories by High Risk Code Error Count provides a bar graph visualization of the top trending repositories to have a maximum number of Critical or High severity errors. The representing data is periodically updated, and you can verify the accuracy of the last scan by hovering on the timestamp.

 

dash 2.jpg

Figure 14: Code Errors_palo-alto-networks

  • Historical data for code issues and pull requests: View the trend for code errors and pull requests for repositories that are scanned using Prisma Cloud.
  • Code Issues over time: Visualizes the trendline of code errors from the last 30 days of a default branch in an integrated repository. The data also gives you an understanding of when the errors occurred by monitoring data on Opened Earlier, Fix Pending, and Suppressed. You can also see if any remedial actions were taken on the same day by monitoring data on Fixed Today and Opened Today.


RPrasadi_14-1716341688462.png

Figure 15: Code Issues_palo-alto-networks

 

  • Pull Requests over time: Visualizes a trendline of pull requests created on specific branches of integrated repositories from the last 30 days. Monitor the vulnerability status of the PR across Failed Earlier, Failed Today, Resolved, and Passed.


RPrasadi_15-1716341688564.png

Figure 16: Pull Requests_palo-alto-networks

 

  • Common policy errors: The Common Errors by Policy provides a view of policies that have the highest error count. The data contextualized here is after periodic scans with timestamp available for you to see. With the high count of errors within a policy, you can also have information of the type of policy by Labels, and the Severity
    • Selecting the policy directs you to Policies for more actionable information. While selecting the error count directs you to Application Security > Projects > Overview to execute a remedial action, if necessary.

RPrasadi_16-1716341688609.png

Figure 17: Common Errors _palo-alto-networks

 

  • Licensing errors in non-compliant packages: The Top Non-compliant Package licenses provides insight into non-compliant package licenses that are being used in the repositories. The data shows the number of repositories that are potentially exposed due to usage of non-compliant package licenses.
    •  The count shows the total number of instances the non-compliant package is used. Selecting the count directs you to Application Security > Projects > Overview with the non-compliant package already filtered. You can choose to execute a manual remedial action on Overview, if necessary.

  • IaC errors in code categories: The IaC Errors by Category provides a summarized view for misconfigurations seen in IaC category. The count in each category is the number of misconfigurations identified and on selecting the count directs you to Application Security > Projects > IaC Misconfiguration where you can choose to execute a remedial action on Resource Explorer.

  • Vulnerabilities seen in CVE from CVSS score: The Top CVSS Score Code Vulnerabilities lists the highest CVSS score identified across vulnerability scans. You also see the Risk Factors, the potentially compromised CVE with Severity, and Count. Selecting the count directs you to Application Security > Projects > Vulnerabilities with the CVE errors preselected.

F.  Custom Dashboards

dash 3.jpg

Figure 18: Manage Dashboards_palo-alto-networks

 

F.  Custom Dashboards

Custom Dashboards are an option you have in Prisma Cloud to create your own customized views for the different personas in your organization. You can use a combination of the functionality discussed above as well as customize for your organization’s desired result.

You can add and manage dashboards enable, disable, share, and clone as seen above.


You can also add a new custom dashboard from scratch to fit your specific needs:

RPrasadi_18-1716341689993.png

Figure 19: Add Dashboard_palo-alto-networks

From here, you can add widgets to customize your dashboard view and share your dashboard with other Prisma Cloud users.

RPrasadi_19-1716341689005.png

Figure 20: Custom Dashboard_palo-alto-networks

 

Prisma Cloud has a number of widgets that can be used to customize your dashboard and slice and dice data as you see fit. Each of these widgets has their own settings as well so you can include things like account groups or edit existing widgets to only contain certain data points - you can be as granular as need be.

To enable shareability of your custom dashboards you will need to make sure the access permissions are set to public:

RPrasadi_20-1716341689052.png

Figure 21: Access Settings_palo-alto-networks

 

II.  Summary

 

In this article we talked about the Code To Cloud, Command Center, Vulnerability, Compliance, Code Security, And Custom dashboards that allow you to track, visualize, and share the metrics that matter most to you and your team. Widgets with visual representations in various formats such as line and bar graphs and pie charts are available to track key metrics such as assets with the most urgent alerts and vulnerabilities, resource compliance trend charts, and top risks to remediate. Share dashboard visualizations with your management team to quantify your progress in hardening your security posture.

 

III.  References

 


IV.  About the Author

 

Richard Vega is a Senior Customer Success Engineer at Palo Alto Networks specializing in securing Multi-Cloud infrastructure and being a trusted advisor to large and strategic customers. Rich is no stranger to wearing many hats and has worked in Sales, Product, Engineering and Customer Success in his career so he brings a unique perspective to the table when it comes to working with customers on securing their cloud assets. 

Rate this article:
Comments
L0 Member

For the vulnerability dashboard, how does PRISMA build this overview?

Lets say I see a docker image in this overview, how did PRISMA find it?

An external scan, or a resource dump from our AWS accounts, or something else?

Where can I read more about how PRISMA Cloud actually works?

L2 Linker

Hi CHOUMANN!
Prisma Cloud gathers vulnerability information for the Vulnerability funnel in several ways.  The "easiest" is through scans conducted by deployed Defenders.  Also, if you have Agentless scanning configured, then Vulnerability data is captured through those scans as well.  Vulnerabilities can also be discovered for Docker images if you have configured registry scanning.  Asside from those methods, Vulnerability information is collected and assessed from the data that is collected during regular ingestion cycles.  Of course, this is different for each CSP, and can be greatly enhanced  by adding flow logs.  Finally, a lot of the information on the inner workings of how Prisma Cloud works is proprietary, and I like my job, so I can't divulge all of the secrets!

  • 4246 Views
  • 2 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-12-2024 12:51 PM
Updated by: