Dashboarding In Prisma Cloud

By Richard Vega, Senior Customer Success Engineer

• I. Out of the box Dashboards
• A. Code to Cloud Dashboard
• B. Command Center Dashboard
• C. Vulnerability Dashboard
• D. Compliance Dashboard
• E. Code Security Dashboard
• F. Custom Dashboards
• II. Summary
• III. References
• IV. About the Author

Dashboarding In Prisma Cloud

The Prisma Cloud Darwin release enables you to utilize out of the box dashboards as well as custom dashboards. With the capabilities to track and monitor your cloud security posture ranging from vulnerabilities to compliance. In this article, we will discuss the existing OOTB dashboards and the capability of creating custom dashboards in Prisma Cloud.

I.  Out of the box Dashboards

Prerequisites

To view the code to cloud dashboard, complete the following tasks:

• Onboard your cloud accounts
• Create an alert rule with incident and attack path policies to detect issues
• Enable applications security specifically infrastructure as code (IaC) scanning

• Enable agent-based or agentless security for cloud workload scanning

A.  Code to Cloud Dashboard

Figure 1: CodetoCloudDashboard_palo-alto-networks

A.  Code to Cloud Dashboard

Latest Events Tracker

The Dashboards > Code to Cloud > Latest Events Tracker provides a stream of updates to track changes across key metrics such as Threats Detected, Alerts Remediated, Critical Alerts etc., to help you assess the strength of your security posture in real time.

Use the Latest Events live stream to quickly assess the potential threat activity taking place in your cloud environment. You can also double-click on any event to investigate critical vulnerabilities and build-time issues detected. Select See All Events to see a list of the latest security events across your cloud estate. Select any event to navigate to the specific alert and investigate further.

Cloud Inventory and Graph

Figure 2: Cloud Inventory_palo-alto-networks

Code to Cloud Inventory provides a panoramic view of your entire cloud estate, helping you understand how well your organization is embracing security best practices across your cloud environment, from individual resources to the entire code pipeline.

• Graph data is sourced from Incidents, Attack Paths, Vulnerability Explorer data and IaC scans. Percentages are calculated by taking the latest snapshot and comparing it against data for the last 30 days, to derive the percentage difference.
• Metrics do not include data from non-onboarded accounts. Cloud accounts must be fully onboarded on the platform to view metrics.

Code/Build Inventory

Figure 3: Code&Build_palo-alto-networks

The Code/Build Inventory widget surfaces metrics derived from the monitoring and scanning of hundreds of code repositories across the three repository systems secured by Prisma Cloud scanners including IaC/SCA, and Secrets. Historical developer data for code issues and pull requests are also surfaced.

The Code Issues in Repositories graph captures code errors in the default branch of all onboarded repositories over the last thirty days. Use this graph to track your team’s progress in resolving code errors before they affect your production systems.

Code and Build Inventory provides you with a quick rundown of your protected repositories. Select any metric such as Repositories Systems to see a full catalog of all the Code & Build Providers with flags for Code Issues.

Deploy Inventory

Figure 4: DeployInventory_palo-alto-networks

The Deploy Inventory graph visualizes the critical and high severity alerts triggered by vulnerabilities detected in container images and registries in the last 30 days. Here you can monitor trends in the rate of vulnerabilities identified across your workloads.

Select any metric in the Deploy Inventory table to further investigate the following:

• Container Registries: View all the registries that currently scanned for vulnerabilities
• Container Images: View details on container images with detected vulnerabilities
• Trusted Images: View all the running images in your environment and their trust status

Runtime Inventory

Figure 5: Runtime Inventory_palo-alto-networks

Runtime Inventory helps you quantify and demonstrate your progress in securing your workloads. The Runtime graph captures the top critical and high severity incidents and alerts triggered by attack path policies in the last 30 days. Review the trendline to track your team’s progress in the remediation and the burn down of urgent incidents.

Select any metric on the Runtime Inventory table to view the total number of cloud providers and assets, and workloads protected by agents. For instance, you can select the Workloads Protected by Agents metric to view potentially compromised workloads that may be infected with malware.

The Inventory data above is sourced from Prisma Cloud Incidents, Attack Paths, Vulnerability Explorer, and IaC scanning data. Percentages are calculated by tabulating the difference between the latest snapshot and data points for the last 30 days.

Top Issues by Collection

The Code to Cloud dashboard, also provides you with the option to define your applications or teams and assign owners to track and monitor progress. You can compare key metrics such as Code Issues in Repositories or Urgent Vulnerabilities in Images across teams, business units and applications to benchmark security standards.

The first row of the table captures the aggregate of all issues across the tenants in your onboarded accounts. Use the Sort By drop-down to categorize your business unit view across Code/Build, Deploy and Run phases of the application lifecycle.

Add Row also allows you to create your own custom collection of accounts, application owners or business units to obtain more granular results on risks by individual applications and stakeholders.

The following caveats apply to Collections:

• Only System Administrators can create or add Collections.
• The Code to Cloud Row trendline is initiated after at least one row is added. Trendline data is populated only after regularly scheduled Prisma Cloud system updates. Trendlines may display a no data available message prior to system update.
• You can add Repositories to Collections. If a Repository is deleted at the source, it may still appear in a Collection 

  B.  Command Center Dashboard 

Figure 6: Command Center Dashboard_palo-alto-networks

B.  Command Center Dashboard 

The Command Center dashboard provides you with a unified view of the top cloud security incidents and risks uncovered across the assets monitored by Prisma Cloud. It provides security teams with a picture of the highest priority incidents and risks that require attention across the following attack vectors:

• Incidents
• Attack Paths
• Misconfigurations
• Vulnerabilities
• Exposures
• Identity Risks
• Data Risks

The Command Center dashboard is only available to users with a System Admin role.

Total Urgent Alerts

The Total Urgent Alerts bar provides a tally of alerts grouped by Incidents, Misconfigurations, Exposures, Identity, and Data Risks. The Filter controls above the Alerts bar allowing you to narrow your investigation to a specific Time Range or Account Group. 

You can select multiple account groups at once to view data from multiple account sources. Filter data retrieved is updated across all the alert visualizations on the dashboard. The revert icon on the right above the Total Urgent Alerts bar allows you to revert back to default filter settings.

Figure 7: Urgent Issues_palo-alto-networks

Alerts Visualization

Actionable alert data is further grouped into the following areas by risk type:

• Incidents: Retrieves data for critical and high severity alerts, generated by policies that detect potential security issues from misconfiguration or exposure, across your cloud infrastructure.
• Attack Paths: Provides the total number of critical and high severity alerts, triggered by policies covering issues that when taken together indicate a heightened risk of attack.
• Misconfigurations: Captures data for alerts generated by policies with configuration errors.
• Vulnerabilities: Provides insight into potentially compromised assets in your cloud environment, capturing the top five assets with vulnerabilities that triggered the most number of Critical and High alerts. Click on any listed image or asset to access the Assets Explorer to investigate further and take remedial action, if necessary.
• Exposures: Retrieves data for alerts generated by violations in network policies; in addition to the policy subtype config.
• Identity Risks: Lists alerts generated by violations in Identity and Access Management policies. This view is only available by subscription.
• Data Risks: Retrieves data for alerts generated by exceptions in the policy type Data. This view is only enabled by subscription.

Alerts Actions

Each alerts visualization allows you to further drill down and view the source of the alert by the policy name or the asset it originated from:

Figure 8: Incidents Widgets_palo-alto-networks

The Incidents widget above for instance, provides three visualizations of urgent alerts activity:

• Urgent Incidents: Provides a donut chart visualization of Critical and High severity Incidents. Select any alert for an in depth look at alerts generated by policies that detect potential security issues from misconfiguration or exposure.
• Top Incidents by Policy: Lists the top five policies that triggered an alert. Select a policy or an alert total for a detailed view of policy coverage incidents. You can also investigate alerts within individual policies.
• Top Attack Path by Policy: Lists top five attack paths by policy, type, severity, and number of alerts. Learn more about responding to alerts generated for a specific attack path.
• Top Incidents by Asset: Lists top five incidents by asset name, number of alerts, service, and account name. Learn more about responding to alerts generated in a specific asset.

C.  Vulnerability Dashboard

Figure 9: Vulnerability Dashboard_palo-alto-networks

C.  Vulnerability Dashboard

Prisma Cloud Vulnerabilities Dashboard gives you a holistic graphical view of all the vulnerabilities across your Code to Cloud environment. An overview of the top impacting CVEs enables you to prioritize vulnerabilities based on existing risks and trace them from runtime back to the source. 

This risk assessment capability helps you to make informed decisions with findings and fix the vulnerable package or base image in code. This capability will allow you to remediate the root cause and resolve the issue when the build is next executed.

The dashboard helps you answer:

• What are all the vulnerable assets across my entire application lifecycle?
• Where should I focus to find and fix the vulnerabilities? What are the critical and urgent ones, and the ones that are patchable?
• What actions can I take to remediate or mitigate the vulnerabilities in Code or Cloud?
  
  

Discover Vulnerabilities

Figure 10: PrioritizedVulnerabilities_palo-alto-networks

On Dashboard > Vulnerabilities you can discover all the vulnerabilities across your environment. Let’s say, there are 25K vulnerabilities in your environment out of which only 20,637 are critical and high, 7,470 are exploitable, out of which 7,400 are patchable meaning these vulnerabilities are actionable for you to fix them. 

The funnel in the Prioritized Vulnerabilities further narrows down to just 35 vulnerable packages that are in use in the runtime that you can focus on.

Prerequisites

• Onboard cloud accounts
• Onboard code repositories
• Configure registry scans
• Enable Workload Incident and Workload Vulnerability policies

The following visualizations are available for you to help contextualize risks from vulnerabilities:

• Vulnerabilities Overview - Provides a summarized view of the total vulnerabilities in your environment further divided into Vulnerabilities by Asset and Vulnerabilities that have already been remediated. 

• Allowing you to track and share your progress in securing your environment. Visualize the trends with Total Vulnerable Assets, and their metadata, Total Vulnerabilities Remediated, and Total Vulnerabilities count in the current snapshot.
  
• Prioritized Vulnerabilities - Discover all the vulnerabilities across your workloads and identify the top-priority vulnerabilities (aggregated vulnerabilities that are urgent, exploitable, patchable, and vulnerable packages in use).

• The vulnerabilities sourced from Compute and CAS (Cloud App Sec) are prioritized and aggregated based on the most urgent, exploitable, patchable, and vulnerable packages in use. This prioritization helps you to identify the top-priority vulnerabilities to focus on.

• The aggregation is based on vulnerabilities that are:

• Urgent: Critical, High
• Exploitable: Exploit in the Wild and Exploit in POC
• Patchable: Vulnerabilities that are actionable and have a patch to fix or mitigate.
• Vulnerable packages in use.
  
• Top Impacting Vulnerabilities - Provides a ranked list of the most critical vulnerabilities in your environment based on the risk score. The ranked list consists of CVEs affecting the environment. Each CVE includes data about its risk factors, severity, CVSS, risk factors, and assets impacted.

• Review the top-impacting vulnerabilities based on the CVE severity, CVSS score, Risk Factors, and the assets impacted across your CI/CD pipeline.
  
• Vulnerability Impact by Stage - Visualize the sources of the vulnerabilities and the impact of the vulnerability across app stages of your application lifecycle. Trace vulnerabilities from runtime back to the repositories they originate from.

• At each stage, you can select and investigate any of the impacted assets such as Packages, Images in IaC Files, Host VM Images, Registry Images, Deployed Images, Serverless Functions, and Hosts. 

• This makes it easier for you to trace back the packages and images that were used to build a workload that is now vulnerable in the deploy stage, or runtime.

D.  Compliance Dashboard

Figure 11: Compliance Dashboard_palo-alto-networks

D.  Compliance Dashboard

Prisma Cloud’s Compliance dashboard provides a snapshot view of your overall compliance posture across multiple compliance standards. The dashboard provides you with an interactive look at how your compliance coverage maps to the established compliance frameworks available within Prisma Cloud.

Use the Compliance dashboard as a tool for risk oversight across all the supported cloud platforms and quickly evaluate your compliance posture using real-time data. Use the provided Filters to hone in on the time period, cloud account, or account group you would like to focus on. 

By default, the dashboard shows your compliance state for the last 24 hour period. The Compliance dashboard is available to users with the System Administrator role on all stacks, with the exception of app.gov  and app.cn.
 

Compliance Overview

Figure 12: Compliance Overview_palo-alto-networks

The compliance score presents data on the total unique resources that are passing or failing the policy checks that match compliance standards. Use this score to audit how many unique resources are failing compliance checks and get a quick count on the severity of these failures. 

The links allow you to view the list of all resources on the Inventory page, and the View Alerts link enables you to view all the open alerts of Low, Medium, or High severity.

Compliance Trend

The compliance trendline is a line chart that shows you how the compliance posture of your monitored resources have changed over time (on the horizontal X axis). You can view the total number of resources monitored (in blue), and the number of resources that passed (in green) and failed (in red) over that time period.

Compliance Coverage

The Compliance coverage bar graph highlights the passed and failed resource count across all compliance standards for easy comparison. Select any given compliance standard to view the total number of failed assets for that standard. Click on the compliance standard to view policy details.

E. Code Security Dashboard 

Figure 13: Code Security Dashboard_palo-alto-networks

E. Code Security Dashboard 

As a part of Application Security, the Code Security dashboard provides you with a contextual view of the top code security vulnerabilities and misconfigurations identified in scans across the code and build integrations on Prisma Cloud.

It gives you a contextual understanding of high priority errors that require attention across these vectors:

• High-risk code errors by severity
• Historical data for code issues and pull requests
• Common policy errors
• Licensing errors in non-compliant packages
• IaC errors in code categories
• Vulnerabilities seen in CVE from CVSS score

You can view the dashboard on Dashboards > Code Security. The Code Security dashboard is only available if you have subscribed to Application Security on Prisma Cloud. To know more on user role permissions see Prisma Cloud Administrator Permissions.

The Code Security dashboard is available to users with the System Administrator role on all stacks, with the exception of app.gov and app.cn.

Errors by Severity

The Total Errors bar provides a summary of code errors across severity of Critical, High, Medium, Low, and Info. You can see custom results for all Code Security errors using filters that allow you to narrow your investigation to a specific Repository, Code Category, or Severity . 

You can select multiple repositories, code categories, and severities at once to narrow your investigation to find critical errors that may need immediate remediation. Filtering the data updates all visualizations on the dashboard. The reset filters allow you to revert back to default filter settings. 

You can also see contextual results for code errors by severity when selecting the number corresponding to the severity giving you access to the results from Prisma Cloud switcher Application Security Projects > Overview. On Projects, you can execute remedial actions, if necessary.

Code Errors Visualization

The code errors are actionable and are grouped in these areas:

• High-risk code errors by severity: The Top Repositories by High Risk Code Error Count provides a bar graph visualization of the top trending repositories to have a maximum number of Critical or High severity errors. The representing data is periodically updated, and you can verify the accuracy of the last scan by hovering on the timestamp.

Figure 14: Code Errors_palo-alto-networks

• Historical data for code issues and pull requests: View the trend for code errors and pull requests for repositories that are scanned using Prisma Cloud.
• Code Issues over time: Visualizes the trendline of code errors from the last 30 days of a default branch in an integrated repository. The data also gives you an understanding of when the errors occurred by monitoring data on Opened Earlier, Fix Pending, and Suppressed. You can also see if any remedial actions were taken on the same day by monitoring data on Fixed Today and Opened Today.

Figure 15: Code Issues_palo-alto-networks

• Pull Requests over time: Visualizes a trendline of pull requests created on specific branches of integrated repositories from the last 30 days. Monitor the vulnerability status of the PR across Failed Earlier, Failed Today, Resolved, and Passed.

Figure 16: Pull Requests_palo-alto-networks

• Common policy errors: The Common Errors by Policy provides a view of policies that have the highest error count. The data contextualized here is after periodic scans with timestamp available for you to see. With the high count of errors within a policy, you can also have information of the type of policy by Labels, and the Severity. 

• Selecting the policy directs you to Policies for more actionable information. While selecting the error count directs you to Application Security > Projects > Overview to execute a remedial action, if necessary.
  
  

Figure 17: Common Errors _palo-alto-networks

• Licensing errors in non-compliant packages: The Top Non-compliant Package licenses provides insight into non-compliant package licenses that are being used in the repositories. The data shows the number of repositories that are potentially exposed due to usage of non-compliant package licenses.

•  The count shows the total number of instances the non-compliant package is used. Selecting the count directs you to Application Security > Projects > Overview with the non-compliant package already filtered. You can choose to execute a manual remedial action on Overview, if necessary.
  
  
• IaC errors in code categories: The IaC Errors by Category provides a summarized view for misconfigurations seen in IaC category. The count in each category is the number of misconfigurations identified and on selecting the count directs you to Application Security > Projects > IaC Misconfiguration where you can choose to execute a remedial action on Resource Explorer.
  
  
• Vulnerabilities seen in CVE from CVSS score: The Top CVSS Score Code Vulnerabilities lists the highest CVSS score identified across vulnerability scans. You also see the Risk Factors, the potentially compromised CVE with Severity, and Count. Selecting the count directs you to Application Security > Projects > Vulnerabilities with the CVE errors preselected.

F.  Custom Dashboards

Figure 18: Manage Dashboards_palo-alto-networks

F.  Custom Dashboards

Custom Dashboards are an option you have in Prisma Cloud to create your own customized views for the different personas in your organization. You can use a combination of the functionality discussed above as well as customize for your organization’s desired result.

You can add and manage dashboards enable, disable, share, and clone as seen above.

You can also add a new custom dashboard from scratch to fit your specific needs:

Figure 19: Add Dashboard_palo-alto-networks

From here, you can add widgets to customize your dashboard view and share your dashboard with other Prisma Cloud users.

Figure 20: Custom Dashboard_palo-alto-networks

Prisma Cloud has a number of widgets that can be used to customize your dashboard and slice and dice data as you see fit. Each of these widgets has their own settings as well so you can include things like account groups or edit existing widgets to only contain certain data points - you can be as granular as need be.

To enable shareability of your custom dashboards you will need to make sure the access permissions are set to public:

Figure 21: Access Settings_palo-alto-networks

II.  Summary

In this article we talked about the Code To Cloud, Command Center, Vulnerability, Compliance, Code Security, And Custom dashboards that allow you to track, visualize, and share the metrics that matter most to you and your team. Widgets with visual representations in various formats such as line and bar graphs and pie charts are available to track key metrics such as assets with the most urgent alerts and vulnerabilities, resource compliance trend charts, and top risks to remediate. Share dashboard visualizations with your management team to quantify your progress in hardening your security posture.

III.  References

• Code to Cloud Dashboard
• Command Center Dashboard
• Vulnerabilities Dashboard
• Compliance Dashboard
• Code Security Dashboard
• Create and Manage Dashboards

IV.  About the Author

Richard Vega is a Senior Customer Success Engineer at Palo Alto Networks specializing in securing Multi-Cloud infrastructure and being a trusted advisor to large and strategic customers. Rich is no stranger to wearing many hats and has worked in Sales, Product, Engineering and Customer Success in his career so he brings a unique perspective to the table when it comes to working with customers on securing their cloud assets.