Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

ThreatQ v6 Users – while the connector’s overall operation remains the same, installation and usage commands for ThreatQ v6 users will differ from what is listed in this guide. See the Installing Custom Connectors in ThreatQ v6 and Installing Custom Connectors on Another Instance topics for additional information.

The Palo Alto Prisma Cloud Connector integration provides you with the ability to import CVE data for hosts into ThreatQ from Prisma Cloud.

Prerequisites

Review the following requirements before attempting to install the connector.  

API Token

To obtain the API Key and Secret.

1. Log into the Prisma user interface (UI).
2. Navigate to the User Management panel under Settings.
3. Select a user, click the dropdown action wheel on the right side and select generate an api key.
   The UI will guide you through the process.
4. A download link for a CSV file with the API Key and Secret is provided at the end of key generation. You must download this file as the secret is never displayed in the user interface.

   The download link will not be provided again, it must be downloaded at this specific point of the process.

   You now have the API Key and Secret and can enter them as credentials in ThreatQ.

Console Address

Log into the Prisma console and navigate to Compute > Manage > System > Downloads to view your console address listed in the Path to Console section.

See the Prisma documentation site for more information on retrieving your console address, or path to console.

Time Zone

The time zone steps are for ThreatQ v5 only.  ThreatQ v6 users should skip these steps.  

You should ensure all ThreatQ devices are set to the correct time, time zone, and date (UTC is recommended), and using a clock source available to all.

To identify which time zone is closest to your present location, use the timedatectl command with the list-timezones command line option.

For example, enter the following command to list all available time zones in Europe:

Enter the following command, as root, to change the time zone to UTC:

PIP.conf

Prior to ThreatQ version 4.10, you were required to modify your system's pip.conf to use the ThreatQ integrations python repo, also known as DevPi. This functionality was made available upon an initial install of 4.10.  If you have upgraded to 4.10 from a previous version, you will need to modify the pip.conf on your environment to the following (replacing username and password with your information).

[global]
   index-url = https://system-updates.threatq.com/pypi
   extra-index-url = https://<username>:<password>@extensions.threatq.com/threatq/integrations
                     https://<username>:<password>@extensions.threatq.com/threatq/sdk

Asset Custom Object

The integration requires the Asset object.  The Asset installation files are included with the integration download on the ThreatQ Marketplace.  The Asset object must be installed prior to installing the integration.  

You do not have to install the Asset object if you are running ThreatQ version 5.10.0 or greater as the object has been seeded as a default system object.

Integration Dependencies

The integration must be installed in a python 3.6 environment.

The following is a list of required dependencies for the integration.  These dependencies are downloaded and installed during the installation process.  If you are an Air Gapped Data Sync (AGDS) user, or run an instance that cannot connect to network services outside of your infrastructure, you will need to download and install these dependencies separately as the integration will not be able to download them during the install process.

Items listed in bold are pinned to a specific version.  In these cases, you should download the version specified to ensure proper function of the integration.

Installation

The following provides you with steps on installing a Python 3 Virtual Environment and installing the connector.

This integration requires that the Asset custom object be installed on your ThreatQ instance if your are on ThreatQ version 5.9.0 or earlier.  Failing to install the custom object prior to installing the connector will result in the connector failing.  See the Prerequisites chapter for more details.  

Creating a Python 3.6 Virtual Environment  

Run the following commands to create the virtual environment:

Proceed to Installing the Connector.

Installing the Connector

Upgrading Users - Review the Change Log for updates to configuration parameters before updating.  If there are changes to the configuration file (new/removed parameters), you must first delete the previous version's configuration file before proceeding with the install steps listed below.  Failure to delete the previous configuration file will result in the connector failing.

1. Navigate to the ThreatQ Marketplace and download the zip file for the integration.
2. Extract the zip's contents and install the required Asset custom object if you are on ThreatQ version 5.9 or earlier.
3. Activate the virtual environment if you haven't already:
   source /opt/tqvenv/<environment_name>/bin/activate
4. Transfer the whl file to the /tmp directory on your ThreatQ instance.  
5. Install the connector on your ThreatQ instance:
   pip install /tmp/conn_tq_conn_prisma_cloud-<version>-py3-none-any.whl 

   A driver called tq-conn-prisma-cloud will be installed.   After installing, a script stub will appear in /opt/tqvenv/<environment_name>/bin/tq-conn-prisma-cloud .

6. Once the application has been installed, a directory structure must be created for all configuration, logs and files, using the mkdir -p command. Use the commands below to create the required directories:
   mkdir -p /etc/tq_labs/
   mkdir -p /var/log/tq_labs/
7. Perform an initial run using the following command:
   /opt/tqvenv/<environment_name>/bin/tq-conn-prisma-cloud -ll /var/log/tq_labs/ -c /etc/tq_labs/ -v3
8. Enter the following parameters when prompted:

   Parameter	Description
   ThreatQ Host	This is the host of the ThreatQ instance, either the IP Address or Hostname as resolvable by ThreatQ.
   ThreatQ Client ID	This is the OAuth id that can be found at Settings Gear → User Management → API details within the user’s details.
   ThreatQ Username	This is the Email Address doe the user in the ThreatQ System for integrations.
   ThreatQ Password	The password for the above ThreatQ account.

   Example Output

   /opt/tqvenv/<environment_name>/bin/tq-conn-prisma-cloud -ll /var/log/tq_labs/ -c /etc/tq_labs/ -v3
   ThreatQ Host: <ThreatQ Host IP or Hostname> 
   ThreatQ Client ID: <ClientID> 
   ThreatQ Username: <EMAIL ADDRESS> 
   ThreatQ Password: <PASSWORD> 
   Connector configured. Set information in UI

You will still need to configure and then enable the connector.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Labs option from the Category dropdown (optional).
3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   Parameter	Description
   Hostname	The hostname for communicating with the Prisma Cloud API. Example: https://us-west1.cloud.twistlock.com/
   API Key	The API key for interacting with the Prisma Cloud API.
   API Secret	The API secret for interacting with the Prisma Cloud api.
   API Version	Enter the API version for your Prisma Cloud instance.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

Usage

Use the following command to execute the driver:

Command Line Arguments

This connector supports the following custom command line arguments:

CRON

Automatic CRON configuration has been removed from this script. To run this script on a recurring basis, use CRON or some other jobs scheduler. The argument in the CRON script must specify the config and log locations.

Add an entry to your Linux crontab to execute the connector at a recurring interval. Depending on how quickly you need updates, this can be run multiple times a day (no more than once an hour) or a few times a week.

In the example below, the command will execute the connector every two hours.

1. Log into your ThreatQ host via a CLI terminal session.
2. Enter the following command:
   crontab -e

   This will enable the editing of the crontab, using vi. Depending on how often you wish the cronjob to run, you will need to adjust the time to suit the environment.

3. Enter the commands below:

   Every 2 Hours Example

   0 */2 * * * /opt/tqvenv/<environment_name>/bin/tq-conn-prisma-cloud -c /etc/tq_labs/ -ll /var/log/tq_labs/ -v3  
4. Save and exit CRON.

Change Log

• Version 1.1.0
  • Added new configuration field: API Version.

• Version 1.0.0
  • Initial release