IMPORTANT: Please see SUPPORT.md for the official support policy for the contents of this repository.
The Prisma Cloud Compute Splunk App allows high priority security incidents from Prisma Cloud Compute to be sampled by Splunk on a user-defined interval and provides in-depth forensic data for incident analysis and response. The app adds two main components to your Splunk deployment: scripted data inputs that make use of your Prisma Cloud Compute API to pull incidents and forensics and a sample Splunk dashboard that presents that data.
Note: For bringing in data besides incidents and forensics, please use syslog or webhooks.
Download the latest app tarball (pcc-splunk-app-*.tar.gz) from its release page.
Download the latest app tarball from Splunkbase.
In the Splunk UI, click on the Apps dropdown, click "Find More Apps", then search for "Prisma Cloud Compute".
- Install the app by either uploading the tarball or following the Splunkbase prompts.
- Navigate to the setup page if you aren't guided there.
- Fill out the setup form and click "Complete setup." Field descriptions are on the setup page.
- If on Windows, update $SPLUNK_HOME\etc\twistlock\default\inputs.conf according to the instructions at the top of the file.
- Enable poll_incidents.py and poll_forensics.py at Settings > Data inputs > Scripts in Splunk.
- (Optional) Adjust the schedule as needed. By default, the poll_forensics.py script runs 2 minutes after poll_incidents.py and both scripts will run every 5 minutes.
Any user role that is able to view incidents and forensic data. This is a user with at least the DevSecOps role (self-hosted Compute) or Account Group Read Only role (SaaS Compute).
You can find it at Compute > Manage > System > Utilities under the Path to Console heading.
Whenever you complete the setup, local/twistlock.conf and local/passwords.conf are created.
The passwords are stored and accessed using Splunk's encrypted password storage APIs.
If incidents and/or forensics are not being ingested into Splunk, please verify the following:
- You have at least one incident at Monitor > Runtime > Incident Explorer under the "Active" tab.
- You are able to see the incident's forensic data by clicking on the "Forensic snapshot" button.
- The values in local/twistlock.conf and local/passwords.conf are correct. If any are not correct, use the setup page with the same Console configuration name to update them.
- The app's scripts are enabled in Splunk (#4 in instructions), and have been run at least once (#5 in instructions).
If data is still not being ingested, check $SPLUNK_HOME/var/log/splunk/splunkd.log for messages related to poll_incidents.py and poll_forensics.py:
index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ("poll_incidents.py" OR "poll_forensics.py")
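The same triage can be done offline against a copy of splunkd.log. The following is an added example, not part of the app: it summarizes what each polling script logged and flags a script that has no log lines at all. It assumes the usual splunkd.log line header (timestamp, level, component); the sample lines, app path and error text are constructed.

```python
import re
from collections import Counter

SCRIPTS = ("poll_incidents.py", "poll_forensics.py")

# Assumed splunkd.log header: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component ..."
HEADER = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (?P<level>[A-Z]+)\s"
)

# Constructed sample lines (paths and messages are illustrative, not real output).
SAMPLE = '''\
05-14-2024 10:15:00.001 +0000 INFO  ExecProcessor [811 ExecProcessor] - New scheduled exec process: python /opt/splunk/etc/apps/example_app/bin/poll_incidents.py
05-14-2024 10:15:02.480 +0000 ERROR ExecProcessor [811 ExecProcessor] - message from "python /opt/splunk/etc/apps/example_app/bin/poll_incidents.py" request failed: 401 Unauthorized
  continuation line without a header, e.g. part of a traceback
05-14-2024 10:16:10.000 +0000 INFO  Metrics - group=pipeline, name=parsing
'''.splitlines()


def summarize(lines):
    """Per script: last timestamp seen, count per log level, last WARN/ERROR line."""
    out = {s: {"last_seen": None, "levels": Counter(), "last_problem": None}
           for s in SCRIPTS}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # skip continuation lines that carry no timestamp/level
        for script in SCRIPTS:
            if script in line:
                entry = out[script]
                entry["last_seen"] = m["ts"]
                entry["levels"][m["level"]] += 1
                if m["level"] in ("WARN", "ERROR"):
                    entry["last_problem"] = line.strip()
    return out


def silent_scripts(summary):
    """Scripts with no log lines at all: check that the input is enabled."""
    return [s for s, e in summary.items() if e["last_seen"] is None]


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for script, entry in report.items():
        print(script, entry["last_seen"], dict(entry["levels"]), entry["last_problem"])
    print("no log lines for:", silent_scripts(report))
```

To run it on a real log, pass the lines of an open splunkd.log file to `summarize` in place of `SAMPLE`.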
If new features or bug fixes are not appearing in your environment after updating the app in place, completely delete the Prisma Cloud Compute application out of Splunk before reinstalling the app.
Some users will also have to force-clear their browser's cache in order to see changes to the App Setup Page in Splunk.
Please read SUPPORT.md for details on how to get support for this project.