The Prisma Cloud Compute Splunk App allows high priority security incidents from Prisma Cloud Compute to be sampled by Splunk on a user-defined interval and provides in-depth forensic data for incident analysis and response. The app adds two main components to your Splunk deployment: scripted data inputs that make use of your Prisma Cloud Compute API to pull incidents and forensics and a sample Splunk dashboard that presents that data.
Note: For bringing in data besides incidents and forensics, please use syslog or webhooks.
Download the latest app tarball (pcc-splunk-app-*.tar.gz) from its release page.
Download the latest app tarball from Splunkbase.
In the Splunk UI, click on the Apps dropdown, click "Find More Apps", then search for "Prisma Cloud Compute".
- Install the app by either uploading the tarball or following the Splunkbase prompts.
- Navigate to the setup page if you aren't guided there.
- Fill out the setup form and click "Complete setup." Field descriptions are on the setup page.
- If on Windows, update
$SPLUNK_HOME\etc\twistlock\default\inputs.confaccording to the instructions at the top of the file. - Enable
poll_incidents.pyandpoll_forensics.pyat Settings > Data inputs > Scripts in Splunk. - (Optional) Adjust the schedule as needed. By default, the
poll_forensics.pyscript runs 2 minutes afterpoll_incidents.pyand both scripts will run every 5 minutes.
Any user role that is able to view incidents and forensic data. This is a user with at least the DevSecOps role (self-hosted Compute) or Account Group Read Only role (SaaS Compute).
You can find it at Compute > Manage > System > Utilities under the Path to Console heading.
Whenever you complete the setup, local/twistlock.conf and local/passwords.conf are created.
The passwords are stored and accessed using Splunk's encrypted password storage APIs.
If incidents and/or forensics are not being ingested into Splunk, please verify the following:
- You have at least one incident at Monitor > Runtime > Incident Explorer under the "Active" tab.
- You are able to see the incident's forensic data by clicking on the "Forensic snapshot" button.
- The values in
local/twistlock.confandlocal/passwords.confare correct. If any are not correct, use the setup page with the same Console configuration name to update them. - The app's scripts are enabled in Splunk (#4 in instructions), and have been ran at least once (#5 in instructions).
If data is still not being ingested, check $SPLUNK_HOME/var/log/splunk/splunkd.log for messages related to poll_incidents.py and poll_forensics.py:
index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ("poll_incidents.py" OR "poll_forensics.py")
Please read SUPPORT.md for details on how to get support for this project.