{ "name": "prisma_cloud", "title": "Palo Alto Prisma Cloud", "version": "4.1.0", "release": "ga", "description": "Collect logs from Prisma Cloud with Elastic Agent.", "type": "integration", "download": "/epr/prisma_cloud/prisma_cloud-4.1.0.zip", "path": "/package/prisma_cloud/4.1.0", "icons": [ { "src": "/img/prisma_cloud-logo.svg", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-logo.svg", "title": "Prisma Cloud logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.8 || ~9.1.8 || ~9.2.2 || ^9.3.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "cloudsecurity_cdr", "misconfiguration_workflow", "vulnerability_workflow" ], "signature_path": "/epr/prisma_cloud/prisma_cloud-4.1.0.zip.sig", "format_version": "3.2.3", "readme": "/package/prisma_cloud/4.1.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/prisma_cloud-alert-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-alert-dashboard.png", "title": "Prisma Cloud Alert Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-audit-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-audit-dashboard.png", "title": "Prisma Cloud Audit Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-host-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-host-dashboard.png", "title": "Prisma Cloud Host Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-host-profile-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-host-profile-dashboard.png", "title": "Prisma Cloud Host Profile Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-incident-audit-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-incident-audit-dashboard.png", "title": "Prisma Cloud Incident Audit Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-misconfiguration-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-misconfiguration-dashboard.png", "title": "Prisma Cloud Misconfiguration Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/prisma_cloud-vulnerability-dashboard.png", "path": "/package/prisma_cloud/4.1.0/img/prisma_cloud-vulnerability-dashboard.png", "title": "Prisma Cloud Vulnerability Dashboard Screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/prisma_cloud/4.1.0/LICENSE.txt", "/package/prisma_cloud/4.1.0/changelog.yml", "/package/prisma_cloud/4.1.0/manifest.yml", "/package/prisma_cloud/4.1.0/validation.yml", "/package/prisma_cloud/4.1.0/docs/README.md", "/package/prisma_cloud/4.1.0/img/prisma_cloud-alert-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-audit-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-host-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-host-profile-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-incident-audit-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-logo.svg", "/package/prisma_cloud/4.1.0/img/prisma_cloud-misconfiguration-dashboard.png", "/package/prisma_cloud/4.1.0/img/prisma_cloud-vulnerability-dashboard.png", "/package/prisma_cloud/4.1.0/kibana/tags.yml", "/package/prisma_cloud/4.1.0/data_stream/alert/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/alert/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/audit/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/audit/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/host/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/host/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/host_profile/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/host_profile/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/sample_event.json", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/manifest.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/sample_event.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-0350ce90-731c-11ee-9b31-b9dc63d74a8c.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-19913580-7495-11ee-9d52-2d0fa627877e.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-5bc2b380-7318-11ee-9b38-f7fd414b059a.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-af1d9a50-7407-11ee-9b38-f7fd414b059a.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-b75744e3-d9f4-4717-bc31-128e06be46b6.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-d1674a40-72f7-11ee-9b38-f7fd414b059a.json", "/package/prisma_cloud/4.1.0/kibana/dashboard/prisma_cloud-ee17bbf9-276a-4a1f-b9c1-c18447215c58.json", "/package/prisma_cloud/4.1.0/kibana/search/prisma_cloud-5ca49ec7-5930-43a6-af38-51f94203393d.json", "/package/prisma_cloud/4.1.0/kibana/search/prisma_cloud-96136169-9c3e-4527-b07e-3dd1c0ffb848.json", "/package/prisma_cloud/4.1.0/kibana/search/prisma_cloud-d140b5e0-771d-11ee-b6b7-396983b7218f.json", "/package/prisma_cloud/4.1.0/data_stream/alert/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/alert/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/alert/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/audit/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/audit/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/audit/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/host/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/host/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/host/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/host_profile/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/host_profile/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/host_profile/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/ecs.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/resource.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/result.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/fields/rule.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/beats.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/ecs.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/fields.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/package.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/resource.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/fields/vulnerability.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/transform.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/transform.yml", "/package/prisma_cloud/4.1.0/data_stream/alert/agent/stream/input.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/audit/agent/stream/input.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/host/agent/stream/input.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host/agent/stream/tcp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host/agent/stream/udp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/host_profile/agent/stream/input.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host_profile/agent/stream/tcp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host_profile/agent/stream/udp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/host_profile/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/agent/stream/cel.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/agent/stream/tcp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/agent/stream/udp.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/incident_audit/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/agent/stream/cel.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/misconfiguration/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/agent/stream/cel.yml.hbs", "/package/prisma_cloud/4.1.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/beats.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/ecs.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/fields.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/resource.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/result.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/misconfiguration/fields/rule.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/base-fields.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/beats.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/ecs.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/fields.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/package.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/resource.yml", "/package/prisma_cloud/4.1.0/elasticsearch/transform/vulnerability/fields/vulnerability.yml" ], "policy_templates": [ { "name": "sample", "title": "Sample logs", "description": "Collect sample logs", "inputs": [ { "type": "cel", "vars": [ { "name": "username", "type": "text", "title": "Username", "description": "Access Key ID of the Prisma Cloud Console.", "multi": false, "required": true, "show_user": true }, { "name": "password", "type": "password", "title": "Password", "description": "Secret Key of the Prisma Cloud Console.", "multi": false, "required": true, "show_user": true }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Prisma Cloud logs via API", "description": "Collecting Prisma Cloud via API." }, { "type": "tcp", "vars": [ { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Prisma Cloud logs via TCP input", "description": "Collecting logs from Prisma Cloud instance via TCP input." }, { "type": "udp", "title": "Collect Prisma Cloud logs via UDP input", "description": "Collecting logs from Prisma Cloud instance via UDP input." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "prisma_cloud.alert", "title": "Collect Alert logs from Prisma Cloud Security Posture Management.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "time_amount", "type": "integer", "title": "Time Amount", "description": "Number of Time Units.", "multi": false, "required": true, "show_user": true, "default": 5 }, { "name": "time_unit", "type": "text", "title": "Time Unit", "description": "Possible Value for this parameter are minute/hour/day/week/month/year.", "multi": false, "required": true, "show_user": true, "default": "day" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "The maximum number of items that will be returned in one response. The maximum cannot exceed 10,000.", "multi": false, "required": true, "show_user": false, "default": 10000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "input.yml.hbs", "title": "Alert Logs", "description": "Collect Alert logs from Prisma Cloud Security Posture Management.", "enabled": false, "ingestion_method": "API" } ], "package": "prisma_cloud", "path": "alert" }, { "type": "logs", "dataset": "prisma_cloud.audit", "title": "Collect Audit logs from Prisma Cloud Security Posture Management.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "time_amount", "type": "integer", "title": "Time Amount", "description": "Number of Time Units.", "multi": false, "required": true, "show_user": true, "default": 5 }, { "name": "time_unit", "type": "text", "title": "Time Unit", "description": "Possible Value for this parameter are minute/hour/day/week/month/year.", "multi": false, "required": true, "show_user": true, "default": "day" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "input.yml.hbs", "title": "Audit Logs", "description": "Collect Audit logs from Prisma Cloud Security Posture Management.", "enabled": false, "ingestion_method": "API" } ], "package": "prisma_cloud", "path": "audit" }, { "type": "logs", "dataset": "prisma_cloud.host", "title": "Collect Host logs from Prisma Cloud Workload Protection.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API, in the form `https:///api/v`.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "offset", "type": "integer", "title": "Offset", "description": "Offsets the result to a specific report count. Offset starts from 0.", "multi": false, "required": true, "show_user": false, "default": 0 }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50.", "multi": false, "required": true, "show_user": false, "default": 50 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "input.yml.hbs", "title": "Host Logs", "description": "Collect Host logs from Prisma Cloud Workload Protection.", "enabled": false, "ingestion_method": "API" }, { "input": "tcp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 20MiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "Host logs", "description": "Collect Host logs via TCP input.", "enabled": false, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 10KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "Host logs", "description": "Collect Host logs via UDP input.", "enabled": false, "ingestion_method": "Network Protocol" } ], "package": "prisma_cloud", "path": "host" }, { "type": "logs", "dataset": "prisma_cloud.host_profile", "title": "Collect Host Profile logs from Prisma Cloud Workload Protection.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API, in the form `https:///api/v`.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "offset", "type": "integer", "title": "Offset", "description": "Offsets the result to a specific report count. Offset starts from 0.", "multi": false, "required": true, "show_user": false, "default": 0 }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50.", "multi": false, "required": true, "show_user": false, "default": 50 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host_profile" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host_profile fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "input.yml.hbs", "title": "Host Profile Logs", "description": "Collect Host Profile logs from Prisma Cloud Workload Protection.", "enabled": false, "ingestion_method": "API" }, { "input": "tcp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 20MiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host_profile" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host_profile fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "Host Profile logs", "description": "Collect Host Profile logs via TCP input.", "enabled": false, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 10KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-host_profile" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.host_profile fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "Host Profile logs", "description": "Collect Host Profile logs via UDP input.", "enabled": false, "ingestion_method": "Network Protocol" } ], "package": "prisma_cloud", "path": "host_profile" }, { "type": "logs", "dataset": "prisma_cloud.incident_audit", "title": "Collect Incident Audit logs from Prisma Cloud Workload Protection.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API, in the form `https:///api/v`.", "multi": false, "required": true, "show_user": true }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Prisma Cloud Incident Audit logs from the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Number of events to retrieve in a page. The maximum limit is 100.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-incident_audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.incident_audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Incident Audit Logs", "description": "Collect Incident Audit logs from Prisma Cloud Workload Protection.", "enabled": false, "ingestion_method": "API" }, { "input": "tcp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 20MiB\n#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-incident_audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.incident_audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "Incident Audit logs", "description": "Collect Incident Audit logs via TCP input.", "enabled": false, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9508 }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 10KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-incident_audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.incident_audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "Incident Audit logs", "description": "Collect Incident Audit logs via UDP input.", "enabled": false, "ingestion_method": "Network Protocol" } ], "package": "prisma_cloud", "path": "incident_audit" }, { "type": "logs", "dataset": "prisma_cloud.misconfiguration", "title": "Collect Misconfiguration logs from Prisma Cloud.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API. Example: `https://api.prismacloud.io`. See [documentation](https://pan.dev/prisma-cloud/api/cspm/api-urls/) for details on API URLs.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Number of events to retrieve in a page. The maximum limit is 10000.", "multi": false, "required": true, "show_user": false, "default": 10000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-misconfiguration" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.misconfiguration fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Misconfiguration Logs", "description": "Collect Misconfiguration logs from Prisma Cloud.", "enabled": false, "ingestion_method": "API" } ], "package": "prisma_cloud", "path": "misconfiguration" }, { "type": "logs", "dataset": "prisma_cloud.vulnerability", "title": "Collect Vulnerability logs from Prisma Cloud.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Prisma Cloud Server API. Example: `https://api.prismacloud.io`. See [documentation](https://pan.dev/prisma-cloud/api/cspm/api-urls/) for details on API URLs.", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval between two REST API calls. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "60s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "prisma_cloud-vulnerability" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve prisma_cloud.vulnerability fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Vulnerability Logs", "description": "Collect Vulnerability logs from Prisma Cloud.", "enabled": false, "ingestion_method": "API" } ], "package": "prisma_cloud", "path": "vulnerability" } ] }