[Prisma Cloud] Initial Release for Prisma Cloud

[mohitjha-elastic]

What does this PR do?

• Generated the skeleton of the Prisma Cloud integration package.
• Added data stream.
• Added data collection logic for the data stream.
• Added the ingest pipeline for the data stream.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
• Added test for pipeline for the data stream.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target is documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to: ^8.8.0

New Package

• Screenshot of the "Add Integration" page on Fleet added

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/prisma_cloud directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes Palo Alto Prisma Cloud #1132

Automated Test

test-file.txt

Screenshot

We are facing message size exceeding errors so need to validate it in the cloud instance.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-10-23T07:40:17.362+0000

• Duration: 25 min 25 sec

Test stats 🧪

Test	Results
Failed	0
Passed	30
Skipped	0
Total	30

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[P1llus]

/test

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[kcreddy]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (5/5)	💚
Files	100.0% (5/5)	💚
Classes	100.0% (5/5)	💚
Methods	94.118% (64/68)	👎 -2.132
Lines	94.914% (7017/7393)	👎 -5.086
Conditionals	100.0% (0/0)	💚

[kcreddy]

Suggested change

	reference: git@v8.9.0
	reference: git@v8.10.0

[kcreddy]

8.10.0 is now available.

[kcreddy]

Can you add assert.hit_count to all system test configs?

[piyush-elastic]

update title to Palo Alto Prisma Cloud

[kcreddy]

/test

[kcreddy]

How are we getting 500 events? Where are these 500 events defined?

[leandrojmp]

Hello, just curious, is this integration planned for 8.10 or just 8.11?

[mohitjha-elastic]

Hello, just curious, is this integration planned for 8.10 or just 8.11?

Hey @leandrojmp, We have planned it for 8.10.1.

[kcreddy]

LGTM

[kcreddy]

you could save this token in redact config next release

[elasticmachine]

Package prisma_cloud - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=prisma_cloud

[leandrojmp]

Hello,

We are planning to test this integration, but one question, is the Incident Audit dataset only available when using TCP/UDP? The datastreams for this dataset only have those two inputs available.

Not sure if this is a limitation of the Prisma Cloud tool or the integration.

EDIT:

Just saw this in the notes:

Currently, we are unable to collect logs of Incident Audit datastream via defined API. Hence, we have not added the configuration of Incident Audit data stream via REST API.