Merge pull request #5096 from DebLanger/US428946_WIZ_no_crowdstrike_sentinelone

Us428946 wiz no crowdstrike sentinelone

Author: DebLanger

exposure-management/Qualys-data-connector.md

@@ -48,8 +48,6 @@ To establish a connection with Qualys in Exposure Management, follow these steps
 
 Qualys connector retrieves data on compute devices, including machines and virtual machines, and vulnerability findings from Qualys on those assets. It also retrieves some networking data to identify those devices.
 
-Only devices that were modified in the last 90 days are retrieved, based on assessing the "modified" field in the Qualys asset.
-
 | **Category**            | **Properties**                                                                 |
 |-------------------------|--------------------------------------------------------------------------------|
 | **Assets/devices**      | - Gateway address<br>- FQDN<br>- IP address<br>- MAC address<br>- OS information<br>- Qualys criticality data |
@@ -72,4 +70,14 @@ Here are some common issues that might arise when configuring the Qualys Connect
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Qualys data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Qualys data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/Rapid7-data-connector.md

@@ -31,8 +31,6 @@ To establish a connection with Rapid7 in Exposure Management, follow these steps
 
 Exposure Management retrieves data on compute devices from Rapid7, including machines and virtual machines. It also retrieves vulnerabilities reported by Rapid7 on those devices.
 
-Only devices that were actively scanned in the last 90 days are retrieved, based on assessing the "last_scan_end" field in the Rapid7 asset.
-
 | Category               | Properties                                                                 |
 |------------------------|----------------------------------------------------------------------------|
 | **Assets/devices, and data per each identifier** | - Rapid7 ID<br>- Hostname<br>- IP address<br>- mac Address<br>- OS information<br>- Rapid7 risk score<br>- Tags<br>- Rapid7 criticality data<br>- Cloud platform |
@@ -54,4 +52,14 @@ Here are some common issues that might arise when configuring the Rapid7 Connect
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Rapid7 data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Rapid7 data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/ServiceNow-data-connector.md

@@ -40,8 +40,6 @@ To establish a connection with ServiceNow in Exposure Management, follow these s
 
 Exposure Management currently retrieves data on devices, their business application association, and business criticality. Additional data is also retrieved that helps identify the device, such as network adapter information and OS data.
 
-Only devices that were active in the last 90 days are retrieved, based on assessing the "sys_updated_on" field in the ServiceNow CI.
-
 The following fields are ingested via the connector:
 
 | **Category**          | **Properties**                                                                 |
@@ -69,4 +67,14 @@ Here are some common issues that might arise when configuring the ServiceNow Con
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the ServiceNow data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see ServiceNow data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/TOC.yml

@@ -46,6 +46,12 @@
          items:
            - name: ServiceNow
              href: ServiceNow-data-connector.md
+       - name: Cloud Security data connectors
+         items:
+           - name: Wiz
+             href: wiz-data-connector.md
+           - name: Palo Alto Prisma
+             href: palo-alto-prisma-data-connector.md
        - name: Vulnerability Management data connectors
          items:
            - name: Qualys

exposure-management/Tenable-data-connector.md

@@ -44,8 +44,6 @@ To establish a connection with Tenable in Exposure Management, follow these step
 
 Exposure Management retrieves data on compute devices from Tenable, including machines and virtual machines. It also retrieves some networking data to identify those devices.
 
-Only devices that were modified in the last 90 days are retrieved, based on assessing the "updated_at" field in the Tenable asset.
-
 Exposure Management also retrieves vulnerability findings from Tenable on those assets.
 
 The vulnerability data retrieved for Tenable is applicable to CVEs only, and not other types of vulnerabilities or misconfigurations. Tenable shows total vulnerability counts that include other non-CVE misconfigurations as well, so these counts aren't applicable to the numbers of vulnerabilities ingested to Exposure Management.
@@ -77,4 +75,14 @@ Here are some common issues that might arise when configuring the Tenable Connec
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Tenable data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Tenable data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/configure-data-connectors.md

@@ -30,6 +30,11 @@ To view the status of the connectors, you can use one of the following roles:
 - Global Reader (read permissions)
 - Security Reader (read permissions)
 
+You can also use [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) with the following permissions:
+    - **Exposure Management (read)** for read-only access to Exposure Management experiences
+    - **Exposure Management (manage)** for full access to manage Exposure Management experiences
+    - **Core security settings (manage)** for connecting or changing vendor configurations (located under Authorization and settings category)
+
 You can find more details about the permission levels here, [Prerequisites, and support](prerequisites.md).
 
 ## Establish a connection
@@ -42,8 +47,8 @@ To establish a connection with any of the supported external products, follow th
      - [Qualys VM](Qualys-data-connector.md)
      - [Rapid7 VM](Rapid7-data-connector.md)
      - [Tenable](Tenable-data-connector.md)
-     - Wiz (coming soon)
-     - Palo Alto (coming soon)
+     - [Wiz](wiz-data-connector.md)
+     - [Palo Alto Prisma](palo-alto-prisma-data-connector.md)
 
 2. Go to **Data Connectors** in the Exposure Management navigation.
 3. Select **Connect** on the selected data connector from the external connectors catalog.
@@ -81,4 +86,4 @@ Select the external data connector you want to configure and follow the steps to
 
 - [CMDB data connectors](ServiceNow-data-connector.md)
 - [Vulnerability management data connectors](Qualys-data-connector.md)
-- Cloud security data connectors (coming soon)
+- [Cloud security data connectors](wiz-data-connector.md)

exposure-management/palo-alto-prisma-data-connector.md

@@ -0,0 +1,76 @@
+---
+title: Integrate Palo Alto Prisma data connector in Microsoft Security Exposure Management
+description: Learn how to integrate the Palo Alto Prisma data connector in Microsoft Security Exposure Management.
+ms.author: dlanger
+author: dlanger
+manager: ornat-spodek
+ms.topic: overview
+ms.service: exposure-management
+ms.date: 09/09/2025
+---
+
+# Palo Alto Prisma data connector?
+
+To integrate with Palo Alto Prisma, you need to provide an authentication endpoint API URL, and a valid Access Key and Secret Key generated using a Palo Alto service account.
+
+> [!Note]
+> We recommend creating a dedicated service account for use with data connectors in Exposure Management.
+
+## Palo Alto Prisma configuration
+
+First, you need to create a service account with the required permissions to get the Access Key and Secret Key.
+
+> [!Note]
+> To create a Palo Alto API Client, you must be logged in as a user with the System Admin role.
+
+### Add an API Client
+
+1. Log in to your Palo Alto Prisma account with the required permissions.
+2. Go to **Settings** > **Access Control** > **Access keys**.
+3. Click **Add**, then **Access key**.
+4. Enter a meaningful **Access Key Name**, then click **Save**.
+5. Copy and save the **Access Key ID** and **Secret Access Key** that appears.
+6. Close the credential window.
+
+## Establish Palo Alto Prisma connection in Exposure Management
+
+To establish a connection with Palo Alto Prisma in Exposure Management, follow these steps:
+
+1. Open the [Exposure Management Connectors](https://security.microsoft.com/exposure-data-connectors) page and click **Connect** in the Palo Alto tile.
+2. Enter your Palo Alto API URL and authentication credentials, then click **Connect**.
+
+## Retrieved data
+
+The Palo Alto Prisma connector retrieves data on your IT assets and risks, providing extended exposure insights based on the additional data and context it offers.
+
+| **Category**            | **Properties**                                                                 |
+|-------------------------|--------------------------------------------------------------------------------|
+| **Assets/devices**      | - Cloud provider information<br>- Resource type<br>- Network interfaces<br>- IP address<br>- Public DNS name<br>- Operating system details<br>- Internet facing<br>- Palo Alto criticality data |
+| **Vulnerability findings** | Palo Alto Prisma retrieves CVE findings on the assets that it ingests. |
+
+## Troubleshooting the Palo Alto Prisma data connector
+
+Here are some common issues that might arise when configuring the Palo Alto Prisma Connector, and suggestions for how to resolve them.
+
+| **Error Type**                                               | **Troubleshooting Action**                                   |
+| ------------------------------------------------------------ | ------------------------------------------------------------ |
+| **Authorization failure**                                    | Check your credentials and make sure they're correct and valid. Also check that your credentials have the required permissions. See the Palo Alto [configuration section](#palo-alto-prisma-configuration) for details on how to assign the appropriate roles. |
+| **Access forbidden error**                                   | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [configuration section](#palo-alto-prisma-configuration). |
+| **Not found error**                                          | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your Palo Alto authentication endpoint URL is correct, see the [configuration section](#palo-alto-prisma-configuration) for details. |
+| **Too many requests**                                        | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated service account for the connector to avoid reaching this limit. |
+| 'Temporary disconnected' or 'Temporary failure' error message | Verify the connector configuration (authentication endpoint URL and credentials). If the configuration is valid and the issue doesn't resolve on its own, contact Support. |
+| Not seeing my assets or the vulnerabilities reported by Palo Alto Prisma in the ingested data | See [Retrieved data](#retrieved-data) for a description of the expected retrieved data by the Palo Alto Prisma connector. If there's still missing data, contact Support. |
+
+## Next steps
+
+After configuring the Palo Alto Prisma data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Palo Alto Prisma data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/whats-new.md

@@ -26,6 +26,14 @@ Learn more about MSEM by reading the blogs, [here](https://techcommunity.microso
 
 ## September 2025
 
+### New data connectors
+
+We have added new data connectors for Wiz and Palo Alto Prisma. These connectors enable seamless integration of vulnerability and asset data from leading cloud security platforms into Microsoft Security Exposure Management, providing enhanced visibility and context for your environments.
+
+For more information, see:
+- [Wiz data connector](wiz-data-connector.md)
+- [Palo Alto Prisma data connector](palo-alto-prisma-data-connector.md)
+
 ### New predefined classifications
 
 The following predefined **Device** classification rules were added to the critical assets list: