# Prisma Cloud MCP

> Prisma Cloud connects to your AI agent via MCP, letting it audit cloud environments on demand. It provides tools to check security alerts, verify compliance status against standards like CIS, find network anomalies, and list all active cloud policies across accounts.

## Overview
- **Category:** other
- **Price:** Free

## Description

**Prisma Cloud MCP Server - Audit Cloud Security Posture**

This server lets your agent drill straight into Prisma Cloud’s auditing functions. You don't have to sit there clicking through dashboards; you just ask your client a question such as “What resources failed CIS compliance?” The agent handles the whole connection and runs the tools for you.

It's built for security teams who need total visibility without manually hopping between screens. Your AI client can immediately **identify active security risks** by using `get_alerts`, which returns a comprehensive list of every current security alert and misconfiguration across your entire cloud estate.

When you need to check regulatory compliance, `get_compliance` runs checks against major industry benchmarks like CIS. It doesn't just tell you *if* you failed; it reports the specific failing resource IDs and gives you clear remediation steps right then and there. To track down threats, you run `get_network_anomalies`, which analyzes traffic patterns to spot unusual activity that might mean a workload is compromised.

To verify your coverage, you first use `get_cloud_accounts` to pull a full inventory of every cloud account onboarded in Prisma Cloud. You can pair this scope check with `get_policies`, which retrieves and lists all the security policies currently enforced across those accounts. 

Need to know who's running the show? You run `get_user_profile` to grab profile information for the connected user, letting you verify current API access levels or troubleshoot permission issues on the fly.

If standard checks aren't enough, you need to dig deeper. Use `run_rql_query` to execute a custom Resource Query Language (RQL) string. This lets your agent perform highly customized analysis, hunting across specific resources or finding tailored misconfigurations that automated scans might miss.

This server turns complex, multi-step audits into one simple chat command. It gives your AI client the power to audit cloud inventory using `get_cloud_accounts`, check for immediate misconfigurations with `get_alerts`, verify compliance status with `get_compliance`, detect network threats via `get_network_anomalies`, review security policies with `get_policies` and the connected user's access levels through `get_user_profile`, or run deep, custom queries using `run_rql_query`. The result is immediate, actionable data pulled straight from the source.

## Tools

### get_alerts
Lists all active security alerts and misconfigurations found within your cloud resources.

### get_cloud_accounts
Provides a full list of every cloud account that has been onboarded to Prisma Cloud for auditing purposes.

### get_compliance
Checks your overall cloud security posture against predefined benchmarks (like CIS) and reports failing checks with remediation steps.

### get_network_anomalies
Detects unusual traffic patterns or network anomalies that could indicate a compromised workload or insider threat.

### get_policies
Retrieves and lists all the security policies currently enforced across your various cloud environments.

### get_user_profile
Pulls profile information for the connected user to verify current API access levels and troubleshoot permission issues.

### run_rql_query
Executes a custom Resource Query Language (RQL) query, allowing deep analysis of specific resources or hunting tailored misconfigurations.

## Capabilities

### Identify Active Security Risks
Retrieves and lists all current security alerts and misconfigurations across your cloud resources using `get_alerts`.

### Audit Cloud Account Inventory
Lists every cloud account onboarded in Prisma Cloud, helping you verify full coverage or check onboarding status using `get_cloud_accounts`.

### Check Regulatory Compliance Status
Runs checks against industry benchmarks (CIS, etc.) and returns failing resource IDs along with clear remediation steps via `get_compliance`.

### Detect Network Threats
Analyzes traffic patterns to spot network anomalies or unusual activity that might signal a compromised workload using `get_network_anomalies`.

### Review Security Policies and Roles
Lists all security policies enforced in your cloud environment via `get_policies`, or pulls user profile data to verify API access levels with `get_user_profile`.

### Run Custom Deep Queries
Executes complex Resource Query Language (RQL) strings for highly customized, deep-dive cloud analysis using `run_rql_query`.

## Use Cases

### Pre-audit check for new services
A DevOps engineer needs to provision a new database. Instead of waiting for the quarterly audit report, they prompt their agent: "Check compliance and user access for this resource type." The agent runs `get_compliance` first, then uses `get_user_profile` on the service account, confirming both standards adherence and proper least-privilege access before the deployment starts.

### Investigating a suspected data leak
The Security Analyst suspects an insider threat. They ask their agent to look for suspicious activity across two streams: first running `get_network_anomalies` to detect unusual egress traffic, and second running `get_alerts` to correlate that activity with any recently flagged misconfigurations or unauthorized resource access.

### Quarterly compliance readiness check
The Compliance Officer needs a comprehensive report. They instruct the agent to run `get_compliance`, which returns failing checks and remediation steps. Then, they follow up with `run_rql_query` to pull all related resource IDs for manual ticket creation, creating a complete audit trail.

### Verifying account onboarding status
Before merging two business units' cloud environments, the agent first runs `get_cloud_accounts`. This ensures every target environment is accounted for. Then, the team uses `get_policies` to audit whether consistent security rules are applied across all newly discovered accounts.

## Benefits

- Stop manually cross-referencing data. You can chain `get_alerts` with `run_rql_query` to find misconfigurations that standard reports miss, giving you a complete risk picture in one prompt.
- Instantly verify regulatory adherence. Call `get_compliance` and get structured output listing exactly which controls fail (CIS, etc.)—no more reading vague summary reports.
- Know who has access to what. Use `get_user_profile` before granting new permissions. It verifies the actual API roles attached to a user, cutting down on privilege creep.
- Find threats that aren't alerts. Run `get_network_anomalies` when you suspect lateral movement or insider activity. This goes beyond simple policy violations.
- Audit your entire footprint at once. Running `get_cloud_accounts` ensures the AI client has checked every single linked environment, preventing blind spots in inventory management.

## How It Works

The bottom line is: you tell the agent what security question you have, and it runs the exact function needed to answer it.

1. You ask your AI client to audit a specific area—for example, "What compliance rules are failing in our production environment?"
2. Your agent identifies the need for structured data and calls the appropriate tool (e.g., `get_compliance`), passing required parameters.
3. Prisma Cloud executes the tool, fetches the raw findings (failing checks, resource IDs), and sends the clean result back to your AI client.

## Frequently Asked Questions

**How do I check overall compliance using get_compliance?**
You simply ask your agent to run `get_compliance`. The tool checks your cloud security posture against benchmarks like CIS and reports back all failing checks along with specific steps needed to fix them.

**Is there a way to find custom misconfigurations? How does run_rql_query help?**
`run_rql_query` lets you execute Resource Query Language (RQL) strings. This is your escape hatch for deep analysis, letting you hunt for specific resource states that standard alerts might miss.

**Can I audit all my connected accounts at once with get_cloud_accounts?**
Yes, running `get_cloud_accounts` lists every cloud account onboarded to Prisma Cloud. This is critical for ensuring your audits aren't missing any shadow IT environments.

**How do I find potential insider threats? Should I use get_network_anomalies?**
Yes, `get_network_anomalies` detects unusual traffic patterns. It helps identify compromised workloads or suspicious activity that goes beyond simple policy violations.

**How do I review all the security rules enforced across my environment? Should I use get_policies?**
Yes, `get_policies` lists every security policy configured in Prisma Cloud. This lets you audit the guardrails that are active across your cloud environments.

**I need to know about immediate risks; how do I check my current warnings? Should I use get_alerts?**
Yes. `get_alerts` returns a list of all active security alerts. This function helps you pinpoint immediate misconfigurations or risks that require quick attention, separate from general compliance reports.

**How can I verify what permissions my AI agent has? Should I use get_user_profile?**
Yes. `get_user_profile` retrieves the profile details for the connected user. Run this to check your API access levels and make sure your agent has enough permission before running critical tasks.

**When using run_rql_query, how do I scope my search? Can I limit the results?**
You must include specific filters in your RQL string. This allows you to narrow down deep cloud analysis to only the resources or types of assets you are interested in.