1. Overview

Compliance Explorer is a reporting tool for compliance rate. Metrics present the compliance rate for resources in your environment on a per-check, per-rule, and per-regulation basis. Report data can be exported to CSV files for further investigation.

The key pivot for Compliance Explorer is failed compliance checks. Compliance Explorer tracks each failed check, and the resources impacted by each failed check. From there, you can further slice and dice the data by secondary facets, such as collection, benchmark, and issue severity.

Compliance Explorer helps you answer these types of questions:

  • What is the compliance rate for the entire estate?

  • What is the compliance rate for some segment of the estate?

  • What is the compliance rate relative to the checks that you consider important?

    • Segment by benchmark.

    • Segment by specific compliance policy rules. Prisma Cloud supports compliance policies for containers, images, hosts, and serverless functions.

  • Which resources (containers, images, hosts, serverless functions) are failing the compliance checks you care about?

To view Compliance Explorer, go to Monitor > Compliance > Compliance Explorer.

2. Page organization

The Compliance Explorer view is organized into three main areas:

compliance explorer overview

1. Collection filter. Collections group related resources together. Use them to filter the data in Compliance Explorer. For example, you might want to see how all the entities in the sock-shop namespace in your production cluster comply to the checks in the PCI DSS template.

2. Roll-up charts. Configurable charts that summarize compliance data for the perspetives you care about. They report the following data:

  • Total compliance rate for your entire estate.

  • Compliance rate by regulation. Click Select regulations to configure which benchmarks and templates are shown on the page. Benchmarks are industry-standard checklists, such as the CIS Docker Benchmark. Templates are Prisma Cloud-curated checklists Checks are selected from the universe of checks provided in the product that pertain to directives in a regulatory regime, such as the Payment Card Industry Data Security Standard (PCI DSS).

  • Compliance rate by rule. Provides another mechanism to surface specific segments of your environment when scrutinizing compliance. Click Add rule to configure the card.

  • Historical trend chart for compliance rate. Shows how the compliance rate has changed over time.

The lists in the regulation and rule cards are sorted by compliance rate (the lowest compliance rate first).

3. Results table. Shows the universe of compliance checks, and the compliance rate for each check, relative to:

  • Your policies and the checks that are enabled. Every compliance check has an ID, and it’s either enabled or disabled.

  • The collection selected at the top of the page.

  • The filters applied (e.g. show critical severity issues only.)

By default, columns are sorted by severity (primary sort key), and then by compliance rate (secondary sort key). If no parameters are specified, Compliance Explorer shows all IDs by default.

The tabs organize results by benchmark or template. The tabs are shown or hidden based on how you configure the corresponding Compliance rate for regulations roll-up card. If you select the Rules view, the tabs show the rules selected in the Compliance rate for policy rules roll-up card.

compliance explorer tabs

Filters let you show failed checks only by setting the Status key to Failed:

compliance explorer filter

After narrowing your view of the data with collections and filters, you can export the data in the table to a CSV file.

3. Statistics

The data in Compliance Explorer is calculated every time the page is loaded, and it’s based on data from the latest scan. Data in the trend graph is based on snapshots taken every 24 hours.

You can force Console to recalculate statistics from the latest scan data by clicking the Refresh button. The Refresh button displays a red indicator when there’s a change in the following resources in your environment:

  • Containers.

  • Images.

  • Hosts.

  • Serverless functions.

For example, the refresh indicator is shown when new containers are detected. It’s also shown when containers are deleted.

No red refresh indicator is shown if you simply change the compliance policy. If you change the compliance policy, manually force Prisma Cloud to rescan your environment (or wait for the next periodic scan), and then refresh the Compliance Explorer.