Ingest Alerts from Prisma Cloud Compute

Configure the Data Collection settings in Cortex® XDR™ so that it receives alerts from Prisma Cloud Compute.
Ingesting alerts from Prisma Cloud Compute requires a Cortex XDR Pro per TB license.
To receive alerts from Prisma Cloud Compute, first configure the Collection Integrations settings in Cortex XDR. You then must create a webhook in Prisma Cloud; the webhook is the mechanism that connects Prisma Cloud's alert system to Cortex XDR. After you set up the webhook, Cortex XDR begins receiving alerts from Prisma Cloud Compute.
Cortex XDR then groups these alerts into incidents and adds them to the Alerts table. When Cortex XDR begins receiving the alerts, it creates a new XQL dataset (prisma_cloud_compute_raw), which you can use to run XQL Search queries and to create Correlation Rules. The in-app XQL Library contains sample search queries.
Configure Cortex XDR to receive alerts from Prisma Cloud Compute.
  1. Select Settings > Configurations > Data Collection > Collection Integrations.
  2. In the Prisma Cloud Compute Collector configuration, click the Here link to begin a new alerts integration.
  3. Specify the Name for the Prisma Cloud Compute Collector as it is displayed in Cortex XDR.
  4. Save & Generate Token. The token is displayed in a blue box, which is blurred in the image below.
     Click the Copy icon next to the Username and Password, and record them in a safe place; you will need to provide them when you configure the Prisma Cloud Compute Collector for alerts integration. If you close the window without recording the credentials, you will need to generate a new token and repeat this process. When you are finished, click Done to close the window.
  5. Copy api url.
     In the Collection Integrations page for the Prisma Cloud Compute Collector that you created, select Copy api url, and record the URL somewhere safe. You will need to provide this API URL when you set the Incoming Webhook URL as part of the configuration in Prisma Cloud Compute.
     The URL format for the tenant is https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma.
  6. Create a webhook as explained in the Webhook Alerts section of the Prisma Cloud Administrator's Guide (Compute).
     1. Use the Webhook option to configure the webhook.
     2. In Incoming Webhook URL, paste the API URL that you copied and recorded with Copy api url.
     3. In Credential Options, select Basic Authentication, and use the Username and Password that you saved when you generated the token in Cortex XDR.
     4. Select Container Runtime.
     5. Click Save.
        In Cortex XDR, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Compute Collector configuration, together with the amount of data received.
  7. (Optional) Manage your Prisma Cloud Compute Collector.
     After you enable the Prisma Cloud Compute Collector, you can make additional changes as needed.
     To modify a configuration, select any of the following options.
     • Edit the Prisma Cloud Compute Collector settings.
     • Disable the Prisma Cloud Compute Collector.
     • Delete the Prisma Cloud Compute Collector.
  8. After Cortex XDR begins receiving data from Prisma Cloud Compute, you can use XQL Search to search for specific data in the prisma_cloud_compute_raw dataset and view alerts in the Cortex XDR Alerts table. In the Cortex XDR Alerts table, the Prisma Cloud Compute alerts are listed as Prisma Cloud Compute in the ALERT SOURCE column and are classified as Medium in the SEVERITY column.
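Before pasting the values into Prisma Cloud, it is worth checking that the Incoming Webhook URL really points at the tenant's /logs/v1/prisma endpoint over HTTPS and that the Basic Authentication header Prisma Cloud will send is the one you expect. The following is an added example, not code from Palo Alto Networks or either product: it builds the URL from the format given in step 5, rejects anything that would send alerts elsewhere, and assembles the request as Prisma Cloud would. The tenant name, credentials and alert body are constructed placeholders.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urlparse

# URL format from step 5: https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma
WEBHOOK_URL_TEMPLATE = "https://api-{tenant}.xdr.us.paloaltonetworks.com/logs/v1/prisma"
# A tenant name must be a single DNS label; a dot or slash would change the target host.
TENANT_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
HOST_RE = re.compile(r"api-[a-z0-9-]+\.xdr\.us\.paloaltonetworks\.com")


def build_webhook_url(tenant: str) -> str:
    """Return the Incoming Webhook URL for a tenant, refusing malformed tenant names."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"invalid tenant name: {tenant!r}")
    return WEBHOOK_URL_TEMPLATE.format(tenant=tenant)


def check_incoming_webhook_url(url: str) -> bool:
    """True only for an https Cortex XDR /logs/v1/prisma endpoint with no extra query/fragment."""
    p = urlparse(url)
    return (p.scheme == "https"
            and p.hostname is not None
            and HOST_RE.fullmatch(p.hostname) is not None
            and p.path == "/logs/v1/prisma"
            and not p.query and not p.fragment)


def basic_auth_header(username: str, password: str) -> str:
    """Credential Options -> Basic Authentication: the Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_alert_request(tenant: str, username: str, password: str,
                        alert: dict) -> urllib.request.Request:
    """Assemble (but do not send) the POST Prisma Cloud would make to the webhook."""
    url = build_webhook_url(tenant)
    if not check_incoming_webhook_url(url):
        raise ValueError(f"unexpected webhook URL: {url}")
    return urllib.request.Request(url, data=json.dumps(alert).encode(), method="POST",
                                  headers={"Authorization": basic_auth_header(username, password),
                                           "Content-Type": "application/json"})


if __name__ == "__main__":
    # Placeholder tenant/credentials and a made-up alert body (not Prisma Cloud's schema).
    req = build_alert_request("example-tenant", "COLLECTOR-USER", "COLLECTOR-PASS",
                              {"type": "containerRuntime", "message": "constructed test alert"})
    print(req.full_url, req.get_header("Authorization"))
```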
