Ingest Alerts from Prisma Cloud

Configure the Data Collection settings in Cortex® XDR™ to receive alerts from Prisma Cloud.
Ingesting alerts from Prisma Cloud requires a Cortex XDR Pro per TB license.
To receive alerts from Prisma Cloud, first configure the Collection Integrations settings in Cortex XDR. After you set up collection integration, Cortex XDR begins to receive alerts from Prisma Cloud every 30 seconds.
Cortex XDR then groups these alerts into incidents and adds them to the Alerts table. When Cortex XDR begins receiving the alerts, it creates a new XQL dataset (prisma_cloud_raw), which you can use to run XQL Search queries and create Correlation Rules. The in-app XQL Library contains sample search queries.
You can also configure Cortex XDR to collect data directly from other cloud providers using an applicable collector. For more information on the cloud collectors, see External Data Ingestion Vendor Support. The Prisma Cloud alerts are stitched to this data.
Complete the following tasks before you begin configuring Cortex XDR to receive alerts from Prisma Cloud.
  • Create an Access Key and Secret Key as explained in the Create and Manage Access Keys section of the Prisma Cloud Administrator’s Guide.
  • Copy or download the Access Key ID and Secret Key; you will need them when configuring the Prisma Cloud Collector in Cortex XDR.
Configure Cortex XDR to receive alerts from Prisma Cloud.
  1. Select Settings > Configurations > Data Collection > Collection Integrations.
  2. In the Prisma Cloud Collector configuration, click the here link to begin a new configuration.
  3. Set the following parameters.
  4. Click Test to validate the connection, and then click Enable.
     In Cortex XDR, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Collector configuration along with the amount of data received.
  5. (Optional) Manage your Prisma Cloud Collector.
     After you enable the Prisma Cloud Collector, you can make additional changes as needed. To modify a configuration, select any of the following options.
     • Edit the Prisma Cloud Collector settings.
     • Disable the Prisma Cloud Collector.
     • Delete the Prisma Cloud Collector.
  6. After Cortex XDR begins receiving data from Prisma Cloud, you can use XQL Search to search for specific data using the prisma_cloud_raw dataset, and view the alerts in the Cortex XDR Alerts table. In the Alerts table, Prisma Cloud alerts are listed as Prisma Cloud in the ALERT SOURCE column.