Splunk alerts

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud continually scans your environment for vulnerabilities, Complience, Runtime behavior, WAAS valiolations and more. You can now monitor your Prisma Cloud alerts in Splunk using a native integration.

Sending alerts to Splunk

Follow the instructions below to send alerts from your Prisma Cloud Console to Splunk Enterprise or Splunk Cloud Platform.

Set up Splunk HTTP Event Collector (HEC) to view alert notifications from Prisma Cloud in Splunk

Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and HTTPS protocols. This helps consolidate alert notifications from Prisma Cloud into Splunk, so that your operations team can review and take action on the alerts.
  1. To set up HEC, use instructions in Splunk documentation. note that the default
    source type
  2. Select
    Settings > Data inputs > HTTP Event
    Collector and make sure you see HEC added in the list and that the status shows that it is

Set up the Splunk integration in Prisma Cloud Compute edition

  1. Log in to Prisma Cloud Console
  2. Go to
    Manage > Alerts > Manage
  3. Click on
    + Add profile
    to create a dedicated alert profile for Splunk
    1. Enter a name for your alert profile
    2. In
      , select
      1. In
        Splunk HTTP event collector URL
        , enter the Splunk HEC URL that you set up earlier.
      2. In Custom JSON, enter the structure of the JSON payload, or use the default JSON.
        For more details about the type of data in each field, click
        Show macros
      3. Enter
        Auth Token
        The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HEC. A token is a 32-bit number that is presented in Splunk.
    3. In
      Alert triggers
      section, select the triggers that you would like Splunk to be alerted by
    4. Click
      Send test alert
      to test the connection. You can view the test message in Splunk

Set up the Splunk integration in Prisma Cloud Enterprise edition (SAAS)

Prisma Cloud Compute in SAAS uses the same notification settings set up in the platform for CSPM alerts. These configurations are setup in the platform under
Settings > Integrations
, and can be used in Compute by importing them as an Alert Profile. Any changes to the provider settings will need to be done on the platform side.
  1. Importing platform configurations inside Compute:
    1. Navigate to
      Manage > Alerts > Manage
      tab in Compute, click on "Add Profile"
    2. From the Provider drop down, select
      Prisma Cloud
    3. In the Integrations field, select the configuration you set up with Splunk in step 1
    4. Select triggers to be sent to this channel
    5. Click Save

Message structure

Both integrations with Splunk, via Prisma Cloud SAAS and Enterprise eddition, generate the same event format.

JSON schema

The JSON scema includes the following default fields:
  • app: Prisma Cloud Compute Alert Notification
  • message: contains the alert content in a JSON format as defined in the
    Custom JSON
  • sender: Prisma Cloud Compute Alert Notification
  • sentTs: Event sending timestamp as Unix time
  • type: alert
{ app: Prisma Cloud Compute Alert Notification message: { [+] } sender: Prisma Cloud Compute Alert Notification sentTs: 1637843439 type: alert }
You can learn more about the Alert JSON macros and customizations in the Webhook Alert documentation