Splunk alerts

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud continually scans your environment for vulnerabilities, compliance issues, runtime behavior, WAAS violations and more. You can monitor your Prisma Cloud alerts in Splunk using a native integration.

Sending alerts to Splunk

Follow the instructions below to send alerts from your Prisma Cloud Console to Splunk Enterprise or Splunk Cloud Platform.

Set up Splunk HTTP Event Collector (HEC) to view alert notifications from Prisma Cloud in Splunk

Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and HTTPS protocols. This helps consolidate alert notifications from Prisma Cloud into Splunk, so that your operations team can review and take action on the alerts.
  1. To set up HEC, follow the instructions in the Splunk documentation. Note that the default source type is _json.
  2. Select Settings > Data inputs > HTTP Event Collector and make sure the HEC input you created appears in the list and that its status shows Enabled.
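Before pointing Prisma Cloud at the collector, it is worth confirming from the command line that HEC is enabled, that the token is accepted, and that the event lands with the _json source type. The following script is an added example (not Prisma Cloud's or Splunk's own code). It posts an event wrapped in the same envelope Prisma Cloud Compute uses (app, message, sender, sentTs, type, described under "Message structure" below) to the HEC event endpoint and checks the collector's reply. HEC_URL and HEC_TOKEN are placeholders to be replaced with your own values.

```python
"""Smoke-test a Splunk HTTP Event Collector (HEC) input with a Prisma-style event.

Added example, not Prisma Cloud's or Splunk's code. Assumes HEC is enabled on
the default port 8088 and that HEC_URL / HEC_TOKEN below are replaced by the
operator (both are placeholders).
"""
import json
import time
import urllib.error
import urllib.request

HEC_URL = "https://splunk.example.com:8088/services/collector/event"   # placeholder
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"                      # placeholder GUID
SOURCETYPE = "_json"   # the default source type for the HEC input

APP_NAME = "Prisma Cloud Compute Alert Notification"


def hec_headers(token: str) -> dict:
    """HEC authenticates with the token carried in an Authorization header."""
    return {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }


def build_hec_event(message: dict, sent_ts: int = 0) -> dict:
    """Wrap an alert body in the envelope Prisma Cloud Compute sends to Splunk.

    `time` is the HEC-level timestamp (epoch seconds); `sentTs` mirrors it inside
    the event body as the page's schema describes.
    """
    ts = sent_ts or int(time.time())
    return {
        "time": ts,
        "sourcetype": SOURCETYPE,
        "event": {
            "app": APP_NAME,
            "message": message,
            "sender": APP_NAME,
            "sentTs": ts,
            "type": "alert",
        },
    }


def hec_accepted(response_body: str) -> bool:
    """HEC replies {"text":"Success","code":0} when it accepted the event."""
    try:
        reply = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    return reply.get("code") == 0


def send_to_hec(url: str, token: str, event: dict, timeout: float = 10.0) -> bool:
    """POST one event to HEC; return True only if the collector accepted it."""
    data = json.dumps(event).encode()
    req = urllib.request.Request(url, data=data, headers=hec_headers(token), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return hec_accepted(resp.read().decode())
    except urllib.error.HTTPError as e:
        # Typical causes: token invalid or disabled, input disabled, malformed body.
        print(f"HEC rejected the event: HTTP {e.code} {e.read().decode()}")
        return False
    except urllib.error.URLError as e:
        print(f"Could not reach HEC: {e.reason}")
        return False


if __name__ == "__main__":
    # Constructed smoke-test message; the real message body is whatever the
    # Custom JSON field in the alert profile produces.
    test_event = build_hec_event({"test": True, "note": "constructed HEC smoke test"})
    print("accepted" if send_to_hec(HEC_URL, HEC_TOKEN, test_event) else "failed")
```

Run it once against the collector and then search Splunk for sourcetype=_json to confirm the event was indexed under the expected source type. If Splunk uses a certificate your host does not trust, add an SSL context that trusts that CA rather than disabling verification, since the token travels in every request. Treat the token as a credential: anyone who holds it can write arbitrary events into your Splunk deployment.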

Set up the Splunk integration in Prisma Cloud Compute edition

  1. Log in to Prisma Cloud Console.
  2. Go to the Manage > Alerts > Manage tab.
  3. Click + Add profile to create a dedicated alert profile for Splunk.
    1. Enter a name for your alert profile.
    2. In Provider, select Splunk.
      1. In Splunk HTTP event collector URL, enter the Splunk HEC URL that you set up earlier.
      2. In Custom JSON, enter the structure of the JSON payload, or use the default JSON. For details about the type of data in each field, click Show macros.
      3. In Auth Token, enter the HEC token. The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HEC. The token is a globally unique identifier (GUID) that Splunk generates when you create the HEC input; treat it as a credential, because anyone holding it can write events to your Splunk deployment.
    3. In the Alert triggers section, select the triggers that you would like Splunk to be alerted by.
    4. Click Send test alert to test the connection. You can view the test message in Splunk.

Set up the Splunk integration in Prisma Cloud Enterprise edition (SaaS)

Prisma Cloud Compute in SaaS uses the same notification settings that are set up in the platform for CSPM alerts. These configurations are set up in the platform under Settings > Integrations, and can be used in Compute by importing them as an alert profile. Any changes to the provider settings must be made on the platform side.
  1. Set up the Splunk integration on the platform side under Settings > Integrations.
  2. Import the platform configuration inside Compute:
    1. Navigate to the Manage > Alerts > Manage tab in Compute and click Add Profile.
    2. From the Provider drop-down, select Prisma Cloud.
    3. In the Integrations field, select the Splunk configuration you set up in step 1.
    4. Select the triggers to be sent to this channel.
    5. Click Save.

Message structure

Both integrations with Splunk, via Prisma Cloud Compute edition and Prisma Cloud Enterprise edition (SaaS), generate the same event format.

JSON schema

The JSON schema includes the following default fields:
  • app: Prisma Cloud Compute Alert Notification
  • message: contains the alert content in JSON format as defined in the Custom JSON field
  • sender: Prisma Cloud Compute Alert Notification
  • sentTs: event sending timestamp as Unix time
  • type: alert
  {
    "app": "Prisma Cloud Compute Alert Notification",
    "message": { ... },
    "sender": "Prisma Cloud Compute Alert Notification",
    "sentTs": 1637843439,
    "type": "alert"
  }
You can learn more about the alert JSON macros and customizations in the Webhook alert documentation.
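When building Splunk searches or downstream automation on these events, it helps to validate the envelope and normalise it once rather than trusting every field inline. The following is an added example, not Prisma Cloud's own code: it checks the five default fields listed above, accepts `message` either as a nested object or as a JSON-encoded string (the shape depends on how the Custom JSON field was written), converts sentTs to an ISO 8601 UTC time, and carries a Splunk search that isolates these events. The sample event is constructed; its message contents and the index name "prisma" in the search are assumptions.

```python
"""Validate and normalise a Prisma Cloud Compute alert envelope as indexed by Splunk.

Added example, not Prisma Cloud's code. Envelope fields follow the schema above;
the sample event is constructed and the message body is illustrative only.
"""
import json
from datetime import datetime, timezone

EXPECTED_APP = "Prisma Cloud Compute Alert Notification"
EXPECTED_TYPE = "alert"
REQUIRED_FIELDS = {"app", "message", "sender", "sentTs", "type"}

# Splunk search isolating these events. Assumption: the HEC token writes to an
# index named "prisma"; the sourcetype is the HEC default, _json.
SPL_SEARCH = (
    'index=prisma sourcetype=_json '
    f'app="{EXPECTED_APP}" type={EXPECTED_TYPE} '
    '| table _time sender sentTs message.*'
)


class InvalidEnvelope(ValueError):
    """Raised when an event does not match the documented envelope."""


def parse_envelope(raw: str) -> dict:
    """Return {"sent_at": <ISO 8601 UTC>, "message": <dict>} or raise InvalidEnvelope."""
    try:
        env = json.loads(raw)
    except json.JSONDecodeError as e:
        raise InvalidEnvelope(f"not JSON: {e}") from e
    if not isinstance(env, dict):
        raise InvalidEnvelope("envelope must be a JSON object")

    missing = REQUIRED_FIELDS - env.keys()
    if missing:
        raise InvalidEnvelope(f"missing fields: {sorted(missing)}")
    if env["app"] != EXPECTED_APP or env["sender"] != EXPECTED_APP:
        raise InvalidEnvelope("app/sender do not identify a Prisma Cloud Compute notification")
    if env["type"] != EXPECTED_TYPE:
        raise InvalidEnvelope(f"unexpected type {env['type']!r}")

    ts = env["sentTs"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(ts, bool) or not isinstance(ts, int) or ts <= 0:
        raise InvalidEnvelope("sentTs must be a positive Unix timestamp")

    message = env["message"]
    if isinstance(message, str):          # Custom JSON delivered as a string
        try:
            message = json.loads(message)
        except json.JSONDecodeError as e:
            raise InvalidEnvelope(f"message is not JSON: {e}") from e
    if not isinstance(message, dict):
        raise InvalidEnvelope("message must be a JSON object")

    return {
        "sent_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "message": message,
    }


def is_valid_envelope(raw: str) -> bool:
    """Boolean form of parse_envelope for filtering a stream of events."""
    try:
        parse_envelope(raw)
        return True
    except InvalidEnvelope:
        return False


# Constructed sample events (message keys are illustrative, not Prisma's schema).
_SAMPLE_MESSAGE = {"host": "node-1", "severity": "high", "rule": "example"}
SAMPLE_EVENT = json.dumps({
    "app": EXPECTED_APP,
    "message": _SAMPLE_MESSAGE,
    "sender": EXPECTED_APP,
    "sentTs": 1637843439,
    "type": "alert",
})
SAMPLE_EVENT_STRING_MESSAGE = json.dumps({
    "app": EXPECTED_APP,
    "message": json.dumps(_SAMPLE_MESSAGE),   # same body, delivered as a string
    "sender": EXPECTED_APP,
    "sentTs": 1637843439,
    "type": "alert",
})

if __name__ == "__main__":
    print(parse_envelope(SAMPLE_EVENT))
    print(SPL_SEARCH)
```

The sentTs check matters because Splunk will happily index an event whose timestamp is zero or a string, and a downstream rule keyed on alert age would then silently misfire. Pinning app and sender also keeps unrelated _json events that share the index out of Prisma-specific searches and playbooks.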