Cortex XSOAR alerts
Table of Contents
Cortex XSOAR alerts
Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform.
Prisma Cloud can send alerts, vulnerabilities, and compliance issues to XSOAR when your policies are violated.
Prisma Cloud can be configured to send data when an entire policy, or even specific rules, are violated.
Configuring alert frequency
You can configure the rate at which alerts are emitted.
This is a global setting that controls the spamminess of the alert service.
Alerts received during the specified period are aggregated into a single alert.
For each alert profile, an alert is sent as soon as the first matching event is received.
All subsequent alerts are sent once per period.
- Open Console, and go toManage > Alerts.
- InAggregate audits every, specify the maximum rate that alerts should be sent.You can specifySecond,Minute,Hour,Day.
Send alerts to XSOAR
Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent.
You can send alerts to any combination of channels by creating multiple alert profiles.
Alert profiles consist of two parts:
(1) Alert settings — Who should get the alerts, and on what channel?
Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent.
For example, configure the email channel and specify a list of all the email addresses where alerts should be sent.
Or for JIRA, configure the project where the issue should be created, a long with the type of issue, priority, assignee, and so on.(2) Alert triggers — Which events should trigger an alert to be sent?
Specify which of the rules that make up your overall policy should trigger alerts.
If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.
Create new alert profile
Create a new alert profile.
- InManage > Alerts, clickAdd profile.
- Enter a name for your alert profile.
- InProvider, selectCortex.
- InApplication, selectXSOAR.
Configure the channel
Configure the channel.
- InConsole Name, choose the console name XSOAR should use to access your Prisma Cloud console.
- Copy theConsole URLand save it for creating the integration in XSOAR.
- Copy theProject Name, and save it for creating the integration in XSOAR (the project name would only appear if you are using the projects feature).
- Copy theCA certificateand save it for creating the integration in XSOAR.
Configure the triggers
Configure how the alert is triggered.
- UnderAlert Types, check the boxes types of events that should trigger an alert.
- For additional configuration options, clickEdit.
- To specify specific rules that should trigger an alert, deselectAll rules, and then select any individual rules.
- ClickSave.
Configure XSOAR
Create a new Prisma Cloud Compute integration in XSOAR.
- Log into Cortex XSOAR.
- Go toSettings > Integrations.
- Search forPrisma Cloud Computeand clickAdd instance.
- Under theSettings:
- Name: Enter the name for the integration.
- Check theFetch incidentscheckbox.
- Prisma Cloud Compute Console URL and Port: Paste the URL of the console that you copied from Prisma Cloud.
- (optional)Prisma Cloud Compute Project Name: Enter the name of the project in Prisma Cloud.
- Credentials: Enter the Prisma Cloud username that XSOAR should use to communicate with your Prisma Cloud console.
- Password: Enter the password for the username you provided.
- Prisma Cloud Compute CA Certificate: Paste the CA Certificate you copied from Prisma Cloud, or enter your own CA Certificate (if using a custom certificate to access your Prisma Cloud console).
- ClickTestto check the connection to Prisma Cloud console.
- ClickDoneto save the integration.
- Go toIncidentsto see the alerts received from Prisma Cloud.