Table of Contents

Splunk Alerts

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud continually scans your environment for vulnerabilities, Compliance, Runtime behavior, WAAS violations and more. You can now monitor your Prisma Cloud alerts in Splunk using a native integration.

Send Alerts to Splunk

Follow the instructions below to send alerts from your Prisma Cloud Console to Splunk Enterprise or Splunk Cloud Platform.

Set Up Splunk HTTP Event Collector (HEC)

Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and HTTPS protocols. Set up Splunk HEC to view alert notifications from Prisma Cloud in Splunk and consolidate alert notifications from Prisma Cloud into Splunk. This integration enables your operations team to review and take action on the alerts.
  1. To set up HEC, use the instructions in Splunk documentation. The default
    source type
  2. Go to
    Settings > Data inputs > HTTP Event
  3. Select
    and ensure that HEC is on the list with the
    the status.

Set up the Splunk Integration

  1. Log in to Prisma Cloud Console.
  2. Go to
    Manage > Alerts > Manage
  3. Click on
    + Add profile
    to create a dedicated alert profile for Splunk.
    1. Enter a name for your alert profile.
    2. In
      , select
      1. In
        Splunk HTTP event collector URL
        , enter the Splunk HEC URL that you set up earlier.
      2. In Custom JSON, enter the structure of the JSON payload, or use the default JSON.
        For more details about the type of data in each field, click
        Show macros
      3. Enter
        Auth Token
        The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HEC. A token is a 32-bit number that is presented in Splunk.
    3. In
      Alert triggers
      section, select what triggers send alerts to Splunk.
    4. Click
      Send test alert
      to test the connection. You can view the test message in Splunk.

Message Structure - JSON Schema

The integration with Splunk generates a consistent event format.
The JSON schema includes the following default fields:
  • app: Prisma Cloud Compute Alert Notification.
  • message: Contains the alert content in a JSON format as defined in the
    Custom JSON
    field. For example:
    • command: Shows the command which triggered the runtime alert.
    • namespaces: Lists the Kubernetes namespaces associated with the running image.
    • startup process: Shows the executed process activated when the container is initiated.
  • sender: Prisma Cloud Compute Alert Notification.
  • sentTs: Event sending timestamp as Unix time.
  • type: Shows the message type as alert.
{ app: Prisma Cloud Compute Alert Notification message: { [+] } sender: Prisma Cloud Compute Alert Notification sentTs: 1637843439 type: alert }
You can learn more about the Alert JSON macros and customizations in the Webhook Alert documentation

Recommended For You