Splunk Alerts

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud continually scans your environment for vulnerabilities, compliance violations, runtime behavior, WAAS violations, and more. You can now monitor your Prisma Cloud alerts in Splunk using a native integration.

Send Alerts to Splunk

Follow the instructions below to send alerts from your Prisma Cloud Console to Splunk Enterprise or Splunk Cloud Platform.

Set Up Splunk HTTP Event Collector (HEC)

Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and HTTPS protocols. Set up Splunk HEC to view alert notifications from Prisma Cloud in Splunk and consolidate alert notifications from Prisma Cloud into Splunk. This integration enables your operations team to review and take action on the alerts.
  1. To set up HEC, follow the instructions in the Splunk documentation. The default source type is _json.
  2. Go to Settings > Data inputs > HTTP Event Collector.
  3. Ensure that the HEC input you created is on the list with the Enabled status.

Set up the Splunk Integration

  1. Log in to Prisma Cloud Console.
  2. Go to the Manage > Alerts > Manage tab.
  3. Click + Add profile to create a dedicated alert profile for Splunk.
    1. Enter a name for your alert profile.
    2. In Provider, select Splunk.
      1. In Splunk HTTP event collector URL, enter the Splunk HEC URL that you set up earlier.
      2. In Custom JSON, enter the structure of the JSON payload, or use the default JSON. For more details about the type of data in each field, click Show macros.
      3. In Auth Token, enter the HEC token. The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HEC. A token is a 32-bit number that is shown in Splunk.
    3. In the Alert triggers section, select which triggers send alerts to Splunk.
    4. Click Send test alert to test the connection. You can view the test message in Splunk.

Message Structure - JSON Schema

The integration with Splunk generates a consistent event format.
The JSON schema includes the following default fields:
  • app: Prisma Cloud Compute Alert Notification.
  • message: Contains the alert content in JSON format, as defined in the Custom JSON field. For example:
    • command: Shows the command that triggered the runtime alert.
    • namespaces: Lists the Kubernetes namespaces associated with the running image.
    • startup process: Shows the process executed when the container starts.
  • sender: Prisma Cloud Compute Alert Notification.
  • sentTs: Event sending timestamp as Unix time.
  • type: Shows the message type as alert.

    {
      "app": "Prisma Cloud Compute Alert Notification",
      "message": { ... },
      "sender": "Prisma Cloud Compute Alert Notification",
      "sentTs": 1637843439,
      "type": "alert"
    }

You can learn more about the Alert JSON macros and customizations in the Webhook Alert documentation.
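As an added example (not code from Prisma Cloud or Splunk), the following Python builds an event in the default envelope listed above, checks it against that field list, and prepares the HEC request, so the HEC token and _json sourcetype from the setup steps can be exercised before wiring up the Console. The /services/collector/event path and the "Splunk <token>" Authorization header are standard HEC conventions not stated on this page; the URL, token and alert values are constructed placeholders.

```python
# Added example, not Prisma Cloud's or Splunk's own code: wrap alert content in the
# default envelope described above, check it against that schema, and prepare the
# HEC request. Assumed standard Splunk HEC conventions not stated on this page:
# the /services/collector/event path and the "Splunk <token>" Authorization header.
import json
import urllib.request

APP_NAME = "Prisma Cloud Compute Alert Notification"
# Default envelope fields and the JSON type each must carry.
REQUIRED_FIELDS = {"app": str, "message": dict, "sender": str, "sentTs": int, "type": str}

def build_event(message, sent_ts):
    """Wrap alert content (the Custom JSON part) in the default envelope."""
    return {"app": APP_NAME, "message": message, "sender": APP_NAME,
            "sentTs": int(sent_ts), "type": "alert"}

def validate_event(event):
    """Return a list of schema problems; an empty list means the envelope is well-formed."""
    problems = []
    for name, expected in REQUIRED_FIELDS.items():
        if name not in event:
            problems.append(f"missing field: {name}")
        elif not isinstance(event[name], expected):
            problems.append(f"wrong type for {name}: expected {expected.__name__}")
    if "type" in event and event["type"] != "alert":
        problems.append(f"unexpected type: {event['type']!r}")
    return problems

def hec_request(hec_url, token, event):
    """Build the HEC POST; sourcetype _json matches the default used in the HEC setup above."""
    body = json.dumps({"event": event, "sourcetype": "_json"}).encode("utf-8")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(hec_url, data=body, headers=headers, method="POST")

def send_event(hec_url, token, event, timeout=10):
    """Validate, send one event, and return Splunk's JSON acknowledgement."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(hec_request(hec_url, token, event), timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample runtime alert using the message fields listed above.
SAMPLE_ALERT = {"command": "/usr/bin/python3 /tmp/unexpected.py",
                "namespaces": ["payments", "default"],
                "startup process": "/usr/local/bin/app-server"}
```

Call send_event with your HEC URL and the token shown in Splunk; a successful post returns Splunk's acknowledgement object, and the event then appears under the _json sourcetype for comparison with what the Console's Send test alert produces.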
