Prisma Cloud Compute Edition Administrator’s Guide
    : Cortex XDR alerts
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Alerts
    6. Cortex XDR alerts
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Cortex XDR alerts

    Table of Contents

    Cortex XDR alerts

    Cortex XDR is a detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. Prisma Cloud can send runtime alerts to XDR when your policies are violated. Prisma Cloud can be configured to send data when an entire policy, or even specific rules, are violated.
    Prisma Cloud uses webhooks to send the alerts to Cortex XDR. When an event occurs, Prisma Cloud notifies the web service with an HTTP POST request that contains a JSON body.

    Configuring alert frequency

    You can configure the rate at which alerts are emitted. This is a global setting that controls the spamminess of the alert service. Alerts received during the specified period are aggregated into a single alert. For each alert profile, an alert is sent as soon as the first matching event is received. All subsequent alerts are sent once per period.
    1. Open Console, and go to
      Manage > Alerts
      .
    2. In
      General settings
      , select the default frequency for all alerts.
      You can specify
      Second
      ,
      Minute
      ,
      Hour
      ,
      Day
      .

    Send alerts to XDR

    Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent. You can send alerts to any combination of channels by creating multiple alert profiles.
    Alert profiles consist of two parts:
    (1) Alert settings — Who should get the alerts, and on what channel?
     Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent. For example, configure the email channel and specify a list of all the email addresses where alerts should be sent. Or for JIRA, configure the project where the issue should be created, along with the type of issue, priority, assignee, and so on.
    (2) Alert triggers — Which events should trigger an alert to be sent?
     Specify which of the rules that make up your overall policy should trigger alerts.
    If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.

    Create a new alert channel

    1. In
      Manage > Alerts
      , click
      Add profile
      .
    2. Enter a
      Profile name
      .
    3. In
      Provider
      , select
      Cortex
      .
    4. In
      Application
      , select
      XDR
      .
    5. Click
      Next
      .

    Configure the triggers

    1. In
      Select triggers
      , select the events that should trigger an alert to be sent.
    2. To specify specific rules that should trigger an alert, deselect
      All rules
      , and then select any individual rules.
    3. Click
      Next
      .

    Configure the channel

    1. Under
      Settings
      , in
      Incoming webhook URL
       enter the Cortex XDR endpoint where Prisma Cloud should submit the alerts.
    2. (Optional) In
      Credential
      , specify a basic auth credential if your endpoint requires authentication.
    3. (Optional) In
      CA Certificate
      , enter a CA cert in PEM format.
      When using a CA cert to secure communication, only one-way SSL authentication is supported. If two-way SSL authentication is configured, alerts will not be sent.
    4. Click
      Next
      .
    5. Review the
      Summary
       and test the configuration by selecting
      Send test alert
      .
    6. Click
      Save
      .

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.