Splunk Alerts

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud continually scans your environment for vulnerabilities, compliance issues, runtime behavior, WAAS violations, and more. You can now monitor your Prisma Cloud alerts in Splunk using a native integration.

Send Alerts to Splunk

Follow the instructions below to send alerts from your Prisma Cloud Console to Splunk Enterprise or Splunk Cloud Platform.

Set Up Splunk HTTP Event Collector (HEC)

Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and HTTPS protocols. Set up Splunk HEC to view alert notifications from Prisma Cloud in Splunk and consolidate alert notifications from Prisma Cloud into Splunk. This integration enables your operations team to review and take action on the alerts.
  1. To set up HEC, use the instructions in the Splunk documentation. The default source type is _json.
  2. Go to Settings > Data inputs > HTTP Event Collector.
  3. Ensure that HEC is on the list with the status Enabled.

Set up the Splunk Integration

The Prisma Cloud Compute Enterprise Edition (SaaS) uses the same notification settings you set up in the platform for CSPM alerts. You configure the notifications in the platform under Settings > Integrations. You can import them as an alert profile to use them in Prisma Cloud Compute. You need to make any changes to the provider settings on the platform side.
  1. Import the platform notification configuration in Prisma Cloud Compute:
    1. Go to the Compute > Manage > Alerts > Manage tab.
    2. Click Add Profile.
    3. From the Provider drop-down, select Prisma Cloud.
    4. In the Integrations field, select the configuration you set up when integrating Prisma Cloud with Splunk.
    5. Select the triggers you want sent to this channel.
    6. Click Save.

Message Structure - JSON Schema

The integration with Splunk generates a consistent event format.
The JSON schema includes the following default fields:
  • app: Prisma Cloud Compute Alert Notification.
  • message: Contains the alert content in a JSON format as defined in the
    Custom JSON
    field. For example:
    • command: Shows the command which triggered the runtime alert.
    • namespaces: Lists the Kubernetes namespaces associated with the running image.
    • startup process: Shows the executed process activated when the container is initiated.
  • sender: Prisma Cloud Compute Alert Notification.
  • sentTs: Event sending timestamp as Unix time.
  • type: Shows the message type as alert.
{
  app: Prisma Cloud Compute Alert Notification
  message: { [+] }
  sender: Prisma Cloud Compute Alert Notification
  sentTs: 1637843439
  type: alert
}
You can learn more about the Alert JSON macros and customizations in the Webhook Alert documentation.
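As an added example (not code from the Prisma Cloud or Splunk documentation), the following Python shows how a downstream consumer can validate the envelope fields listed above, unwrap the message body whether it arrives as an embedded JSON string or as an object, and pull out the runtime-alert fields the section names. The sample event and the process values inside it are constructed; the inner key names follow the documented examples (command, namespaces, startup process).

```python
import json
import time

# Envelope values documented for the Prisma Cloud Compute -> Splunk integration.
EXPECTED_APP = "Prisma Cloud Compute Alert Notification"
REQUIRED_FIELDS = {"app", "message", "sender", "sentTs", "type"}

# Constructed sample event (not captured from a real Console). The "message"
# body is a JSON string here, as produced by a Custom JSON template.
SAMPLE_EVENT = {
    "app": EXPECTED_APP,
    "message": json.dumps({
        "command": "/bin/bash -c apt-get install vim",
        "namespaces": ["payments", "payments-canary"],
        "startup process": "/usr/bin/node server.js",
    }),
    "sender": EXPECTED_APP,
    "sentTs": 1637843439,
    "type": "alert",
}


def validate_envelope(event):
    """Return a list of problems with the top-level envelope (empty if clean)."""
    problems = []
    missing = REQUIRED_FIELDS - set(event.keys())
    if missing:
        problems.append("missing fields: %s" % sorted(missing))
    if event.get("app") != EXPECTED_APP or event.get("sender") != EXPECTED_APP:
        problems.append("unexpected app/sender value")
    if event.get("type") != "alert":
        problems.append("unexpected type: %r" % event.get("type"))
    if not isinstance(event.get("sentTs"), int):
        problems.append("sentTs is not a Unix timestamp integer")
    return problems


def parse_message(event):
    """'message' may be a JSON string (Custom JSON) or an already-parsed object."""
    msg = event["message"]
    return json.loads(msg) if isinstance(msg, str) else dict(msg)


def event_age_seconds(event, now=None):
    """Seconds between sentTs and now; large values flag delayed or replayed alerts."""
    now = int(time.time()) if now is None else now
    return now - int(event["sentTs"])


def summarize_runtime_alert(event):
    """Flatten the fields an analyst triages first from a runtime alert."""
    msg = parse_message(event)
    return {
        "command": msg.get("command"),
        "namespaces": msg.get("namespaces", []),
        "startup_process": msg.get("startup process"),
        "sent_ts": event["sentTs"],
    }
```

A rejected envelope (non-empty list from validate_envelope) is a signal that something other than the documented integration posted to the HEC token, which is worth its own alert.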
