Document:Prisma Cloud Administrator’s Guide (Compute)

Webhook alerts

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Webhook alerts

Prisma Cloud offers native integration with a number of services, including email, JIRA, and Slack. When no native integration is available, webhooks provide a mechanism to interface Prisma Cloud’s alert system with virtually any third party service.

A webhook is an HTTP callback. When an event occurs, Prisma Cloud notifies your web service with an HTTP POST request. The request contains an JSON body that you configure when you set up the webhook. A webhook configuration consists of:

URL

Custom JSON body

Credentials

CA Certificate

Custom JSON body

You can customize the body of the POST request with values of interest. The content of the JSON object in the request body is defined using predefined macros. For example:

{
  "type":#type,
  "host":#host,
  "details":#message
}

When an event occurs, Prisma Cloud replaces the macros in your custom JSON with real values, and then submits the request.

{
  "type":"ContainerRuntime",
  "host":"host1",
  "details":"/bin/cp changed binary /bin/busybox MD5:XXXXXXX"
}

All supported macros are described in the following table. Not all macros are applicable to all alert types.

Rule	Description
#type	Audit alert type. For example, 'Container Runtime'.
#time	Audit alert time. For example, 'Jan 21, 2018 UTC'.
#container	Impacted container.
#image	Impacted image.
#imageID	The ID of the impacted image. For example 'sha256:13b66b487594a1f2b75396013bc05d29d9f527852d96c5577cc4f187559875d0'.
#tags	The tags of the impacted resource.
#host	Hostname for the host where the audit occurred.
#fqdn	Fully qualified domain name for the host where the audit occurred.
#function	Serverless function where the audit occurred.
#region	Region where the audit occurred. For example 'N. Virginia'.
#provider	The cloud provider in which the alert was detected. For example 'aws'.
#osRelease	The OS on which the alert occurred. For example 'stretch'.
#osDistro	The OS distro on which the alert occurred. For example 'Debian GNU/Linux 9'.
#runtime	Language runtime in which the audit occurred. For example, 'python3.6'.
#appID	Serverless or Function name.
#rule	Rule which triggered the alert.
#message	Associated alert message.
#aggregated	All fields in the audit message as a single JSON object.
#rest	All subsequent alerts that occurred during the aggregation period, in JSON format.
#forensics

Document:Prisma Cloud Administrator’s Guide (Compute)

Webhook alerts

Table of Contents

Webhook alerts

Custom JSON body