Cortex XSOAR alerts
Table of Contents
Cortex XSOAR alerts
Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform.
Prisma Cloud can send alerts, vulnerabilities, and compliance issues to XSOAR when your policies are violated.
Prisma Cloud can be configured to send data when an entire policy, or even specific rules, are violated.
Configuring alert frequency
You can configure the rate at which alerts are emitted.
This is a global setting that controls the spamminess of the alert service.
Alerts received during the specified period are aggregated into a single alert.
For each alert profile, an alert is sent as soon as the first matching event is received.
All subsequent alerts are sent once per period.
- Open Console, and go toManage > Alerts.
- InGeneral settings, select the default frequency for all alerts.You can specifySecond,Minute,Hour,Day.
Send alerts to XSOAR
Alert profiles specify which events should trigger the alert machinery, and to which channel alerts are sent.
You can send alerts to any combination of channels by creating multiple alert profiles.
Alert profiles consist of two parts:
(1) Alert settings — Who should get the alerts, and on what channel?
Configure Prisma Cloud to integrate with your messaging service and specify the people or places where alerts should be sent.
For example, configure the email channel and specify a list of all the email addresses where alerts should be sent.
Or for JIRA, configure the project where the issue should be created, along with the type of issue, priority, assignee, and so on.(2) Alert triggers — Which events should trigger an alert to be sent?
Specify which of the rules that make up your overall policy should trigger alerts.
If you use multi-factor authentication, you must create an exception or app-specific password to allow Console to authenticate to the service.
Create a new alert profile
- InManage > Alerts, clickAdd profile.
- Enter aProfile name.
- InProvider, selectCortex.
- InApplication, selectXSOAR.
- ClickNext.
Configure the triggers
- InSelect triggers, select the events that should trigger an alert to be sent.
- To specify specific rules that should trigger an alert, deselectAll rules, and then select any individual rules.
- ClickNext.
Configure the channel
- InSettings, enter aConsole Namethat XSOAR should use to access your Prisma Cloud console.
- Copy theConsole URLand save it for creating the integration in XSOAR.
- Copy theCA certificateand save it for creating the integration in XSOAR.
- ClickNext.
- Review theSummaryand clickSave.
Configure XSOAR
Create a new Prisma Cloud Compute integration in XSOAR.
- Log into Cortex XSOAR.
- Go toSettings > Integrations.
- Search forPrisma Cloud Computeand clickAdd instance.
- Under theSettings:
- Name: Enter the name for the integration.
- Check theFetch incidentscheckbox.
- Prisma Cloud Compute Console URL and Port: Paste the URL of the console that you copied from Prisma Cloud.
- (optional)Prisma Cloud Compute Project Name: Enter the name of the project in Prisma Cloud.
- Credentials: Enter the Prisma Cloud username that XSOAR should use to communicate with your Prisma Cloud console.
- Password: Enter the password for the username you provided.
- Prisma Cloud Compute CA Certificate: Paste the CA Certificate you copied from Prisma Cloud, or enter your own CA Certificate (if using a custom certificate to access your Prisma Cloud console).
- ClickTestto check the connection to Prisma Cloud console.
- ClickDoneto save the integration.
- Go toIncidentsto see the alerts received from Prisma Cloud.