Integrate Prisma Cloud with Azure Sentinel
Learn how to integrate Prisma™ Cloud with Azure Sentinel.
Prisma™ Cloud can send alerts to Azure Sentinel,
which integrates seamlessly with all Microsoft security controls
and consumes signals and intelligence from third party security solutions
in Azure, on premises, or other clouds.
- Configure Azure Sentinel to receive Prisma Cloud alerts by creating an HTTP-triggered Logic App workflow.
  - To create a Logic App workflow, log in to the Azure portal.
  - In the search bar, enter Logic apps and select it from the Services options.
  - Click Add and select Consumption.
  - In Create a logic app, configure the following:
    - Subscription: Select your Azure subscription
    - Resource group: Select an existing group or create a new one
    - Logic app name: Enter prisma-cloud-to-sentinel-ingestion
    - Region: Select an Azure region relevant to your location
    Do not modify the remaining fields and check boxes.
  - Click Review + create.
  - Confirm the details you've provided and click Create.
  - After the deployment is complete, click Go to resource.
  - In Logic Apps Designer, click When a HTTP request is received.
  - In the When a HTTP request is received window, in the Request Body JSON Schema section, enter the following schema. Make sure to use a JSON formatter and validator when you copy-paste the schema.

```json
{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "id": { "type": "string" },
      "status": { "type": "string" },
      "firstSeen": { "type": "integer" },
      "lastSeen": { "type": "integer" },
      "alertTime": { "type": "integer" },
      "policy": {
        "type": "object",
        "properties": {
          "policyId": { "type": "string" },
          "policyType": { "type": "string" },
          "systemDefault": { "type": "boolean" },
          "remediation": {
            "type": "object",
            "properties": {
              "description": { "type": "string" },
              "impact": { "type": "string" },
              "cliScriptTemplate": { "type": "string" }
            }
          },
          "remediable": { "type": "boolean" }
        }
      },
      "alertRules": { "type": "array" },
      "history": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "modifiedBy": { "type": "string" },
            "modifiedOn": { "type": "integer" },
            "status": { "type": "string" },
            "reason": { "type": "string" }
          },
          "required": [ "modifiedBy", "modifiedOn", "status" ]
        }
      },
      "riskDetail": {
        "type": "object",
        "properties": {
          "riskScore": {
            "type": "object",
            "properties": {
              "score": { "type": "integer" },
              "maxScore": { "type": "integer" }
            }
          },
          "rating": { "type": "string" },
          "score": { "type": "string" }
        }
      },
      "resource": {
        "type": "object",
        "properties": {
          "rrn": { "type": "string" },
          "id": { "type": "string" },
          "name": { "type": "string" },
          "account": { "type": "string" },
          "accountId": { "type": "string" },
          "cloudAccountGroups": { "type": "array" },
          "region": { "type": "string" },
          "regionId": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceApiName": { "type": "string" },
          "url": { "type": "string" },
          "data": {
            "type": "object",
            "properties": {
              "pricings": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "id": { "type": "string" },
                    "name": { "type": "string" },
                    "type": { "type": "string" },
                    "properties": {
                      "type": "object",
                      "properties": { "pricingTier": { "type": "string" } }
                    }
                  },
                  "required": [ "id", "name", "type", "properties" ]
                }
              },
              "settings": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "id": { "type": "string" },
                    "kind": { "type": "string" },
                    "name": { "type": "string" },
                    "type": { "type": "string" },
                    "properties": {
                      "type": "object",
                      "properties": { "enabled": { "type": "boolean" } }
                    }
                  },
                  "required": [ "id", "kind", "name", "type", "properties" ]
                }
              },
              "securityContacts": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "id": { "type": "string" },
                    "name": { "type": "string" },
                    "type": { "type": "string" },
                    "location": { "type": "string" },
                    "properties": {
                      "type": "object",
                      "properties": {
                        "email": { "type": "string" },
                        "phone": { "type": "string" },
                        "alertsToAdmins": { "type": "string" },
                        "alertNotifications": { "type": "string" }
                      }
                    }
                  },
                  "required": [ "id", "name", "type", "location", "properties" ]
                }
              },
              "autoProvisioningSettings": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "id": { "type": "string" },
                    "name": { "type": "string" },
                    "type": { "type": "string" },
                    "properties": {
                      "type": "object",
                      "properties": { "autoProvision": { "type": "string" } }
                    }
                  },
                  "required": [ "id", "name", "type", "properties" ]
                }
              }
            }
          },
          "cloudType": { "type": "string" },
          "resourceTs": { "type": "integer" }
        }
      },
      "reason": { "type": "string" }
    },
    "required": [ "id", "status", "firstSeen", "lastSeen", "alertTime", "policy", "alertRules", "history", "riskDetail", "resource" ]
  }
}
```

  - Click + New step. In the Choose an operation window, enter Azure Log Analytics data collector in the search bar and, after it's displayed, click Send Data.
  - In the Azure Log Analytics Data Collector window, configure the following:
    - Connection name: Enter sentinel-la-connection
    - Workspace ID: Copy the Log Analytics workspace ID of your Azure Sentinel resource from the Log Analytics resource, under Log Analytics Workspace > Agents management
    - Workspace Key: Copy the Log Analytics workspace key of your Azure Sentinel resource from the Log Analytics resource, under Log Analytics Workspace > Agents management
    - Click Create.
  - In the Send Data (Preview) window, configure the following:
    - JSON Request body: Click inside the box and the dynamic content list appears. In the Dynamic content search bar, enter Body and select it when it's displayed below.
    - Custom Log Name: Enter prisma_cloud_alerts
  - Click Save, located in the upper-left corner.
  - Click When a HTTP request is received and copy the HTTP POST URL. You will need to paste this URL while setting up Webhooks as an integration on Prisma Cloud in the next step.
- Configure Webhook integration in Prisma Cloud.
  - Log in to Prisma Cloud and select Settings > Integrations.
  - Click Add Integration and select Webhook. A modal wizard opens where you can add the Azure Sentinel integration.
  - Enter the Integration Name as azure-sentinel-integration.
  - Enter the Webhook URL (HTTP POST URL) that you copied earlier.
  - Add any custom HTTP Headers as key-value pairs. You can, for example, include an authentication token in the custom header. The integration includes Content-Type as a default header and you cannot edit it.
  - Click Next.
  - Test and Save the integration. You should receive a success message. After you set up the integration successfully, the status icon on Settings > Integrations turns red when the Webhook URL is unreachable or when Prisma Cloud cannot authenticate to it successfully, and turns green when there aren't any issues or the issues are resolved.
- Create an Alert Rule for Run-Time Checks or modify an existing rule to enable the Azure Sentinel integration.
- Send Alert Notifications to Azure Sentinel and verify that the alerts are displayed in Azure Sentinel.
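The steps above wire three things together: the webhook call Prisma Cloud makes (optionally carrying an authentication token in a custom header), the trigger schema with its required fields, and the Send Data action, which posts the body to the Log Analytics HTTP Data Collector API under the Custom Log Name prisma_cloud_alerts. The following is an added example, not code from Palo Alto Networks or Microsoft: a stand-alone Python model of that data path that you can run offline to check a payload before relying on the Logic App. The workspace ID, workspace key, shared token, header name X-Webhook-Token and the sample alert are constructed placeholders; the SharedKey HMAC-SHA256 signing is the Data Collector API's documented scheme, which the connector performs for you with the Workspace Key you entered.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

# Constructed placeholders: replace with the values from Agents management
# and the token you put in the integration's custom HTTP header.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-example-key-32-bytes").decode()
WEBHOOK_TOKEN = "constructed-shared-token"
WEBHOOK_HEADER = "X-Webhook-Token"  # assumed header name; the page leaves the choice to you

# Fields the trigger schema on this page marks as required.
REQUIRED_ALERT_FIELDS = ("id", "status", "firstSeen", "lastSeen", "alertTime",
                         "policy", "alertRules", "history", "riskDetail", "resource")
REQUIRED_HISTORY_FIELDS = ("modifiedBy", "modifiedOn", "status")

# Constructed alert shaped like the schema (only a subset of its optional fields).
SAMPLE_ALERT = {
    "id": "P-0000001", "status": "open",
    "firstSeen": 1700000000000, "lastSeen": 1700003600000, "alertTime": 1700003600000,
    "policy": {"policyId": "example-policy", "policyType": "config",
               "systemDefault": True, "remediable": False},
    "alertRules": [],
    "history": [{"modifiedBy": "system", "modifiedOn": 1700000000000, "status": "open"}],
    "riskDetail": {"rating": "B", "score": "42",
                   "riskScore": {"score": 42, "maxScore": 100}},
    "resource": {"id": "example-resource-id", "name": "example-vm",
                 "cloudType": "azure", "region": "East US"},
}
SAMPLE_BODY = json.dumps([SAMPLE_ALERT])  # what the webhook POST body would contain


def check_webhook_auth(headers, expected_token=WEBHOOK_TOKEN):
    """Compare the custom header value in constant time; absent or wrong -> False."""
    supplied = headers.get(WEBHOOK_HEADER, "")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def validate_alerts(payload):
    """Return a list of problems (empty when every alert carries the schema's
    required fields). Mirrors the 'required' lists of the trigger schema."""
    if not isinstance(payload, list):
        return ["payload must be a JSON array of alerts"]
    problems = []
    for i, alert in enumerate(payload):
        if not isinstance(alert, dict):
            problems.append(f"alert[{i}] is not an object")
            continue
        problems += [f"alert[{i}] missing '{f}'" for f in REQUIRED_ALERT_FIELDS if f not in alert]
        for j, entry in enumerate(alert.get("history") or []):
            problems += [f"alert[{i}].history[{j}] missing '{f}'"
                         for f in REQUIRED_HISTORY_FIELDS if f not in entry]
    return problems


def sign_data_collector_request(workspace_id, workspace_key, body, rfc1123_date):
    """SharedKey authorization for the Log Analytics HTTP Data Collector API:
    HMAC-SHA256 over the canonical request, keyed with the base64-decoded workspace key."""
    string_to_sign = (f"POST\n{len(body)}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    digest = hmac.new(base64.b64decode(workspace_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_log_analytics_request(alerts, workspace_id=WORKSPACE_ID, workspace_key=WORKSPACE_KEY,
                                log_name="prisma_cloud_alerts", rfc1123_date=None):
    """URL, headers and body of the POST the Send Data action issues. Log-Type is the
    Custom Log Name; the resulting custom table appears in the workspace as <log_name>_CL."""
    body = json.dumps(alerts).encode("utf-8")
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_name,
        "x-ms-date": rfc1123_date,
        "Authorization": sign_data_collector_request(workspace_id, workspace_key, body, rfc1123_date),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def process_webhook(headers, raw_body):
    """The whole path: authenticate the caller, parse, validate, build the forward request."""
    if not check_webhook_auth(headers):
        return {"accepted": False, "reason": "bad or missing webhook token"}
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "body is not JSON"}
    problems = validate_alerts(payload)
    if problems:
        return {"accepted": False, "reason": "; ".join(problems)}
    url, fwd_headers, _body = build_log_analytics_request(payload)
    return {"accepted": True, "url": url, "headers": fwd_headers, "alerts": len(payload)}


if __name__ == "__main__":
    result = process_webhook({WEBHOOK_HEADER: WEBHOOK_TOKEN}, SAMPLE_BODY)
    print(json.dumps({k: v for k, v in result.items() if k != "headers"}, indent=2))
    print("Authorization:", result["headers"]["Authorization"][:40] + "...")
```

Two points the model makes visible. The HTTP POST URL of the trigger already carries a signature in its query string, so anyone holding that URL can post to the workflow; the custom header token from the Prisma Cloud integration is a second factor that a Condition action in the Logic App can check, and the comparison above is constant-time for that reason. The Workspace Key is the HMAC key for every request to the Data Collector API, so it deserves the same handling as any other credential: store it in the connection (as the steps do), never in the workflow definition, and rotate it from Agents management if it is exposed.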