1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Configure External Integrations on Prisma Cloud
    6. Integrate Prisma Cloud with Azure Sentinel

    Integrate Prisma Cloud with Azure Sentinel

    Learn how to integrate Prisma™ Cloud with Azure Sentinel.
    Prisma™ Cloud can send alerts to Azure Sentinel, which integrates seamlessly with all Microsoft security controls and consumes signals and intelligence from third party security solutions in Azure, on premises, or other clouds.
    1. Configure Azure Sentinel to receive Prisma Cloud alerts by creating an HTTP-triggered Logic App workflow.
      1. To create a Logic App workflow, log in to the Azure portal.
      2. In the search bar, enter
        Logic apps
         and select it from the Services options.
      3. Add
        Consumption
        .
      4. In
        Create a logic app
        , configure the following:
        • Subscription
          : Select your Azure subscription
        • Resource group
          : Select an existing group or create a new one
        • Logic app name
          : Enter prisma-cloud-to-sentinel-ingestion
        • Region
          : Select an Azure region relevant to your location
        Do not modify the remaining fields and check boxes.
      5. Review + create
        .
      6. Confirm the details you’ve provided and click
        Create
        .
      7. After the deployment is complete, click
        Go to resource
        .
      8. In
        Logic Apps Designer
        , click
        When a HTTP request is received
        .
      9. In the
        When a HTTP request is received
         window, in the
        Request Body JSON Schema
         section, enter the following schema:
        Make sure to use a JSON formatter and validator when you copy-paste the schema.
        {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"status": {
"type": "string"
},
"firstSeen": {
"type": "integer"
},
"lastSeen": {
"type": "integer"
},
"alertTime": {
"type": "integer"
},
"policy": {
"type": "object",
"properties": {
"policyId": {
"type": "string"
},
"policyType": {
"type": "string"
},
"systemDefault": {
"type": "boolean"
},
"remediation": {
"type": "object",
"properties": {
"description": {
"type": "string"
},
"impact": {
"type": "string"
},
"cliScriptTemplate": {
"type": "string"
}
}
},
"remediable": {
"type": "boolean"
}
}
},
"alertRules": {
"type": "array"
},
"history": {
"type": "array",
"items": {
"type": "object",
"properties": {
"modifiedBy": {
"type": "string"
},
"modifiedOn": {
"type": "integer"
},
"status": {
"type": "string"
},
"reason": {
"type": "string"
}
},
"required": [
"modifiedBy",
"modifiedOn",
"status"
]
}
},
"riskDetail": {
"type": "object",
"properties": {
"riskScore": {
"type": "object",
"properties": {
"score": {
"type": "integer"
},
"maxScore": {
"type": "integer"
}
}
},
"rating": {
"type": "string"
},
"score": {
"type": "string"
}
}
},
"resource": {
"type": "object",
"properties": {
"rrn": {
"type": "string"
},
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"account": {
"type": "string"
},
"accountId": {
"type": "string"
},
"cloudAccountGroups": {
"type": "array"
},
"region": {
"type": "string"
},
"regionId": {
"type": "string"
},
"resourceType": {
"type": "string"
},
"resourceApiName": {
"type": "string"
},
"url": {
"type": "string"
},
"data": {
"type": "object",
"properties": {
"pricings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"pricingTier": {
"type": "string"
}
}
}
},
"required": [
"id",
"name",
"type",
"properties"
]
}
},
"settings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
}
},
"required": [
"id",
"kind",
"name",
"type",
"properties"
]
}
},
"securityContacts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"location": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"email": {
"type": "string"
},
"phone": {
"type": "string"
},
"alertsToAdmins": {
"type": "string"
},
"alertNotifications": {
"type": "string"
}
}
}
},
"required": [
"id",
"name",
"type",
"location",
"properties"
]
}
},
"autoProvisioningSettings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"autoProvision": {
"type": "string"
}
}
}
},
"required": [
"id",
"name",
"type",
"properties"
]
}
}
}
},
"cloudType": {
"type": "string"
},
"resourceTs": {
"type": "integer"
}
}
},
"reason": {
"type": "string"
}
},
"required": [
"id",
"status",
"firstSeen",
"lastSeen",
"alertTime",
"policy",
"alertRules",
"history",
"riskDetail",
"resource"
]
}
}
      10. + New step
        .
      11. In the
        Choose an operation
         window, enter
        Azure Log Analytics data collector
         in the search bar and after it’s displayed click
        Send Data
        .
      12. In the
        Azure Log Analytics Data Collector
         window, configure the following:
        • Connection name
          : Enter sentinel-la-connection
        • Workspace ID
          : Copy the log analytics workspace ID of your Azure Sentinel resource from the Log Analytics resource in
          Log Analytics Workspace
          Agents management
        • Workspace Key
          : Copy the log analytics workspace key of your Azure Sentinel resource from the Log Analytics resource in
          Log Analytics Workspace
          Agents management
        • Create
      13. In the
        Send Data (Preview)
         window, configure the following:
        • JSON Request body
          : Click inside the box and the dynamic content list appears. In the Dynamic content search bar, enter
          Body
           and select it when it’s displayed below.
        • Custom Log Name
          : Enter prisma_cloud_alerts
      14. Click
        Save
         located in the upper-left corner.
      15. Click
        When a HTTP request is received
         and copy the HTTP POST URL. You will need to paste this URL while setting up Webhooks as an integration on Prisma Cloud in the next step.
    2. Configure Webhook integration in Prisma Cloud.
      1. Log in to Prisma Cloud and select
        Settings
        Integrations
        .
      2. Add Integration
        Webhook
        . A modal wizard opens where you can add the Azure Sentinel integration.
      3. Enter the
        Integration Name
         as azure-sentinel-integration.
      4. Enter the
        Webhook URL
         (HTTP POST URL) that you copied earlier.
      5. Add any custom
        HTTP Headers
         as key-value pairs.
        You can, for example, include an authentication token in the custom header. The integration includes Content-Type as a default header and you cannot edit it.
      6. Next
        .
      7. Test
         and
        Save
         the integration. You should receive a success message.
        After you set up the integration successfully, the status (
        Settings
        Integrations
        ) turns red when the Webhook URL is unreachable or when Prisma Cloud cannot authenticate to it successfully and turns green when there aren’t any issues or the issues are resolved.
    3. Create an Alert Rule for Run-Time Checks or modify an existing rule to enable the Azure Sentinel integration.
    4. Send Alert Notifications to Azure Sentinel and verify that the alerts are displayed in Azure Sentinel.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo