Integrate Prisma Cloud with Azure Sentinel

Learn how to integrate Prisma™ Cloud with Azure Sentinel.
Prisma™ Cloud can send alerts to Azure Sentinel, which integrates seamlessly with all Microsoft security controls and consumes signals and intelligence from third-party security solutions in Azure, on premises, or in other clouds.
  1. Configure Azure Sentinel to receive Prisma Cloud alerts by creating an HTTP-triggered Logic App workflow.
    1. To create a Logic App workflow, log in to the Azure portal.
    2. In the search bar, enter Logic apps and select it from the Services options.
    3. Click Add > Consumption.
    4. In Create a logic app, configure the following:
      • Subscription: Select your Azure subscription
      • Resource group: Select an existing group or create a new one
      • Logic app name: Enter prisma-cloud-to-sentinel-ingestion
      • Region: Select an Azure region relevant to your location
      Do not modify the remaining fields and check boxes.
    5. Click Review + create.
    6. Confirm the details you’ve provided and click Create.
    7. After the deployment is complete, click Go to resource.
    8. In Logic Apps Designer, click When a HTTP request is received.
    9. In the When a HTTP request is received window, in the Request Body JSON Schema section, enter the following schema:
      Make sure to use a JSON formatter and validator when you copy-paste the schema.
      {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "id": { "type": "string" },
            "status": { "type": "string" },
            "firstSeen": { "type": "integer" },
            "lastSeen": { "type": "integer" },
            "alertTime": { "type": "integer" },
            "policy": {
              "type": "object",
              "properties": {
                "policyId": { "type": "string" },
                "policyType": { "type": "string" },
                "systemDefault": { "type": "boolean" },
                "remediation": {
                  "type": "object",
                  "properties": {
                    "description": { "type": "string" },
                    "impact": { "type": "string" },
                    "cliScriptTemplate": { "type": "string" }
                  }
                },
                "remediable": { "type": "boolean" }
              }
            },
            "alertRules": { "type": "array" },
            "history": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "modifiedBy": { "type": "string" },
                  "modifiedOn": { "type": "integer" },
                  "status": { "type": "string" },
                  "reason": { "type": "string" }
                },
                "required": [ "modifiedBy", "modifiedOn", "status" ]
              }
            },
            "riskDetail": {
              "type": "object",
              "properties": {
                "riskScore": {
                  "type": "object",
                  "properties": {
                    "score": { "type": "integer" },
                    "maxScore": { "type": "integer" }
                  }
                },
                "rating": { "type": "string" },
                "score": { "type": "string" }
              }
            },
            "resource": {
              "type": "object",
              "properties": {
                "rrn": { "type": "string" },
                "id": { "type": "string" },
                "name": { "type": "string" },
                "account": { "type": "string" },
                "accountId": { "type": "string" },
                "cloudAccountGroups": { "type": "array" },
                "region": { "type": "string" },
                "regionId": { "type": "string" },
                "resourceType": { "type": "string" },
                "resourceApiName": { "type": "string" },
                "url": { "type": "string" },
                "data": {
                  "type": "object",
                  "properties": {
                    "pricings": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "properties": {
                          "id": { "type": "string" },
                          "name": { "type": "string" },
                          "type": { "type": "string" },
                          "properties": {
                            "type": "object",
                            "properties": { "pricingTier": { "type": "string" } }
                          }
                        },
                        "required": [ "id", "name", "type", "properties" ]
                      }
                    },
                    "settings": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "properties": {
                          "id": { "type": "string" },
                          "kind": { "type": "string" },
                          "name": { "type": "string" },
                          "type": { "type": "string" },
                          "properties": {
                            "type": "object",
                            "properties": { "enabled": { "type": "boolean" } }
                          }
                        },
                        "required": [ "id", "kind", "name", "type", "properties" ]
                      }
                    },
                    "securityContacts": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "properties": {
                          "id": { "type": "string" },
                          "name": { "type": "string" },
                          "type": { "type": "string" },
                          "location": { "type": "string" },
                          "properties": {
                            "type": "object",
                            "properties": {
                              "email": { "type": "string" },
                              "phone": { "type": "string" },
                              "alertsToAdmins": { "type": "string" },
                              "alertNotifications": { "type": "string" }
                            }
                          }
                        },
                        "required": [ "id", "name", "type", "location", "properties" ]
                      }
                    },
                    "autoProvisioningSettings": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "properties": {
                          "id": { "type": "string" },
                          "name": { "type": "string" },
                          "type": { "type": "string" },
                          "properties": {
                            "type": "object",
                            "properties": { "autoProvision": { "type": "string" } }
                          }
                        },
                        "required": [ "id", "name", "type", "properties" ]
                      }
                    }
                  }
                },
                "cloudType": { "type": "string" },
                "resourceTs": { "type": "integer" }
              }
            },
            "reason": { "type": "string" }
          },
          "required": [ "id", "status", "firstSeen", "lastSeen", "alertTime", "policy", "alertRules", "history", "riskDetail", "resource" ]
        }
      }
    10. Click + New step.
    11. In the Choose an operation window, enter Azure Log Analytics data collector in the search bar and, after it’s displayed, click Send Data.
    12. In the Azure Log Analytics Data Collector window, configure the following:
      • Connection name: Enter sentinel-la-connection
      • Workspace ID: Copy the Log Analytics workspace ID of your Azure Sentinel resource from the Log Analytics resource in Log Analytics Workspace > Agents management
      • Workspace Key: Copy the Log Analytics workspace key of your Azure Sentinel resource from the Log Analytics resource in Log Analytics Workspace > Agents management
      Click Create.
    13. In the Send Data (Preview) window, configure the following:
      • JSON Request body: Click inside the box and the dynamic content list appears. In the Dynamic content search bar, enter Body and select it when it’s displayed below.
      • Custom Log Name: Enter prisma_cloud_alerts
    14. Click Save, located in the upper-left corner.
    15. Click When a HTTP request is received and copy the HTTP POST URL. You will need to paste this URL while setting up Webhooks as an integration on Prisma Cloud in the next step.
  2. Configure Webhook integration in Prisma Cloud.
    1. Log in to Prisma Cloud and select Settings > Integrations.
    2. Click Add Integration > Webhook. A modal wizard opens where you can add the Azure Sentinel integration.
    3. Enter the Integration Name as azure-sentinel-integration.
    4. Enter the Webhook URL (HTTP POST URL) that you copied earlier.
    5. Add any custom HTTP Headers as key-value pairs.
      You can, for example, include an authentication token in the custom header. The integration includes Content-Type as a default header and you cannot edit it.
    6. Click Next.
    7. Test and Save the integration. You should receive a success message.
      After you set up the integration successfully, the status (Settings > Integrations) turns red when the Webhook URL is unreachable or when Prisma Cloud cannot authenticate to it successfully, and turns green when there aren’t any issues or the issues are resolved.
  3. Create an Alert Rule for Run-Time Checks or modify an existing rule to enable the Azure Sentinel integration.
  4. Send Alert Notifications to Azure Sentinel and verify that the alerts are displayed in Azure Sentinel.
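As an added example (not part of the Prisma Cloud or Azure documentation), the following Python pre-flight check mirrors the shape the Request Body JSON Schema from step 1.9 enforces and builds the webhook POST from step 2 with the default Content-Type header plus one custom header. It assumes a trimmed subset of that schema, a constructed alert, a placeholder URL and the hypothetical header name X-Auth-Token; no request is actually sent.

```python
import json
import urllib.request
# Subset of the page's Request Body JSON Schema: the top-level "required" list and the
# "history" item schema are copied as-is; policy/riskDetail/resource are reduced to
# their outer "object" type so the example stays short.
TRIGGER_SCHEMA = {"type": "array", "items": {"type": "object", "properties": {
    "id": {"type": "string"}, "status": {"type": "string"}, "firstSeen": {"type": "integer"},
    "lastSeen": {"type": "integer"}, "alertTime": {"type": "integer"},
    "policy": {"type": "object"}, "alertRules": {"type": "array"},
    "history": {"type": "array", "items": {"type": "object", "properties": {
        "modifiedBy": {"type": "string"}, "modifiedOn": {"type": "integer"},
        "status": {"type": "string"}, "reason": {"type": "string"}},
        "required": ["modifiedBy", "modifiedOn", "status"]}},
    "riskDetail": {"type": "object"}, "resource": {"type": "object"}, "reason": {"type": "string"}},
    "required": ["id", "status", "firstSeen", "lastSeen", "alertTime", "policy",
                 "alertRules", "history", "riskDetail", "resource"]}}
PY_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}

def validate(instance, schema, path="$"):
    """Minimal checker for the type/properties/required/items keywords this schema uses.
    Returns a list of violations; an empty list means the payload is acceptable."""
    expected = PY_TYPES[schema["type"]]
    # bool is a subclass of int in Python, so reject True/False where an integer is expected
    if not isinstance(instance, expected) or (expected is int and isinstance(instance, bool)):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if expected is dict:
        errors += [f"{path}: missing required '{k}'" for k in schema.get("required", [])
                   if k not in instance]
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors += validate(instance[key], sub, f"{path}.{key}")
    elif expected is list and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

def build_webhook_request(url, alerts, auth_token=None):
    """Build the POST the webhook sends to the Logic App trigger URL: a JSON array body,
    the default Content-Type header and, optionally, a custom auth header (the name
    'X-Auth-Token' is hypothetical; the page leaves the header up to you).
    Validation runs first so a malformed payload is rejected before it is sent."""
    problems = validate(alerts, TRIGGER_SCHEMA)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json"}
    if auth_token:
        headers["X-Auth-Token"] = auth_token
    return urllib.request.Request(url, data=json.dumps(alerts).encode(), headers=headers, method="POST")
```

Because the trigger schema's top level is an array, a single alert object passed on its own is rejected by the check rather than reaching the Logic App.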
