Integrate Prisma Cloud with QRadar

Learn how to set up the IBM QRadar integration with Prisma™ Cloud so that you can view Prisma Cloud alerts on the QRadar console.
The Prisma™ Cloud integration with IBM QRadar requires that you get the Prisma Cloud QRadar app from the IBM marketplace, set up an Amazon Simple Queue Service (SQS) queue, and configure Prisma Cloud to send alerts to that queue. After you configure Prisma Cloud to publish messages to the queue, it sends alert messages there. The Prisma Cloud QRadar app then polls the queue at defined intervals to retrieve the alert messages and uses a custom extension to write the messages, together with the custom event mapping, into QRadar as syslog on UDP port 514. This data is then displayed on the QRadar console to help you proactively detect threats and continuously improve detection.
  1. Install the Prisma Cloud QRadar app.
    1. Get the Prisma Cloud QRadar app from the IBM Marketplace.
    2. Log in to the QRadar Console.
    3. Select Admin > Extensions Management.
    4. Click Add and select the appropriate Prisma Cloud app ZIP file (Prisma Cloud(_<version>).zip).
    5. Select Install immediately.
    6. Click Add to add the app. Wait for validation and installation to complete; the app name then appears on the screen.
      (Screenshot: qradar-install.png)
    7. Click Install to install the app into the QRadar environment, close the dialog, and go to the Dashboard.
      (Screenshot: qradar-install-application-package.png)
    8. Select Overwrite and Install for all the components required for this integration.
      (Screenshot: qradar-overwrite-application.png)
    9. On the Admin tab, select Deploy Changes.
  2. Configure Prisma Cloud and the QRadar app.
    1. Set up the AWS SQS queue and configure Prisma Cloud to publish alerts to it (see Integrate Prisma Cloud with Amazon SQS).
      The IAM credentials that the QRadar app uses to read from the queue need the following SQS actions. Grant them in an IAM policy scoped to the ARN of that queue only, and do not grant sqs:SendMessage, so that the access key stored in QRadar can only consume alerts, not inject them:
      sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueUrl, sqs:GetQueueAttributes, sqs:ChangeMessageVisibility
    2. Log in to the QRadar console.
    3. From the Menu, select the Prisma Cloud application that you installed and configure the server settings as follows.
      (Screenshot: qradar-prisma-cloud-server-settings-on-qradar.png)
      AWS SQS Settings
        AWS Access Key: access key ID of the IAM user that reads the SQS queue
        AWS Secret Key: secret access key that goes with that access key ID
        AWS Region Name: region in which the SQS queue was created (for example, us-west-2)
        Queue Name: name of the target SQS queue
      Proxy Server Settings (only needed if the QRadar host reaches AWS through a proxy)
        Proxy Host: address or URL of the proxy server
        Proxy Port: port number of the proxy
        Proxy User: user name for proxy authentication
        Proxy Password: password for proxy authentication
        HTTP/HTTPS: whether the proxy is a plain HTTP proxy or an SSL (HTTPS) proxy
    4. Select Process Prisma Cloud logs to start polling the queue.
  3. Create the dashboard for viewing Prisma Cloud alerts.
    1. Log in to the QRadar console.
    2. In a Search, apply the following custom filters: Log Source is RedLock, and Payload contains RedLockLog. (RedLock is the former name of Prisma Cloud and is the log source name under which the app's events arrive in QRadar.)
      (Screenshot: qradar-prisma-cloud-dashboard-custom-filters.png)
    3. Create a dashboard using Prisma Cloud attributes, such as Severity, AlertID, Risk Rating, Alert Rule Name, Account Name, and Resource Type.
      (Screenshot: qradar-dashboard.png)
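The following is an added example, not code from the Prisma Cloud QRadar app or from Palo Alto Networks. It covers two points from the procedure above: the least-privilege IAM policy for the access key that step 2 asks you to enter into the QRadar app (exactly the five SQS actions listed, on one queue only), with a check that flags a policy that grants more than that, and a syslog datagram tagged RedLockLog sent to UDP 514, which is the path the app uses and the string the dashboard search in step 3 filters on. The queue ARN, host names and alert fields are assumptions, and the syslog line layout is a plain RFC 3164 message of my own, not the app's actual event format.

```python
"""Helpers for the Prisma Cloud -> SQS -> QRadar path (added example, not vendor code)."""
from __future__ import annotations

import json
import socket
from datetime import datetime, timezone

# The five SQS actions the integration steps say the QRadar app's access key needs.
# IAM matches action names case-insensitively, so "SQS:GetQueueURL" and
# "sqs:GetQueueUrl" name the same action.
REQUIRED_SQS_ACTIONS = (
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:GetQueueUrl",
    "sqs:GetQueueAttributes",
    "sqs:ChangeMessageVisibility",
)


def qradar_reader_policy(queue_arn: str) -> dict:
    """Least-privilege IAM policy for the IAM user whose access key is typed into
    the QRadar app: only the required actions, only on the one alert queue.
    sqs:SendMessage is deliberately absent, so a leaked key cannot inject alerts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrismaCloudQRadarReader",
            "Effect": "Allow",
            "Action": list(REQUIRED_SQS_ACTIONS),
            "Resource": queue_arn,
        }],
    }


def policy_excess(policy: dict, queue_arn: str) -> list[str]:
    """Findings for an Allow policy that grants more than the reader needs:
    actions outside the required set (wildcards included) or resources other
    than the target queue. An empty list means the policy is correctly scoped."""
    required = {a.lower() for a in REQUIRED_SQS_ACTIONS}
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action.lower() not in required:
                findings.append(f"excess action: {action}")
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if res != queue_arn:
                findings.append(f"resource not scoped to queue: {res}")
    return findings


def syslog_line(alert: dict, host: str = "prisma-qradar-app", ts: float | None = None,
                facility: int = 1, severity: int = 6) -> bytes:
    """Build an RFC 3164 syslog datagram carrying the alert JSON after the tag
    "RedLockLog" (the string the step 3 search filters on). facility 1 = user,
    severity 6 = informational, so PRI is 14. Layout is assumed, not the app's."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc) if ts is not None \
        else datetime.now(timezone.utc)
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164: day is space-padded
    body = json.dumps(alert, separators=(",", ":"))
    return f"<{pri}>{stamp} {host} RedLockLog: {body}".encode()


def send_udp_syslog(datagram: bytes, qradar_host: str = "127.0.0.1", port: int = 514) -> int:
    """Send one datagram to the QRadar syslog listener on UDP 514, the port the app
    writes to. Returns the byte count handed to the socket (UDP gives no delivery
    confirmation; check the RedLock log source in QRadar for the event)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (qradar_host, port))


# Constructed sample alert; field names mirror the dashboard attributes in step 3.
SAMPLE_ALERT = {
    "alertId": "P-0000001",
    "severity": "high",
    "riskRating": "B",
    "alertRuleName": "S3 bucket publicly readable",
    "accountName": "prod-payments",
    "resourceType": "AWS S3 Bucket",
}

if __name__ == "__main__":
    arn = "arn:aws:sqs:us-west-2:123456789012:prisma-cloud-alerts"  # assumed queue
    print(json.dumps(qradar_reader_policy(arn), indent=2))
    too_broad = {"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
    print(policy_excess(too_broad, arn))
    print(syslog_line(SAMPLE_ALERT).decode())
    # send_udp_syslog(syslog_line(SAMPLE_ALERT), "qradar.example.internal")  # assumed host
```

Run it with `python3` to print the policy to attach to the app's IAM user; feed a policy you already have to `policy_excess` to see whether it goes beyond the five actions or beyond the one queue ARN. Uncommenting the last line from the host that runs the app sends a RedLockLog-tagged test event to UDP 514, which should then appear under the filters in step 3 if the log source is receiving.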

Related Documentation