Integrate Prisma Cloud with Splunk

Learn how to integrate Prisma Cloud with Splunk.
Splunk is a software platform for searching, analyzing, and visualizing machine-generated data gathered from websites, applications, sensors, and devices.
Prisma Cloud integrates with Splunk: it monitors your assets and sends alerts on resource misconfigurations, compliance violations, network security risks, and anomalous user activities to Splunk.
  1. Set up the Splunk HTTP Event Collector (HEC) so that alert notifications from Prisma Cloud can be viewed in Splunk.
    Splunk HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over HTTP or Secure HTTP (HTTPS). Forwarding Prisma Cloud alert notifications to Splunk consolidates them in one place, so that your operations team can review and act on them.
    1. To set up HEC, follow the instructions in the Splunk documentation.
      For the source type, _json is the default; if you specify a custom string on Prisma Cloud, that value overrides what you set here.
    2. Select Settings > Data inputs > HTTP Event Collector and verify that the HEC you added appears in the list with the status Enabled.
  2. Set up the Splunk integration in Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select Settings > Integrations.
    3. Select +New Integration to create a new integration.
    4. Set Splunk as the Integration Type.
    5. Enter a name for the integration and a description.
    6. Enter the Splunk HTTP Event Collector URL that you set up earlier.
      The Splunk HTTP Event Collector URL is the Splunk endpoint to which event notifications are sent to your Splunk deployment. You can use either HTTP or HTTPS for this purpose.
    7. Enter the Auth Token.
      The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to the Splunk HTTP Event Collector. A token is a 32-bit number that is presented in Splunk.
    8. (Optional) Specify the Source Type if you want all Prisma Cloud alerts to include this custom name in the alert payload.
    9. Click Test and then Save.
      The integration status check for Splunk displays as red if the event collector URL is not reachable or times out, or if the authentication token is invalid or gets an HTTP 403 response.
  3. Create an alert rule or modify an existing rule to receive alerts in Splunk. See Send Prisma Cloud Alert Notifications to Third-Party Tools.
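The following is an added example, not code from the Prisma Cloud or Splunk documentation, that shows what the integration above actually puts on the wire and how the Test result maps to the red/green status described in step 9. It uses the real HEC conventions (the /services/collector/event endpoint, the "Splunk <token>" Authorization header, and a JSON envelope whose sourcetype falls back to _json unless a custom Source Type is supplied). The alert payload shape, the HEC URL, and the `transport` hook that replaces the network call so the script runs offline are assumptions constructed for the example; the Prisma Cloud alert format itself is not documented on this page.

```python
"""Added example: build and send a Splunk HEC event the way the Prisma Cloud
integration does, and classify the outcome the way the Test button reports it.
Not from the Prisma Cloud or Splunk docs; see comments for what is assumed."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Real HEC conventions: the event endpoint path and the "Splunk <token>" scheme.
HEC_EVENT_PATH = "/services/collector/event"
DEFAULT_SOURCETYPE = "_json"  # HEC default mentioned in step 1 above

# Constructed sample alert; the field names are illustrative, not the real schema.
SAMPLE_ALERT = {
    "alertId": "P-EXAMPLE-1",
    "policyName": "Storage bucket publicly readable",
    "severity": "high",
    "resourceRegion": "us-east-1",
}


def build_hec_payload(alert: dict, source_type: Optional[str] = None) -> dict:
    """Wrap an alert in the HEC event envelope.

    A custom Source Type configured in Prisma Cloud (step 8) travels in the
    payload and overrides the sourcetype set on the HEC input; otherwise the
    HEC default (_json) applies.
    """
    return {"event": alert, "sourcetype": source_type or DEFAULT_SOURCETYPE}


def hec_request(url: str, token: str, payload: dict) -> urllib.request.Request:
    """Build the POST that HEC expects: JSON body plus 'Splunk <token>' header."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url.rstrip("/") + HEC_EVENT_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
    )


def classify_result(status: Optional[int], error: Optional[str]) -> str:
    """Map the outcome to the integration status semantics from step 9."""
    if error is not None:
        return "red: collector URL not reachable or timed out"
    if status == 403:
        return "red: auth token invalid (HTTP 403)"
    if status == 200:
        return "green"
    return f"red: unexpected HTTP {status}"


def _urllib_transport(req: urllib.request.Request,
                      timeout: float = 10) -> Tuple[Optional[int], Optional[str]]:
    """Real network call. HTTPError is caught first because it subclasses URLError."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:
        return e.code, None
    except (urllib.error.URLError, TimeoutError) as e:
        return None, str(e)


def send_alert(url: str, token: str, alert: dict, source_type: Optional[str] = None,
               transport: Optional[Callable] = None) -> str:
    """Send one alert and return the status string.

    `transport` is a hypothetical hook for this example: it takes the Request
    and returns (http_status, error_text), so tests can run without a network.
    """
    req = hec_request(url, token, build_hec_payload(alert, source_type))
    status, error = (transport or _urllib_transport)(req)
    return classify_result(status, error)


def fake_hec(accepted_token: str) -> Callable:
    """Offline stand-in for a HEC endpoint: 200 for the right token, 403 otherwise."""
    def transport(req: urllib.request.Request) -> Tuple[Optional[int], Optional[str]]:
        if req.get_header("Authorization") != f"Splunk {accepted_token}":
            return 403, None
        return 200, None
    return transport


if __name__ == "__main__":
    hec_url = "https://splunk.example.invalid:8088"  # placeholder, not a real collector
    collector = fake_hec("TOKEN-OK")
    print(send_alert(hec_url, "TOKEN-OK", SAMPLE_ALERT, "prisma_cloud_alert", collector))
    print(send_alert(hec_url, "WRONG-TOKEN", SAMPLE_ALERT, None, collector))
```

Pointing `send_alert` at a real collector (drop the `transport` argument) reproduces what the Test button does: a 403 means the token is wrong or disabled on the HEC input, while a connection error or timeout means the URL or port is not reachable from where the request originates.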