Splunk is a software platform to search, analyze, and
visualize machine-generated data gathered from websites, applications,
sensors, and devices.
Prisma™ Cloud integrates with Splunk: it monitors your assets and sends
alerts for resource misconfigurations, compliance violations, network
security risks, and anomalous user activities to Splunk.
Set up Splunk HTTP Event Collector (HEC) to view
alert notifications from Prisma Cloud in Splunk.
Splunk HEC lets you send data and application events to
a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols.
This consolidates alert notifications from Prisma Cloud into Splunk so
that your operations team can review and act on the alerts.
the default; if you specify a custom string on Prisma Cloud, that
value will overwrite anything you set here.
HTTP Event Collector
make sure you see HEC added in the list and that the status shows that
Set up the Splunk integration in Prisma Cloud.
Log in to Prisma Cloud.
Splunk HEC URL
you set up earlier.
The Splunk HEC URL is the Splunk endpoint to which event
notifications are sent for your Splunk deployment; it can use either
HTTP or HTTPS. Because Prisma Cloud sends data about an alert or
error in JSON format, make sure to include
as part of the Splunk HEC URL.
The integration uses token-based authentication between
Prisma Cloud and Splunk to authenticate connections to Splunk HEC.
A token is a 32-bit number that is presented in Splunk.
) Specify the
if you want all Prisma Cloud alerts to include
this custom name in the alert payload.
The integration status check for Splunk displays red if the event
collector URL is unreachable or times out, or if the authentication
token is invalid or receives an HTTP 403 response.
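As an added example (not code from this page or from Prisma Cloud), the following Python script posts one JSON test event to a HEC URL with the token and maps the outcome to the red/green status described above. The URL, token and function names are constructed assumptions; the `/services/collector` path and the `Authorization: Splunk <token>` header follow Splunk HEC's standard convention.

```python
import json
import socket
import urllib.error
import urllib.request

# Constructed sample values (not from the page); the /services/collector path
# and the "Authorization: Splunk <token>" header are standard Splunk HEC conventions.
HEC_URL = "https://splunk.example.com:8088/services/collector"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token

def build_hec_request(url, token, event, source_type="prisma_cloud"):
    """Wrap an alert in HEC's JSON envelope and attach the token header."""
    body = json.dumps({"event": event, "sourcetype": source_type}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )

def classify(exc):
    """Map the outcome of a test post to the status the integration reports."""
    if exc is None:
        return "green"
    if isinstance(exc, urllib.error.HTTPError) and exc.code == 403:
        return "red: token rejected (HTTP 403)"
    if isinstance(exc, urllib.error.HTTPError):
        return f"red: HTTP {exc.code}"
    if isinstance(exc, (socket.timeout, TimeoutError)) or (
        isinstance(exc, urllib.error.URLError)
        and isinstance(exc.reason, (socket.timeout, TimeoutError))
    ):
        return "red: HEC URL timed out"
    if isinstance(exc, urllib.error.URLError):
        return "red: HEC URL not reachable"
    return f"red: {exc}"

def check_hec(url, token, opener=urllib.request.urlopen, timeout=5):
    """Post one test event; `opener` is injectable so the check runs offline."""
    req = build_hec_request(url, token, {"alert": "connectivity check"})
    try:
        with opener(req, timeout=timeout) as resp:
            resp.read()
        return classify(None)
    except Exception as exc:  # every failure kind maps to a red status
        return classify(exc)

if __name__ == "__main__":
    print(check_hec(HEC_URL, HEC_TOKEN))
```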