Integrate Prisma Cloud with Splunk

Learn how to integrate Prisma™ Cloud with Splunk.
Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.
Prisma™ Cloud integrates with Splunk and monitors your assets and sends alerts for resource misconfigurations, compliance violations, network security risks, and anomalous user activities to Splunk.
  1. Set up Splunk HTTP Event Collector (HEC) to view alert notifications from Prisma Cloud in Splunk.
    Splunk HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. This helps consolidate alert notifications from Prisma Cloud into Splunk so that your operations team can reviewand take action on the alerts.
    1. To set up HEC, use instructions in Splunk documentation.
      For
      source type
      ,
      _json
      is the default; if you specify a custom string on Prisma Cloud, that value will overwrite anything you set here.
    2. Select
      Settings
      Data inputs
      HTTP Event Collector
      and make sure you see HEC added in the list and that the status showsthat it is
      Enabled
      .
  2. Set up the Splunk integration in Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select
      Settings
      Integrations
      .
    3. Create a
      +New Integration
      .
    4. Set
      Splunk
       as the
      Integration Type
      .
    5. Enter an
      Integration Name
      and,optionally, a
      Description
      .
    6. Enter the
      Splunk HTTP Event Collector URL
      that you set up earlier.
      The Splunk HTTP Event Collector URL is a Splunk endpoint for sending event notifications to your Splunk deployment. You can either use HTTP or HTTPS for this purpose.
    7. Enter
      Auth Token
      .
      The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HTTP Event Collector. A token is a 32-bit number that is presented in Splunk.
      splunk-add-integration-in-prisma-cloud.png
    8. (
      Optional
      ) Specify the
      Source Type
      if you want all Prisma Cloud alerts to include this custom name in the alert payload.
    9. Click
      Test
      and then
      Save
      your changes.
      The integration status check for Splunk displays as red if the event collector URL is not reachable or times out or if the authentication token is invalid or receives an HTTP 403 response.
  3. Create an Alert Rule or modify an existing rule to receive alerts in Splunk. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)

Recommended For You