Send Prisma Cloud Alert Notifications to Third-Party Tools
Learn how to send Prisma™ Cloud alert notifications to
your existing tools so that you can incorporate cloud security into
your existing operational procedures.
Alert rules define which policy violations
trigger an alert in a selected set of cloud accounts. When you Create an Alert Rule for Run-Time Checks, you can also
configure the rule to send the Alert Payload that the
rule triggers to one or more third-party tools. For all channels
except email, to enable notification of policy violations in your
cloud environments in your existing operational workflows, you must Configure External Integrations on Prisma Cloud. You can
either set up an integration before you create the alert rule or
use the inline link in the alert rule creation process to set up
the integration when you need it.
On some integrations, such
as Google CSCC, AWS Security Hub, PagerDuty, and ServiceNow, Prisma
Cloud can send a state-change notification to resolve an incident
when the issue that generated the alert is resolved manually or
if the resource was updated in the cloud environment and the service
learns that the violation is fixed.
Refer to the following
topics to enable an alert notification channel with third-party
tools:
Send Alert Notifications to Amazon SQS
You can send Prisma Cloud alert notifications
to Amazon Simple Queue Service (SQS).
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select SQS.
- Select the SQS Queues to which you want to send alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Azure Sentinel
You can send Prisma Cloud alert notifications
to Azure Sentinel.
- Select Alerts > Alert Rules > New Alert Rule.
- In the Select Alert Rule Type window, click Run.
- In Add Alert Rule, configure the following:
  - Alert Rule Name: azure-sentinel
  - Click Next.
  - Account Groups: Default Account Group
  - Click Next.
  - Select all policies.
  - Click Next.
  - Enable Webhook.
  - Select the Webhook channel.
- Save the new alert rule.
- Verify that the alerts are shown in Log Analytics under Custom Logs.
- Review the new alerts being processed by Logic Apps.
Send Alert Notifications to Azure Service Bus Queue
You can send Prisma Cloud alert notifications
to an Azure Service Bus queue.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Azure Service Bus Queue.
- Select the Azure Service Bus Queue to which you want to send alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications Through Email
To send email notifications for alerts triggered
by an alert rule, Prisma Cloud provides a default email notification
template. You can customize the message in the template using the in-app
rich text editor and attach the template to an alert rule. In the
alert notification, you can configure Prisma Cloud to send the alert
details as an uncompressed CSV file or as a compressed zip file,
with a maximum attachment size of 9 MB.
All email notifications from
Prisma Cloud include the domain name to support Domain-based Message
Authentication, Reporting & Conformance (DMARC), and the email
address used is noreply@prismacloud.paloaltonetworks.com.
- (Optional) Set up a custom message for your email notification template. Prisma Cloud provides a default email template for your convenience, and you can customize the lead-in message within the body of the email using the rich-text editor.
- Select Alerts > Notification Templates.
- Add New notification template, and choose the Email template.
- Enter a Template Name. The template name can be up to 99 characters long and must not include the special ASCII characters '<', '>', '!', '=', '\n', or '\r'. If you previously created a template whose name includes unsupported characters and you try to update it, an error message indicates that the template name is invalid.
- Enter a Custom Note. The preview on the right shows how your content will look.
- Save the email notification template.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Email.
- Enter or select the Emails to which to send the alert notifications. You can include multiple email addresses and can send email notifications to addresses in your domain and to guests external to your organization.
- (Optional) Select your custom email Template, if you have one.
- Set the Frequency at which to send email notifications.
  - Instantly—Sends an email to the recipient list each time the alert rule triggers an alert.
  - Recurring—You can select the time interval as Daily, Weekly, or Monthly. Prisma Cloud sends a single email to the recipient list that lists all alerts triggered by the alert rule on that day, during that week, or during that month.
- Specify whether to include an attachment to the email. An attachment lets you include information on the alerts generated and the remediation steps required to fix the violating resource. When you select Attach detailed report, you can choose whether to Include remediation instructions to fix the root cause of the policy that triggered each alert, and opt to send it as a zip file (Compress attachment(s)). Each email can include up to 10 attachments. An attachment in zip format can have 60000 rows, while a CSV file can have 900 rows. If the number of alerts exceeds what the maximum number of attachments can hold, the alerts with the older timestamps are omitted.
- Save the new alert rule or Confirm your changes to an existing alert rule.
- Verify the alert notification emails. The email alert notification specifies the alert rule, account name, cloud type, policies that were violated, the number of alerts for each violated policy, and the affected resources. Click the <number> of alerts to view the Prisma Cloud Alerts > Overview page.
Send Alert Notifications to a Slack Channel
You can send alert notifications associated
with an alert rule to a Slack channel.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Slack.
- Select the Slack Channels to which you want to send alerts triggered by this alert rule.
- Set the Frequency at which to send Slack notifications.
  - As it Happens—Sends a notification to the selected Slack channels each time the alert rule triggers an alert.
  - Daily—Sends a single notification to the selected Slack channels once each day that lists all alerts triggered by the alert rule on that day.
  - Weekly—Sends a single notification to the selected Slack channels once each week that lists all alerts triggered by the alert rule during that weekly interval.
  - Monthly—Sends a single notification to the selected Slack channels once each month that lists all alerts triggered by the alert rule during that monthly interval.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Splunk
You can send alert notifications associated
with an alert rule to a Splunk event collector.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Splunk.
- Select the Splunk Event Collectors to which you want to send alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Jira
You can configure alert notifications triggered
by an alert rule to create Jira tickets.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Jira.
- Select the Jira Templates to use for creating tickets based on the alert payload data for alerts that are triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Google Cloud SCC
You can send alert notifications to Google
Cloud Security Command Center (SCC).
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select CSCC.
- Select the Google CSCC Integrations that you want to use to send notifications of alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to ServiceNow
You can send alert notifications to ServiceNow.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select now (ServiceNow).
- Select the ServiceNow Templates that you want to use to send notifications of alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Webhooks
You can send alert notifications to webhooks.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select webhooks.
- Select the webhook Channels that you want to use to send notifications of alerts triggered by this alert rule. A webhook notification is delivered as soon as the alert is generated.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to PagerDuty
You can send alert notifications to PagerDuty.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select pagerduty.
- Select the Integration Key.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to AWS Security Hub
You can send alert notifications to AWS Security
Hub.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- Select your AWS account from AWS Security Hub.
- Save the new alert rule or Confirm your changes to an existing alert rule.
Send Alert Notifications to Microsoft Teams
You can send alert notifications to Microsoft
Teams.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Microsoft Teams.
- Select the Teams channels that you want to use to send notifications for alerts triggered by this alert rule.
- Set the Frequency at which to send POST notifications.
  - As it Happens—Sends a notification to the selected channels each time the alert rule triggers an alert.
  - Daily—Sends a single notification to the selected channels once each day that lists all alerts triggered by the alert rule on that day.
  - Weekly—Sends a single notification to the selected channels once each week that lists all alerts triggered by the alert rule during that weekly interval.
  - Monthly—Sends a single notification to the selected channels once each month that lists all alerts triggered by the alert rule during that monthly interval.
- Save the new alert rule or Confirm your changes to an existing alert rule. When a policy rule is violated, a message card is displayed in the Microsoft Teams conversation. The message card is formatted with a red (high), yellow (medium), or gray (low) line to indicate the severity of the alert. For example, the following screenshot shows a daily notification summary.
Send Alert Notifications to Cortex XSOAR
You can send alert notifications associated
with an alert rule to a Demisto instance.
- Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
- On the Set Alert Notification page for the alert rule, select Demisto.
- Select the Demisto instance to which you want to send alerts triggered by this alert rule.
- Save the new alert rule or Confirm your changes to an existing alert rule.