Send Prisma Cloud Alert Notifications to Third-Party Tools

Learn how to send Prisma™ Cloud alert notifications to your existing tools so that you can incorporate cloud security into your existing operational procedures.
Alert rules define which policy violations trigger an alert in a selected set of cloud accounts. When you Create an Alert Rule for Run-Time Checks, you can also configure the rule to send the Alert Payload that the rule triggers to one or more third-party tools. For all channels except email, to enable notification of policy violations in your cloud environments in your existing operational workflows, you must Configure External Integrations on Prisma Cloud. You can either set up an integration before you create the alert rule or use the inline link in the alert rule creation process to set up the integration when you need it.
On some integrations, such as Google CSCC, AWS Security Hub, PagerDuty, and ServiceNow, Prisma Cloud can send a state-change notification to resolve an incident when the issue that generated the alert is resolved manually or if the resource was updated in the cloud environment and the service learns that the violation is fixed.
Refer to the following topics to enable an alert notification channel with third-party tools:

Send Alert Notifications to Amazon SQS

You can send Prisma Cloud alert notifications to Amazon Simple Queue Service (SQS).
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select SQS.
  3. Select the SQS Queues to which you want to send alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Azure Service Bus Queue

You can send Prisma Cloud alert notifications to an Azure Service Bus queue.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Azure Service Bus Queue.
  3. Select the Azure Service Bus Queue to which you want to send alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications Through Email

To send email notifications for alerts triggered by an alert rule, Prisma Cloud provides a default email notification template. You can customize the message in the template using the in-app rich text editor and attach the template to an alert rule. In the alert notification, you can configure Prisma Cloud to send the alert details as an uncompressed CSV file or as a compressed zip file, with a maximum attachment size of 9 MB.
All email notifications from Prisma Cloud include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address used is noreply@prismacloud.paloaltonetworks.com.
  1. (Optional) Set up a custom message for your email notification template.
    Prisma Cloud provides a default email template for your convenience, and you can customize the lead-in message within the body of the email using the rich-text editor.
    1. Select Alerts > Notification Templates.
    2. Add New notification template, and choose Email template.
    3. Enter a Template Name.
    4. Enter a Custom Note.
      The preview on the right gives you an idea of how your content will look.
    5. Save the email notification template.
  2. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  3. On the Set Alert Notification page for the alert rule, select Email.
  4. Enter or select the Emails to which to send the alert notifications.
    You can include multiple email addresses and can send email notifications to email addresses in your domain and to guests external to your organization.
  5. (Optional) Select your custom email Template, if you have one.
  6. Set the Frequency at which to send email notifications.
    • Instantly—Sends an email to the recipient list each time the alert rule triggers an alert.
    • Recurring—You can select the time interval as Daily, Weekly or Monthly. Prisma Cloud sends a single email to the recipient list that lists all alerts triggered by the alert rule on that day, during that week, or during that month.
  7. Specify whether to include an attachment to the email.
    Including an attachment provides a way for you to include information on the alerts generated and the remediation steps required to fix the violating resource. When you select Attach detailed report, you can choose whether to Include remediation instructions to fix the root cause for the policy that triggered each alert, and opt to send it as a zip file (Compress attachment(s)).
    Each email can include up to 10 attachments. An attachment in the zip file format can have 60000 rows, while a CSV file can have 900 rows. If the number of alerts exceeds the maximum number of attachments, the alerts with the older timestamps are omitted.
  8. Save the new alert rule or Confirm your changes to an existing alert rule.
  9. Verify the alert notification emails.
    The email alert notification specifies the alert rule, account name, cloud type, policies that were violated, the number of alerts for each violated policy, and the affected resources. Click the <number> of alerts to view the Prisma Cloud Alerts > Overview page.

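The attachment limits in step 7 determine how many alerts a recurring digest can actually carry, and which ones are silently dropped when it cannot. The following added Python example (not Prisma Cloud code) models that rule so you can estimate, for a given alert volume, whether the oldest alerts will be omitted from the email; it assumes that one alert occupies one row, which the page does not state.

```python
"""Added example: model the Prisma Cloud email attachment limits (10 attachments,
900 rows per CSV, 60000 rows per zip). Assumption not stated on the page: one
alert occupies one row in the attached report."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ATTACHMENTS = 10
ROWS_PER_CSV = 900
ROWS_PER_ZIP = 60_000


@dataclass(frozen=True)
class Alert:
    alert_id: str
    first_seen: datetime


def plan_attachments(alerts, compress):
    """Return (included_alerts, attachment_count, omitted_count).

    Alerts are ordered newest-first and packed into attachments. Once the
    10-attachment ceiling is reached, the alerts with the oldest timestamps
    are the ones left out, matching the behaviour described in step 7.
    """
    rows_per_file = ROWS_PER_ZIP if compress else ROWS_PER_CSV
    capacity = MAX_ATTACHMENTS * rows_per_file
    newest_first = sorted(alerts, key=lambda a: a.first_seen, reverse=True)
    included = newest_first[:capacity]
    omitted = len(newest_first) - len(included)
    attachments = -(-len(included) // rows_per_file) if included else 0  # ceiling division
    return included, attachments, omitted


def sample_alerts(count, start=None):
    """Constructed sample data: one alert per minute starting at `start`."""
    start = start or datetime(2024, 1, 1)
    return [Alert(f"A-{i:05d}", start + timedelta(minutes=i)) for i in range(count)]


if __name__ == "__main__":
    alerts = sample_alerts(9_500)
    for compress in (False, True):
        kept, files, dropped = plan_attachments(alerts, compress)
        print(f"compress={compress}: {files} attachment(s), {len(kept)} alerts kept, {dropped} oldest omitted")
```

With 9,500 alerts in one digest, the uncompressed CSV form fills all 10 attachments and drops the 500 oldest alerts, while the zip form fits everything into a single attachment; choosing Compress attachment(s) is the safer default for high-volume rules.
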
Send Alert Notifications to a Slack Channel

You can send alert notifications associated with an alert rule to a Slack channel.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Slack.
  3. Select the Slack Channels to which you want to send alerts triggered by this alert rule.
  4. Set the Frequency at which to send Slack notifications.
    • As it Happens—Sends a notification to the selected Slack channels each time the alert rule triggers an alert.
    • Daily—Sends a single notification to the selected Slack channels once each day that lists all alerts triggered by the alert rule on that day.
    • Weekly—Sends a single notification to the selected Slack channels once each week that lists all alerts triggered by the alert rule during that weekly interval.
    • Monthly—Sends a single notification to the selected Slack channels once each month that lists all alerts triggered by the alert rule during that monthly interval.
  5. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Splunk

You can send alert notifications associated with an alert rule to a Splunk event collector.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Splunk.
  3. Select the Splunk Event Collectors to which you want to send alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Jira

You can configure alert notifications triggered by an alert rule to create Jira tickets.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Jira.
  3. Select the Jira Templates to use for creating tickets based on the alert payload data for alerts that are triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Google Cloud SCC

You can send alert notifications to Google Cloud Security Command Center (SCC).
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select CSCC.
  3. Select the Google CSCC Integrations that you want to use to send notifications of alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to ServiceNow

You can send alert notifications to ServiceNow.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select ServiceNow.
  3. Select the ServiceNow Templates that you want to use to send notifications of alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Webhooks

You can send alert notifications to webhooks.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Webhooks.
  3. Select the webhook Channels that you want to use to send notifications of alerts triggered by this alert rule.
    A webhook notification is delivered as soon as the alert is generated.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to PagerDuty

You can send alert notifications to PagerDuty.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select PagerDuty.
  3. Select the Integration Key.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to AWS Security Hub

You can send alert notifications to AWS Security Hub.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. Select your AWS account from AWS Security Hub.
  3. Save the new alert rule or Confirm your changes to an existing alert rule.

Send Alert Notifications to Microsoft Teams

You can send alert notifications to Microsoft Teams.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Microsoft Teams.
  3. Select the Teams channels that you want to use to send notifications for alerts triggered by this alert rule.
  4. Set the Frequency at which to send POST notifications.
    • As it Happens—Sends a notification to the selected channels each time the alert rule triggers an alert.
    • Daily—Sends a single notification to the selected channels once each day that lists all alerts triggered by the alert rule on that day.
    • Weekly—Sends a single notification to the selected channels once each week that lists all alerts triggered by the alert rule during that weekly interval.
    • Monthly—Sends a single notification to the selected channels once each month that lists all alerts triggered by the alert rule during that monthly interval.
  5. Save the new alert rule or Confirm your changes to an existing alert rule.
    When a policy rule is violated, a message card displays in the Microsoft Teams conversation. The message card is formatted with a red (high), yellow (medium), or gray (low) line to indicate the severity of the alert. For example, the following screenshot is a daily notification summary.

Send Alert Notifications to Cortex XSOAR

You can send alert notifications associated with an alert rule to a Demisto instance.
  1. Select Alerts > Alert Rules and either Create an Alert Rule for Run-Time Checks or select an existing rule to edit.
  2. On the Set Alert Notification page for the alert rule, select Demisto.
  3. Select the Demisto instance to which you want to send alerts triggered by this alert rule.
  4. Save the new alert rule or Confirm your changes to an existing alert rule.
