Ingest Alerts from Prisma Cloud - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-11-07
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Configure Data Collection Settings in Cortex XDR to receive alerts from Prisma Cloud.

Note

Ingesting alerts from Prisma Cloud requires a Cortex XDR Pro per GB license.

To receive alerts from Prisma Cloud, first configure the Collection Integrations settings in Cortex XDR. After you set up collection integration, Cortex XDR begins to receive alerts from Prisma Cloud every 30 seconds.

Cortex XDR then groups these alerts into incidents and adds them to the Alerts table. When Cortex XDR begins receiving the alerts, it creates a new Cortex Query Language (XQL) dataset (prisma_cloud_raw), which you can use to initiate XQL Search queries and create Correlation Rules. The in-app XQL Library contains sample search queries.

You can also configure Cortex XDR to collect data directly from other cloud providers using an applicable collector. For more information on the cloud collectors, see External Data Ingestion Vendor Support. The Prisma Cloud alerts are stitched to this data.

Complete the following tasks before you begin configuring Cortex XDR to receive alerts from Prisma Cloud.

  • Create an Access Key and Secret Key as explained in the Create and Manage Access Keys section of the [Prisma Cloud Administrator’s Guide].

  • Copy or download the Access Key ID and Secret Key as you will need them when configuring the Prisma Cloud Collector in Cortex XDR.

Configure Cortex XDR to receive alerts from Prisma Cloud.

  1. Select SettingsConfigurationsData CollectionCollection Integrations.

  2. In the Prisma Cloud collector configuration, click Add Instance to begin a new configuration.

  3. Set the following parameters.

    • Specify a Name to identify the connection.

    • Specify the Domain URL for Prisma Cloud.

      Note

      You can find your default Prisma Cloud domain in the Prisma Cloud API URL table.

    • Specify the Prisma Cloud Access Key Id that you received when you created an Access Key.

    • Specify the Prisma Cloud Secret Key that you received when you created an Access Key.

  4. To create Cortex XDR alerts from the ingested Prisma Cloud alerts, click Advanced Settings, and select the desired options:

    • Incidents: Create Cortex XDR alerts for runtime alerts detected by Prisma Cloud.

    • Risks: Create Cortex XDR alerts for Prisma Cloud findings and vulnerabilities that could be exploited by threat actors.

  5. Click Test to validate the connection, and then click Enable.

    In Cortex XDR, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Collector configuration with the amount of data received.

  6. (Optional) Manage your Prisma Cloud Collector.

    After you enable the Prisma Cloud Collector, you can make additional changes, as needed.

    To modify a configuration, select any of the following options.

    • Edit the Prisma Cloud Collector settings.

    • Disable the Prisma Cloud Collector.

    • Delete the Prisma Cloud Collector.

  7. After Cortex XDR begins receiving data from Prisma Cloud, you can use XQL Search to search for specific data, using the prisma_cloud_raw dataset and to view alerts in the Alerts table. In the Cortex XDR Alerts table, the Prisma Cloud alerts are listed as Prisma Cloud in the ALERT SOURCE column.