Ingest Alerts from Prisma Cloud Compute - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-11-07
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Configure Data Collection Settings to receive alerts from Prisma Cloud Compute.

Note

Ingesting alerts from Prisma Cloud Compute requires a Cortex XDR Pro per GB license.

To receive alerts from Prisma Cloud Compute, first configure the Collection Integrations settings in Cortex XDR. In Prisma Cloud, you then must create a webhook, which provides the mechanism to interface Prisma Cloud’s alert system with Cortex XDR . After you set up your webhook, Cortex XDR begins receiving alerts from Prisma Cloud Compute.

Cortex XDR then groups these alerts into incidents and adds them to the Alerts table. When Cortex XDR begins receiving the alerts, it creates a new Cortex Query Language (XQL) dataset (prisma_cloud_compute_raw), which you can use to initiate XQL Search queries and to create Correlation Rules. The in-app XQL Library contain sample search queries.

Configure Cortex XDR to receive alerts from Prisma Cloud Compute.

  1. Select Settings ConfigurationsData CollectionCollection Integrations.

  2. In the Prisma Cloud Compute collector configuration, click Add Instance to begin a new alerts integration.

  3. Specify the Name for the Prisma Cloud Compute Collector displayed in Cortex XDR.

  4. Save & Generate Token. The token is displayed in a blue box, which is blurred in the image below.

    Click the Copy icon next to the Username and Password, and record them in a safe place, as you will need to provide them when you configure the Prisma Cloud Compute Collector for alerts integration. If you forget to record the key and close the window, you will need to generate a new key and repeat this process. When you are finished, click Done to close the window.

  5. Copy api url.

    In the Collection Integrations page for the Prisma Cloud Compute Collector that you created, select Copy api url, and record it somewhere safe. You will need to provide this API URL when you set the Incoming Webhook URL as part of the configuration in Prisma Cloud Compute.

    Note

    The URL format for the tenant is https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma.

  6. Create a webhook as explained in the Webhook Alerts section of the [Prisma Cloud Administrator’s Guide (Compute)].

    1. Use the Webhook option to configure the webhook.

    2. In Incoming Webhook URL, paste the API URL that you copied and recorded from Copy api url.

    3. In Credential Options, select Basic Authentication, and use the Username and Password that you saved when you generated the token.

    4. Select Container Runtime.

    5. Click Save.

      In Cortex XDR, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Compute Collector configuration with the amount of data received.

  7. (Optional) Manage your Prisma Cloud Compute Collector.

    After you enable the Prisma Cloud Compute Collector, you can make additional changes, as needed.

    To modify a configuration, select any of the following options.

    • Edit the Prisma Cloud Compute Collector settings.

    • Disable the Prisma Cloud Compute Collector.

    • Delete the Prisma Cloud Compute Collector.

  8. After Cortex XDR begins receiving data from Prisma Cloud Compute, you can use XQL Search to search for specific data using the prisma_cloud_compute_raw dataset and view alerts in the Alerts table. In the Cortex XDR Alerts table, the Prisma Cloud Compute alerts are listed as Prisma Cloud Compute in the ALERT SOURCE column and are classified as Medium in the SEVERITY column.