Ingest Alerts and Assets from Prisma Cloud

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Administrator Guide
Abstract

Configure Data Collection Settings in Cortex XSIAM to receive alerts and assets from Prisma Cloud.

To receive alerts and assets from Prisma Cloud, configure the Prisma Cloud Collector under Data Sources in Cortex XSIAM. After you enable the collector, Cortex XSIAM polls Prisma Cloud for new alerts and assets every 30 seconds.

Cortex XSIAM groups the ingested alerts into incidents and adds them to the Alerts table; the ingested assets are added to the Assets Inventory table. When the first alerts arrive, Cortex XSIAM creates a Cortex Query Language (XQL) dataset named prisma_cloud_raw, which you can query in XQL Search and use as the source for Correlation Rules. The in-app XQL Library contains sample search queries.

You can also configure Cortex XSIAM to collect data directly from the cloud providers themselves using the applicable cloud collector. For more information on the cloud collectors, see External Data Ingestion Vendor Support. Prisma Cloud alerts are stitched to that provider data, so an alert can be investigated alongside the logs of the cloud account it refers to.

Complete the following tasks before you begin configuring Cortex XSIAM to receive alerts from Prisma Cloud.

  • Create an Access Key and Secret Key as explained in the Create and Manage Access Keys section of the Prisma Cloud Administrator’s Guide. The key pair carries the permissions of the Prisma Cloud user who creates it, so create it from a user whose role is limited to reading alerts and assets rather than from an administrator account.

  • Copy or download the Access Key ID and Secret Key immediately; the Secret Key is shown only once, at creation, and cannot be retrieved later. You will need both values when configuring the Prisma Cloud Collector in Cortex XSIAM, and the Secret Key should be handled like any other service password (stored in a secrets manager, never in a ticket or chat).

Configure Cortex XSIAM to receive alerts and assets from Prisma Cloud.

  1. Select Settings → Data Sources.

  2. In the Prisma Cloud Collector configuration, click Add Instance to begin a new configuration.

  3. Set the following parameters.

    • Specify a Name to identify the connection.

    • Specify the Domain URL for Prisma Cloud.

      Note

      You can find your default Prisma Cloud domain in the Prisma Cloud API URL table.

    • Specify the Prisma Cloud Access Key Id that you received when you created an Access Key.

    • Specify the Prisma Cloud Secret Key that you received when you created an Access Key.

  4. To collect Prisma Cloud alerts, select Fetch alerts.

  5. To collect Prisma Cloud assets and vulnerabilities, select Fetch assets and vulnerabilities.

  6. To create Cortex XSIAM alerts from the ingested Prisma Cloud alerts, click Advanced Settings, and select the desired options:

    • Incidents: Create Cortex XSIAM alerts for runtime alerts detected by Prisma Cloud.

    • Risks: Create Cortex XSIAM alerts for Prisma Cloud findings and vulnerabilities that could be exploited by threat actors.

  7. Click Test to validate the connection, and then click Enable.

    In Cortex XSIAM, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Collector configuration with the amount of data received.

  8. (Optional) Manage your Prisma Cloud Collector.

    After you enable the Prisma Cloud Collector, you can make additional changes, as needed.

    To modify a configuration, select any of the following options.

    • Edit the Prisma Cloud Collector settings.

    • Disable the Prisma Cloud Collector.

    • Delete the Prisma Cloud Collector.

  9. After Cortex XSIAM begins receiving data from Prisma Cloud, you can run XQL Search queries against the prisma_cloud_raw dataset to find specific records, and view the ingested alerts in the Alerts table. In the Cortex XSIAM Alerts table, Prisma Cloud alerts show Prisma Cloud in the ALERT SOURCE column.
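The Test button in step 7 performs the same check you can do by hand: log in to the Prisma Cloud API with the key pair and list alerts. Running that check outside the UI is useful when Test fails and you need to know whether the domain, the key, or the key's permissions are at fault. The script below is an added example, not Palo Alto Networks code or part of the Cortex XSIAM collector. It uses only the Python standard library and assumes the public Prisma Cloud REST API: POST /login with the Access Key ID as "username" and the Secret Key as "password" returns a JWT in "token", later calls send that token in the x-redlock-auth header, and POST /v2/alert lists alerts for a time range and returns them under "items". The environment variable names and the console-to-API hostname rewrite (app → api, following the pattern of the Prisma Cloud API URL table) are assumptions; check the table for your tenant.

```python
"""Check a Prisma Cloud access key pair and preview the alerts Cortex XSIAM
will ingest. Added example, not Palo Alto Networks code; standard library only.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import urlparse


def api_base_from_domain(domain_url: str) -> str:
    """Map the console domain (app*.prismacloud.*) to its API base URL.

    Assumption: each row of the Prisma Cloud API URL table pairs an
    app<suffix> console host with an api<suffix> API host (app -> api,
    app2 -> api2, app.eu -> api.eu). Verify against the table for your tenant.
    """
    if "://" not in domain_url:
        domain_url = "https://" + domain_url
    host = (urlparse(domain_url).hostname or "").lower()
    if "prismacloud" not in host:
        raise ValueError(f"not a Prisma Cloud host: {host!r}")
    if host.startswith("api"):
        return "https://" + host          # already an API host
    if host.startswith("app"):
        return "https://api" + host[len("app"):]
    raise ValueError(f"cannot derive an API host from {host!r}")


def build_login_request(api_base: str, access_key_id: str, secret_key: str) -> urllib.request.Request:
    """POST /login: the Access Key ID is the username, the Secret Key the password."""
    payload = json.dumps({"username": access_key_id, "password": secret_key}).encode()
    return urllib.request.Request(
        api_base.rstrip("/") + "/login",
        data=payload,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )


def alert_query(minutes: int, status: str = "open") -> dict:
    """Body for POST /v2/alert: a relative time window plus an alert.status filter."""
    return {
        "detailed": False,
        "timeRange": {"type": "relative", "value": {"unit": "minute", "amount": minutes}},
        "filters": [{"name": "alert.status", "operator": "=", "value": status}],
    }


def summarize_alerts(items: list) -> dict:
    """Count alerts per (policy severity, cloud type): the first split a SOC
    checks when validating a new feed against what Prisma Cloud shows."""
    counts: dict = {}
    for alert in items:
        key = (alert.get("policy", {}).get("severity", "unknown"),
               alert.get("resource", {}).get("cloudType", "unknown"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records in the shape of Prisma Cloud alerts, for offline use.
SAMPLE_ALERTS = [
    {"id": "P-1", "status": "open", "policy": {"severity": "high"}, "resource": {"cloudType": "aws"}},
    {"id": "P-2", "status": "open", "policy": {"severity": "high"}, "resource": {"cloudType": "aws"}},
    {"id": "P-3", "status": "open", "policy": {"severity": "medium"}, "resource": {"cloudType": "azure"}},
]


def call(req: urllib.request.Request, transport=urllib.request.urlopen) -> dict:
    """Send a request and decode the JSON body; transport is injectable for tests."""
    with transport(req, timeout=30) as resp:
        return json.load(resp)


def main() -> int:
    # Never hard-code the key pair; read it from the environment (assumed variable names).
    domain = os.environ["PRISMA_DOMAIN_URL"]
    key_id = os.environ["PRISMA_ACCESS_KEY_ID"]
    secret = os.environ["PRISMA_SECRET_KEY"]
    api = api_base_from_domain(domain)
    token = call(build_login_request(api, key_id, secret)).get("token")
    if not token:
        print("login failed: no token returned (check the key pair)", file=sys.stderr)
        return 1
    req = urllib.request.Request(
        api + "/v2/alert",
        data=json.dumps(alert_query(30)).encode(),
        headers={"Content-Type": "application/json", "x-redlock-auth": token},
        method="POST",
    )
    items = call(req).get("items", [])  # an empty list with a valid token points at permissions
    for (severity, cloud), n in sorted(summarize_alerts(items).items()):
        print(f"{severity:>8} {cloud:<8} {n}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A login that fails points at the domain or the key pair; a login that succeeds but returns no alerts for a window in which the Prisma Cloud console shows open alerts points at the role the key was created under. The 30-minute window in main() is only a convenient preview; the collector itself polls every 30 seconds.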