Ingest Alerts from Prisma Cloud Compute

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-25
Category: Administrator Guide
Abstract

Configure Data Collection Settings to receive alerts from Prisma Cloud Compute.

To receive alerts from Prisma Cloud Compute, first configure the Data Sources settings in Cortex XSIAM. Then, in Prisma Cloud, create a webhook; the webhook is the mechanism that connects Prisma Cloud's alert system to Cortex XSIAM. After you set up the webhook, Cortex XSIAM begins receiving alerts from Prisma Cloud Compute.

Cortex XSIAM then groups these alerts into incidents and adds them to the Alerts table. When Cortex XSIAM begins receiving the alerts, it creates a new Cortex Query Language (XQL) dataset (prisma_cloud_compute_raw), which you can use to run XQL Search queries and to create Correlation Rules. The in-app XQL Library contains sample search queries.

Configure Cortex XSIAM to receive alerts from Prisma Cloud Compute.

  1. Select Settings → Data Sources.

  2. In the Prisma Cloud Compute Collector configuration, click Add Instance to begin a new alerts integration.

  3. Specify the Name for the Prisma Cloud Compute Collector displayed in Cortex XSIAM.

  4. Click Save & Generate Token. The token is displayed in a blue box, which is blurred in the image below.

    Click the Copy icon next to the Username and Password, and record them in a safe place; you will need to provide them when you configure the Prisma Cloud Compute Collector for alerts integration. If you close the window without recording the credentials, you will need to generate a new token and repeat this process. When you are finished, click Done to close the window.

  5. Copy api url.

    In the Data Sources page for the Prisma Cloud Compute Collector that you created, select Copy api url, and record it somewhere safe. You will need to provide this API URL when you set the Incoming Webhook URL as part of the configuration in Prisma Cloud Compute.

    Note

    The URL format for the tenant is https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma.

  6. Create a webhook as explained in the Webhook Alerts section of the [Prisma Cloud Administrator’s Guide (Compute)].

    1. Use the Webhook option to configure the webhook.

    2. In Incoming Webhook URL, paste the API URL that you copied and recorded from Copy api url.

    3. In Credential Options, select Basic Authentication, and use the Username and Password that you saved when you generated the token.

    4. Select Container Runtime.

    5. Click Save.

      In Cortex XSIAM, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Compute Collector configuration with the amount of data received.

  7. (Optional) Manage your Prisma Cloud Compute Collector.

    After you enable the Prisma Cloud Compute Collector, you can make additional changes, as needed.

    To modify a configuration, select any of the following options.

    • Edit the Prisma Cloud Compute Collector settings.

    • Disable the Prisma Cloud Compute Collector.

    • Delete the Prisma Cloud Compute Collector.

  8. After Cortex XSIAM begins receiving data from Prisma Cloud Compute, you can use XQL Search to search for specific data using the prisma_cloud_compute_raw dataset and view alerts in the Alerts table. In the Cortex XSIAM Alerts table, the Prisma Cloud Compute alerts are listed as Prisma Cloud Compute in the ALERT SOURCE column and are classified as Medium in the SEVERITY column.
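The following script is an added example, not part of this guide and not Palo Alto Networks code. It checks the two inputs the webhook step depends on before you save the configuration in Prisma Cloud Compute: that the Incoming Webhook URL matches the tenant API URL format documented in the Note above, and that the Username and Password from the Save & Generate Token step are encoded into the Basic Authentication header exactly as the Credential Options setting sends them. The tenant name, the credentials and the alert payload are constructed placeholders; the guide does not document the webhook payload format, so the sample body is illustrative only and is sent only when you run the script directly.

```python
import base64
import json
import re
import urllib.request

# URL format from the guide's Note: https://api-<tenant name>.xdr.us.paloaltonetworks.com/logs/v1/prisma
# The tenant-name character class is an assumption (letters, digits, hyphens).
API_URL_PATTERN = re.compile(
    r"^https://api-[A-Za-z0-9-]+\.xdr\.us\.paloaltonetworks\.com/logs/v1/prisma$"
)


def is_valid_api_url(url: str) -> bool:
    """True if url has the shape the 'Copy api url' step produces.

    Catches the common mistakes before they reach the webhook form:
    http instead of https, a missing /logs/v1/prisma path, or a trailing slash.
    """
    return API_URL_PATTERN.match(url) is not None


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for Basic Authentication.

    Prisma Cloud Compute sends base64("username:password") when
    Basic Authentication is selected under Credential Options.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(api_url: str, username: str, password: str, alert: dict) -> urllib.request.Request:
    """Build the POST the webhook would make, without sending it.

    Raises ValueError if the URL does not match the documented tenant format,
    so a typo is caught locally instead of producing silent delivery failures.
    """
    if not is_valid_api_url(api_url):
        raise ValueError(f"not a Cortex XSIAM Prisma ingest URL: {api_url}")
    body = json.dumps(alert).encode("utf-8")
    return urllib.request.Request(
        api_url,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(username, password),
            "Content-Type": "application/json",
        },
    )


def send_test_alert(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Send the prepared request and return the HTTP status code (network call)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed placeholder values: replace with your own tenant URL and the
# Username/Password recorded from Save & Generate Token.
EXAMPLE_API_URL = "https://api-example-tenant.xdr.us.paloaltonetworks.com/logs/v1/prisma"
EXAMPLE_USERNAME = "replace-with-collector-username"
EXAMPLE_PASSWORD = "replace-with-collector-password"

# Constructed sample body; the real webhook payload format is defined by
# Prisma Cloud Compute, not by this script.
EXAMPLE_ALERT = {
    "type": "containerRuntime",
    "message": "constructed test alert from webhook pre-flight check",
}

if __name__ == "__main__":
    request = build_request(EXAMPLE_API_URL, EXAMPLE_USERNAME, EXAMPLE_PASSWORD, EXAMPLE_ALERT)
    print("URL ok:", request.full_url)
    print("Authorization header:", request.get_header("Authorization"))
    # Uncomment to actually deliver the test body to your tenant:
    # print("HTTP status:", send_test_alert(request))
```

After the collector is saved in Cortex XSIAM and the webhook is saved in Prisma Cloud Compute, the green check mark under the collector configuration (step 6) is the confirmation that matters; this script only rules out a malformed URL or mis-encoded credentials beforehand, and a successful HTTP status from the optional send does not by itself prove that the body was parsed into the prisma_cloud_compute_raw dataset.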