Ingest alerts and assets from Prisma Cloud - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide

Abstract

Configure Data Collection Settings in Cortex XSIAM to receive alerts and assets from Prisma Cloud.

To receive alerts and assets from Prisma Cloud, first configure the Data Sources settings in Cortex XSIAM. After you set up the collection integration, Cortex XSIAM begins to receive alerts and assets from Prisma Cloud every 30 seconds.

Cortex XSIAM then groups these alerts and assets into incidents and adds them to the Alerts table and the Unified Asset Inventory table. When Cortex XSIAM begins receiving the alerts, it creates a new Cortex Query Language (XQL) dataset (prisma_cloud_raw), which you can use to initiate XQL Search queries and create Correlation Rules. The in-app XQL Library contains sample search queries.

You can also configure Cortex XSIAM to collect data directly from other cloud providers using an applicable collector. For more information on the cloud collectors, see External Data Ingestion Vendor Support. The Prisma Cloud alerts are stitched to this data.

Complete the following tasks before you begin configuring Cortex XSIAM to receive alerts from Prisma Cloud.

  • Create an Access Key and Secret Key as explained in the Create and Manage Access Keys section of the Prisma Cloud Administrator’s Guide.

  • Copy or download the Access Key ID and Secret Key as you will need them when configuring the Prisma Cloud Collector in Cortex XSIAM.

Configure Cortex XSIAM to receive alerts and assets from Prisma Cloud.

  1. Select Settings → Data Sources.

  2. On the Data Sources page, click Add Data Source, search for and select Prisma Cloud Collector, and click Connect.

  3. Set the following parameters.

    • Specify a Name to identify the connection.

    • Specify the Domain URL for Prisma Cloud.

      Note: You can find your default Prisma Cloud domain in the Prisma Cloud API URL table.

    • Specify the Prisma Cloud Access Key Id that you received when you created an Access Key.

    • Specify the Prisma Cloud Secret Key that you received when you created an Access Key.

  4. To collect Prisma Cloud alerts, select Fetches alerts.

  5. To collect Prisma Cloud assets and vulnerabilities, select Fetch assets and vulnerabilities.

  6. Click Test to validate the connection, and then click Enable.

    In Cortex XSIAM, once alerts start to come in, a green check mark appears underneath the Prisma Cloud Collector configuration with the amount of data received.

  7. (Optional) Manage your Prisma Cloud Collector.

    After you enable the Prisma Cloud Collector, you can make additional changes, as needed.

    To modify a configuration, select any of the following options.

    • Edit the Prisma Cloud Collector settings.

    • Disable the Prisma Cloud Collector.

    • Delete the Prisma Cloud Collector.

  8. After Cortex XSIAM begins receiving data from Prisma Cloud, you can use XQL Search to search for specific data in the prisma_cloud_raw dataset, and you can view the alerts in the Alerts table. In the Cortex XSIAM Alerts table, the Prisma Cloud alerts are listed as Prisma Cloud in the ALERT SOURCE column.