
Integrate Prisma Cloud with Splunk

Learn how to integrate Prisma™ Cloud with Splunk.

Splunk is a software platform to search, analyze, and visualize machine-generated data gathered from websites, applications, sensors, and devices.

Prisma™ Cloud integrates with Splunk: it monitors your assets and sends alerts for resource misconfigurations, compliance violations, network security risks, and anomalous user activities to Splunk.

  1. Set up Splunk HTTP Event Collector (HEC) to view alert notifications from Prisma Cloud in Splunk.

    Splunk HEC lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. This consolidates alert notifications from Prisma Cloud into Splunk so that your operations team can review and act on the alerts.

    If you have a firewall or cloud Network Security Group between the internet and Splunk, you need to ensure network reachability and Enable Access to the Prisma Cloud Console.

    1. To set up HEC, follow the instructions in the Splunk documentation.

      For source type, _json is the default; if you specify a custom string on Prisma Cloud, that value will overwrite anything you set here.

    2. Select "Settings > Data inputs > HTTP Event Collector" and make sure you see HEC added in the list and that the status shows that it is Enabled.

  2. Set up the Splunk integration in Prisma Cloud.

    1. Log in to Prisma Cloud.

    2. Select "Settings > Integrations".

    3. Set Add Integration to Splunk.

    4. Enter an Integration Name and, optionally, a Description.

    5. Enter the Splunk HEC URL that you set up earlier.

      The Splunk HEC URL is a Splunk endpoint for sending event notifications to your Splunk deployment. You can use either HTTP or HTTPS for this purpose. Since Prisma Cloud sends data about an alert or error in JSON format, make sure to include the /services/collector endpoint as part of the Splunk HEC URL.

    6. Enter Auth Token.

      The integration uses token-based authentication between Prisma Cloud and Splunk to authenticate connections to Splunk HEC. A token is a 32-bit number that is presented in Splunk.

    7. (Optional) Specify the Source Type if you want all Prisma Cloud alerts to include this custom name in the alert payload.

    8. Click Next and then Test.

    9. Save the integration.

      After you set up the integration successfully, you can use the Get Status link in "Settings > Integrations" to periodically check the integration status.

  3. Create an Alert Rule for Run-Time Checks or modify an existing rule to receive alerts in Splunk.
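The following script is an added example (not Prisma Cloud's or Splunk's own code) that shows what the two setup steps above amount to on the wire: it validates that a Splunk HEC URL uses HTTPS and includes the /services/collector endpoint, builds the request HEC expects (the `Authorization: Splunk <token>` header and a JSON body whose `event` member carries the alert, with `sourcetype` defaulting to `_json` as in the HEC default), and can post a constructed alert so you can confirm reachability through any firewall or Network Security Group before saving the integration. The host name, port, token, and the alert field names are placeholders and assumptions, not values from the original page.

```python
"""Validate a Splunk HEC URL and post a Prisma-Cloud-style alert to it.

Added example, not Prisma Cloud's or Splunk's own code. Host, port, token and
alert field names below are placeholders/assumptions.
"""
import json
import urllib.request
from urllib.parse import urlparse

# The endpoint the integration doc says must be part of the Splunk HEC URL.
HEC_COLLECTOR_PATH = "/services/collector"


def validate_hec_url(url: str, require_https: bool = True) -> str:
    """Return the URL if it is a usable HEC collector URL, else raise ValueError.

    Checks: scheme is http or https (https required by default so the token and
    alert data are not sent in clear text), a host is present, and the path
    starts with /services/collector as required for JSON alert payloads.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if require_https and parts.scheme != "https":
        raise ValueError("HEC URL should use HTTPS to protect the token and alert data in transit")
    if not parts.netloc:
        raise ValueError("HEC URL has no host")
    if not parts.path.startswith(HEC_COLLECTOR_PATH):
        raise ValueError(f"HEC URL path must include {HEC_COLLECTOR_PATH}, got {parts.path!r}")
    return url


def build_hec_request(url: str, token: str, alert: dict, sourcetype: str = "_json") -> dict:
    """Build the URL, headers and body Splunk HEC expects for one JSON event.

    HEC authenticates with the header 'Authorization: Splunk <token>'. The body's
    'event' member carries the payload; 'sourcetype' defaults to _json (the HEC
    default in the doc), and a custom value stands in for the Source Type you
    would set on the Prisma Cloud side.
    """
    validate_hec_url(url)
    body = {"sourcetype": sourcetype, "event": alert}
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return {"url": url, "headers": headers, "body": json.dumps(body).encode()}


def send_alert(url: str, token: str, alert: dict, sourcetype: str = "_json", timeout: int = 10) -> dict:
    """POST one alert to HEC and return the parsed JSON response.

    A healthy HEC input answers {"text": "Success", "code": 0}; a rejected
    token or a disabled input comes back as an HTTP error instead.
    """
    req_parts = build_hec_request(url, token, alert, sourcetype)
    req = urllib.request.Request(
        req_parts["url"], data=req_parts["body"], headers=req_parts["headers"], method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


# Constructed sample alert in the shape of a Prisma Cloud misconfiguration alert.
# Field names are assumptions for illustration, not the real alert schema.
SAMPLE_ALERT = {
    "alertId": "P-EXAMPLE-1",  # placeholder, not a real alert id
    "policyName": "Example storage bucket is publicly accessible",
    "severity": "high",
    "status": "open",
}

if __name__ == "__main__":
    # Placeholders: replace with the HEC URL and token from your Splunk deployment
    # (8088 is Splunk's default HEC port).
    demo_url = "https://splunk.example.com:8088/services/collector"
    demo_token = "00000000-0000-0000-0000-000000000000"
    parts = build_hec_request(demo_url, demo_token, SAMPLE_ALERT, sourcetype="prisma_cloud_alert")
    print(parts["url"])
    print(parts["body"].decode())
    # To actually test reachability, uncomment the next line with real values:
    # print(send_alert(demo_url, demo_token, SAMPLE_ALERT, sourcetype="prisma_cloud_alert"))
```

Run it once with the real HEC URL and token; a `Success` response proves the path (/services/collector), the token, and the network route are all correct, which is the same thing the Test button in Prisma Cloud checks. Keeping `require_https=True` mirrors the advice to prefer HTTPS for the HEC URL, because the token travels in every request header.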