Send Prisma Cloud Alert Notifications to Third-Party Tools

Learn how to send Prisma™ Cloud alert notifications to your existing tools so that you can incorporate cloud security into your existing operational procedures.

Alert rules define which policy violations trigger an alert in a selected set of cloud accounts. When you create an alert rule for cloud infrastructure assets, you can also configure the rule to send the Alert Payload that the rule triggers to one or more third-party tools. For all channels except email, to enable notification of policy violations in your cloud environments in your existing operational workflows, you must Configure External Integrations on Prisma Cloud. You can either set up an integration before you create the alert rule or use the inline link in the alert rule creation process to set up the integration when you need it.

On some integrations, such as Google CSCC, AWS Security Hub, PagerDuty, and ServiceNow, Prisma Cloud can send a state-change notification to resolve an incident when the issue that generated the alert is resolved manually or if the resource was updated in the cloud environment and the service learns that the violation is fixed.

Refer to the following topics to enable an alert notification channel with third-party tools:

Send Alert Notifications to Amazon SQS

You can send Prisma Cloud alert notifications to Amazon Simple Queue Service (SQS).

  1. Integrate Prisma Cloud with Amazon SQS.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Amazon SQS".

  4. Select the SQS Queues to which you want to send alerts triggered by this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to Azure Service Bus Queue

You can send Prisma Cloud alert notifications to an Azure Service Bus queue.

  1. Integrate Prisma Cloud with Azure Service Bus Queue.

  2. Select Alerts > View Alert Rules.

  3. Navigate to "Configure Notifications > Azure Service Bus Queue".

  4. Select the Azure Service Bus Queue to which you want to send alerts triggered by this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications Through Email

To send email notifications for alerts triggered by an alert rule, Prisma Cloud provides a default email notification template. You can customize the message in the template using the in-app rich text editor and attach the template to an alert rule. In the alert notification, you can configure Prisma Cloud to send the alert details as an uncompressed CSV file or as a compressed zip file; the maximum attachment size is 9 MB.

All email notifications from Prisma Cloud include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address used is noreply@prismacloud.paloaltonetworks.com.

  1. (Optional) Set up a custom message for your email notification template.

    Prisma Cloud provides a default email template for your convenience, and you can customize the lead-in message within the body of the email using the rich-text editor.

    1. Select "Alerts > Notification Templates" and Add Notification Template

    2. Select the Email Notification template from the list.

    3. Enter a Template Name.

      The total length of the template name can be up to 99 characters and should not include special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’).

      If you had previously created a template that includes the unsupported characters and you try to update the template, an error message will indicate that the template name is invalid.

    4. Enter a Custom Note and select Next.

      The preview on the right gives you an idea of how your content will look.

    5. Review Status and Save Template.

  2. Select Alerts > View Alert Rules

  3. Navigate to "Configure Notifications > Email".

  4. Enter or select the Emails for which to send the alert notifications.

    You can include multiple email addresses and can send email notifications to email addresses in your domain and to guests external to your organization.

  5. Set the toggle to Enabled to send alert notifications and select Next.

  6. (Optional) Select your custom email Template, if you have one.

  7. Set the Frequency at which to send email notifications.

    • Instantly—Sends an email to the recipient list each time the alert rule triggers an alert.

    • Recurring—You can select the time interval as Daily, Weekly, or Monthly. Prisma Cloud sends a single email to the recipient list that lists all alerts triggered by the alert rule during that day, week, or month.

  8. Specify whether to include an attachment to the email.

    Including an attachment provides a way for you to include information on the alerts generated and the remediation steps required to fix the violating resource. When you select Attach detailed report, you can choose whether to Include remediation instructions to fix the root cause for the policy that triggered each alert, and opt to send it as a zip file (Compress attachment(s)).

    Each email can include up to 10 attachments. An attachment in the zip file format can have 60000 rows, while a CSV file can have 900 rows. If the number of alerts exceeds the maximum number of attachments, the alerts with the older timestamps are omitted.

  9. Review the Summary and Save the new alert rule or changes to an existing alert rule.

  10. Verify the alert notification emails.

    The email alert notification specifies the alert rule, account name, cloud type, the policies that were violated, the number of alerts for each violated policy, and the affected resources. Click the number of alerts to open the Prisma Cloud Alerts > Overview page.

Send Alert Notifications to a Slack Channel

You can send alert notifications associated with an alert rule to a Slack channel.

  1. Integrate Prisma Cloud with Slack.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Slack".

  4. Select the Slack Channels to which you want to send alerts triggered by this alert rule.

  5. Set the Frequency at which to send Slack notifications.

    • As it Happens—Sends a notification to the selected Slack channels each time the alert rule triggers an alert.

    • Daily—Sends a single notification to the selected Slack channels once each day that lists all alerts triggered by the alert rule on that day.

    • Weekly—Sends a single notification to the selected Slack channels once each week that lists all alerts triggered by the alert rule during that weekly interval.

    • Monthly—Sends a single notification to the selected Slack channels once each month that lists all alerts triggered by the alert rule during that monthly interval.

  6. Set the toggle to Enabled to send alert notifications and select Next.

  7. Review the Summary and Save the new alert rule or changes to an existing alert rule.

Send Alert Notifications to Splunk

You can send alert notifications associated with an alert rule to a Splunk event collector.

  1. Integrate Prisma Cloud with Splunk.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Splunk".

  4. (Optional) Select the Splunk Event Collectors to which you want to send alerts from this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to Jira

You can configure alert notifications triggered by an alert rule to create Jira tickets.

  1. Integrate Prisma Cloud with Jira.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Jira".

  4. Select the Jira Templates to use for creating tickets based on the alert payload data for alerts that are triggered by this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to Google Cloud SCC

You can send alert notifications to Google Cloud Security Command Center (SCC).

  1. Integrate Prisma Cloud with Google Cloud Security Command Center (SCC).

  2. Select Alerts > View Alert Rules

  3. Navigate to "Configure Notifications > Google CSCC".

  4. Select the Google CSCC Integrations that you want to use to send notifications of alerts triggered by this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to ServiceNow

You can send alert notifications to ServiceNow.

  1. Integrate Prisma Cloud with ServiceNow.

  2. Select Alerts > View Alert Rules

  3. Navigate to "Configure Notifications > ServiceNow".

  4. Select the ServiceNow Templates that you want to use to send notifications of alerts triggered by this alert rule.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to Webhooks

You can send alert notifications to Webhooks.

  1. Integrate Prisma Cloud with Webhooks.

  2. Select Alerts > View Alert Rules.

  3. Navigate to "Configure Notifications > Webhook".

  4. (Optional) Select the webhook Channels that you want to use to send notifications of alerts triggered by this alert rule.

    A webhook notification is delivered as soon as the alert is generated; there is no daily, weekly, or monthly digest option for this channel.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.
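The webhook channel delivers each alert as an HTTP POST to your endpoint, so the receiving side has to do the work that the managed integrations (ServiceNow, PagerDuty, Security Hub) do for you: authenticate the caller, tolerate retried deliveries, and close out an alert when a resolution notification arrives. The following receiver is an added example and not Prisma Cloud's own code. It assumes the webhook integration was configured with a custom request header named X-Webhook-Token carrying a shared secret, that the endpoint path is /prisma/alerts, and that the JSON body contains the string fields alertId, alertStatus ("open" or "resolved"), severity, policyName and resourceName; whether your webhook channel receives "resolved" state-change messages, and the exact field names, must be checked against the payload your tenant actually sends.

```python
"""Receiver for Prisma Cloud webhook alert notifications.

Added example; this is not Prisma Cloud's own code. Assumptions, none of which
come from the documentation:
  * The webhook integration was created with a custom request header named
    X-Webhook-Token that carries a shared secret, so the receiver can reject
    requests from anyone who does not know it.
  * The JSON body carries string fields alertId, alertStatus ("open" or
    "resolved"), severity, policyName and resourceName. Check the payload your
    tenant actually sends and adjust REQUIRED_FIELDS before deploying.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_SECRET = "replace-with-a-long-random-secret"  # assumed; keep in sync with the integration
WEBHOOK_PATH = "/prisma/alerts"                       # assumed path configured in the integration
MAX_BODY = 1 << 20                                    # refuse bodies larger than 1 MiB
REQUIRED_FIELDS = ("alertId", "alertStatus", "severity", "policyName", "resourceName")


def check_token(headers) -> bool:
    """Constant-time check of the shared-secret header (headers is any mapping with .get)."""
    presented = headers.get("X-Webhook-Token", "") or ""
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def process_alert(payload: dict, state: dict) -> str:
    """Apply one notification to `state` (alertId -> payload of alerts still open).

    Returns "opened", "duplicate", "resolved", "stale-resolve" or "invalid".
    Webhook deliveries can be retried, so an "open" for a known alertId is
    treated as a duplicate rather than paging twice; a "resolved" notification
    (the state-change message, if your channel sends one) closes the alert.
    """
    if not all(isinstance(payload.get(k), str) and payload[k] for k in REQUIRED_FIELDS):
        return "invalid"
    alert_id, status = payload["alertId"], payload["alertStatus"].lower()
    if status == "open":
        if alert_id in state:
            return "duplicate"
        state[alert_id] = payload
        return "opened"
    if status == "resolved":
        if state.pop(alert_id, None) is None:
            return "stale-resolve"  # never seen, or already closed; accepted so the sender does not retry
        return "resolved"
    return "invalid"


def handle_request(headers, body: bytes, state: dict) -> tuple:
    """Authenticate, bound, parse and process one POST. Returns (http_status, result)."""
    if not check_token(headers):
        return 401, "unauthorized"
    if len(body) > MAX_BODY:
        return 413, "too-large"
    try:
        payload = json.loads(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return 400, "bad-json"
    if not isinstance(payload, dict):
        return 400, "invalid"
    result = process_alert(payload, state)
    return (400 if result == "invalid" else 200), result


class WebhookHandler(BaseHTTPRequestHandler):
    state: dict = {}  # shared across requests served by this process

    def do_POST(self):
        if self.path != WEBHOOK_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0") or 0)
        body = self.rfile.read(min(length, MAX_BODY + 1))  # read at most one byte past the limit
        code, result = handle_request(self.headers, body, self.state)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(result.encode())


# Constructed sample payloads for local testing (not real Prisma Cloud output).
SAMPLE_OPEN = {"alertId": "P-12345", "alertStatus": "open", "severity": "high",
               "policyName": "S3 bucket publicly readable", "resourceName": "example-bucket"}
SAMPLE_RESOLVED = dict(SAMPLE_OPEN, alertStatus="resolved")
SAMPLE_OPEN_BODY = json.dumps(SAMPLE_OPEN).encode()
SAMPLE_RESOLVED_BODY = json.dumps(SAMPLE_RESOLVED).encode()

if __name__ == "__main__":
    # Assumed deployment: bind locally behind a TLS-terminating proxy that only
    # admits Prisma Cloud's egress addresses; the token check is the second layer.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Two design points worth noting. The shared-secret comparison uses hmac.compare_digest so a caller cannot time its way to the token, and the body is bounded before it is parsed so an oversized POST cannot exhaust memory. Duplicate "open" deliveries and resolves for unknown alerts are both answered with 200 on purpose: returning an error would only make the sender retry, which is the wrong outcome for a message you have already handled.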

Send Alert Notifications to PagerDuty

You can send alert notifications to PagerDuty.

  1. Integrate Prisma Cloud with PagerDuty.

  2. Select Alerts > View Alert Rules.

  3. Navigate to "Configure Notifications > PagerDuty".

  4. Select the Integration Key.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to AWS Security Hub

You can send alert notifications to AWS Security Hub.

  1. Integrate Prisma Cloud with AWS Security Hub.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > AWS Security Hub".

  4. (Optional) Select your account from the AWS Security Hub drop-down list.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.

Send Alert Notifications to Microsoft Teams

You can send alert notifications to Microsoft Teams.

  1. Integrate Prisma Cloud with Microsoft Teams.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Microsoft Teams".

  4. Select the Teams channels that you want to use to send notifications for alerts triggered by this alert rule.

  5. Set the Frequency at which to send notifications to the selected channels.

    • As it Happens—Sends a notification to the selected channels each time the alert rule triggers an alert.

    • Daily—Sends a single notification to the selected channels once each day that lists all alerts triggered by the alert rule on that day.

    • Weekly—Sends a single notification to the selected channels once each week that lists all alerts triggered by the alert rule during that weekly interval.

    • Monthly—Sends a single notification to the selected channels once each month that lists all alerts triggered by the alert rule during that monthly interval.

  6. Set the toggle to Enabled to send alert notifications and select Next.

  7. Review the Summary and Save the new alert rule or changes to an existing alert rule.

    When a policy rule is violated, a message card is posted to the Microsoft Teams conversation. The message card is formatted with a red (high), yellow (medium), or gray (low) line to indicate the severity of the alert; a daily notification, for example, arrives as a single summary card listing that day's alerts.

Send Alert Notifications to Cortex XSOAR

You can send alert notifications associated with an alert rule to a Cortex XSOAR instance.

  1. Integrate Prisma Cloud with Cortex XSOAR.

  2. Select "Alerts > Alert Rules".

  3. Navigate to "Configure Notifications > Cortex XSOAR".

  4. (Optional) Select your account from the Cortex XSOAR drop-down list.

  5. Set the toggle to Enabled to send notifications and select Next.

  6. Review the Summary and Save the new alert rule or your changes to an existing alert rule.