<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel in Cortex Cloud Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1241376#M1541</link>
    <description>&lt;P&gt;I have set up the new Sentinel CCF connector from Sentinel for Prisma CSPM and, although I am getting the audit logs (this can be seen in the data type), for the alerts data type it is not receiving anything. In the past, the old Sentinel using Function App had the webhook configuration and alerts used to come in fine. But since we are now using the new CCF connector, does it still require the logic app and webhook to receive the alerts in the alert table, or is there a new process to get the alerts directly from Prisma Cloud? If yes, could you help me with the config please?&lt;/P&gt;
&lt;P&gt;Paul&lt;/P&gt;</description>
    <pubDate>Thu, 06 Nov 2025 17:22:43 GMT</pubDate>
    <dc:creator>giorgimax</dc:creator>
    <dc:date>2025-11-06T17:22:43Z</dc:date>
    <item>
      <title>Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232830#M1498</link>
      <description>&lt;P&gt;I am trying to integrate Palo Prisma Runtime Security and Cloud Security with all the alerts to Microsoft Sentinel.&lt;/P&gt;
&lt;P&gt;Try1: Palo Alto Prisma Cloud CWPP (using REST API) - This is the data connector available from Microsoft; status is Connected but no data is received although there are new alerts in Palo Prisma. Can you advise what configuration is required in Palo Prisma if this is the recommended method?&lt;/P&gt;
&lt;P&gt;Try2: Palo Prisma Manage Alert providers, Profile, Provider option only has Webhook&lt;/P&gt;
&lt;P&gt;Try3: Palo Prisma Manage / Integration and Notification has Integration option to Azure Service Bus Queue and Webhook.&lt;/P&gt;
&lt;P&gt;In Palo Prisma Cloud, I have runtime security, cloud security, IaC Security, CICD security modules turned on. Can you help advise what method to choose to ingest all security alerts to Microsoft Sentinel? Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jun 2025 03:29:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232830#M1498</guid>
      <dc:creator>balaji31d</dc:creator>
      <dc:date>2025-06-30T03:29:11Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232889#M1499</link>
      <description>&lt;P&gt;Hello!&lt;BR /&gt;You are correct. There is technically not a direct integration with Azure Sentinel. Your best bet is to start with Cloud Security, or CSPM, and use the webhook for integration. The same goes, secondly, with Compute Security. You should create the webhook integration for CSPM, then monitor for a bit to see that you are getting the alerts you want, and adjust as needed. Once you're satisfied, you should then integrate with Compute, again, using the Webhook method. Remember that, once you perform the integration in the Compute module, you will see results in the form of events, vulnerabilities, etc. within the Compute module. While some of these events will get "transmitted" to CSPM, keep in mind that a lot of them will not. You will need to adjust your Alert Profile in the Compute module accordingly. Hope this helps.&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jun 2025 13:26:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232889#M1499</guid>
      <dc:creator>JCalloway1</dc:creator>
      <dc:date>2025-06-30T13:26:25Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232908#M1500</link>
      <description>&lt;P&gt;Hello!&lt;/P&gt;
&lt;P&gt;The flow is as follows:&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Step 1: Set up webhook alert to Azure API Management with alert payload specified to runtime alerts&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Step 2: Configure Azure Functions behind Azure API Management service to ingest webhook payload from the Prisma console&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Step 3: Use Azure Functions to parse out relevant data to be ingested in the Microsoft Sentinel service&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Step 4: Verify that Microsoft Sentinel has ingested the relevant data from the original Prisma webhook alert payload&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jun 2025 18:50:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1232908#M1500</guid>
      <dc:creator>LMegrelis</dc:creator>
      <dc:date>2025-06-30T18:50:11Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1241376#M1541</link>
      <description>&lt;P&gt;I have set up the new Sentinel CCF connector from Sentinel for Prisma CSPM and, although I am getting the audit logs (this can be seen in the data type), for the alerts data type it is not receiving anything. In the past, the old Sentinel using Function App had the webhook configuration and alerts used to come in fine. But since we are now using the new CCF connector, does it still require the logic app and webhook to receive the alerts in the alert table, or is there a new process to get the alerts directly from Prisma Cloud? If yes, could you help me with the config please?&lt;/P&gt;
&lt;P&gt;Paul&lt;/P&gt;</description>
      <pubDate>Thu, 06 Nov 2025 17:22:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-cloud-discussions/prisma-cloud-runtime-and-cloud-security-integration-to-microsoft/m-p/1241376#M1541</guid>
      <dc:creator>giorgimax</dc:creator>
      <dc:date>2025-11-06T17:22:43Z</dc:date>
    </item>
  </channel>
</rss>

