https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-compute-sentinel-integration-with-azure-functions/m-p/464714#M450 <P><SPAN>I am looking to integrate Prisma Cloud Compute (Twistlock) container runtime alerts with Azure Sentinel via Azure Functions instead of Logic Apps. Has anyone tested this and if so, could you provide the steps on how this can be done?</SPAN></P> <P><SPAN><LI-PRODUCT title="Prisma Cloud" id="Prisma_Cloud"></LI-PRODUCT>&nbsp;</SPAN></P> Wed, 03 Aug 2022 18:42:10 GMT ThilinaSenevirathna 2022-08-03T18:42:10Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-compute-sentinel-integration-with-azure-functions/m-p/464714#M450 <P><SPAN>I am looking to integrate Prisma Cloud Compute (Twistlock) container runtime alerts with Azure Sentinel via Azure Functions instead of Logic Apps. Has anyone tested this and if so, could you provide the steps on how this can be done?</SPAN></P> <P><SPAN><LI-PRODUCT title="Prisma Cloud" id="Prisma_Cloud"></LI-PRODUCT>&nbsp;</SPAN></P> Wed, 03 Aug 2022 18:42:10 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-compute-sentinel-integration-with-azure-functions/m-p/464714#M450 ThilinaSenevirathna 2022-08-03T18:42:10Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-compute-sentinel-integration-with-azure-functions/m-p/510082#M539 <P>Greetings ThilinaSenevirathna,</P> <P>&nbsp;</P> <P>I hope that this message finds you well! In trying to help you with your use case I have gotten some insight with the help of a colleague as to a process flow of what you are looking for:<BR /><SPAN>Step 1: Set up webhook alert to Azure API Management with alert payload specified to runtime alerts <BR />Step 2: Configure Azure Functions behind Azure API Management service to ingest webhook payload from the Prisma console <BR />Step 3: Use Azure Functions to parse out relevant data to be ingested in the Microsoft Sentinel service <BR />Step 4: Verify that Microsoft Sentinel has ingested the relevant data from the original Prisma webhook alert payload<BR /><BR /></SPAN>The core of what will solve for this use case is parsing out the relevant JSON fields from the webhook alert payload that is ingested from Prisma cloud into your Azure environment through the coded parsing logic in you Azure Function. Here is some documentation from the Azure website that may be helpful in setting up an API endpoint for your Azure Function via the API Management service:&nbsp;<A href="https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api" target="_blank">https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api</A></P> <P>In addition to this I was able to find this document to help with the configuration of Microsoft Sentinel being able to ingest data from an Azure Function:&nbsp;<A href="https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template?tabs=ARM" target="_blank">https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template?tabs=ARM</A></P> <P>Even though this document is centered around connecting to an application REST-API endpoint to ingest the logs as the payload via an Azure Function into Microsoft Sentinel, the logical basis of this may be useful in setting up the webhook integration with the runtime alert as the payload.&nbsp;</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>Avery</P> Wed, 27 Jul 2022 20:05:25 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-compute-sentinel-integration-with-azure-functions/m-p/510082#M539 AKing9 2022-07-27T20:05:25Z