Integrating Prisma Cloud with Azure Sentinel using the Data Connector

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

By Vinay Kumar M, Team Lead

 


Integrating Prisma Cloud with Azure Sentinel enables you to centralize and analyze security data from your Prisma Cloud environment within Azure Sentinel. This integration provides advanced threat detection, security monitoring, and incident response capabilities by forwarding Prisma Cloud findings (Only Audit Incidents) to Azure Sentinel. The process is streamlined through the use of a Data Connector, which allows Prisma Cloud Audit Incidents to be ingested and correlated with other security data within Sentinel.


Prerequisites

 

Before integrating Prisma Cloud with Azure Sentinel, ensure you meet the following requirements:

  1. Prisma Cloud Account: You need a Prisma Cloud account with the necessary permissions to access and configure the platform.

  2. Azure Sentinel Workspace: You must have an active Azure Sentinel workspace in your Azure subscription.

  3. Azure Subscription Permissions: You need sufficient permissions in Azure (e.g., Contributor role) to create and manage Data Connectors in Azure Sentinel.

  4. Network Connectivity: Ensure there is no network restriction between Prisma Cloud and Azure Sentinel, allowing the transfer of logs and events.


Here's a step-by-step guide to help you set up the Sentinel Workspace, deploy the connector, and complete the configuration:


1. Set Up the Azure Sentinel Workspace

 

  1. Log in to the Azure Portal:

  2. Create a Log Analytics Workspace:

    • Search for Log Analytics Workspaces in the search bar.

    • Click on + Create.

    • Fill in the required details:

      • Subscription: Choose your subscription.

      • Resource Group: Either create a new one or select an existing resource group.

      • Name: Enter a name for your workspace (e.g., SentinelWorkspace).

      • Region: Choose a region close to your infrastructure for better performance.

    • Click Review + Create, and then click Create.

  3. Enable Microsoft Sentinel:

    • After the workspace is created, navigate to Microsoft Sentinel by searching in the search bar.

    • Click on + Add.

    • Select the Log Analytics Workspace you just created and click Add Microsoft Sentinel.

 

 unnamed.png

Figure 1: Log-Analytics-Workspace_PaloAltoNetworks

 

unnamed.png

Figure 2: Log-Analytics-Workspace-Deployed_PaloAltoNetworks

 

2. Deploy the Prisma Cloud CWPP Data Connector

 

  1. Navigate to the Content Hub:

    • In the Microsoft Sentinel workspace, go to Content Hub from the left pane.

    • Search for Palo Alto Prisma Cloud CWPP or access it directly through this link.

  2. Deploy the Solution:

    • Click on Get it now or Deploy.

    • Follow the on-screen prompts to deploy the solution to your Sentinel workspace.

    • The solution will deploy relevant workbooks, data connectors, and analytics rules.

 

3. Install and Configure the Data Connector

 

  1. Navigate to Data Connectors:

    • Go to Microsoft Sentinel > Configuration > Data connectors.

    • Search for Palo Alto Prisma Cloud CWPP.

  2. Configure the Connector:

    • Click on the Open Connector Page.

    • Set up the data source connection:

      • Provide any URL (without https;//), Service Account API Access key, Service Account API Secret key, needed to connect Prisma Cloud to Azure Sentinel.

Note: Service Account Should be required with Admin Role/Permission.

 

unnamed.png

Figure 3: Prisma CWP Data Connectors_PaloAltoNetworks


Now that Data connector is successfully configured on the Azure Side, We can trigger an Incident on the Prisma Side, to start Ingesting the data to Azure Sentinel.
                

Steps to Trigger Malware detection in Prisma Cloud:


Please follow the procedure in the below doc - Test Prisma Cloud Malware Detection Capability
Custom Feeds

Once the Malware is detected in Prisma Cloud, the same should be now ingested to Azure Sentinel in a few minutes.

unnamed.png

Figure 4: Active Incidents Generated_PaloAltoNetworks

 

unnamed.png

Figure 5: Container Audits Generated_PaloAltoNetworks


Now, going back to Azure Sentinel Workspace, after sometime we can see the logs getting ingested into Azure Sentinel.

 

 

unnamed.png

Figure 6: Logs Ingested into Azure Sentinel_PaloAltoNetworks

 
 
unnamed.png

unnamed.png

Figure 7 & 8: Container Audit Details ingested into Azure Sentine_PaloAltoNetworks


So, the data is now successfully ingested into Azure Sentinel, however something to note only Audit Incident logs are sent to Azure Sentinel.


Conclusion

Integrating Prisma Cloud with Azure Sentinel enhances your organization's cloud security posture by leveraging the combined power of both platforms. By using the Data Connector to forward Prisma Cloud audit incidents to Sentinel, you gain comprehensive visibility, proactive threat detection, and seamless incident response for your cloud resources.

 

For more detailed instructions or to address specific configurations, refer to the official Prisma Cloud and Azure Sentinel documentation.

 

Reference

 

1 - Connect your data source to the Microsoft Sentinel Data Collector API to ingest data

2 - Palo Alto Prisma Cloud CWPP (Preview)

3 - Microsoft Sentinel data connectors

4 - github: Azure-Sentinel/Solutions/Palo Alto Prisma Cloud CWPP /Data Connectors

 

About the Author

 

Vinay Kumar M is a seasoned professional with over 8 years of invaluable experience in the dynamic realm of cloud computing. As a Team lead, JAPAC CS Scale Team in PANW, Vinay specializes in navigating the intricate landscape of Prisma Cloud and Compute, showcasing his expertise in ensuring seamless operations for accounts across the Asia-Pacific region.

Rate this article:
  • 574 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-15-2024 05:02 PM
Updated by: