11-15-2024 04:51 PM - edited 11-15-2024 05:02 PM
Integrating Prisma Cloud with Azure Sentinel lets you centralize and analyze security data from your Prisma Cloud environment in Azure Sentinel alongside the rest of your security telemetry. The integration forwards Prisma Cloud findings (audit incidents only) to Azure Sentinel through a Data Connector, so that Prisma Cloud audit incidents are ingested, correlated with other security data in Sentinel, and available for threat detection, security monitoring and incident response.
Before integrating Prisma Cloud with Azure Sentinel, ensure you meet the following requirements:
Prisma Cloud Account: A Prisma Cloud account with the permissions needed to create a service account and configure the platform.
Azure Sentinel Workspace: An active Azure Sentinel workspace in your Azure subscription (the steps below create one if you do not have it yet).
Azure Subscription Permissions: Sufficient permissions in Azure (e.g., the Contributor role on the resource group) to create the workspace and to deploy and manage Data Connectors in Azure Sentinel.
Network Connectivity: No firewall or network restriction blocking traffic between Azure Sentinel and the Prisma Cloud (Compute console) API, so that audit incidents can be transferred.
Here's a step-by-step guide to help you set up the Sentinel Workspace, deploy the connector, and complete the configuration:
Log in to the Azure Portal:
Navigate to https://portal.azure.com and log in with your credentials.
Create a Log Analytics Workspace:
Search for Log Analytics Workspaces in the search bar.
Click on + Create.
Fill in the required details:
Subscription: Choose your subscription.
Resource Group: Either create a new one or select an existing resource group.
Name: Enter a name for your workspace (e.g., SentinelWorkspace).
Region: Choose a region close to your infrastructure; this is also where the workspace's log data is stored.
Click Review + Create, and then click Create.
Enable Microsoft Sentinel:
After the workspace is created, navigate to Microsoft Sentinel by searching in the search bar.
Click on + Add.
Select the Log Analytics Workspace you just created and click Add Microsoft Sentinel.
Figure 1: Log Analytics Workspace
Figure 2: Log Analytics Workspace
Navigate to the Content Hub:
In the Microsoft Sentinel workspace, go to Content Hub from the left pane.
Search for Palo Alto Prisma Cloud CWPP.
Deploy the Solution:
Click on Get it now or Deploy.
Follow the on-screen prompts to deploy the solution to your Sentinel workspace.
The solution will deploy relevant workbooks, data connectors, and analytics rules.
Navigate to Data Connectors:
Go to Microsoft Sentinel > Configuration > Data connectors.
Search for Palo Alto Prisma Cloud CWPP.
Configure the Connector:
Click on the Open Connector Page.
Set up the data source connection:
Provide the Prisma Cloud Compute console URL (without the https:// prefix), together with the service account's API access key and API secret key. These are the credentials Azure Sentinel uses to connect to Prisma Cloud.
Note: the service account must hold the Admin role. Treat its secret key as a privileged credential and store it accordingly.
Figure 3: Prisma Cloud CWPP data connector page
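Before pasting the values into the connector page, it is worth confirming that the service account can actually reach the console API and read the audit incidents that the connector forwards. The following Python script is an added example, not code from the original post or from the Sentinel solution. It assumes the Prisma Cloud Compute console API endpoints /api/v1/authenticate and /api/v1/audits/incidents, reads the access key and secret key from the environment variables PRISMA_ACCESS_KEY and PRISMA_SECRET_KEY (names chosen here), and the sample incident records are constructed to resemble that endpoint's output, not captured from a real console. It also shows how the URL should be shaped for the connector field: scheme removed, trailing slash removed, but any tenant path kept (SaaS consoles are reached under a path such as /us-1-123456789; check Compute > Manage > System > Utilities > Path to Console for yours).

```python
"""Check that a Prisma Cloud Compute service account can read audit incidents.

Added example, not part of the original post. Assumes the Compute console API
(/api/v1/authenticate, /api/v1/audits/incidents); sample data is constructed.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import Counter


def normalize_console_url(value: str) -> str:
    """Return the console address in the form the connector field expects.

    Strips the https:// scheme and any trailing slash but keeps the host,
    port and tenant path, because the API lives under that path on SaaS
    consoles (assumption: e.g. us-west1.cloud.twistlock.com/us-1-123456789).
    """
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urllib.parse.urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https console URL, got {value!r}")
    return parts.netloc + parts.path.rstrip("/")


def authenticate(console: str, access_key: str, secret_key: str, timeout: int = 15) -> str:
    """Exchange the service account's access key/secret for a bearer token."""
    body = json.dumps({"username": access_key, "password": secret_key}).encode()
    req = urllib.request.Request(
        f"https://{console}/api/v1/authenticate",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["token"]


def fetch_incidents(console: str, token: str, limit: int = 50, timeout: int = 15) -> list:
    """Pull audit incidents, the data the Sentinel connector ingests."""
    query = urllib.parse.urlencode({"limit": limit})
    req = urllib.request.Request(
        f"https://{console}/api/v1/audits/incidents?{query}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp) or []  # the API returns null when there are none


def summarize_incidents(incidents: list) -> dict:
    """Count incidents by type and list the affected workloads.

    Field names (type, time, hostname, containerName, imageName) follow the
    Compute incidents API; SAMPLE_INCIDENTS below is constructed data.
    """
    by_type = Counter(i.get("type", "unknown") for i in incidents)
    workloads = sorted({
        (i.get("hostname", ""), i.get("containerName", ""), i.get("imageName", ""))
        for i in incidents
    })
    latest = max((i.get("time", "") for i in incidents), default="")
    return {"total": len(incidents), "by_type": dict(by_type),
            "workloads": workloads, "latest": latest}


# Constructed sample, shaped like /api/v1/audits/incidents output.
SAMPLE_INCIDENTS = [
    {"_id": "a1", "time": "2024-11-15T10:51:03Z", "type": "malware",
     "hostname": "node-1", "containerName": "nginx-test", "imageName": "nginx:latest"},
    {"_id": "a2", "time": "2024-11-15T10:52:17Z", "type": "malware",
     "hostname": "node-1", "containerName": "nginx-test", "imageName": "nginx:latest"},
    {"_id": "a3", "time": "2024-11-15T10:40:00Z", "type": "reverseShell",
     "hostname": "node-2", "containerName": "api", "imageName": "api:1.4"},
]


def main(argv: list) -> int:
    if len(argv) == 1:
        # Offline mode: show the summary on the constructed sample.
        print(json.dumps(summarize_incidents(SAMPLE_INCIDENTS), indent=2))
        return 0
    console = normalize_console_url(argv[1])
    access_key = os.environ["PRISMA_ACCESS_KEY"]  # same values the connector page asks for
    secret_key = os.environ["PRISMA_SECRET_KEY"]
    token = authenticate(console, access_key, secret_key)
    print(f"value for the connector URL field: {console}")
    print(json.dumps(summarize_incidents(fetch_incidents(console, token)), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the console URL as the only argument and the two environment variables set; a 401 from the authenticate call means the key pair is wrong or the service account lacks the role, and an empty summary means the account works but there are no incidents yet to forward, which is what you will see before triggering the malware test described below.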
With the data connector configured on the Azure side, trigger an incident on the Prisma Cloud side so that data starts flowing to Azure Sentinel.
Steps to trigger a malware detection in Prisma Cloud:
Follow the procedure in the Prisma Cloud document Test Prisma Cloud Malware Detection Capability (Custom Feeds).
Once Prisma Cloud detects the malware, the resulting audit incident should appear in Azure Sentinel within a few minutes.
Figure 4: Active incidents generated in Prisma Cloud
Figure 5: Container audits generated in Prisma Cloud
Back in the Azure Sentinel workspace, after a short delay the logs can be seen arriving in Azure Sentinel.
Figure 6: Logs ingested into Azure Sentinel
Figures 7 and 8: Container audit details ingested into Azure Sentinel
The data is now successfully ingested into Azure Sentinel. Note that only audit incident logs are sent to Azure Sentinel by this connector; other Prisma Cloud findings are not forwarded.
Integrating Prisma Cloud with Azure Sentinel strengthens your organization's cloud security posture by combining the two platforms. By using the Data Connector to forward Prisma Cloud audit incidents to Sentinel, you gain a single place to see, correlate and respond to those incidents together with the rest of your cloud security data.
For more detailed instructions or to address specific configurations, refer to the official Prisma Cloud and Azure Sentinel documentation.
1 - Connect your data source to the Microsoft Sentinel Data Collector API to ingest data
2 - Palo Alto Prisma Cloud CWPP (Preview)
3 - Microsoft Sentinel data connectors
4 - GitHub: Azure-Sentinel/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors
Vinay Kumar M is a seasoned professional with over 8 years of invaluable experience in the dynamic realm of cloud computing. As a Team lead, JAPAC CS Scale Team in PANW, Vinay specializes in navigating the intricate landscape of Prisma Cloud and Compute, showcasing his expertise in ensuring seamless operations for accounts across the Asia-Pacific region.