Prisma Cloud Integration with Google Security Operations (Chronicle)  


By Tomi Fajulugbe, Customer Success Engineer


Google Security Operations (SecOps) is a cloud-based platform that helps security teams detect, investigate, and respond to threats. It includes security orchestration, automation, and response (SOAR) capabilities. The product was formerly called Chronicle.

To pass alert information from Prisma Cloud to third-party integrations or tools such as Google Security Operations SIEM, you can use the webhook integration. Prisma Cloud sends alert data to a custom webhook, which can then be consumed by a security application. For demonstration in this article, we will work with Google Security Operations. This integration helps your incident response teams monitor and act on alerts in real time.

In this article we will cover how to configure both Google Security Operations and Prisma Cloud so that the resulting pipeline sends alert data from Prisma Cloud to Google Security Operations.

Configure a feed in Google SecOps to ingest Palo Alto Prisma Cloud alerts

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, PAN Prisma Cloud Alerts).
  4. Select Webhook as the Source type.
  5. Select Palo Alto Prisma Cloud Alerts payload as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
     • Split delimiter: the delimiter used to separate log lines, such as \n.
     • Asset namespace
     • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL on Prisma Cloud.
  13. Click Done.

Create a Google API key for the webhook feed

  1. Go to Google Cloud console > Credentials.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. On Prisma Cloud, specify the HTTPS endpoint URL provided in the webhook feed.
  2. Enable authentication by specifying the API key and secret key as custom headers in the following format:

     X-goog-api-key = API_KEY
     X-Webhook-Access-Key = SECRET

  3. Recommendation: Specify the API key as a header instead of specifying it in the URL.

Configure Palo Alto Prisma Cloud webhook to Google SecOps

  1. Sign in to Palo Alto Prisma Cloud.
  2. Select Settings > Integrations & Notification.
  3. Click Add Integration.
  4. Select Webhook.
  5. Specify values for the following input parameters:
     i.   Integration Name: provide a unique and descriptive name (for example, Google SecOps).
     ii.  Webhook URL: enter the ENDPOINT_URL.
     iii. Optional: provide a Description of the integration.
     iv.  Optional: enable Custom Payload.
     v.   HTTP Headers: specify the keys { X-goog-api-key : ****************** } and { X-Webhook-Access-Key : ****************** }.
  6. Click Next.
  7. Test and Save Integration.
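As an added example, not part of this article or of either product's own code, the following Python script builds and sends a test POST in the form configured above: the API key and feed secret in the two custom headers rather than in the URL, alerts as newline-delimited JSON so a \n split delimiter separates them into log lines, and a masked copy of the headers that is safe to log when troubleshooting the Test and Save step. The endpoint URL and the alert field names are placeholders and assumptions, not a documented schema.

```python
import json
import urllib.request

# Constructed sample alerts in a Prisma-Cloud-like shape (field names are an
# assumption for illustration, not the product's documented payload schema).
SAMPLE_ALERTS = [
    {"alertId": "P-EXAMPLE-1", "policyName": "Example policy A", "severity": "high"},
    {"alertId": "P-EXAMPLE-2", "policyName": "Example policy B", "severity": "medium"},
]
SECRET_HEADERS = ("x-goog-api-key", "x-webhook-access-key")


def build_webhook_request(endpoint_url, api_key, secret_key, alerts):
    """Return (url, headers, body) for a POST to the Google SecOps webhook feed.

    The API key and feed secret travel in the two custom headers from the
    article, never in the URL. Alerts are newline-delimited JSON so the feed's
    "Split delimiter" of \\n separates them into individual log lines.
    """
    if not endpoint_url.lower().startswith("https://"):
        raise ValueError("webhook endpoint must be an HTTPS URL")
    if "key=" in endpoint_url.lower():
        raise ValueError("put the API key in the X-goog-api-key header, not the URL")
    # Compact JSON contains no newlines, so "\n" is safe as the record delimiter.
    body = "\n".join(json.dumps(a, separators=(",", ":")) for a in alerts)
    headers = {
        "Content-Type": "application/json",
        "X-goog-api-key": api_key,
        "X-Webhook-Access-Key": secret_key,
    }
    return endpoint_url, headers, body


def redacted_headers(headers):
    """Copy of the headers with secret-bearing values masked, safe for logs."""
    return {k: ("****" if k.lower() in SECRET_HEADERS else v) for k, v in headers.items()}


def send_alerts(endpoint_url, api_key, secret_key, alerts, timeout=10):
    """Perform the POST and return the HTTP status code."""
    url, headers, body = build_webhook_request(endpoint_url, api_key, secret_key, alerts)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder endpoint; replace with the feed URL copied from the Details tab.
    url, hdrs, body = build_webhook_request(
        "https://ENDPOINT_URL_PLACEHOLDER/", "API_KEY", "SECRET", SAMPLE_ALERTS)
    print(redacted_headers(hdrs), body, sep="\n")
```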

Figure 1: Setup_PaloAltoNetworks

Figure 2: Chronicle_setup_PaloAltoNetworks

Finally, configure the Palo Alto Prisma Cloud Alerts rule to send alerts to the webhook integration that was created.

Conclusion

In this article, we described how to configure a generic webhook integration in Prisma Cloud to pass alert data to an external security application that can receive data from a webhook.

This article used Google Security Operations SIEM as an example of an external security application. We described how to configure a webhook feed in Google Security Operations as well as how to configure Prisma Cloud to talk to a custom webhook. We also covered adding the webhook integration to an alert rule.

Creating a webhook integration enables security operations teams to enhance their operational, ticketing, notification, and escalation workflows for Prisma Cloud alerts on policy violations across all your cloud environments.


About the Author

Tomi Fajulugbe is a Senior Customer Success Engineer at Palo Alto Networks. He has vast experience securing multi-cloud infrastructures and offers expertise across a wide range of Cloud Security Posture Management (CSPM) solutions for Prisma™ Cloud, supporting platforms including AWS, Azure, GCP, OCI, and Alibaba.

Last Updated: 02-19-2025 02:38 PM