Prisma Cloud Compute Sentinel Integration with Azure Functions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Prisma Cloud Compute Sentinel Integration with Azure Functions

I am looking to integrate Prisma Cloud Compute (Twistlock) container runtime alerts with Azure Sentinel via Azure Functions instead of Logic Apps. Has anyone tested this and if so, could you provide the steps on how this can be done?

Prisma Cloud 

1 REPLY 1

L4 Transporter

Greetings ThilinaSenevirathna,

 

I hope that this message finds you well! In trying to help you with your use case I have gotten some insight with the help of a colleague as to a process flow of what you are looking for:
Step 1: Set up webhook alert to Azure API Management with alert payload specified to runtime alerts
Step 2: Configure Azure Functions behind Azure API Management service to ingest webhook payload from the Prisma console
Step 3: Use Azure Functions to parse out relevant data to be ingested in the Microsoft Sentinel service
Step 4: Verify that Microsoft Sentinel has ingested the relevant data from the original Prisma webhook alert payload

The core of what will solve for this use case is parsing out the relevant JSON fields from the webhook alert payload that is ingested from Prisma cloud into your Azure environment through the coded parsing logic in you Azure Function. Here is some documentation from the Azure website that may be helpful in setting up an API endpoint for your Azure Function via the API Management service: https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api

In addition to this I was able to find this document to help with the configuration of Microsoft Sentinel being able to ingest data from an Azure Function: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template?tabs=ARM

Even though this document is centered around connecting to an application REST-API endpoint to ingest the logs as the payload via an Azure Function into Microsoft Sentinel, the logical basis of this may be useful in setting up the webhook integration with the runtime alert as the payload. 

 

Kind Regards,

Avery

J. Avery King | Prisma Cloud | Customer Success Engineer
  • 2623 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!