02-09-2022 07:14 PM - last edited on 08-03-2022 11:42 AM by RPrasadi
I am looking to integrate Prisma Cloud Compute (Twistlock) container runtime alerts with Azure Sentinel via Azure Functions instead of Logic Apps. Has anyone tested this and if so, could you provide the steps on how this can be done?
07-27-2022 01:05 PM
Greetings ThilinaSenevirathna,
I hope that this message finds you well! In trying to help you with your use case I have gotten some insight with the help of a colleague as to a process flow of what you are looking for:
Step 1: Set up webhook alert to Azure API Management with alert payload specified to runtime alerts
Step 2: Configure Azure Functions behind Azure API Management service to ingest webhook payload from the Prisma console
Step 3: Use Azure Functions to parse out relevant data to be ingested in the Microsoft Sentinel service
Step 4: Verify that Microsoft Sentinel has ingested the relevant data from the original Prisma webhook alert payload
The core of what will solve for this use case is parsing out the relevant JSON fields from the webhook alert payload that is ingested from Prisma Cloud into your Azure environment through the coded parsing logic in your Azure Function. Here is some documentation from the Azure website that may be helpful in setting up an API endpoint for your Azure Function via the API Management service: https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api
In addition to this I was able to find this document to help with the configuration of Microsoft Sentinel being able to ingest data from an Azure Function: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template?tabs=ARM
Even though this document is centered around connecting to an application REST-API endpoint to ingest the logs as the payload via an Azure Function into Microsoft Sentinel, the logical basis of this may be useful in setting up the webhook integration with the runtime alert as the payload.
Kind Regards,
Avery
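An added example (not from the original post, and not Prisma Cloud or Microsoft code) of the parsing and signing logic at the heart of Step 3: it validates the webhook body, maps it to Sentinel columns, and signs the POST for the Log Analytics HTTP Data Collector API that the linked Azure Functions template relies on. The webhook field names, the `FIELD_MAP` columns, the `PrismaRuntimeAlert` log type and the sample payload are assumptions, because the webhook body is whatever JSON template you define in the Prisma console.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed webhook keys (left) and the Sentinel columns they become (right).
FIELD_MAP = {
    "time": "TimeGenerated", "type": "AlertType", "host": "Hostname",
    "container": "Container", "image": "Image", "rule": "RuleName",
    "message": "Message", "level": "Severity",
}
REQUIRED = ("time", "type", "host", "rule", "message")

def parse_runtime_alert(body: bytes) -> dict:
    """Validate the webhook body and flatten it into one Sentinel record."""
    alert = json.loads(body)
    missing = [k for k in REQUIRED if not alert.get(k)]
    if missing:  # reject malformed or unexpected payloads instead of ingesting junk
        raise ValueError(f"webhook payload missing fields: {missing}")
    return {col: alert[key] for key, col in FIELD_MAP.items() if key in alert}

def data_collector_headers(workspace_id: str, shared_key: str, body: bytes,
                           log_type: str, rfc1123_date: str = None) -> dict:
    """Build the SharedKey-signed headers for the HTTP Data Collector API."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    string_to_sign = (f"POST\n{len(body)}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return {
        "Content-Type": "application/json",
        "Log-Type": log_type,                  # lands in the <log_type>_CL custom table
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",
        "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}",
    }

def ingest_url(workspace_id: str) -> str:
    return f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"

# Constructed sample standing in for what the Prisma console would POST.
SAMPLE_ALERT = json.dumps({
    "time": "2022-02-09T19:14:00Z", "type": "containerRuntime", "host": "aks-node-1",
    "container": "web-1", "image": "acme/web:1.4", "rule": "Suspicious process (example rule)",
    "message": "Unexpected process started in container", "level": "high",
}).encode()

def handle_webhook(body: bytes, workspace_id: str, shared_key: str):
    """Function core: return (url, headers, body) for the Function to POST to Sentinel."""
    payload = json.dumps([parse_runtime_alert(body)]).encode()
    return ingest_url(workspace_id), data_collector_headers(
        workspace_id, shared_key, payload, "PrismaRuntimeAlert"), payload
```

The Azure Function's HTTP trigger would call `handle_webhook` with the request body, the workspace ID and primary key from application settings, and POST the result with `urllib` or `requests`; put the Function behind API Management (Step 2) so the webhook endpoint is not exposed unauthenticated.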