Prisma Cloud Runtime and Cloud Security Integration to Microsoft Sentinel

L0 Member

I am trying to integrate Palo Prisma Runtime Security and Cloud Security, with all of their alerts, into Microsoft Sentinel.

Try1: Palo Alto Prisma Cloud CWPP (using REST API) - This is the data connector available from Microsoft; its status is Connected but no data is received, although there are new alerts in Palo Prisma. Can you advise what configuration is required in Palo Prisma if this is the recommended method?

Try2: Palo Prisma Manage > Alert providers > Profile: the Provider option only has Webhook.

Try3: Palo Prisma Manage / Integration and Notification has Integration options for Azure Service Bus Queue and Webhook.

In Palo Prisma Cloud, I have the Runtime Security, Cloud Security, IaC Security and CI/CD Security modules turned on. Can you help advise which method to choose to ingest all security alerts into Microsoft Sentinel? Thank you.

2 REPLIES

L3 Networker

Hello!
You are correct. There is technically not a direct integration with Azure Sentinel. Your best bet is to start with Cloud Security, or CSPM, and use the webhook for integration. The same goes, secondly, for Compute Security. You should create the webhook integration for CSPM, then monitor for a bit to see that you are getting the alerts you want, and adjust as needed. Once you're satisfied, you should then integrate with Compute, again using the Webhook method. Remember that, once you perform the integration in the Compute module, you will see results in the form of events, vulnerabilities, etc. within the Compute module. While some of these events will get "transmitted" to CSPM, keep in mind that a lot of them will not. You will need to adjust your Alert Profile in the Compute module accordingly. Hope this helps.

L3 Networker

Hello!

The flow is as follows:

Step 1: Set up webhook alert to Azure API Management with alert payload specified to runtime alerts
Step 2: Configure Azure Functions behind Azure API Management service to ingest webhook payload from the Prisma console
Step 3: Use Azure Functions to parse out relevant data to be ingested in the Microsoft Sentinel service
Step 4: Verify that Microsoft Sentinel has ingested the relevant data from the original Prisma webhook alert payload
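The four-step flow in the reply above, and the webhook-first approach recommended in the first reply, as an added example that is not code from the original thread, from Palo Alto Networks or from Microsoft: a Python handler in the shape of an HTTP-triggered Azure Function that checks a shared secret on the incoming Prisma Cloud webhook, caps the body size, flattens the alert into columns, and builds the signed request to the Log Analytics HTTP Data Collector API that writes a custom table Sentinel can query. The header name X-Webhook-Secret, the workspace ID and key placeholders, and the field names in the sample alert are assumptions; the sample alert is constructed, and the outbound HTTP call is stubbed so the code runs offline.

```python
"""Added example: an HTTP-triggered Azure Function body (framework calls
stubbed) that receives a Prisma Cloud webhook alert, authenticates it,
flattens it and signs the request to the Log Analytics HTTP Data Collector
API so it lands in a Sentinel custom table. Not Prisma Cloud's or
Microsoft's own code; values marked 'assumed' are illustrative."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"     # assumed placeholder
SHARED_KEY_B64 = base64.b64encode(b"workspace-primary-key-placeholder").decode()  # assumed; real key lives in Key Vault
WEBHOOK_SECRET = "rotate-me-and-store-in-key-vault"       # assumed; same value set as a custom header on the Prisma side
SECRET_HEADER = "X-Webhook-Secret"                         # assumed header name
LOG_TYPE = "PrismaCloudAlert"                              # Sentinel table becomes PrismaCloudAlert_CL
MAX_BODY_BYTES = 1_000_000                                 # cap before json.loads runs

# Constructed sample alert; field names are assumptions, map them to what your alert profile emits.
SAMPLE_ALERT = {
    "alertId": "P-12345",
    "severity": "HIGH",
    "policyName": "Security group allows SSH from the internet",
    "resourceId": "sg-0abc123",
    "cloudType": "aws",
    "accountName": "prod-account",
    "alertTs": 1700000000000,
}
SAMPLE_BODY = json.dumps(SAMPLE_ALERT).encode("utf-8")


def verify_webhook(headers: dict, body: bytes) -> bool:
    """Constant-time check of the shared secret plus a body-size cap: the endpoint is internet-facing."""
    if len(body) > MAX_BODY_BYTES:
        return False
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode("utf-8"), WEBHOOK_SECRET.encode("utf-8"))


def flatten_alert(alert: dict) -> dict:
    """Pick the columns analysts will filter on and keep the full payload for everything else."""
    return {
        "AlertId": alert.get("alertId"),
        "Severity": str(alert.get("severity", "")).lower(),
        "Policy": alert.get("policyName"),
        "Resource": alert.get("resourceId"),
        "Cloud": alert.get("cloudType"),
        "Account": alert.get("accountName"),
        "RawJson": json.dumps(alert, separators=(",", ":"), sort_keys=True),
    }


def build_signature(date_rfc1123: str, content_length: int) -> str:
    """SharedKey authorization for the Data Collector API: HMAC-SHA256 with the
    decoded workspace key over 'POST\\n<len>\\napplication/json\\nx-ms-date:<date>\\n/api/logs'."""
    string_to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{date_rfc1123}\n/api/logs"
    key = base64.b64decode(SHARED_KEY_B64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {WORKSPACE_ID}:{base64.b64encode(digest).decode()}"


def prepare_ingest_request(records: list, now=None):
    """Return (url, headers, body) for the POST; the caller performs the network call."""
    now = now or datetime.now(timezone.utc)
    date_rfc1123 = format_datetime(now, usegmt=True)   # x-ms-date must be RFC 1123 in GMT
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(date_rfc1123, len(body)),
        "Log-Type": LOG_TYPE,
        "x-ms-date": date_rfc1123,
    }
    url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def handle_webhook(headers: dict, body: bytes):
    """The function entry point: returns (status, result) instead of an HttpResponse."""
    if not verify_webhook(headers, body):
        return 401, "unauthorized"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    alerts = payload if isinstance(payload, list) else [payload]
    records = [flatten_alert(a) for a in alerts if isinstance(a, dict)]
    if not records:
        return 400, "no alert objects in payload"
    url, req_headers, out_body = prepare_ingest_request(records)
    # In the deployed function: requests.post(url, headers=req_headers, data=out_body, timeout=10)
    return 200, {"url": url, "log_type": req_headers["Log-Type"], "records": len(records)}


if __name__ == "__main__":
    print(handle_webhook({SECRET_HEADER: WEBHOOK_SECRET}, SAMPLE_BODY))
```

Two caveats a practitioner would want. First, the Data Collector API signing shown here is specific to that legacy endpoint; Microsoft now steers new integrations to the Logs Ingestion API with a data collection rule, which authenticates with a Microsoft Entra token instead of the workspace key, so the Authorization logic changes if you go that route. Second, if your Prisma Cloud alert profile cannot set a custom header, do the authentication in the Azure API Management layer from Step 1 instead (a subscription key or client certificate) and keep the function private to that gateway; never leave the function URL reachable without some credential, since anything that can reach it can write arbitrary rows into the Sentinel table.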
