Prisma Cloud Integration Guide
Prisma Cloud is a Cloud Native Application Protection Platform (CNAPP). It secures applications from code to cloud, letting security and DevOps teams collaborate to accelerate secure cloud-native application development and deployment.
What can Zenduty do for Prisma Cloud users?
With the Prisma Cloud integration, Zenduty routes new Prisma Cloud alerts to the right team and notifies the on-call engineers according to their schedules via email, text messages (SMS), phone calls (voice), Slack, Microsoft Teams and iOS/Android push notifications, escalating until the alert is acknowledged or closed. Zenduty gives your NOC, SRE and application engineers detailed context around each Prisma Cloud alert, along with playbooks and a complete incident command framework to triage, remediate and resolve incidents quickly.
With the Zenduty-Prisma Cloud integration, Zenduty creates a new incident (alert) whenever an alert is triggered in Prisma Cloud.
You can also use Alert Rules to custom route specific Prisma Cloud alerts to specific users, teams or escalation policies, write suppression rules, auto add notes, responders and incident tasks.
To integrate Prisma Cloud with Zenduty, complete the following steps:
In Zenduty:
- To add a new Prisma Cloud integration, go to Teams on Zenduty and click on the team you want to add the integration to.
- Next, go to Services and click on the relevant Service.
- Go to Integrations and then Add New Integration. Give it a name and select the application Prisma Cloud from the dropdown menu.
- Go to Configure under your Integrations and copy the generated Webhook URL & Integration Key.
In Prisma Cloud:
- Log into Prisma Cloud, go to Manage > Alerts and click Add profile.
- Enter a name for your alert profile. In Provider, select Webhook. In Webhook incoming URL, paste the Webhook URL you copied from Zenduty.
- For CWP (Compute) alerts, copy the JSON below and paste it into Custom JSON. Compute templates use bare `#name` placeholders, which Prisma Cloud expands into JSON values before the POST, so they are not wrapped in quotes:

```json
{
  "type": #type,
  "time": #time,
  "container": #container,
  "image": #image,
  "imageID": #imageID,
  "tags": #tags,
  "host": #host,
  "fqdn": #fqdn,
  "function": #function,
  "region": #region,
  "provider": #provider,
  "osRelease": #osRelease,
  "osDistro": #osDistro,
  "runtime": #runtime,
  "appID": #appID,
  "rule": #rule,
  "message": #message,
  "aggregated": #aggregated,
  "rest": #rest,
  "forensics": #forensics,
  "accountID": #accountID,
  "category": #category,
  "command": #command,
  "startupProcess": #startupProcess,
  "labels": #labels,
  "collections": #collections,
  "complianceIssues": #complianceIssues,
  "vulnerabilities": #vulnerabilities,
  "clusters": #clusters,
  "namespaces": #namespaces,
  "accountIDs": #accountIDs
}
```

- For other alert types, paste the JSON below. These templates use `${Name}` placeholders; string values are quoted in the template, while placeholders that expand to booleans, numbers, objects or arrays (for example `${HasFinding}`, `${AlertTime}`, `${ResourceData}`, `${ResourceTags}`) are left unquoted so the payload stays valid JSON:

```json
{
  "resourceId": "${ResourceId}",
  "alertRuleName": "${AlertRuleName}",
  "anomaly": "${Anomaly}",
  "accountName": "${AccountName}",
  "hasFinding": ${HasFinding},
  "resourceRegionId": "${ResourceRegionId}",
  "alertRemediationCli": "${RemediationCli}",
  "cloudType": "${CloudType}",
  "complianceMetadata": ${ComplianceMetadata},
  "callbackUrl": "${CallbackUrl}",
  "alertId": "${AlertId}",
  "policyLabels": ${PolicyLabels},
  "alertAttribution": ${AlertAttribution},
  "severity": "${Severity}",
  "policyName": "${PolicyName}",
  "resource": ${ResourceData},
  "resourceName": "${ResourceName}",
  "alertRemediationCliDescription": "${PolicyRemediationCliDesc}",
  "alertRemediationImpact": "${PolicyRemediationImpact}",
  "source": "Prisma Cloud",
  "resourceRegion": "${ResourceRegion}",
  "policyDescription": "${PolicyDescription}",
  "policyRecommendation": "${PolicyRecommendation}",
  "accountId": "${AccountId}",
  "policyId": "${PolicyId}",
  "alertTs": ${AlertTime},
  "firstSeen": ${FirstSeen},
  "lastSeen": ${LastSeen},
  "resourceType": "${ResourceType}",
  "additionalInfo": ${AdditionalInfo},
  "reason": "${Reason}",
  "alertStatus": "${Status}",
  "alertDismissalNote": "${AlertDismissalNote}",
  "alertRuleId": "${AlertRuleId}",
  "tags": ${ResourceTags},
  "findingSummary": ${FindingSummary},
  "policyType": "${PolicyType}",
  "resourceCloudService": "${ResourceCloudService}",
  "accountOwners": "${AccountOwners}",
  "accountAncestors": "${AccountAncestors}"
}
```

- Click Send Test Alert to test the connection. An alert is sent immediately; confirm that a corresponding incident appears in Zenduty before continuing.
- In Select triggers, select the events that should send an alert. To restrict this to specific rules, deselect All rules and then select the individual rules you want.
- Prisma Cloud is now integrated with Zenduty. Zenduty will create a new incident for every alert sent by Prisma Cloud.
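Prisma Cloud expands the placeholders server-side and POSTs the result to the Zenduty webhook, so a template only has to be valid JSON after expansion; a missing comma or a mangled placeholder name surfaces as a failed or empty test alert rather than as an error in the console. The linter below is an added example, not Zenduty's or Palo Alto Networks' code. It renders a template with constructed sample values and reports anything that would break the payload. The expansion rules it implements are assumptions inferred from the templates above (Compute `#name` placeholders become JSON-encoded values; CSPM `${Name}` placeholders become raw values, which is why string placeholders are quoted in the template and object/boolean placeholders are not), and the sample alert data is constructed for the example.

```python
"""Lint Prisma Cloud webhook payload templates before pasting them into the console.

Added example (not Zenduty's or Palo Alto Networks' code). Two placeholder
dialects exist and must not be mixed:
  - Compute (CWP) alert profiles:  #type, #host, ...   expanded to JSON values
  - CSPM webhook integrations:     ${AlertId}, ...     expanded to raw values
Both expansion rules are assumptions inferred from the official templates.
"""
import json
import re

CWP_RE = re.compile(r"#([A-Za-z]+)")
CSPM_RE = re.compile(r"\$\{([A-Za-z]+)\}")

# Constructed sample alert data for each dialect (shapes are assumed, not real alerts).
CWP_SAMPLE = {
    "type": "containerRuntime",
    "time": "2024-01-01T00:00:00Z",
    "host": "node-1",
    "rule": "Default - alert on suspicious runtime behavior",
    "message": 'Process "nc" launched',
    "aggregated": False,
    "vulnerabilities": [],
}
CSPM_SAMPLE = {
    "AlertId": "P-12345",
    "Severity": "high",
    "PolicyName": "AWS S3 bucket publicly readable",
    "HasFinding": False,
    "AlertTime": 1704067200000,
    "ResourceData": {"name": "my-bucket"},
    "ResourceTags": [{"key": "env", "value": "prod"}],
}

# Well-formed templates (a subset of the fields from the guide).
CWP_TEMPLATE = """{
  "type": #type,
  "time": #time,
  "host": #host,
  "rule": #rule,
  "message": #message,
  "aggregated": #aggregated,
  "vulnerabilities": #vulnerabilities
}"""
CSPM_TEMPLATE = """{
  "alertId": "${AlertId}",
  "severity": "${Severity}",
  "policyName": "${PolicyName}",
  "hasFinding": ${HasFinding},
  "alertTs": ${AlertTime},
  "resource": ${ResourceData},
  "tags": ${ResourceTags}
}"""

# Broken templates of the kind produced by copy/paste damage: missing commas,
# and a placeholder name split by a space so it is never expanded.
BROKEN_CWP = '{ "type": #type "time": #time "host": #host }'
BROKEN_CSPM = '{ "resourceId": "${Resource Id}", "severity": "${Severity}" }'


def render_cwp(template: str, values: dict) -> str:
    """#name -> JSON-encoded value (strings come back quoted, objects as JSON)."""
    return CWP_RE.sub(lambda m: json.dumps(values[m.group(1)]), template)


def render_cspm(template: str, values: dict) -> str:
    """${Name} -> raw value: strings are inserted bare (the template author
    supplies the surrounding quotes), everything else as JSON."""
    def sub(m):
        v = values[m.group(1)]
        return json.dumps(v)[1:-1] if isinstance(v, str) else json.dumps(v)
    return CSPM_RE.sub(sub, template)


def lint(template: str, values: dict, dialect: str) -> list:
    """Return a list of problems; an empty list means the template is safe to paste."""
    pattern, render = (CWP_RE, render_cwp) if dialect == "cwp" else (CSPM_RE, render_cspm)
    unknown = sorted(set(pattern.findall(template)) - set(values))
    if unknown:
        return [f"unknown placeholders for {dialect}: {unknown}"]
    rendered = render(template, values)
    problems = []
    if "${" in rendered:
        # A ${...} survived expansion: wrong dialect for this console, or a mangled name.
        problems.append("unexpanded '${...}' left in payload (wrong dialect or malformed name)")
    try:
        json.loads(rendered)
    except json.JSONDecodeError as e:
        problems.append(f"expands to invalid JSON: {e.msg} at char {e.pos}")
    return problems


def expand(template: str, values: dict, dialect: str) -> dict:
    """Render and parse a template, returning the payload Zenduty would receive."""
    render = render_cwp if dialect == "cwp" else render_cspm
    return json.loads(render(template, values))


if __name__ == "__main__":
    for name, tpl, vals, dialect in [
        ("cwp", CWP_TEMPLATE, CWP_SAMPLE, "cwp"),
        ("cspm", CSPM_TEMPLATE, CSPM_SAMPLE, "cspm"),
        ("broken cwp", BROKEN_CWP, CWP_SAMPLE, "cwp"),
        ("broken cspm", BROKEN_CSPM, CSPM_SAMPLE, "cspm"),
    ]:
        print(name, "->", lint(tpl, vals, dialect) or "OK")
```

Run the script after editing a template and before pasting it into the alert profile; only a template that lints clean is worth a Send Test Alert. The `BROKEN_CWP` case reproduces the missing-comma failure and `BROKEN_CSPM` the split placeholder, both of which pass a casual visual check.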