- 28 Feb 2024
Integrate Prisma Cloud DSPM with QRadar
- Updated on 28 Feb 2024
Overview
IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise, its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors. You can configure QRadar to receive notifications from Prisma Cloud DSPM on risks and alerts.
Prerequisite
You need to have a configured HTTP Receiver log source in QRadar. To configure this, follow the instructions here.
Integration
Step 1 - Setting Up a Certificate-Based Authentication for the HTTP Receiver
There are two alternative methods to integrate Prisma Cloud DSPM with QRadar, depending on the certificate you are working with.
Working With a Certificate Signed by a CA
If you are working with a certificate signed by a CA, you need to map the QRadar IP address to an FQDN (fully qualified domain name) and configure an SSL certificate for that FQDN. To do so, follow the instructions here.
Working With a Self-Signed Certificate
If you are working with a self-signed certificate, select Self-signed Generated Certificate under Server Certificate when you configure the HTTP Receiver log source (as detailed in the prerequisite). Note that this option is less recommended from a security perspective.
Step 2 - Configuring a Prisma Cloud DSPM-Webhook Integration
To integrate Prisma Cloud DSPM with Webhook, follow the instructions here and enter the details of your QRadar log source in the URL box. If you are working with a self-signed certificate, uncheck the Validate Certificate box. With validation disabled, the certificate presented by the QRadar log source is not verified, which is why the CA-signed option is preferred.
Once the integration is complete, Prisma Cloud DSPM sends a test event to QRadar. If the event is received, the integration is saved and displayed on the Webhook Integration page. You can find the event in QRadar by searching by log source, using the name assigned to the log source in QRadar.