Integrate Prisma Cloud DSPM with Webhooks
- Updated on 28 Feb 2024
A webhook is an integration pattern in which an application sends an HTTP request to a configured URL every time a qualifying event happens. Prisma Cloud DSPM sends its webhook messages as JSON bodies; point the integration at your webhook-receiving platform's URL to get real-time notifications on risks, alerts, or both.
Prerequisite
Before you start, check whether your SIEM/SOC platform's webhook endpoint requires additional HTTP headers (usually an authentication token). You enter them while creating the integration, so have the key and value ready.
Integration
- In Prisma Cloud DSPM, go to Settings > Integrations.
- Under Notifications, select Webhooks and click Connect.
- Enter your webhook-receiving platform's URL. Note: the URL can also be an IP address with a high port, in the form https://<IP>:<port>. The supported high ports are 12465-12475 and 8443; other high ports are not supported.
- Under Notified On, select whether you want to be notified on Alerts, Risks, or All. Note: to apply different logic to risks and alerts, set up two integrations. For example, send all alert severity levels to your SIEM platform and send Medium and above risks to a different platform.
- Leave the Validate Certificate box checked (the default) unless the receiver uses a self-signed certificate. Unchecking it disables TLS certificate validation, so Prisma Cloud DSPM will accept any certificate the endpoint presents, including one from a man-in-the-middle on the path to your receiver, and any authentication headers you add below would be exposed to that party. Uncheck it only if you trust the server identity by other means.
- Select the Severity Threshold for receiving notifications. The recommended severity is Medium and above.
- If additional headers are required by the service you are connecting (usually for authentication reasons), click + Add headers and enter the Key and Value for each added header.
- Click Create.
To verify that the integration works, check that your webhook-receiving platform received a notification containing a "Hello" message.
Examples of risks and alerts sent from Prisma Cloud DSPM
Example of a Webhook Alert body sent from Prisma Cloud DSPM:
{
"timestamp": 1700558955.309811162,
"alertName": "Production data asset deleted",
"actor": "smokey-assumed",
"target": "smokey-dynamodb-on-demand-0u82f2k2s1",
"project": "Sandbox Client 1",
"projectLabel": "PRODUCTION",
"severity": "Low",
"category": "ATTACK",
"targetIdentifier": "arn:aws:dynamodb:eu-central-1:454968046599:table/smokey-dynamodb-on-demand-0u82f2k2s1",
"cloud": "AWS",
"serviceType": "DynamoDB",
"alertId": 269756357,
"region": "eu-central-1",
"description": "Deleting production data assets is both the culmination of an attack on a data asset, as well as a stealth tactic used by attackers to delete assets that were created as part of the attack. This policy triggers an alert when an asset is deleted from a project that is tagged as 'Production' in Prisma Cloud DSPM.",
"assetTags": {},
"assetDigTags": {},
"assetLabels": [],
"investigationLink": "https://dashboard.dev-2.dig.security/company/2001/alerts/269756357"
}
Example of a Webhook Risk body sent from Prisma Cloud DSPM:
{
"riskName": "Sensitive asset without automatic backups",
"severity": "Low",
"affects": "Security and Compliance",
"assetName": "digsecuritye672be0fdb58",
"assetId": "/subscriptions/cc9aa240-08f4-4a1c-9586-faec8a3ef048/resourcegroups/dig-security-rg-acf9c7a/providers/microsoft.storage/storageaccounts/digsecuritye672be0fdb58",
"investigationLink": "https://dashboard.dev-2.dig.security/company/2001/risks/findings/269609916?pageNumber=1&pageSize=15&sort=riskDefinitionSeverity%7Cdesc&riskDefinitionNameIn=Sensitive+asset+without+automatic+backups&affectedAssetNameContains=digsecuritye672be0fdb58",
"status": "Open",
"project": "Sandbox-Client-1",
"projectLabel": "Production",
"firstDetectedOn": "2023-11-21T08:11:21.646Z",
"serviceType": "Storage Account",
"cloud": "AZURE",
"region": "westeurope",
"assetTags": {
"dig-security": "true"
},
"assetDigTags": {
"QA": [
"QA"
],
"test3": [
"test4"
],
"Staging": [
"Env"
],
"Test": [
"qa",
"test2"
]
},
"remediateInstruction": null,
"assetLabels": [
"PHI",
"PII",
"PCI",
"Developer Secrets",
"Sensitive"
],
"additionalInfo": "Data Type Groups: PII, PHI, PCI, Developer Secrets, Sensitive",
"description": "Automatic backup plans ensure that the data within the asset is recoverable in the event of a disaster or a malicious attack. In addition, many compliance standards require automatic backups for all assets containing sensitive or business data."
}
To prevent alert flooding, if Prisma Cloud DSPM has sent more than roughly 30 alerts within 1 hour, it sends a single notification that multiple alerts were created and then sends no further alert notifications for the next 4 hours. Treat that notification as a trigger to review the alerts in the console, because individual alerts raised during the suppression window are not delivered to the webhook.
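The receiver side of this integration, as an added example that is not part of the original page and not Prisma Cloud DSPM's own code. It checks a shared-secret header (the header name X-DSPM-Token and its value are this example's assumptions; DSPM only lets you add arbitrary headers under + Add headers), tells alert bodies from risk bodies by the keys shown in the two example bodies above, flattens both into one record a SIEM can index, and routes by a local severity threshold. The sample inputs are trimmed copies of the alert and risk bodies above; the "Hello" body is a placeholder, since the page does not show the verification message's exact format.

```python
"""Receiver logic for Prisma Cloud DSPM webhook bodies: pure functions, no network."""
import hmac
import json
from typing import Any, Dict, Optional, Tuple

# Ranking behind the Severity Threshold setting. The ranks are this example's own;
# the page shows only "Low" in its bodies and names "Medium and above" as recommended.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# ASSUMPTION: a custom header added under "+ Add headers" that carries a shared secret.
# DSPM does not define this header name; the receiver side chooses it.
AUTH_HEADER = "X-DSPM-Token"
SHARED_SECRET = "replace-with-a-long-random-value"


def is_authorized(headers: Dict[str, str], secret: str = SHARED_SECRET) -> bool:
    """Compare the shared-secret header in constant time (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(AUTH_HEADER.lower(), "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def classify(body: Dict[str, Any]) -> str:
    """Alert bodies carry alertName/alertId, risk bodies carry riskName/assetId; anything
    else (the "Hello" test message, a suppression notice) is acknowledged as "other"."""
    if "alertName" in body and "alertId" in body:
        return "alert"
    if "riskName" in body and "assetId" in body:
        return "risk"
    return "other"


def meets_threshold(severity: Optional[str], threshold: str = "Medium") -> bool:
    """True when severity is at or above threshold; unknown severities never qualify."""
    return SEVERITY_RANK.get(severity or "", 0) >= SEVERITY_RANK[threshold]


def normalise(body: Dict[str, Any], kind: str) -> Dict[str, Any]:
    """Flatten the two body shapes into one SIEM-friendly record."""
    return {
        "kind": kind,
        "name": body.get("alertName") or body.get("riskName"),
        "severity": body.get("severity"),
        "cloud": body.get("cloud"),
        "region": body.get("region"),
        "serviceType": body.get("serviceType"),
        "project": body.get("project"),
        "projectLabel": body.get("projectLabel"),
        # Alerts identify the asset by targetIdentifier, risks by assetId.
        "asset": body.get("targetIdentifier") or body.get("assetId"),
        "labels": list(body.get("assetLabels") or []),
        "link": body.get("investigationLink"),
    }


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   page_threshold: str = "High") -> Tuple[int, Optional[Dict[str, Any]]]:
    """Return (HTTP status, record). Records at or above page_threshold get route="page",
    the rest route="log"; unauthenticated or malformed requests are rejected."""
    if not is_authorized(headers):
        return 401, None
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(body, dict):
        return 400, None
    kind = classify(body)
    if kind == "other":
        return 200, {"kind": "other", "raw": body}  # keep for audit, do not alert on it
    record = normalise(body, kind)
    record["route"] = "page" if meets_threshold(record["severity"], page_threshold) else "log"
    return 200, record


# Constructed inputs: trimmed copies of the alert and risk bodies shown on this page.
SAMPLE_ALERT = json.dumps({
    "timestamp": 1700558955.309811162, "alertName": "Production data asset deleted",
    "actor": "smokey-assumed", "severity": "Low", "category": "ATTACK",
    "targetIdentifier": "arn:aws:dynamodb:eu-central-1:454968046599:table/smokey-dynamodb-on-demand-0u82f2k2s1",
    "cloud": "AWS", "serviceType": "DynamoDB", "alertId": 269756357, "region": "eu-central-1",
    "project": "Sandbox Client 1", "projectLabel": "PRODUCTION", "assetLabels": [],
    "investigationLink": "https://dashboard.dev-2.dig.security/company/2001/alerts/269756357",
}).encode()
SAMPLE_RISK = json.dumps({
    "riskName": "Sensitive asset without automatic backups", "severity": "Low", "status": "Open",
    "assetId": "/subscriptions/cc9aa240-08f4-4a1c-9586-faec8a3ef048/resourcegroups/dig-security-rg-acf9c7a/providers/microsoft.storage/storageaccounts/digsecuritye672be0fdb58",
    "cloud": "AZURE", "region": "westeurope", "serviceType": "Storage Account",
    "project": "Sandbox-Client-1", "projectLabel": "Production",
    "assetLabels": ["PHI", "PII", "PCI", "Developer Secrets", "Sensitive"],
}).encode()
# Placeholder for the verification message; the page does not show its exact body.
SAMPLE_HELLO = b'{"message": "Hello"}'
GOOD_HEADERS = {"Content-Type": "application/json", "x-dspm-token": SHARED_SECRET}

if __name__ == "__main__":
    for raw in (SAMPLE_ALERT, SAMPLE_RISK, SAMPLE_HELLO):
        print(handle_webhook(GOOD_HEADERS, raw))
    print(handle_webhook({}, SAMPLE_ALERT))  # no auth header -> (401, None)
```

Two design points matter here. The header secret is compared with hmac.compare_digest rather than ==, so a wrong token cannot be guessed byte by byte from response timing; and it only protects you if Validate Certificate stays on, because with validation off a man-in-the-middle sees the header in clear. Bodies that are neither alerts nor risks are answered with 200 and kept for audit, so the "Hello" verification message and the multiple-alerts suppression notice are accepted without being turned into incidents.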
If you chose to receive Alert notifications, the Alert body contains the following parameters:

| Value name | Description | Example |
|---|---|---|
| timestamp | Time the alert was raised, as a Unix epoch timestamp in seconds | 1700558955.309811162 |
| alertName | Alert name | Production data asset deleted |
| actor | Actor (the identity that performed the action) | smokey-assumed |
| target | Target asset name | smokey-dynamodb-on-demand-0u82f2k2s1 |
| project | Project name | Prod-table |
| projectLabel | Project label (Production, Dev, Stage, Testing) | Production |
| severity | Alert severity | Low |
| category | Alert category | ATTACK |
| targetIdentifier | Cloud identifier of the target asset (for example an ARN) | arn:aws:dynamodb:eu-central-1:565079157600:table/smokey-dynamodb-on-demand-0u923g3h2s2 |
| cloud | Cloud provider | AWS |
| serviceType | Service name | DynamoDB |
| alertId | Alert identifier | 269756357 |
| region | Region | eu-central-1 |
| description | Description | Deleting production data assets is both the culmination of an attack on a data asset, as well as a stealth tactic used by attackers to delete assets that were created as part of the attack. This policy triggers an alert when an asset is deleted from a project that is tagged as 'Production' in Prisma Cloud DSPM. |
| assetTags | Cloud provider tags on the asset (key/value map; empty when none) | {"dig-security": "true"} |
| assetDigTags | Prisma Cloud DSPM tags on the asset (empty when none) | QA |
| assetLabels | Data labels associated with the asset | PII |
| investigationLink | Link to the alert in Prisma Cloud DSPM | https://dashboard.dev-2.dig.security/company/2001/alerts/269756357 |
If you chose to receive Risk notifications, the Risk body contains the following parameters:

| Value name | Description | Example |
|---|---|---|
| riskName | Risk name | Sensitive asset not encrypted |
| severity | Risk severity | High |
| affects | Relevant framework (Security, Compliance, or both) | Security and Compliance |
| assetName | Asset name | sensitivebucket |
| assetId | Asset unique ID (the cloud resource identifier) | *********** |
| investigationLink | Link to the relevant risk in Prisma Cloud DSPM | https://app.dig.security/*** |
| status | Risk status (Open/Closed) | Open |
| project | Project name | Prod-table |
| projectLabel | Project label (Production, Dev, Stage, Testing) | Production |
| firstDetectedOn | Risk detection timestamp (ISO 8601, UTC) | 2023-11-21T08:11:21.646Z |
| serviceType | Service name | S3 |
| cloud | Cloud provider | AWS |
| region | Region | eu-central-1 |
| assetTags | Cloud provider tags on the asset (key/value map) | {"dig-security": "true"} |
| assetDigTags | Prisma Cloud DSPM tags on the asset | {"QA": ["QA"]} |
| remediateInstruction | Remediation instructions (null when none are provided) | null |
| assetLabels | Data labels associated with the asset | PII |
| additionalInfo | Additional information | Data Type Groups: PII, PHI |
| description | Description | Compliance standards require automatic backups for all assets containing sensitive or business data |
Once you add a webhook URL, it is listed at the bottom of the page under Webhooks. From there, you can edit the Notified On column or remove the webhook URL by clicking the X on the right.