1. Overview

Once Prisma Cloud is configured and tuned, it collects a large volume of data. You need to decide how to extract that data from Prisma Cloud and deliver it to the right places, in the right format, so that it can be consumed and processed. Alerts, notifications, and other integration points are how you get the right data to the right place.

Prisma Cloud lets you configure multiple independent alert channels, so that each team gets only the data it wants, in the format that best suits its needs. For example, your vulnerability team could receive data by email, the compliance team could receive CSV files, and the security operations center (SOC) could consume data from syslog.

If you run a SIEM, such as Splunk, then you can configure Prisma Cloud to direct all audit messages to syslog, and then configure your SIEM to ingest audits from there. All Prisma Cloud audits are well structured and fully documented to ease integration.

Prisma Cloud supports numerous alert channels, including email, Slack, JIRA, and others. You can alert on any rule, as well as on some other events, such as Defender health (for example, when a Defender disconnects) and admin activity (when a rule or configuration is changed in Console).

Alert labels close the loop between production and remediation. If you use Kubernetes or Docker labels to tag your resources, you can configure Prisma Cloud to append any of those label key-value pairs to Prisma Cloud audits. When an event fires, any of the specified labels that are present on the associated object are appended to the event. If a label value contains email addresses, you can further configure Prisma Cloud to send the audit to those recipients. Together, these mechanisms route feedback directly to the owner or group responsible for the resource.

The API lets you build all sorts of integrations. For example, you might have a centralized tool where all vulnerability data is aggregated. You can use Prisma Cloud's API to extract the vulnerability data from your container ecosystem and send it to your central dashboard, which has its own parsers and notification system.
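The extraction described above, as an added example (not code from the Prisma Cloud product or its documentation): authenticate to the Console, page through the image scan results, and flatten the nested per-image output into one record per (image, CVE, package) that a central dashboard's parser can ingest. The endpoint paths, the offset/limit paging parameters, and the JSON field names are assumptions here and must be checked against your Console's API reference; the sample scan result is constructed, with placeholder CVE identifiers, so that the flattening step runs offline.

```python
import json
import os
import urllib.request

# Assumed API surface (verify against your Console's API reference):
#   POST {console}/api/v1/authenticate  body {"username","password"} -> {"token": ...}
#   GET  {console}/api/v1/images?offset=N&limit=M -> JSON array of scanned images
CONSOLE = os.environ.get("PRISMA_CONSOLE", "https://console.example.internal:8083")


def get_token(console, username, password):
    """Exchange Console credentials for a bearer token (assumed endpoint)."""
    req = urllib.request.Request(
        f"{console}/api/v1/authenticate",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def fetch_images(console, token, page_size=50):
    """Page through the image scan results; stops when a page comes back short."""
    images, offset = [], 0
    while True:
        req = urllib.request.Request(
            f"{console}/api/v1/images?offset={offset}&limit={page_size}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp) or []
        images.extend(page)
        if len(page) < page_size:
            return images
        offset += page_size


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def flatten(scan_results, min_severity="low"):
    """Flatten nested scan results into one record per (image, CVE, package).

    Findings below min_severity (or with an unrecognised severity) are dropped,
    duplicates are collapsed, and the output is ordered worst-first so the
    dashboard receives a stable, simple schema regardless of scanner output order.
    """
    floor = SEVERITY_RANK[min_severity]
    seen, records = set(), []
    for image in scan_results:
        tag = image.get("repoTag") or {}   # assumed field: {registry, repo, tag}
        image_ref = f"{tag.get('registry', '')}/{tag.get('repo', '?')}:{tag.get('tag', 'latest')}".lstrip("/")
        for vuln in image.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "")).lower()
            if SEVERITY_RANK.get(sev, 0) < floor:
                continue
            key = (image_ref, vuln.get("cve"), vuln.get("packageName"))
            if key in seen:   # the same CVE may be reported more than once per image
                continue
            seen.add(key)
            records.append({
                "image": image_ref,
                "cve": vuln.get("cve"),
                "severity": sev,
                "package": f"{vuln.get('packageName')} {vuln.get('packageVersion', '')}".strip(),
                # assumed: a non-empty "status" string means a fixed version exists
                "fix_available": bool(vuln.get("status")),
            })
    records.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["image"], r["cve"]))
    return records


# Constructed sample in the (simplified, assumed) shape of a scan result.
# CVE-0000-* are placeholders, not real vulnerability identifiers.
SAMPLE_SCAN = [
    {"repoTag": {"registry": "registry.example.internal", "repo": "shop/api", "tag": "1.4.2"},
     "vulnerabilities": [
         {"cve": "CVE-0000-0001", "severity": "critical", "packageName": "openssl",
          "packageVersion": "1.1.1k", "status": "fixed in 1.1.1t"},
         {"cve": "CVE-0000-0001", "severity": "critical", "packageName": "openssl",
          "packageVersion": "1.1.1k", "status": "fixed in 1.1.1t"},   # duplicate report
         {"cve": "CVE-0000-0002", "severity": "low", "packageName": "bash",
          "packageVersion": "5.1", "status": ""},
     ]},
    {"repoTag": {"registry": "", "repo": "shop/worker", "tag": "2.0.0"},
     "vulnerabilities": [
         {"cve": "CVE-0000-0003", "severity": "high", "packageName": "libxml2",
          "packageVersion": "2.9.10", "status": ""},
     ]},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a live run, replace
    # SAMPLE_SCAN with fetch_images(CONSOLE, get_token(CONSOLE, user, password)).
    print(json.dumps(flatten(SAMPLE_SCAN, "high"), indent=2))
```

The flattened records are what you would POST to the dashboard's ingest endpoint; keeping severity filtering and deduplication on this side means the dashboard's parser only ever sees one row per finding.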

2. Best practice

Label your container resources, then leverage alert labels to automatically notify the right party when security issues arise. Besides segmenting and classifying resources, labels also let you track resources through their lifecycle, from the CI/CD pipeline to production.

Prisma Cloud's alert labels let you declare a list of label keys. When something happens that violates your policy, the key-value pair of any declared label attached to the resource in question is automatically appended to the generated audit. You can further automate alerting by declaring labels whose values contain email addresses: if a policy violation is triggered by a resource carrying such a label, an email alert is automatically sent to every address in the list.
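The label-to-audit enrichment and owner routing described in the overview and in this best practice, as an added example that models the behaviour rather than reproducing Prisma Cloud's own implementation: declared label keys are matched against the resource's labels, the matching key-value pairs are appended to the audit, any email addresses found in those values become the recipient list, and an audit with no owner address falls back to a default channel. One practitioner check is included: Kubernetes label values are limited to 63 characters of alphanumerics, `-`, `_` and `.`, so an address containing `@` can be stored in a Docker label but not in a Kubernetes label value, and the helper flags such values before you rely on them. The audits, labels and addresses below are constructed sample data.

```python
import re

# Email addresses inside a label value; a value may hold several, separated by
# commas or spaces (constructed convention for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Kubernetes label value syntax: optional, at most 63 chars, alphanumerics plus
# '-', '_', '.', beginning and ending with an alphanumeric. '@' is not permitted.
K8S_LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")


def is_valid_k8s_label_value(value):
    """True if Kubernetes would accept this string as a label value."""
    return len(value) <= 63 and K8S_LABEL_VALUE_RE.match(value) is not None


def enrich_audit(audit, resource_labels, declared_labels):
    """Append declared labels present on the resource to the audit and
    extract email recipients from the matched values."""
    matched = {key: resource_labels[key] for key in declared_labels if key in resource_labels}
    recipients = sorted({addr.lower() for value in matched.values() for addr in EMAIL_RE.findall(value)})
    return {**audit, "labels": matched}, recipients


def route(audit, resource_labels, declared_labels, fallback):
    """Return (enriched audit, recipients); audits with no owner address go to fallback."""
    enriched, recipients = enrich_audit(audit, resource_labels, declared_labels)
    return enriched, recipients or [fallback]


def route_all(events, declared_labels, fallback):
    """Route a batch of (audit, labels) pairs; returns a list of (audit, recipients)."""
    return [route(ev["audit"], ev["labels"], declared_labels, fallback) for ev in events]


# Constructed sample: two audits and the labels on the objects that raised them.
DECLARED_LABELS = ["owner", "team", "oncall"]
SAMPLE_EVENTS = [
    {"audit": {"type": "runtime", "msg": "Process /bin/nc launched", "container": "payments-api-7d9f"},
     "labels": {"app": "payments-api", "team": "payments",
                "owner": "payments-dev@example.com, payments-lead@example.com"}},
    {"audit": {"type": "vulnerability", "msg": "Critical finding in image", "image": "shop/worker:2.0.0"},
     "labels": {"app": "worker", "tier": "batch"}},   # no declared label present
]

if __name__ == "__main__":
    for enriched, recipients in route_all(SAMPLE_EVENTS, DECLARED_LABELS, "soc@example.com"):
        print(recipients, enriched)
    for value in ("payments", "payments-dev@example.com"):
        print(value, "k8s label value ok" if is_valid_k8s_label_value(value) else "rejected by Kubernetes")
```

The fallback keeps unowned findings visible to the SOC instead of silently dropping them, which is the failure mode of an owner-routing scheme when a resource is deployed without the agreed labels.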