topic Deployment of AWS SecurityHub and PrismaCloud in Cortex Cloud Discussions

Deployment of AWS SecurityHub and PrismaCloud

Umberto — Wed, 14 Sep 2022 21:24:37 GMT

I'm a new Prisma Cloud user and I'm here to ask for help. I have AWS Security Hub with all the rules allowed forwarding logs to Prisma Cloud, but I cannot validate that the logs are being forwarded correctly to Prisma Cloud.
Even using the alerts session filters, or using the investigate session with queries, I can't find the alerts that are frequently generated by Security HUb.

Can you tell me how to validate these alerts?

Re: Deployment of AWS SecurityHub and PrismaCloud

AKing9 — Thu, 15 Sep 2022 15:58:09 GMT

Greetings Umberto,

I hope that this note finds you well! In researching your use case I was able to create an event based RQL query that you can run in the investigate portion of the CSPM console to locate if the events are being ingested from the console:

event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'

Depending on if this has any returned values you can create a policy of the 'Audit Event' type and potentially utilize aspects of the returned data from AWS to create scoping for what may be nested within your use case. Here is additional documentation on the entire AWS Security Hub integration setup:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-aws-security-hub

To troubleshoot if you do not have any returned values in the above RQL which, depending on the workload, could take a while to complete running, I would recommend checking that the region where you had setup the AWS account is the same as within the integration in the console, a test of the integration has a returned value from the AWS account, and that the permission AWSSecurityHubReadOnlyAccess is attached to the user account of the AWS administrator that is creating the integration. Please let me know if you need any additional help with this and I hope that you have a good day!

Kind Regards,

J. Avery King

Re: Deployment of AWS SecurityHub and PrismaCloud

Umberto — Thu, 15 Sep 2022 20:49:34 GMT

Hi J. Avery King, thanks for the quick response

Unfortunately it doesn't return anything from the query:

event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'

Regarding the link you sent for integration, the settings we are using in the project are configured so that Prisma is responsible for the event manager, therefore, Prisma should only read the findings from the Security Hub, using this type of integration.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-aws-account/add-aws-organization-to-prisma-cloud

If you have any more information that could help I would appreciate it.

Re: Deployment of AWS SecurityHub and PrismaCloud

musiddiqui — Thu, 15 Sep 2022 21:27:03 GMT

Hi Umberto,

I hope you are doing well. Can you please verify that have you enabled the "Accept finding" button for the "Palo Alto Networks: Prisma Cloud Enterprise" integration?

Re: Deployment of AWS SecurityHub and PrismaCloud

Umberto — Fri, 30 Sep 2022 21:17:02 GMT

Hi Musiddiqui,

Even enabling this function in the security hub, I still don't receive the logs in Prisma. Now I have a doubt if only the permissions I used on Stack and StackSet are enough.

From: https://s3.amazonaws.com/redlock-public/

For Stack I used: rl-read-and-write.template

For StackSet I used: rl-read-and-write-member.template