Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

TommyHunt — Wed, 19 Oct 2022 17:08:55 GMT

I have configured Prisma CloudCompute Console/Manage/Alerts/Manage/Alert providers/AWSSecurityHub.

When I <Send Test Alert>, the console reports success and the status of that integration is green, "Connected".

I have also configured Registry scans and pushed images with CVEs.

Overnight the registries were scanned and I can see the images/repos with their CVEs in the Monitor/Vulnerabitlity Explorer.

However, I cannot find the Alerts that should have been generated by Prisma CloudCompute Console/Defend/Vulnerabilities/Images/CI/Rules.

It appears that the CVEs did trigger Alert creation because now the Alert provider, AWSSecurityHub, is reporting this error...

failed to add findings: [{ ErrorCode: "InvalidInput", ErrorMessage: "Finding does not adhere to Amazon Finding Format. data.Resources[0].Id should NOT be shorter than 1 characters, data.Resources[0].Id should NOT be shorter than 12 characters, data.Resources[0].Id should match pattern \"^arn:(aws|aws-cn|aws-us-gov):[A-Za-z0-9\\-]{1,63}:[a-z0-9\\-]*:([0-9]{12})?:.+$\", data.Resources[0].Id should match some schema in anyOf.", Id: "us-west-2/twistlock/vulnerabilities/" }]

Two Questions:

Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.
What the heck is wrong with the integration to Alert provider, AWSSecurityHub? remember that Test Alerts and runtime Alerts are sent successfully.

Re: Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

musiddiqui — Fri, 23 Sep 2022 20:53:26 GMT

Hi TommyHunt,

I hope you are doing well. Following are the answers to your questions:

Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.

Ans: Currently, there is no place in the Prisma Cloud Compute console where you can browse for the alerts that are being generated. You can set up an alert by using the following doc but you can browse the generated alerts:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts

You can create a feature request for it by using the following link:

https://prismacloud.ideas.aha.io/ideas

What the heck is wrong with the integration to Alert provider, AWSSecurityHub? remember that Test Alerts and runtime Alerts are sent successfully.

Ans: There must be some permissions that are missing in the AWS which is why you are getting this error while setting up the alert. Can you please go through the console logs and look for the error message? It should look something like this:

ERRO 2020-05-18T21:04:37.751 serverless_radar_scanner.go:125 AWS Twistlock Security Hub

Regards,

topic Re: Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub? in Prisma Cloud Discussions

Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

Re: Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?