Prisma Cloud Integration with Eventbridge


By Kishwar Firdaus, Customer Success Engineer

 

Introduction

What is Event Assisted Ingestion?

Event Assisted Ingestion (EAI) is an enhancement intended to reduce the number of API calls Prisma Cloud makes: the API is called only when a resource's configuration has changed. Prisma Cloud listens for changes to the resources it supports and, on each change, calls the corresponding API to sync the resource's details between the cloud account and itself.

 

Prisma Cloud leverages Amazon EventBridge to receive audit logs in near real time, which allows Prisma Cloud to reduce both the total number of API calls and the total time to alert.

Need for Event-Assisted Ingestion:

Basic CSPM solutions that can only detect a misconfiguration once or twice a day leave cybercriminals plenty of time to exploit the misconfiguration and launch an attack. Prisma Cloud can detect a misconfiguration in near real time, so customers can remediate as quickly as possible and reduce their attack surface. For example, an RDS snapshot accidentally made public: this is a common case, because snapshots can be shared across different AWS accounts, both internal and external, allowing users to share data and templates. Another value add is that Prisma Cloud alerts on the misconfiguration in just under a minute, with the relevant resource information, which can save countless hours trying to find and contain the impact.

While other solutions may not catch the problem for up to 12 hours, Prisma Cloud can detect an issue in just minutes.

Currently, Prisma Cloud makes API calls to the AWS CloudTrail service to fetch change events (also known as audit logs). Using EventBridge updates this method: it enables Prisma Cloud to move from a traditional pull model to a push model, in which changes to resources trigger ingestion.

 

Prerequisites:

The following are the basic and baseline requirements for Event Assisted Ingestion:

  • A Prisma Cloud tenant with EventBridge enabled.

  • A user with Administrator permissions in the tenant (to provide Read permissions for Prisma Public Cloud).

  • A user with permissions in the AWS account to create or update a CloudFormation stack resource.

  • Login details for Prisma Public Cloud.

  • At least one CloudTrail trail that logs all write events from the account. If such a trail already exists, there is no need to create a new one.

 

Configuration:

On Prisma Cloud:

Step 1: Navigate to the Cloud Accounts landing page from the dashboard.

Figure 1: Cloud Accounts Landing Page

Step 2: Click "View Cloud Account" on the Cloud Accounts page.

Figure 2: "View" on the Cloud Accounts page

Figure 3: "Actions" on the Cloud Accounts page

Step 3: Navigate to the Misconfigurations (CSPM) tab.

Figure 4: "Misconfigurations" tab

Step 4: Click Configure and follow the steps detailed in the sidecar to create or update the IAM Role CloudFormation templates (CFT).

Note: Copy the EventBridge Rule Name Prefix from this step; it is needed as input in the next step.

Creating the EventBridge CFT stack creates the following:

  • Roles required for the CloudFormation service to create the StackSet.

  • Roles required for the EventBridge service to invoke the EventBridge API destination.

  • EventBridge rules, EventBridge API destinations, and EventBridge connections.
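To make those three pieces concrete, here is an added, illustrative CloudFormation template showing how a connection, an API destination, a scoped invoke role and a rule fit together; it is not the Prisma Cloud CFT generated by the sidecar, and the IngestEndpoint and IngestApiKey parameters are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  RuleNamePrefix: { Type: String }        # prefix shown in the Prisma Cloud sidecar (Step 4)
  IngestEndpoint: { Type: String }        # placeholder HTTPS endpoint, assumed
  IngestApiKey: { Type: String, NoEcho: true }   # placeholder credential, assumed
Resources:
  IngestConnection:                       # EventBridge connection: holds the auth for the destination
    Type: AWS::Events::Connection
    Properties:
      AuthorizationType: API_KEY
      AuthParameters:
        ApiKeyAuthParameters:
          ApiKeyName: x-api-key
          ApiKeyValue: !Ref IngestApiKey
  IngestApiDestination:                   # EventBridge API destination: the HTTPS target
    Type: AWS::Events::ApiDestination
    Properties:
      ConnectionArn: !GetAtt IngestConnection.Arn
      InvocationEndpoint: !Ref IngestEndpoint
      HttpMethod: POST
  InvokeApiDestinationRole:               # role EventBridge assumes; scoped to this one destination
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: invoke-api-destination
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:InvokeApiDestination
                Resource: !GetAtt IngestApiDestination.Arn
  WriteEventsRule:                        # EventBridge rule: forward only mutating CloudTrail events
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub "${RuleNamePrefix}-write-events"
      EventPattern:
        detail-type: ["AWS API Call via CloudTrail"]
        detail:
          readOnly: [false]               # Describe*/List*/Get* calls are never pushed
      Targets:
        - Id: ingest
          Arn: !GetAtt IngestApiDestination.Arn
          RoleArn: !GetAtt InvokeApiDestinationRole.Arn
```

The readOnly filter is what keeps read-only calls inside the account, which is where the API-call savings come from; the invoke role being limited to a single destination ARN and the key being NoEcho are the two controls worth checking in any stack of this shape.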

 

Verification:

Once the setup is complete and the EventBridge CFT has been executed, the EventBridge rules should be visible in the AWS console, as below:

Figure 5: EB Rules on AWS Console

In the Prisma Cloud console, under Cloud Accounts > View Cloud Account > Misconfigurations (CSPM), it should look as below:

Figure 6: View on Prisma Cloud Side

 

Notes:

  1. EAI (Event Assisted Ingestion) does not consume additional Prisma Cloud credits; it produces cost savings on the CSP side.

  2. Both audit and config ingestion move to push; however, on the config side only the APIs that are on EAI use EventBridge. The rest of the APIs remain on classic ingestion.

  3. There are costs for EventBridge on the AWS side, but they are relatively low and in most cases are offset by the reduced number of API calls.

  4. Prisma Cloud will not revert to the old method of detection and alerting (e.g. CloudTrail) if EventBridge gets disabled.

  5. Moving to near real-time visibility does not resolve alerts that were already logged. No changes are made to alerts that were already logged, and existing alert behavior does not change.

 

Conclusion

By default, Prisma Cloud uses the Amazon CloudTrail service to fetch change events (ingest the audit logs). However, you can configure near real-time visibility in Prisma Cloud to ingest the audit logs using Amazon EventBridge on your onboarded AWS accounts. EAI enables Prisma Cloud to move from a pull to a push method that triggers ingestion only when changes are made to the resources. This reduces the time to alert on misconfigurations or policy violations as well as the number of API calls, since the API is called only if the resource configuration has changed.

 


About the Author

 

Kishwar Firdaus is a Customer Success Engineer on the Prisma™ Cloud CSPM team, specializing in supporting all CSPM solutions for Prisma™ Cloud: AWS, Azure, GCP, OCI, and Alibaba.
Last Updated: 11-01-2024 12:22 PM