Deployment of AWS SecurityHub and PrismaCloud

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Deployment of AWS SecurityHub and PrismaCloud

L1 Bithead

I'm a new Prisma Cloud user and I'm here to ask for help. I have AWS Security Hub with all the rules allowed forwarding logs to Prisma Cloud, but I cannot validate that the logs are being forwarded correctly to Prisma Cloud.
Even using the alerts session filters, or using the investigate session with queries, I can't find the alerts that are frequently generated by Security HUb.

Can you tell me how to validate these alerts?

Rizzo
4 REPLIES 4

L4 Transporter

Greetings Umberto,

 

I hope that this note finds you well! In researching your use case I was able to create an event based RQL query that you can run in the investigate portion of the CSPM console to locate if the events are being ingested from the console:

 

event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'

 

Depending on if this has any returned values you can create a policy of the 'Audit Event' type and potentially utilize aspects of the returned data from AWS to create scoping for what may be nested within your use case. Here is additional documentation on the entire AWS Security Hub integration setup:

 

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...

 

To troubleshoot if you do not have any returned values in the above RQL which, depending on the workload, could take a while to complete running, I would recommend checking that the region where you had setup the AWS account is the same as within the integration in the console, a test of the integration has a returned value from the AWS account, and that the permission AWSSecurityHubReadOnlyAccess is attached to the user account of the AWS administrator that is creating the integration. Please let me know if you need any additional help with this and I hope that you have a good day!

 

Kind Regards,

J. Avery King

J. Avery King | Prisma Cloud | Customer Success Engineer

Hi J. Avery King, thanks for the quick response

 

Unfortunately it doesn't return anything from the query:

event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'

 

Regarding the link you sent for integration, the settings we are using in the project are configured so that Prisma is responsible for the event manager, therefore, Prisma should only read the findings from the Security Hub, using this type of integration.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform...

 

If you have any more information that could help I would appreciate it.

Rizzo

L2 Linker

Hi Umberto,

 

I hope you are doing well. Can you please verify that have you enabled the "Accept finding" button for the "Palo Alto Networks: Prisma Cloud Enterprise" integration?


Screen Shot 2022-09-15 at 2.26.12 PM.png

Muhammad Wahaaj Siddiqui | Sr. Technical Support Engineer - Prisma Cloud Compute | PCCSE, CKA, CKS, AWS SysOps, AWS DevOps Professional

Hi Musiddiqui,

 

Even enabling this function in the security hub, I still don't receive the logs in Prisma. Now I have a doubt if only the permissions I used on Stack and StackSet are enough.

 

From: https://s3.amazonaws.com/redlock-public/ 

For Stack I used: rl-read-and-write.template

For StackSet I used: rl-read-and-write-member.template

 

Rizzo
  • 1889 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!