09-14-2022 02:24 PM
I'm a new Prisma Cloud user and I'm here to ask for help. I have AWS Security Hub with all the rules allowed forwarding logs to Prisma Cloud, but I cannot validate that the logs are being forwarded correctly to Prisma Cloud.
Even using the alerts session filters, or using the investigate session with queries, I can't find the alerts that are frequently generated by Security Hub.
Can you tell me how to validate these alerts?
09-15-2022 08:58 AM
Greetings Umberto,
I hope that this note finds you well! In researching your use case I was able to create an event-based RQL query that you can run in the Investigate portion of the CSPM console to locate whether the events are being ingested from the console:
event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'
Depending on whether this returns any values, you can create a policy of the 'Audit Event' type and potentially utilize aspects of the returned data from AWS to create scoping for what may be nested within your use case. Here is additional documentation on the entire AWS Security Hub integration setup:
To troubleshoot if you do not have any returned values in the above RQL (which, depending on the workload, could take a while to complete running), I would recommend checking that the region where you had set up the AWS account is the same as within the integration in the console, that a test of the integration has a returned value from the AWS account, and that the permission AWSSecurityHubReadOnlyAccess is attached to the user account of the AWS administrator that is creating the integration. Please let me know if you need any additional help with this and I hope that you have a good day!
Kind Regards,
J. Avery King
09-15-2022 01:49 PM
Hi J. Avery King, thanks for the quick response.
Unfortunately it doesn't return anything from the query:
event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'
Regarding the link you sent for the integration, the settings we are using in the project are configured so that Prisma is responsible for the event manager; therefore, Prisma should only read the findings from Security Hub, using this type of integration.
If you have any more information that could help I would appreciate it.
09-15-2022 02:27 PM
Hi Umberto,
I hope you are doing well. Can you please verify that you have enabled the "Accept findings" button for the "Palo Alto Networks: Prisma Cloud Enterprise" integration?
09-30-2022 02:17 PM
Hi Musiddiqui,
Even after enabling this function in Security Hub, I still don't receive the logs in Prisma. Now I have a doubt about whether the permissions I used in the Stack and StackSet are enough.
From: https://s3.amazonaws.com/redlock-public/
For Stack I used: rl-read-and-write.template
For StackSet I used: rl-read-and-write-member.template
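As an added illustration that is not part of this thread and is not Prisma Cloud's own tooling: the RQL query given above asks whether Security Hub audit events are reaching Prisma Cloud's audit-log ingest. The same filter can be applied locally to raw CloudTrail records, which separates "Security Hub is producing no audit events at all" from "events exist in AWS but the integration is not ingesting them", and counting the matches per region gives a quick check for the region mismatch mentioned in the first reply. The CloudTrail records below are constructed sample data, and the mapping of the RQL field cloud.service to the CloudTrail field eventSource is an assumption made for this example.

```python
"""Local counterpart of the thread's RQL, run over constructed CloudTrail records.

The RQL in the thread:
    event from cloud.audit_logs where cloud.service = 'securityhub.amazonaws.com'
is assumed here to correspond to CloudTrail records whose eventSource is
'securityhub.amazonaws.com'. Nothing below is Prisma Cloud code.
"""
import json
from collections import Counter

SECURITY_HUB_SOURCE = "securityhub.amazonaws.com"

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}):
# three Security Hub calls (two in us-east-1, one in eu-west-1) and one
# unrelated EC2 call. These are illustrative values, not real account data.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {"eventSource": SECURITY_HUB_SOURCE, "eventName": "BatchImportFindings",
         "awsRegion": "us-east-1", "eventTime": "2022-09-14T13:00:00Z"},
        {"eventSource": SECURITY_HUB_SOURCE, "eventName": "GetFindings",
         "awsRegion": "us-east-1", "eventTime": "2022-09-14T13:05:00Z"},
        {"eventSource": SECURITY_HUB_SOURCE, "eventName": "ListEnabledProductsForImport",
         "awsRegion": "eu-west-1", "eventTime": "2022-09-14T13:10:00Z"},
        {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
         "awsRegion": "us-east-1", "eventTime": "2022-09-14T13:15:00Z"},
    ]
})


def load_cloudtrail_records(text):
    """Parse a CloudTrail log file body and return its list of records."""
    return json.loads(text).get("Records", [])


def security_hub_events(records):
    """Equivalent of the RQL where-clause: keep only Security Hub audit events."""
    return [r for r in records if r.get("eventSource") == SECURITY_HUB_SOURCE]


def events_per_region(records):
    """Count Security Hub audit events by awsRegion."""
    return Counter(r.get("awsRegion", "unknown") for r in security_hub_events(records))


def check_integration_region(records, integration_region):
    """Return (ok, message) for the region check from the first reply.

    ok is False when no Security Hub events exist at all (so the problem is
    upstream of Prisma Cloud), or when events exist only in regions other
    than the one the Prisma Cloud integration is configured for.
    """
    counts = events_per_region(records)
    if not counts:
        return False, "no Security Hub audit events found in the supplied CloudTrail records"
    if integration_region not in counts:
        seen = ", ".join(sorted(counts))
        return False, (f"Security Hub activity seen in {seen} but the integration "
                       f"is configured for {integration_region}")
    return True, f"{counts[integration_region]} Security Hub event(s) in {integration_region}"


if __name__ == "__main__":
    recs = load_cloudtrail_records(SAMPLE_LOG_FILE)
    print("per-region counts:", dict(events_per_region(recs)))
    for region in ("us-east-1", "ap-south-1"):
        print(region, "->", check_integration_region(recs, region))
```

To use this against a real account, replace SAMPLE_LOG_FILE with the body of a downloaded CloudTrail log file (or the output of a CloudTrail event lookup filtered on that event source) and pass the region configured on the Prisma Cloud side to check_integration_region. A False result with a non-empty region list points at the region mismatch; an empty result means Security Hub itself is not generating audit events, so the Prisma Cloud integration has nothing to ingest yet.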