@CloudEngineer dude, you were correct the whole time. The Prisma Cloud Compute SecurityHub Alert Provider works perfectly fine.
I got misinformation from support case 02326773. Here is how I determined that the Registry Scanned CVEs and Compliance vulnerabilities were generating Alerts and propogating them to AWS SecurityHub/Findings Console. I entered this Filter criteria and then I could see the CVE-Alerts.
I still have NO explanation for those errors that I cited at the beginning of this
Hi Tommy,
I'd like to know what alerts you are looking for? While its true that there isn't a single consolidated alerts API endpoint for Compute, you can still use the relevant individual APIs to gather what you want which would ultimately match your configured rules and ultimately trigger an alert to be sent to a desired integration.
As for the AWS SecurityHub integration, could you please clarify what you mean "does not publish Alerts of CVEs as reported by scanners?" It will should forward your requested information as I understand it. I have seen the findings sent to SecurityHub so I'd be very interested in understanding more.
Regards,
Hi Tommy,
I've read through the PCSUP and I can summarize that if you are trying to send Compute's findings to an AWS Gov account then we are expecting a fix in the next major release (Lagrange) which may resolve the errors observed from AWS.
If you are working on integrating with Security Hub in a typical commercial account then we can probably get this going with some additional configuration checks and testing since I have seen this integration work successfully.
However, I noticed that your request mentioned alerts generated by CI rules. At this time, the Security Hub integration doesn't have an option to send CI alerts to Security Hub. Please have a look at this screenshot where I've shown that only Deployed and Registry scan results are available for Vulnerability Management:
You'll see within "select rules to alert on" that only your Deployed / Registry rules are available to select.
We also support sending findings for Runtime, Access, WAAS and CNNF.
Lastly, can you please confirm if you are using the self-hosted Compute console or Prisma Cloud Enterprise Edition (SaaS) ? I know you mentioned "Prisma Cloud Compute" which is generally our identification of the self-hosted product but I always like to be sure especially since that will change some of the authentication options.
Regards,
Brandon, I am grateful for your help with this matter.
We are a commercial enterprise; we have nothing to do with AWS Gov and we have no AWS Gov accounts. I suspect that is the Prisma SaaS default behavior when the integration is only partially or mis configured. This gov issue isn't my request for help, however, it's an issue but would take me some time to recreate the configuration to trigger that behavior in the SaaS product. So much to do, I prefer not to spend any time on this.
My issue is very detailed...
No one is saying that the integration doesn't work, I assert that THE INTEGRATION WORKS but only partially. You are saying that you've seen these VERY specific kinds of alerts that I report create errors; just seeing some/any Alerts being transferred to SecurityHub is insufficient evidence that my issue is to be dismissed.
Let me describe it again because the support comments are scrambled eggs...
PCC SaaS Alerts triggered by scans of ECS & Artifactory registries appear to NOT be Accepted by AWS due to this error being reported by Prisma's SecurityHub Alert provider...
failed to add findings: [{ ErrorCode: "InvalidInput", ErrorMessage: "Finding does not adhere to Amazon Finding Format. data.Resources[0].Id should NOT be shorter than 1 characters, data.Resources[0].Id should NOT be shorter than 12 characters, data.Resources[0].Id should match pattern \"^arn:(aws|aws-cn|aws-us-gov):[A-Za-z0-9\\-]{1,63}:[a-z0-9\\-]*:([0-9]{12})?:.+$\", data.Resources[0].Id should match some schema in anyOf.", Id: "us-west-2/twistlock/vulnerabilities/" }]
The support guy says that error is a known issue in the product but I'm hoping that you've seen registry scans CVE-Alerts propagated to SecurityHub. Webhooks are not an option, due to my firms' policies on exposing network endpoints to public ingress internet.
Our AlertProvider is configured to send registry vulnerabilities...
I incorrectly used the language "CI", because there are no equivalent "Fail/Report" rules for the Registry scans; whereas there are rules for "CI" and "Deployed" scans. Within the alert profile, I specified these "Deployed" rules be applied to Vulnerabilities; its not clear if these would have an effect on Registry Scans' CVE-Alerts.
Our intention is to use registries' scans to govern images on their path-to-production; we want to BLOCK images with CVEs of severity, CRITICAL and HIGH.
We use Prisma Cloud Enterprise Edition (SaaS). Because of the two kinds of Alerts in this product, I use PCC to distinguish the kind of Alert that I am speak of. Whew!
@CloudEngineer dude, you were correct the whole time. The Prisma Cloud Compute SecurityHub Alert Provider works perfectly fine.
I got misinformation from support case 02326773. Here is how I determined that the Registry Scanned CVEs and Compliance vulnerabilities were generating Alerts and propogating them to AWS SecurityHub/Findings Console. I entered this Filter criteria and then I could see the CVE-Alerts.
I still have NO explanation for those errors that I cited at the beginning of this
