Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

L3 Networker

I have configured Prisma CloudCompute Console/Manage/Alerts/Manage/Alert providers/AWSSecurityHub.

When I <Send Test Alert>, the console reports success and the status of that integration is green, "Connected".

 

I have also configured Registry scans and pushed images with CVEs.

Overnight the registries were scanned and I can see the images/repos with their CVEs in the Monitor/Vulnerability Explorer.

 

However, I cannot find the Alerts that should have been generated by Prisma CloudCompute Console/Defend/Vulnerabilities/Images/CI/Rules.

 

It appears that the CVEs did trigger Alert creation because now the Alert provider, AWSSecurityHub, is reporting this error...

failed to add findings: [{ ErrorCode: "InvalidInput", ErrorMessage: "Finding does not adhere to Amazon Finding Format. data.Resources[0].Id should NOT be shorter than 1 characters, data.Resources[0].Id should NOT be shorter than 12 characters, data.Resources[0].Id should match pattern \"^arn:(aws|aws-cn|aws-us-gov):[A-Za-z0-9\\-]{1,63}:[a-z0-9\\-]*:([0-9]{12})?:.+$\", data.Resources[0].Id should match some schema in anyOf.", Id: "us-west-2/twistlock/vulnerabilities/" }]

 

Two Questions:

  1. Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.
  2. What the heck is wrong with the integration to Alert provider, AWSSecurityHub?  remember that Test Alerts and runtime Alerts are sent successfully.
Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org
1 REPLY 1

L2 Linker

Hi TommyHunt,

 

I hope you are doing well. Following are the answers to your questions:

 

  • Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.

Ans: Currently, there is no place in the Prisma Cloud Compute console where you can browse for the alerts that are being generated. You can set up an alert by using the following doc but you can browse the generated alerts:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts

You can create a feature request for it by using the following link:

https://prismacloud.ideas.aha.io/ideas

 

  • What the heck is wrong with the integration to Alert provider, AWSSecurityHub?  remember that Test Alerts and runtime Alerts are sent successfully.

Ans: There must be some permissions that are missing in AWS, which is why you are getting this error while setting up the alert. Can you please go through the console logs and look for the error message? It should look something like this:

ERRO 2020-05-18T21:04:37.751 serverless_radar_scanner.go:125 AWS Twistlock Security Hub

 

Regards,

Muhammad Wahaaj Siddiqui | Sr. Technical Support Engineer - Prisma Cloud Compute | PCCSE, CKA, CKS, AWS SysOps, AWS DevOps Professional
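
Added example, not part of the original thread and not Palo Alto Networks or AWS code: a local check of the Resources[n].Id constraints quoted in the Security Hub error in the question, so a batch of findings can be inspected before it is submitted. The reading of "anyOf", the function names and the sample findings are assumptions.

```python
import re

# Pattern copied from the Security Hub error quoted on this page
# (Go string escaping removed).
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):[A-Za-z0-9\-]{1,63}:[a-z0-9\-]*:([0-9]{12})?:.+$"
)


def classify_resource_id(value):
    """Classify one Resources[n].Id as 'arn', 'non-arn' or 'invalid'.

    Assumption: the message's "anyOf" accepts either an ARN (12+ characters,
    matching ARN_RE) or any other string of at least 1 character.
    """
    if not isinstance(value, str) or len(value) < 1:
        return "invalid"
    if len(value) >= 12 and ARN_RE.match(value):
        return "arn"
    return "non-arn"


def rejected_findings(findings):
    """Return {finding Id: [problems]} for findings that would fail the check."""
    report = {}
    for finding in findings:
        problems = []
        resources = finding.get("Resources") or []
        if not resources:
            problems.append("Resources is missing or empty")
        for i, res in enumerate(resources):
            if classify_resource_id(res.get("Id")) == "invalid":
                problems.append(f"Resources[{i}].Id is empty or not a string")
        if problems:
            report[finding.get("Id", "<no Id>")] = problems
    return report


# Constructed sample batch. The first finding Id is the one in the error on this
# page with the empty resource Id it describes; the second is entirely made up.
SAMPLE = [
    {"Id": "us-west-2/twistlock/vulnerabilities/", "Resources": [{"Type": "Container", "Id": ""}]},
    {"Id": "us-west-2/twistlock/vulnerabilities/example",
     "Resources": [{"Type": "Container",
                    "Id": "arn:aws:ecr:us-west-2:123456789012:repository/example"}]},
]

if __name__ == "__main__":
    print(rejected_findings(SAMPLE))
```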