This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Where can I browse the Prisma Cloud Compute Alerts? Why are Alerts generated by CVEs failing Alert provider AWSSecurityHub?

TommyHunt
L3 Networker

‎09-23-2022 12:29 PM - last edited on ‎10-19-2022 10:08 AM by

I have configured Prisma CloudCompute Console/Manage/Alerts/Manage/Alert providers/AWSSecurityHub.

When I <Send Test Alert>, the console reports success and the status of that integration is green, "Connected".

 

I have also configured Registry scans and pushed images with CVEs.

Overnight the registries were scanned and I can see the images/repos with their CVEs in the Monitor/Vulnerabitlity Explorer.

 

However, I cannot find the Alerts that should have been generated by Prisma CloudCompute Console/Defend/Vulnerabilities/Images/CI/Rules.

 

It appears that the CVEs did trigger Alert creation because now the Alert provider, AWSSecurityHub, is reporting this error...

failed to add findings: [{ ErrorCode: "InvalidInput", ErrorMessage: "Finding does not adhere to Amazon Finding Format. data.Resources[0].Id should NOT be shorter than 1 characters, data.Resources[0].Id should NOT be shorter than 12 characters, data.Resources[0].Id should match pattern \"^arn:(aws|aws-cn|aws-us-gov):[A-Za-z0-9\\-]{1,63}:[a-z0-9\\-]*:([0-9]{12})?:.+$\", data.Resources[0].Id should match some schema in anyOf.", Id: "us-west-2/twistlock/vulnerabilities/" }]

 

Two Questions:

  1. Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.
  2. What the heck is wrong with the integration to Alert provider, AWSSecurityHub?  remember that Test Alerts and runtime Alerts are sent successfully.
Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org
Labels:
Preview file
74 KB
1 REPLY 1

musiddiqui
L2 Linker

‎09-23-2022 01:53 PM

Hi TommyHunt,

 

I hope you are doing well. Following are the answers to your questions:

 

  • Where can I browse, search Prisma Cloud Compute Alerts within Prisma Cloud Console? wanting to confirm alerts are properly formatted, populated.

Ans: Currently, there is no place in the Prisma Cloud Compute console where you can browse for the alerts that are being generated. You can set up an alert by using the following doc but you can browse the generated alerts:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts

You can create a feature request for it by using the following link:

https://prismacloud.ideas.aha.io/ideas

 

  • What the heck is wrong with the integration to Alert provider, AWSSecurityHub?  remember that Test Alerts and runtime Alerts are sent successfully.

Ans: There must be some permissions that are missing in the AWS which is why you are getting this error while setting up the alert. Can you please go through the console logs and look for the error message? It should look something like this:

ERRO 2020-05-18T21:04:37.751 serverless_radar_scanner.go:125 AWS Twistlock Security Hub

 

Regards,

Muhammad Wahaaj Siddiqui | Sr. Technical Support Engineer - Prisma Cloud Compute | PCCSE, CKA, CKS, AWS SysOps, AWS DevOps Professional
0 Likes Likes
  • 2323 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks