Integrate Prisma Cloud with Amazon SQS
Learn how to integrate Prisma Cloud with Amazon SQS.
Prisma Cloud supports Amazon Simple Queue
Service (SQS) to send alerts. Customers can consume them through
Splunk add-on or through CloudFormation to enable custom workflows.
Alert
notifications are triggered for each Alert generated as it happens
with the entire Alert payload to Amazon SQS and Splunk. The CLI
remediation (the actual CLI, any instructions for CLI) are included
in the Alert Payload.
- Configure Amazon SQS to receive Prisma Cloud alerts.
- Log in to Amazon console with necessary credentials to create SQS.
- ClickSimple Queue ServicesunderMessaging services.
- ClickCreate New Queueor use an existing queue.
- Enter a Queue name and choose a Queue TypeStandardorFIFO.
- ClickConfigure Queue.For the attributes specific to the Queue, use either AWS default selection set them as per policies of your company. SelectUse SSEto keep all messages in Queue encrypted.
- ClickCreate Queue.Your SQS Queue is created and listed.
- Click the Queue that you created and view theDetailsand copyURLof this queue.You will need to give this value in Prisma Cloud to integrate Prisma Cloud notifications into this Queue.
- If you are using encrypted queues in Amazon SQS, Prisma Cloud Role must be granted explicit permission to read the key.
- On the Amazon console, select and selectCreate Key
- Enter Alias and Description. SelectKMSand clickNext.
- Add any requiredTagsand clickNext.
- Choose IAM users who can use this Key throughKMSAPI and clickNext.
- Choose IAM users who can use this key to encrypt and decrypt the data.
- Review the Key policy and clickFinish.
- Enable read-access permissions to Amazon SQS on the IAM Role policy.The Prisma Cloud IAM Role policy you used to onboard your AWS setup needs these permissions:"sqs:GetQueueAttributes", "sqs:ListQueues","sqs:SendMessage", "tag:GetResources"If you used the CFT templates to onboard your AWS account, Prisma Cloud IAM role policy has the permissions required for Amazon SQS.
- Setup Amazon SQS integration in Prisma Cloud.
- Log in to Prisma Cloud.
- Select .
- Select theIntegration TypeasAmazon SQS.
- Enter a name and description for the Integration.
- Enter theQueue URLthat you copied while configuring Prisma Cloud in Amazon SQS.
- ClickNextand then clickTest.You should get a success message.
- ClickSave.After you set up the integration successfully, if the SQS URL becomes unresponsive for any reason, the status transitions to red on , and updates to green if the issue gets resolved.
- Create an Alert Rule or modify an existing rule to enable the Amazon SQS Integration.
- Ingest SQS alerts through Splunk add-on.
- Create an IAM user (or use AWS role) using the policy given below and store the Access Key ID and Secret Access key generated: E.g.: Value of key ‘Resource’ can be “arn:aws:sqs:us-east-1:123456789101:my_queue”.{ "Version": "2012-10-17", "Statement": [ { "Action": [ "sqs:*" ], "Effect": "Allow", "Resource”: [“arn:aws:sqs:<YOUR_SQS_QUEUE_REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<YOUR_SQS_QUEUE_NAME>" ] } ]}
- Install the Prisma Cloud add-on from Splunk Market Place. Use the instructions at Splunk Add-on instructions.
- Launch the app and from theInputstab, clickCreate New Input.
- Add a new input. Each input will pull messages from a single queue in the region specified using Access Key Id and Secret Access Key provided.You can see the log messages usingindex="_internal" "[RL SQS Poller]".
You can also see the events created by this poller usingindex=”<selected index>” source=”rl_sqs_json”
An Alerts CIM mapping is also created that can be accessed only if you have “Splunk Common Information Model” app. (https://splunkbase.splunk.com/app/1621) installed in your Splunk environment. To search using data model type| datamodel Alerts searchin the search bar to get all the Alerts generated.