Integrate Prisma Cloud with Amazon SQS

Learn how to integrate Prisma Cloud with Amazon SQS.
Prisma Cloud supports Amazon Simple Queue Service (SQS) as a destination for alerts. Customers can consume them through the Splunk add-on or through CloudFormation to enable custom workflows.
An alert notification is triggered for each alert as it is generated, and the entire alert payload is sent to Amazon SQS and on to Splunk. The CLI remediation (the actual CLI commands and any instructions for running them) is included in the alert payload.
  1. Configure Amazon SQS to receive Prisma Cloud alerts.
    1. Log in to the Amazon console with the credentials needed to create an SQS queue.
    2. Click Simple Queue Services under Messaging services.
    3. Click Create New Queue or use an existing queue.
    4. Enter a Queue name and choose a Queue Type, Standard or FIFO.
    5. Click Configure Queue.
      For the attributes specific to the queue, either use the AWS default selections or set them according to your company's policies. Select Use SSE to keep all messages in the queue encrypted.
    6. Click Create Queue.
      Your SQS queue is created and listed.
    7. Click the queue that you created, view the Details, and copy the URL of this queue.
      You will need to enter this value in Prisma Cloud to send Prisma Cloud notifications to this queue.
  2. If you are using encrypted queues in Amazon SQS, the Prisma Cloud role must be granted explicit permission to read the key.
    1. On the Amazon console, select IAM > Encryption Keys and select Create Key.
    2. Enter an Alias and Description. Select KMS and click Next.
    3. Add any required Tags and click Next.
    4. Choose the IAM users who can use this key through the KMS API and click Next.
    5. Choose the IAM users who can use this key to encrypt and decrypt the data.
    6. Review the key policy and click Finish.
  3. Enable read-access permissions to Amazon SQS on the IAM role policy.
    The Prisma Cloud IAM role policy you used to onboard your AWS account needs these permissions:
    "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:SendMessage", "tag:GetResources"
    If you used the CFT templates to onboard your AWS account, the Prisma Cloud IAM role policy already has the permissions required for Amazon SQS.
  4. Set up the Amazon SQS integration in Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select Settings > Integrations.
    3. Select Amazon SQS as the Integration Type.
    4. Enter a name and description for the integration.
    5. Enter the Queue URL that you copied while configuring the queue in Amazon SQS.
    6. Click Next and then click Test.
      You should get a success message.
    7. Click Save.
      After you set up the integration successfully, if the SQS URL becomes unresponsive for any reason, the status on Settings > Integrations turns red, and turns green again when the issue is resolved.
  5. Create an Alert Rule or modify an existing rule to enable the Amazon SQS Integration.
  6. Ingest SQS alerts through the Splunk add-on.
    1. Create an IAM user (or use an AWS role) with the policy given below and store the generated Access Key ID and Secret Access Key. For example, the value of the Resource key can be "arn:aws:sqs:us-east-1:123456789101:my_queue".
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [ "sqs:*" ],
            "Effect": "Allow",
            "Resource": [ "arn:aws:sqs:<YOUR_SQS_QUEUE_REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<YOUR_SQS_QUEUE_NAME>" ]
          }
        ]
      }
    2. Install the Prisma Cloud add-on from the Splunk Marketplace, following the Splunk Add-on instructions.
    3. Launch the app and, from the Inputs tab, click Create New Input.
    4. Add a new input. Each input pulls messages from a single queue in the specified region using the Access Key ID and Secret Access Key provided.
      You can see the poller's log messages using index="_internal" "[RL SQS Poller]".
      You can also see the events created by this poller using index="<selected index>" source="rl_sqs_json".
      An Alerts CIM mapping is also created; it can be used only if you have the "Splunk Common Information Model" app (https://splunkbase.splunk.com/app/1621) installed in your Splunk environment. To search using the data model, type | datamodel Alerts search in the search bar to get all the alerts generated.
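Step 1.7 hands a queue URL to Prisma Cloud while step 6.1 wants the same queue as an ARN in the Resource field. As an added example that is not part of the original documentation, this Python converts the copied queue URL into that ARN and builds a narrower policy for the Splunk poller than the sqs:* grant shown above; the kms:Decrypt statement for SSE queues is an assumption, and the sample URL and key ARN are constructed (region and account number taken from the page's example ARN).

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Standard host sqs.<region>.amazonaws.com, plus the legacy us-east-1 host queue.amazonaws.com.
_SQS_HOST = re.compile(r"^(?:sqs\.(?P<region>[a-z0-9-]+)|queue)\.amazonaws\.com$")


def queue_url_to_arn(queue_url: str) -> str:
    """Turn the queue URL copied from the SQS Details tab into the ARN the IAM policy needs."""
    parsed = urlparse(queue_url)
    host = _SQS_HOST.match(parsed.netloc)
    if parsed.scheme != "https" or host is None:
        raise ValueError(f"not an SQS queue URL: {queue_url!r}")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 2 or not re.fullmatch(r"\d{12}", parts[0]) or not parts[1]:
        raise ValueError(f"expected /<12-digit account>/<queue name>: {queue_url!r}")
    account, name = parts                      # FIFO queue names keep their .fifo suffix
    region = host.group("region") or "us-east-1"
    return f"arn:aws:sqs:{region}:{account}:{name}"


def splunk_consumer_policy(queue_url: str, kms_key_arn: Optional[str] = None) -> dict:
    """IAM policy for the Splunk poller, narrowed from sqs:* to what a consumer actually uses.

    A poller only receives messages, deletes them once indexed and reads queue attributes.
    If the queue uses SSE with a customer managed KMS key (step 2), the consumer must also
    be able to decrypt with that key; this statement is an assumption, not from the page.
    """
    statements = [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
        "Resource": [queue_url_to_arn(queue_url)],
    }]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample: region and account as in the page's example ARN; the key ARN is a placeholder.
    url = "https://sqs.us-east-1.amazonaws.com/123456789101/my_queue"
    key = "arn:aws:kms:us-east-1:123456789101:key/<YOUR_KMS_KEY_ID>"
    print(json.dumps(splunk_consumer_policy(url, key), indent=2))
```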
