Integrate Prisma Cloud with Amazon SQS

Learn how to integrate Prisma™ Cloud with Amazon Simple Queue Service (SQS).
Prisma™ Cloud supports Amazon Simple Queue Service (SQS) to send alerts to customers, who can consume these alerts through a Splunk add-on or through the AWS CloudFormation service to enable custom workflows.
Alert notifications that include the entire alert payload are triggered for each alert as it is generated and sent to Amazon SQS and Splunk. The command-line interface (CLI) remediation (the actual CLI commands and any instructions for those commands) is included in the alert payload.
  1. Configure Amazon SQS to receive Prisma Cloud alerts.
    1. Log in to the Amazon console with the credentials needed to create and configure the SQS queue.
    2. Click Simple Queue Services (under Application Integration).
    3. Click Create New Queue, or use an existing queue.
    4. Enter a Queue Name and choose a Queue Type.
    5. Click Configure Queue.
      For the attributes specific to the Queue, use either the AWS default selection or set them per your company policies.
      Select Use SSE to keep all messages in the Queue encrypted, and select the default AWS KMS Customer Master Key (CMK) or enter your CMK ARN.
    6. Click Create Queue.
      This creates and displays your SQS Queue.
    7. Click the Queue that you created, view its details, and copy the Queue URL for this queue.
      You provide this value in Prisma Cloud to integrate Prisma Cloud notifications into this Queue.
  2. If you are using a Customer Managed Key to encrypt queues in Amazon SQS, you must configure the Prisma Cloud Role with explicit permission to read the key.
    1. On the Amazon console, select Customer Managed Keys and then Create Key.
      Refer to the AWS documentation for details on creating keys.
    2. Enter an Alias and Description, add any other required values, and continue.
    3. Select the IAM users and roles who can use this key through the API, and continue.
    4. Select the IAM users and roles who can use this key to encrypt and decrypt the data; the Prisma Cloud Role must be included here.
    5. Review the key policy and finish creating the key.
  3. Enable read-access permissions to Amazon SQS on the IAM Role policy.
    The Prisma Cloud IAM Role policy you use to onboard your AWS setup needs these permissions:
      "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:SendMessage", "tag:GetResources"
    If you used the CloudFormation (CFT) templates to onboard your AWS account, the Prisma Cloud IAM Role policy already has the permissions required for Amazon SQS.
  4. Set up the Amazon SQS integration in Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Open the integration settings.
    3. Set the Integration Type to Amazon SQS.
    4. Enter a name for the integration.
    5. Enter the Queue URL that you copied when you configured the queue in Amazon SQS.
    6. Continue and test the integration.
      You should receive a success message.
    7. Save the integration.
      After you set up the integration successfully, the integration status shows red if the SQS URL is unresponsive and green when the issue is resolved.
  5. Create an Alert Rule or modify an existing rule to enable the Amazon SQS Integration.
  6. Ingest SQS alerts through the Splunk add-on.
    1. Create an IAM user (or use the AWS role) using the policy below and store the AWS Access Key ID and the AWS Secret Access Key generated. For example, the value of the key Resource can be "arn:aws:sqs:us-east-1:123456789101:my_queue".
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [ "sqs:*" ],
            "Effect": "Allow",
            "Resource": [ "arn:aws:sqs:<YOUR_SQS_QUEUE_REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<YOUR_SQS_QUEUE_NAME>" ]
          }
        ]
      }
    2. Install the Prisma Cloud add-on from the Splunk Marketplace using the Splunk Add-on instructions.
    3. Launch the app and, from the inputs tab, click Create New Input.
    4. Add a new input. Each input pulls messages from a single queue in the region you specify and uses the AWS Access Key ID and the AWS Secret Access Key you provided.
      You can see the poller's log messages using
      index="_internal" "[RL SQS Poller]"
      You can also see the events created by this poller using
      index="<selected index>" source="rl_sqs_json"
      An Alerts CIM mapping is also created, which you can use only if you have the Splunk Common Information Model app installed in your Splunk environment. To search using the data model, type
      | datamodel Alerts search
      in the search bar to get all the alerts generated.
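Steps 3 and 6 both come down to IAM policy documents: the Prisma Cloud role must be granted the four actions listed in step 3, and the Splunk poller identity in step 6 is given "sqs:*" on one queue. The following is an added example, not Prisma Cloud's or AWS's code, that checks a policy document offline for those two properties: which of the required actions are missing, and which Allow statements use wildcard actions that a reviewer would want narrowed. The queue ARN, account number and queue name are constructed placeholders; the split into a queue-scoped statement and a "*" statement follows IAM's rule that sqs:ListQueues and tag:GetResources do not accept a resource ARN, while sqs:SendMessage and sqs:GetQueueAttributes do.

```python
import fnmatch
import json

# Actions from step 3 that the Prisma Cloud IAM Role policy must grant.
REQUIRED_SENDER_ACTIONS = (
    "sqs:GetQueueAttributes",
    "sqs:ListQueues",
    "sqs:SendMessage",
    "tag:GetResources",
)

# Constructed sample queue ARN (account number and queue name are placeholders).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:prisma-cloud-alerts"


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allow_statements(policy):
    """Yield the Allow statements that list an Action (Deny and NotAction are skipped)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield stmt


def missing_actions(policy, required=REQUIRED_SENDER_ACTIONS):
    """Return the required actions that no Allow statement grants, in the given order."""
    granted = [a for s in allow_statements(policy) for a in _as_list(s["Action"])]
    return [r for r in required if not any(_action_matches(g, r) for g in granted)]


def wildcard_actions(policy):
    """Return Allow action patterns containing a wildcard, e.g. 'sqs:*' or '*'."""
    return [a for s in allow_statements(policy)
            for a in _as_list(s["Action"]) if "*" in a or "?" in a]


def check_policy(policy):
    """Summarise a policy; two empty lists mean it grants the step-3 actions and nothing broad."""
    return {"missing": missing_actions(policy), "wildcards": wildcard_actions(policy)}


# Least-privilege shape for the Prisma Cloud role (constructed): queue-scoped where the
# action supports a resource ARN; ListQueues and tag:GetResources only accept "*".
SENDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
         "Resource": QUEUE_ARN},
        {"Effect": "Allow",
         "Action": ["sqs:ListQueues", "tag:GetResources"],
         "Resource": "*"},
    ],
}

# The step-6 consumer policy as valid JSON, with the placeholders filled in (constructed).
CONSUMER_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Action": [ "sqs:*" ], "Effect": "Allow",
                   "Resource": [ "%s" ] } ] }
""" % QUEUE_ARN)

if __name__ == "__main__":
    for name, pol in (("sender", SENDER_POLICY), ("consumer", CONSUMER_POLICY)):
        print(name, check_policy(pol))
```

Run against the sender policy the checker reports nothing missing and no wildcards; run against the step-6 consumer policy it reports "sqs:*" as a wildcard grant (and, as expected for a consumer identity, no tag:GetResources). The wildcard finding is the one to act on: the poller only reads from the queue, so its statement can be narrowed to the actions it actually uses, at minimum sqs:ReceiveMessage and sqs:DeleteMessage, while keeping the single-queue Resource ARN.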
