Integrate Prisma Cloud with Amazon SQS

Learn how to integrate Prisma™ Cloud with Amazon Simple Queue Service (SQS).
Prisma™ Cloud supports Amazon Simple Queue Service (SQS) to send alerts to customers, who can consume these alerts through a Splunk add-on or through the AWS CloudFormation service to enable custom workflows.
Alert notifications that include the entire alert payload are triggered for each alert as it is generated and are sent to Amazon SQS and Splunk. The command-line interface (CLI) remediation (the actual CLI commands and any instructions for running them) is included in the alert payload.
  1. Configure Amazon SQS to receive Prisma Cloud alerts.
    1. Log in to the Amazon console with the credentials needed to create and configure the SQS queue.
    2. Click Simple Queue Services (under Messaging services).
    3. Click Create New Queue, or use an existing queue.
    4. Enter a Queue Name and choose a Queue Type: Standard or FIFO.
    5. Click Configure Queue.
      For the attributes specific to the queue, use either the AWS default selection or set them per your company policies.
      Use SSE to keep all messages in the queue encrypted.
    6. Click Create Queue.
      This creates and displays your SQS queue.
    7. Click the queue that you created, view the Details, and copy the URL for this queue.
      You provide this value in Prisma Cloud to integrate Prisma Cloud notifications into this queue.
  2. If you are using encrypted queues in Amazon SQS, you must configure the Prisma Cloud Role with explicit permission to read the key.
    1. On the Amazon console, select IAM > Encryption Keys and click Create Key.
    2. Enter an Alias and Description. Select KMS and click Next.
    3. Add any required Tags and click Next.
    4. Select the IAM users who can use this key through the KMS API and click Next.
    5. Select the IAM users who can use this key to encrypt and decrypt the data.
    6. Review the key policy and click Finish.
  3. Enable read-access permissions to Amazon SQS on the IAM Role policy.
    The Prisma Cloud IAM Role policy you use to onboard your AWS setup needs these permissions:
    "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:SendMessage", "tag:GetResources"
    If you used the CloudFormation templates (CFTs) to onboard your AWS account, the Prisma Cloud IAM Role policy already has the permissions required for Amazon SQS.
  4. Set up the Amazon SQS integration in Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select Settings > Integrations.
    3. Set the Integration Type to Amazon SQS.
    4. Enter a name and description for the integration.
    5. Enter the Queue URL that you copied when you configured the queue in Amazon SQS.
    6. Click Next and then Test.
      You should see a success message.
    7. Click Save.
      After you set up the integration successfully, if the SQS URL becomes unresponsive the integration status (Settings > Integrations) turns red, and it turns green again when the issue is resolved.
  5. Create an Alert Rule or modify an existing rule to enable the Amazon SQS Integration.
  6. Ingest SQS alerts through the Splunk add-on.
    1. Create an IAM user (or use the AWS role) with the policy below and store the AWS Access Key ID and AWS Secret Access Key that are generated. For example, the value of the Resource key can be "arn:aws:sqs:us-east-1:123456789101:my_queue".
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [ "sqs:*" ],
            "Effect": "Allow",
            "Resource": [ "arn:aws:sqs:<YOUR_SQS_QUEUE_REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<YOUR_SQS_QUEUE_NAME>" ]
          }
        ]
      }
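A pre-flight check for the two policies this page depends on: the onboarding-role permissions listed in step 3 and the queue-scoped Resource of the Splunk add-on policy above. This is an added example, not Prisma Cloud or Splunk code; the queue ARN and the sample policies are constructed, and the check only evaluates Action, Effect and Resource (no Condition, NotAction or NotResource).

```python
import fnmatch

# Actions this page lists for the Prisma Cloud onboarding role (step 3 above).
PRISMA_ROLE_ACTIONS = ("sqs:GetQueueAttributes", "sqs:ListQueues",
                       "sqs:SendMessage", "tag:GetResources")
# Constructed queue ARN, in the form the add-on policy above expects.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789101:my_queue"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs are compared case-sensitively, with the same wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def missing_actions(policy, required, resource_arn):
    """Return the actions in `required` that no Allow statement grants on
    resource_arn, or that an explicit Deny statement removes. Conditions,
    NotAction and NotResource are ignored: this is a pre-flight lint,
    not the IAM policy simulator."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not any(_resource_matches(r, resource_arn)
                   for r in _as_list(stmt.get("Resource"))):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        patterns = _as_list(stmt.get("Action"))
        bucket.update(a for a in required
                      if any(_action_matches(p, a) for p in patterns))
    return [a for a in required if a not in allowed or a in denied]


# Constructed samples: the add-on policy from this page with a concrete ARN,
# and an onboarding-role policy that forgot sqs:SendMessage.
ADDON_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:*"], "Resource": [QUEUE_ARN]}]}
NARROW_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["sqs:GetQueueAttributes", "sqs:ListQueues", "tag:GetResources"]}]}
```

Calling missing_actions(NARROW_ROLE_POLICY, PRISMA_ROLE_ACTIONS, QUEUE_ARN) reports ['sqs:SendMessage']; an empty list means every listed action is granted on that queue, and checking ADDON_POLICY against a different queue ARN shows that the Resource value must name the queue you actually created.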
    2. Install the Prisma Cloud add-on from the Splunk marketplace using the Splunk add-on instructions.
    3. Launch the app, open the Inputs tab, and click Create New Input.
    4. Add a new input. Each input pulls messages from a single queue in the region you specify and uses the AWS Access Key ID and AWS Secret Access Key you provided.
      You can see the poller log messages using
      index="_internal" "[RL SQS Poller]"
      You can also see the events created by this poller using
      index="<selected index>" source="rl_sqs_json"
      An Alerts CIM mapping is also created, which you can use only if you have the Splunk Common Information Model app (https://splunkbase.splunk.com/app/1621) installed in your Splunk environment. To search using the data model, type
      | datamodel Alerts search
      in the search bar to get all the alerts generated.
