Configure Audit Logs

Prisma Cloud by default uses the Amazon CloudTrail service to fetch the change events (ingest the audit logs). You can configure near real-time visibility in Prisma Cloud to ingest the audit logs using Amazon EventBridge on your onboarded AWS accounts, which enables Prisma Cloud to move from a pull to a push method that triggers ingestion only when changes are made on the resources.
Prisma Cloud config ingestion leverages EventBridge and event-assisted ingestion to reduce the time to alert for any misconfigurations or policy violations as well as reduce the number of API calls. It makes the API call only if resource configuration has changed.
  • If you delete or disable your account, the associated EventBridge rules are correspondingly deleted or disabled in your AWS accounts and Prisma Cloud will not ingest audit logs or process audit logs policies.
  • Ingesting audit logs using EventBridge applies, for all member accounts in the organization, only to the regions enabled on the management account. If you disable an individual member account, only the rules specific to that member account are disabled.
  • When you run the CFT, Prisma Cloud creates rules in all accounts (including member) in only those regions where the management account is enabled.
  • If you delete EventBridge rules from your AWS accounts, Prisma Cloud will not ingest audit logs and will not process audit logs policies. There will also be a significant delay in processing config policies and generating the corresponding alerts.
  • If an AWS region does not support EventBridge, Prisma Cloud cannot support event-assisted ingestion for that region.
  1. After you Onboard Your AWS Account or Onboard Your AWS Organization, select Cloud Accounts.
     The steps to configure EventBridge are the same for a cloud account and an organization. When you configure it for an organization, make sure to run the CFT in the management account.
  2. Click the ( ) icon next to the AWS account or organization for which you want to ingest the audit logs using EventBridge.
  3. Click
  4. Click Near Real-Time Visibility.
  5. Configure Details
     1. Click Download EventBridge CFT.
        When you run the CFT, Prisma Cloud creates rules for all accounts (including member accounts) in only those regions where the management account is enabled.
        If an error message displays when you click Download EventBridge CFT, you need to first Download IAM Role CFT and complete the required steps in your AWS console before continuing with the EventBridge configuration.
     2. Log in to your AWS account and follow the steps to create a stack, select I acknowledge that AWS CloudFormation might create IAM resources with custom names, and click Create Stack.
     3. Wait for the status to display CREATE_COMPLETE.
  6. Return to your Prisma Cloud console.
  7. Click
  8. Review Status
     Review the status of the configuration. Once the template runs successfully on your account, a message is displayed for each region and Prisma Cloud starts to ingest audit logs from Amazon EventBridge.
  9. Click
     The corresponding EventBridge Rules are displayed in AWS.
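Because ingestion stops silently when a rule is deleted or disabled (see the notes above), it is worth checking rule state outside the console as well. The following script is an added example, not part of the Prisma Cloud documentation or the CFT: it reads the JSON printed by `aws events list-rules --region <region>` for each region and reports where the expected rule is missing, disabled, or present in a region that is not enabled on the management account. The rule-name prefix is a placeholder assumption (take the real names from the downloaded CFT), and the embedded `list-rules` output is constructed sample data.

```python
"""Audit EventBridge rule coverage for event-assisted ingestion (added example).

Consumes the JSON that `aws events list-rules --region <region>` prints and
reports, per region, whether the expected rule is present and ENABLED.
"""
import json
from typing import Dict, Iterable, List

# ASSUMPTION: placeholder prefix; substitute the rule names from your CFT.
RULE_NAME_PREFIX = "PLACEHOLDER-prisma-cloud-"


def audit_rules(enabled_regions: Iterable[str],
                list_rules_output: Dict[str, dict],
                name_prefix: str = RULE_NAME_PREFIX) -> Dict[str, str]:
    """Return one status per region.

    enabled_regions:   regions enabled on the management account, i.e. where
                       the CFT is expected to have created rules.
    list_rules_output: {region: parsed `aws events list-rules` JSON}.

    Statuses:
      ok         - matching rule(s) present and all ENABLED
      disabled   - a matching rule exists but is not ENABLED (ingestion stops)
      missing    - no matching rule in an enabled region (rule deleted?)
      unexpected - matching rule found in a region that is not enabled
    """
    enabled = set(enabled_regions)
    findings: Dict[str, str] = {}
    for region in sorted(enabled | set(list_rules_output)):
        rules: List[dict] = [
            r for r in list_rules_output.get(region, {}).get("Rules", [])
            if r.get("Name", "").startswith(name_prefix)
        ]
        if region not in enabled:
            if rules:
                findings[region] = "unexpected"
            continue
        if not rules:
            findings[region] = "missing"
        elif any(r.get("State") != "ENABLED" for r in rules):
            findings[region] = "disabled"
        else:
            findings[region] = "ok"
    return findings


# Constructed sample: trimmed `aws events list-rules` output for four regions
# (account id 111122223333 is a placeholder).
SAMPLE_LIST_RULES = {
    "us-east-1": json.loads("""{"Rules": [
        {"Name": "PLACEHOLDER-prisma-cloud-config-events", "State": "ENABLED",
         "Arn": "arn:aws:events:us-east-1:111122223333:rule/PLACEHOLDER-prisma-cloud-config-events"},
        {"Name": "unrelated-backup-schedule", "State": "ENABLED",
         "Arn": "arn:aws:events:us-east-1:111122223333:rule/unrelated-backup-schedule"}]}"""),
    "us-west-2": json.loads("""{"Rules": [
        {"Name": "PLACEHOLDER-prisma-cloud-config-events", "State": "DISABLED",
         "Arn": "arn:aws:events:us-west-2:111122223333:rule/PLACEHOLDER-prisma-cloud-config-events"}]}"""),
    "eu-west-1": json.loads("""{"Rules": [
        {"Name": "unrelated-backup-schedule", "State": "ENABLED",
         "Arn": "arn:aws:events:eu-west-1:111122223333:rule/unrelated-backup-schedule"}]}"""),
    "ap-southeast-1": json.loads("""{"Rules": [
        {"Name": "PLACEHOLDER-prisma-cloud-config-events", "State": "ENABLED",
         "Arn": "arn:aws:events:ap-southeast-1:111122223333:rule/PLACEHOLDER-prisma-cloud-config-events"}]}"""),
}
# Regions assumed enabled on the management account in this sample.
ENABLED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def check_sample() -> Dict[str, str]:
    """Run the audit over the constructed sample."""
    return audit_rules(ENABLED_REGIONS, SAMPLE_LIST_RULES)


if __name__ == "__main__":
    for region, status in check_sample().items():
        print(f"{region:15} {status}")
```

In practice you would replace `SAMPLE_LIST_RULES` with the real CLI output collected per region (one `list-rules` call for each region enabled on the management account) and treat any `missing` or `disabled` result as a reason to re-run the CFT or re-enable the account, since both states mean Prisma Cloud is no longer receiving change events for that region.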