Configure Flow Logs
Prisma Cloud Enterprise Edition
Prisma Cloud ingests the VPC flow logs from Amazon S3 buckets stored in a logging account and makes them available for network policy alerting and visualization. After onboarding your AWS account, you need to onboard the logging account that has the S3 bucket storing VPC flow logs for the monitored account. The default retention period of flow logs is 30 days, after which they are purged. You can query flow log data for the last 30 days. CloudWatch is the default selection to ingest flow logs and does not require additional configuration.
When creating S3 flow logs on the AWS console, make sure to partition your flow logs for Every 1 hour (60 minutes). The hourly (60 minutes) partition provides better ingestion performance than the 24 hours partition. Selecting the additional fields on the AWS console that are used in the Internet exposure calculation in network policies addresses the false positives for those network policies.
- On your AWS console, create a flow log with the following specifications.
- The new flow logs format requires all connection direction related fields. Here’s a sample format:
- Select All instead of manually selecting each field. Or you can choose the custom format and select the following required fields:
- account-id
- action
- interface-id
- srcaddr
- dstaddr
- srcport
- dstport
- protocol
- packets
- bytes
- start
- end
- log-status
- region
- version
- tcp-flags
- flow-direction
- traffic-path
- vpc-id
- subnet-id
- instance-id
- pkt-srcaddr
- pkt-dstaddr
- pkt-src-aws-service
- pkt-dst-aws-service
- Set Partition logs by time to Every 1 hour (60 minutes).
- Set Log file format to Text. Prisma Cloud supports ingestion of only text format files.
- You are not required to change anything on Prisma Cloud as long as the S3 bucket does not change.
Onboarded Accounts that Use S3
For your previously onboarded AWS accounts that are using S3 with 24 hours partition, you can now select hourly partition. Prisma Cloud checks whether flow logs have all the necessary permissions required for hourly partition (it does not check for the fields).
- After you Onboard Your AWS Account, select Settings > Cloud Accounts.
- Click the View icon next to the AWS account for which you want to configure the logging account and buckets to fetch flow logs from S3.
- Click Threat Detection.
- Select S3 under Flow Logs.
- Click Configure S3.
- Configure Logging Account.
- Click Add Logging Account or select from the logging accounts displayed (if you have previously set up logging accounts).
- Click Next.
- Enter an Account ID, Account Name, and Role Name and click Next. By default, the role name is prisma-cloud-logging-role, which you can customize. All the configured Logging Accounts are displayed. You can select one of these Logging Accounts that contains the S3 bucket to which the VPC flow logs are being sent for the respective monitored account, or you can Add a new Logging Account as described in the step above.
- Configure Buckets.
- Enter a Bucket Name and the Bucket Region that you have configured as the destination for flow logs on the AWS Logging Account VPC Console. The Bucket Path Prefix (comma-separated list) and Key ARN are optional. If you have a specific path prefix for flow logs (Bucket Path) or have configured bucket encryption (Key ARN), enter those values. If you’ve enabled hourly partitions, the files are published to the following location: bucket-and-optional-prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/ In AWS, the bucket-and-optional-prefix is added to the S3 bucket ARN as a folder in the flow log settings page. Make sure you add the same bucket-and-optional-prefix in the prefix section in Prisma Cloud.
- Add or Remove multiple buckets used for logging.
- Click Next.
- Follow the steps displayed on Logging Account Template.
- Enter the Role ARN.
- Click Validate. You can proceed further only if the validation is successful and you see a green Validated checkmark. The CFT template is deployed on the Logging Account through your AWS Management Console.
- Click Save.
- Configure S3 Flowlogs.
- Select all the applicable Logging Buckets that Prisma Cloud can access and from which it can ingest flow logs.
- After selecting the Logging Buckets, click Validate to make sure Prisma Cloud has all the basic required permissions and access. If all the required permissions are present, a green Validated checkmark displays. If not, an error message displays. If you want to configure a different logging account and buckets, click the Edit icon.
- Click Save. You can save your settings regardless of the validation status. For accounts that are using CloudWatch and now want to upgrade to S3, the Enable Hourly Partition checkbox is enabled (grayed out) by default to ensure hourly partitioning is used.
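As an added pre-onboarding check (example code, not Prisma Cloud's or AWS's own), the following Python builds the custom log format value for the required fields listed above, reports which required fields a text-format flow log header is missing, and tests whether an S3 object key follows the hourly partition layout described under Configure Buckets. The header line, the key, and the account and flow log ids in it are constructed samples.

```python
import re

# Fields Prisma Cloud requires in the custom flow-log format (from the list above).
REQUIRED_FIELDS = [
    "account-id", "action", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "log-status",
    "region", "version", "tcp-flags", "flow-direction", "traffic-path",
    "vpc-id", "subnet-id", "instance-id", "pkt-srcaddr", "pkt-dstaddr",
    "pkt-src-aws-service", "pkt-dst-aws-service",
]

# Hourly layout from the page: prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/file
HOURLY_KEY = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/vpcflowlogs/"
    r"(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/(?P<hour>\d{2})/[^/]+$"
)

def log_format_string(fields=REQUIRED_FIELDS):
    """Build the custom-format value in AWS's ${field} syntax, space separated."""
    return " ".join(f"${{{f}}}" for f in fields)

def missing_fields(header_line):
    """Text-format flow log files begin with a header line naming each column.
    Return the required fields that header does not contain, in the order above."""
    present = set(header_line.split())
    return [f for f in REQUIRED_FIELDS if f not in present]

def is_hourly_partition(key):
    """True when an S3 object key sits under an hour directory (hourly partition),
    False for the 24-hour layout, which stops at the day directory."""
    return HOURLY_KEY.match(key) is not None

def bucket_path_prefix(key):
    """The value to enter as Bucket Path Prefix in Prisma Cloud: whatever precedes
    AWSLogs/ in the key, '' when logs sit at the bucket root, None if not hourly."""
    m = HOURLY_KEY.match(key)
    return (m.group("prefix") or "") if m else None

if __name__ == "__main__":
    # Constructed sample: AWS's default 14-field header, which lacks the direction fields.
    default_header = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                      "protocol packets bytes start end action log-status")
    print("missing:", missing_fields(default_header))
    # Constructed sample key (account id and flow log id are placeholders).
    key = ("flowlogs/AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/05/01/13/"
           "123456789012_vpcflowlogs_us-east-1_fl-0123456789abcdef0_20240501T1300Z_a1b2c3d4.log.gz")
    print("hourly:", is_hourly_partition(key), "prefix:", bucket_path_prefix(key))
```

Run `missing_fields` against the first line of a sample file from the bucket and `is_hourly_partition` against a few object keys before clicking Validate; an empty missing list and True for every key means the AWS side matches what Prisma Cloud expects.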