Ingest Audit Logs Using Amazon EventBridge
Prisma Cloud config ingestion leverages EventBridge and event-assisted ingestion to reduce the time to alert for any misconfigurations or policy violations as well as reduce the number of API calls. It makes the API call only if resource configuration has changed.
By default, Prisma Cloud uses the Amazon CloudTrail service to fetch the change events (ingest the audit logs). You can now configure near real-time visibility in Prisma Cloud to ingest the audit logs using Amazon EventBridge on your onboarded AWS accounts, which enables Prisma Cloud to move from a pull to a push method that triggers ingestion only when changes are made on the resources.
- If you delete or disable your account, the associated EventBridge rules are correspondingly deleted or disabled in your AWS accounts, and Prisma Cloud will no longer ingest audit logs or process audit log policies.
- For an organization, ingesting audit logs using EventBridge applies only to the regions enabled for the management account, for all member accounts that are part of the organization. If you individually disable a member account, only the rules specific to that member account are disabled.
- When you run the CFT, Prisma Cloud creates rules in all accounts (including member accounts), but only in those regions where the management account is enabled.
- If you delete the EventBridge rules from your AWS accounts, Prisma Cloud will not ingest audit logs and will not process audit log policies. There will also be a significant delay in processing config policies and generating the corresponding alerts.
- If an AWS region does not support EventBridge, Prisma Cloud cannot support event-assisted ingestion for that region.
- Onboard your AWS account.
- Ingest audit logs using Amazon EventBridge.
- Log in to Prisma Cloud.
- Select Settings > Cloud Accounts.
- Edit the AWS account for which you want to ingest the audit logs using EventBridge. The steps to configure EventBridge are the same for a cloud account and an organization. When you configure it for an organization, make sure to run the CFT in the management account.
- On the Account Overview page, scroll to Near Real-Time Visibility and click Configure.
- Download EventBridge CFT. When you run the CFT, Prisma Cloud creates rules in all accounts (including member accounts), but only in those regions where the management account is enabled. If an error message is displayed when you click Download EventBridge CFT, you need to Download IAM Role CFT and complete those steps before continuing with the EventBridge configuration.
- Log in to your AWS account and follow the steps to create a stack, select the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." checkbox, and click Create Stack.
- Wait for the stack status to display CREATE_COMPLETE.
- Return to the Prisma Cloud console and click Next.
- Review the configuration. Once the template has run successfully on the account, the Review Status is displayed for each region. Click Save.
- A Successful message is displayed and Prisma Cloud starts to ingest audit logs from Amazon EventBridge.
- The corresponding EventBridge Rules are displayed in AWS.
Troubleshoot EventBridge Errors
In cases where you configured EventBridge successfully and created all the rules required for ingestion, but the rules were then accidentally deleted, or you enabled a region in your account that Prisma Cloud already supported, the Status page displays errors across the regions. To resolve this error, update the EventBridge CFT as follows:
- Click Edit.
- Download EventBridge CFT again and follow the steps in your AWS console to re-enable the rules.
- Return to the Prisma Cloud console, make sure Review Status displays Successful for each region, and click Save.
- Click Operational, located next to Audit Logs under Status on the cloud account overview page, and verify the status.
- Click EventBridge to expand and view the status for each region.
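As an added check, not Prisma Cloud's own tooling: a script that walks the account's enabled regions and reports where the rules created by the EventBridge CFT are missing or disabled, the two conditions the Status page flags above. RULE_PREFIX is an assumed placeholder, and the client factory is boto3 in a live run and a stub under test.

```python
from typing import Callable, Dict, Iterable, List

# Placeholder, not a documented Prisma Cloud value: set it to the common prefix
# of the rule names that appear in the EventBridge console after the CFT runs.
RULE_PREFIX = "PrismaCloud"


def list_rules(client, prefix: str) -> List[dict]:
    """Page through EventBridge list_rules so rules past the first page count."""
    rules, token = [], None
    while True:
        kwargs = {"NamePrefix": prefix}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_rules(**kwargs)
        rules.extend(resp.get("Rules", []))
        token = resp.get("NextToken")
        if not token:
            return rules


def audit_regions(client_factory: Callable[[str], object],
                  regions: Iterable[str], prefix: str = RULE_PREFIX) -> Dict[str, str]:
    """Classify each region as 'ok', 'disabled' or 'missing'.

    'missing' covers both documented failure modes: rules deleted by hand, and a
    region enabled after the CFT last ran, so it never received rules.
    """
    report = {}
    for region in regions:
        rules = list_rules(client_factory(region), prefix)
        if not rules:
            report[region] = "missing"
        elif any(r.get("State") != "ENABLED" for r in rules):
            report[region] = "disabled"
        else:
            report[region] = "ok"
    return report


def regions_needing_cft_rerun(report: Dict[str, str]) -> List[str]:
    """Regions where the EventBridge CFT must be downloaded and run again."""
    return sorted(region for region, state in report.items() if state != "ok")


if __name__ == "__main__":
    import boto3  # only needed for a live run against a real account
    enabled = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    report = audit_regions(lambda reg: boto3.client("events", region_name=reg), enabled)
    for region in regions_needing_cft_rerun(report):
        print(f"{region}: {report[region]}")
```

Run it with credentials for the account (or each member account) that the CFT was applied to; any region it lists is one to re-run the EventBridge CFT for before checking the Status page again.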