Ingest Audit Logs Using Amazon EventBridge

Prisma Cloud config ingestion leverages EventBridge and event-assisted ingestion to reduce the time to alert for any misconfigurations or policy violations as well as reduce the number of API calls. It makes the API call only if resource configuration has changed.
By default, Prisma Cloud uses the Amazon CloudTrail service to fetch the change events (ingest the audit logs). You can now configure near real-time visibility in Prisma Cloud to ingest the audit logs using Amazon EventBridge on your onboarded AWS accounts, which enables Prisma Cloud to move from a pull to a push method that triggers ingestion only when changes are made on the resources.
  • If you delete or disable your account, the associated EventBridge rules are correspondingly deleted or disabled in your AWS accounts and Prisma Cloud will not ingest audit logs or process audit logs policies.
  • Ingesting audit logs using EventBridge is only applicable for the management account enabled regions for all the member accounts that are part of the organization. If you individually disable a member account, specific rules for that member account are disabled.
  • When you run the CFT, Prisma Cloud creates rules in all accounts (including member) in only those regions where the management account is enabled.
  • If you delete EventBridge rules from your AWS accounts, Prisma Cloud will not ingest audit logs and will not process audit logs policies. There will also be a significant delay in processing config policies and generating the corresponding alerts.
  • If an AWS region does not support EventBridge, Prisma Cloud cannot support event-assisted ingestion for that region.
  1. Onboard your AWS account.
  2. Ingest audit logs using Amazon EventBridge.
    1. Login to Prisma Cloud.
    2. Select
      Settings
      Cloud Accounts
      .
    3. Edit
      the AWS account for which you want to ingest the audit logs using EventBridge.
      The steps to configure EventBridge are the same for your cloud account and organization. When you configure it for organization, make sure to run the CFT in the management account.
    4. On the Account Overview page, scroll to
      Near Real-Time Visibility
      and click
      Configure
      .
    5. Download EventBridge CFT
      .
      When you run the CFT Prisma Cloud creates rules in all accounts (including member) in only those regions where the management account is enabled.
      If an error message is displayed when you click
      Download EventBridge CFT
      , you need to
      Download IAM Role CFT
      and go through the steps before continuing with EventBridge configuration.
    6. Log in to your AWS account and follow the steps to create a stack, select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names.
      , and click
      Create Stack
      .
    7. Wait for status to display CREATE_COMPLETE.
    8. Return to your Prisma Cloud console and click
      Next
      .
    9. Review the configuration. Once the template is run successfully on the account, the
      Review Status
      displays for each region. Click
      Save
      .
    10. A
      Successful
      message is displayed and Prisma Cloud starts to ingest audit logs from Amazon EventBridge.
    11. The corresponding EventBridge Rules are displayed in AWS.

Troubleshoot EventBridge Errors

In cases where you configured EventBridge successfully and created all the rules required for ingestion, however, the rules were accidentally deleted, or you enabled a region in your account that Prisma Cloud already supported, the
Status
page will display errors across the regions. To resolve this error you need to update the EventBridge CFT as follows:
  1. Click
    Edit
    .
  2. Download EventBridge CFT
    again and follow the steps in your AWS console in order to renable the rules.
  3. Return to the Prisma Cloud console, make sure
    Review Status
    displays
    Successful
    for each region, and click
    Save
    .
  4. Click
    Operational
    located next to
    Audit Logs
    under
    Status
    on the cloud account overview page and verify the status.
  5. Click
    Eventbridge
    to expand and view the status for each region.

Recommended For You