Prisma Cloud: Audit Event RQL shows "No Results" despite having read only Audit Events

Created On 01/22/24 21:55 PM - Last Modified 10/02/24 20:46 PM


Symptom


AssumeRole log entries appear in AWS CloudTrail among the read-only events.

Cloudtrail_readonly_option.png


Despite these read-only CloudTrail events, the Audit Event RQL query in Prisma Cloud returns no results.
The cloud account status is green under Settings > Cloud Account.
 
event from cloud.audit_logs where operation = 'AssumeRole' 

GUI Path: Investigate Page > RQL 
Prisma_Operation_AssumeRole_log.png


Environment


  • Prisma Cloud
  • Audit Event RQL 


Cause


Prisma Cloud does not ingest read-only logs. The dev team can make specific exceptions and allow certain read events to be ingested, but this is not a blanket ingestion of all read-only events. Prisma Cloud has an internal limitation of 10 read-only events to be ingested. Without that limitation, there would be an API rate limitation timeout.
 


Resolution


Therefore Prisma Cloud only supports write events in AWS CloudTrail. 
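
To confirm that this behaviour explains an empty query, check the readOnly field of the CloudTrail records for the operation in question. The script below is an added example, not Palo Alto Networks code: the sample records are constructed and the function names are hypothetical. It cannot tell which read events are on the exception list, because this article does not list them.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "readOnly": True},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "readOnly": True},
    # Some exports stringify booleans; treat "true"/"false" the same way.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": "true"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "readOnly": False},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},  # readOnly absent
]})


def is_read_only(record):
    """Return True/False from the record's readOnly field, or None if absent."""
    value = record.get("readOnly")
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def summarize(log_text):
    """Count events per operation, split into read-only, write and unknown."""
    summary = {"read_only": Counter(), "write": Counter(), "unknown": Counter()}
    for record in json.loads(log_text).get("Records", []):
        flag = is_read_only(record)
        bucket = "unknown" if flag is None else ("read_only" if flag else "write")
        summary[bucket][record.get("eventName", "?")] += 1
    return summary


def explains_empty_rql(log_text, operation):
    """True when every record seen for `operation` is read-only, so an empty
    Audit Event RQL result matches the ingestion behaviour described above."""
    s = summarize(log_text)
    only_reads = s["write"][operation] == 0 and s["unknown"][operation] == 0
    return s["read_only"][operation] > 0 and only_reads


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_LOG).items():
        print(bucket, dict(counts))
    print("AssumeRole:", explains_empty_rql(SAMPLE_LOG, "AssumeRole"))
```

If the function returns False for an operation that the RQL query still does not show, the missing results are not explained by the read-only behaviour and the ingestion path itself needs checking.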
