Prisma Cloud: Audit Event RQL Shows "No Results" Despite Read-Only Audit Events

Created On 01/22/24 21:55 PM - Last Modified 01/07/25 04:29 AM


Symptom


AssumeRole log entries appear in AWS CloudTrail as read-only events.

Cloudtrail_readonly_option.png


Despite these read-only CloudTrail events being present, the Audit Event RQL query in Prisma Cloud returns no results.
Cloud account status is green under (Settings > Cloud Account).
event from cloud.audit_logs where operation = 'AssumeRole' 

GUI Path: Investigate Page > RQL
Prisma_Operation_AssumeRole_log.png


Environment


  • Prisma Cloud
  • Audit Event RQL


Cause


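Prisma Cloud does not ingest read-only logs. The development team can make specific exceptions and allow ingestion of certain read events, but this is not a blanket ingestion of all read-only events. Prisma Cloud's internal limit is to ingest 10 read-only events. Otherwise, the API rate limit would time out.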


Resolution


Therefore, Prisma Cloud supports only write events in AWS CloudTrail.
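To confirm that an empty RQL result is explained by this behavior, the following added example (not part of the original article or any Palo Alto Networks tooling) sorts CloudTrail records by their `readOnly` field and lists the operations that should not be expected in audit-event RQL. The sample records are constructed, and `ingested_read_exceptions` is a hypothetical parameter for any read events your tenant has an exception for, since the article does not list them.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "readOnly": True},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "readOnly": True},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": "true"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "readOnly": False},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},  # readOnly absent
]})


def is_read_only(record):
    """Return True/False from the record's readOnly field, or None if absent."""
    value = record.get("readOnly")
    if value is None:
        return None
    if isinstance(value, str):  # some exports carry the flag as a string
        return value.strip().lower() == "true"
    return bool(value)


def triage(log_text, ingested_read_exceptions=()):
    """Split event names into those expected and not expected in audit-event RQL."""
    expected, not_expected, unknown = Counter(), Counter(), Counter()
    exceptions = set(ingested_read_exceptions)  # hypothetical, tenant-specific
    for record in json.loads(log_text).get("Records", []):
        name = record.get("eventName", "<missing eventName>")
        flag = is_read_only(record)
        if flag is None:
            unknown[name] += 1          # cannot classify, check manually
        elif flag and name not in exceptions:
            not_expected[name] += 1     # read-only: not ingested
        else:
            expected[name] += 1         # write event or allowed exception
    return expected, not_expected, unknown


if __name__ == "__main__":
    expected, not_expected, unknown = triage(SAMPLE_LOG)
    for title, bucket in (("write, ingested", expected),
                          ("read-only, not ingested", not_expected),
                          ("readOnly missing, check manually", unknown)):
        print(f"{title}: {dict(bucket)}")
```
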
