Prisma Cloud: Integration between QRadar and Prisma Cloud through AWS SQS

Created On 10/03/23 17:55 PM - Last Modified 09/17/25 20:19 PM


Symptom


  • The integration between QRadar and Prisma through AWS SQS is in place, but IBM QRadar is rejecting the data.
  • The user has opened a case with IBM QRadar support; some fields are not included. IBM QRadar has the DSM available, so it is not clear why the fields are missing.


Environment


  • Prisma Cloud


Cause


  • You can set up an S3 integration from Prisma Cloud.
  • QRadar provides support for SQS messaging and integration.


Resolution


After setting up an S3 integration with Prisma Cloud, the client will need to perform the following:

  1. Set up an SQS queue for the ObjectCreated notification.
    a. Identify or create an S3 bucket for storing logs.
    b. Identify or create an SQS queue.
  2. Once created, set up a permission that allows the S3 bucket to send a message to the queue.
    c. Create the ObjectCreated notification.
    d. Create a rule in EventBridge to forward the notification to the SQS queue.
  3. Create an AWS account for QRadar so it can access the S3 resources (this can be done in many ways).
  4. Add the new log source to QRadar using the Protocol Configuration Type: S3 REST API.
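
The permission in step 2 is a resource policy on the queue, and it should name the sending service and pin it to one source ARN rather than allow any sender. The following is an added example, not code from this article or from IBM: it builds such a policy and audits a policy for statements that lack the pin. The ARNs, account ID and function names are constructed for illustration; when an EventBridge rule does the forwarding, the service is `events.amazonaws.com` and the source ARN is the rule's ARN.

```python
import json

# Constructed sample values (not from the article).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-prisma-logs-queue"
BUCKET_ARN = "arn:aws:s3:::example-prisma-logs"

def queue_policy(queue_arn, service, source_arn, source_account=None):
    """Queue access policy: only `service`, acting for `source_arn`, may send."""
    condition = {"ArnEquals": {"aws:SourceArn": source_arn}}
    if source_account:  # S3 bucket ARNs carry no account ID, so pin it too
        condition["StringEquals"] = {"aws:SourceAccount": source_account}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowLogNotifications",
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": condition,
    }]}

def audit_queue_policy(policy):
    """List Allow statements whose sender is not pinned to a source ARN."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        service = isinstance(principal, dict) and "Service" in principal
        pinned = any(
            key.lower() == "aws:sourcearn"
            for op, keys in st.get("Condition", {}).items()
            if op.lower().startswith("arn") for key in keys)
        if (wildcard or service) and not pinned:
            kind = "any principal" if wildcard else "service principal"
            findings.append(f"{st.get('Sid', '<no Sid>')}: {kind} without aws:SourceArn")
    return findings

# Constructed weak policy: any S3 bucket in any account could send to the queue.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]}

if __name__ == "__main__":
    good = queue_policy(QUEUE_ARN, "s3.amazonaws.com", BUCKET_ARN, "111122223333")
    print(json.dumps(good, indent=2))
    print(audit_queue_policy(good), audit_queue_policy(WEAK))
```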



Additional Information


Check out the IBM QRadar blog for more information.   


