Prisma Cloud SQS poller to Syslog
Version: 1.2 Author: Eddie Beuerlein
Summary
This script will poll an AWS SQS queue for Prisma Cloud alerts and then format them and send them to a syslog listener (locally or remote). This can be used for QRadar as well.
Requirements and Dependencies
-
Python 3.x or newer
-
Requests (Python library)
sudo pip install requests
- YAML (Python library)
sudo pip install pyyaml
Configuration
- Set environment variables for AWS Key/Secret per boto3 instructions
Boto3 will check these environment variables for credentials:
AWS_ACCESS_KEY_ID
The access key for your AWS account.
AWS_SECRET_ACCESS_KEY
The secret key for your AWS account.
AWS_SESSION_TOKEN
The session key for your AWS account. This is only needed when you are using temporary credentials. The AWS_SECURITY_TOKEN environment variable can also be used, but is only supported for backwards compatibility purposes. AWS_SESSION_TOKEN is supported by multiple AWS SDKs besides python.
-
Navigate to sqs_to_syslog/config/configs.yml
-
Setup the sqs queue and aws region as well as syslog server(defaults to localhost) in the config/configs.yml
-
Schedule to run the main script via cron or something similar: python poll_n_write.py
Run
python poll_n_write.py