Prisma Cloud

Automate and unify security incident response across your cloud environments while providing control to dedicated cloud teams.

Cloud adoption has expanded the threat surface and created disparate ecosystems that hamper visibility into security vulnerabilities across the network.

In addition, multiple teams often manage cloud provisioning, making it difficult for security teams to monitor.

This pack includes playbooks that automate Prisma Cloud alert response and also includes custom incident fields, views, and layouts to facilitate analyst investigation.

The remediation playbooks orchestrate across multiple native cloud integrations (AWS, GCP, Azure) to automate actions such as changing policies, revoking access, and creating new rules.

With this content pack, you can significantly reduce the time your Security Analysts/Cloud Operations team spends on Cloud Security alerts and standardize the way you manage misconfiguration incidents.

What does this pack do?

The playbooks included in this pack help automate the remediation of alerts generated from the Prisma Cloud platform.

  • Take action on, remediate, and resolve incidents/alerts from Prisma Cloud.
  • Track configuration issues across all your Cloud environments.
  • Ensure your Cloud environments are compliant and up to date with the latest compliance standards.
  • Configure your Cloud environments using industry best practices.

As part of this pack, you also get out-of-the-box Prisma Cloud incident views, segregated alert layouts, and playbooks. All of these are easily customizable to suit the needs of your organization.

In this Pack

Automations

PrismaCloudAttribution

Recursively extracts specified fields from a provided list of assets for the Prisma Cloud attribution use case.

Integrations

The pack contains the Prisma Cloud (RedLock) integration. Read more about the integration in the Prisma Cloud (RedLock) article.

Classifiers & Mappers

  • Prisma Cloud - Classifier - Classifies incoming Prisma Cloud events that are created through the 'fetch incidents' command in the Prisma Cloud integration.
  • Prisma Cloud - Incoming Mapper - Maps incoming Prisma Cloud event fields for events that are created through the 'fetch incidents' command in the Prisma Cloud integration.
  • Prisma Cloud App - Classifier - Classifies incoming Prisma Cloud events that are pushed into Cortex XSOAR through the Prisma Cloud App add-on (that is, incidents pushed to XSOAR by the add-on rather than fetched by the integration's 'fetch incidents' command).
  • Prisma Cloud App - Incoming Mapper - Maps incoming Prisma Cloud event fields for events that are pushed into Cortex XSOAR through the Prisma Cloud App add-on (that is, incidents pushed to XSOAR by the add-on rather than fetched by the integration's 'fetch incidents' command).

Playbooks

The pack contains many playbooks, including the parent playbooks associated with the incident types in the pack and the sub-playbooks that remediate specific Prisma Cloud policy violations.

Some of the remediation playbooks in the pack, grouped by the cloud provider whose policies they remediate:

AWS

Azure

GCP

GCP Kubernetes Engine Misconfiguration

Incident types

  • Prisma Cloud - All alerts that are fetched from the Prisma Cloud integration are classified and mapped into this generic incident type, unless a specific incident type for this alert is supported.
  • AWS CloudTrail Misconfiguration
  • AWS EC2 Instance Misconfiguration
  • AWS IAM Policy Misconfiguration
  • Azure AKS Misconfiguration
  • Azure Network Misconfiguration
  • Azure SQL Misconfiguration
  • Azure Storage Misconfiguration
  • GCP Compute Engine Misconfiguration
  • GCP Kubernetes Engine Misconfiguration

Layouts

After an incident is fetched from the Prisma Cloud integration, it is automatically classified into one of the incident types in the pack.

The incident types all have a similar layout containing all relevant data from the Prisma Cloud alert. The incident layout enables the analyst to view the incident's workflow and take action.

The Prisma Cloud incident layout contains the following tabs:

  • Case Info tab - Provides basic information about the Prisma Cloud alert.
  • Investigation tab - Provides a more detailed view of the incident, including the violated policy, the details of the violating resource, the specific alert rules that triggered the incident, and the list of remediation actions the Prisma Cloud team recommends for handling the policy violation.

Pack Workflow and Configuration

Once you configure the Prisma Cloud integration to fetch incidents, all incidents that are created in Cortex XSOAR are classified and mapped into the Prisma Cloud generic incident type, unless a specific incident type for this alert is already supported.

This incident type shows all of the generic alert information from Prisma Cloud, but does not trigger any playbook.

For all other supported incident types, the incident triggers the parent playbook assigned to that incident type.

The analyst decides whether to use the automatic remediation path in the playbook, or to handle the policy violation manually using the recommendations given in the layout.

Each incident type and assigned playbook can remediate several policy violations that are relevant for the use case, based on the policy ID mapped from the incident.
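To make the classification flow above concrete, here is an added Python example (not the pack's own automation, classifier or mapper code). It recursively pulls named fields out of nested alert data, the job the page describes for the PrismaCloudAttribution automation, then maps an alert's policy ID to an incident type using a subset of the policy table in Before You Start, falling back to the generic type that triggers no playbook. The alert JSON shape (policy.policyId, resource.*) and the unsupported placeholder policy ID are constructed for illustration.

```python
"""Illustrative model of the pack's alert-classification flow.

Added example, not the pack's own code. The alert shape below is a
constructed sample; field names are assumptions, not the pack's mapping.
"""
from typing import Any, Dict, Iterable, List

# Generic incident type: receives every unsupported alert, triggers no playbook.
GENERIC_INCIDENT_TYPE = "Prisma Cloud"

# Subset of the pack's policy-ID -> incident-type table (IDs as listed on this page).
POLICY_TO_INCIDENT_TYPE: Dict[str, str] = {
    "05befc8b-c78a-45e9-98dc-c7fbaef580e7": "AWS CloudTrail Misconfiguration",
    "b82f90ce-ed8b-4b49-970c-2268b0a6c2e5": "AWS EC2 Instance Misconfiguration",
    "168bfaa0-8c1d-427e-bfa8-4d96d82e3d83": "AWS IAM Policy Misconfiguration",
    "3beed53c-3f2d-47b6-bb6f-95da39ff0f26": "Azure Network Misconfiguration",
    "7a506ab4-d0a2-48ee-a6f5-75a97f11397d": "Azure Storage Misconfiguration",
    "6e125379-081e-4b06-a7ba-f04da2f0901a": "GCP Kubernetes Engine Misconfiguration",
}

# Constructed sample alerts: one supported policy, one policy ID the pack does
# not map (all-zero placeholder UUID), and one alert with no policy ID at all.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {
        "id": "P-1001",
        "policy": {
            "policyId": "b82f90ce-ed8b-4b49-970c-2268b0a6c2e5",
            "name": "AWS Security Groups allow internet traffic from the internet to RDP port (3389)",
        },
        "resource": {
            "cloudType": "aws",
            "accountId": "111122223333",
            "region": "us-east-1",
            "data": {"groupId": "sg-constructed0001"},
        },
    },
    {
        "id": "P-1002",
        "policy": {"policyId": "00000000-0000-0000-0000-000000000000", "name": "constructed unsupported policy"},
        "resource": {"cloudType": "gcp", "accountId": "constructed-project", "region": "us-central1"},
    },
    {
        "id": "P-1003",
        "policy": {"name": "constructed alert missing its policy ID"},
        "resource": {"cloudType": "azure", "accountId": "constructed-subscription", "region": "eastus"},
    },
]


def extract_fields(data: Any, wanted: Iterable[str]) -> Dict[str, List[Any]]:
    """Recursively collect every value stored under any key in ``wanted``, at any
    depth of nested dicts and lists, in document order. Keys never seen map to []."""
    keys = set(wanted)
    found: Dict[str, List[Any]] = {k: [] for k in keys}

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key in keys:
                    found[key].append(value)
                walk(value)  # keep descending: nested assets may repeat the key
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return found


def classify_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Map one alert to an incident type by policy ID, as the workflow section
    describes. Unknown or missing IDs land in the generic type, which displays
    the alert data but triggers no playbook."""
    ids = extract_fields(alert, ["policyId"])["policyId"]
    policy_id = ids[0] if ids else None
    incident_type = POLICY_TO_INCIDENT_TYPE.get(policy_id, GENERIC_INCIDENT_TYPE)
    return {
        "alert_id": alert.get("id"),
        "policy_id": policy_id,
        "incident_type": incident_type,
        "triggers_playbook": incident_type != GENERIC_INCIDENT_TYPE,
    }


def attribution_summary(alerts: List[Dict[str, Any]],
                        fields: Iterable[str] = ("cloudType", "accountId", "region")) -> Dict[str, List[str]]:
    """Deduplicated, sorted values per attribution field across all alerts."""
    collected = extract_fields(alerts, fields)
    return {k: sorted({str(v) for v in vals}) for k, vals in collected.items()}


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(classify_alert(sample))
    print(attribution_summary(SAMPLE_ALERTS))
```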

Before You Start

As part of the Prisma Cloud pack, we have created out-of-the-box classification and mapping that create incidents for all of the Prisma Cloud policies that are supported and remediated through this pack.

The classification and remediation policies are:

| Policy ID | Incident Type | Policy Name | Description |
|---|---|---|---|
| All | Prisma Cloud | - | The generic incident type for this pack. All incidents that are created through the Prisma Cloud integration and don't have a specific supported incident type yet are classified and mapped to this incident type. |
| 05befc8b-c78a-45e9-98dc-c7fbaef580e7 | AWS CloudTrail Misconfiguration | CloudTrail is not enabled on the account | Checks that CloudTrail is enabled on the account. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail to have a complete audit trail of activities across various services. |
| 0d07ac51-fbfe-44fe-8edb-3314c9995ee0 | AWS CloudTrail Misconfiguration | CloudTrail trail is not integrated with CloudWatch Log | Enabling the CloudTrail trail logs integrated with CloudWatch Logs enables real-time as well as historic activity logging. This improves monitoring and alarm capability. |
| 36a5345a-230d-438e-a04c-a287a513e3dc | AWS CloudTrail Misconfiguration | AWS CloudTrail is not enabled in all regions | Checks that CloudTrail is enabled across all regions. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to have a complete audit trail of activities across various services. |
| 38e3d3cf-b694-46ec-8bd2-8f02194b5040 | AWS CloudTrail Misconfiguration | AWS CloudTrail log validation is not enabled in all regions | Identifies AWS CloudTrails in which log validation is not enabled in all regions. CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was modified after CloudTrail delivered the log. Palo Alto Networks recommends that file validation be enabled on all CloudTrails. |
| 14d10ad2-51df-4b07-be69-e94951cc7067 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to FTP port (21) | Identifies security groups that expose FTP port (21) to the internet. Palo Alto Networks recommends not allowing global permissions to the FTP port (21) in a security group. |
| 2378dbf4-b104-4bda-9b05-7417affbba3f | AWS EC2 Instance Misconfiguration | AWS Default Security Group does not restrict all traffic | Identifies the default security group, which does not restrict all inbound and outbound traffic. A VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet and allows all outbound traffic. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic. |
| 2dbda57f-33d4-459a-97ae-dec7e81f9ec4 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic | Identifies security groups that allow all traffic from the internet. A security group acts as a virtual firewall that controls traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections. |
| 3b642d25-4534-487a-9399-c2622754ecb5 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to PostgreSQL port (5432) | Identifies security groups that expose PostgreSQL port (5432) to the internet. Palo Alto Networks recommends not allowing global permissions to the PostgreSQL port (5432) in a security group. |
| 519456f2-f9eb-407b-b32d-064f1ac7f0ca | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to Telnet port (23) | Identifies security groups that expose Telnet port (23) to the internet. Palo Alto Networks recommends not allowing global permissions to the Telnet port (23) in a security group. |
| 520308c5-57e3-4061-b9bf-1ce5325a2d61 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to CIFS port (445) | Identifies security groups that expose CIFS port (445) to the internet. Palo Alto Networks recommends not allowing global permissions to the CIFS port (445) in a security group. |
| 5599b97c-2965-4fd2-9370-927c368abd2d | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to NetBIOS port (137) | Identifies security groups that expose NetBIOS port (137) to the internet. Palo Alto Networks recommends not allowing global permissions to the NetBIOS port (137) in a security group. |
| 566686e8-0581-4df5-ae22-5a901ed37b58 | AWS EC2 Instance Misconfiguration | AWS Security Groups with inbound rule overly permissive to all traffic | Identifies security groups that allow inbound traffic on all protocols from the public internet. Allowing this traffic may enable a bad actor to brute force their way into the system and potentially obtain access to the entire network. |
| 65daa6a0-e040-434e-aca3-9d5765c96e7c | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to MYSQL port (3306) | Identifies security groups that expose MYSQL port (3306) to the internet. Palo Alto Networks recommends not allowing global permissions to the MYSQL port (3306) in a security group. |
| 6eaf6455-1659-4c4b-bff5-c8c7b0fda201 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to DNS port (53) | Identifies security groups that expose DNS port (53) to the internet. Palo Alto Networks recommends not allowing global permissions to the DNS port (53) in a security group. |
| 760f2823-997e-495f-a538-5fb073c0ee78 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SQLServer port (1433) | Identifies security groups that expose SQLServer port (1433) to the internet. Palo Alto Networks recommends not allowing global permissions to the SQLServer port (1433) in a security group. |
| 89cbc2f1-fcb0-48b9-be71-4cbe2d18a5f7 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to VNC Server port (5900) | Identifies security groups that expose VNC Server port (5900) to the internet. Palo Alto Networks recommends not allowing global permissions to the VNC Server port (5900) in a security group. |
| 8dd9e369-0c09-4477-97a2-ff0d50507fe2 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to VNC Listener port (5500) | Identifies security groups that expose VNC Listener port (5500) to the internet. Palo Alto Networks recommends not allowing global permissions to the VNC Listener port (5500) in a security group. |
| a9f1b983-f216-486e-b8ea-7259764fc420 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to NetBIOS port (138) | Identifies security groups that expose NetBIOS port (138) to the internet. Palo Alto Networks recommends not allowing global permissions to the NetBIOS port (138) in a security group. |
| ab7f8eda-18ab-457c-b5d3-fd4f53c722bc | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to MSQL port (4333) | Identifies security groups that expose MSQL port (4333) to the internet. Palo Alto Networks recommends not allowing global permissions to the MSQL port (4333) in a security group. |
| ab8b6bb8-a730-4bdf-a4d5-080c01e97335 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to Windows RPC port (135) | Identifies security groups that expose Windows RPC port (135) to the internet. Palo Alto Networks recommends not allowing global permissions to the Windows RPC port (135) in a security group. |
| b82f90ce-ed8b-4b49-970c-2268b0a6c2e5 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to RDP port (3389) | Identifies security groups that expose RDP port (3389) to the internet. Palo Alto Networks recommends not allowing inbound traffic on RDP port (3389) from the public internet. Allowing this traffic may enable a bad actor to brute force their way into the system and potentially obtain access to the entire network. |
| c2074d5a-aa28-4dde-90c1-82f528cec55e | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SMTP port (25) | Identifies security groups that expose SMTP port (25) to the internet. Palo Alto Networks recommends not allowing global permissions to the SMTP port (25) in a security group. |
| cdcd663c-e9c9-4472-9779-e5f38751524a | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to FTP-Data port (20) | Identifies security groups that expose FTP-Data port (20) to the internet. Palo Alto Networks recommends not allowing global permissions to the FTP-Data port (20) in a security group. |
| ee03a420-89d6-4745-a0ac-98878cb56cf4 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SQL Server port (1434) | Identifies security groups that expose SQL Server port (1434) to the internet. Palo Alto Networks recommends not allowing global permissions to the SQL Server port (1434) in a security group. |
| 168bfaa0-8c1d-427e-bfa8-4d96d82e3d83 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a minimum of 14 characters | Checks that the IAM password policy requires a minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| 31626ca9-f659-4d25-9d88-fa32262bbba7 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have an uppercase character | Checks that the IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| 9a5813af-17a3-4058-be13-588ea00b4bfa | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a number | Checks that the IAM password policy requires a number. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| a2107824-6ed5-4c67-9450-8b154bb1fd2b | AWS IAM Policy Misconfiguration | AWS IAM password policy allows password reuse | Identifies IAM policies which allow password reuse. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| a8dcc272-0b02-4534-8627-cf70ddd264c5 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have password expiration period | Checks that the IAM password policy has an expiration period. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| b1acdeff-4959-4c14-8a5e-2adc1016a3d5 | AWS IAM Policy Misconfiguration | AWS IAM Password policy is unsecure | Checks that the IAM password policy is in place for cloud accounts. As a security best practice, customers should have strong password policies in place. |
| ef7c537b-72eb-42a7-bab7-cb2d22c76a0d | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a lowercase character | Checks that the IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| f53107a2-00b2-46fb-98a9-1f12262c7d44 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not expire in 90 days | Identifies IAM policies that do not have password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| fd4dae57-509e-4374-96d3-e136821fc3f3 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a symbol | Checks that the IAM password policy requires a symbol. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
| be55c11a-981a-4f34-a2e7-81ce40d71aa5 | Azure AKS Misconfiguration | Azure AKS cluster monitoring not enabled | Azure Monitor for containers is a feature designed to monitor the performance of container workloads deployed to either Azure Container Instances or managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). Monitoring your containers is critical, especially when running a production cluster, at scale, with multiple applications. |
| 0429670c-5d2d-4d0f-ab33-59eb5e000305 | Azure AKS Misconfiguration | Azure AKS cluster HTTP application routing enabled | HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use. |
| 3beed53c-3f2d-47b6-bb6f-95da39ff0f26 | Azure Network Misconfiguration | Azure Network Security Group (NSG) allows SSH traffic from the internet on port 22 | Blocking SSH port 22 protects users from attacks such as account compromise. |
| a36a7170-d628-47fe-aab2-0e734702373d | Azure Network Misconfiguration | Azure Network Security Group (NSG) allows traffic from the internet on port 3389 | Blocking RDP port 3389 protects users from attacks such as account compromise, denial of service and ransomware. |
| 0c620876-4549-46c4-a5b3-16e86e3cefe7 | Azure Network Misconfiguration | Azure Network Security Group allows DNS (TCP Port 53) | Detects any NSG rule that allows DNS traffic on TCP port 53 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict DNS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 472e08a2-c741-43eb-a3ca-e2f5cd275cf7 | Azure Network Misconfiguration | Azure Network Security Group allows FTP (TCP Port 21) | Detects any NSG rule that allows FTP traffic on TCP port 21 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict FTP solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| f48eda6b-5d66-4d73-a62e-671de3844555 | Azure Network Misconfiguration | Azure Network Security Group allows FTP-Data (TCP Port 20) | Detects any NSG rule that allows FTP-Data traffic on TCP port 20 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict FTP-Data solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 5826e50f-2f29-4444-9cad-3bb4e66ee3ca | Azure Network Misconfiguration | Azure Network Security Group allows MSQL (TCP Port 4333) | Detects any NSG rule that allows MSQL traffic on TCP port 4333 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict MSQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 5dbd0da1-cfa4-4bce-a753-56dade428bd4 | Azure Network Misconfiguration | Azure Network Security Group allows MySQL (TCP Port 3306) | Detects any NSG rule that allows MySQL traffic on TCP port 3306 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict MySQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 4afdc071-53ca-4516-8a3c-d5c91345c409 | Azure Network Misconfiguration | Azure Network Security Group allows Windows RPC (TCP Port 135) | Detects any NSG rule that allows Windows RPC traffic on TCP port 135 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Windows RPC solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 500e9f2a-1063-4066-8eea-780efa90a0d7 | Azure Network Misconfiguration | Azure Network Security Group allows Windows SMB (TCP Port 445) | Detects any NSG rule that allows Windows SMB traffic on TCP port 445 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Windows SMB solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| a0791206-a669-4948-a845-cc735212013c | Azure Network Misconfiguration | Azure Network Security Group allows PostgreSQL (TCP Port 5432) | Detects any NSG rule that allows PostgreSQL traffic on TCP port 5432 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict PostgreSQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| ac851899-1007-48c8-842f-dddb9a38c4ba | Azure Network Misconfiguration | Azure Network Security Group allows SMTP (TCP Port 25) | Detects any NSG rule that allows SMTP traffic on TCP port 25 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SMTP solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 3aa12e75-d78b-4157-9eca-6049187a30d7 | Azure Network Misconfiguration | Azure Network Security Group allows SQL Server (TCP Port 1433) | Detects any NSG rule that allows SQL Server traffic on TCP port 1433 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SQL Server solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 936dd3cb-a9cc-4a13-9a2c-ea5d40856072 | Azure Network Misconfiguration | Azure Network Security Group allows Telnet (TCP Port 23) | Detects any NSG rule that allows Telnet traffic on TCP port 23 from the internet. Telnet provides a plain text connection to manage devices using the command line, and is less secure than SSH. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Telnet solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 91a53c5d-d629-45bb-9610-fbd2cb4c6f3c | Azure Network Misconfiguration | Azure Network Security Group allows VNC Listener (TCP Port 5500) | Detects any NSG rule that allows VNC Listener traffic on TCP port 5500 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict VNC Listener solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 840b4b1c-a50b-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on any protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on any protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic to only known sources, allowing only authorized protocols and ports. |
| 0a3f1d49-4c05-47c4-98e2-3a42b822d05b | Azure Network Misconfiguration | Azure Network Security Group allows ICMP (Ping) | Detects any NSG rule that allows ICMP (Ping) traffic from the internet. ICMP is used by devices to communicate error messages and statuses. While ICMP is useful for diagnostics and troubleshooting, it can also be used to exploit or disrupt systems. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict ICMP (Ping) solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| bc7929f8-fe70-48ec-8690-4288aa0b98ae | Azure Network Misconfiguration | Azure Network Security Group allows CIFS (UDP Port 445) | Detects any NSG rule that allows CIFS traffic on UDP port 445 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict CIFS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 18e1dd76-9d0f-4cdb-96d4-9d01b5cd68dc | Azure Network Misconfiguration | Azure Network Security Group allows NetBIOS (UDP Port 137) | Detects any NSG rule that allows NetBIOS traffic on UDP port 137 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict NetBIOS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 3784cdfd-dd25-4cf3-b506-ad77033ccc35 | Azure Network Misconfiguration | Azure Network Security Group allows NetBIOS (UDP Port 138) | Detects any NSG rule that allows NetBIOS traffic on UDP port 138 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict NetBIOS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 0546188d-6f21-449d-948e-677c285a5fcf | Azure Network Misconfiguration | Azure Network Security Group allows SQL Server (UDP Port 1434) | Detects any NSG rule that allows SQL Server traffic on UDP port 1434 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SQL Server solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| 709b47cd-6b7a-4500-b99e-a58529a6c79e | Azure Network Misconfiguration | Azure Network Security Group allows DNS (UDP Port 53) | Detects any NSG rule that allows DNS traffic on UDP port 53 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict DNS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
| d979e854-a50d-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on UDP protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on UDP protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic only to known sources, allowing only authorized protocols and ports. |
| 543c6a0a-a50c-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on TCP protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on TCP protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic only to known sources, allowing only authorized protocols and ports. |
| 96b1b8e3-6936-434f-94ab-a154cd5967d9 | Azure SQL Misconfiguration | Auditing for SQL database should be set to On | Identifies SQL Databases that have auditing set to Off. Database events are tracked by the auditing feature and events are written to an audit log in your Azure storage account. This process helps you monitor database activity and get insight into anomalies that could indicate business concerns or suspected security violations. |
| fa6fa903-8887-49dd-917f-91687df98dd1 | Azure SQL Misconfiguration | Azure SQL Database with Auditing Retention less than 90 days | Identifies SQL Databases that have Auditing Retention set for less than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access. Palo Alto Networks recommends configuring SQL database Audit Retention to be greater than or equal to 90 days. |
| 8f7eee48-dffb-4f18-9207-8ea48680b0e2 | Azure SQL Misconfiguration | Threat Detection on SQL databases is set to Off | Identifies SQL Databases that have Threat Detection set to Off. SQL Threat Detection provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and provide recommendations for how to investigate and mitigate threats. |
| c83a7b1d-ac74-475b-80fe-b1244daa1b27 | Azure SQL Misconfiguration | Azure SQL Database with Threat Retention less than or equal to 90 days | Identifies SQL Databases that have Threat Retention less than or equal to 90 days. Threat Logs can be used to check for anomalies and give an understanding of suspected breaches or misuse of data and access. Palo Alto Networks recommends configuring SQL database Threat Retention to be greater than 90 days. |
| 7a506ab4-d0a2-48ee-a6f5-75a97f11397d | Azure Storage Misconfiguration | Azure storage accounts have blob container(s) with public access | 'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you grant read-only access to these resources without sharing your account key, and without requiring a shared access signature. This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('CONTAINER' or 'BLOB'). As a best practice, do not allow anonymous/public access to blob containers. Instead, consider using a shared access signature token to provide controlled and time-limited access to blob containers. |
| bc4e467f-10fa-471e-aa9b-28981dc73e93 | Azure Storage Misconfiguration | Storage Accounts without secure transfer enabled | The secure transfer option enhances the security of your storage account by allowing requests to the storage account only via a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When you use the Azure files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some versions of the Linux SMB client. Since Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name. |
| 10bc76ee-6f29-4c04-98bb-b9f8bafb0964 | GCP Compute Engine Misconfiguration | VM instances without any custom metadata information | Identifies VM instances without any custom metadata. Custom metadata is used for easy identification and searches. |
| 72b422c8-bef1-4842-a6c6-7230bf0b3492 | GCP Compute Engine Misconfiguration | GCP VM instances have block project-wide SSH keys feature disabled | Identifies VM instances that have the block project-wide SSH keys feature disabled. Project-wide SSH keys are stored in Compute/Project-metadata. Project-wide SSH keys can be used to log in to all the instances within a project. Using project-wide SSH keys eases SSH key management but, if compromised, poses a security risk which can impact all instances within a project. Palo Alto Networks recommends using instance-specific SSH keys that limit the attack surface if the SSH keys are compromised. |
| 6e125379-081e-4b06-a7ba-f04da2f0901a | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled | Identifies Kubernetes Engine Clusters that have Basic authentication enabled. Basic authentication allows a user to authenticate to the cluster with a username and password. Disabling Basic authentication prevents attacks such as brute force. Instead, authenticate using client certificate or IAM. |
f57baa2a-6039-4a17-94e8-0be723bcdc75GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have Legacy Authorization enabledIdentifies GCP Kubernetes Engine Clusters that have legacy authorizer enabled. The legacy authorizer in Kubernetes Engine grants broad and statically defined permissions to all cluster users. After legacy authorizer setting is disabled, RBAC can limit permissions for authorized users based on need.
e1b70bb4-bb77-4326-93d5-5dd9c5170d3fGCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have Master authorized networks disabledIdentifies Kubernetes Engine Clusters that have Master authorized networks disabled. Master authorized networks enables the Kubernetes Engine to block untrusted non-GCP source IPs from accessing the Kubernetes master through HTTPS.
6ddbfdfe-3936-43d0-8157-97a7899beae6GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have Network policy disabledIdentifies Kubernetes Engine Clusters that have network policy disabled. A network policy defines how groups of pods are allowed to communicate with each other and with other network endpoints. When network policy is enabled in a namespace for a pod, it rejects any connections that are not allowed by the network policy.
53793c32-dd41-430f-bbea-2f002ddafe42GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have Stackdriver Logging disabledIdentifies Kubernetes Engine Clusters that have disabled Stackdriver Logging. Stackdriver Logging enables the Kubernetes Engine to collect, process, and store container and system logs in a dedicated persistent data store.
ca4b4654-d36a-4b17-a055-9c5063fa2f41GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have Stackdriver Monitoring disabledIdentifies Kubernetes Engine Clusters that have Stackdriver Monitoring disabled. Stackdriver Monitoring enables the Kubernetes Engine to monitor signals and build operations in the clusters.
fe81b03a-c602-4b16-8ae9-973724c1adaeGCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters web UI/Dashboard is set to EnabledIdentifies Kubernetes Engine Clusters that have Kubernetes web UI/Dashboard enabled. Since all of the data is being transmitted over HTTP protocol, disabling Kubernetes web UI/Dashboard protects the data from sniffers on the same network.
a3688f2e-eb5b-4b8d-b26f-90d40f08fd84GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have HTTP load balancing disabledIdentifies GCP Kubernetes Engine Clusters that have HTTP load balancing disabled. HTTP/HTTPS load balancing provides global load balancing for HTTP/HTTPS requests destined for your instances. Enabling HTTP/HTTPS load balancers will enable the Kubernetes Engine to terminate unauthorized HTTP/HTTPS requests and make better context-aware load balancing decisions.
50d5ec3b-1710-4ff7-bb09-061c30deef96GCP Kubernetes Engine MisconfigurationGCP Kubernetes Engine Clusters have binary authorization disabledIdentifies Google Kubernetes Engine (GKE) clusters that have binary authorization disabled. Binary authorization is a security control that ensures only trusted container images are deployed on GKE clusters. As a best practice, verify images prior to deployment to reduce the risk of running unintended or malicious code in your environment.
bee0893d-85fb-403f-9ba7-a5269a46d382GCP Kubernetes Engine MisconfigurationGCP Kubernetes cluster intranode visibility disabledChecks your cluster's intranode visibility feature and generates an alert if it's disabled. With intranode visibility, all network traffic in your cluster is seen by the Google Cloud Platform network, and you can see flow logs for all traffic between Pods, including traffic between Pods on the same node. You can create firewall rules that apply to all traffic between Pods.