Prisma Cloud
Automate and unify security incident response across your cloud environments while providing control to dedicated cloud teams.
Cloud adoption has expanded the threat surface and created disparate ecosystems that hamper visibility into security vulnerabilities across the network.
In addition, multiple teams often manage cloud provisioning, making it difficult for security teams to monitor.
This pack includes playbooks that automate Prisma Cloud alert response and also includes custom incident fields, views, and layouts to facilitate analyst investigation.
The remediation playbooks orchestrate across multiple native cloud integrations (AWS, GCP, Azure) to automate actions such as changing policies, revoking access, and creating new rules.
With this content pack, you can significantly reduce the time your Security Analysts/Cloud Operations team spends on Cloud Security alerts and standardize the way you manage misconfiguration incidents.
## What does this pack do?

The playbooks included in this pack help automate the remediation of alerts generated from the Prisma Cloud platform.
- Take action on, remediate, and resolve incidents/alerts from Prisma Cloud.
- Track configuration issues across all your Cloud environments.
- Ensure your Cloud environments are compliant and up to date with the latest compliance standards.
- Configure your Cloud environments using industry best practices.
As part of this pack, you also get out-of-the-box Prisma Cloud incident views, segregated alert layouts, and playbooks. All of these are easily customizable to suit the needs of your organization.
## In this Pack

### Automations

- PrismaCloudAttribution - Recursively extracts specified fields from a provided list of assets for the Prisma Cloud attribution use case.
### Integrations

The pack contains the Prisma Cloud (RedLock) integration. Read more about the integration in the Prisma Cloud (RedLock) article.
### Classifiers & Mappers

- Prisma Cloud - Classifier - Classifies incoming Prisma Cloud events that are created through the 'fetch incidents' command in the Prisma Cloud integration.
- Prisma Cloud - Incoming Mapper - Maps incoming Prisma Cloud event fields that are created through the 'fetch incidents' command in the Prisma Cloud integration.
- Prisma Cloud App - Classifier - Classifies incoming Prisma Cloud events that are pushed into Cortex XSOAR through the Prisma Cloud App add-on (that is, incidents pushed to Cortex XSOAR by the Prisma Cloud add-on rather than fetched by the 'fetch incidents' command).
- Prisma Cloud App - Incoming Mapper - Maps incoming Prisma Cloud event fields that are pushed into Cortex XSOAR through the Prisma Cloud App add-on (that is, incidents pushed to Cortex XSOAR by the Prisma Cloud add-on rather than fetched by the 'fetch incidents' command).
### Playbooks

The pack contains many playbooks, including major playbooks associated with the incident types in the pack, and also sub-playbooks that perform remediation on specific Prisma Cloud policy violations.
Some of the remediation playbooks in the Prisma Cloud pack that contain remediation policies for the major cloud providers:

#### AWS

#### Azure

#### GCP

- GCP Kubernetes Engine Misconfiguration
## Incident types

- Prisma Cloud - All alerts that are fetched from the Prisma Cloud integration are classified and mapped into this generic incident type, unless a specific incident type for this alert is supported.
- AWS CloudTrail Misconfiguration
- AWS EC2 Instance Misconfiguration
- AWS IAM Policy Misconfiguration
- Azure AKS Misconfiguration
- Azure Network Misconfiguration
- Azure SQL Misconfiguration
- Azure Storage Misconfiguration
- GCP Compute Engine Misconfiguration
- GCP Kubernetes Engine Misconfiguration
## Layouts

After an incident is fetched from the Prisma Cloud integration, it is automatically classified into one of the incident types in the pack.
The incident types all have a similar layout containing all relevant data from the Prisma Cloud alert. The incident layout enables the analyst to view the incident's workflow and take action.
The Prisma Cloud incident layout contains the following tabs:
- Case Info tab - Provides basic information for the Prisma Cloud alert:
- Investigation tab - Provides a more detailed view of the incident, including the violated policy information, the violating resource details, specific alert rules that triggered the incident, and a list of remediation actions recommended by the Prisma Cloud team for handling the policy violation.
## Pack Workflow and Configuration

Once you configure the Prisma Cloud integration to fetch incidents, all incidents that are created in Cortex XSOAR are classified and mapped into the Prisma Cloud generic incident type, unless a specific incident type for this alert is already supported.
This incident type shows all of the generic alert information from Prisma Cloud, but does not trigger any playbook.
For all other supported incident types, the incident triggers the parent playbook that is assigned with this incident type.
The analyst decides whether to use the automatic remediation path in the playbook, or to handle the policy violation manually using the recommendations given in the layout.
Each incident type and assigned playbook can remediate several policy violations that are relevant for the use case, based on the policy ID mapped from the incident.
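The two mechanics described in this README, routing an alert to an incident type by its policy ID (falling back to the generic "Prisma Cloud" type, which triggers no playbook) and the recursive field extraction that the PrismaCloudAttribution automation performs over asset data, can be shown together in one script. The code below is an added example written for this page; it is not the pack's classifier, mapper or automation. The alert shape, the `triage` and `extract_fields` function names and the sample alerts are assumptions; the policy IDs and incident type names in the lookup table are taken from the table in the "Before You Start" section.

```python
"""Added example (not the pack's own code): classify constructed Prisma Cloud
alerts by policy ID and pull attribution fields out of nested asset data."""
from typing import Any, Iterable

# Subset of the policy-ID -> incident-type mapping. The IDs and type names
# come from this README's policy table; the table is not exhaustive here.
POLICY_TO_INCIDENT_TYPE = {
    "05befc8b-c78a-45e9-98dc-c7fbaef580e7": "AWS CloudTrail Misconfiguration",
    "b82f90ce-ed8b-4b49-970c-2268b0a6c2e5": "AWS EC2 Instance Misconfiguration",
    "168bfaa0-8c1d-427e-bfa8-4d96d82e3d83": "AWS IAM Policy Misconfiguration",
    "3beed53c-3f2d-47b6-bb6f-95da39ff0f26": "Azure Network Misconfiguration",
    "7a506ab4-d0a2-48ee-a6f5-75a97f11397d": "Azure Storage Misconfiguration",
    "72b422c8-bef1-4842-a6c6-7230bf0b3492": "GCP Compute Engine Misconfiguration",
}
# The generic incident type: receives every alert without a supported policy ID
# and, as the README states, triggers no playbook.
GENERIC_INCIDENT_TYPE = "Prisma Cloud"


def classify_alert(alert: dict) -> str:
    """Return the incident type for one alert.

    The specific type is used when the policy ID is supported; anything else
    (including a missing policy block) lands in the generic type. IDs are
    compared case-insensitively so an upper-cased GUID still matches.
    """
    policy_id = (alert.get("policy") or {}).get("policyId", "")
    return POLICY_TO_INCIDENT_TYPE.get(policy_id.lower(), GENERIC_INCIDENT_TYPE)


def extract_fields(data: Any, wanted: Iterable[str]) -> dict[str, list]:
    """Recursively walk nested dicts/lists and collect every value stored under
    a wanted key, however deep it sits (hypothetical stand-in for the
    recursive extraction the attribution automation performs)."""
    wanted = set(wanted)
    found: dict[str, list] = {key: [] for key in wanted}

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key in wanted:
                    found[key].append(value)
                walk(value)  # keep descending: the value may itself nest more
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return found


def triage(alerts: list[dict],
           attribution_fields: Iterable[str] = ("accountId", "resourceId", "region")) -> list[dict]:
    """Build one triage record per alert: incident type, whether a parent
    playbook would run, and de-duplicated attribution values."""
    fields = tuple(attribution_fields)
    results = []
    for alert in alerts:
        incident_type = classify_alert(alert)
        attribution = extract_fields(alert.get("resource", {}), fields)
        results.append({
            "alertId": alert.get("id"),
            "incidentType": incident_type,
            "triggersPlaybook": incident_type != GENERIC_INCIDENT_TYPE,
            "attribution": {k: sorted(set(map(str, v))) for k, v in attribution.items()},
        })
    return results


# Constructed sample alerts (shape loosely modelled on a Prisma Cloud alert
# record; account IDs, resource names and the unknown policy ID are made up).
SAMPLE_ALERTS = [
    {"id": "P-1001",
     "policy": {"policyId": "B82F90CE-ED8B-4B49-970C-2268B0A6C2E5",
                "name": "AWS Security Groups allow internet traffic from the internet to RDP port (3389)"},
     "resource": {"accountId": "123456789012", "region": "us-east-1", "resourceId": "sg-0abc",
                  "data": {"GroupId": "sg-0abc",
                           "IpPermissions": [{"FromPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}},
    {"id": "P-1002",
     "policy": {"policyId": "00000000-0000-0000-0000-000000000000"},  # not supported by the pack
     "resource": {"accountId": "123456789012", "resourceId": "unknown-res"}},
    {"id": "P-1003",
     "policy": {"policyId": "72b422c8-bef1-4842-a6c6-7230bf0b3492"},
     "resource": {"accountId": "my-gcp-project", "resourceId": "vm-1",
                  "data": {"items": [{"resourceId": "vm-1"}, {"resourceId": "vm-2"}]}}},
]

if __name__ == "__main__":
    for record in triage(SAMPLE_ALERTS):
        print(record)
```

The third sample shows why the extraction has to be recursive: `resourceId` appears at the top of the resource block and again inside a nested list, and the attribution output merges both occurrences into one de-duplicated list. The second sample shows the fallback path: an unsupported policy ID lands in the generic type and is flagged as triggering no playbook, which is the case the analyst must pick up manually.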
## Before You Start

As part of the Prisma Cloud pack, we have created out-of-the-box classification and mapping to create incidents for all of the Prisma Cloud policies that are supported and remediated through this pack.
The classification and remediation policies are:
Policy ID | Incident Type | Policy Name | Description |
---|---|---|---|
All | Prisma Cloud | - | The generic incident type for this pack. All incidents that are created through the Prisma Cloud integration and don't have a specific supported incident type yet, are classified and mapped to this incident type. |
05befc8b-c78a-45e9-98dc-c7fbaef580e7 | AWS CloudTrail Misconfiguration | CloudTrail is not enabled on the account | Checks that CloudTrail is enabled on the account. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail to have a complete audit trail of activities across various services. |
0d07ac51-fbfe-44fe-8edb-3314c9995ee0 | AWS CloudTrail Misconfiguration | CloudTrail trail is not integrated with CloudWatch Log | Enabling the CloudTrail trail logs integrated with CloudWatch Logs enables real-time as well as historic activity logging. This improves monitoring and alarm capability. |
36a5345a-230d-438e-a04c-a287a513e3dc | AWS CloudTrail Misconfiguration | AWS CloudTrail is not enabled in all regions | Checks that CloudTrail is enabled across all regions. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to have a complete audit trail of activities across various services. |
38e3d3cf-b694-46ec-8bd2-8f02194b5040 | AWS CloudTrail Misconfiguration | AWS CloudTrail log validation is not enabled in all regions | Identifies AWS CloudTrails in which log validation is not enabled in all regions. CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was modified after CloudTrail delivered the log. Palo Alto Networks recommends that file validation be enabled on all CloudTrails. |
14d10ad2-51df-4b07-be69-e94951cc7067 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to FTP port (21) | Identifies security groups that expose FTP port (21) to the internet. Palo Alto Networks recommends not allowing global permissions to the FTP port (21) in a security group. |
2378dbf4-b104-4bda-9b05-7417affbba3f | AWS EC2 Instance Misconfiguration | AWS Default Security Group does not restrict all traffic | Identifies the default security group, which does not restrict all inbound and outbound traffic. A VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet and allows all outbound traffic. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic. |
2dbda57f-33d4-459a-97ae-dec7e81f9ec4 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic | Identifies security groups that allow all traffic from the internet. A security group acts as a virtual firewall that controls traffic for one or more instances. Security groups should have restrictive ACLs to only allow incoming traffic from specific IPs to specific ports where the application is listening for connections. |
3b642d25-4534-487a-9399-c2622754ecb5 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to PostgreSQL port (5432) | Identifies security groups that expose PostgreSQL port (5432) to the internet. Palo Alto Networks recommends not allowing global permissions to the PostgreSQL port (5432) in a security group. |
519456f2-f9eb-407b-b32d-064f1ac7f0ca | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to Telnet port (23) | Identifies security groups that expose Telnet port (23) to the internet. Palo Alto Networks recommends not allowing global permissions to the Telnet port (23) in a security group. |
520308c5-57e3-4061-b9bf-1ce5325a2d61 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to CIFS port (445) | Identifies security groups that expose CIFS port (445) to the internet. Palo Alto Networks recommends not allowing global permissions to the CIFS port (445) in a security group. |
5599b97c-2965-4fd2-9370-927c368abd2d | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to NetBIOS port (137) | Identifies security groups that expose NetBIOS port (137) to the internet. Palo Alto Networks recommends not allowing global permissions to the NetBIOS port (137) in a security group. |
566686e8-0581-4df5-ae22-5a901ed37b58 | AWS EC2 Instance Misconfiguration | AWS Security Groups with inbound rule overly permissive to all traffic | Identifies security groups that allow inbound traffic on all protocols from the public internet. Allowing this traffic may enable a bad actor to brute force their way into the system and potentially obtain access to the entire network. |
65daa6a0-e040-434e-aca3-9d5765c96e7c | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to MYSQL port (3306) | Identifies security groups that expose MYSQL port (3306) to the internet. Palo Alto Networks recommends not allowing global permissions to the MYSQL port (3306) in a security group. |
6eaf6455-1659-4c4b-bff5-c8c7b0fda201 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to DNS port (53) | Identifies security groups that expose DNS port (53) to the internet. Palo Alto Networks recommends not allowing global permissions to the DNS port (53) in a security group. |
760f2823-997e-495f-a538-5fb073c0ee78 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SQLServer port (1433) | Identifies security groups that expose SQLServer port (1433) to the internet. Palo Alto Networks recommends not allowing global permissions to the SQLServer port (1433) in a security group. |
89cbc2f1-fcb0-48b9-be71-4cbe2d18a5f7 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to VNC Server port (5900) | Identifies security groups that expose VNC Server port (5900) to the internet. Palo Alto Networks recommends not allowing global permissions to the VNC Server port (5900) in a security group. |
8dd9e369-0c09-4477-97a2-ff0d50507fe2 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to VNC Listener port (5500) | Identifies security groups that expose VNC Listener port (5500) to the internet. Palo Alto Networks recommends not allowing global permissions to the VNC Listener port (5500) in a security group. |
a9f1b983-f216-486e-b8ea-7259764fc420 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to NetBIOS port (138) | Identifies security groups that expose NetBIOS port (138) to the internet. Palo Alto Networks recommends not allowing global permissions to the NetBIOS port (138) in a security group. |
ab7f8eda-18ab-457c-b5d3-fd4f53c722bc | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to MSQL port (4333) | Identifies security groups that expose MSQL port (4333) to the internet. Palo Alto Networks recommends not allowing global permissions to the MSQL port (4333) in a security group. |
ab8b6bb8-a730-4bdf-a4d5-080c01e97335 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to Windows RPC port (135) | Identifies security groups that expose Windows RPC port (135) to the internet. Palo Alto Networks recommends not allowing global permissions to the Windows RPC port (135) in a security group. |
b82f90ce-ed8b-4b49-970c-2268b0a6c2e5 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to RDP port (3389) | Identifies security groups that expose RDP port (3389) to the internet. Palo Alto Networks recommends not allowing inbound traffic on RDP port (3389) from the public internet. Allowing this traffic may enable a bad actor to brute force their way into the system and potentially obtain access to the entire network. |
c2074d5a-aa28-4dde-90c1-82f528cec55e | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SMTP port (25) | Identifies security groups that expose SMTP port (25) to the internet. Palo Alto Networks recommends not allowing global permissions to the SMTP port (25) in a security group. |
cdcd663c-e9c9-4472-9779-e5f38751524a | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to FTP-Data port (20) | Identifies security groups that expose FTP-Data port (20) to the internet. Palo Alto Networks recommends not allowing global permissions to the FTP-Data port (20) in a security group. |
ee03a420-89d6-4745-a0ac-98878cb56cf4 | AWS EC2 Instance Misconfiguration | AWS Security Groups allow internet traffic from the internet to SQL Server port (1434) | Identifies security groups that expose SQL Server port (1434) to the internet. Palo Alto Networks recommends not allowing global permissions to the SQL Server port (1434) in a security group. |
168bfaa0-8c1d-427e-bfa8-4d96d82e3d83 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a minimum of 14 characters | Checks that the IAM password policy requires a minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
31626ca9-f659-4d25-9d88-fa32262bbba7 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have an uppercase character | Checks that the IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
9a5813af-17a3-4058-be13-588ea00b4bfa | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a number | Checks that the IAM password policy requires a number. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
a2107824-6ed5-4c67-9450-8b154bb1fd2b | AWS IAM Policy Misconfiguration | AWS IAM password policy allows password reuse | Identifies IAM policies which allow password reuse. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
a8dcc272-0b02-4534-8627-cf70ddd264c5 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have password expiration period | Checks that the IAM password policy has an expiration period. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
b1acdeff-4959-4c14-8a5e-2adc1016a3d5 | AWS IAM Policy Misconfiguration | AWS IAM Password policy is unsecure | Checks that the IAM password policy is in place for cloud accounts. As a security best practice, customers should have strong password policies in place. |
ef7c537b-72eb-42a7-bab7-cb2d22c76a0d | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a lowercase character | Checks that the IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
f53107a2-00b2-46fb-98a9-1f12262c7d44 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not expire in 90 days | Identifies IAM policies that do not have password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
fd4dae57-509e-4374-96d3-e136821fc3f3 | AWS IAM Policy Misconfiguration | AWS IAM password policy does not have a symbol | Checks that the IAM password policy requires a symbol. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers should have strong password policies in place. |
be55c11a-981a-4f34-a2e7-81ce40d71aa5 | Azure AKS Misconfiguration | Azure AKS cluster monitoring not enabled | Azure Monitor for containers is a feature designed to monitor the performance of container workloads deployed to either Azure Container Instances or managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). Monitoring your containers is critical, especially when running a production cluster, at scale, with multiple applications. |
0429670c-5d2d-4d0f-ab33-59eb5e000305 | Azure AKS Misconfiguration | Azure AKS cluster HTTP application routing enabled | HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use. |
3beed53c-3f2d-47b6-bb6f-95da39ff0f26 | Azure Network Misconfiguration | Azure Network Security Group (NSG) allows SSH traffic from the internet on port 22 | Blocking SSH port 22 protects users from attacks such as account compromise. |
a36a7170-d628-47fe-aab2-0e734702373d | Azure Network Misconfiguration | Azure Network Security Group (NSG) allows traffic from the internet on port 3389 | Blocking RDP port 3389 protects users from attacks such as account compromise, denial of service and ransomware. |
0c620876-4549-46c4-a5b3-16e86e3cefe7 | Azure Network Misconfiguration | Azure Network Security Group allows DNS (TCP Port 53) | Detects any NSG rule that allows DNS traffic on TCP port 53 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict DNS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
472e08a2-c741-43eb-a3ca-e2f5cd275cf7 | Azure Network Misconfiguration | Azure Network Security Group allows FTP (TCP Port 21) | Detects any NSG rule that allows FTP traffic on TCP port 21 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict FTP solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
f48eda6b-5d66-4d73-a62e-671de3844555 | Azure Network Misconfiguration | Azure Network Security Group allows FTP-Data (TCP Port 20) | Detects any NSG rule that allows FTP-Data traffic on TCP port 20 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict FTP-Data solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
5826e50f-2f29-4444-9cad-3bb4e66ee3ca | Azure Network Misconfiguration | Azure Network Security Group allows MSQL (TCP Port 4333) | Detects any NSG rule that allows MSQL traffic on TCP port 4333 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict MSQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
5dbd0da1-cfa4-4bce-a753-56dade428bd4 | Azure Network Misconfiguration | Azure Network Security Group allows MySQL (TCP Port 3306) | Detects any NSG rule that allows MySQL traffic on TCP port 3306 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict MySQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
4afdc071-53ca-4516-8a3c-d5c91345c409 | Azure Network Misconfiguration | Azure Network Security Group allows Windows RPC (TCP Port 135) | Detects any NSG rule that allows Windows RPC traffic on TCP port 135 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Windows RPC solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
500e9f2a-1063-4066-8eea-780efa90a0d7 | Azure Network Misconfiguration | Azure Network Security Group allows Windows SMB (TCP Port 445) | Detects any NSG rule that allows Windows SMB traffic on TCP port 445 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Windows SMB solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
a0791206-a669-4948-a845-cc735212013c | Azure Network Misconfiguration | Azure Network Security Group allows PostgreSQL (TCP Port 5432) | Detects any NSG rule that allows PostgreSQL traffic on TCP port 5432 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict PostgreSQL solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
ac851899-1007-48c8-842f-dddb9a38c4ba | Azure Network Misconfiguration | Azure Network Security Group allows SMTP (TCP Port 25) | Detects any NSG rule that allows SMTP traffic on TCP port 25 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SMTP solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
3aa12e75-d78b-4157-9eca-6049187a30d7 | Azure Network Misconfiguration | Azure Network Security Group allows SQL Server (TCP Port 1433) | Detects any NSG rule that allows SQL Server traffic on TCP port 1433 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SQL Server solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
936dd3cb-a9cc-4a13-9a2c-ea5d40856072 | Azure Network Misconfiguration | Azure Network Security Group allows Telnet (TCP Port 23) | Detects any NSG rule that allows Telnet traffic on TCP port 23 from the internet. Telnet provides a plain text connection to manage devices using the command line, and is less secure than SSH. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict Telnet solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
91a53c5d-d629-45bb-9610-fbd2cb4c6f3c | Azure Network Misconfiguration | Azure Network Security Group allows VNC Listener (TCP Port 5500) | Detects any NSG rule that allows VNC Listener traffic on TCP port 5500 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict VNC Listener solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
840b4b1c-a50b-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on any protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on any protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic to only known sources, allowing only authorized protocols and ports. |
0a3f1d49-4c05-47c4-98e2-3a42b822d05b | Azure Network Misconfiguration | Azure Network Security Group allows ICMP (Ping) | Detects any NSG rule that allows ICMP (Ping) traffic from the internet. ICMP is used by devices to communicate error messages and statuses. While ICMP is useful for diagnostics and troubleshooting, it can also be used to exploit or disrupt systems. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict ICMP (Ping) solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
bc7929f8-fe70-48ec-8690-4288aa0b98ae | Azure Network Misconfiguration | Azure Network Security Group allows CIFS (UDP Port 445) | Detects any NSG rule that allows CIFS traffic on UDP port 445 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict CIFS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
18e1dd76-9d0f-4cdb-96d4-9d01b5cd68dc | Azure Network Misconfiguration | Azure Network Security Group allows NetBIOS (UDP Port 137) | Detects any NSG rule that allows NetBIOS traffic on UDP port 137 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict NetBIOS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
3784cdfd-dd25-4cf3-b506-ad77033ccc35 | Azure Network Misconfiguration | Azure Network Security Group allows NetBIOS (UDP Port 138) | Detects any NSG rule that allows NetBIOS traffic on UDP port 138 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict NetBIOS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
0546188d-6f21-449d-948e-677c285a5fcf | Azure Network Misconfiguration | Azure Network Security Group allows SQL Server (UDP Port 1434) | Detects any NSG rule that allows SQL Server traffic on UDP port 1434 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict SQL Server solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
709b47cd-6b7a-4500-b99e-a58529a6c79e | Azure Network Misconfiguration | Azure Network Security Group allows DNS (UDP Port 53) | Detects any NSG rule that allows DNS traffic on UDP port 53 from the internet. Review your list of NSG rules to ensure that your resources are not exposed. As a best practice, restrict DNS solely to known static IP addresses. Limit the access list to include only known hosts, services, or specific employees. |
d979e854-a50d-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on UDP protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on UDP protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic only to known sources, allowing only authorized protocols and ports. |
543c6a0a-a50c-11e8-98d0-529269fb1459 | Azure Network Misconfiguration | Azure Network Security Group (NSG) with inbound rule overly permissive to all traffic from the internet on TCP protocol | Identifies Azure Network Security Groups (NSGs) that are overly permissive to all traffic from the internet on TCP protocol. A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. As a best practice, Palo Alto Networks recommends configuring NSGs to restrict traffic only to known sources, allowing only authorized protocols and ports. |
96b1b8e3-6936-434f-94ab-a154cd5967d9 | Azure SQL Misconfiguration | Auditing for SQL database should be set to On | Identifies SQL Databases that have auditing set to Off. Database events are tracked by the auditing feature and events are written to an audit log in your Azure storage account. This process helps you monitor database activity and get insight into anomalies that could indicate business concerns or suspected security violations. |
fa6fa903-8887-49dd-917f-91687df98dd1 | Azure SQL Misconfiguration | Azure SQL Database with Auditing Retention less than 90 days | Identifies SQL Databases that have Auditing Retention set for less than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access. Palo Alto Networks recommends configuring SQL database Audit Retention to be greater than or equal to 90 days. |
8f7eee48-dffb-4f18-9207-8ea48680b0e2 | Azure SQL Misconfiguration | Threat Detection on SQL databases is set to Off | Identifies SQL Databases that have Threat Detection set to Off. SQL Threat Detection provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and provide recommendations for how to investigate and mitigate threats. |
c83a7b1d-ac74-475b-80fe-b1244daa1b27 | Azure SQL Misconfiguration | Azure SQL Database with Threat Retention less than or equal to 90 days | Identifies SQL Databases that have Threat Retention less than or equal to 90 days. Threat Logs can be used to check for anomalies and give an understanding of suspected breaches or misuse of data and access. Palo Alto Networks recommends configuring SQL database Threat Retention to be greater than 90 days. |
7a506ab4-d0a2-48ee-a6f5-75a97f11397d | Azure Storage Misconfiguration | Azure storage accounts have blob container(s) with public access | 'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you grant read-only access to these resources without sharing your account key, and without requiring a shared access signature. This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('CONTAINER' or 'BLOB'). As a best practice, do not allow anonymous/public access to blob containers. Instead, consider using a shared access signature token to provide controlled and time-limited access to blob containers. |
bc4e467f-10fa-471e-aa9b-28981dc73e93 | Azure Storage Misconfiguration | Storage Accounts without secure transfer enabled | The secure transfer option enhances the security of your storage account by allowing requests to the storage account only via a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When you use the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some versions of the Linux SMB client. Since Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name. |
10bc76ee-6f29-4c04-98bb-b9f8bafb0964 | GCP Compute Engine Misconfiguration | VM instances without any custom metadata information | Identifies VM instances without any custom metadata. Custom metadata is used for easy identification and searches. |
72b422c8-bef1-4842-a6c6-7230bf0b3492 | GCP Compute Engine Misconfiguration | GCP VM instances have block project-wide SSH keys feature disabled | Identifies VM instances that have the 'Block project-wide SSH keys' feature disabled. Project-wide SSH keys are stored in the Compute Engine project metadata and can be used to log in to every instance within the project. Using project-wide SSH keys eases SSH key management, but if such a key is compromised it can be used against all instances in the project. Palo Alto Networks recommends instance-specific SSH keys, which limit the attack surface if a key is compromised. |
6e125379-081e-4b06-a7ba-f04da2f0901a | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled | Identifies Kubernetes Engine Clusters that have Basic authentication enabled. Basic authentication allows a user to authenticate to the cluster with a username and password. Disabling Basic authentication prevents attacks such as brute force. Instead, authenticate using a client certificate or IAM. |
f57baa2a-6039-4a17-94e8-0be723bcdc75 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have Legacy Authorization enabled | Identifies GCP Kubernetes Engine Clusters that have the legacy authorizer enabled. The legacy authorizer in Kubernetes Engine grants broad and statically defined permissions to all cluster users. After the legacy authorizer is disabled, RBAC can limit permissions for authorized users based on need. |
e1b70bb4-bb77-4326-93d5-5dd9c5170d3f | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have Master authorized networks disabled | Identifies Kubernetes Engine Clusters that have Master authorized networks disabled. Master authorized networks enables the Kubernetes Engine to block untrusted non-GCP source IPs from accessing the Kubernetes master through HTTPS. |
6ddbfdfe-3936-43d0-8157-97a7899beae6 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have Network policy disabled | Identifies Kubernetes Engine Clusters that have network policy disabled. A network policy defines how groups of pods are allowed to communicate with each other and with other network endpoints. When network policy is enabled in a namespace for a pod, it rejects any connections that are not allowed by the network policy. |
53793c32-dd41-430f-bbea-2f002ddafe42 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have Stackdriver Logging disabled | Identifies Kubernetes Engine Clusters that have disabled Stackdriver Logging. Stackdriver Logging enables the Kubernetes Engine to collect, process, and store container and system logs in a dedicated persistent data store. |
ca4b4654-d36a-4b17-a055-9c5063fa2f41 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled | Identifies Kubernetes Engine Clusters that have Stackdriver Monitoring disabled. Stackdriver Monitoring enables the Kubernetes Engine to monitor signals and build operations in the clusters. |
fe81b03a-c602-4b16-8ae9-973724c1adae | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled | Identifies Kubernetes Engine Clusters that have the Kubernetes web UI/Dashboard enabled. Since all of the data is transmitted over the HTTP protocol, disabling the Kubernetes web UI/Dashboard protects the data from sniffers on the same network. |
a3688f2e-eb5b-4b8d-b26f-90d40f08fd84 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have HTTP load balancing disabled | Identifies GCP Kubernetes Engine Clusters that have HTTP load balancing disabled. HTTP/HTTPS load balancing provides global load balancing for HTTP/HTTPS requests destined for your instances. Enabling HTTP/HTTPS load balancing lets Kubernetes Engine terminate unauthorized HTTP/HTTPS requests and make better context-aware load balancing decisions. |
50d5ec3b-1710-4ff7-bb09-061c30deef96 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes Engine Clusters have binary authorization disabled | Identifies Google Kubernetes Engine (GKE) clusters that have binary authorization disabled. Binary authorization is a security control that ensures only trusted container images are deployed on GKE clusters. As a best practice, verify images prior to deployment to reduce the risk of running unintended or malicious code in your environment. |
bee0893d-85fb-403f-9ba7-a5269a46d382 | GCP Kubernetes Engine Misconfiguration | GCP Kubernetes cluster intranode visibility disabled | Checks your cluster's intranode visibility feature and generates an alert if it's disabled. With intranode visibility, all network traffic in your cluster is seen by the Google Cloud Platform network, and you can see flow logs for all traffic between Pods, including traffic between Pods on the same node. You can create firewall rules that apply to all traffic between Pods. |
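The Azure SQL and Azure Storage rows above describe four auditing/retention conditions and two storage conditions, and the two retention policies use different boundaries (audit retention fires when strictly below 90 days, threat retention fires at 90 days or less). The following is an added example, not code from the Prisma Cloud pack, that evaluates those six policies over the JSON you would get from `az sql db audit-policy show`, `az sql db threat-policy show`, `az storage account show` and `az storage container list`; the field names (`state`, `retentionDays`, `enableHttpsTrafficOnly`, `properties.publicAccess`) are assumptions about those CLI outputs, and the sample inputs are constructed.

```python
"""Evaluate Azure SQL auditing / threat detection and storage account settings
against the Azure policies in the table above. Added example, not code from
the Prisma Cloud pack. Field names assume the JSON shapes returned by
`az sql db audit-policy show`, `az sql db threat-policy show`,
`az storage account show` and `az storage container list`."""

from dataclasses import dataclass

# Retention thresholds taken from the policy descriptions. Note the boundary:
# audit retention fires when strictly below 90 days, threat retention fires
# when 90 days or less.
AUDIT_MIN_DAYS = 90
THREAT_MIN_DAYS = 90


@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource: str
    detail: str


def check_sql_database(name, audit_policy, threat_policy):
    """Return findings for one database given its audit and threat policies."""
    findings = []
    if audit_policy.get("state") != "Enabled":
        findings.append(Finding("96b1b8e3-6936-434f-94ab-a154cd5967d9", name,
                                "auditing is Off"))
    else:
        days = int(audit_policy.get("retentionDays") or 0)
        # Assumption: retentionDays == 0 means "keep indefinitely" in the Azure
        # audit-policy API, so it is treated as compliant rather than as 0 days.
        if days != 0 and days < AUDIT_MIN_DAYS:
            findings.append(Finding("fa6fa903-8887-49dd-917f-91687df98dd1", name,
                                    f"audit retention {days} < {AUDIT_MIN_DAYS} days"))
    if threat_policy.get("state") != "Enabled":
        findings.append(Finding("8f7eee48-dffb-4f18-9207-8ea48680b0e2", name,
                                "threat detection is Off"))
    else:
        days = int(threat_policy.get("retentionDays") or 0)
        if days != 0 and days <= THREAT_MIN_DAYS:
            findings.append(Finding("c83a7b1d-ac74-475b-80fe-b1244daa1b27", name,
                                    f"threat retention {days} <= {THREAT_MIN_DAYS} days"))
    return findings


def check_storage_account(account, containers):
    """Return findings for a storage account and its blob containers."""
    name = account["name"]
    findings = []
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append(Finding("bc4e467f-10fa-471e-aa9b-28981dc73e93", name,
                                "secure transfer (HTTPS only) not enabled"))
    for c in containers:
        # publicAccess is 'container', 'blob' or null; compare case-insensitively.
        level = (c.get("properties", {}).get("publicAccess") or "").lower()
        if level in ("container", "blob"):
            findings.append(Finding("7a506ab4-d0a2-48ee-a6f5-75a97f11397d",
                                    f"{name}/{c['name']}",
                                    f"anonymous access level '{level}'"))
    return findings


# Constructed sample inputs (not real tenant data).
SAMPLE_AUDIT = {"state": "Enabled", "retentionDays": 30}
SAMPLE_THREAT = {"state": "Enabled", "retentionDays": 90}   # exactly 90 still fires
SAMPLE_ACCOUNT = {"name": "stdemo001", "enableHttpsTrafficOnly": False}
SAMPLE_CONTAINERS = [
    {"name": "public-assets", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": None}},
]


def run_sample():
    """Evaluate the constructed sample and return the policy IDs that fired."""
    findings = check_sql_database("db1", SAMPLE_AUDIT, SAMPLE_THREAT)
    findings += check_storage_account(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS)
    return [f.policy_id for f in findings]


if __name__ == "__main__":
    for f in (check_sql_database("db1", SAMPLE_AUDIT, SAMPLE_THREAT)
              + check_storage_account(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS)):
        print(f.policy_id, f.resource, f.detail)
```

On the constructed sample, four of the six policies fire: audit retention (30 days), threat retention (exactly 90 days, because that policy uses "less than or equal to"), secure transfer, and the `blob`-level public container. A database with audit retention of 90 and threat retention of 91 passes both retention checks, which is the boundary the two policy descriptions draw.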
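The ten GCP Kubernetes Engine rows above each map to one field in a GKE cluster description. The following is an added example, not code from the Prisma Cloud pack, that evaluates all ten against the JSON returned by `gcloud container clusters describe NAME --format=json`. The field names (`masterAuth.username`, `legacyAbac.enabled`, `masterAuthorizedNetworksConfig.enabled`, `networkPolicy.enabled`, `loggingService`, `monitoringService`, `addonsConfig.kubernetesDashboard.disabled`, `addonsConfig.httpLoadBalancing.disabled`, `binaryAuthorization.enabled` / `evaluationMode`, `networkConfig.enableIntraNodeVisibility`) are assumptions taken from the GKE REST API, and the two sample clusters are constructed.

```python
"""Evaluate a GKE cluster description against the GCP Kubernetes Engine
policies in the table above. Added example, not code from the Prisma Cloud
pack. The input shape follows `gcloud container clusters describe NAME
--format=json`; the field names are assumed from the GKE REST API."""

import json


def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts, returning default if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _binauthz_enabled(c):
    # Older clusters expose binaryAuthorization.enabled; newer ones expose
    # evaluationMode. Either form counts as enabled.
    return (_get(c, "binaryAuthorization.enabled") is True
            or _get(c, "binaryAuthorization.evaluationMode")
            == "PROJECT_SINGLETON_POLICY_ENFORCE")


# (policy id, policy title, predicate that is True when the policy FIRES).
# Predicates follow what GKE actually emits: feature blocks that are omitted
# when the feature is off (authorized networks, network policy, intranode
# visibility, dashboard 'disabled' flag) therefore count as off, while
# legacyAbac and the httpLoadBalancing addon appear as empty objects when
# they are already in the secure state.
CHECKS = [
    ("6e125379-081e-4b06-a7ba-f04da2f0901a", "Basic Authentication is set to Enabled",
     lambda c: bool(_get(c, "masterAuth.username"))),
    ("f57baa2a-6039-4a17-94e8-0be723bcdc75", "Legacy Authorization enabled",
     lambda c: _get(c, "legacyAbac.enabled") is True),
    ("e1b70bb4-bb77-4326-93d5-5dd9c5170d3f", "Master authorized networks disabled",
     lambda c: _get(c, "masterAuthorizedNetworksConfig.enabled") is not True),
    ("6ddbfdfe-3936-43d0-8157-97a7899beae6", "Network policy disabled",
     lambda c: _get(c, "networkPolicy.enabled") is not True),
    ("53793c32-dd41-430f-bbea-2f002ddafe42", "Stackdriver Logging disabled",
     lambda c: _get(c, "loggingService", "none") == "none"),
    ("ca4b4654-d36a-4b17-a055-9c5063fa2f41", "Stackdriver Monitoring disabled",
     lambda c: _get(c, "monitoringService", "none") == "none"),
    ("fe81b03a-c602-4b16-8ae9-973724c1adae", "web UI/Dashboard is set to Enabled",
     lambda c: _get(c, "addonsConfig.kubernetesDashboard.disabled") is not True),
    ("a3688f2e-eb5b-4b8d-b26f-90d40f08fd84", "HTTP load balancing disabled",
     lambda c: _get(c, "addonsConfig.httpLoadBalancing.disabled") is True),
    ("50d5ec3b-1710-4ff7-bb09-061c30deef96", "binary authorization disabled",
     lambda c: not _binauthz_enabled(c)),
    ("bee0893d-85fb-403f-9ba7-a5269a46d382", "intranode visibility disabled",
     lambda c: _get(c, "networkConfig.enableIntraNodeVisibility") is not True),
]


def evaluate_cluster(cluster):
    """Return [(policy_id, title)] for every policy that fires on this cluster."""
    return [(pid, title) for pid, title, fires in CHECKS if fires(cluster)]


# Constructed sample clusters (not real project data).
WEAK_CLUSTER = json.loads("""{
  "name": "demo-weak",
  "masterAuth": {"username": "admin", "password": "REDACTED"},
  "legacyAbac": {"enabled": true},
  "masterAuthorizedNetworksConfig": {"enabled": false},
  "networkPolicy": {"enabled": false},
  "loggingService": "none",
  "monitoringService": "monitoring.googleapis.com/kubernetes",
  "addonsConfig": {"kubernetesDashboard": {}, "httpLoadBalancing": {"disabled": true}},
  "binaryAuthorization": {"enabled": false},
  "networkConfig": {"enableIntraNodeVisibility": false}
}""")

HARDENED_CLUSTER = json.loads("""{
  "name": "demo-hardened",
  "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": false}},
  "legacyAbac": {},
  "masterAuthorizedNetworksConfig": {"enabled": true,
      "cidrBlocks": [{"cidrBlock": "203.0.113.0/24", "displayName": "office"}]},
  "networkPolicy": {"enabled": true, "provider": "CALICO"},
  "loggingService": "logging.googleapis.com/kubernetes",
  "monitoringService": "monitoring.googleapis.com/kubernetes",
  "addonsConfig": {"kubernetesDashboard": {"disabled": true}, "httpLoadBalancing": {}},
  "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
  "networkConfig": {"enableIntraNodeVisibility": true}
}""")


if __name__ == "__main__":
    for cluster in (WEAK_CLUSTER, HARDENED_CLUSTER):
        hits = [f"{pid[:8]} {title}" for pid, title in evaluate_cluster(cluster)]
        print(cluster["name"], hits)
```

The weak sample fires nine of the ten policies (only Stackdriver Monitoring is configured), the hardened sample fires none, and an empty description fires eight, which is the fail-closed behaviour you want from a check that runs before the cluster has finished reporting its configuration.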