https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/network-isolation-via-auto-remediation-alert-rule/m-p/352073#M321 <P>Hi&nbsp;@Retired Member&nbsp;</P><P>&nbsp;</P><P>You can run the RQL to find all "Internet exposed instances" where talking with&nbsp;<SPAN>Suspicious IPs.</SPAN></P><P><SPAN>NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )</SPAN></P><P>&nbsp;</P><P><SPAN>The problem is that Auto-remediation is not supported for Network and audit policies only for config policies.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>But maybe you can do something like this.</SPAN></P><P><STRONG>RQL</STRONG></P><P><SPAN>config where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule='image.public is true'</SPAN></P><P><STRONG>Remediation:</STRONG></P><P><SPAN>aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"</SPAN></P><P>&nbsp;</P><P><SPAN>I hope i could help you a bit with that</SPAN></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Torsten</SPAN></P> Fri, 25 Sep 2020 08:45:51 GMT tostern 2020-09-25T08:45:51Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/network-isolation-via-auto-remediation-alert-rule/m-p/345878#M296 <P>Is it possible to build an RQL query to look at a certain host and determine if it is talking to a suspicious IP address and create an auto-remediation rule that restricts the host traffic and isolates it so it is no longer talking to the suspicious IP or the internet at all?&nbsp; Looking at the video for creation of a custom remediation policy this looks to be possible but I need some ideas to build the query.&nbsp; If that is not an option are there any integrations or ways that we can create an isolation policy for hosts in the cloud or on prem to not talk to those suspicious IPs?&nbsp; Either with the CSPM side of Prisma Cloud Enterprise Edition or Prisma Cloud Compute tab?&nbsp; Thanks in advance.</P> Wed, 02 Sep 2020 17:42:19 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/network-isolation-via-auto-remediation-alert-rule/m-p/345878#M296 Retired Member 2020-09-02T17:42:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/network-isolation-via-auto-remediation-alert-rule/m-p/352073#M321 <P>Hi&nbsp;@Retired Member&nbsp;</P><P>&nbsp;</P><P>You can run the RQL to find all "Internet exposed instances" where talking with&nbsp;<SPAN>Suspicious IPs.</SPAN></P><P><SPAN>NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )</SPAN></P><P>&nbsp;</P><P><SPAN>The problem is that Auto-remediation is not supported for Network and audit policies only for config policies.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>But maybe you can do something like this.</SPAN></P><P><STRONG>RQL</STRONG></P><P><SPAN>config where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule='image.public is true'</SPAN></P><P><STRONG>Remediation:</STRONG></P><P><SPAN>aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"</SPAN></P><P>&nbsp;</P><P><SPAN>I hope i could help you a bit with that</SPAN></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Torsten</SPAN></P> Fri, 25 Sep 2020 08:45:51 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/network-isolation-via-auto-remediation-alert-rule/m-p/352073#M321 tostern 2020-09-25T08:45:51Z