08-29-2019 01:41 PM - last edited on 09-02-2020 10:19 AM by kwadsack
Prisma Cloud produces false positives when a corporate-owned IP space is considered part of the Internet IP range. Many companies own part of the public IP space. They connect using SSH or RDP from those spaces using VPNs or other secure means. They do not want these connections to be considered Prisma Cloud findings since they are internal connections. But Prisma Cloud is not aware of the corporate-owned IP ranges.
Prisma Cloud uses RQL like the following to determine if access is coming from the internet:
network where dest.port IN (3389) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and bytes > 0
This is useful in that it filters out internal (RFC 1918) addresses so local IPs such as 10.0.1.1 would not be considered internet addresses.
However, if the company owns several blocks of IP addresses it would be useful to exclude those from consideration as well. So the question is:
How can I configure Prisma Cloud to exclude CIDR blocks from analysis? Let's say the CIDR blocks are 1.1.1.0/16 and 2.2.2.0/16. How can I exclude these from the list that Prisma Cloud thinks are internet addresses? I may be able to do this manually. But there are many rules which which would need to be edited, and manual error could easily occur, especially as new rules are added. How do I do this once and for all? How do I remove those CIDR blocks?
08-30-2019 02:16 AM
Hello @DBrennan
You can create IP Whitelisting buckets for that.
Each bucket can have multiple CIDR blocks in it.
Let say you call that "Corp public" and add the CIDR blocks, then nex time you run a network query, the tool tips will give you that "Corp public" as a suggestion in this section: ....dest.publicnetwork IN ('....
Even without the dest.publicnetwork IN (' filter, you will then see the network diagrams populate an additional "bucket" for these CIDR blocks communication flow.
To set up IP whitelisting, you can naviaget to the "gear icon" setup menu and click IP whitelisting.
08-30-2019 02:16 AM
Hello @DBrennan
You can create IP Whitelisting buckets for that.
Each bucket can have multiple CIDR blocks in it.
Let say you call that "Corp public" and add the CIDR blocks, then nex time you run a network query, the tool tips will give you that "Corp public" as a suggestion in this section: ....dest.publicnetwork IN ('....
Even without the dest.publicnetwork IN (' filter, you will then see the network diagrams populate an additional "bucket" for these CIDR blocks communication flow.
To set up IP whitelisting, you can naviaget to the "gear icon" setup menu and click IP whitelisting.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
