Network Isolation via Auto Remediation Alert Rule


L2 Linker

Is it possible to build an RQL query to look at a certain host and determine if it is talking to a suspicious IP address and create an auto-remediation rule that restricts the host traffic and isolates it so it is no longer talking to the suspicious IP or the internet at all? Looking at the video for creation of a custom remediation policy, this looks to be possible, but I need some ideas to build the query. If that is not an option, are there any integrations or ways that we can create an isolation policy for hosts in the cloud or on-prem to not talk to those suspicious IPs? Either with the CSPM side of Prisma Cloud Enterprise Edition or Prisma Cloud Compute tab? Thanks in advance.

Accepted Solutions

L3 Networker

Hi @ramyfrahman

You can run the RQL to find all "Internet exposed instances" that are talking with Suspicious IPs.

NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )

The problem is that auto-remediation is not supported for Network and audit policies, only for config policies.

But maybe you can do something like this.

RQL

config where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule='image.public is true'

Remediation:

aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"

I hope I could help you a bit with that.

Regards,

Torsten

"With unity we can do great things"
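
Added example, not part of the original thread and not Prisma Cloud or AWS code: because the reply notes that auto-remediation applies only to config policies, a host flagged by the network query can instead be contained from a separate script that replaces its security groups with a quarantine group. Assumptions: the quarantine group already exists in the instance's VPC with no inbound rules and its default allow-all egress rule revoked; the `APPLY` switch, function names and all IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: quarantine one EC2 instance by replacing its security groups
# with a pre-built quarantine group. Prints the plan unless APPLY=1 is set.

# matches VALUE ERE: true only if VALUE is one token of [a-z0-9-] that fits ERE.
# Alert fields are untrusted input, so reject anything else before it reaches
# a command line (spaces, quotes, semicolons, newlines, extra flags).
matches() {
  case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac
  printf '%s\n' "$1" | LC_ALL=C grep -Eq "$2"
}

# run_or_print CMD...: show the command; execute it only when APPLY=1.
# The printed form is for review, not for copy-paste (quoting is dropped).
run_or_print() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# quarantine_instance INSTANCE_ID REGION QUARANTINE_SG_ID
quarantine_instance() {
  q_instance="$1"; q_region="$2"; q_sg="$3"
  matches "$q_instance" '^i-([0-9a-f]{8}|[0-9a-f]{17})$' \
    || { echo "rejected instance id" >&2; return 2; }
  matches "$q_region" '^[a-z]{2}(-[a-z]+)+-[0-9]+$' \
    || { echo "rejected region" >&2; return 2; }
  matches "$q_sg" '^sg-([0-9a-f]{8}|[0-9a-f]{17})$' \
    || { echo "rejected security group id" >&2; return 2; }

  # 1. Record the current groups so the change can be reversed after triage.
  run_or_print aws ec2 describe-instances --region "$q_region" \
    --instance-ids "$q_instance" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' \
    --output text || return 1

  # 2. Replace every attached group with the quarantine group.
  run_or_print aws ec2 modify-instance-attribute --region "$q_region" \
    --instance-id "$q_instance" --groups "$q_sg" || return 1
}

# Dry run with constructed IDs.
quarantine_instance i-0123456789abcdef0 us-east-1 sg-0fedcba9876543210
```

Save the group list printed by step 1 before applying, and check any additional network interfaces on the instance, which carry their own security groups.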
