08-28-2020 10:18 AM - last edited on 09-02-2020 10:42 AM by CHopson
Is it possible to build an RQL query to look at a certain host and determine if it is talking to a suspicious IP address, and create an auto-remediation rule that restricts the host traffic and isolates it so it is no longer talking to the suspicious IP or the internet at all? Looking at the video for creation of a custom remediation policy, this looks to be possible, but I need some ideas to build the query. If that is not an option, are there any integrations or ways that we can create an isolation policy for hosts in the cloud or on prem to not talk to those suspicious IPs? Either with the CSPM side of Prisma Cloud Enterprise Edition or the Prisma Cloud Compute tab? Thanks in advance.
09-25-2020 01:45 AM
Hi @ramyfrahman
You can run the RQL to find all "Internet exposed instances" that are talking with Suspicious IPs:
NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )
The problem is that auto-remediation is not supported for Network and Audit policies, only for Config policies.
But maybe you can do something like this.
RQL:
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule='image.public is true'
Remediation:
aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"
I hope I could help you a bit with that.
Regards,
Torsten
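To make the two halves of the answer concrete, here is an added example (not code from the thread, from Prisma Cloud, or from Palo Alto Networks). It applies the same three conditions as the NETWORK RQL above to a constructed set of flow records, returns the destination instances the query would flag, and then renders an isolation command in the ${region}/${resourceId} template style the Config-policy remediation uses. The record fields, the sample flows and the quarantine security group id are assumptions for illustration; swapping an instance's security groups to an empty-rule group cuts both internet and suspicious-IP traffic without touching the host itself.

```python
"""Added example: local mirror of the NETWORK RQL from the answer plus an
isolation command template. Not Prisma Cloud code; field names, sample
flows and the quarantine security group id are constructed assumptions."""
from dataclasses import dataclass
from string import Template

# The three filters in the RQL, as sets we can test membership against.
SUSPICIOUS_NETWORKS = {"Suspicious IPs", "Internet IPs"}
EXCLUDED_ROLES = {"AWS NAT Gateway", "AWS ELB"}
EXCLUDED_PROTOCOLS = {"ICMP", "ICMP6"}


@dataclass(frozen=True)
class Flow:
    """One network-flow record (constructed shape, not the product's schema)."""
    src_publicnetwork: str   # classification of the source, e.g. 'Suspicious IPs'
    dest_resource_id: str    # id of the destination resource
    dest_role: str           # role label of the destination, e.g. 'AWS EC2 Instance'
    protocol: str            # L4 protocol name


def matches_query(flow: Flow) -> bool:
    """Same conditions as the RQL: suspicious/internet source, destination
    not a NAT gateway or ELB, and not ICMP/ICMP6 traffic."""
    return (flow.src_publicnetwork in SUSPICIOUS_NETWORKS
            and flow.dest_role not in EXCLUDED_ROLES
            and flow.protocol not in EXCLUDED_PROTOCOLS)


def exposed_instances(flows):
    """Distinct destination resource ids the query flags, in first-seen order."""
    flagged = []
    for flow in flows:
        if matches_query(flow) and flow.dest_resource_id not in flagged:
            flagged.append(flow.dest_resource_id)
    return flagged


# Remediation template using the same ${region} / ${resourceId} placeholders
# as the Config-policy remediation in the answer. ${quarantineSg} is an
# assumed extra placeholder for the isolation security group.
ISOLATION_TEMPLATE = Template(
    "aws ec2 --region ${region} modify-instance-attribute "
    "--instance-id ${resourceId} --groups ${quarantineSg}"
)


def isolation_command(region: str, resource_id: str, quarantine_sg: str) -> str:
    """Render the isolation command for one flagged instance. The security
    group should exist beforehand with no inbound or outbound rules."""
    return ISOLATION_TEMPLATE.substitute(
        region=region, resourceId=resource_id, quarantineSg=quarantine_sg)


# Constructed sample flows covering each branch of the filter.
SAMPLE_FLOWS = [
    Flow("Suspicious IPs", "i-0aaa111", "AWS EC2 Instance", "TCP"),   # flagged
    Flow("Suspicious IPs", "nat-0bbb222", "AWS NAT Gateway", "TCP"),  # role excluded
    Flow("Internet IPs", "i-0ccc333", "AWS EC2 Instance", "ICMP"),    # protocol excluded
    Flow("Private IPs", "i-0ddd444", "AWS EC2 Instance", "TCP"),      # source not suspicious
    Flow("Internet IPs", "i-0aaa111", "AWS EC2 Instance", "UDP"),     # duplicate of first
]

if __name__ == "__main__":
    for instance_id in exposed_instances(SAMPLE_FLOWS):
        # Placeholder region and security group id; replace with real values.
        print(isolation_command("us-east-1", instance_id, "sg-quarantine-placeholder"))
```

Because network policies cannot auto-remediate, the rendered command would have to be run from whatever integration consumes the alert rather than by Prisma Cloud itself; the local evaluation above is only there to show which flows the query's three conditions keep and which they drop.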