Network Isolation via Auto Remediation Alert Rule

Is it possible to build an RQL query that looks at a certain host, determines whether it is talking to a suspicious IP address, and creates an auto-remediation rule that restricts the host's traffic and isolates it so it is no longer talking to the suspicious IP (or to the internet at all)? Looking at the video on creating a custom remediation policy, this looks to be possible, but I need some ideas to build the query. If that is not an option, are there any integrations or other ways to create an isolation policy for hosts in the cloud or on prem so they do not talk to those suspicious IPs? Either with the CSPM side of Prisma Cloud Enterprise Edition or the Prisma Cloud Compute tab? Thanks in advance.


Hi @ramyfrahman 


You can run this RQL to find all "Internet exposed instances" that are talking with Suspicious IPs:

NETWORK WHERE src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' )


The problem is that auto-remediation is not supported for Network and Audit Event policies, only for Config policies.


But maybe you can do something like this (a Config policy with a CLI remediation attached):


config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-images' AND json.rule = 'image.public is true'


aws ec2 --region ${region} modify-image-attribute --image-id ${resourceId} --launch-permission "{\"Remove\": [{\"Group\":\"all\"}]}"


I hope I could help you a bit with that.
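Since Network policies cannot drive auto-remediation directly, a common workaround is to consume the Network policy alerts externally and perform the isolation yourself. The script below is an added example, not code from the post or from Prisma Cloud: it takes a constructed alert list (the payload shape is simplified and hypothetical; only the resource id, region, cloud type and resource type matter), filters it to EC2 instances, and renders isolation commands using the same `${region}` / `${resourceId}` placeholder style as the post's remediation CLI. The isolation itself swaps the instance onto a quarantine security group that has no inbound rules and whose default allow-all egress has been revoked; `sg-quarantine-*` ids and the `quarantine_sg_by_region` map are assumptions you would replace with your own. Instance ids coming from an alert feed are validated before they are placed into a shell command, so a malformed or hostile payload cannot inject into the remediation.

```python
import json
import re
from string import Template

# Constructed sample alerts (hypothetical shape; not a real Prisma Cloud payload).
SAMPLE_ALERTS = json.dumps([
    {"alertId": "A-1", "policyName": "Instance talking to Suspicious IPs",
     "resource": {"id": "i-0123456789abcdef0", "region": "us-east-1",
                  "cloudType": "aws", "resourceType": "Instance"}},
    {"alertId": "A-2", "policyName": "Instance talking to Suspicious IPs",
     "resource": {"id": "nat-0abc0abc0abc0abc0", "region": "us-east-1",
                  "cloudType": "aws", "resourceType": "NAT Gateway"}},
    {"alertId": "A-3", "policyName": "Instance talking to Suspicious IPs",
     "resource": {"id": "i-0fedcba9876543210; rm -rf /", "region": "eu-west-1",
                  "cloudType": "aws", "resourceType": "Instance"}},
    {"alertId": "A-4", "policyName": "Instance talking to Suspicious IPs",
     "resource": {"id": "i-0fedcba9876543210", "region": "eu-west-1",
                  "cloudType": "aws", "resourceType": "Instance"}},
])

# Same placeholder convention as the post's remediation CLI (${region}, ${resourceId}).
# ${quarantineSg} is an extra placeholder introduced by this example.
ISOLATE_TEMPLATE = (
    "aws ec2 --region ${region} modify-instance-attribute "
    "--instance-id ${resourceId} --groups ${quarantineSg}"
)

# Strict id format: refuse anything that is not a plain EC2 instance id.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")
SG_ID_RE = re.compile(r"^sg-[0-9a-z-]+$")


def render(template: str, **values: str) -> str:
    """Fill ${...} placeholders; raises KeyError if one is missing."""
    return Template(template).substitute(values)


def quarantine_sg_bootstrap_commands(region: str, vpc_id: str) -> list[str]:
    """Commands to create a quarantine SG: no inbound rules, default egress revoked."""
    return [
        f"aws ec2 --region {region} create-security-group --group-name quarantine "
        f"--description 'Isolation group: no traffic' --vpc-id {vpc_id}",
        # A new SG allows all egress by default; remove that rule so the instance
        # can reach neither the suspicious IP nor the internet.
        f"aws ec2 --region {region} revoke-security-group-egress --group-id <sg-id> "
        "--ip-permissions '[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}]'",
    ]


def isolation_commands(alerts_json: str, quarantine_sg_by_region: dict) -> tuple[list[str], list[str]]:
    """Return (commands, skipped_alert_ids) for the EC2 instances in the alert feed."""
    commands, skipped = [], []
    for alert in json.loads(alerts_json):
        res = alert["resource"]
        # Only EC2 instances take a security-group swap; NAT gateways, ELBs etc. are skipped.
        if res.get("cloudType") != "aws" or res.get("resourceType") != "Instance":
            skipped.append(alert["alertId"])
            continue
        if not INSTANCE_ID_RE.match(res["id"]):
            skipped.append(alert["alertId"])  # untrusted/malformed id: never shell it out
            continue
        sg = quarantine_sg_by_region.get(res["region"])
        if sg is None or not SG_ID_RE.match(sg):
            skipped.append(alert["alertId"])  # no quarantine group prepared for this region
            continue
        commands.append(render(ISOLATE_TEMPLATE, region=res["region"],
                               resourceId=res["id"], quarantineSg=sg))
    return commands, skipped


if __name__ == "__main__":
    sg_map = {"us-east-1": "sg-quarantine-use1", "eu-west-1": "sg-quarantine-euw1"}
    cmds, skipped = isolation_commands(SAMPLE_ALERTS, sg_map)
    print("\n".join(cmds))
    print("skipped:", skipped)
```

Only the commands are produced here; run them from the alert-handling job (or a Lambda fed by the Prisma Cloud alert integration) with credentials limited to `ec2:ModifyInstanceAttribute` on the instances in scope. Isolation with a security group preserves the instance for forensics, unlike stopping or terminating it.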
