12-08-2022 01:24 AM - edited 12-08-2022 01:41 AM
I am new to RQL and I need to build custom queries quickly for compliance reporting and would appreciate it if any SME can help with providing RQL queries for the below, rather than myself spending sleepless nights to re-invent the wheel when an expert somewhere would take them 5 min. Kindly assist.
Custom RQL queries needed for:
1) Ensure the unused Key Pairs and Security Groups from AWS console are removed.
2) Ensure that you create Separate Keys and Groups for each set of Application Instance. Don’t use single Security Group and Key Pairs for the entire region
3) Ensure PEM keys for SSH are not shared with User
4) Ensure that you always have source IP address specified in the IAM Policies.
5) Ensure IAM instance roles are used for AWS resource access from instance-to-instance.
6) Ensure User Activity is monitored for the Audit purposes.
7) Ensure CloudTrail logs are encrypted at rest
8) Ensure a log metric filter and alarm exist for security group changes
9) Ensure appropriate subscribers to each SNS topic
10) Ensure PEM keys for SSH are not shared with User
11) Ensure the usage of different CMK per type of data based on its classification and region
12) Ensure that there is a private connection between VPC and S3 and the traffic never leaves the Amazon network
13) Ensure the In-Transit data encryption in the communication between datacenters and Amazon AWS
14) Ensure that secure SSL ciphers are used when connecting between the EC2 instance and ELB
15) Ensure standard / approved AMI used to launch the EC2 Instances
appreciate the quick response.
12-09-2022 10:19 AM
I would suggest opening a support case with the relevant account information so we can go ahead and hop on a call with you to determine some of your use cases and work with you on getting these RQL's constructed as well as walk you through some of the RQL related documents we have available.
Support Portal Link: https://support.paloaltonetworks.com/
12-10-2022 05:37 AM
Thank you for the response. I am currently unable to create support cases for some reason. During the recent Office Hours, someone took my email and they said they would look into it. Not heard from them since.
12-12-2022 08:00 AM - edited 12-13-2022 06:43 AM
@FKisambu, you will likely require professional services to develop these custom rules or do it yourself.
Based on my experience, RQL as Prisma Cloud Policies are good for detecting and alerting. Use the native remediation, if possible.
Another option is to automate the remediation: simply code a "daemon" in a popular programming language like Python or bash, schedule it to run periodically, poll the Alert APIs, implement your decision-making policies, then take appropriate action within that daemon.
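The "daemon" pattern described in the reply above, as an added Python sketch that is not from the original thread or from Prisma Cloud itself. It assumes a hypothetical `fetch_alerts()` callable standing in for the Alert API poll, alert dictionaries whose shape only approximates the real alert JSON, and a `PLAYBOOK` mapping of policy names to remediation actions that you would fill in yourself. Anything not listed in the playbook is escalated rather than remediated, already-seen alert ids are skipped on re-poll, and dry-run is the default so the loop records intended actions without touching the account.

```python
"""Remediation-daemon skeleton: poll alerts, decide, act (dry-run by default).

Added example, not Prisma Cloud code. Hypothetical assumptions:
- `fetch_alerts` returns open alerts as dicts like
  {"id": str, "policy": {"name": str}, "resource": {"id": str, "region": str}}
- PLAYBOOK keys are policy names you have decided are safe to auto-remediate.
"""
import time
from typing import Callable, Dict, List, Optional

# Decision policy: only policies listed here are acted on automatically.
# Everything else is escalated to a human, so the daemon never remediates
# something it was not explicitly told to handle. (Names are constructed.)
PLAYBOOK: Dict[str, str] = {
    "CloudTrail logs not encrypted at rest": "enable_cloudtrail_kms",
    "Security group allows SSH ingress from 0.0.0.0/0": "revoke_open_ssh_ingress",
}


def decide(alert: dict) -> Optional[str]:
    """Map an alert to a playbook action, or None if it must be escalated."""
    return PLAYBOOK.get(alert.get("policy", {}).get("name", ""))


class Daemon:
    def __init__(self, fetch_alerts: Callable[[], List[dict]], dry_run: bool = True):
        self.fetch_alerts = fetch_alerts
        self.dry_run = dry_run
        self.seen: set = set()        # alert ids already handled; re-polls must not act twice
        self.log: List[dict] = []     # audit trail of every decision taken

    def act(self, action: str, alert: dict) -> dict:
        # A real deployment would dispatch to an AWS SDK call here (e.g. boto3).
        # This sketch only records the intended change; dry_run stays True unless
        # you deliberately flip it after reviewing the log.
        entry = {
            "alert": alert["id"],
            "action": action,
            "resource": alert["resource"]["id"],
            "region": alert["resource"].get("region"),
            "dry_run": self.dry_run,
        }
        self.log.append(entry)
        return entry

    def poll_once(self) -> List[dict]:
        """One poll cycle. Returns the actions taken (or simulated) this cycle."""
        handled: List[dict] = []
        for alert in self.fetch_alerts():
            if alert["id"] in self.seen:
                continue
            self.seen.add(alert["id"])
            action = decide(alert)
            if action is None:
                self.log.append({"alert": alert["id"], "action": "escalate",
                                 "resource": alert["resource"]["id"], "dry_run": self.dry_run})
                continue
            handled.append(self.act(action, alert))
        return handled

    def run(self, interval_s: float, cycles: int) -> None:
        """Scheduled loop; in production this is what cron/systemd would keep alive."""
        for _ in range(cycles):
            self.poll_once()
            time.sleep(interval_s)


# Constructed sample alerts standing in for an Alert API response.
SAMPLE_ALERTS: List[dict] = [
    {"id": "A-1", "policy": {"name": "CloudTrail logs not encrypted at rest"},
     "resource": {"id": "trail-main", "region": "us-east-1"}},
    {"id": "A-2", "policy": {"name": "Security group allows SSH ingress from 0.0.0.0/0"},
     "resource": {"id": "sg-0abc", "region": "eu-west-1"}},
    {"id": "A-3", "policy": {"name": "IAM policy lacks source IP condition"},
     "resource": {"id": "policy/app-rw", "region": "global"}},
]


def demo() -> Daemon:
    """Two poll cycles over the same alerts: the second must be a no-op."""
    d = Daemon(lambda: SAMPLE_ALERTS)
    d.poll_once()
    d.poll_once()
    return d


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

The escalation path is the important design choice: a compliance daemon that silently "fixes" anything it sees is itself a change-control risk, so unknown policies go to a human and every decision, including dry-run ones, lands in the log for audit.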