About SRohatyn

Hello @SRKhan007  System Admins by default get access keys allowed to them without an option to change it upon creation, similar to how it does so in the UI. You are not doing anything wrong here. We have a feature request to have that modifiable for system admins as well, but that's by design at the moment. Users with other role types can have access key creation option as disabled. ... View more

I will split that into 2: Audit events are point in time of actions that were made; so if it's in the Cloud Provider's audit logs, we'll catch it when we scan. These are not going away anywhere.   Config changes: this is highly dependent on many causes. If we just got the bucket output from its API, then till this scan finishes on that account, we have a specific status on the bucket from that API. Once we touched it, other changes should only be known to us in the next scan.   I hope this helps. ... View more

Hi @MPestell  It is best accessed right after signing in to your tenant, then clicking the blue question mark icon on the bottom right corner of your screen, then API Docs. The API reference page is available only with a token, which is automatically passed upon your sign in to your tenant. ... View more

Hello @DBrennan    You can create IP Whitelisting buckets for that. Each bucket can have multiple CIDR blocks in it.  Let say you call that "Corp public" and add the CIDR blocks, then nex time you run a network query, the tool tips will give you that "Corp public" as a suggestion in this section: ....dest.publicnetwork IN ('.... Even without the dest.publicnetwork IN (' filter, you will then see the network diagrams populate an additional "bucket" for these CIDR blocks communication flow.   To set up IP whitelisting, you can naviaget to the "gear icon" setup menu and click IP whitelisting. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/whitelist-ip-adresses-on-prisma-cloud ... View more

Hi @SAziz    One way could be to click All Time -> then choose Dismissed and Resolved. This should show all alerts with statuses of not open at the moment. You can then click the "disk" save button on the left side to save the filter you just did. Differently, you can also choose all time, no status filter, then on the top right corner coick the download button to get the CSV file for slicing and dicing.   ... View more

Hi @APaul    Looking into CloudTrail's options for the type field, I don't see an option for "Consolepassword" : https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html#cloudtrail-event-reference-user-identity-fields   All types though do not differentiate consoel vs. API operation, just where did it come from, i.e. other account, AD, IAM, assumed role etc.   I think using JSON rule for eventtype might be more beneficial. More info on AWS page, look for eventType: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html AwsApiCall – An API was called. AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own. AwsConsoleSignin – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.   So consider doing: event where cloud.type = 'aws' AND operation = 'CreateInstanceSnapshot' AND json.rule = $.eventType = "AwsApiCall" In addition, you can add a filter to include specific email addresses with MATCHES or excluding specific known users from the output.   Did that help?   ... View more

Since this auto remediation isn't possible yet due to multiple aws CLIs, one will need to set an alert rule for the desired policies, then write a piece of automation/code in AWS (Lambda as an example) for looking at the payload for desired policy X and apply the AWS CLI one wishes in that function, in AWS. So in macro level, instead of auto remediation to run from Prisma Cloud, it will look like that (high level example) : - policy X violated - alert created for policy X - alert sent to SQS queue due to alert rule in place - Lambda funtion going through SQS queue and runs a code with wished above AWS CLI to mitigate the violation.   This will also act as an auto remediation, as an interim, due to the limitation of one AWS CLI command per policy.   You will need to create the code in Lambda, while there are a lot of publicly available examples out there. I hope this has informed you well. ... View more