Prisma Cloud produces false positives when a corporate-owned IP space is considered part of the Internet IP range. Many companies own part of the public IP space. They connect using SSH or RDP from those spaces using VPNs or other secure means. They do not want these connections to be considered Prisma Cloud findings since they are internal connections. But Prisma Cloud is not aware of the corporate-owned IP ranges.

Prisma Cloud uses RQL like the following to determine if access is coming from the internet:

network where dest.port IN (3389) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and bytes > 0

This is useful in that it filters out internal (RFC 1918) addresses, so local IPs such as 10.0.1.1 would not be considered internet addresses. However, if the company owns several blocks of IP addresses, it would be useful to exclude those from consideration as well.

So the question is: How can I configure Prisma Cloud to exclude CIDR blocks from analysis? Let's say the CIDR blocks are 220.127.116.11/16 and 18.104.22.168/16. How can I exclude these from the list that Prisma Cloud thinks are internet addresses?

I may be able to do this manually. But there are many rules which would need to be edited, and manual error could easily occur, especially as new rules are added. How do I do this once and for all? How do I remove those CIDR blocks?
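As an added illustration (not from the original post, and not Prisma Cloud or Palo Alto Networks code), the following Python post-filter applies the logic the question wants: it takes the RQL's port and byte conditions, drops RFC 1918 sources, and additionally drops sources inside the corporate-owned blocks named above. The flow records and their field names are constructed for the example; note that the blocks as written have host bits set, which is why `strict=False` is needed.

```python
import ipaddress

# Corporate-owned public ranges from the question. They are written with host
# bits set (220.127.116.11/16 rather than 220.127.0.0/16), so strict=False is
# required; ip_network() would otherwise raise ValueError.
CORPORATE_BLOCKS = [
    ipaddress.ip_network(c, strict=False)
    for c in ("220.127.116.11/16", "18.104.22.168/16")
]

# RFC 1918 ranges, which the RQL's 'Internet IPs' filter already excludes.
RFC1918_BLOCKS = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample flows (source address, destination port, byte count).
# These are not real Prisma Cloud records; the field names are assumed.
SAMPLE_FLOWS = [
    {"source_ip": "220.127.50.9",  "dest_port": 3389, "bytes": 1200},  # corporate VPN
    {"source_ip": "18.104.7.21",   "dest_port": 22,   "bytes": 800},   # corporate VPN
    {"source_ip": "203.0.113.45",  "dest_port": 3389, "bytes": 5000},  # genuine internet source
    {"source_ip": "10.0.1.1",      "dest_port": 3389, "bytes": 300},   # RFC 1918, already excluded
    {"source_ip": "198.51.100.7",  "dest_port": 3389, "bytes": 0},     # dropped by bytes > 0
]


def in_any(ip: str, blocks) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def is_corporate(ip: str) -> bool:
    """True if the address belongs to a corporate-owned block."""
    return in_any(ip, CORPORATE_BLOCKS)


def is_internet_source(ip: str) -> bool:
    """Approximates 'Internet IPs' minus the corporate ranges."""
    return not in_any(ip, RFC1918_BLOCKS) and not is_corporate(ip)


def exposed_admin_flows(flows, ports=(22, 3389)):
    """Flows that still count as internet-sourced SSH/RDP access once the
    corporate blocks are excluded; mirrors the RQL's port and bytes > 0 tests."""
    return [
        f for f in flows
        if f["dest_port"] in ports and f["bytes"] > 0
        and is_internet_source(f["source_ip"])
    ]
```

Keeping the block list in one place, as here, is what avoids editing every rule by hand: adding a new corporate range means one change to `CORPORATE_BLOCKS`.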