Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About ramyfrahman
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ramyfrahman
03-29-2021
22Posts
5Likes
2Solutions
Mar 29, 2021Last Visited
User
Activity
User
Profile
Latest posts by ramyfrahman
| Subject | Views | Posted |
|---|---|---|
| 2612 | 11-24-2020 10:19 AM | |
| 904 | 11-23-2020 09:24 AM | |
| 2935 | 11-11-2020 04:16 PM | |
| 1344 | 11-11-2020 04:14 PM | |
| 815 | 11-11-2020 04:10 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 11-11-2020 04:16 PM | |
| 2 Likes | 11-11-2020 04:01 PM |
User Badges
Community Statistics
| Member Since | 09-27-2016 04:13 PM |
| Date Last Visited | 03-29-2021 12:48 PM |
| Posts | 22 |
| Total Likes Received | 3 |
11-24-2020
10:19 AM
https://exchange.xforce.ibmcloud.com/hub/extension/d249296e8dba167cc65eb0c38ee67ef1 https://exchange.xforce.ibmcloud.com/hub/extension/46ede8c0299f5e4945fa664997f81521 Both currently use the SQS to Syslog found here, but using OOTB API support is on the roadmap. https://github.com/PaloAltoNetworks/prismacloud_sqs_to_syslog Or a function step here: https://github.com/PaloAltoNetworks/Prisma-CloudFunction-Syslog
... View more
11-23-2020
09:24 AM
I have the thresholds for Unusual Server Port Internal activity set to the most conservative settings to minimize false positives but it seems like the highest port consistently gets flagged as "unusual". In the example below there are 15 ports labeled as usual and the Kafka port (9092) is being flagged as unusual. Upon further investigation we always find out that this is the intended purpose and traffic volumes support that this is normal activity. For example another similar alert was fired off on MongoDB but going into the investigate tab I can see months and hundreds of Gb of Mongo DB traffic so it should NOT have flagged this traffic coming from a host labeled as MongoDB (not that the naming convention has anything to do with it but I had to figure out if the resource this was connected to was legit a MongoDB server and client). I may enter a feature request to give "allowed ports" check box based on alerts generated for Unusual server port Internal.
... View more
11-11-2020
04:16 PM
1 Kudo
I had this link bookmarked a while ago and now it seems to have been taken down. Is there still native integration? I can't find any documentation around it and it does not show up as an option under enterprise settings->integrations. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-qradar.html
... View more
11-11-2020
04:14 PM
I would actually like to validate that integration still exists. I bookmarked the documentation but the link seems to be broken: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-qradar.html
... View more
11-11-2020
04:10 PM
If you have an AWS EC2 instance with 443 exposed to the internet, you would get an alert but what would be a good way to validate that a particular instance has a WAF protecting it? One thing I was thinking of would be to do a joins looking at the EC2 security group API and the AWS WAF API but is there some other way we can look through a cloud config that would look for this? I understand you can't run joins across network and config queries but the use case is pretty valid when you have large cloud teams that are constantly doing testing and making things exposed publicly exposed with a compensating control. In this example I wouldn't have access to the actual resource to deploy a Defender and use the WAAS which is part of the reason we need to look for the cloud native WAF in say AWS or Azure. Thanks in advance.
... View more
11-11-2020
04:01 PM
2 Kudos
"Am I right understanding what with regards to AWS Serverless there are two modes - initial assessment (can be done without any modifications to Lambda) and continuous protection (requires some additional code to be added). What about checking IAM rules for security? Are there features in the Prisma Cloud adding additional value on the top of IAM Analizer? Is there a built-in code review for Lambda?' So there are two aspects of the product. All of the PureSec/TwistLock/Evident functionality is integrated. The CSPM (Cloud Security Posture Management) side of the product has about 4 policies specific to Lambda functions but there are several others that relate to IAM in general across the cloud itself. Here is a screenshot of the Lambda policies that don't require a "Defender" which is the snippet of code for Serverless or service that runs on a host, container etc whether on prem or in the cloud. And yes, https://docs.paloaltonetworks.com/prisma/prisma-cloud Is the best place to navigate for the documentation which is very good. Another very useful feature once you adopt the platform specifically in the Compute tab is the help which actually takes you directly to the updated web url for that section of the admin guide so if you want to "Learn More about this Feature" and you're in the Compute tab under the WAAS settings it shows the documentation for the Web Application and API security. One other place that has an entirely different set of documentation that is related to the Prisma Cloud API is here: api.docs.prismacloud.io/reference Also in reference to the other part of your question there are several other configurable protections once you get a Defender code deployed in Lambda like that WAAS capabilities or shoring up compliance violations or protecting the functions. Hope this helps.
... View more
09-23-2020
02:23 PM
At first glance, it looks as if there is no real way to put a setting to the Anomaly Setting for "Port Scan Activity (External)". The rationale behind the question is, you're only looking at the amount of scans for the Conservative Moderate and Aggressive settings and looks at 500,200 and 50 ports respectively. 500 ports in a minute is obviously aggressive but 500 over a longer setting of time may be something else. Is there no way to modify the threshold of time of which it looks at this data?
... View more
09-23-2020
10:20 AM
Looks like this was submitted and upvoted 15 times. https://prismacloud.ideas.aha.io/ideas/PANW-I-190 It is unclear if this is "will not implement" it is "New Idea". Any clarity if that is on the roadmap?
... View more
09-23-2020
10:16 AM
Looking to see if this is on the roadmap. I will also ask on the Aha Feature Request site.
... View more
09-22-2020
03:38 PM
Ok so I think we are getting closer. This was helpful but maybe I can ask this a different way If I wanted to get a list of all the alerts that were in a config query like below that have a finding severity of HIGH, is that possible? config where api.name = 'gcloud-compute-instances-list' and json.rule = status contains RUNNING
... View more
09-09-2020
07:01 AM
so is there any limitation to the data? Or Database ? If you have an extremely large volume of data is there any potential for corruption?
... View more
09-08-2020
07:42 PM
If you were to need to monitor a set of assets such as Google Cloud VPCs and any changes that have been made in a set date range, what would be an RQL you could write that would yield the audit trail and show those changes? I would have to imagine it starts with an event query based on something similar I pulled up for AWS: event where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress') or maybe RQL: config where cloud.type = 'aws' AND api.name = 'aws-elbv2-target-group' But how would be the best practice to possible get a list of a set of assets you want to monitor highly for changes. Maybe leveraging tags?
... View more
08-28-2020
01:46 PM
An kind of limitations on the metadata which gets collected on the either the CSPM side or CWPP side? As multi cloud environments grow, are there any limitations on retention of that data? If you want to run RQLs from 5 years ago or more is that something you would have available or is it limited to the retention of say CloudTrail logs in AWS etc?
... View more
- Tags:
- prisma cloud
Labels:
- Labels:
-
Prisma Cloud
08-28-2020
10:18 AM
Is it possible to build an RQL query to look at a certain host and determine if it is talking to a suspicious IP address and create an auto-remediation rule that restricts the host traffic and isolates it so it is no longer talking to the suspicious IP or the internet at all? Looking at the video for creation of a custom remediation policy this looks to be possible but I need some ideas to build the query. If that is not an option are there any integrations or ways that we can create an isolation policy for hosts in the cloud or on prem to not talk to those suspicious IPs? Either with the CSPM side of Prisma Cloud Enterprise Edition or Prisma Cloud Compute tab? Thanks in advance.
... View more
Labels:
- Labels:
-
Prisma Cloud
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-29-2021
12:48 PM
|
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
