Custom feeds
Self.Hosted 22.06 (EoL)
Custom feeds
You can supplement the Prisma Cloud Intelligence Stream with your own custom data, including:
- Suspicious or high-risk IP addresses
- Malware signatures
- Trusted executables
- Allowed CVEs
For each data type, you can add individual entries to a table from the Console web interface, bulk upload a list from a CSV file, or submit a JSON object using the Prisma Cloud API.
Supplementing the IP reputation list
You can supplement the Prisma Cloud Intelligence Stream with your own list of suspicious or high-risk IP addresses that you want to ban on your network.
- Open Console.
- Go to Manage > System > Custom Feeds.
- Click IP Reputation Lists, and either click Add IP or Import CSV.
  Your list of banned IP addresses is enforced as soon as the data is imported. A default runtime defense rule, Default - detect suspicious runtime behavior, logs an alert when a container tries to connect to a banned IP address.
  You can add one entry at a time manually, or bulk upload from a CSV file. The maximum CSV file size is 20 MB. The first line in your CSV file must be a header record that contains the field names. Specify one IP address per line. For example:
    ip
    99.104.125.48
    101.200.81.187
    103.19.89.118
- Review the default rule. Go to Defend > Runtime > {Container Policy | Host Policy}, then click manage for the Default - detect suspicious runtime behavior rule. You should see that Prisma Cloud Advanced Threat Protection is set to On.
Create a list of malware signatures and trusted executables
You can supplement the Prisma Cloud Intelligence Stream with your own custom malware signatures and trusted executable list.
The trusted executable list is a mechanism to address potential misidentification of legitimate files as malware.
You can add MD5 hashes of custom malicious executables to the malware signatures list. This lets you monitor for malware that you want to alert on or block in runtime rules.
Malware scanning and detection is supported for Linux container images and hosts only.
Windows containers and hosts are not supported.
When you add MD5 hashes (signatures of binaries) to the trusted executables list, you ensure that a legitimate binary is not identified as malicious by the file-system-based defense capability in runtime rules.
The trusted executables list does not apply to other runtime defense capabilities, such as process runtime protection. To exclude files from other runtime detection capabilities, use the allowed list in the runtime defense section.
- Open Console.
- Go to Manage > System > Custom Feeds.
- Select Malware signatures or Trusted executables.
- Choose how to add the MD5 hashes for malware signatures or trusted executables.
  The MD5 hashes you add to either custom feed list are used in all subsequent image scans. They are also used immediately by the runtime defense file system sensor, which assesses all writes to the host and container file system.
  - For Add MD5, you can manually add one entry at a time.
  - For Import CSV, you can bulk upload from a CSV file. The maximum file size is 20 MB. The first line in your CSV file must be a header record that contains the field names. Specify one entry per line. Each entry must include the MD5, followed by a meaningful description of why the MD5 is trusted (in the case of trusted executables) or is known to be malicious (in the case of malware signatures). For example:
      md5,name
      194836fbe0f121a25b145e55e80cef22,legitimate binary built in-house
      0aeb0cac186a81a6ac45776d6b56dd70,test file
      33cc273ae3aa8bce6a22c92e7d11f63a,benign file
- Review the default rule. A default runtime defense rule, Default - detect suspicious runtime behavior, logs an alert when malware is detected using signatures from the Prisma Cloud data set or your custom data set. To review the default rule, go to Defend > Runtime > {Container Policy | Host Policy}, then click manage for the Default - detect suspicious runtime behavior rule. You should see that Prisma Cloud Advanced Threat Protection is set to On.
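The following Python is an added example, not part of the Prisma Cloud documentation. It produces the two CSV layouts described in the IP reputation and MD5 sections above (the `ip` list and the `md5,name` list, with MD5s computed from file contents) and checks a file against the header, field-count, 20 MB and duplicate rules before you import it; all sample inputs are constructed.

```python
import csv
import hashlib
import io
import ipaddress
import re

MAX_CSV_BYTES = 20 * 1024 * 1024        # Console rejects custom-feed CSVs above 20 MB
MD5_RE = re.compile(r"[0-9a-f]{32}")   # lowercase hex, as in the examples above


def md5_of(data: bytes) -> str:
    """Hex MD5 of file contents; here it is only the lookup key the feed uses, not a security primitive."""
    return hashlib.md5(data).hexdigest()


def build_hash_feed(entries):
    """entries: iterable of (file_bytes, description) -> CSV text with the 'md5,name' header."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["md5", "name"])
    for content, name in entries:
        w.writerow([md5_of(content), name])
    return buf.getvalue()


def build_ip_feed(addresses):
    """addresses: iterable of IP strings -> CSV text with the 'ip' header; a malformed address raises ValueError."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ip"])
    for addr in addresses:
        w.writerow([str(ipaddress.ip_address(addr.strip()))])
    return buf.getvalue()


def validate_feed(text, expected_header):
    """Pre-import checks mirroring the rules above. Returns a list of problems; [] means ready to upload."""
    problems = []
    if len(text.encode("utf-8")) > MAX_CSV_BYTES:
        problems.append("file exceeds 20 MB")
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != expected_header:
        return problems + [f"first line must be the header {','.join(expected_header)}"]
    seen = set()
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(expected_header) or not row[0]:
            problems.append(f"line {n}: expected {len(expected_header)} field(s)")
        elif expected_header[0] == "md5" and not MD5_RE.fullmatch(row[0]):
            problems.append(f"line {n}: {row[0]!r} is not a 32-hex-digit MD5")
        elif row[0] in seen:
            problems.append(f"line {n}: duplicate entry {row[0]}")
        seen.add(row[0])
    return problems
```

Run `validate_feed(text, ["md5", "name"])` or `validate_feed(text, ["ip"])` on the file you are about to upload; an empty list means the header, field layout, size and uniqueness match what Console expects.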
Allowing CVEs globally
Some organizations have very sophisticated CI pipelines that encompass many teams and products.
When your security team concludes that a CVE doesn’t impact the organization, they want to dismiss it globally without having to manage individual rules or exceptions.
The CVE Allow List lets you allow CVEs system-wide.
Any entry in the CVE Allow List affects all flows in the product, including twistcli, the Jenkins plugin, registry scanning, deployment blocking, Vulnerability Explorer, and so on.
Adding a CVE to this list effectively filters it out from the data in the Prisma Cloud Intelligence Stream before it’s used by the scanner.
The CVE Allow List takes precedence over any rule that has been created under Defend > Vulnerabilities.
It is a feature designed to complement rules.
Rules also let you allow a CVE, but more granularly, by scoping them to specific resources or parts of your environment.
- Open Console.
- Go to Manage > System > Custom Feeds.
- Click CVE Allow List, and either click Add CVE or Import CSV. You can set an expiration date for the CVE if you want a time limit after which it is no longer allowed.
Test Prisma Cloud malware detection capabilities
Safely simulate malware in your environment to test the malware detection capabilities on Prisma Cloud.
Configure a custom malware feed
Set up a custom feed by uploading the provided CSV file to Prisma Cloud Console.
This file specifies the MD5 signature for a file that will be considered malware for the purposes of this demo.
- Download malware.csv.
- In Console, go to Manage > System > Custom Feeds > Malware Signatures.
- Click Import CSV, and upload malware.csv.
Detect malware at runtime
Test how Prisma Cloud detects malware being downloaded into a container at runtime.
Prerequisites: the default runtime rule, Default - alert on suspicious runtime behavior, under Defend > Runtime > Container Policy is in place.
If you have deleted or changed the default rule, create a new one:
- Go to Defend > Runtime > Container Policy, and click Add rule.
- Enter a name for the rule.
- In the General tab, verify Prisma Cloud Advanced Threat Protection is On.
- In each of the Process, Networking, File System, and System Calls tabs, set Effect to Alert.
- Run a container and download the test file into it:
    $ docker run -ti alpine sh
    / # wget https://cdn.twistlock.com/docs/attachments/evil
- Look at the resulting audit. Open Console and browse to Monitor > Events > Container Audits. You will see a file system audit that says malware was detected.