Create a Policy on Prisma Cloud
Create a custom policy to meet your specific needs for compliance or monitoring of cloud resources.
Create a custom policy with remediation rules that are tailored to meet the requirements of your organization. When creating a new policy, you can either build the query using RQL or use a saved search to automatically populate the query you need to match on your cloud resources. If you want to enable auto-remediation, Prisma Cloud requires write access to the cloud platform to successfully execute the remediation commands.
You can create three types of policies:
- Config—Configuration policies monitor your resource configurations for potential policy violations.
- Network—Network policies monitor network activities in your environment.
- Event—Event policies monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk.
When creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the Investigate tab, they are ignored when used in a custom policy.
- Select Policies and click + Add New.
- Enter a Policy Name and Severity and optionally a Description and Labels, and click Next.
- Build the query to define the match criteria for your policy by using a New Search or a Saved Search, and click Next. If you are building a Query using a New Search, you can select from predefined options to build the query. Keep in mind that Config queries used in a policy must have some mandatory attributes: at a minimum, api.name in conjunction with json.rule, or hostfinding.type, or two api.name attributes joined by a filter attribute. For example:
    config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
    config where hostfinding.type = 'Host Vulnerability'
    config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
- Associate compliance standards with your policy.
- Choose the compliance Standard, Requirement, and Section.
- Click + to add more standards as required and click Next.
- Enter details in the remediation section if you want your policy violation alerts to be automatically remediated.
- Enter steps to remediate your policy in Recommendation for Remediation.
- Enter command line remediation commands in CLI Remediation. The parameters that you can use to create remediation commands are displayed on the interface as CLI variables:
- $account—Account is the Account ID of your account in Prisma Cloud.
- $gcpzoneid—(GCP only) Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
- $azurescope—(Azure only) Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
- $region—Region is the name of the cloud region to which the resource belongs.
- $resourceid—Resource ID is the identification of the resource that triggered the alert.
- $resourcegroup—(Azure only) Resource Group identifies the Azure Resource Group Name for the resource that triggered the alert.
- $resourcename—Resource name is the name of the resource that triggered the alert.
- Click Validate syntax to validate the syntax of your code.
- Click Save. All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.
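To check a saved search against the minimum-attribute rules from the query step, and a CLI remediation command against the documented variable list, before pasting either into the policy form, here is an added example (not Prisma Cloud's own code or API) that lints an RQL string offline. The three example queries above pass; a query carrying cloud.account, or a command with a misspelled variable, is flagged.

```python
import re

# Attributes the page says are ignored when used in a custom policy.
IGNORED_ATTRS = ("cloud.account.group", "cloud.account", "cloud.region")
# CLI variables listed in the remediation step above.
CLI_VARS = {"account", "gcpzoneid", "azurescope", "region",
            "resourceid", "resourcegroup", "resourcename"}

def split_statements(rql):
    """Split RQL on ';' while leaving ';' inside quoted strings intact."""
    stmts, buf, quote = [], [], None
    for ch in rql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    return stmts + ([tail] if tail else [])

def lint_config_query(rql):
    """Return findings for a Config RQL query; an empty list means it meets
    the minimum-attribute rules and carries none of the ignored attributes."""
    findings = []
    stmts = split_statements(rql)
    config = [s for s in stmts if s.lower().startswith("config where")]
    if not config:
        return ["query must begin with 'config where'"]
    api_name = sum(1 for s in config if re.search(r"\bapi\.name\s*=", s))
    json_rule = any(re.search(r"\bjson\.rule\s*=", s) for s in config)
    hostfinding = any(re.search(r"\bhostfinding\.type\s*=", s) for s in config)
    has_filter = any(s.lower().startswith("filter") for s in stmts)
    if not ((api_name >= 1 and json_rule) or hostfinding
            or (api_name >= 2 and has_filter)):
        findings.append("needs api.name with json.rule, or hostfinding.type, "
                        "or two api.name statements joined by a filter")
    for attr in IGNORED_ATTRS:  # ignored in policies, so they only mislead
        if re.search(r"\b" + re.escape(attr) + r"\s*=", rql):
            findings.append(f"{attr} is ignored in custom policies; remove it")
    return findings

def unknown_cli_variables(command):
    """Return $variables in a CLI remediation command that are not documented."""
    return sorted(v for v in re.findall(r"\$([A-Za-z_]\w*)", command)
                  if v not in CLI_VARS)
```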