Create a Policy on Prisma Cloud

Create a custom policy to meet your specific needs for compliance or monitoring of cloud resources.
Create a custom policy with remediation rules that are tailored to the requirements of your organization. When you create a new policy, you can either build the query in RQL or use a saved search to populate the query that matches your cloud resources. If you want to enable auto-remediation, Prisma Cloud requires write access to the cloud platform to execute the remediation commands successfully.
You can create three types of policies:
  • Config—Configuration policies monitor your resource configurations for potential policy violations.
  • Network—Network policies monitor network activities in your environment.
  • Event—Event policies monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events, such as root activities or configuration changes, that may put your cloud environment at risk.
When creating a custom policy, as a best practice do not include the cloud.account or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the
tab, they are ignored when used in a custom policy.
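The following shell script is an added example, not part of the Prisma Cloud documentation or product: a pre-flight lint you can run over an RQL string (for instance one copied from a saved search) before pasting it into a custom policy. It flags the cloud.account and cloud.region attributes that a custom policy ignores, and, for Config queries, checks that the query has one of the minimum shapes visible in the three example queries under step 3 below (a json.rule clause, a hostfinding.type clause, or at least two config clauses joined by a filter). The shape rules are inferred from those examples and are a heuristic; the query strings in the demo are constructed.

```sh
#!/bin/sh
# Added example (not Prisma Cloud code): lint an RQL query before using it in a
# custom policy. Scoping attributes (cloud.account, cloud.region) are reported
# because a custom policy ignores them; Config queries are checked for one of the
# minimum shapes seen in the page's example queries. Heuristic, not an RQL parser.

# count_matches "<text>" "<substring>" -> prints how often <substring> occurs
count_matches() {
  printf '%s' "$1" | awk -v needle="$2" '{ n += gsub(needle, "") } END { print n + 0 }'
}

# lint_policy_rql "<rql>" -> returns 0 if the query looks usable in a custom
# policy, 1 otherwise; every problem found is printed to stderr.
lint_policy_rql() {
  rql=$1
  problems=0

  # Filtering by account or region works when you run the search, but a custom
  # policy silently drops these attributes, so they belong in the saved search only.
  case $rql in
    *cloud.account*|*cloud.region*)
      echo "lint: cloud.account / cloud.region are ignored by custom policies; remove them from the RQL" >&2
      problems=$((problems + 1)) ;;
  esac

  # Config queries: require one of the shapes shown in the page's examples.
  case $rql in
    'config where'*)
      case $rql in
        *json.rule*|*hostfinding.type*) ;;          # single-clause shapes
        *filter*)                                   # multi-clause shape
          if [ "$(count_matches "$rql" 'config where')" -lt 2 ]; then
            echo "lint: a filter needs at least two 'config where' clauses to join" >&2
            problems=$((problems + 1))
          fi ;;
        *)
          echo "lint: config query has no json.rule, hostfinding.type or filter clause" >&2
          problems=$((problems + 1)) ;;
      esac ;;
    *) ;;   # Network and Event queries are not shape-checked by this example
  esac

  [ "$problems" -eq 0 ]
}

# Demo with constructed queries: the first mirrors the page's Azure example,
# the second is the same query with a region filter that a policy would ignore.
lint_policy_rql "config where cloud.type = 'azure' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1" \
  && echo "ok: query is usable in a custom policy"
lint_policy_rql "config where cloud.type = 'azure' AND cloud.region = 'eastus' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1" \
  || echo "fix the query before creating the policy"
```

Run it against each saved-search query you intend to promote to a policy; a non-zero exit means the RQL should be edited first.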
  1. Select
    and click
    +Add New
  2. Enter a
    Policy Name
    and optionally a
    and click
  3. Build the query to define the match criteria for your policy by using a
    New Search
    or a
    Saved Search
    and click
    If you are building a
    using a
    New Search
    , you can select from predefined options to build the query.
    Keep in mind that Config queries used in a policy should have some mandatory attributes. It should at a minimum have
    in conjunction with
    or it can have
    or it can have two
    attributes with a
    config where cloud.type = 'azure' AND = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
    config where hostfinding.type = 'Host Vulnerability'
    config where = 'aws-ec2-describe-internet-gateways' as X; config where = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
  4. Associate compliance standards with your policy.
    1. Choose the compliance
      , and
    2. Click
      to add more standards as required and click
  5. Enter details in the remediation section if you want your policy violation alerts to be automatically remediated.
    1. Enter steps to remediate your policy in
      Recommendation for Remediation
    2. Enter Command Line remediation commands in
      CLI Remediation
      You can enter up to 5 CLI commands, using a semicolon to separate the commands in the sequence. The commands are executed in the order defined in the policy; if a CLI command fails, execution stops at that command. The parameters that you can use in remediation commands are displayed on the interface as CLI variables:
      • $account—Account is the Account ID of your account in Prisma Cloud.
      • $gcpzoneid (GCP only)—Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
      • $azurescope (Azure only)—Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
      • $region—Region is the name of the cloud region to which the resource belongs.
      • $resourceid—Resource ID is the identifier of the resource that triggered the alert.
      • $resourcegroup (Azure only)—Resource Group identifies the Azure resource group name for the resource that triggered the alert.
      • $resourcename—Resource name is the name of the resource that triggered the alert.
    3. Click Validate syntax to validate the syntax of your code.
    4. Click
      All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.
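The script below is an added example and not Prisma Cloud's own remediation engine: a local dry run that models the CLI Remediation rules stated in step 5 (at most 5 semicolon-separated commands, executed in order, stopping at the first failure) so you can exercise a sequence before saving it into a policy. The alert values, the variable names it fills ($account, $region, $resourceid, $resourcename) and the echo commands standing in for a cloud CLI are constructed for the example. Because a resource name comes from the cloud account, the example shell-quotes every substituted value before execution, so a name containing a semicolon cannot add a command to the sequence.

```sh
#!/bin/sh
# Added example (not Prisma Cloud code): dry-run a CLI Remediation sequence the way
# the page describes it: up to 5 commands split on ';', run in order, stop on the
# first failure. CLI variables are filled from constructed alert values and quoted.

# Alert values, constructed for this example.
ACCOUNT='123456789012'
REGION='us-west-2'
RESOURCEID='i-0abc123def4567890'
RESOURCENAME='web-01'

# replace_all "<text>" "<needle>" "<replacement>": literal (non-regex) substitution
replace_all() {
  ra_s=$1
  ra_out=''
  while case $ra_s in *"$2"*) true ;; *) false ;; esac; do
    ra_out="$ra_out${ra_s%%"$2"*}$3"
    ra_s=${ra_s#*"$2"}
  done
  printf '%s' "$ra_out$ra_s"
}

# shell_quote "<value>": single-quote a value so the shell treats it as one literal word
shell_quote() {
  printf "'%s'" "$(replace_all "$1" "'" "'\\''")"
}

# substitute_vars "<command>": fill the CLI variables from the alert values.
# Substitution happens after the sequence is split, so a ';' inside a value
# stays inside its quotes instead of becoming a new command.
substitute_vars() {
  sv_c=$1
  sv_c=$(replace_all "$sv_c" '$account'      "$(shell_quote "$ACCOUNT")")
  sv_c=$(replace_all "$sv_c" '$region'       "$(shell_quote "$REGION")")
  sv_c=$(replace_all "$sv_c" '$resourceid'   "$(shell_quote "$RESOURCEID")")
  sv_c=$(replace_all "$sv_c" '$resourcename' "$(shell_quote "$RESOURCENAME")")
  printf '%s' "$sv_c"
}

# run_remediation "<cmd1; cmd2; ...>": returns 0 on success, 1 if a command
# failed (FAILED_AT holds its 1-based position), 2 if more than 5 commands.
# Blank segments, e.g. from a trailing ';', are ignored.
run_remediation() {
  FAILED_AT=0
  rr_old_ifs=$IFS
  set -f                        # no globbing while splitting on ';'
  IFS=';'
  set -- $1
  IFS=$rr_old_ifs
  set +f

  rr_n=0
  for rr_raw in "$@"; do
    case $rr_raw in *[![:space:]]*) rr_n=$((rr_n + 1)) ;; esac
  done
  if [ "$rr_n" -gt 5 ]; then
    echo "error: $rr_n commands in sequence, the limit is 5" >&2
    return 2
  fi

  rr_i=0
  for rr_raw in "$@"; do
    case $rr_raw in *[![:space:]]*) ;; *) continue ;; esac
    rr_i=$((rr_i + 1))
    rr_cmd=$(substitute_vars "$rr_raw")
    echo "[$rr_i/$rr_n] $rr_cmd"
    if ! sh -c "$rr_cmd"; then
      echo "error: command $rr_i failed; commands after it were not run" >&2
      FAILED_AT=$rr_i
      return 1
    fi
  done
  return 0
}

# Demo: echo stands in for a real cloud CLI so this runs offline.
run_remediation 'echo "stop $resourceid in $region for account $account"; echo "tag $resourcename remediated"'
run_remediation 'echo step1; false; echo "never reached"' \
  || echo "sequence halted at command $FAILED_AT"
```

Replace the echo commands with the real cloud CLI commands you plan to save in CLI Remediation, and keep a failing step in the middle of one trial sequence to confirm that the later steps do not run.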
