Create a Policy on Prisma Cloud

Create a custom policy to meet your specific compliance or monitoring needs for cloud resources.
A custom policy can carry remediation rules tailored to your organization's requirements. When you create a policy, you either build the query in RQL or use a saved search to populate the query that matches your cloud resources. If you want to enable auto-remediation, Prisma Cloud requires write access to the cloud platform to execute the remediation commands, so every CLI command attached to the policy runs against the resources that trigger its alerts with that access.
You can create three types of policies:
  • Config
    —Configuration policies monitor your resource configurations for potential policy violations.
  • Network
    —Network policies monitor network activities in your environment.
  • Event
    —Event policies monitor audit events in your environment for potential policy violations. Use them to flag sensitive events, such as root activity or configuration changes, that could put your cloud environment at risk.
When creating a custom policy, as a best practice do not include the cloud.account, cloud.account.group or cloud.region attributes in the RQL query. These attributes are useful for filtering the results you see on the Investigate tab, but they are ignored when used in a custom policy, so a query that looks scoped to one account or region actually matches resources across all of them. If a saved search includes these attributes, edit the RQL before you create a custom policy from it.
  1. Select Policies and click +Add New.
  2. Enter a Policy Name and Severity and, optionally, a Description and Labels, then click Next.
    (Figure: add-new-policy.png)
  3. Build the query that defines the match criteria for your policy, using either a New Search or a Saved Search, and click Next.
    If you build the Query with a New Search, you can select from predefined options to construct it.
    (Figure: build-query-for-policy.png)
    A Config query used in a policy must contain certain attributes. At a minimum it needs one of the following:
      • api.name together with json.rule
      • hostfinding.type
      • two api.name clauses joined by a filter
    For example:
    config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
    config where hostfinding.type = 'Host Vulnerability'
    config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
  4. Associate compliance standards with your policy.
    1. Choose the compliance Standard, Requirement, and Section.
    2. Click + to add more standards as required, then click Next.
  5. Fill in the remediation section if you want alerts for this policy to be remediated automatically.
    1. Enter the steps to remediate a violation in Recommendation for Remediation.
    2. Enter the command-line remediation commands in CLI Remediation.
      The parameters you can use in remediation commands are shown on the interface as CLI variables:
      • $account
        —The Account ID of the account in Prisma Cloud to which the resource belongs.
      • $gcpzoneid (GCP only)
        —The zone in the GCP project, folder, or organization where the resource is deployed.
      • $azurescope (Azure only)
        —The node in the Azure resource hierarchy where the resource is deployed.
      • $region
        —The name of the cloud region to which the resource belongs.
      • $resourceid
        —The ID of the resource that triggered the alert.
      • $resourcegroup (Azure only)
        —The name of the Azure Resource Group of the resource that triggered the alert.
      • $resourcename
        —The name of the resource that triggered the alert.
    3. Click Validate syntax to check the syntax of your commands.
    4. Click Save.
      All System Administrators and Account Administrators are notified whenever the CLI commands of a policy change. Review those notifications: the commands run against your cloud accounts with the write access granted to Prisma Cloud.
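As an added example (not Prisma Cloud's own code or API), the following Python script encodes the rules from the steps above so a policy draft can be checked locally before it is pasted into the console: the minimum attributes a Config query must carry, the cloud.account / cloud.account.group / cloud.region attributes that a policy ignores, and the documented CLI variables with their provider restrictions. The function names, regular expressions and the sample alert values are assumptions made for illustration; the three RQL queries are the ones shown in step 3.

```python
"""Pre-flight checks for a Prisma Cloud custom policy draft.

Added example, not Prisma Cloud's own code or API. It encodes the rules stated
on the documentation page so a draft can be checked before it is pasted into
Policies > Add New. Regexes, function names and the sample alert are
assumptions made for illustration.
"""
import re
import shlex

# Attributes the page says are ignored when they appear in a policy query.
IGNORED_IN_POLICY = ("cloud.account", "cloud.account.group", "cloud.region")

# CLI variables listed on the page, mapped to the provider they are limited to
# (None = usable for any cloud type).
CLI_VARIABLES = {
    "$account": None, "$region": None, "$resourceid": None, "$resourcename": None,
    "$gcpzoneid": "gcp", "$azurescope": "azure", "$resourcegroup": "azure",
}


def config_query_problems(rql: str) -> list[str]:
    """Reasons a Config query does not meet the minimum-attribute rule."""
    if not re.match(r"\s*config\s+where\b", rql, re.I):
        return ["not a Config query"]
    api_names = len(re.findall(r"\bapi\.name\s*=", rql))
    has_json_rule = re.search(r"\bjson\.rule\s*=", rql) is not None
    has_hostfinding = re.search(r"\bhostfinding\.type\s*=", rql) is not None
    has_filter = re.search(r"\bfilter\s+'", rql) is not None
    if (api_names >= 1 and has_json_rule) or has_hostfinding \
            or (api_names >= 2 and has_filter):
        return []
    return ["query needs api.name with json.rule, or hostfinding.type, "
            "or two api.name clauses joined by a filter"]


def ignored_attributes(rql: str) -> list[str]:
    """Scoping attributes present in the query that a policy will silently ignore."""
    found = []
    for attr in IGNORED_IN_POLICY:
        # '=' or 'in' must follow directly, so cloud.account does not match cloud.account.group
        if re.search(rf"\b{re.escape(attr)}\s*(?:=|in\b)", rql, re.I):
            found.append(attr)
    return found


def remediation_problems(template: str, cloud_type: str) -> list[str]:
    """Variables in a CLI Remediation template that are undocumented or wrong for the provider."""
    problems = []
    for var in sorted(set(re.findall(r"\$[a-z]+", template))):
        if var not in CLI_VARIABLES:
            problems.append(f"{var} is not a documented CLI variable")
        elif CLI_VARIABLES[var] not in (None, cloud_type):
            problems.append(f"{var} only applies to {CLI_VARIABLES[var]}")
    return problems


def render_remediation(template: str, alert: dict) -> str:
    """Expand the template with values from an alert, shell-quoting each one.

    Resource names and tags are chosen by whoever controls the cloud account,
    so each value is quoted rather than spliced in raw: a name such as
    "x; echo injected" must remain a single argument of the command.
    """
    def substitute(match: re.Match) -> str:
        return shlex.quote(str(alert[match.group(0)]))
    return re.sub(r"\$[a-z]+", substitute, template)


if __name__ == "__main__":
    # The three Config queries shown on the page.
    queries = [
        "config where cloud.type = 'azure' AND api.name = 'azure-network-usage' "
        "AND json.rule = StaticPublicIPAddresses.currentValue greater than 1",
        "config where hostfinding.type = 'Host Vulnerability'",
        "config where api.name = 'aws-ec2-describe-internet-gateways' as X; "
        "config where api.name = 'aws-ec2-describe-vpcs' as Y; "
        "filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key "
        "contains IsConnected and $.Y.tags[*].value contains true'; show Y;",
    ]
    for q in queries:
        print(config_query_problems(q) or "ok", ignored_attributes(q) or "no ignored attrs")

    # Constructed sample alert (assumed field values, not real data).
    alert = {"$account": "123456789012", "$region": "us-east-1",
             "$resourceid": "sg-0abc123; echo injected", "$resourcename": "web-sg"}
    template = "aws ec2 delete-security-group --group-id $resourceid --region $region"
    print(remediation_problems(template, "aws") or "variables ok")
    print(render_remediation(template, alert))
```

Run it directly to see the three page queries pass the check and a constructed AWS remediation template rendered with a resource ID that contains a shell metacharacter; shlex.quote keeps that value a single argument. How Prisma Cloud itself substitutes variables is not documented on this page, so treat the quoting as a local precaution while drafting, not as a description of the product.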
