Create a Policy on Prisma Cloud
Create a custom policy to meet your specific needs for
compliance or monitoring of cloud resources.
Create a custom policy with remediation rules
that are tailored to meet the requirements of your organization.
When creating a new policy, you can either build the query using RQL or you use a saved
search to automatically populate the query you need to match on
your cloud resources. If you want to enable auto-remediation, Prisma
Cloud requires write access to the cloud platform to successfully
execute the remediation commands.
You can create three types
of policies:
- Config—Configuration policies monitor your resource configurations for potential policy violations.
- Network—Network policies monitor network activities in your environment.
- Event—Event policies monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk.
When creating a custom policy, as a best
practice do not include cloud.account, cloud.account.group or cloud.region
attributes in the RQL query. If you have a saved search that includes
these attributes, make sure to edit the RQL before you create a
custom policy. While these attributes are useful to filter the results
you see on the
Investigate
tab, they are
ignored when used in a custom policy. - SelectPoliciesand click+Add New.
- Enter aPolicy NameandSeverityand optionally aDescriptionandLabelsand clickNext.
- Build the query to define the match criteria for your policy by using aNew Searchor aSaved Searchand clickNext.If you are building aQueryusing aNew Search, you can select from predefined options to build the query.
Keep in mind that Config queries used in a policy should have some mandatory attributes. It should at a minimum haveapi.namein conjunction withjson.ruleor it can havehostfinding.typeor it can have twoapi.nameattributes with afilterattribute.config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1config where hostfinding.type = 'Host Vulnerability'config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y; - Associate compliance standards with your policy.
- Choose the complianceStandard,Requirement, andSection.
- Click+to add more standards as required and clickNext.
- Enter details in the remediation section if you want your policy violation alerts to be automatically remediated.
- Enter steps to remediate your policy inRecommendation for Remediation.
- Enter Command Line remediation commands inCLI Remediation.You can up to 5 CLI commands, and use a semi-colon to separate the commands in the sequence. The sequence is executed in the order defined in policy, and if a CLI command fails, the execution stops at that command.The parameters that you can use to create remediation commands are displayed on the interface as CLI variables:
- $account—Account is the Account ID of your account in Prisma Cloud.
- $gcpzoneid—(GCP only)Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
- $azurescope—(Azure only)Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
- $region—Region is the name of the cloud region to which the resource belongs.
- $resourceid—Resource ID is the identification of the resource that triggered the alert.
- resourcegroup—(Azure only)Resource Group identifies the Azure Resource Group Name for the resource that triggered the alert.
- $resourcename—Resource name is the name of the resource that triggered the alert.
- ClickValidate syntaxto validate the syntax of your code.
- ClickSave.All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.