Create a Policy on Prisma Cloud

Create a custom policy to meet your specific needs for compliance or monitoring of cloud resources.
Create a custom policy with remediation rules that are tailored to the requirements of your organization. When creating a new policy, you can either build the query using RQL or use a saved search to automatically populate the query that matches your cloud resources. For Prisma Cloud DevOps Security, you can also create configuration policies to scan the Infrastructure as Code (IaC) templates used to deploy cloud resources. Policies that scan IaC templates use a JSON query instead of RQL.
If you want to enable auto-remediation, Prisma Cloud requires write access to the cloud platform to successfully execute the remediation commands.
You can create three types of policies:
  • Config
    —Configuration policies monitor your resource configurations for potential policy violations. Configuration policies on Prisma Cloud can be of two sub-types—Build and Run—to enable a layered approach. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not make their way into production. The Run policies monitor resources and check for potential issues once these cloud resources are deployed. See Create a Configuration Policy.
  • Network
    —Network policies monitor network activities in your environment. See Create a Network or Audit Event Policy.
  • Audit Event
    —Event policies monitor audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk. See Create a Network or Audit Event Policy.

Create a Configuration Policy

Use these instructions to add a custom configuration policy for checking resources in the build or run phase of your application lifecycle. Because building the rules takes practice, before you start, review a few Prisma Cloud default policies directly in the administrative console and study the query format used in their rules.
  1. Select
    Policies
    and click
    New Policy
    Config
    .
  2. Enter a
    Policy Name
    .
    You can optionally add a
    Description
    and
    Labels
    .
  3. Select the policy subtype and click
    Next
    .
    You can choose one or both of the policy subtypes:
    Run
    subtype enables you to scan cloud resources that are already deployed on a supported cloud platform.
    Build
    subtype enables you to scan IaC templates—Terraform, CloudFormation, Kubernetes manifest—that are used to deploy cloud resources.
  4. Select the
    Severity
    for the alert that will be generated on a policy violation and click
    Next
    .
  5. Build the query to define the match criteria for your policy.
    1. Add a rule for the
      Run
      phase.
      The Configuration—Run policies use RQL. If you are using a
      Saved Search
      , you can select from predefined options to auto-populate the query. For building a
      New Search
      , enter
      config where
      and use the auto-suggestion to select the available attributes and complete the query.
      Config queries require certain mandatory attributes. At a minimum, a query must have
      api.name
      together with
      json.rule
      , or it can have
      hostfinding.type
      , or it can have two
      api.name
      attributes joined by a
      filter
      attribute, as in the following examples:
      config where cloud.type = 'azure' AND api.name = 'azure-network-usage' AND json.rule = StaticPublicIPAddresses.currentValue greater than 1
      config where hostfinding.type = 'Host Vulnerability'
      config where api.name = 'aws-ec2-describe-internet-gateways' as X; config where api.name = 'aws-ec2-describe-vpcs' as Y; filter '$.X.attachments[*].vpcId == $.Y.vpcId and $.Y.tags[*].key contains IsConnected and $.Y.tags[*].value contains true'; show Y;
      When creating a custom policy, as a best practice do not include cloud.account, cloud.account.group or cloud.region attributes in the RQL query. If you have a saved search that includes these attributes, make sure to edit the RQL before you create a custom policy. While these attributes are useful to filter the results you see on the
      Investigate
      tab, they are ignored when used in a custom policy.
    2. Add a rule for the
      Build
      phase.
      If your policy will include both Run and Build checks, and you have added the RQL query, your cloud type for the build rule is automatically selected. It is based on the cloud type referenced in the RQL query.
      1. Select the
        Template Type
        you want to scan—CloudFormation, Kubernetes, or Terraform. You can add one or more types.
        For scanning Terraform templates, you must select the Cloud Type and the Terraform version. Terraform versions 0.11 and 0.12 are supported.
      2. Add the JSON query that specifies the properties or objects for which you want to apply policy checks.
      3. (
        Optional
        ) Upload a file to validate the JSON query.
        You can upload a single file or a .zip file. In addition, you can include a variable name and value to pass to the sample file and verify that the build rule works before you save the policy. For example, if you want to check whether EC2 instances include tags to identify the owner, the variables enable you to quickly validate against the sample template you attached.
  6. Add the compliance standards to your policy.
    1. Choose the compliance
      Standard
      ,
      Requirement
      , and
      Section
      .
    2. Click
      +
      to add more standards as required and click
      Next
      .
  7. Enter details in the remediation section, if you want to automatically remediate alerts on a policy violation.
    1. Select
      Run
      or
      Build
      .
      Build phase policies do not support CLI remediation. You can however add instructions for manually fixing the issue in the
      Recommendation for Remediation
      .
    2. (
      Configuration—Run policies only
      ) Enter Command Line remediation commands in
      CLI Remediation
      .
      CLI remediation is available for
      config where
      queries only. You can add up to 5 CLI commands, separated by semicolons, in the order in which they should run. The sequence is executed in the order defined in the policy, and if a CLI command fails, execution stops at that command. The parameters you can use in remediation commands are displayed on the interface as CLI variables. A syntax example is:
      gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; gsutil versioning set off gs://${resourceName};
      The variables available in custom policies are:
      • $account
        —Account is the Account ID of your account in Prisma Cloud.
      • $azurescope
        (Azure only)
        Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
      • $gcpzoneid
        (GCP only)
        Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
      • $region
        —Region is the name of the cloud region to which the resource belongs.
      • $resourcegroup
        (Azure only)
        Allows you to specify the name of the Azure Resource Group that triggered the alert.
      • $resourceid
        —Resource ID is the identification of the resource that triggered the alert.
      • $resourcename
        —Resource name is the name of the resource that triggered the alert.
    3. Click
      Validate syntax
      to validate the syntax of your code.
      If you would like to see an example of the CLI syntax in the default remediable policies on Prisma Cloud, clone any existing policy and edit it.
      The default policies include additional variables that are restricted for use in default policies only, and are not supported in custom policies. Syntax validation displays an error if you use the restricted variables.
    4. Click
      Save
      .
      All your System Administrators and Account Administrators are notified when there is a change to the CLI commands.
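The remediation rules above (at most five semicolon-separated commands, executed in order and stopped at the first failure, using only the documented ${...} variables) are easy to get wrong before you reach Validate syntax. The following Python script is an added example, not Prisma Cloud code, that applies those rules to a remediation string offline and renders it against constructed sample alert values. It assumes the cloud-specific variables split as the page's "(Azure only)" and "(GCP only)" notes suggest (azurescope and resourcegroup for Azure, gcpzoneid for GCP) and, because the page's syntax example writes ${resourceName} while its variable list writes $resourcename, compares variable names case-insensitively. The dry-run runner that fails on gsutil is a stand-in for a real CLI, so nothing is executed against a cloud account.

```python
"""Offline pre-check for a Prisma Cloud custom CLI remediation string.

Added example, not Prisma Cloud code. It applies the rules this page states:
at most 5 semicolon-separated commands, run in order and stopped at the first
failing command, using only the ${...} variables documented for custom policies.
The per-cloud variable split and the case-insensitive name match are assumptions.
"""
import re
import shlex
from typing import Callable, Dict, List

MAX_COMMANDS = 5

# Variables documented on this page for custom policies.
COMMON_VARS = {"account", "region", "resourceid", "resourcename"}
# Assumption: cloud-specific variables follow the "(Azure only)" / "(GCP only)" notes.
CLOUD_VARS = {
    "aws": set(),
    "azure": {"azurescope", "resourcegroup"},
    "gcp": {"gcpzoneid"},
}
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# The page's own syntax example.
GCP_TEMPLATE = ("gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; "
                "gsutil versioning set off gs://${resourceName};")

# Constructed alert values, not from a real tenant.
SAMPLE_ALERT = {
    "account": "example-project-123456",
    "region": "us-central1",
    "resourceid": "projects/example-project-123456/global/firewalls/allow-all",
    "resourcename": "allow-all",
}


def split_commands(template: str) -> List[str]:
    """Split the sequence on ';' and drop the empty entry a trailing ';' leaves behind."""
    return [c.strip() for c in template.split(";") if c.strip()]


def check_template(template: str, cloud: str) -> List[str]:
    """Return the problems found (an empty list means the template passes the page's rules)."""
    problems: List[str] = []
    cmds = split_commands(template)
    if not cmds:
        problems.append("no commands")
    elif len(cmds) > MAX_COMMANDS:
        problems.append(f"{len(cmds)} commands, limit is {MAX_COMMANDS}")
    allowed = COMMON_VARS | CLOUD_VARS.get(cloud, set())
    # Assumption: ${resourceName} in the page's example and $resourcename in its
    # variable list are the same variable, so names are compared case-insensitively.
    for name in sorted({m.group(1) for m in VAR_RE.finditer(template)}):
        if name.lower() not in allowed:
            problems.append(f"variable ${{{name}}} is not available to custom {cloud} policies")
    return problems


def render(template: str, values: Dict[str, str]) -> List[str]:
    """Substitute every ${var} from the alert values and return the rendered command list."""
    lowered = {k.lower(): v for k, v in values.items()}
    # A missing value raises KeyError rather than silently leaving the placeholder in place.
    return [VAR_RE.sub(lambda m: lowered[m.group(1).lower()], c)
            for c in split_commands(template)]


def run_sequence(commands: List[str], runner: Callable[[List[str]], int]) -> List[str]:
    """Run commands in order and stop at the first non-zero exit, as the page says the
    console does. Returns the commands that were actually attempted."""
    attempted: List[str] = []
    for cmd in commands:
        attempted.append(cmd)
        if runner(shlex.split(cmd)) != 0:
            break
    return attempted


def dry_run(argv: List[str]) -> int:
    """Stand-in for a real CLI: every gsutil call 'fails' so the stop-on-failure path is visible."""
    return 1 if argv[0] == "gsutil" else 0


if __name__ == "__main__":
    print("problems:", check_template(GCP_TEMPLATE, "gcp") or "none")
    print("problems (resourcegroup on AWS):",
          check_template("az network nsg delete --ids ${resourceid}; az group show -n ${resourcegroup}", "aws"))
    rendered = render(GCP_TEMPLATE + " gsutil lifecycle get gs://${resourceName}", SAMPLE_ALERT)
    for cmd in run_sequence(rendered, dry_run):
        print("attempted:", cmd)
```

Running the script shows the page's example passing the checks, the Azure-only ${resourcegroup} being rejected for an AWS policy, and a three-command sequence stopping after the second command because the stand-in gsutil call fails; the third command is never attempted, which is why remediation sequences should put the command most likely to fail first rather than leave a partially remediated resource.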

Create a Network or Audit Event Policy

Use the following instructions to add a custom Network or Audit Event policy on Prisma Cloud.
  1. Select
    Policies
    and click
    New Policy
    .
  2. Select
    Audit Event
    or
    Network
    .
  3. Enter a
    Policy Name
    and
    Severity
    .
  4. Add an optional
    Description
    and
    Labels
    before you click
    Next
    .
  5. Build the query to define the match criteria for your policy by using a
    New Search
    or a
    Saved Search
    and click
    Next
    .
    If you are using a
    Saved Search
    , you can select from the list of predefined options to auto-populate the query. The
    Select Saved Search
    drop-down displays the RQL for saved searches that match the policy type you selected in Step 2 above.
    For building a
    New Search
    , the RQL query must begin with
    event where
    for an Audit Event policy or
    network where
    for a Network policy. You can then use the auto-suggestion to select the available attributes and complete the query.
  6. Select the compliance standards for your policy.
    1. Choose the compliance
      Standard
      ,
      Requirement
      , and
      Section
      .
    2. Click
      +
      to add more standards as required and click
      Next
      .
  7. (
    Optional
    ) Provide a
    Recommendation for Remediation
    .
    CLI commands to enable automatic remediation are not supported on Audit Event or Network policies.
  8. Save
    the policy.
