Manage Prisma Cloud Policies
Learn how to select Prisma Cloud policies.
Prisma Cloud policies enable you to monitor and manage potential misconfiguration or risks across your cloud infrastructure. You can use the graphs and tables on
Policies
to assess your policy coverage and utilization of policies.To help you find the relevant policies based on your role, you can interact with graphs or add filters such as Policy Category, Class, Type, and Subtype and use
Group By
to aggregate policies using criteria that is important to you.The graphs help you visualize how many policies are enabled as a number or as a percentage of the total, review the split across different policy types, how many policies of different severities are identified in your infrastructure, and gain greater context on the policy category and Prisma Cloud versus custom policies that are generating alerts.
The
Attack Path
policies are OOTB policies, which identify the confluence of issues that increase the likelihood of a security breach and are based on relationships such as identities, permissions, networking, and infrastructure configuration that would enable an attacker to target an application. These are enabled by default and are also part of the default alert rule based on the prisma_cloud policy label.Policies are in the categories of incidents and risks. An incident is likely a policy that identifies a potential security issue, while a risk is one that checks for risky configurations. The policy type indicates whether the check is performed against the network logs, audit logs, configuration logs, or user activity logs. Each policy type has subtypes for more granularity, for example, Anomaly policies are split into two subtypes—Network and UEBA. Class is another way to logically group policies into buckets such as Misconfiguration or Privileged Activity Monitoring.
Category | Class | Type | Subtype |
Incident | Behavioral | Anomaly | UEBA |
Behavioral | Anomaly | Network | |
Behavioral | Anomaly | DNS | |
Privileged Activity Monitoring | Audit Event | Audit | |
Network Protection | Network | Network Event | |
Runtime | Workload | Run | |
Risk | Misconfiguration | Config | Run |
Misconfiguration | Config | Build | |
Misconfiguration | Data | Data Classification | |
Vulnerability | Data | Malware | |
Vulnerability | Workload | Run |
Use the following workflows to manage your Prisma Cloud policies. You can download policy data, clone, enable, delete, or disable policies from the
Policies
page.- To enable global settings for Prisma Cloud default policies click Settings
and select Enterprise Settings.While some high severity policies are enabled to provide the best security outcomes, by default, policies of medium or low severity are in a disabled state - To enable policies based on severity, selectAuto enable new default policies of the type—Critical, High, Medium, Low or Informational. Based on what you enable, Prisma Cloud will scan your resources in the onboarded cloud accounts against policies that match the severity and generate alerts.For Anomaly policies, you have more customizable settings, see Define Prisma Cloud Enterprise and Anomaly Settings .
When youSaveyour changes, you can choose one of the following options:- Enable and Save—With Enable and Save, you are enabling all existing policies that match your selection criteria and new Prisma Cloud default policies that are periodically added to the service. This option allows you to enable and scan your resources against all existing and new policies to help you stay ahead of threats and misconfigurations.
- Save—With Save, you are saving your selection criteria and enabling new Prisma Cloud default policies only as they are periodically added to the service. New policies that match your selection, are automatically enabled and your resources are scanned against them after you made the change.
- Note the following behavior:If you enable policies of a specific severity, when you then clear the checkbox, the policies that were enabled previously are not disabled; going forward, policies that match the severity you cleared are no longer enabled to scan your cloud resources and generate alerts.
- The audit logs include a record of all activities performed or initiated on Prisma Cloud. To view the audit logs click Settings
and select Audit Logs.
- To view policies, selectPolicies.
- Enable visualizations and change the display as a value or percentage.Use the ellipsis to toggle your preference.
- Add Filtersand select the filtering criteria.The filters enable you to narrow the search results on the page. The values you select within a filter use the AND operator to display results. Across different filters, the selected values work as OR operators. In the table view, you can also use theGroup Byto aggregate policies using criteria that is important to you.
To find all Prisma Cloud policies of a specificPolicy Subtype, when you select the valuesBuildandRun, you can view all policies that are classified as Build policies OR Run policies. To find all policies that are classified as Build and Run, you must select the filter valueBuild, Run. - Downloadthe details of your policies (or a filtered set of policies) in CSV format so that you can have an offline copy.
- Take action on policies.
- To enable or disable any policy toggle theStatus.
- To edit a custom policy, click the policy and you can edit the details.You cannot edit or delete a Prisma Cloud Default policy.
- To clone a policy, select the policy and clickClone.Cloning a policy is creating a copy of an existing policy. Cloning serves as a quick method of creating a new policy if you choose to change few details of the source policy.Prisma Cloud comes with default policies. If you want to modify any details, you can clone a policy and then modify details.
- ViewAlertsassociated with a policy.
