Release 2.10

May 13, 2024

What’s New?

TotalCloud 2.10 brings updates to Insights, CDR, mandates, and controls. 

Common Features

Common features introduced to the TotalCloud application in this release.

Added Support of TruRisk Insights for Azure

With this release, we have extended the support for TruRisk Insights to Azure resources. Now, you can prioritize your critical threats based on the Insight findings. The Insight findings expand upon the risks involved with the threats and remediation methods to help you swiftly secure your Azure environment.

You can use the newly introduced Provider token to filter Azure findings.

Integrated Qualys Network Passive Sensor (NPS) with CDR Threat Sensor

With this release, we have integrated the AWS CDR threat sensor with Qualys network passive sensor. This integrations empowers CDR to achieve better management and secure control channel with Qualys Platform’s Security standards. Furthermore, you can find these improvements with CDR.

  • Qualys approves OS Oracle Linux version 8.0.
  • Improved di-sectors for network findings. 
  • CDR is now a FedRAMP-ready appliance.

With the addition of NPS, there are significant changes to the deployment of a threat scanners and setting up CDR. These changes would only impact new CDR deployment, existing deployments are not impacted.

For customers with existing deployments, you can find an AWS (Legacy) tab under the Threat Scanners tab to manage current deployments. The new AWS tab can run new deployments. The downloadable packages and CDR setup instructions have changed for the new deployments.

You can learn more about the changes in the deployment steps on the TotalCloud Online Help.

Amazon Web Services

Added Resources for Cloud Identity Entitlement Management (CIEM)

With this release, we have added new AWS Inventory resources to enable CIEM. These resources can help manage access and identities across your AWS environment. With CIEM, you can ensure that permissions granted to the identities in your cloud follow the principle of least privilege. 

New Resources Introduced

The following are the newly introduced resources in the TotalCloud App.

Added Support for Gateway Load Balancers (GWLB) to AWS CDR

With this release, we are also introducing support for running Gateway Load Balancer endpoints for your CDR deployments. With GWLB support, you can obtain the high-availability, network load balancing and auto-scaling of Network Load Balancer (NLB) along with ensuring single traffic mirror session for the VPCs of all your accounts. You can save significant time from having to set up traffic mirroring on all your networks by setting up a GWLB.

New Insights

With this release, we have introduced support for new insight findings. These findings can greatly improve your threat prioritization.

CID Cloud Provider Insight Title
5000 Azure Public VM with TruRisk score > 800
5002 Azure Public VM with vulnerability type confirmed
5005 Azure Suspicious communication on public VM
5015 Azure Public VM with vulnerability detected in last 7 days
5017 Azure Public VM with a critical exploitable vulnerability

5019 

AWS

Critical exploitable vulnerability on Public VM with administrative privilege 

5020

AWS

Publicly exposed VM with critical exploitable vulnerability has a risk of privilege escalation

5021

AWS

Suspicious communication on Publicly exposed VM with full access to RDS 

5022

AWS

Critical exploitable vulnerability on public VM with destructive permissions for AWS KMS

5023

AWS

Risk of cloud log tampering on public VM with successful SSH brute-forcing

5024

AWS

Public Serverless Function with administrative privilege

5025

AWS

Public VM with the privilege to create IAM artifacts

5026

AWS

Risk of security group tampering on public and vulnerable VM with 'write' permission over security groups

5027

AWS

Malware detected on public and vulnerable VM with risky credential exposure permission 

5028

AWS

IAM User with privilege escalation or administrative privilege have console access with MFA not enabled

5029

AWS

Public VM with data destructive permissions 

5030

AWS

Public VM with elastic IP hijacking permissions

5031

AWS

Public VM allows access to decrypt secrets in Secrets Manager 

5032

AWS

Public VM with AWS Organization management permissions

5033

AWS

Data breach risk due to a public serverless function with RDS database SQL query execution permissions

5034

AWS

Security group tampering risk due to a public serverless function

New Tokens

With this release, we have introduced support for new tokens.

Provider and CID Tokens for Insights

You can find these tokens for finding Insights on the Insights tab.

Navigate to Insights and search for your required cloud provider.

Name

Description

Example

Provider

Displays Insight findings for AWS or Azure resources.

Provider: Azure
CID Displays Insights of the specific cloud resource CID CID: 5017

AWS CIEM Resource Tokens

You can find these tokens for these Resources on the Inventory tab.

Navigate to Inventory, select AWS and open any of the new CIEM Resources (IAM Users, IAM Group, IAM Role, IAM Policy, VPC Endpoint, VPC Endpoint Services) to use these tokens.

IAM Users

Name

Description

Example

iamuser.group.name Find IAM users with a certain group name

iamuser.group.name: Admin

iamuser.policy.arn Find Users with the Policy Amazon Resource Name (ARN) of interest. iamuser.policy.arn: 'arn:aws:iam::383031258652:user/LOCAL_1234'
iamuser.boundaryPolicy Find the IAM User based on the provided Boundary Policy iamuser.boundaryPolicy: DelegatedBoundaries
iamuser.accesskey.id Find the IAM User based on the provided Access Key ID iamuser.accesskey.Id: AKIAIOSFODNN7EXAMPLE

IAM Policy

Name

Description

Example

policy.type

Choose from the policy types AWS MANAGED, CUSTOMER MANAGED to find policies belonging to the specified type policy.type: CUSTOMER MANAGED
policy.subType Choose from the policy sub types GLOBAL, US_GOV to find policies belonging to the specified subtype
ID
policy.subType: GLOBAL

IAM Group

Name

Description

Example

group.managedPolicy.arn Find groups based on their policy ARN

group.managedPolicy.arn: aws-policy

group.inlinePolicy.policyName Find groups based on their Inline policy name group.inlinePolicy.policyName: inline-aws-policy

IAM Role

Name

Description

Example

path

Find roles based on their path path: "/"
role.lastActivity.lastUsedDate Use a date range or specific date to find when the role was used. role.lastActivity.lastUsedDate:[2018-01-01 ... 2018-03-01]

VPC Endpoint

Name

Description

Example

vpcendpoint.vpc Find VPC Endpoints by providing VPC ID vpcendpoint.vpc: vpc-7b955c06
vpcendpoint.type Find VPC Endpoints by providing VPC types such as 'Interface', 'Gateway', and 'Gateway Load Balancer'. vpcendpoint.vpc: Interface
vpcendpoint.state Find VPC Endpoints by providing the state such as 'Available', 'Deleted', 'Deleting', and 'Pending'. vpcendpoint.state: Available
vpcendpoint.privatednsenabled Find VPC Endpoints with Private DNS Enabled. vpcendpoint.privatednsenabled: true
vpcendpoint.requestermanaged Find VPC Endpoints with VPC manage set to true/false. vpcendpoint.requestermanaged: true
vpcendpoint.ipaddresstype Find VPC Endpoints by providing the state as ipv4 or ipv6

vpcendpoint.ipaddresstype: ipv4

VPC Endpoint Services

Name

Description

Example

vpcendpointservice.type Find VPC Endpoints by providing VPC types such as 'Interface', 'Gateway', and 'Gateway Load Balancer'. vpcendpointservice.type: Interface
vpcendpointservice.ipaddresstype Find VPC Endpoints by providing the state as ipv4 or ipv6 vpcendpointservice.supportedIpAddressTypee:ipv4
vpcendpointservice.acceptancerequired Find VPC Endpoints with acceptance set to required vpcendpointservice.acceptancerequired: true
vpcendpointservice.owner Find VPC Endpoint service based on the VPC owner vpcendpointservice.owner:951386378875 

Updated Mandates

With this release, we bring updates to a mandate.

Doc ID Document Name Publisher Version
9685 The NIST Cybersecurity Framework (CSF)  National Institute of Standards and Technology (NIST)  2.0

Control Changes

Changes introduced to controls in this release.

Control Title Changes

AWS

 CID 

Old Title

New Title

2

Ensure console credentials unused for 90 days or greater are disabled

Ensure console credentials unused for 45 days or greater are disabled

14

Ensure no root account access key exists

Ensure no root user account access key exists

15

Ensure MFA is enabled for the root account

Ensure MFA is enabled for the root user account

50

Ensure IAM policies that allow full administrative privileges are not created

Ensure IAM policies that allow full *:* administrative privileges are not attached

55

Ensure auto minor version upgrade is enabled for a RDS Database Instance

Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances

433

Ensure EC2 Instances are using IAM Roles

Ensure IAM instance roles are used for AWS resource access from instances

Azure

 CID 

Old Title

New Title

50004

Ensure that Automatic provisioning of monitoring agent is set to On

Ensure that Auto provisioning of Log Analytics agent for Azure VMs is set to On

50015

Ensure that Azure Defender is set to On for Servers

Ensure that Microsoft Defender for Servers is set to On

50035

Ensure that Azure Active Directory Admin is configured for a SQL Server

Ensure that Microsoft Entra authentication is configured for SQL Servers

50050

Ensure that Register with Azure Active Directory is enabled on web App Service

Ensure that Register with Entra ID is enabled on App Service

50073

Ensure that no custom subscription owner roles are created

Ensure that no custom subscription Administrator Roles exist

50079

Ensure that Azure Defender is set to On for Azure SQL database servers

Ensure that Microsoft Defender for Azure SQL Databases is set to On

50080

Ensure that Azure Defender is set to On for App Service

Ensure that Microsoft Defender for App Services is set to On

50081

Ensure that Azure Defender is set to On for App Service

Ensure that Microsoft Defender for Storage is set to On

50099

Ensure that Azure Cosmos DB accounts have firewall rules

Ensure that Azure Cosmos DB accounts Firewalls and Networks is limited to use Selected Networks instead of All Networks

50140

Ensure that Azure Defender is set to On for Container Registries

[LEGACY] Ensure that Microsoft Defender is set to On for Container Registries

50141

Ensure that Azure Defender is set to On for Key Vault

Ensure that Microsoft Defender for Key Vault is set to On

50172

Ensure that Azure Defender is set to On for Open-Source Relational Databases

Ensure that Microsoft Defender for Open-NSource Relational Databases is set to On

50197

Ensure that Azure Defender for DNS is enabled

[LEGACY] Ensure that Microsoft Defender for DNS is set to On

50226

Ensure that Azure Defender for Resource Manager is enabled

Ensure that Microsoft Defender for Resource Manager is set to On

50231

Ensure that Azure Defender is set to On for SQL servers on machines

Ensure that Microsoft Defender for SQL Servers on Machines is set to On

50240

Ensure that PostgreSQL server has infrastructure encryption enabled

Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled

50360

Ensure that Azure Defender is set to On for Azure Cosmos DB

Ensure that Microsoft Defender for Azure Cosmos DB is set to On

New Controls in CIS Microsoft Azure Foundation Benchmark Policy

 CID 

Title

Service

Resource

40049

Ensure Compute Instance Legacy Metadata service endpoint is disabled

COMPUTE

INSTANCE

40042

Ensure customer created Customer Managed Key (CMK) is rotated at least annually

 VAULT

 KEY

50461

Ensure that Public Network Access is Disabled for storage accounts

STORAGE_ACCOUNT

STORAGE_ACCOUNT

50462

Ensure that Allow Blob Anonymous Access is set to Disabled

STORAGE_ACCOUNT

STORAGE_ACCOUNT

New controls in GCP Best Practices Policy

 CID 

Title

Service

Resource

52139

Ensure Dataproc Clusters are not using Default VPC

DATAPROC

DATAPROC_CLUSTER

 

New controls in CIS Oracle Cloud Infrastructure Foundation Benchmark Policy

 CID 

Title

Service

Resource

40049

Ensure Compute Instance Legacy Metadata service endpoint is disabled

COMPUTE
INSTANCE

40042

Ensure customer created Customer Managed Key (CMK) is rotated at least annually

 VAULT

 KEY

 

Control Migrations

Controls

Source Policy

Destination Policy

CID 50013, 50044, 50221, 50349, 50350

Azure Best Practice Policy

Azure Database Policy

CID 50058, 50227, 50341

Azure Best Practice Policy

Azure Function App Policy

CID 21, 22

CIS AWS Foundations Benchmark

AWS Best Practice Policy

CID 50458

Azure Best Practices Policy

CIS Microsoft Azure Foundations Benchmark

CID 50240

Azure Database Service Best Practices Policy

CIS Microsoft Azure Foundations Benchmark

CID 50012, 50049, 50076, 50082, 50083

CIS Microsoft Azure Foundations Benchmark

Azure Best Practices Policy

Issues Addressed

  • We updated the detection logic of the following controls to resolve false postive cases- CID 26, 53, 187, 231, 294, 438, 50082, 50325.
  • We have updated the control logic of CID 231 to comply to the latest AWS Best Practices standards.
  • We have updated the control logic of CID 52116 to ensure following the recommended remediation steps will result in PASS result.
  • We fixed an issue where CID 52002 continued to evaluate a deleted service account showed FAIL results for its controls.
  • We fixed an issue where the assessment reports for Azure, GCP and OCI resources returned empty CSV files when the search query contained resourceType token.
  • We fixed an issue where there "TotalCloud with FlexScan" widget from the widget library produced 404 errors when clicked for detailed view.
  • We fixed an issue where the vulnerabilities view from the Insights listing screen failed to display data. 
  • We fixed an issue where IAM users where falsely associated with North Virgina region. We have updated this to Global region.