Release 2.11
August 28, 2024
What’s New?
TotalCloud 2.11.0 brings updates to Insights, CDR, Resources and Controls.
Common Features
Common features introduced to the TotalCloud application in this release.
Introduced Trend Graph to TruRisk Insights
With TotalCloud 2.11, we have introduced an 'Affected Resources' trend graph that displays resources affected by potential threats over the last 24 hours and 7 days. Clicking the graph opens the trend analysis of the findings. We have also reorganized the insight listing to enhance the user experience.
Amazon Web Services
Added Support for Integration of AWS GuardDuty Events with CDR
With this release, we have introduced a powerful enhancement to CDR's threat detection capabilities with the integration of AWS GuardDuty. This new feature leverages GuardDuty's advanced threat intelligence to provide comprehensive security monitoring across a broader range of cloud assets.
Key Benefits for Users
- Real-Time Visibility: Monitor traffic, flow logs, and activity logs within your cloud accounts, now including AWS activity logs for S3 Storage, IAM users, and IAM roles.
- Expanded Detection Capabilities: Quickly identify and mitigate malicious activities and unauthorized access attempts across critical cloud resources.
- Enhanced Threat Intelligence: GuardDuty’s integration enriches CDR with advanced threat detection, ensuring a fortified security posture for your entire cloud environment.
This integration ensures enhanced threat visibility and enables swift responses to potential security incidents, providing you with robust protection and peace of mind.
You can refer to the TotalCloud Online Help for full instructions on how to set up GuardDuty integration for CDR.
Added New Resources to the Cloud Inventory
With this release, we have included support for new resources on the AWS Inventory. The cloud inventory ensures these new resources are assessed against the best global compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, GDPR, etc.
New Resources Introduced
The following are the newly introduced resources in the TotalCloud app.
- Secrets
- SageMaker Notebook
- CloudFront Distribution
Microsoft Azure
Added New Resources to the Cloud Inventory
With this release, we have included support for new resources on the Azure Inventory. The cloud inventory ensures these new resources are assessed against the best global compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, GDPR, etc.
New Resources Introduced
The following are the newly introduced resources in the TotalCloud app.
- Network Interfaces
- POSTGRE Single Server
- Load Balancer
- Firewall
- MySQL
- Storage Account
- Application Gateways
- Secrets
- MariaDB
- Cosmos DB
- NAT Gateways
New Tokens
With this release, we have introduced support for new tokens.
AWS Resource Tokens
Instance
Tokens introduced in the Instance resource. These tokens query the CDR findings about threats detected on your instances.
Name | Description | Example |
---|---|---|
instance.hasThreat | Find instances that have or have not been associated with any detected threats. | `instance.hasThreats: true` |
hasThreat.SuspiciousComm.PortScan | Find assets that have been detected performing port scanning activities. | `hasThreat.SuspiciousComm.PortScan: true` |
hasThreat.SuspiciousComm.AddressScan | Find assets that have been detected performing address scanning activities. | `hasThreat.SuspiciousComm.AddressScan: true` |
hasThreat.LateralMove.RDPHotAccount | Find assets associated with RDP hot accounts. | `hasThreat.LateralMove.RDPHotAccount: true` |
hasThreat.LateralMove.RDPbruteforce | Find assets that have been targets of RDP brute force attempts. | `hasThreat.LateralMove.RDPbruteforce: true` |
hasThreat.LateralMove.RDPScan | Find assets that have been detected performing RDP scanning activities. | `hasThreat.LateralMove.RDPScan: true` |
hasThreat.LateralMove.SSHbruteforce | Find assets that have been targets of SSH brute force attempts. | `hasThreat.LateralMove.SSHbruteforce: true` |
hasThreat.CnC.DNS | Find assets with detected Command and Control (CnC) activity using DNS. | `hasThreat.CnC.DNS: true` |
hasThreat.CnC.HTTPS | Find assets with detected Command and Control (CnC) activity using HTTPS. | `hasThreat.CnC.HTTPS: true` |
hasThreat.CnC.HTTP | Find assets with detected Command and Control (CnC) activity using HTTP. | `hasThreat.CnC.HTTP: true` |
hasThreat.Exfiltration.DNS | Find assets with detected data exfiltration attempts using DNS. | `hasThreat.Exfiltration.DNS: true` |
hasThreat.Malware | Find assets with detected malware presence. | `hasThreat.Malware: true` |
Secrets
Tokens introduced in the Secrets resource.
Name | Description | Example |
---|---|---|
secrets.rotationEnabled | Find secrets with rotation enabled or disabled. | `secrets.rotationEnabled: Enabled` |
secrets.kmsKeyId | Find secrets associated with a specific AWS Key Management Service (KMS) key ID. | `secrets.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab` |
secrets.arn | Find secrets with a specific Amazon Resource Name (ARN). | `secrets.arn: arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3` |
secrets.name | Find secrets with a specific name. | `secrets.name: database-credentials` |
SageMaker Notebook
Tokens introduced in the SageMaker Notebook Instances resource.
Name | Description | Example |
---|---|---|
sagemaker.notebook.arn | Find SageMaker Notebook instances with a specific Amazon Resource Name (ARN). | `sagemaker.notebook.arn: arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook` |
sagemaker.notebook.name | Find SageMaker Notebook instances with a specific name. | `sagemaker.notebook.name: data-science-notebook` |
sagemaker.notebook.status | Find SageMaker Notebook instances based on their current status. | `sagemaker.notebook.status: InService` |
CloudFront Distribution
Tokens introduced in the CloudFront Distributions resource.
Name | Description | Example |
---|---|---|
cloudfront.distributions.id | Find CloudFront distributions with a specific ID. | `cloudfront.distributions.id: |
cloudfront.distributions.domainname | Find CloudFront distributions with a specific domain name. | `cloudfront.distributions.domainname: d111111abcdef8.cloudfront.net` |
cloudfront.distributions.enabled | Find CloudFront distributions that are enabled or disabled. | `cloudfront.distributions.enabled: Enabled` |
cloudfront.distributions.priceclass | Find CloudFront distributions based on their price class. | `cloudfront.distributions.priceclass: |
cloudfront.distributions.staging | Find CloudFront distributions that are in staging or production environment. | `cloudfront.distributions.staging: true` |
cloudfront.distributions.arn | Find CloudFront distributions with a specific Amazon Resource Name (ARN). | `cloudfront.distributions.arn: arn:aws:cloudfront::123456789012: |
cloudfront.distributions.loggingEnabled | Find CloudFront distributions with logging enabled or disabled. | `cloudfront.distributions.loggingEnabled: Enabled` |
Azure Resource Tokens
Network Interface
Tokens introduced in the Network Interface resource.
Name | Description | Example |
---|---|---|
networkinterfaces.vnetEncryptionSupported | Find Network Interfaces that support or don't support VNet encryption. | `networkinterfaces.vnetEncryptionSupported: true` |
networkinterfaces.enableIPForwarding | Find Network Interfaces with IP Forwarding enabled or disabled. | `networkinterfaces.enableIPForwarding: Enabled` |
networkinterfaces.disableTcpStateTracking | Find Network Interfaces with TCP State Tracking disabled or enabled. | `networkinterfaces.disableTcpStateTracking: Enabled` |
networkinterfaces.networkSecurityGroup.id | Find Network Interfaces associated with a specific Network Security Group ID. | |
POSTGRE Single Server
Tokens introduced in the POSTGRE Single Server resource.
Name | Description | Example |
---|---|---|
postgresingleserver.backupRetentionDays | Find PostgreSQL Single Servers with a specific backup retention period in days. | `postgresingleserver.backupRetentionDays: 14` |
postgresingleserver.geoRedundantBackup | Find PostgreSQL Single Servers with geo-redundant backup enabled or disabled. | `postgresingleserver.geoRedundantBackup: Enabled` |
postgresingleserver.sslEnforcement | Find PostgreSQL Single Servers with SSL enforcement enabled or disabled. | `postgresingleserver.sslEnforcement: Enabled` |
postgresingleserver.storageAutogrow | Find PostgreSQL Single Servers with storage auto-grow enabled or disabled. | `postgresingleserver.storageAutogrow: Disabled` |
postgresingleserver.byokEnforcement | Find PostgreSQL Single Servers with Bring Your Own Key (BYOK) enforcement enabled or disabled. | `postgresingleserver.byokEnforcement: Disabled` |
postgresingleserver.publicNetworkAccess | Find PostgreSQL Single Servers with public network access enabled or disabled. | `postgresingleserver.publicNetworkAccess: Disabled` |
postgresingleserver.skuTier | Find PostgreSQL Single Servers based on their SKU tier. | `postgresingleserver.skuTier: GeneralPurpose` |
postgresingleserver.minimalTlsVersion | Find PostgreSQL Single Servers based on their minimal TLS version. | `postgresingleserver.minimalTlsVersion: TLS1_2` |
Load Balancer
Tokens introduced in the Load Balancer resource.
Name | Description | Example |
---|---|---|
loadbalancer.sku.name | Find Load Balancers based on their SKU name. | `loadbalancer.sku.name: Standard` |
loadbalancer.sku.tier | Find Load Balancers based on their SKU tier. | `loadbalancer.sku.tier: Regional` |
loadbalancer.provisioningState | Find Load Balancers based on their provisioning state. | `loadbalancer.provisioningState: Succeeded` |
Firewall
Tokens introduced in the Firewall resource.
Name | Description | Example |
---|---|---|
firewall.provisioningState | Find firewalls based on their current provisioning state. | `firewall.provisioningState: Succeeded` |
firewall.threatIntelMode | Find firewalls based on their Threat Intelligence mode. | `firewall.threatIntelMode: Alert` |
MySQL Flexible Server
Tokens introduced in the MySQL Flexible Server resource.
Name | Description | Example |
---|---|---|
mysqlFlexibleServer.autoGrow | Find MySQL Flexible Servers with auto-grow storage enabled or disabled. | `mysqlFlexibleServer.autoGrow: Enabled` |
mysqlFlexibleServer.publicNetworkAccess | Find MySQL Flexible Servers with public network access enabled or disabled. | `mysqlFlexibleServer.publicNetworkAccess: Disabled` |
mysqlFlexibleServer.backupRetentionDays | Find MySQL Flexible Servers with a specific backup retention period in days. | `mysqlFlexibleServer.backupRetentionDays: 14` |
Storage Account
Tokens introduced in the Storage Account resource.
Name | Description | Example |
---|---|---|
storageAccount.skuTier | Find Storage Accounts based on their SKU tier. | `storageAccount.skuTier: Premium` |
storageAccount.minimumTlsVersion | Find Storage Accounts based on their minimum TLS version. | `storageAccount.minimumTlsVersion: TLS1_2` |
storageAccount.supportsHttpsTrafficOnly | Find Storage Accounts that do or do not support HTTPS traffic only. | `storageAccount.supportsHttpsTrafficOnly: true` |
Application Gateway
Tokens introduced in the Application Gateway resource.
Name | Description | Example |
---|---|---|
applicationgateways.provisioningState | Find Application Gateways based on their current provisioning state. | `applicationgateways.provisioningState: Succeeded` |
applicationgateways.sku.name | Find Application Gateways based on their SKU name. | `applicationgateways.sku.name: WAF_v2` |
applicationgateways.sku.tier | Find Application Gateways based on their SKU tier. | `applicationgateways.sku.tier: Standard_v2` |
applicationgateways.sku.family | Find Application Gateways based on their SKU family. | `applicationgateways.sku.family: Generation_2` |
applicationgateways.sku.capacity | Find Application Gateways with a specific capacity (number of instances). | `applicationgateways.sku.capacity: 2` |
applicationgateways.operationalState | Find Application Gateways based on their current operational state. | `applicationgateways.operationalState: Running` |
applicationgateways.enableHttp2 | Find Application Gateways with HTTP/2 support enabled or disabled. | `applicationgateways.enableHttp2: Disabled` |
MariaDB
Tokens introduced in the MariaDB resource.
Name | Description | Example |
---|---|---|
mariadb.version | Find MariaDB servers based on their version. | `mariadb.version: 10.3` |
mariadb.minimumTLSVersion | Find MariaDB servers based on their minimum TLS version. | `mariadb.minimumTLSVersion: TLS1_2` |
mariadb.publicNetworkAccess | Find MariaDB servers with public network access enabled or disabled. | `mariadb.publicNetworkAccess: Disabled` |
mariadb.sku.tier | Find MariaDB servers based on their SKU tier. | `mariadb.sku.tier: GeneralPurpose` |
Cosmos DB
Tokens introduced in the Cosmos DB resource.
Name | Description | Example |
---|---|---|
cosmosdb.kind | Find Cosmos DB accounts based on their database kind. | `cosmosdb.kind: MongoDB` |
cosmosdb.publicNetworkAccess | Find Cosmos DB accounts with public network access enabled or disabled. | `cosmosdb.publicNetworkAccess: Enabled` |
NAT Gateways
Tokens introduced in the NAT Gateways resource.
Name | Description | Example |
---|---|---|
natGateways.provisioningState | Find NAT Gateways based on their current provisioning state. | `natGateways.provisioningState: Succeeded` |
natGateways.idleTimeoutInMinutes | Find NAT Gateways with a specific idle timeout setting in minutes. | `natGateways.idleTimeoutInMinutes: 15` |
Control Changes
Changes introduced to controls in this release.
Amazon Web Services
Control Title Changes
Changes to the titles of existing controls.
CID | Old Title | New Title |
---|---|---|
4 | Ensure access key1 is rotated every 90 days or less | Ensure access key 1 is rotated every 90 days or less |
5 | Ensure access key2 is rotated every 90 days or less | Ensure access key 2 is rotated every 90 days or less |
6 | Ensure IAM Password Policy is Enabled | Ensure that custom IAM Password Policy is Defined |
7 | Ensure IAM password policy requires at least one uppercase letter | Ensure that custom IAM password policy requires at least one uppercase letter |
8 | Ensure IAM password policy require at least one lowercase letter | Ensure that custom IAM password policy requires at least one lowercase letter |
9 | Ensure IAM password policy require at least one symbol | Ensure that custom IAM password policy require at least one symbol |
10 | Ensure IAM password policy require at least one number | Ensure that custom IAM password policy require at least one number |
11 | Ensure IAM password policy requires minimum length of 14 or greater | Ensure that custom IAM password policy require minimum length of 14 or greater |
12 | Ensure IAM password policy prevents password reuse | Ensure that custom IAM password policy prevents password reuse |
13 | Ensure IAM password policy expires passwords within 90 days or less | Ensure that custom IAM password policy expires passwords within 90 days or less |
16 | Ensure hardware MFA is enabled for the root account | Ensure hardware MFA is enabled for the root user account |
199 | Ensure not to setup access keys during initial user setup for all IAM users that have a console password except for the master account | Ensure not to setup access keys during initial user setup for all IAM users that have a console password |
New controls in "AWS Best Practices Policy"
CID | Title | Service | Resource |
---|---|---|---|
534 | Ensure AppFlow Flows are encrypted with customer managed master keys | APPFLOW | FLOWS |
535 | Ensure encryption is enabled for entity recognition analysis jobs | COMPREHEND | ANALYSIS_JOBS |
536 | Ensure DomainKeys Identified Mail (DKIM) is enabled for SES identities | SES | IDENTITIES |
Google Cloud Platform
New controls in "GCP Best Practices Policy"
CID | Title | Service | Resource |
---|---|---|---|
52180 | Ensure Big Table Instance Clusters are encrypted with Customer Managed Encryption Keys | BIGTABLE | BIGTABLE_INSTANCE_CLUSTER |
52181 | Ensure Spanner Instance Databases are encrypted with Customer Managed Encryption Keys | SPANNER | SPANNER_INSTANCE_DATABASE |
52182 | Ensure that IP forwarding is not enabled on Instance Templates | COMPUTE_ENGINE | INSTANCE_TEMPLATE |
52183 | Ensure to Remove Old Persistent Disk Snapshots to incur less charges | COMPUTE_ENGINE | DISK_SNAPSHOTS |
52184 | Ensure No Custom Disk Images are Publicly Accessible | COMPUTE_ENGINE | DISK_IMAGES |
52185 | Ensure GCP Artifact Registry Repositories are not Publicly Accessible | ARTIFACT_REGISTRY | ARTIFACT_REGISTRY_REPOSITORIES |
52186 | Ensure No Cloud Run Service is Publicly Accessible | CLOUD_RUN | CLOUD_RUN_SERVICES |
Oracle Cloud Infrastructure
New controls in "Oracle Cloud Infrastructure Best Practices Policy"
New Controls introduced in Oracle Cloud Infrastructure Best Practices Policy.
CID | Title | Service | Resource |
---|---|---|---|
40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | | |
40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | | |
50461 | Ensure that Public Network Access is Disabled for storage accounts | | |
50462 | Ensure that Allow Blob Anonymous Access is set to Disabled | | |
Issues Addressed
- We updated the detection logic of the following controls to resolve false positive cases: CID 433, 52002, 52138 and 52024.
- We fixed an issue where the following controls took longer to evaluate than expected: CID 1, 2, 3, 4 and 5.
- We updated the control logic of CID 19, 50002, 52013, 52014, 52015 and 52016 to prevent evaluation failures.
- We fixed an issue where customers were unable to download CSV files of their inventory reports.
- We fixed an issue where the 'tags.name' QQL token failed to retrieve data when the query included backticks (``).