Release 2.11

August 28, 2024

What’s New?

TotalCloud 2.11.0 brings updates to Insights, CDR, Resources and Controls. 

Common Features

Common features introduced to the TotalCloud application in this release.

Introduced Trend Graph to TruRisk Insights

With TotalCloud 2.11, we have introduced an 'Affected Resources' trend graph that shows the resources affected by potential threats over the last 24 hours and the last 7 days. Click the graph to view the trend analysis of the findings. We have also reorganized the insight listing to improve usability.

Trend Graph for AWS Insights

Amazon Web Services

Added Support for Integration of AWS GuardDuty Events with CDR 

With this release, CDR ingests AWS GuardDuty findings. GuardDuty's threat intelligence extends CDR's threat detection and security monitoring to a broader range of cloud assets.

Key Benefits for Users

  • Real-Time Visibility: Monitor traffic, flow logs, and activity logs within your cloud accounts, now including AWS activity logs for S3 Storage, IAM users, and IAM roles.
  • Expanded Detection Capabilities: Quickly identify and mitigate malicious activities and unauthorized access attempts across critical cloud resources.
  • Enhanced Threat Intelligence: GuardDuty findings enrich CDR's own detections, strengthening the security posture of your cloud environment.

The integration improves threat visibility and lets you respond faster to potential security incidents.

You can refer to the TotalCloud Online Help for full instructions on how to set up GuardDuty integration for CDR.

Added New Resources to the Cloud Inventory

With this release, we have added support for new resources in the AWS Inventory. The cloud inventory assesses these resources against the compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, and GDPR.

New Resources Introduced

The following are the newly introduced resources in the TotalCloud app.

  • Secrets
  • SageMaker Notebook
  • CloudFront Distribution

Microsoft Azure

Added New Resources to the Cloud Inventory

With this release, we have added support for new resources in the Azure Inventory. The cloud inventory assesses these resources against the compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, and GDPR.

New Resources Introduced

The following are the newly introduced resources in the TotalCloud app.

  • Network Interfaces
  • PostgreSQL Single Server
  • Load Balancer
  • Firewall
  • MySQL Flexible Server
  • Storage Account
  • Application Gateways
  • Secrets
  • MariaDB
  • Cosmos DB
  • NAT Gateways

New Tokens

With this release, we have introduced support for new tokens.

AWS Resource Tokens

Instance

Tokens introduced in the Instance resource. These tokens correspond to CDR findings for threats detected on your instances.

| Name | Description | Example |
|---|---|---|
| instance.hasThreat | Find instances that have or have not been associated with any detected threats. | `instance.hasThreat: true` |
| hasThreat.SuspiciousComm.PortScan | Find assets that have been detected performing port scanning activities. | `hasThreat.SuspiciousComm.PortScan: true` |
| hasThreat.SuspiciousComm.AddressScan | Find assets that have been detected performing address scanning activities. | `hasThreat.SuspiciousComm.AddressScan: true` |
| hasThreat.LateralMove.RDPHotAccount | Find assets associated with RDP hot accounts. | `hasThreat.LateralMove.RDPHotAccount: true` |
| hasThreat.LateralMove.RDPbruteforce | Find assets that have been targets of RDP brute force attempts. | `hasThreat.LateralMove.RDPbruteforce: true` |
| hasThreat.LateralMove.RDPScan | Find assets that have been detected performing RDP scanning activities. | `hasThreat.LateralMove.RDPScan: true` |
| hasThreat.LateralMove.SSHbruteforce | Find assets that have been targets of SSH brute force attempts. | `hasThreat.LateralMove.SSHbruteforce: true` |
| hasThreat.CnC.DNS | Find assets with detected Command and Control (CnC) activity using DNS. | `hasThreat.CnC.DNS: true` |
| hasThreat.CnC.HTTPS | Find assets with detected Command and Control (CnC) activity using HTTPS. | `hasThreat.CnC.HTTPS: true` |
| hasThreat.CnC.HTTP | Find assets with detected Command and Control (CnC) activity using HTTP. | `hasThreat.CnC.HTTP: true` |
| hasThreat.Exfiltration.DNS | Find assets with detected data exfiltration attempts using DNS. | `hasThreat.Exfiltration.DNS: true` |
| hasThreat.Malware | Find assets with detected malware presence. | `hasThreat.Malware: true` |

Secrets

Tokens introduced in the Secrets resource.

| Name | Description | Example |
|---|---|---|
| secrets.rotationEnabled | Find secrets with rotation enabled or disabled. | `secrets.rotationEnabled: Enabled` |
| secrets.kmsKeyId | Find secrets associated with a specific AWS Key Management Service (KMS) key ID. | `secrets.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab` |
| secrets.arn | Find secrets with a specific Amazon Resource Name (ARN). | `secrets.arn: arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3` |
| secrets.name | Find secrets with a specific name. | `secrets.name: database-credentials` |

SageMaker Notebook

Tokens introduced in the SageMaker Notebook Instances resource.

| Name | Description | Example |
|---|---|---|
| sagemaker.notebook.arn | Find SageMaker Notebook instances with a specific Amazon Resource Name (ARN). | `sagemaker.notebook.arn: arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook` |
| sagemaker.notebook.name | Find SageMaker Notebook instances with a specific name. | `sagemaker.notebook.name: data-science-notebook` |
| sagemaker.notebook.status | Find SageMaker Notebook instances based on their current status. | `sagemaker.notebook.status: InService` |

CloudFront Distribution

Tokens introduced in the CloudFront Distributions resource.

| Name | Description | Example |
|---|---|---|
| cloudfront.distributions.id | Find CloudFront distributions with a specific ID. | `cloudfront.distributions.id: E2QWRUHAPOMQZL` |
| cloudfront.distributions.domainname | Find CloudFront distributions with a specific domain name. | `cloudfront.distributions.domainname: d111111abcdef8.cloudfront.net` |
| cloudfront.distributions.enabled | Find CloudFront distributions that are enabled or disabled. | `cloudfront.distributions.enabled: Enabled` |
| cloudfront.distributions.priceclass | Find CloudFront distributions based on their price class. | `cloudfront.distributions.priceclass: PriceClass_200` |
| cloudfront.distributions.staging | Find CloudFront distributions that are staging distributions (true) or production distributions (false). | `cloudfront.distributions.staging: true` |
| cloudfront.distributions.arn | Find CloudFront distributions with a specific Amazon Resource Name (ARN). | `cloudfront.distributions.arn: arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL` |
| cloudfront.distributions.loggingEnabled | Find CloudFront distributions with logging enabled or disabled. | `cloudfront.distributions.loggingEnabled: Enabled` |

Azure Resource Tokens

Network Interface

Tokens introduced in the Network Interface resource.

| Name | Description | Example |
|---|---|---|
| networkinterfaces.vnetEncryptionSupported | Find Network Interfaces that support or don't support VNet encryption. | `networkinterfaces.vnetEncryptionSupported: true` |
| networkinterfaces.enableIPForwarding | Find Network Interfaces with IP Forwarding enabled or disabled. | `networkinterfaces.enableIPForwarding: Enabled` |
| networkinterfaces.disableTcpStateTracking | Find Network Interfaces with TCP State Tracking disabled or enabled. | `networkinterfaces.disableTcpStateTracking: Enabled` |
| networkinterfaces.networkSecurityGroup.id | Find Network Interfaces associated with a specific Network Security Group ID. | `networkinterfaces.networkSecurityGroup.id: /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG` |

PostgreSQL Single Server

Tokens introduced in the PostgreSQL Single Server resource.

| Name | Description | Example |
|---|---|---|
| postgresingleserver.backupRetentionDays | Find PostgreSQL Single Servers with a specific backup retention period in days. | `postgresingleserver.backupRetentionDays: 14` |
| postgresingleserver.geoRedundantBackup | Find PostgreSQL Single Servers with geo-redundant backup enabled or disabled. | `postgresingleserver.geoRedundantBackup: Enabled` |
| postgresingleserver.sslEnforcement | Find PostgreSQL Single Servers with SSL enforcement enabled or disabled. | `postgresingleserver.sslEnforcement: Enabled` |
| postgresingleserver.storageAutogrow | Find PostgreSQL Single Servers with storage auto-grow enabled or disabled. | `postgresingleserver.storageAutogrow: Disabled` |
| postgresingleserver.byokEnforcement | Find PostgreSQL Single Servers with Bring Your Own Key (BYOK) enforcement enabled or disabled. | `postgresingleserver.byokEnforcement: Disabled` |
| postgresingleserver.publicNetworkAccess | Find PostgreSQL Single Servers with public network access enabled or disabled. | `postgresingleserver.publicNetworkAccess: Disabled` |
| postgresingleserver.skuTier | Find PostgreSQL Single Servers based on their SKU tier. | `postgresingleserver.skuTier: GeneralPurpose` |
| postgresingleserver.minimalTlsVersion | Find PostgreSQL Single Servers based on their minimal TLS version. | `postgresingleserver.minimalTlsVersion: TLS1_2` |

Load Balancer 

Tokens introduced in the Load Balancer resource.

| Name | Description | Example |
|---|---|---|
| loadbalancer.sku.name | Find Load Balancers based on their SKU name. | `loadbalancer.sku.name: Standard` |
| loadbalancer.sku.tier | Find Load Balancers based on their SKU tier. | `loadbalancer.sku.tier: Regional` |
| loadbalancer.provisioningState | Find Load Balancers based on their provisioning state. | `loadbalancer.provisioningState: Succeeded` |

Firewall

Tokens introduced in the Firewall resource.

| Name | Description | Example |
|---|---|---|
| firewall.provisioningState | Find firewalls based on their current provisioning state. | `firewall.provisioningState: Succeeded` |
| firewall.threatIntelMode | Find firewalls based on their Threat Intelligence mode. | `firewall.threatIntelMode: Alert` |

MySQL Flexible Server

Tokens introduced in the MySQL Flexible Server resource.

| Name | Description | Example |
|---|---|---|
| mysqlFlexibleServer.autoGrow | Find MySQL Flexible Servers with auto-grow storage enabled or disabled. | `mysqlFlexibleServer.autoGrow: Enabled` |
| mysqlFlexibleServer.publicNetworkAccess | Find MySQL Flexible Servers with public network access enabled or disabled. | `mysqlFlexibleServer.publicNetworkAccess: Disabled` |
| mysqlFlexibleServer.backupRetentionDays | Find MySQL Flexible Servers with a specific backup retention period in days. | `mysqlFlexibleServer.backupRetentionDays: 14` |

Storage Account

Tokens introduced in the Storage Account resource.

| Name | Description | Example |
|---|---|---|
| storageAccount.skuTier | Find Storage Accounts based on their SKU tier. | `storageAccount.skuTier: Premium` |
| storageAccount.minimumTlsVersion | Find Storage Accounts based on their minimum TLS version. | `storageAccount.minimumTlsVersion: TLS1_2` |
| storageAccount.supportsHttpsTrafficOnly | Find Storage Accounts that do or do not support HTTPS traffic only. | `storageAccount.supportsHttpsTrafficOnly: true` |

Application Gateway

Tokens introduced in the Application Gateway resource.

| Name | Description | Example |
|---|---|---|
| applicationgateways.provisioningState | Find Application Gateways based on their current provisioning state. | `applicationgateways.provisioningState: Succeeded` |
| applicationgateways.sku.name | Find Application Gateways based on their SKU name. | `applicationgateways.sku.name: WAF_v2` |
| applicationgateways.sku.tier | Find Application Gateways based on their SKU tier. | `applicationgateways.sku.tier: Standard_v2` |
| applicationgateways.sku.family | Find Application Gateways based on their SKU family. | `applicationgateways.sku.family: Generation_2` |
| applicationgateways.sku.capacity | Find Application Gateways with a specific capacity (number of instances). | `applicationgateways.sku.capacity: 2` |
| applicationgateways.operationalState | Find Application Gateways based on their current operational state. | `applicationgateways.operationalState: Running` |
| applicationgateways.enableHttp2 | Find Application Gateways with HTTP/2 support enabled or disabled. | `applicationgateways.enableHttp2: Disabled` |

MariaDB

Tokens introduced in the MariaDB resource.

| Name | Description | Example |
|---|---|---|
| mariadb.version | Find MariaDB servers based on their version. | `mariadb.version: 10.3` |
| mariadb.minimumTLSVersion | Find MariaDB servers based on their minimum TLS version. | `mariadb.minimumTLSVersion: TLS1_2` |
| mariadb.publicNetworkAccess | Find MariaDB servers with public network access enabled or disabled. | `mariadb.publicNetworkAccess: Disabled` |
| mariadb.sku.tier | Find MariaDB servers based on their SKU tier. | `mariadb.sku.tier: GeneralPurpose` |

Cosmos DB

Tokens introduced in the Cosmos DB resource.

| Name | Description | Example |
|---|---|---|
| cosmosdb.kind | Find Cosmos DB accounts based on their database kind. | `cosmosdb.kind: MongoDB` |
| cosmosdb.publicNetworkAccess | Find Cosmos DB accounts with public network access enabled or disabled. | `cosmosdb.publicNetworkAccess: Enabled` |

NAT Gateways

Tokens introduced in the NAT Gateways resource.

| Name | Description | Example |
|---|---|---|
| natGateways.provisioningState | Find NAT Gateways based on their current provisioning state. | `natGateways.provisioningState: Succeeded` |
| natGateways.idleTimeoutInMinutes | Find NAT Gateways with a specific idle timeout setting in minutes. | `natGateways.idleTimeoutInMinutes: 15` |

Control Changes

Changes introduced to controls in this release.

Amazon Web Services

Control Title Changes

Changes to the titles of existing controls.

| CID | Old Title | New Title |
|---|---|---|
| 4 | Ensure access key1 is rotated every 90 days or less | Ensure access key 1 is rotated every 90 days or less |
| 5 | Ensure access key2 is rotated every 90 days or less | Ensure access key 2 is rotated every 90 days or less |
| 6 | Ensure IAM Password Policy is Enabled | Ensure that custom IAM Password Policy is Defined |
| 7 | Ensure IAM password policy requires at least one uppercase letter | Ensure that custom IAM password policy requires at least one uppercase letter |
| 8 | Ensure IAM password policy require at least one lowercase letter | Ensure that custom IAM password policy requires at least one lowercase letter |
| 9 | Ensure IAM password policy require at least one symbol | Ensure that custom IAM password policy require at least one symbol |
| 10 | Ensure IAM password policy require at least one number | Ensure that custom IAM password policy require at least one number |
| 11 | Ensure IAM password policy requires minimum length of 14 or greater | Ensure that custom IAM password policy require minimum length of 14 or greater |
| 12 | Ensure IAM password policy prevents password reuse | Ensure that custom IAM password policy prevents password reuse |
| 13 | Ensure IAM password policy expires passwords within 90 days or less | Ensure that custom IAM password policy expires passwords within 90 days or less |
| 16 | Ensure hardware MFA is enabled for the root account | Ensure hardware MFA is enabled for the root user account |
| 199 | Ensure not to setup access keys during initial user setup for all IAM users that have a console password except for the master account | Ensure not to setup access keys during initial user setup for all IAM users that have a console password |

New controls in "AWS Best Practices Policy"

| CID | Title | Service | Resource |
|---|---|---|---|
| 534 | Ensure AppFlow Flows are encrypted with customer managed master keys | APPFLOW | FLOWS |
| 535 | Ensure encryption is enabled for entity recognition analysis jobs | COMPREHEND | ANALYSIS_JOBS |
| 536 | Ensure DomainKeys Identified Mail (DKIM) is enabled for SES identities | SES | IDENTITIES |

Google Cloud Platform

New controls in "GCP Best Practices Policy"

| CID | Title | Service | Resource |
|---|---|---|---|
| 52180 | Ensure Big Table Instance Clusters are encrypted with Customer Managed Encryption Keys | BIGTABLE | BIGTABLE_INSTANCE_CLUSTER |
| 52181 | Ensure Spanner Instance Databases are encrypted with Customer Managed Encryption Keys | SPANNER | SPANNER_INSTANCE_DATABASE |
| 52182 | Ensure that IP forwarding is not enabled on Instance Templates | COMPUTE_ENGINE | INSTANCE_TEMPLATE |
| 52183 | Ensure to Remove Old Persistent Disk Snapshots to incur less charges | COMPUTE_ENGINE | DISK_SNAPSHOTS |
| 52184 | Ensure No Custom Disk Images are Publicly Accessible | COMPUTE_ENGINE | DISK_IMAGES |
| 52185 | Ensure GCP Artifact Registry Repositories are not Publicly Accessible | ARTIFACT_REGISTRY | ARTIFACT_REGISTRY_REPOSITORIES |
| 52186 | Ensure No Cloud Run Service is Publicly Accessible | CLOUD_RUN | CLOUD_RUN_SERVICES |

Oracle Cloud Infrastructure

New controls in "Oracle Cloud Infrastructure Best Practices Policy"

| CID | Title | Service | Resource |
|---|---|---|---|
| 40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | COMPUTE | INSTANCE |
| 40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | VAULT | KEY |

Microsoft Azure

New controls

| CID | Title | Service | Resource |
|---|---|---|---|
| 50461 | Ensure that Public Network Access is Disabled for storage accounts | STORAGE_ACCOUNT | STORAGE_ACCOUNT |
| 50462 | Ensure that Allow Blob Anonymous Access is set to Disabled | STORAGE_ACCOUNT | STORAGE_ACCOUNT |

Issues Addressed

  • We updated the detection logic of the following controls to resolve false positives: CID 433, 52002, 52138, and 52024.
  • We fixed an issue where the following controls took longer to evaluate than expected: CID 1, 2, 3, 4, and 5.
  • We updated the control logic of CID 19, 50002, 52013, 52014, 52015, and 52016 to prevent evaluation failures.
  • We fixed an issue where customers were unable to download CSV files of their inventory reports.
  • We fixed an issue where the 'tags.name' QQL token failed to retrieve data when the query included backticks (``).