TotalCloud Release 2.16
May 13, 2025
TotalCloud 2.16 brings updates to Mandates, Inventory, scan techniques, integrations and bug fixes.
Amazon Web Services (AWS)
The following sections describe the enhancements made to the TotalCloud environment in this release for AWS.
Secrets Detection Integration with TruRiskTM Insights for AWS Instances
With this release, we have enhanced the visibility of exposed secrets across AWS instances and strengthened risk prioritization through enriched insights. You can enable Secrets detection while configuring your Snapshot scan deployment on AWS. The scan discovers the secrets in your AWS workloads and passes it on to your Instance inventory which is then aligned with IAM Insights to provide you with enriched TruRiskTM Insight analysis.
To discover your exposed secrets, you must
- Navigate to Create or Edit menu of the connector, select the Enable Secret Detection option under Zero-touch Snapshot Based Scan.
- Launch a Snapshot-based scan, and open any resulting instance from the scan to find the Secrets tab for that instance.
You can also search "instance.hasSecrets: yes" in the QQL search bar and open any resulting Instance.
Oracle Cloud Infrastructure (OCI)
The following sections describe the enhancements made to the TotalCloud environment in this release for OCI.
Extended Support for Alerting to OCI
With this release, TotalCloud supports Oracle Cloud Infrastructure (OCI) in its alerting framework, allowing security and operations teams to monitor misconfigurations, policy violations, and other key findings across OCI environments. We have extended alerting capabilities for OCI, in addition to existing cloud providers like AWS, Azure, and GCP.
Notification Channels Supported:
- PagerDuty
- Slack
- Teams
To create rules for OCI,
- Navigate to the TotalCloud application > Responses tab > Actions.
- Create an Action and then proceed to the Rule Manager tab.
- Create a Rule.
- Select OCI Monitor from the dropdown in Rule Query.
Common Cloud Updates
The following sections describe the enhancements made to the TotalCloud environment in this release, common to all cloud providers.
AMI Images Scanning in TotalCloud
TotalCloud now extends its vulnerability management capabilities to include Amazon Machine Images (AMIs), allowing organizations to assess security posture before runtime deployment. This supports proactive hardening of golden images and minimizes exposure in production environments.
This feature will be available after QFlow version 1.15.1 is deployed.
Benefits
Inventory Support for AMIs
- Automatically discover and list AMIs and Azure Images using existing cloud connectors.
- Display AMIs under the Inventory section alongside other cloud resources.
Vulnerability Scanning for AMIs
- AMIs are scanned using Snapshot-based techniques similar to virtual machines.
- Vulnerability findings are displayed per AMI.
To enable Image Scanning for AMIs images,
- Navigate to Create or Edit menu of the connector, select the Enable AMI Scanning option under Zero-touch Snapshot Based Scan.
- Deploy your AWS Snapshot-scan CloudFormation template with AMI scanning enabled.
- Navigate to the inventory > Choose AWS> Select AMI Images.
- View the scan findings by clicking on any image and analyzing the detailed image information.
Jira Integration with TotalCloud CSPM
TotalCloud CSPM introduces Jira integration as a response action, enabling customers to automatically raise tickets in Jira for critical misconfigurations. This integration supports automated, rule-based notifications and ticket creation in Jira using QQL-based alerting and customizable response workflows.
TotalCloud users can:
- Track and manage critical cloud misconfigurations via Jira.
- Integrate with ITSM and DevOps processes through existing Jira workflows.
- Ensure compliance and operational response by pushing findings from TotalCloud to Jira.
Ticketing Scheme
The integration supports the creation of the following ticket type in Jira:
Resource Tickets
Triggered based on alert rules using QQL tokens from CSPM evaluation. The resource tickets can track individual misconfigured resources.
To enable the Jira Integration,
- Create a Jira connector from the Connectors Application.
- Navigate to TotalCloud and create a Jira Action from the Response Tab.
- Create a rule from the Rule Manager for Jira ticket updates.
Cloud Detection and Response (CDR)
The following sections describe the enhancements made to the CDR environment in this release, common to all cloud providers.
Introduced the Ability to View Findings by Remote IP.
With this release, we have added the ability to view findings by IP addresses in the Investigate tab for easier tracking and analysis. This enhancement provides:
- More visibility into the total number of events or communications, both inbound and outbound, associated with each IP address.
- An integrated VirusTotal link that provides an enriched context for each public IP, providing deeper insight into its nature.
- Improved threat visibility, enabling faster decision-making and quicker incident response when necessary.
Navigate to the Investigate tab and select Remote IP from the Group By filter drop-down.
Click VirusTotal to get more insight into the IP's nature.
The VirusTotal page gathers results from multiple antivirus engines and website scanners, which allows you to identify threats and verify potential false positives.
Introduced an Overview Section for Findings
With this release, we have added an overview tab to the security findings detail view page. This section extracts and highlights key information from the raw data associated with each finding and presents it in an accessible and structured format.
The Raw Data tab provides detailed information about any findings in a JSON format.
On the Investigate page, click Quick Actions > View Details to see the overview of any finding.
The Overview provides a concise summary of the information extracted from the Raw Data, improving overall readability.
|
Overview |
Raw Data |
|
|
|
Added Support for Integration with Microsoft Sentinel
With this release, TotalCloud 2.16 introduces support for CDR event forwarding to Microsoft Sentinel, enabling security teams to centralize threat detection and streamline incident management within their existing MS Sentinel SIEM workflows.
Benefits
- Enhances cloud-native threat visibility within Microsoft Sentinel.
- Allows proactive response to threats, improving overall security posture.
- Facilitates faster incident response and compliance reporting.
You can read about how to get started with executing the APIs for this integration by referring to CDR-MS Sentinel Integration.
Mandate Updates
Deprecated Mandates
The following mandates have been deprecated and are no longer supported in TotalCloud:
|
ID |
Title |
Version |
Publisher |
|---|---|---|---|
|
4962 |
Cybersecurity Maturity Model Certification (CMMC) Level 1 |
v1.02 (18 March 2020) |
US Government - OUSD(A&S) |
|
4963 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 |
v1.02 (18 March 2020) |
US Government - OUSD(A&S) |
|
4967 |
Cybersecurity Maturity Model Certification (CMMC) Level 3 |
v1.02 (18 March 2020) |
US Government - OUSD(A&S) |
|
4965 |
Cybersecurity Maturity Model Certification (CMMC) Level 4 |
v1.02 (18 March 2020) |
US Government - OUSD(A&S) |
|
4966 |
Cybersecurity Maturity Model Certification (CMMC) Level 5 |
v1.02 (18 March 2020) |
US Government - OUSD(A&S) |
|
5102 |
Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 |
Ver. 3.2.1 |
PCI Security Standards Council |
|
2443 |
ISO/IEC 27001:2013 |
Edition 2013-11 |
ISO/IEC JTC 1/SC 27 |
New Mandates
The following mandates have been newly added to the platform:
|
ID |
Title |
Publisher |
Version |
|---|---|---|---|
|
6121 |
California Consumer Privacy Act of 2018 (SB-1121) |
California State Legislature, USA |
Effective 1st January, 2020 |
|
6323 |
US Gramm Leach Bliley Act (GLBA) |
Federal |
Sept 2004 |
|
10061 |
Microsoft Cloud Security Benchmark |
Microsoft |
v1 |
|
10103 |
Australian Signals Directorate Information Security Manual (ISM) |
Australian Cyber Security Center (ACSC) |
June 2024 |
|
10067 |
CIS Controls Version 8.1 |
Center for Internet Security (CIS) |
Ver 8.1 |
|
8841 |
The Network and Information Systems (NIS 2 Directive) (EU) 2022/2555 |
European Parliament |
2022/2555 |
Updated Mandates
The following mandates have been updated to their latest versions:
|
Previous ID |
Previous Title |
Current Version |
New ID |
New Title |
New Version |
Publisher |
|---|---|---|---|---|---|---|
|
4329 |
NIST Special Publication 800-171 |
Rev. 2 |
10301 |
NIST Special Publication 800-171 |
Rev. 3 |
National Institute of Standards and Technology (NIST) |
|
6022 |
SWIFT Customer Security Controls Framework - Customer Security Programme v2021 |
Ver 2021 |
9641 |
SWIFT Customer Security Controls Framework - Customer Security Programme |
Ver 2024 |
Society for Worldwide Interbank Financial Telecommunication (SWIFT) |
|
7382 |
Australian Signals Directorate - Essential Eight Maturity Model |
November 2022 |
9921 |
The Australian Signals Directorate - The Essential 8 Strategies (ASD 8) |
November 2023 |
Australian Cyber Security Center (ACSC) |
Control Updates
New Runtime Controls
New runtime controls introduced to the cloud posture analysis.
AWS – New Controls
New Control introduced to the AWS cloud.
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
541 |
Ensure CloudFront distribution should use custom SSL/TLS certificate |
Cloudfront |
Cloudfront Distribution |
|
542 |
Ensure CloudFront distribution should use SNI to serve HTTPS requests |
Cloudfront |
Cloudfront Distribution |
|
543 |
Ensure DynamoDB table should have deletion protection enabled |
DynamoDB |
DYNAMO_DB_TABLE |
|
544 |
Ensure DynamoDB Accelerator cluster should be encrypted in transit |
DynamoDB |
DAX_CLUSTER |
|
545 |
Ensure Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests |
VPC |
Transit Gateways |
|
546 |
Ensure Amazon EC2 paravirtual instance types should not be used |
EC2 |
Instance |
|
547 |
Ensure Amazon ECS task definitions should have secure networking modes and user definitions |
ECS |
ECS_TASK_DEFINITION |
|
548 |
Ensure ECS task definitions should not share the host's process namespace |
ECS |
ECS_TASK_DEFINITION |
|
549 |
Ensure ECS containers should run as non-privileged |
ECS |
ECS_TASK_DEFINITION |
|
550 |
Ensure ECS containers should be limited to read-only access to root filesystems |
ECS |
ECS_TASK_DEFINITION |
|
551 |
Ensure Neptune DB clusters should be configured to copy tags to snapshots |
Neptune |
NEPTUNE_DB_CLUSTERS |
|
552 |
Ensure ElastiCache replication groups should be encrypted at rest |
ElasticCache |
ELASTICACHE |
|
553 |
Athena workgroups should have logging enabled |
Athena |
Athena Workgroup |
|
555 |
Ensure ActiveMQ brokers should stream audit logs to CloudWatch |
MQ |
MQ Broker |
|
556 |
Ensure Network Firewall Logging Should be enabled |
VPC |
NETWORK_FIREWALL |
|
557 |
Ensure Redshift clusters should not use the default database name |
Redshift |
REDSHIFT_CLUSTERS |
|
558 |
Ensure OpenSearch domains should have at least three data nodes |
Elasticsearch |
ES_DOMAIN |
GCP – New Control
New Control introduced to the GCP cloud.
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
52187 |
Ensure KMS encryption keys are rotated within 90 days |
IAM |
CRYPTOGRAPHIC_KEYS |
OCI – New Control
New Control introduced to the OCI cloud.
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
40088 |
Ensure no policies have 'manage-all resources' permission in a compartment |
IAM |
POLICY |
This control is also added to the OCI Best Practices Policy.
Azure – New Control
New Control introduced to the Azure cloud.
|
CID |
Title |
Service |
Resource |
Policy |
|---|---|---|---|---|
|
50482 |
Ensure that Diagnostic logs are enabled in Logic Apps (Standard) |
LOGIC_APPS |
LOGIC_APPS |
Azure Best Practices Policy |
Control Title Changes
Changes to the titles of existing controls.
|
CID |
Old Title |
New Title |
|---|---|---|
|
235 |
Ensure to enable data in transit encryption for EMR security configuration |
Ensure to enable data in transit encryption for EMR Cluster using security configuration |
|
351 |
Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager |
Ensure that Application Load Balancer(s) Listeners uses SSL certificates from ACM |
|
50169 |
Ensure that Advanced Threat Protection is enabled on Classic Storage Accounts |
Ensure that Advanced Threat Protection is enabled on Storage Accounts with Microsoft Defender Plan (Classic) |
|
50114 |
Ensure that network access is restricted in Cognitive Services accounts |
Ensure that public network access is disabled or restricted in Cognitive Services accounts |
New Tokens
New Tokens introduced in TotalCloud 2.16.0
Amazon Web Services
Tokens introduced in AWS Resources
Secretes
With this release, we have added support for Secrets in the Resource Inventory. Use the following tokens to find Secrets from the AWS Inventory.
|
Name |
Description |
|---|---|
| secret.severity | Find secrets based on their severity level. |
| secret.secretType | Find secrets based on their type. |
| secret.category | Find secrets based on their category. |
| secret.filePath | Find secrets with the specified directory/file path. |