TotalCloud Release 2.16

May 13, 2025

TotalCloud 2.16 brings updates to Mandates, Inventory, scan techniques, integrations and bug fixes.

Amazon Web Services (AWS)

The following sections describe the enhancements made to the TotalCloud environment in this release for AWS. 

Secrets Detection Integration with TruRisk™ Insights for AWS Instances

With this release, we have enhanced the visibility of exposed secrets across AWS instances and strengthened risk prioritization through enriched insights. You can enable Secrets detection while configuring your Snapshot scan deployment on AWS. The scan discovers the secrets in your AWS workloads and passes them on to your Instance inventory, which is then aligned with IAM Insights to provide you with enriched TruRisk™ Insight analysis.

To discover your exposed secrets, you must:

  1. Navigate to the Create or Edit menu of the connector and select the Enable Secret Detection option under Zero-touch Snapshot Based Scan.

  2. Launch a Snapshot-based scan, then open any instance found by the scan to see the Secrets tab for that instance.
    You can also search "instance.hasSecrets: yes" in the QQL search bar and open any resulting Instance.

Oracle Cloud Infrastructure (OCI)

The following sections describe the enhancements made to the TotalCloud environment in this release for OCI. 

Extended Support for Alerting to OCI

With this release, TotalCloud supports Oracle Cloud Infrastructure (OCI) in its alerting framework, allowing security and operations teams to monitor misconfigurations, policy violations, and other key findings across OCI environments. We have extended alerting capabilities for OCI, in addition to existing cloud providers like AWS, Azure, and GCP.

Notification Channels Supported:

  • Email
  • PagerDuty
  • Slack
  • Teams

To create rules for OCI,

  1. Navigate to the TotalCloud application > Responses tab > Actions.
  2. Create an Action and then proceed to the Rule Manager tab.
  3. Create a Rule.
  4. Select OCI Monitor from the dropdown in Rule Query.

Common Cloud Updates

The following sections describe the enhancements made to the TotalCloud environment in this release, common to all cloud providers. 

AMI Images Scanning in TotalCloud

TotalCloud now extends its vulnerability management capabilities to include Amazon Machine Images (AMIs), allowing organizations to assess security posture before runtime deployment. This supports proactive hardening of golden images and minimizes exposure in production environments.

This feature will be available after QFlow version 1.15.1 is deployed.

Benefits

Inventory Support for AMIs

  • Automatically discover and list AMIs and Azure Images using existing cloud connectors.
  • Display AMIs under the Inventory section alongside other cloud resources.

Vulnerability Scanning for AMIs

  • AMIs are scanned using Snapshot-based techniques similar to virtual machines.
  • Vulnerability findings are displayed per AMI.

To enable image scanning for AMIs,

  1. Navigate to the Create or Edit menu of the connector and select the Enable AMI Scanning option under Zero-touch Snapshot Based Scan.
  2. Deploy your AWS Snapshot-scan CloudFormation template with AMI scanning enabled.
  3. Navigate to Inventory, choose AWS, and select AMI Images.
  4. View the scan findings by clicking any image and analyzing the detailed image information.

Jira Integration with TotalCloud CSPM

TotalCloud CSPM introduces Jira integration as a response action, enabling customers to automatically raise tickets in Jira for critical misconfigurations. This integration supports automated, rule-based notifications and ticket creation in Jira using QQL-based alerting and customizable response workflows.

TotalCloud users can:

  • Track and manage critical cloud misconfigurations via Jira.
  • Integrate with ITSM and DevOps processes through existing Jira workflows.
  • Ensure compliance and operational response by pushing findings from TotalCloud to Jira.

Ticketing Scheme

The integration supports the creation of the following ticket type in Jira:

Resource Tickets

Triggered based on alert rules using QQL tokens from CSPM evaluation. The resource tickets can track individual misconfigured resources.

To enable the Jira Integration,

  1. Create a Jira connector from the Connectors Application.
  2. Navigate to TotalCloud and create a Jira Action from the Response Tab.
  3. Create a rule from the Rule Manager for Jira ticket updates.

Cloud Detection and Response (CDR)

The following sections describe the enhancements made to the CDR environment in this release, common to all cloud providers. 

Introduced the Ability to View Findings by Remote IP

With this release, we have added the ability to view findings by IP addresses in the Investigate tab for easier tracking and analysis. This enhancement provides:

  • More visibility into the total number of events or communications, both inbound and outbound, associated with each IP address.
  • An integrated VirusTotal link that provides an enriched context for each public IP, providing deeper insight into its nature.
  • Improved threat visibility, enabling faster decision-making and quicker incident response when necessary.

Navigate to the Investigate tab and select Remote IP from the Group By filter drop-down.

Figure: Remote IP

Click VirusTotal to get more insight into the IP's nature.

Figure: VirusTotal

The VirusTotal page gathers results from multiple antivirus engines and website scanners, which allows you to identify threats and verify potential false positives.

Figure: VirusTotal Page

Introduced an Overview Section for Findings

With this release, we have added an overview tab to the security findings detail view page. This section extracts and highlights key information from the raw data associated with each finding and presents it in an accessible and structured format.

The Raw Data tab provides detailed information about any finding in JSON format.

On the Investigate page, click Quick Actions > View Details to see the overview of any finding.

Figure: View Details

The Overview provides a concise summary of the information extracted from the Raw Data, improving overall readability.

Figure: Details Overview

Figure: Raw Data

Added Support for Integration with Microsoft Sentinel

With this release, TotalCloud 2.16 introduces support for CDR event forwarding to Microsoft Sentinel, enabling security teams to centralize threat detection and streamline incident management within their existing MS Sentinel SIEM workflows.

Benefits

  • Enhances cloud-native threat visibility within Microsoft Sentinel.
  • Allows proactive response to threats, improving overall security posture.
  • Facilitates faster incident response and compliance reporting.

You can read about how to get started with executing the APIs for this integration by referring to CDR-MS Sentinel Integration.

Mandate Updates

Deprecated Mandates

The following mandates have been deprecated and are no longer supported in TotalCloud:

ID   | Title                                                         | Version               | Publisher
4962 | Cybersecurity Maturity Model Certification (CMMC) Level 1     | v1.02 (18 March 2020) | US Government - OUSD(A&S)
4963 | Cybersecurity Maturity Model Certification (CMMC) Level 2     | v1.02 (18 March 2020) | US Government - OUSD(A&S)
4967 | Cybersecurity Maturity Model Certification (CMMC) Level 3     | v1.02 (18 March 2020) | US Government - OUSD(A&S)
4965 | Cybersecurity Maturity Model Certification (CMMC) Level 4     | v1.02 (18 March 2020) | US Government - OUSD(A&S)
4966 | Cybersecurity Maturity Model Certification (CMMC) Level 5     | v1.02 (18 March 2020) | US Government - OUSD(A&S)
5102 | Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 | Ver. 3.2.1            | PCI Security Standards Council
2443 | ISO/IEC 27001:2013                                            | Edition 2013-11       | ISO/IEC JTC 1/SC 27

New Mandates

The following mandates have been newly added to the platform:

ID    | Title                                                                | Publisher                           | Version
6121  | California Consumer Privacy Act of 2018 (SB-1121)                    | California State Legislature, USA   | Effective 1st January, 2020
6323  | US Gramm Leach Bliley Act (GLBA)                                     | Federal                             | Sept 2004
10061 | Microsoft Cloud Security Benchmark                                   | Microsoft                           | v1
10103 | Australian Signals Directorate Information Security Manual (ISM)     | Australian Cyber Security Center (ACSC) | June 2024
10067 | CIS Controls Version 8.1                                             | Center for Internet Security (CIS)  | Ver 8.1
8841  | The Network and Information Systems (NIS 2 Directive) (EU) 2022/2555 | European Parliament                 | 2022/2555

Updated Mandates

The following mandates have been updated to their latest versions:

Previous ID | Previous Title                                                                   | Current Version | New ID | New Title                                                                  | New Version   | Publisher
4329        | NIST Special Publication 800-171                                                 | Rev. 2          | 10301  | NIST Special Publication 800-171                                           | Rev. 3        | National Institute of Standards and Technology (NIST)
6022        | SWIFT Customer Security Controls Framework - Customer Security Programme v2021   | Ver 2021        | 9641   | SWIFT Customer Security Controls Framework - Customer Security Programme   | Ver 2024      | Society for Worldwide Interbank Financial Telecommunication (SWIFT)
7382        | Australian Signals Directorate - Essential Eight Maturity Model                  | November 2022   | 9921   | The Australian Signals Directorate - The Essential 8 Strategies (ASD 8)    | November 2023 | Australian Cyber Security Center (ACSC)

Control Updates

New Runtime Controls

New runtime controls introduced to the cloud posture analysis.

AWS – New Controls

New controls introduced to the AWS cloud.

CID | Title                                                                                         | Service       | Resource
541 | Ensure CloudFront distribution should use custom SSL/TLS certificate                          | Cloudfront    | Cloudfront Distribution
542 | Ensure CloudFront distribution should use SNI to serve HTTPS requests                         | Cloudfront    | Cloudfront Distribution
543 | Ensure DynamoDB table should have deletion protection enabled                                 | DynamoDB      | DYNAMO_DB_TABLE
544 | Ensure DynamoDB Accelerator cluster should be encrypted in transit                            | DynamoDB      | DAX_CLUSTER
545 | Ensure Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests    | VPC           | Transit Gateways
546 | Ensure Amazon EC2 paravirtual instance types should not be used                               | EC2           | Instance
547 | Ensure Amazon ECS task definitions should have secure networking modes and user definitions   | ECS           | ECS_TASK_DEFINITION
548 | Ensure ECS task definitions should not share the host's process namespace                     | ECS           | ECS_TASK_DEFINITION
549 | Ensure ECS containers should run as non-privileged                                            | ECS           | ECS_TASK_DEFINITION
550 | Ensure ECS containers should be limited to read-only access to root filesystems               | ECS           | ECS_TASK_DEFINITION
551 | Ensure Neptune DB clusters should be configured to copy tags to snapshots                     | Neptune       | NEPTUNE_DB_CLUSTERS
552 | Ensure ElastiCache replication groups should be encrypted at rest                             | ElastiCache   | ELASTICACHE
553 | Athena workgroups should have logging enabled                                                 | Athena        | Athena Workgroup
555 | Ensure ActiveMQ brokers should stream audit logs to CloudWatch                                | MQ            | MQ Broker
556 | Ensure Network Firewall Logging Should be enabled                                             | VPC           | NETWORK_FIREWALL
557 | Ensure Redshift clusters should not use the default database name                             | Redshift      | REDSHIFT_CLUSTERS
558 | Ensure OpenSearch domains should have at least three data nodes                               | Elasticsearch | ES_DOMAIN
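To show what the four ECS controls above (CIDs 547 to 550) actually evaluate, here is an added example that is not Qualys or AWS code. It walks task definition documents in the shape returned under `taskDefinition` by boto3's `ecs.describe_task_definition()` and reports which control each one fails; the two sample task definitions are constructed for illustration and the CID 547 logic follows the usual reading of "secure networking modes and user definitions" (host networking combined with a root or privileged container), which is an assumption rather than Qualys's exact rule.

```python
"""Evaluate ECS task definitions against the ECS controls CID 547-550.

Added example, not Qualys or AWS code. Input documents follow the
`taskDefinition` shape returned by boto3 ecs.describe_task_definition();
the sample task definitions at the bottom are constructed, not real data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cid: int      # control ID from the release notes
    detail: str   # which task definition / container failed and why


def _runs_as_root(container: dict) -> bool:
    # ECS uses the image's default user (normally root) when "user" is unset.
    user = str(container.get("user") or "").strip()
    return user in ("", "root", "0") or user.startswith("0:")


def evaluate_task_definition(td: dict) -> list[Finding]:
    """Return one Finding per failed control for a single task definition."""
    findings: list[Finding] = []
    family = td.get("family", "<unknown>")

    # CID 548: the task must not share the host's PID namespace.
    if td.get("pidMode") == "host":
        findings.append(Finding(548, f"{family}: pidMode=host"))

    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")

        # CID 547 (assumed interpretation): host networking plus a container
        # that runs as root or privileged gives the container host-level reach.
        if td.get("networkMode") == "host" and (_runs_as_root(c) or c.get("privileged")):
            findings.append(Finding(547, f"{family}/{name}: networkMode=host with root or privileged container"))

        # CID 549: containers must not run privileged.
        if c.get("privileged") is True:
            findings.append(Finding(549, f"{family}/{name}: privileged=true"))

        # CID 550: root filesystem must be read-only (ECS default is writable).
        if c.get("readonlyRootFilesystem") is not True:
            findings.append(Finding(550, f"{family}/{name}: readonlyRootFilesystem is not true"))

    return findings


def evaluate_all(task_definitions: list[dict]) -> dict[str, list[int]]:
    """Map task definition family -> sorted list of failed CIDs."""
    return {td["family"]: sorted({f.cid for f in evaluate_task_definition(td)})
            for td in task_definitions}


# Constructed sample input (not taken from any real account).
SAMPLE_TASK_DEFINITIONS = [
    {
        "family": "legacy-agent",
        "networkMode": "host",
        "pidMode": "host",
        "containerDefinitions": [
            {"name": "agent", "image": "example/agent:1", "privileged": True},
        ],
    },
    {
        "family": "hardened-api",
        "networkMode": "awsvpc",
        "containerDefinitions": [
            {"name": "api", "image": "example/api:1", "user": "1000:1000",
             "privileged": False, "readonlyRootFilesystem": True},
        ],
    },
]

if __name__ == "__main__":
    for family, cids in evaluate_all(SAMPLE_TASK_DEFINITIONS).items():
        print(f"{family}: {'PASS' if not cids else 'FAIL ' + str(cids)}")
```

Against the constructed input, `legacy-agent` fails all four controls and `hardened-api` passes; to run this over a real account, feed it the `taskDefinition` documents from `describe_task_definition` for each active revision.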

GCP – New Control

New Control introduced to the GCP cloud.

CID   | Title                                                  | Service | Resource
52187 | Ensure KMS encryption keys are rotated within 90 days  | IAM     | CRYPTOGRAPHIC_KEYS

OCI – New Control

New Control introduced to the OCI cloud.

CID   | Title                                                                       | Service | Resource
40088 | Ensure no policies have 'manage-all resources' permission in a compartment  | IAM     | POLICY

This control is also added to the OCI Best Practices Policy.

Azure – New Control

New Control introduced to the Azure cloud.

CID   | Title                                                               | Service    | Resource   | Policy
50482 | Ensure that Diagnostic logs are enabled in Logic Apps (Standard)    | LOGIC_APPS | LOGIC_APPS | Azure Best Practices Policy

Control Title Changes

Changes to the titles of existing controls.

CID   | Old Title                                                                                   | New Title
235   | Ensure to enable data in transit encryption for EMR security configuration                  | Ensure to enable data in transit encryption for EMR Cluster using security configuration
351   | Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager | Ensure that Application Load Balancer(s) Listeners uses SSL certificates from ACM
50169 | Ensure that Advanced Threat Protection is enabled on Classic Storage Accounts               | Ensure that Advanced Threat Protection is enabled on Storage Accounts with Microsoft Defender Plan (Classic)
50114 | Ensure that network access is restricted in Cognitive Services accounts                     | Ensure that public network access is disabled or restricted in Cognitive Services accounts

New Tokens

New Tokens introduced in TotalCloud 2.16.0

Amazon Web Services

Tokens introduced in AWS Resources

Secrets

With this release, we have added support for Secrets in the Resource Inventory. Use the following tokens to find Secrets from the AWS Inventory.

Name              | Description
secret.severity   | Find secrets based on their severity level.
secret.secretType | Find secrets based on their type.
secret.category   | Find secrets based on their category.
secret.filePath   | Find secrets with the specified directory/file path.