TotalCloud Release 2.17
June 11, 2025
TotalCloud 2.17 brings updates to supported integrations, insights, inventory, and controls.
ServiceNow Integration with TotalCloud CSPM for ITSM
With this release, we have introduced an integration between TotalCloud (CSPM application) and ServiceNow ITSM. This integration enhances cloud security operations by seamlessly managing cloud configuration issues through ITSM workflows.
The ServiceNow ITSM integration introduces the following enhancements:
CMDB Synchronization
- Cloud inventory data collected by TotalCloud is automatically pushed into the ServiceNow CMDB.
- Ensures real-time visibility of cloud assets within the ITSM ecosystem.
Misconfiguration Ticket Management
- Misconfigurations identified by TotalCloud are raised as ServiceNow Incidents or Change Requests.
- Allows organizations to track, triage, and resolve configuration issues within standard ITSM processes.
Ticket Mapping to Resolver Groups
- Misconfiguration tickets are intelligently mapped to the respective resolver groups in ServiceNow.
- Supports faster remediation through correct ticket routing based on asset ownership or domain.
Benefits
- Streamlines security operations by integrating cloud risk posture into ITSM workflows.
- Enhances visibility and accountability for cloud misconfigurations across IT and security teams.
- Reduces manual effort and context switching between CSPM tools and ITSM platforms.
Prerequisites
- A ServiceNow instance with the ITSM and CMDB modules enabled.
- A TotalCloud setup with active cloud connectors and misconfiguration detection.
Supported Platforms
- AWS, Azure, GCP (via TotalCloud)
- ServiceNow (Tokyo, San Diego, and Vancouver versions supported)
Introduced an Attack Path Icon to Supported Insights
With previous releases, we had delivered the Attack Path visualization, which provided you with a clear view of the attack trajectory, its steps and how you can remediate it.
With this release, we are improving the accessibility of these attack paths with a new icon next to any insight that supports an Attack Path visualization.
Introduced Attack Path Insights for Azure and AWS Cloud
With this release, we are supporting Attack Path visualization for the following Azure and AWS insights. Now, you can have a comprehensive view of your cloud account's attack surface.
Insight CID | Title |
---|---|
5000 | Public VM with TruRisk score > 800 |
5002 | Public VM with confirmed vulnerability type |
5005 | Suspicious communication on public VM |
5015 | Public VM with vulnerability detected in last 7 days |
5017 | Public VM with a critical exploitable vulnerability |
Microsoft Azure
The following sections describe the enhancements made to the TotalCloud environment in this release for Azure.
Extended Inventory Support to Azure AI Services
TotalCloud now adds Azure AI Services as a new resource type in its Azure inventory, giving you a detailed view of the AI services running in your Azure environment.
The inventory identifies and reports the following kinds of Azure AI Services:
- AIServices
- SpeechServices
- CustomVision.Prediction
- CustomVision.Training
- TextAnalytics
- FormRecognizer
- ImmersiveReader
- ContentSafety
- ComputerVision
- TextTranslation
- OpenAI
- Face
- HealthInsights
- CognitiveServices
We have introduced a new API parameter and a new token to make these resource findings easier to search.
Read about the token in the New Tokens section below.
Read about the API parameter here.
Enhanced Searchability and Accuracy in Policy Selection of CSPM Reports
With this release, we have enhanced the count of policies retrieved when selecting policies for a CSPM report. Previously, TotalCloud had a hardcoded pagination limit which restricted policy retrieval to the first 100 entries, resulting in missing policies across cloud providers.
With TotalCloud 2.17, we have enhanced the policy selection mechanism to ensure all available policies are retrieved, removing the 100-policy limit. As part of this enhancement, we have also introduced a search bar in the Create CSPM Report workflow.
Now, you can use the Qualys Query Logic (QQL) while selecting policies to narrow down the count of policies to match your desired specifications.
Benefits
- Ensures a complete and accurate listing of all applicable RUN_TIME policies across all cloud providers.
- Improves searchability during report creation by enabling policy search and comprehensive selection.
Control Updates
New Runtime Controls
New runtime controls introduced to the cloud posture analysis.
New Controls in Amazon Web Services
Runtime controls introduced in AWS.
CID | Title | Service | Resource |
---|---|---|---|
560 | Ensure SNS Topics are encrypted | SNS | SNS_TOPIC |
New Controls in Microsoft Azure
Runtime controls introduced in Azure.
CID | Title | Service | Resource |
---|---|---|---|
50434 | Ensure that App Configuration should use a SKU that supports private link | APP_ | APP_ |
Control Title Changes
Changes to control titles.
Platform | CID | Old Title | New Title |
---|---|---|---|
Azure | 50188 | Ensure that Diagnostic Settings for Storage Blobs are configured with Log Analytics workspace | Ensure that Blob Storage is configured with Diagnostic Settings |
Azure | 50189 | Ensure that Diagnostic Settings for Storage Files are configured with Log Analytics workspace | Ensure that File Storage is configured with Diagnostic Settings |
Azure | 50190 | Ensure that Diagnostic Settings for Storage Queue are configured with Log Analytics workspace | Ensure that Queue Storage is configured with Diagnostic Settings |
Azure | 50191 | Ensure that Diagnostic Settings for Storage Table are configured with Log Analytics workspace | Ensure that Table Storage is configured with Diagnostic Settings |
AWS | 305 | Ensure ECR Image Tags for are immutable | Ensure Image Tags for ECR Repositories are immutable |
AWS | 377 | Ensure ECR image Scanning on push is enabled | Ensure image Scanning on push is enabled for ECR Repositories |
AWS | 161 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 22 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 or ::/0 to port 22 |
AWS | 170 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 3389 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 or ::/0 to port 3389 |
AWS | 156 | Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | Ensure node-to-node encryption feature is enabled for Amazon OpenSearch Service domains |
AWS | 157 | Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs | Ensure Amazon OpenSearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs |
AWS | 158 | Ensure AWS Elasticsearch Service domains are not publicly accessible | Ensure Amazon OpenSearch Service domains are not publicly accessible |
AWS | 159 | Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | Ensure Amazon OpenSearch Service domains are using the latest version of OpenSearch engine |
AWS | 285 | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Ensure all data stored in the OpenSearch is securely encrypted at rest |
AWS | 326 | Ensure Elasticsearch Domain enforces HTTPS | Ensure OpenSearch Domain enforces HTTPS |
AWS | 359 | Ensure that Elasticsearch is configured inside a VPC | Ensure that OpenSearch is configured inside a VPC |
AWS | 495 | Ensure advanced security options are enabled for AWS ElasticSearch Domain | Ensure advanced security options are enabled for Amazon OpenSearch Domain |
AWS | 496 | Ensure general purpose SSD node type is used for AWS ElasticSearch Domains | Ensure general purpose SSD node type is used for Amazon OpenSearch Domains |
AWS | 497 | Ensure KMS customer managed keys are used for encryption for AWS ElasticSearch Domains | Ensure KMS customer managed keys are used for encryption for Amazon OpenSearch Domains |
AWS | 498 | Ensure Zone Awareness is enabled for AWS ElasticSearch Domain | Ensure Zone Awareness is enabled for Amazon OpenSearch Domain |
AWS | 499 | Ensure Amazon cognito authentication is enabled for AWS ElasticSearch Domain | Ensure Amazon cognito authentication is enabled for Amazon OpenSearch Domain |
AWS | 500 | Ensure dedicated master nodes are enabled for AWS ElasticSearch Domains | Ensure dedicated master nodes are enabled for Amazon OpenSearch Domains |
AWS | 160 | Ensure that IAM Access analyzer is enabled for all regions | Ensure that IAM External Access analyzer is enabled for all regions |
Controls Deprecated for Azure Best Practices Policy (Advanced Notification)
We are deprecating the following 5 controls for the Azure Best Practices Policy in the upcoming release 2.18.
CID | Service | Resource | Title |
---|---|---|---|
50215 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests. |
50246 | Data Lake Storage | Data Lake Storage | Ensure that encryption is enabled for Data Lake Store accounts. |
50275 | Data Lake Storage | Data Lake Storage | Ensure that Diagnostic logs are enabled in Azure Data Lake Storage accounts. |
50455 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests. |
50456 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests. |
New Tokens
The following section describes the new tokens introduced as part of TotalCloud 2.17.0.
Azure AI Services Token
This new Azure token is introduced with TotalCloud 2.17.0.
Name | Description |
---|---|
aiservice.kind | Find the required AI Service by its Kind. |
TotalCloud Insights Token
This new Insight token is introduced with TotalCloud 2.17.0.
Name | Description |
---|---|
isAttackPathEnabled | Find Insights based on attack path enabled status. |
Cloud Detection and Response (CDR)
The following sections describe the enhancements made to the CDR environment in the upcoming CDR release.
These CDR enhancements will be available starting in July.
IPv6 Support Added for AWS
With this release, we have added IPv6 addressing support for AWS to the previously supported IPv4 addressing. This enhancement allows you to view findings for AWS and Azure resources with IPv6 addresses in the Investigate tab.
Currently, selecting an IPv6 address does not open its details page. This option will be available in a future release.
Integrated Container Security Runtime Process Events
With this release, we have integrated Container Runtime Security (CRS) process-event logs with the CDR Investigate menu. CRS process events are evaluated against a predefined set of rules; when an event meets a rule's criteria, a corresponding alert is generated in CDR Investigate.
Additionally, we have added MITRE information for the CRS process-based alerts. You can use the QQL tokens to filter the findings based on their MITRE information, such as rule name, tactic ID, tactic name, technique ID, and technique name.
Prerequisites
- Container Security version 1.39.0
- Runtime Sensor build 1.2.0
- Helm Chart version 2.5.0
Benefits
- Provides streamlined access to real-time CRS process-level monitoring for live containers, improving visibility and response efficiency.
- Monitors unusual behaviour and suspicious activities within containers by establishing behavioural baselines.
- Allows for continuous monitoring, detection, and response to threats in real-time, assisting in prioritizing high-risk containers and reducing attack surfaces in dynamic cloud-native environments.
- This feature requires an active Container Security subscription.
- The MITRE column will display information exclusively for CRS process-based alerts and will remain blank for other finding types.
- This new MITRE column in Investigate replaces the findings Category column. You can still use the QQL tokens to search CDR findings based on their category.
Navigate to Investigate and select Container from the Findings Type drop-down menu to view all the CS related process-based alerts.
The MITRE column shows the MITRE Tactic Name and Tactic ID information for each alert.
New Tokens
Starting in July, these new Tokens will be available to help search for specific findings in Investigate.
Name | Description | Example |
---|---|---|
tc.findings.nodeName | Search findings based on the node names | `tc.findings.nodeName: ip-10-**-10-2**` |
tc.findings.clusterName | Find CS event alerts based on cluster name | `tc.findings.clusterName: ip-10-**-9-**02` |
tc.findings.namespace | Find CS event alerts based on namespace | `tc.findings.namespace: defaultname` |
tc.findings.pod | Find CS event alerts based on CS workloads (PODs) | `tc.findings.pod: xen` |
tc.findings.containerName | Find CS event alerts based on container names | `tc.findings.containerName: ubuntu-container` |
tc.findings.procesName | Find event alerts based on CS process Names | `tc.findings.procesName: /usr/bin/cat` |
tc.findings.mitre.attack.technique.name | Find CS event alerts based on MITRE technique name | `tc.findings.mitre.attack.technique.name: Indicator Removal` |
tc.findings.mitre.attack.technique.id | Find CS event alerts based on MITRE technique Id | `tc.findings.mitre.attack.technique.id: TXXXX.XX5` |
tc.findings.mitre.attack.tactic.id | Find CS event alerts based on MITRE tactic Id | `tc.findings.mitre.attack.tactic.id: TXXXX5` |
tc.findings.mitre.attack.tactic.name | Find CS event alerts based on MITRE tactic name | `tc.findings.mitre.attack.tactic.name: Unsecured Credentials` |
tc.findings.mitre.attack.rule.name | Find CS event alerts based on MITRE rule name | `tc.findings.mitre.attack.rule.name: Cloud Credentials Accessed` |
Issues Addressed
The following reported and notable customer issues are fixed in this release:
Category/Component | Issue |
---|---|
CV-False Negative | We updated the detection logic of the following controls to resolve false negative cases: CID 50188 and 50189. |
CV-ControlEnhancement | We have introduced a control (CID 560) in TotalCloud that checks whether encryption is enabled for the SNS topic. |
CV-False Positive | We updated the detection logic of the following controls to resolve false positive cases: CID 122, 161, 170, and 50169. |
CV-ControlEnhancement | We have fixed an issue where Azure controls for log analysis only provided remediation with older Diagnostic Settings. The issue was fixed by enhancing the remediation logic for the following controls: CIDs 50215, 50455, and 50456. |
CV-UI | We fixed an issue where the customer was unable to view posture details of the Azure resources. |
CV-ControlEnhancement | We have enhanced the detection logic of CID 351 to ensure Load Balancers without any listeners do not fail the evaluation. Since Load Balancers without listeners cannot accept traffic, they do not pose a security risk and thus pass the evaluation criteria. |
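The control changes above (CID 560 for SNS encryption, the `::/0` extension of CIDs 161 and 170, and the CID 351 listener fix) each boil down to a small evaluation rule. The following is an added example written for these notes, not Qualys's own detection logic; it shows how such rules can be evaluated against resource data. The input shapes loosely follow the AWS API responses (`describe-network-acls` entries, `sns get-topic-attributes`, load balancer listeners) but are simplified, the per-listener predicate for CID 351 is a placeholder because the page does not specify what that control checks, and all sample data is constructed.

```python
"""Added example: evaluation rules for three runtime controls from these notes.
Not Qualys's detection logic; resource shapes are simplified AWS API responses
(assumption) and all sample data below is constructed."""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SSH, RDP = 22, 3389


def _entry_matches(entry: dict, family: str, port: int) -> bool:
    """Does this ingress entry match a TCP packet to `port` arriving from the
    wildcard source of the given address family ('v4' or 'v6')?"""
    if entry.get("Egress"):
        return False
    if family == "v4":
        wildcard = entry.get("CidrBlock") == ANY_IPV4
    else:
        wildcard = entry.get("Ipv6CidrBlock") == ANY_IPV6
    if not wildcard:
        return False
    proto = str(entry.get("Protocol"))
    if proto == "-1":               # all protocols, all ports
        return True
    if proto != "6":                # SSH and RDP are TCP
        return False
    rng = entry.get("PortRange", {})
    return rng.get("From", 0) <= port <= rng.get("To", 65535)


def nacl_allows_ingress_from_anywhere(nacl: dict, port: int) -> bool:
    """CID 161 (port 22) / CID 170 (port 3389) with the ::/0 extension: the ACL
    fails if, for either address family, the first wildcard rule matching the
    port is an ALLOW. NACL rules are evaluated in RuleNumber order and the
    first match wins, so a lower-numbered wildcard DENY shadows a later ALLOW.
    Checking 0.0.0.0/0 alone would miss an IPv6-only ::/0 rule entirely."""
    entries = sorted(nacl.get("Entries", []), key=lambda e: e.get("RuleNumber", 32767))
    for family in ("v4", "v6"):
        for entry in entries:
            if _entry_matches(entry, family, port):
                if entry.get("RuleAction") == "allow":
                    return True
                break               # explicit wildcard deny: nothing later applies
    return False                    # no match: the implicit '*' rule denies


def sns_topic_is_encrypted(topic_attributes: dict) -> bool:
    """CID 560: an SNS topic has server-side encryption only when the
    KmsMasterKeyId attribute (from GetTopicAttributes) is set."""
    return bool(topic_attributes.get("KmsMasterKeyId"))


def evaluate_listeners(listeners: list, listener_is_compliant) -> str:
    """CID 351 behaviour described under Issues Addressed: a load balancer with
    no listeners cannot accept traffic, so it PASSes rather than failing an
    empty evaluation. `listener_is_compliant` is a placeholder for the
    per-listener predicate the control applies (not specified on the page)."""
    if not listeners:
        return "PASS"
    return "PASS" if all(listener_is_compliant(l) for l in listeners) else "FAIL"


# --- constructed sample data ---------------------------------------------
NACL_IPV6_OPEN = {  # only an IPv6 wildcard rule opens SSH; a v4-only check misses it
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "6",
         "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Egress": False, "RuleAction": "allow", "Protocol": "6",
         "Ipv6CidrBlock": "::/0", "PortRange": {"From": 22, "To": 22}},
    ]
}
NACL_DENY_SHADOWS = {  # rule 50 denies RDP from anywhere before rule 200 allows all
    "Entries": [
        {"RuleNumber": 200, "Egress": False, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 50, "Egress": False, "RuleAction": "deny", "Protocol": "6",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    ]
}
ENCRYPTED_TOPIC = {"TopicArn": "arn:aws:sns:us-east-1:111111111111:example-topic",
                   "KmsMasterKeyId": "alias/aws/sns"}
PLAIN_TOPIC = {"TopicArn": "arn:aws:sns:us-east-1:111111111111:example-topic-2"}

if __name__ == "__main__":
    print("NACL_IPV6_OPEN SSH open:", nacl_allows_ingress_from_anywhere(NACL_IPV6_OPEN, SSH))
    print("NACL_DENY_SHADOWS RDP open:", nacl_allows_ingress_from_anywhere(NACL_DENY_SHADOWS, RDP))
    print("NACL_DENY_SHADOWS SSH open:", nacl_allows_ingress_from_anywhere(NACL_DENY_SHADOWS, SSH))
    print("encrypted topic:", sns_topic_is_encrypted(ENCRYPTED_TOPIC))
    print("LB with no listeners:", evaluate_listeners([], lambda l: False))
```

The NACL function is the one worth studying: a naive scan for any `0.0.0.0/0` allow entry would both miss the IPv6-only exposure in `NACL_IPV6_OPEN` and raise a false positive on `NACL_DENY_SHADOWS`, where a lower-numbered deny already closes port 3389 before the catch-all allow is reached.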