TotalCloud Release 2.17

June 11, 2025

TotalCloud 2.17 brings updates to supported integrations, insights, inventory, and controls.

ServiceNow Integration with TotalCloud CSPM for ITSM

With this release, we have introduced an integration between TotalCloud (CSPM application) and ServiceNow ITSM. This integration enhances cloud security operations by seamlessly managing cloud configuration issues through ITSM workflows.

The ServiceNow ITSM integration introduces the following enhancements:

CMDB Synchronization

  • Cloud inventory data collected by TotalCloud is automatically pushed into the ServiceNow CMDB.
  • Ensures real-time visibility of cloud assets within the ITSM ecosystem.

Misconfiguration Ticket Management

  • Misconfigurations identified by TotalCloud are raised as ServiceNow Incidents or Change Requests.
  • Allows organizations to track, triage, and resolve configuration issues within standard ITSM processes.

Ticket Mapping to Resolver Groups

  • Misconfiguration tickets are intelligently mapped to the respective resolver groups in ServiceNow.
  • Supports faster remediation through correct ticket routing based on asset ownership or domain.

Benefits

  • Streamlines security operations by integrating cloud risk posture into ITSM workflows.
  • Enhances visibility and accountability for cloud misconfigurations across IT and security teams.
  • Reduces manual effort and context switching between CSPM tools and ITSM platforms.

Prerequisites

  • A ServiceNow instance with the ITSM and CMDB modules enabled.
  • A TotalCloud setup with active cloud connectors and misconfiguration detection.

Supported Platforms

  • AWS, Azure, GCP (via TotalCloud)
  • ServiceNow (Tokyo, San Diego, and Vancouver versions supported)

Introduced an Attack Path Icon to Supported Insights

With previous releases, we delivered the Attack Path visualization, which gives you a clear view of the attack trajectory, its steps, and how you can remediate it.

With this release, we are making these attack paths easier to find: a new Attack Path icon now appears next to any insight that supports an Attack Path visualization.

Attack Path Logo

Introduced Attack Path Insights for Azure and AWS Cloud

With this release, we are supporting Attack Path visualization for the following Azure and AWS insights. Now, you can have a comprehensive view of your cloud account's attack surface.

Insight CID | Title
5000 | Public VM with TruRisk score > 800
5002 | Public VM with confirmed vulnerability type
5005 | Suspicious communication on public VM
5015 | Public VM with vulnerability detected in last 7 days
5017 | Public VM with a critical exploitable vulnerability

Microsoft Azure

The following sections describe the enhancements made to the TotalCloud environment in this release for Azure. 

Extended Inventory Support to Azure AI Services

TotalCloud now adds a new resource type to its Azure inventory. Azure AI Services provides a detailed view of the AI services running in your Azure environment.

The inventory can identify and report the following kinds of Azure AI Services (the `kind` value of the resource):

  • AIServices
  • SpeechServices
  • CustomVision.Prediction
  • CustomVision.Training
  • TextAnalytics
  • FormRecognizer
  • ImmersiveReader
  • ContentSafety
  • ComputerVision
  • TextTranslation
  • OpenAI
  • Face
  • HealthInsights
  • CognitiveServices

We have introduced a new API parameter and a new token to make these resource findings easier to query.

Read about the token here.

Read about the API parameter here.

Enhanced Searchability and Accuracy in Policy Selection of CSPM Reports

With this release, we have enhanced the count of policies retrieved when selecting policies for a CSPM report. Previously, TotalCloud had a hardcoded pagination limit which restricted policy retrieval to the first 100 entries, resulting in missing policies across cloud providers.

With TotalCloud 2.17, we have enhanced the policy selection mechanism to ensure all available policies are retrieved, removing the 100-policy limit. As part of this enhancement, we have also introduced a search bar in the Create CSPM Report workflow.

Now, you can use the Qualys Query Logic (QQL) while selecting policies to narrow down the count of policies to match your desired specifications. 

Benefits

  • Ensures a complete and accurate listing of all applicable RUN_TIME policies across all cloud providers.
  • Improves searchability during report creation by enabling policy search and comprehensive selection.

Control Updates

New Runtime Controls

New runtime controls introduced to the cloud posture analysis.

New Controls in Amazon Web Services 

Runtime controls introduced in AWS.

CID | Title | Service | Resource
560 | Ensure SNS Topics are encrypted | SNS | SNS_TOPIC

New Controls in Microsoft Azure 

Runtime controls introduced in Azure.

CID | Title | Service | Resource
50434 | Ensure that App Configuration should use a SKU that supports private link | APP_CONFIGURATION | APP_CONFIGURATION

Control Title Changes

Changes to control titles.

Platform | CID | Old Title | New Title
Azure | 50188 | Ensure that Diagnostic Settings for Storage Blobs are configured with Log Analytics workspace | Ensure that Blob Storage is configured with Diagnostic Settings
Azure | 50189 | Ensure that Diagnostic Settings for Storage Files are configured with Log Analytics workspace | Ensure that File Storage is configured with Diagnostic Settings
Azure | 50190 | Ensure that Diagnostic Settings for Storage Queue are configured with Log Analytics workspace | Ensure that Queue Storage is configured with Diagnostic Settings
Azure | 50191 | Ensure that Diagnostic Settings for Storage Table are configured with Log Analytics workspace | Ensure that Table Storage is configured with Diagnostic Settings
AWS | 305 | Ensure ECR Image Tags for are immutable | Ensure Image Tags for ECR Repositories are immutable
AWS | 377 | Ensure ECR image Scanning on push is enabled | Ensure image Scanning on push is enabled for ECR Repositories
AWS | 161 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 22 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 or ::/0 to port 22
AWS | 170 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 3389 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 or ::/0 to port 3389
AWS | 156 | Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | Ensure node-to-node encryption feature is enabled for Amazon OpenSearch Service domains
AWS | 157 | Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs | Ensure Amazon OpenSearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs
AWS | 158 | Ensure AWS Elasticsearch Service domains are not publicly accessible | Ensure Amazon OpenSearch Service domains are not publicly accessible
AWS | 159 | Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | Ensure Amazon OpenSearch Service domains are using the latest version of OpenSearch engine
AWS | 285 | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Ensure all data stored in the OpenSearch is securely encrypted at rest
AWS | 326 | Ensure Elasticsearch Domain enforces HTTPS | Ensure OpenSearch Domain enforces HTTPS
AWS | 359 | Ensure that Elasticsearch is configured inside a VPC | Ensure that OpenSearch is configured inside a VPC
AWS | 495 | Ensure advanced security options are enabled for AWS ElasticSearch Domain | Ensure advanced security options are enabled for Amazon OpenSearch Domain
AWS | 496 | Ensure general purpose SSD node type is used for AWS ElasticSearch Domains | Ensure general purpose SSD node type is used for Amazon OpenSearch Domains
AWS | 497 | Ensure KMS customer managed keys are used for encryption for AWS ElasticSearch Domains | Ensure KMS customer managed keys are used for encryption for Amazon OpenSearch Domains
AWS | 498 | Ensure Zone Awareness is enabled for AWS ElasticSearch Domain | Ensure Zone Awareness is enabled for Amazon OpenSearch Domain
AWS | 499 | Ensure Amazon cognito authentication is enabled for AWS ElasticSearch Domain | Ensure Amazon cognito authentication is enabled for Amazon OpenSearch Domain
AWS | 500 | Ensure dedicated master nodes are enabled for AWS ElasticSearch Domains | Ensure dedicated master nodes are enabled for Amazon OpenSearch Domains
AWS | 160 | Ensure that IAM Access analyzer is enabled for all regions | Ensure that IAM External Access analyzer is enabled for all regions
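The new control CID 560 and the retitled controls CID 161 and 170 are simple enough to show as evaluation logic. The following is an added example, not TotalCloud's own detection code: it runs three checks over constructed resource records whose attribute names follow the AWS API JSON shapes (sns:GetTopicAttributes and ec2:DescribeNetworkAcls), which is an assumption about layout, not TotalCloud's inventory schema. The point of the `acl-ipv6-gap` sample is the one behind the title change: an ACL that denies 0.0.0.0/0 but allows ::/0 still exposes the port, and a check that only inspects IPv4 CIDRs reports it as compliant.

```python
"""Evaluate three of the AWS runtime controls listed above over constructed
resource descriptions. Added illustration, not TotalCloud's detection logic;
the CID mapping is taken from the tables on this page."""
from ipaddress import ip_network

# Constructed sample data (not real accounts or resources).
SNS_TOPICS = [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
     "KmsMasterKeyId": "alias/aws/sns"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:plain",
     "KmsMasterKeyId": ""},
]

def _entry(num, action, cidr, proto="6", port=None, egress=False):
    """Build one NACL entry in DescribeNetworkAcls shape (assumed layout)."""
    e = {"RuleNumber": num, "RuleAction": action, "Protocol": proto,
         "Egress": egress}
    e["Ipv6CidrBlock" if ":" in cidr else "CidrBlock"] = cidr
    if port is not None:
        e["PortRange"] = {"From": port, "To": port}
    return e

NETWORK_ACLS = [
    # Denies both address families explicitly before the defaults: PASS.
    {"NetworkAclId": "acl-dualstack-ok", "Entries": [
        _entry(100, "allow", "10.0.0.0/8", port=22),
        _entry(200, "deny", "0.0.0.0/0", port=22),
        _entry(210, "deny", "::/0", port=22),
        _entry(32767, "deny", "0.0.0.0/0", proto="-1"),
        _entry(32768, "deny", "::/0", proto="-1")]},
    # Blocks IPv4 on 22 but admits the whole IPv6 internet: the gap the
    # retitled controls 161/170 now cover.
    {"NetworkAclId": "acl-ipv6-gap", "Entries": [
        _entry(100, "deny", "0.0.0.0/0", port=22),
        _entry(110, "allow", "::/0", port=22),
        _entry(32767, "deny", "0.0.0.0/0", proto="-1"),
        _entry(32768, "deny", "::/0", proto="-1")]},
    # Allows all traffic from any IPv4 address: fails both port checks.
    {"NetworkAclId": "acl-open", "Entries": [
        _entry(100, "allow", "0.0.0.0/0", proto="-1"),
        _entry(32767, "deny", "0.0.0.0/0", proto="-1"),
        _entry(32768, "deny", "::/0", proto="-1")]},
]

def sns_topic_encrypted(topic):
    """CID 560: a topic is encrypted at rest when a KMS key is attached."""
    return bool(topic.get("KmsMasterKeyId"))

def nacl_unrestricted_ingress(acl, port):
    """Address families for which an ingress rule admits the whole internet
    to `port`. Entries are walked lowest RuleNumber first, and the first
    any-address rule (prefix length 0) that covers the port decides for its
    family, mirroring NACL evaluation order (first match wins)."""
    exposed, decided = set(), set()
    for rule in sorted(acl["Entries"], key=lambda r: r["RuleNumber"]):
        if rule["Egress"]:
            continue
        net = ip_network(rule.get("CidrBlock") or rule.get("Ipv6CidrBlock"))
        family = "IPv4" if net.version == 4 else "IPv6"
        if family in decided or net.prefixlen != 0:
            continue
        if rule["Protocol"] not in ("-1", "6"):   # all protocols or TCP
            continue
        pr = rule.get("PortRange")                 # absent means all ports
        if pr is not None and not (pr["From"] <= port <= pr["To"]):
            continue
        decided.add(family)
        if rule["RuleAction"] == "allow":
            exposed.add(family)
    return sorted(exposed)

def evaluate_controls(topics, acls):
    """Map CID -> failing resources, using the CIDs from this release's tables."""
    findings = {"560": [], "161": [], "170": []}
    for t in topics:
        if not sns_topic_encrypted(t):
            findings["560"].append(t["TopicArn"])
    for acl in acls:
        for cid, port in (("161", 22), ("170", 3389)):
            fams = nacl_unrestricted_ingress(acl, port)
            if fams:
                findings[cid].append(f"{acl['NetworkAclId']} ({', '.join(fams)})")
    return findings

if __name__ == "__main__":
    for cid, failing in evaluate_controls(SNS_TOPICS, NETWORK_ACLS).items():
        print(cid, "FAIL" if failing else "PASS", failing)
```

Only the rules with a prefix length of 0 are treated as "the internet"; a narrower allow such as 10.0.0.0/8 is deliberately ignored, because the control titles speak of 0.0.0.0/0 and ::/0 rather than any broad range.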

Controls Deprecated for Azure Best Practices Policy (Advanced Notification)

We are deprecating the following 5 controls for the Azure Best Practices Policy in the upcoming release 2.18.

CID | Service | Resource | Title
50215 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests.
50246 | Data Lake Storage | Data Lake Storage | Ensure that encryption is enabled for Data Lake Store accounts.
50275 | Data Lake Storage | Data Lake Storage | Ensure that Diagnostic logs are enabled in Azure Data Lake Storage accounts.
50455 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests.
50456 | Storage Account | Storage Account | Ensure Storage logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests.

New Tokens

The following section describes the new tokens introduced as part of TotalCloud 2.17.0.

Azure AI Services Token

This new Azure token is introduced with TotalCloud 2.17.0.

Name | Description
aiservice.kind | Find the required AI Service by its Kind.

TotalCloud Insights Token

This new Insight token is introduced with TotalCloud 2.17.0.

Name | Description
isAttackPathEnabled | Find Insights based on attack path enabled status.

Cloud Detection and Response (CDR)

The following sections describe the enhancements made to the CDR environment in the upcoming CDR release. 

These CDR enhancements will be available starting in July. 

IPv6 Support Added for AWS 

With this release, we have added IPv6 addressing support for AWS to the previously supported IPv4 addressing. This enhancement allows you to view findings for AWS and Azure resources with IPv6 addresses in the Investigate tab.

Currently, IPv6 addresses do not have the option to redirect to their respective details page when selected. This feature will be available in future releases.

IPv6 in Investigate Tab

Integrated Container Security Runtime Process Events

With this release, we have integrated the Container Runtime Security (CRS) Process-Events logs with the CDR Investigate menu. The CRS process event logs are analysed against a predefined set of rules; when a CRS process event meets a rule's criteria, an alert for that event is generated in CDR Investigate.

Additionally, we have added MITRE information for the CRS process-based alerts. You can use the QQL tokens to filter the findings based on their MITRE information, such as rule name, tactic ID, tactic name, technique ID, and technique name.

Prerequisites

  • Container Security version 1.39.0
  • Runtime Sensor build 1.2.0
  • Helm Chart version 2.5.0

Benefits

  • Provides streamlined access to real-time CRS process-level monitoring for live containers, improving visibility and response efficiency.
  • Monitors unusual behaviour and suspicious activities within containers by establishing behavioural baselines.
  • Allows for continuous monitoring, detection, and response to threats in real-time, assisting in prioritizing high-risk containers and reducing attack surfaces in dynamic cloud-native environments.

Notes

  • This feature requires an active Container Security subscription.
  • The MITRE column will display information exclusively for CRS process-based alerts and will remain blank for other finding types.
  • This new MITRE column in Investigate replaces the findings Category column. You can still use the QQL tokens to search CDR findings based on their category.

Navigate to Investigate and select Container from the Findings Type drop-down menu to view all the CS related process-based alerts.

Risk Acceptance Rules

The MITRE column shows the MITRE Tactic Name and Tactic ID information for each alert.

MITRE Attack Information

New Tokens

Starting in July, these new Tokens will be available to help search for specific findings in Investigate.

Name | Description | Example
tc.findings.nodeName | Search findings based on the node names | `tc.findings.nodeName: ip-10-**-10-2**`
tc.findings.clusterName | Find CS event alerts based on cluster name | `tc.findings.clusterName: ip-10-**-9-**02`
tc.findings.namespace | Find CS event alerts based on namespace | `tc.findings.namespace: defaultname`
tc.findings.pod | Find CS event alerts based on CS workloads (PODs) | `tc.findings.pod: xen`
tc.findings.containerName | Find CS event alerts based on container names | `tc.findings.containerName: ubuntu-container`
tc.findings.procesName | Find event alerts based on CS process Names | `tc.findings.procesName: /usr/bin/cat`
tc.findings.mitre.attack.technique.name | Find CS event alerts based on MITRE technique name | `tc.findings.mitre.attack.technique.name: Indicator Removal`
tc.findings.mitre.attack.technique.id | Find CS event alerts based on MITRE technique Id | `tc.findings.mitre.attack.technique.id: TXXXX.XX5`
tc.findings.mitre.attack.tactic.id | Find CS event alerts based on MITRE tactic Id | `tc.findings.mitre.attack.tactic.id: TXXXX5`
tc.findings.mitre.attack.tactic.name | Find CS event alerts based on MITRE tactic name | `tc.findings.mitre.attack.tactic.name: Unsecured Credentials`
tc.findings.mitre.attack.rule.name | Find CS event alerts based on MITRE rule name | `tc.findings.mitre.attack.rule.name: Cloud Credentials Accessed`

Issues Addressed

The following reported and notable customer issues are fixed in this release:

Category/Component | Issue
CV-False Negative | We updated the detection logic of the following controls to resolve false negative cases: CID 50188 and 50189.
CV-ControlEnhancement | We have introduced a control (CID 560) in TotalCloud that checks whether encryption is enabled for the SNS topic.
CV-False Positive | We updated the detection logic of the following controls to resolve false positive cases: CID 122, 161, 170, and 50169.
CV-ControlEnhancement | We have fixed an issue where Azure controls for log analysis only provided remediation with older Diagnostic settings. The issue was fixed by enhancing the remediation logic for the following controls: CIDs 50215, 50455, and 50456.
CV-UI | We fixed an issue where the customer was unable to view posture details of the Azure resources.
CV-ControlEnhancement | We have enhanced the detection logic of CID 351 to ensure Load Balancers without any listeners do not fail the evaluation. Since Load Balancers without listeners cannot accept traffic, they do not pose a security risk and thus pass the evaluation criteria.
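The CID 351 fix is a common false-positive pattern in posture checks: a resource with nothing to evaluate gets reported as non-compliant because "any listener satisfies the rule" is trivially false for an empty list. The following added example (not TotalCloud's detection code) contrasts that naive evaluation with one that treats a load balancer without listeners as having no reachable surface. What CID 351 actually checks on each listener is not stated on this page, so the per-listener predicate `listener_ok` and the record layout (loosely after elbv2:DescribeListeners) are hypothetical placeholders.

```python
"""Naive vs. corrected evaluation of a listener-level load balancer control,
over constructed records. Added illustration; the listener requirement is a
hypothetical stand-in, since the page does not describe CID 351's check."""

# Constructed sample load balancers (assumed layout, not TotalCloud's schema).
LOAD_BALANCERS = [
    {"LoadBalancerName": "lb-no-listeners", "Listeners": []},
    {"LoadBalancerName": "lb-https",
     "Listeners": [{"Protocol": "HTTPS", "Port": 443}]},
    {"LoadBalancerName": "lb-http",
     "Listeners": [{"Protocol": "HTTP", "Port": 80}]},
    {"LoadBalancerName": "lb-mixed",
     "Listeners": [{"Protocol": "HTTPS", "Port": 443},
                   {"Protocol": "HTTP", "Port": 80}]},
]

def listener_ok(listener):
    """Hypothetical per-listener requirement: the listener terminates TLS."""
    return listener["Protocol"] in ("HTTPS", "TLS")

def evaluate_naive(lb):
    """Before the fix: any() over an empty list is False, so a load balancer
    that cannot accept traffic at all is reported as failing."""
    return "PASS" if any(listener_ok(l) for l in lb["Listeners"]) else "FAIL"

def evaluate_fixed(lb):
    """After the fix: no listeners means no reachable surface, so PASS;
    otherwise every listener must satisfy the requirement."""
    if not lb["Listeners"]:
        return "PASS"
    return "PASS" if all(listener_ok(l) for l in lb["Listeners"]) else "FAIL"

def compare(lbs):
    """Name -> (naive result, fixed result) for each load balancer."""
    return {lb["LoadBalancerName"]: (evaluate_naive(lb), evaluate_fixed(lb))
            for lb in lbs}

if __name__ == "__main__":
    for name, (naive, fixed) in compare(LOAD_BALANCERS).items():
        print(f"{name:16} naive={naive} fixed={fixed}")
```

The `lb-mixed` record also shows why the corrected version uses `all()` rather than `any()`: a single compliant listener should not hide a non-compliant one on the same load balancer.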