Prisma Cloud: Alerts for policy Azure Cosmos DB (PaaS) instance reachable from untrust internet source
Symptom
We have X number of alerts for violating the "Azure Cosmos DB (PaaS) instance reachable from untrust internet source" policy, and we need help understanding how this policy identifies the untrusted internet source and where it gets the IP addresses from.
Environment
- Prisma Cloud
- Azure Cloud
Cause
When one gets an alert for the policy "Azure Cosmos DB (PaaS) instance reachable from untrust internet source" and tries to investigate further by entering the policy's RQL in Investigate, the results give little information about which IPs are untrusted and connecting:
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE' and dest.paas.service.type in ('MicrosoftDocumentDBDatabaseAccount')
Only two resources appear in the Network Path Analysis, which is not very helpful for investigating which IPs are actually making the connection. This makes it hard to determine which IPs need to be added to the Trusted Alert IP Addresses under Prisma Cloud -> Settings -> Trusted IP Addresses.
Resolution
There are two possible ways to get the IPs making the connection.
- You can refer to this document, which guides you through the Azure console to get the IPs in question.
- You can also investigate using Prisma Cloud RQL. Navigate to Prisma Cloud -> Investigate and enter the following RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.ipRangeFilter is not empty addcolumn properties.ipRangeFilter
Then find the resource matching the one returned by the RQL in the Cause section above. In this case we will use az-static-cosmos-db.
GUI Path: Investigate Page
Note the following in the above screenshot.
- If you had a look at the document provided in step 1 of the resolution, you will see that many of the IPs are the same:
104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26
That is because the account is allowing requests from the Azure portal, and these are the IPs the Azure portal uses to access the PaaS resource.
Once you have the list of IPs and add them to the Trusted Alert IP Addresses, all open alerts should be resolved, and this policy should not trigger any more alerts when the source IP matches one of the gathered IPs. Review each entry before adding it: ipRangeFilter is the account's own allow list, so adding every entry blindly to the trusted list suppresses alerts for any source the account happens to permit, whether or not it is one you intended.
GUI Path: Trusted Alert IP Addresses under Prisma Cloud > Settings > Trusted IP Addresses
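The comparison described in the resolution above (take each account's ipRangeFilter, set aside the Azure portal addresses, skip what is already trusted, and keep the rest as candidates for the Trusted Alert IP Addresses list) as an added Python example; this is not code from the original article or from Prisma Cloud. The account names, ipRangeFilter values and the existing trusted list are constructed sample data, and the handling of the 0.0.0.0 entry follows the Azure Cosmos DB firewall convention (it means "accept connections from Azure datacenters", not a real source host), which is an assumption from Azure documentation rather than something this page states.

```python
"""Work out which Cosmos DB firewall entries still need to be added to
Prisma Cloud's Trusted Alert IP Addresses. Sample data below is constructed."""
import ipaddress

# Azure portal source addresses, as listed in the resolution above. They show
# up in ipRangeFilter when "Allow access from Azure portal" is enabled.
AZURE_PORTAL_IPS = {
    "104.42.195.92", "40.76.54.131", "52.176.6.30",
    "52.169.50.45", "52.187.184.26",
}

# Constructed sample: properties.ipRangeFilter values for two accounts.
SAMPLE_ACCOUNTS = {
    "az-static-cosmos-db": "104.42.195.92,40.76.54.131,52.176.6.30,"
                           "52.169.50.45,52.187.184.26,203.0.113.10,198.51.100.0/24",
    "az-prod-cosmos-db": "0.0.0.0,203.0.113.10,203.0.113.44",
}
# Constructed sample: what is already in Settings -> Trusted IP Addresses.
EXISTING_TRUSTED = ["198.51.100.0/24"]


def parse_ip_range_filter(value):
    """Turn an ipRangeFilter value into ip_network objects.

    Accepts the comma-separated string shown in the RQL output, or (assumption:
    newer Cosmos DB API versions) a list of strings / {"ipAddressOrRange": ...}
    objects. Blank entries are skipped; a bare address becomes a /32 or /128."""
    if isinstance(value, str):
        raw_entries = value.split(",")
    else:
        raw_entries = [e["ipAddressOrRange"] if isinstance(e, dict) else e
                       for e in value]
    nets = []
    for raw in raw_entries:
        raw = raw.strip()
        if raw:
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def _display(net):
    """Bare address for host entries, CIDR notation otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def classify_entries(ip_range_filter, trusted):
    """Bucket one account's firewall entries.

    portal: Azure portal addresses; azure_datacenter: the 0.0.0.0 marker
    (Azure convention, assumption); already_trusted: covered by an existing
    trusted IP/CIDR; to_add: candidates for the Trusted Alert IP list."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    result = {"portal": [], "azure_datacenter": [],
              "already_trusted": [], "to_add": []}
    for net in parse_ip_range_filter(ip_range_filter):
        shown = _display(net)
        if shown in AZURE_PORTAL_IPS:
            result["portal"].append(shown)
        elif shown == "0.0.0.0":
            # Not a source host; must never be added as a trusted address.
            result["azure_datacenter"].append(shown)
        elif any(net.subnet_of(t) for t in trusted_nets
                 if t.version == net.version):
            result["already_trusted"].append(shown)
        else:
            result["to_add"].append(shown)
    return result


def trusted_ip_delta(accounts, trusted):
    """Union of the to_add candidates across all accounts, sorted, deduplicated."""
    candidates = set()
    for filt in accounts.values():
        candidates.update(classify_entries(filt, trusted)["to_add"])
    # Sort by (version, network): ip_network objects of different IP versions
    # cannot be compared directly.
    return sorted(candidates,
                  key=lambda s: (ipaddress.ip_network(s, strict=False).version,
                                 ipaddress.ip_network(s, strict=False)))


if __name__ == "__main__":
    for name, filt in SAMPLE_ACCOUNTS.items():
        print(name, classify_entries(filt, EXISTING_TRUSTED))
    print("add to Trusted Alert IPs:", trusted_ip_delta(SAMPLE_ACCOUNTS, EXISTING_TRUSTED))
```

The output of `trusted_ip_delta` is a review list, not something to paste straight into Settings: each candidate should be confirmed as a source you actually expect (a corporate egress range, a known partner) before it is trusted, and the Azure portal addresses are listed separately so you can decide whether portal access is an expected path for that account.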
Additional Information
Any IP address or CIDR that you have not defined as a Trusted IP Address in Prisma Cloud, and that is not part of your cloud environment, is classified as UNTRUST_INTERNET.
Please refer to this doc for more details.