Seeing False Positive Alerts for Prisma Cloud Policy 'Azure Virtual Network subnet is not configured with a Network Security Group'

Created On 04/30/23 10:02 AM - Last Modified 12/17/25 22:11 PM


Symptom


  • Seeing False Positive Alerts for Prisma Cloud Policy 'Azure Virtual Network subnet is not configured with a Network Security Group'


Environment


  • Prisma Cloud
  • Azure Cloud (Azure Bastion Service enabled)


Cause


  • Azure Bastion Service is a managed service. AzureBastionSubnet is a special subnet that Azure creates when Azure Bastion is enabled; its name is fixed by Azure and cannot be changed
  • In some Azure subscription deployment environments, no Network Security Group (NSG) is created on this Bastion subnet
  • Meanwhile, the Prisma Cloud Policy 'Azure Virtual Network subnet is not configured with a Network Security Group' identifies Azure Virtual Network (VNet) subnets that are not associated with a Network Security Group (NSG)
Default RQL of this Policy:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "RouteServerSubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes"
  • Since the Bastion subnet has no NSG associated, alerts from this policy on it are expected behaviour of the query
  • However, these alerts are considered false positives in all environments that don't create an NSG on the Bastion subnet
Note: This policy does not report subnets used by Azure Firewall, Gateway, NetApp File Share, Private endpoints and Private links, as Azure recommends not configuring a Network Security Group (NSG) for these services


Resolution


Modify the RQL Query:

       Step 1: Search for this policy by name in the Policies tab
       Step 2: Under Actions, click Clone the Policy
       Step 3: Replace the RQL query with the following one, which additionally excludes the subnet named AzureBastionSubnet (matched case-insensitively, like the other reserved subnet names)
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "AzureFirewallSubnet" and name does not equal ignore case "AzureBastionSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicies'] equals Enabled and ['properties.privateLinkServiceNetworkPolicies'] equals Enabled

       Step 4: Save the policy
       Step 5: Disable the original default policy and enable the new policy

Note: The name of the Bastion subnet cannot be changed


Additional Information


Example

  • As shown below, the RQL of the default predefined policy 'Azure Virtual Network subnet is not configured with a Network Security Group' returns all Azure Virtual Network (VNet) subnets that are not associated with a Network Security Group (NSG), including AzureBastionSubnet

  • With the modified RQL query, however, the AzureBastionSubnet subnet is excluded from the results
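To make the difference between the two queries concrete, the following Python model (an added example, not part of this article and not Prisma Cloud code) evaluates each json.rule clause of the default RQL and of the modified RQL from the Resolution steps over a constructed subnet inventory. The record shape, the placeholder NSG id and the helper names are assumptions made for the illustration; the clause names and the reserved subnet names are the ones that appear in the two queries above.

```python
"""Offline model of the two RQL json.rule filters discussed in this article.

The records below are constructed, simplified Azure subnet resources. Field
names follow the ones used in the RQL (networkSecurityGroupId, name,
properties.delegations[*].properties.serviceName,
properties.privateEndpointNetworkPolicies,
properties.privateLinkServiceNetworkPolicies). The record shape is an
assumption made for this illustration, not Prisma Cloud's internal
representation of the azure-network-subnet-list API.
"""

NETAPP_DELEGATION = "Microsoft.Netapp/volumes"


def _name_not_in(subnet, excluded_names):
    """Model 'name does not equal ignore case X' for each excluded name."""
    name = subnet.get("name", "").lower()
    return all(name != excluded.lower() for excluded in excluded_names)


def _not_delegated_to_netapp(subnet):
    """Model ['properties.delegations'][*].['properties.serviceName']
    does not equal "Microsoft.Netapp/volumes" (no delegation may match)."""
    delegations = subnet.get("properties", {}).get("delegations", [])
    return all(
        d.get("properties", {}).get("serviceName") != NETAPP_DELEGATION
        for d in delegations
    )


def default_policy_alerts(subnet):
    """json.rule of the default predefined policy; True means the subnet alerts."""
    return (
        "networkSecurityGroupId" not in subnet
        and _name_not_in(subnet, ["GatewaySubnet", "RouteServerSubnet", "AzureFirewallSubnet"])
        and _not_delegated_to_netapp(subnet)
    )


def modified_policy_alerts(subnet):
    """json.rule of the cloned policy from the Resolution steps; True means alert."""
    props = subnet.get("properties", {})
    return (
        "networkSecurityGroupId" not in subnet
        and _name_not_in(subnet, ["GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet"])
        and _not_delegated_to_netapp(subnet)
        and props.get("privateEndpointNetworkPolicies") == "Enabled"
        and props.get("privateLinkServiceNetworkPolicies") == "Enabled"
    )


def _subnet(name, nsg=False, delegation=None, pe_policies="Enabled", pl_policies="Enabled"):
    """Build a constructed subnet record; nsg=True attaches a placeholder NSG id."""
    record = {
        "name": name,
        "properties": {
            "delegations": [{"properties": {"serviceName": delegation}}] if delegation else [],
            "privateEndpointNetworkPolicies": pe_policies,
            "privateLinkServiceNetworkPolicies": pl_policies,
        },
    }
    if nsg:
        # Placeholder resource id, not a real subscription or NSG.
        record["networkSecurityGroupId"] = "/subscriptions/<placeholder>/networkSecurityGroups/nsg-example"
    return record


# Constructed sample inventory covering each clause of the two queries.
SAMPLE_SUBNETS = [
    _subnet("AzureBastionSubnet"),                           # Bastion subnet, no NSG
    _subnet("GatewaySubnet"),                                # excluded by both queries
    _subnet("RouteServerSubnet"),                            # excluded only by the default query
    _subnet("AzureFirewallSubnet"),                          # excluded by both queries
    _subnet("app-subnet"),                                   # genuine finding: no NSG
    _subnet("db-subnet", nsg=True),                          # compliant: NSG attached
    _subnet("netapp-subnet", delegation=NETAPP_DELEGATION),  # delegated to NetApp volumes
    _subnet("pe-subnet", pe_policies="Disabled"),            # private endpoint policies disabled
]


def compare_policies(subnets):
    """Return the alerting subnet names under each query, sorted for stable output."""
    return {
        "default": sorted(s["name"] for s in subnets if default_policy_alerts(s)),
        "modified": sorted(s["name"] for s in subnets if modified_policy_alerts(s)),
    }


if __name__ == "__main__":
    for label, names in compare_policies(SAMPLE_SUBNETS).items():
        print(f"{label:9s} -> {names}")
```

Running the model shows AzureBastionSubnet alerting only under the default query while a genuine finding such as app-subnet alerts under both. Two further differences are visible when the two queries on this page are compared side by side: the modified query does not repeat the RouteServerSubnet exclusion from the default query, so a Route Server subnet without an NSG would alert under the cloned policy, and its two added conditions on privateEndpointNetworkPolicies and privateLinkServiceNetworkPolicies mean that subnets with those policies disabled are no longer reported. Check both points against the results of the cloned policy before disabling the default one.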



Related article: Prisma Cloud: How to distinguish between False Positive and Genuine Alerts?



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1dMCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail