Posture Control (ZPC)
Creating a New Investigation
You can choose to investigate with focus on an asset or an identity. For example, you may want to investigate publicly accessible virtual machines that have admin permissions or human admin identities that have access to publicly accessible virtual machines. To learn more about investigation, see About Investigation. To create a new investigation:
- 1. Start a new investigation.
- In the left-hand navigation, select Investigation.
- Select your Cloud Type.
- Under Focus on, select either Assets or Identities.
- Click Start Investigation.
- 2. Build a query.
ZPC offers the following predicates and respective operators to build highly contextual queries:
Asset Predicates
- Property
You can use the following asset property predicates:
- Asset ID
Returns the asset ID. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Asset Property
The asset property predicate exposes the full asset metadata for every asset type as predicates. The metadata describes the asset's attributes as key-value pairs. ZPC builds this consolidated view by combining the attributes that each cloud service provider reports on the asset details. For example, information about the disks attached to an EC2 instance is not part of the instance's own metadata on AWS, but ZPC collects it and presents it as part of the asset metadata.
ZPC offers a drop-down menu of asset properties and their corresponding values. ZPC accommodates attributes with array or multiple values, and you can search for attributes by entering partial values. For example, the metadata for an Azure VM contains a disk name with multiple statuses; the asset property predicate finds matches across all the available statuses.
The asset property predicate accepts the following operators, grouped by property type:
String
- = : Is
- ≠ : Is not
- ⊆ : Included In
- ⊈ : Not Included In
- ∋ : Contains
- ∌ : Doesn't Contain
- ⊇ : Includes
- ⊉ : Doesn't Include
Date
- = : Is
- <= : Before or on
- >= : After or on
Boolean
- = : Is
- ≠ : Is not
Number
- = : Is
- ≠ : Is not
- <= : Less than or equal
- >= : Greater than or equal
- ⊆ : Included In
- ⊈ : Not Included In
IP Address
- = : Is
- ≠ : Is not
- ⊆ : Included In
- ⊈ : Not Included In
Consider the following use case to learn more about using the asset property predicate:
- Asset Metadata
Returns the asset configuration metadata JSON object. Requests a key-value pair. Accepts the following operators:
- == : Equal to
- != : Not equal to
- Asset Name
Returns the asset display name. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Asset Type
Returns the asset type. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Cloud Provider
Returns the cloud service provider where the asset is defined. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Creation Date
Returns the date the asset was created. Accepts the following operators:
- == : Equal to
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- Tags
Returns assets that are associated with the specified tags. Accepts the following operators:
- ⊆ : Included In
- ⊈ : Not Included In
- Clusters
Returns Kubernetes clusters. Accepts the following operators:
- = : Is
- ≠ : Is not
- ⊆ : Included In
- ∋ : Contains
This predicate is only available for investigating Kubernetes clusters.
- Namespaces
Returns Kubernetes namespaces. Accepts the following operators:
- = : Is
- ≠ : Is not
- ⊆ : Included In
- ∋ : Contains
This predicate is only available for investigating Kubernetes clusters.
- Running
Returns true if the Kubernetes cluster is running. Accepts the following operator:
= : Is
This predicate is only available for investigating Kubernetes clusters.
- Publicly Exposed
Returns true if the Kubernetes cluster is publicly exposed. Accepts the following operator:
= : Is
This predicate is only available for investigating Kubernetes clusters.
- Access
You can use the following network access asset predicates:
- Internet Facing
Returns true if the asset is publicly exposed to the internet. Accepts the following operator:
= : Is
- Public Exposure Details
Returns the public exposure details JSON object. Requests a key-value pair. Accepts the following operators:
- == : Equal to
- != : Not equal to
- like : Compare with the % wildcard
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- < : Less than
- > : Greater than
- Publicly Accessible
Returns True if the asset is exposed to access from the internet. Accepts the following operator:
== : Equal to
- Relationship
The relationship predicates switch to discovering identities related to the described asset. The relationship predicates do not need operators, but open a nested condition in which you describe the identity using the identity predicates. You can always use the outer Add icon to continue describing the assets.
You can use the following relationship asset predicates:
- Vulnerability
Identity Predicates
- Property
You can use the following identity property predicates:
- Is Permission Management
Returns true if the identity can manage other identities. Accepts the following operator:
== : Equal to
- Identity Name
Returns the identity name. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Identity ID
Returns the Identity ID. Accepts the following operators:
- == : Equal to
- != : Not equal to
- in : Match in a list of values
- like : Compare with the % wildcard
- Identity Metadata
Returns the identity configuration metadata JSON object. Requests a key-value pair. Accepts the following operators:
- == : Equal to
- != : Not equal to
- like : Compare with the % wildcard
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- < : Less than
- > : Greater than
- Creation Date
Returns the timestamp for when the IAM user was created on the cloud service provider. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Source
You can use the following identity source predicates:
- Authentication
You can use the following identity authentication predicates:
- MFA required for login
Returns true if the identity needs to use multi-factor authentication. Accepts the following operator:
== : Equal to
- Can use password
Returns "Yes" if the IAM user has a password, "No" if the IAM user does not have a password, and "Unknown" for identities that ZPC does not have visibility into. Accepts the following operator:
= : Is
Available only for AWS identity focus queries.
- Can use Access Keys
Returns "Yes" if the IAM user has an access key and the access key status is active, "No" if the IAM user does not have an access key, and "Unknown" for identities that ZPC does not have visibility into. Accepts the following operator:
= : Is
Available only for AWS identity focus queries.
- Assigned Certificate
Returns "Yes" if the IAM user has an X.509 signing certificate and the certificate status is active, "No" if the IAM user does not have signing certificate, and "Unknown" for identities that ZPC does not have visibility into. Accepts the following operator:
= : Is
Available only for AWS identity focus queries.
- Relationship
The relationship predicates switch to discovering resources related to the described identity. The relationship predicates do not need operators, but open a nested condition to describe the resource using the resource-specific predicates. You can always use the outer Add icon to continue describing the identity.
You can use the following identity relationship predicates:
- Has Password
You can use the following predicates to describe the password in relationship to the identity:
- Password Last Used
Returns the timestamp for when an AWS local identity last used its password to sign in to an AWS website. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Password Last Changed
Returns the timestamp for AWS local identities that had their password changed. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Password Next Rotated
Returns the timestamp for AWS local identities that need to have their password changed based on the password policy for the cloud account. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Has Access Keys
You can use the following predicates to describe the access keys in relationship to the identity:
- Access Key Last Used
Returns the timestamp for AWS local identities that used an access key to sign an AWS API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field on AWS. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Access Key Last Changed
Returns the timestamp for AWS local identities that had an access key created or changed. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Last Used Region
Returns the AWS Region where the access key was most recently used. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field on AWS. Accepts the following operators:
- = : Is
- ≠ : Is not
- ∋ : Contains
- Last Used Service
Returns the AWS service that the access key was most recently used to access. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field on AWS. Accepts the following operators:
- = : Is
- ≠ : Is not
- ∋ : Contains
- Has Certificate Identity
You can use the following predicates to describe the certificate in relationship to the identity:
- Certificate Last Rotated
Returns the timestamp for AWS local identities that had a signing certificate created or changed. You can specify the time range using operators and the calendar value drop-down menu. Accepts the following operators:
- = : Is
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- ≬ : Between
- Permission
You can use the following identity permission predicates:
- Power Score
Returns the identity's power score, a number from 1 to 100. Accepts the following operators:
- == : Equal to
- != : Not equal to
- ≤ : Less than or equal to
- ≥ : Greater than or equal to
- < : Less than
- > : Greater than
- Root
- Access Key Enabled
Returns true if the identity has active access keys. Accepts the following operator:
== : Equal to
- Admin
Returns true if the identity is an administrator in at least one account. Accepts the following operator:
== : Equal to
- Power User
Returns true if the power score for the identity is above 80. Accepts the following operator:
== : Equal to
The following predicate values can also be entered via text along with selecting from the available drop-down menu:
- Asset Name
- Asset ID
- Asset Type
- Identity Name
- Identity ID
- Permission Set Name
- Allowed Action
- Permission Set Type
- Group Membership
- Account ID
- CVE ID
- Package Name
- Image ID
Use Cases
Consider the following use cases:
Asset Focus Use Case
Consider that you want to investigate publicly accessible virtual machine instances which have admin permissions.
Identity Focus Use Case
Consider that you want to investigate powerful human identities that do not have MFA enabled.
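The following is an added illustration, not ZPC code, of how the predicate semantics described on this page (array-aware asset property matching, the like operator with the % wildcard, and a relationship predicate that opens a nested identity condition) can be evaluated over a small constructed inventory. The record shapes, field names, operator table and sample data are assumptions made for the example; it evaluates both use cases listed above on that sample data.

```python
"""Added example (not ZPC code): evaluating investigation-style predicates over a
constructed asset/identity inventory. Field names and data shapes are assumptions."""
import re

# Constructed sample inventory. Attribute values may be scalars or arrays, as the
# asset property predicate description allows (e.g. a disk with several statuses).
ASSETS = [
    {"asset_id": "i-0a1", "asset_name": "web-prod-1", "asset_type": "EC2 Instance",
     "publicly_accessible": True, "metadata": {"disk_status": ["attached", "in-use"]},
     "identities": ["role-web"]},
    {"asset_id": "i-0b2", "asset_name": "db-prod-1", "asset_type": "EC2 Instance",
     "publicly_accessible": False, "metadata": {"disk_status": ["attached"]},
     "identities": ["role-db"]},
    {"asset_id": "vm-03", "asset_name": "bastion", "asset_type": "Azure VM",
     "publicly_accessible": True, "metadata": {"disk_status": ["unattached", "reserved"]},
     "identities": ["alice", "role-web"]},
]
IDENTITIES = {
    "alice": {"identity_name": "alice", "type": "human", "admin": True,
              "mfa_required": False, "power_score": 92},
    "bob": {"identity_name": "bob", "type": "human", "admin": False,
            "mfa_required": True, "power_score": 40},
    "role-web": {"identity_name": "role-web", "type": "non-human", "admin": False,
                 "mfa_required": False, "power_score": 55},
    "role-db": {"identity_name": "role-db", "type": "non-human", "admin": True,
                "mfa_required": False, "power_score": 70},
}


def _values(v):
    """Treat a scalar as a one-element array so the operators are array-aware."""
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def like(value, pattern):
    """SQL-style like: '%' matches any run of characters (case-sensitive here, an assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, str(value)) is not None


# Operator table. For array-valued attributes a condition holds if ANY element satisfies
# it, which is how the page describes matching across a disk's multiple statuses.
OPERATORS = {
    "==": lambda v, x: v == x,
    "!=": lambda v, x: v != x,
    "in": lambda v, x: v in x,
    "like": like,
    "<=": lambda v, x: v <= x,
    ">=": lambda v, x: v >= x,
    "<": lambda v, x: v < x,
    ">": lambda v, x: v > x,
    "⊆": lambda v, x: any(e in x for e in _values(v)),               # Included In
    "⊈": lambda v, x: not any(e in x for e in _values(v)),           # Not Included In
    "∋": lambda v, x: any(str(x) in str(e) for e in _values(v)),     # Contains (substring)
    "∌": lambda v, x: not any(str(x) in str(e) for e in _values(v)), # Doesn't Contain
}


def get_field(record, field):
    """Resolve a dotted path such as 'metadata.disk_status'; None if the attribute is absent."""
    cur = record
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match(record, conditions, related=None):
    """All conditions must hold (AND, like one query). A ('relationship', field, nested)
    entry switches to the related records named in record[field]; at least one of them
    must satisfy the nested conditions. A missing attribute never matches, even for '!='."""
    for cond in conditions:
        if cond[0] == "relationship":
            _, rel_field, nested = cond
            linked = [related[k] for k in record.get(rel_field, []) if k in related]
            if not any(match(r, nested, related) for r in linked):
                return False
        else:
            field, op, expected = cond
            actual = get_field(record, field)
            if actual is None or not OPERATORS[op](actual, expected):
                return False
    return True


def investigate(records, conditions, related=None):
    return [r for r in records if match(r, conditions, related)]


def public_vms_with_admin_access():
    """Asset focus use case: publicly accessible VMs reachable by an admin identity."""
    query = [("publicly_accessible", "==", True),
             ("relationship", "identities", [("admin", "==", True)])]
    return [a["asset_id"] for a in investigate(ASSETS, query, IDENTITIES)]


def powerful_humans_without_mfa():
    """Identity focus use case: human identities with power score above 80 and no MFA."""
    query = [("type", "==", "human"), ("power_score", ">", 80), ("mfa_required", "==", False)]
    return [i["identity_name"] for i in investigate(list(IDENTITIES.values()), query)]


def assets_with_disk_status(statuses):
    """Asset property predicate (Included In) over an array-valued attribute."""
    return [a["asset_id"] for a in investigate(ASSETS, [("metadata.disk_status", "⊆", statuses)])]


def assets_named_like(pattern):
    return [a["asset_id"] for a in investigate(ASSETS, [("asset_name", "like", pattern)])]


if __name__ == "__main__":
    print("public VMs with admin access:", public_vms_with_admin_access())
    print("powerful humans without MFA:", powerful_humans_without_mfa())
    print("assets with an unattached disk:", assets_with_disk_status(["unattached"]))
    print("assets named like %prod%:", assets_named_like("%prod%"))
```

The relationship entry is the part worth studying: the outer query keeps describing the asset, while the nested list describes the identity with identity predicates, exactly the switch the Relationship section above describes. Note that the bastion matches the asset focus query only because of the nested condition on alice; the web instance is public but its only related identity is not an admin.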
Data Security
You can use the following asset data security predicates:
Returns true if the asset has at least one file containing sensitive data detected by the ZPC data security scan. Accepts the following operator:
= : Is
- 3. Analyze query results.
After you run the query, you can:
- View the query statement.
- Save the query as a custom policy. To learn more, see Creating Custom Security Policies.
- Export the investigation result as an Excel file.
View asset details for asset-focused queries:
- Asset Name: View the cloud asset name.
- Asset ID: View the cloud asset ID.
- Alerts: View the alert count.
- Asset Type: View the asset type count.
- Region: View the region where the asset is deployed.
View identity details for identity-focused queries:
- Type: View whether the identity is human or non-human.
- Name: View the identity name as defined in your cloud service provider.
- Source: View whether the identity is federated, local, or external.
- Alerts: View the alert count related to the identity.
- Power Category: View the power category the identity belongs to, such as Data Admin.
- Entitlements: View the entitlement count which the identity can access.
- Used(%): View the entitlement count percentage which the identity is accessing.
- Assets: View the number of assets the identity can access.
- Asset Type: View the number of asset types.
- Last Activity: View the timestamp for when the identity performed its last activity.
- Start a new investigation.
- Save the current investigation.