Network exposure rules detect assets that are reachable over the network in ways you did not intend: inbound from the Internet (or from another source network you specify), outbound to a destination network, or east-west between assets in a cloud account.
To create a network exposure rule:

1. Navigate to Posture Management → Rules & Policies → Rules → Cloud Security.
2. Select Create Rule → Network Exposure.
3. In the Overview step, provide the following:
   - Enter a Rule Name and Description.
   - Select a Severity. Findings generated by this rule inherit this severity.
   - (Optional) Add Labels.
4. In the Rule Logic step, select the rule type (Inbound, Outbound, or East-West) and define the traffic flow you want to monitor. The parameters available differ by rule type and asset type; use the tooltips next to the parameter names for more information about each option, and see the parameter tables below.
   - Click Advanced Settings to access additional options such as Protocol/Port and Host State.
5. Click Done to save your rule.
Define network exposure rule logic
When creating a network exposure rule, you define the flow of traffic you want to monitor: where it comes from, which assets it reaches, and on which protocols and ports.
On the Rule Logic page, provide the following, depending on the rule type you are creating:
Inbound
Provide the following information:

| Parameter | Description |
|---|---|
| Source Network | Define the origin of the traffic. The default is Untrusted Internet (all public IPs); specify an IP address or CIDR range instead to look for exposure to a specific network. |
| Destination Asset Type | Select the resource type to check for exposure. Supported types: VM Instance, Kubernetes, Managed DB, and Serverless Function. |
| Cloud Service Provider | Choose the provider (AWS, Azure, or GCP). |
| Advanced Settings | The following options are available under Advanced Settings. |
| Protocol/Port | Specify the protocols and ports that generate findings if exposed (e.g., tcp/80, tcp/443, tcp/22). |
| Host State | For VM instances, alert on Active (running) workloads or on Stopped workloads (which would become exposed when restarted). |
| Ingress Route (Kubernetes only) | If you selected Kubernetes as the asset type, you can restrict the check to a particular ingress route path (e.g., /home). |
| Use External Probe Validation | Set to Yes to actively probe the asset from outside before generating a finding, confirming that it is actually reachable. This reduces false positives caused by controls that are not visible in the cloud configuration, such as an external firewall in front of the asset. |
| HTTP Response Code | If External Probe Validation is enabled, you can further filter findings by the HTTP response code the asset returns (e.g., 200 OK, 403 Forbidden). |
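To make the inbound parameters concrete, the following is an added example (not the product's own code) of how such a rule can be evaluated against a small, constructed inventory: an allow entry exposes an asset to Untrusted Internet if it contains at least one public address, a specific Source Network counts when it overlaps the allow entry, Host State selects running or stopped hosts, and External Probe Validation with an HTTP Response Code filter suppresses findings the probe cannot confirm. The asset inventory, the `any` protocol, the probe result format and every name in it are assumptions.

```python
# Added example, not the product's engine; names, formats and the data below are assumptions.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
import ipaddress

UNTRUSTED_INTERNET = "untrusted_internet"   # rule shorthand for "all public IPs"
# IPv4 ranges no Internet source can come from (RFC 1918, loopback, link-local, CGNAT, 0/8, 224/3).
NON_PUBLIC = [ipaddress.IPv4Network(c) for c in ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
              "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def contains_public_address(cidr: str) -> bool:
    """True if cidr admits at least one public source, i.e. NON_PUBLIC does not cover it."""
    pieces = [ipaddress.IPv4Network(cidr, strict=False)]
    for block in NON_PUBLIC:                    # CIDR blocks nest or are disjoint, so each
        kept = []                               # block is dropped, carved out, or irrelevant
        for piece in pieces:
            if piece.subnet_of(block):          # wholly non-public: drop
                continue
            if block.subnet_of(piece):          # carve the block out, keep the remainder
                kept.extend(piece.address_exclude(block))
            else:                               # disjoint: keep as is
                kept.append(piece)
        pieces = kept
    return bool(pieces)

def port_range(spec: str) -> tuple:
    """'tcp/22' -> ('tcp', 22, 22); 'tcp/8000-8080' -> ('tcp', 8000, 8080)."""
    proto, _, ports = spec.lower().partition("/")
    lo, _, hi = ports.partition("-")
    first, last = int(lo), int(hi or lo)
    if not 0 <= first <= last <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return proto, first, last

def ports_overlap(rule_spec: str, allow_spec: str) -> bool:
    """Does the allow entry cover any of the rule's ports? ('any' = every protocol, assumed)"""
    rp, r0, r1 = port_range(rule_spec)
    ap, a0, a1 = port_range(allow_spec)
    return ap in (rp, "any") and r0 <= a1 and a0 <= r1

def source_reaches(rule_source: str, allowed_cidr: str) -> bool:
    """Can the rule's source network get through this allow entry? (any overlap counts)"""
    if rule_source == UNTRUSTED_INTERNET:
        return contains_public_address(allowed_cidr)
    src = ipaddress.IPv4Network(rule_source, strict=False)
    return src.overlaps(ipaddress.IPv4Network(allowed_cidr, strict=False))

@dataclass
class Asset:
    name: str
    asset_type: str      # vm_instance | kubernetes | managed_db | serverless_function
    state: str           # active | stopped
    inbound_allow: list  # (peer CIDR, "proto/ports") pairs from the asset's firewall rules
    probe: Optional[dict] = None   # constructed external-probe results, keyed by port
@dataclass
class InboundRule:
    name: str
    severity: str                     # findings inherit this
    asset_type: str
    source: str = UNTRUSTED_INTERNET  # or a specific IP/CIDR
    ports: tuple = ("tcp/22",)
    host_state: str = "active"
    probe_validation: bool = False
    http_codes: Optional[frozenset] = None
Finding = namedtuple("Finding", "rule severity asset port peer")

def probe_passes(rule: InboundRule, asset: Asset, port: str) -> bool:
    """External probe validation: drop findings the probe cannot confirm from outside."""
    if not rule.probe_validation:
        return True
    result = (asset.probe or {}).get(port)
    if not result or not result.get("reachable"):
        return False                  # e.g. an external firewall not visible in the cloud config
    return rule.http_codes is None or result.get("http_status") in rule.http_codes

def evaluate(rule: InboundRule, assets: list) -> list:
    findings = []
    for a in assets:
        if a.asset_type != rule.asset_type or a.state != rule.host_state:
            continue
        for peer, allow_ports in a.inbound_allow:
            for port in rule.ports:
                if (source_reaches(rule.source, peer) and ports_overlap(port, allow_ports)
                        and probe_passes(rule, a, port)):
                    findings.append(Finding(rule.name, rule.severity, a.name, port, peer))
    return findings

INVENTORY = [   # constructed sample data
    Asset("web-1", "vm_instance", "active", [("0.0.0.0/0", "tcp/443"), ("0.0.0.0/0", "tcp/22")],
          probe={"tcp/443": {"reachable": True, "http_status": 200},
                 "tcp/22": {"reachable": False}}),      # an upstream firewall drops 22
    Asset("batch-2", "vm_instance", "stopped", [("203.0.113.0/24", "tcp/22")]),
    Asset("mixed-3", "vm_instance", "active", [("10.0.0.0/7", "any/0-65535")]),  # 11.0.0.0/8 is public
]
SSH_OPEN = InboundRule("ssh-from-internet", "high", "vm_instance")
SSH_STOPPED = InboundRule("ssh-stopped-hosts", "medium", "vm_instance", host_state="stopped")
HTTPS_CONFIRMED = InboundRule("https-confirmed", "high", "vm_instance", ports=("tcp/443",),
                              probe_validation=True, http_codes=frozenset({200}))
```

Calling `evaluate(SSH_OPEN, INVENTORY)` reports web-1 (0.0.0.0/0 on tcp/22) and mixed-3, whose 10.0.0.0/7 allow entry looks private but also covers the public 11.0.0.0/8; batch-2 appears only under `SSH_STOPPED` because it is stopped, and `HTTPS_CONFIRMED` reports web-1 alone because mixed-3 has no probe result confirming that it is reachable. The carve-out in `contains_public_address` is what makes "Untrusted Internet" mean all public IPs rather than just 0.0.0.0/0.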
Outbound
Provide the following information:

| Parameter | Description |
|---|---|
| Source Asset Type | Select the asset type whose outbound traffic the rule evaluates. |
| Destination Network | Define the destination network the rule evaluates; a finding is generated when the asset can send traffic to it. |
| Cloud Service Provider | Choose the provider (AWS, Azure, or GCP). |
| Advanced Settings | The following options are available under Advanced Settings. |
| Protocol/Port | Specify the protocols and ports that generate findings if the asset can reach the destination network on them (e.g., tcp/80, tcp/443, tcp/22). |
| Host State | For VM instances, alert on Active (running) workloads or on Stopped workloads (whose outbound path would apply again once restarted). |
East-West
Provide the following information:

| Parameter | Description |
|---|---|
| Asset Type | Select the asset type the rule evaluates. |
| Cloud Service Provider | Choose the provider (AWS, Azure, or GCP). |
| Cloud Account | Select the cloud account in which the rule runs. |
| Advanced Settings | The following options are available under Advanced Settings. |
| Protocol/Port | Specify the protocols and ports that generate findings if they are reachable between assets (e.g., tcp/80, tcp/443, tcp/22). |
| Host State | For VM instances, alert on Active (running) workloads or on Stopped workloads (which would become reachable again when restarted). |