Features Introduced in September 2020

Learn what’s new on Prisma™ Cloud in September 2020.

Features Introduced in 20.9.2

New Features

Feature
Description
License Credits Used for Non-Onboarded Cloud Accounts
If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting—such as private cloud or on-premises environments, public cloud providers that are not supported on Prisma Cloud, or accounts that you have not added to Prisma Cloud—you can now view the credits used to protect the associated resources on the Licensing page.
GCP Cloud Account Onboarding Status Updates
When you add your GCP account on Prisma Cloud, the status message is improved to inform you of missing permissions. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.
Nested Rules in Config RQL to Query Data Within JSON Arrays
Nested rules extend the use of logical expressions for metadata contained within a JSON array, so that you can use more than primitive operators for comparisons and a richer query format. With this enhancement, auto completion for json.rule = also becomes available when you construct RQL.
The enhancement allows you to rewrite RQL that was
config where api.name='a' and json.rule = "$.path[?(@.x == true || @.y == 'str' ..)].val is false"
as
config where api.name='a' and json.rule="$.path[?any[<logical expression>]] exists | does not exist"
As an example, if you used:
config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0"
you can now rewrite it as:
config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty)] exists
And some more examples:
config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists
In the second example, the nested rule lets you check whether toPort and cidrIp are included within the same array element.
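The distinction that the security-group example turns on, that all conditions inside [?any(...)] are evaluated against one and the same array element, is easy to lose when the sub-conditions are written as independent projections. The following is an added illustration in plain Python, not Prisma Cloud code and not an RQL engine: it applies the inner condition of the ipPermissionsEgress example to each element in turn and contrasts that with checking the two sub-conditions separately over the array. The security-group documents are constructed for the example.

```python
"""Element-correlated array conditions, modelled in plain Python.

Added example, not Prisma Cloud code and not an RQL engine. It evaluates the
security-group condition from the nested-rule example above,

    ipPermissionsEgress[?any( toPort greater than 22 and
        ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists

by applying the whole inner condition to each array element, and contrasts
that with checking the two sub-conditions independently over the array.
The security-group documents are constructed for this example.
"""
from typing import Any, Callable, Dict, List

Element = Dict[str, Any]


def any_element(items: List[Element], cond: Callable[[Element], bool]) -> bool:
    """Models `array[?any(<cond>)] exists`: some single element satisfies cond."""
    return any(cond(item) for item in items)


def egress_rule_cond(rule: Element) -> bool:
    """The inner condition, applied to ONE ipPermissionsEgress element."""
    return rule.get("toPort", -1) > 22 and any_element(
        rule.get("ipv4Ranges", []),
        lambda rng: "0.0" not in rng.get("cidrIp", ""),
    )


def correlated_match(sg: Element) -> bool:
    """Nested-rule form: both sub-conditions must hold on the same element."""
    return any_element(sg.get("ipPermissionsEgress", []), egress_rule_cond)


def uncorrelated_match(sg: Element) -> bool:
    """Independent projections: each sub-condition may be met by a different element."""
    rules = sg.get("ipPermissionsEgress", [])
    port_hit = any(r.get("toPort", -1) > 22 for r in rules)
    cidr_hit = any(
        "0.0" not in rng.get("cidrIp", "")
        for r in rules
        for rng in r.get("ipv4Ranges", [])
    )
    return port_hit and cidr_hit


# Constructed: the port above 22 is open only to 0.0.0.0/0 (which contains
# "0.0"), and the private prefix is attached only to port 22, so no single
# element meets both sub-conditions although each is met by some element.
SPLIT_SG: Element = {
    "groupId": "sg-constructed-split",
    "ipPermissionsEgress": [
        {"fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "172.16.5.0/24"}]},
        {"fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: one element meets both sub-conditions at once.
SAME_ELEMENT_SG: Element = {
    "groupId": "sg-constructed-same",
    "ipPermissionsEgress": [
        {"fromPort": 8080, "toPort": 8080, "ipv4Ranges": [{"cidrIp": "172.16.5.0/24"}]},
    ],
}

if __name__ == "__main__":
    for sg in (SPLIT_SG, SAME_ELEMENT_SG):
        print(sg["groupId"], "correlated:", correlated_match(sg),
              "uncorrelated:", uncorrelated_match(sg))
```

For SPLIT_SG the uncorrelated evaluation reports a match and the correlated one does not; when writing a policy, the nested form is the one that expresses "this rule opens a high port to a given range" rather than "some rule has a high port and some rule has that range".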
Policy Descriptor
A human readable unique policy identifier is added to Prisma Cloud Default policies of type Config, Audit event and Network. See the new Policy Descriptor column on the Policies page. This unique descriptor is an additional field, and it does not replace the existing Policy ID that is available when you use the REST API.
Support for Audit Event Logs on AWS China and Azure China
Prisma Cloud tenants deployed on AWS China and Azure China regions can now ingest events recorded in audit logs from your cloud environments. With this data, you can use event where RQL queries and see alerts for policies that match on audit events, to identify compliance and operational risks across your infrastructure.
API Ingestion
  • AWS Transit Gateway
    aws-vpc-transit-gateway
    Additional permissions required: ec2:DescribeTransitGateways
    The permission is included with the SecurityAudit predefined role.
  • AWS Database Migration Service
    aws-dms-endpoint
    Additional permissions required: dms:DescribeEndpoints, dms:ListTagsForResource
    The permissions are included with the SecurityAudit predefined role.
  • AWS Elasticbeanstalk (updated)
    aws-elasticbeanstalk-configuration-settings
    Additional permissions required: s3:GetObject for the resources on:
      • AWS commercial: arn:aws:s3:::elasticbeanstalk-*/*
      • AWS GovCloud and FedRAMP: arn:aws-us-gov:s3:::elasticbeanstalk-*/*
      • AWS China: arn:aws-cn:s3:::elasticbeanstalk-*/*
    The CFTs are updated to include a new policy, PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk.
  • Azure Compute
    azure-disk-list
  • Azure Logic Apps
    azure-logic-app-custom-connector
    Additional permissions required: Microsoft.Web/customApis/read
    If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.
  • Azure Resource Manager
    azure-role-assignment
  • Azure Virtual Network
    azure-network-public-ip-address
    Additional permissions required: Microsoft.Network/publicIPAddresses/read
    If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to azure_prisma_cloud_read_only_role.json.
  • Google Cloud Bigtable
    gcloud-bigtable-table
    Additional permissions required: bigtable.tables.list, bigtable.tables.getIamPolicy
    These permissions are included in the predefined Project Viewer role.
  • Google Access Context Manager
    gcloud-access-policy
    Additional permissions required: accesscontextmanager.accessPolicies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list
    These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined role Access Context Manager Reader.
  • Google Compute Engine
    gcloud-compute-route
    Additional permissions required: compute.routes.list
    This permission is included in the predefined Project Viewer role.
Terraform Script Updates
If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not included in the predefined Viewer role.
Permissions added:
storage.buckets.getIamPolicy
pubsub.topics.getIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.snapshots.getIamPolicy
bigquery.tables.get
bigquery.tables.list
GCP APIs additionally enabled by default:
accesscontextmanager.googleapis.com
pubsub.googleapis.com
run.googleapis.com
appengine.googleapis.com
serviceusage.googleapis.com
bigtableadmin.googleapis.com
dataproc.googleapis.com
recommender.googleapis.com
cloudfunctions.googleapis.com
redis.googleapis.com
Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads
The AWS CFTs now have additional permissions added to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud.
PrismaCloud-ReadOnly-Policy-Compute role—the CFT used for Monitor mode includes additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
PrismaCloud-Remediation-Policy-Compute role—the CFT used for Monitor & Protect mode includes additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
  • If you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute for AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.
  • Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the onboarded AWS cloud accounts. The cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for Monitor, or Monitor & Protect, mode.

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
Policy Name
Description
New Policies
AWS S3 Buckets Block public access setting disabled—Identifies AWS S3 buckets with the Block public access setting disabled. Enabling Block public access on publicly accessible S3 buckets enables you to ensure that data is never accidentally or maliciously exposed publicly.
This policy includes the CLI for automated remediation, when you provide the permissions required.
Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
  • AWS IAM user/role/policy has unused permissions in the last 90 days_RL
  • AWS S3 bucket having policy overly permissive to VPC endpoints
  • AWS IAM role with cross-account access_RL
Policy Updates—RQL and Metadata
The RQL in the following policies is updated:
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol
Policy Name Updated—Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
Updated RQL—The RQL has been updated to handle traffic on protocol 'tcp' and 'any' (*) properly. With this change, this policy will alert on inbound traffic using TCP.
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"
Azure Network Security Group allows SQL Server (UDP Port 1434)
Policy Name Updated—Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"
Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
Policy Name Updated—Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"
Azure Network Security Group allows ICMP (Ping)
Updated RQL—The RQL has been updated to handle ICMP pings from both the 'Any' source and the 'Internet' source service tag.
This change affects the number of alerts generated against this policy.
config where api.name= 'azure-network-nsg-list' AND json.rule = " securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * "
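The four updated NSG queries above share one shape: an inbound Allow rule whose source is the '*' wildcard or the 'Internet' service tag, whose protocol is the targeted one or '*', and whose destinationPortRange or destinationPortRanges covers the port in question. The following is an added example in plain Python, not Prisma Cloud code, that applies that shape to an NSG document so the effect of the 'Any'/'Internet' and protocol-'*' handling can be checked against concrete rules. The port specifier grammar assumed here ("22", "20-30", "*") and the sample NSG are constructed for the example.

```python
"""Azure NSG internet-exposure check for one port, modelled in plain Python.

Added example, not Prisma Cloud code. It mirrors the logic shared by the
updated NSG RQL queries above: an inbound Allow rule whose source is the '*'
(Any) wildcard or the 'Internet' service tag, whose protocol is the one the
policy targets or '*', and whose destinationPortRange or destinationPortRanges
covers the port. The port specifier grammar assumed here ("22", "20-30", "*")
and the sample NSG document are constructed for the example.
"""
from typing import Any, Dict, FrozenSet, List

Rule = Dict[str, Any]

INTERNET_SOURCES: FrozenSet[str] = frozenset({"*", "Internet"})


def port_in_range(spec: str, port: int) -> bool:
    """Does one NSG port specifier cover `port`? (like _Port.inRange(port, port))"""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(part) for part in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_port_specs(rule: Rule) -> List[str]:
    """Both the single destinationPortRange and the destinationPortRanges list count."""
    specs: List[str] = []
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    specs.extend(rule.get("destinationPortRanges") or [])
    return specs


def rule_exposes_port(rule: Rule, port: int, protocol: str) -> bool:
    """Allow + Inbound + internet source + (protocol or '*') + port covered."""
    return (
        rule.get("access") == "Allow"
        and rule.get("direction") == "Inbound"
        and rule.get("sourceAddressPrefix") in INTERNET_SOURCES
        and rule.get("protocol") in {protocol, "*"}
        and any(port_in_range(spec, port) for spec in rule_port_specs(rule))
    )


def exposing_rules(nsg: Dict[str, Any], port: int, protocol: str = "Tcp") -> List[str]:
    """Names of rules that open `port`/`protocol` to the internet; empty means compliant."""
    return [
        rule.get("name", "<unnamed>")
        for rule in nsg.get("securityRules", [])
        if rule_exposes_port(rule, port, protocol)
    ]


# Constructed sample NSG: a protocol-'*' rule from the Internet tag covers 22
# through a range; a corporate-scoped SSH rule and a Deny rule must not match.
SAMPLE_NSG: Dict[str, Any] = {
    "name": "nsg-constructed-example",
    "securityRules": [
        {"name": "allow-mgmt-any-proto", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "Internet", "protocol": "*",
         "destinationPortRanges": ["20-30", "443"]},
        {"name": "allow-corp-ssh", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "203.0.113.0/24", "protocol": "Tcp",
         "destinationPortRange": "22"},
        {"name": "deny-ssh-any", "access": "Deny", "direction": "Inbound",
         "sourceAddressPrefix": "*", "protocol": "Tcp",
         "destinationPortRange": "22"},
    ],
}

if __name__ == "__main__":
    print("SSH/22 exposed by:", exposing_rules(SAMPLE_NSG, 22))
    print("SQL Server/UDP 1434 exposed by:", exposing_rules(SAMPLE_NSG, 1434, "Udp"))
```

The protocol-'*' rule is what the updated queries add: a rule that never mentions Tcp still exposes port 22 when it allows all protocols from the Internet tag, and a rule that lists ranges in destinationPortRanges rather than a single destinationPortRange is matched as well.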
AWS Default Security Group does not restrict all traffic
Updated RQL and the Recommendation instructions—The RQL is now modified to handle all the default Security groups having inbound/outbound rules, irrespective of the public/private IP range attached to them.
This change affects the number of alerts generated against this policy.
config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'
AWS S3 buckets are accessible to public
Updated Remediation—The remediation has been removed because the RQL update requires pipelined multiline execution of a CLI command, which is currently not supported on Prisma Cloud. With this change, this policy is no longer Remediable from Prisma Cloud.
Updated RQL—The RQL has been updated to check for the S3 account-level block public access (aws-s3control-public-access-block) setting and to verify when the account-level block access setting is not modified. With this change, any inaccurately generated alerts will get resolved.
config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist"
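The RQL above is long because it enumerates every combination of "bucket-level configuration exists / account-level configuration exists". The decision it encodes is compact: an AllUsers ACL grant counts only if ignorePublicAcls is not in force at either level, a public bucket policy counts only if restrictPublicBuckets is not in force at either level, and website buckets are excluded. The following is an added illustration in plain Python, not Prisma Cloud code, that states that decision once and runs it over constructed bucket records, including the account-level-only case that previously produced inaccurate alerts. Field names follow the RQL; the records are constructed.

```python
"""Effective S3 public-exposure decision, modelled on the updated RQL above.

Added example, not Prisma Cloud code. It encodes the same decision the RQL
expresses: a bucket is flagged when an AllUsers ACL grant is present and
ignorePublicAcls is not in force, or when the bucket policy is public and
restrictPublicBuckets is not in force. A flag is "in force" when it is true in
the bucket-level or the account-level public access block configuration,
considering only the configurations that exist; buckets with a website
configuration are excluded. Field names follow the RQL; the bucket records
below are constructed.
"""
from typing import Any, Dict, Optional

Bucket = Dict[str, Any]
BlockConfig = Optional[Dict[str, bool]]


def flag_in_force(bucket_cfg: BlockConfig, account_cfg: BlockConfig, flag: str) -> bool:
    """True when at least one existing configuration sets `flag` to true.
    With neither configuration present nothing blocks, so the result is False."""
    return any(cfg.get(flag) is True for cfg in (bucket_cfg, account_cfg) if cfg is not None)


def has_all_users_grant(bucket: Bucket) -> bool:
    """acl.grants[?(@.grantee=='AllUsers')] size > 0"""
    return any(g.get("grantee") == "AllUsers" for g in bucket.get("acl", {}).get("grants", []))


def is_publicly_accessible(bucket: Bucket) -> bool:
    """The policy's verdict for one bucket record."""
    if "websiteConfiguration" in bucket:
        return False  # website buckets are out of scope, as in the RQL
    bucket_cfg = bucket.get("publicAccessBlockConfiguration")
    account_cfg = bucket.get("accountLevelPublicAccessBlockConfiguration")
    policy_public = bucket.get("policyStatus", {}).get("isPublic") is True
    acl_exposed = has_all_users_grant(bucket) and not flag_in_force(
        bucket_cfg, account_cfg, "ignorePublicAcls")
    policy_exposed = policy_public and not flag_in_force(
        bucket_cfg, account_cfg, "restrictPublicBuckets")
    return acl_exposed or policy_exposed


ALL_BLOCKED = {"blockPublicAcls": True, "ignorePublicAcls": True,
               "blockPublicPolicy": True, "restrictPublicBuckets": True}
NONE_BLOCKED = {k: False for k in ALL_BLOCKED}

# Constructed records, one per situation the RQL distinguishes.
ACL_NO_BLOCK: Bucket = {
    "name": "constructed-acl-open",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
}
ACL_ACCOUNT_BLOCK: Bucket = {  # account-level block only: must not alert
    "name": "constructed-acl-account-blocked",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    "accountLevelPublicAccessBlockConfiguration": dict(ALL_BLOCKED),
}
POLICY_BOTH_UNRESTRICTED: Bucket = {
    "name": "constructed-policy-unrestricted",
    "policyStatus": {"isPublic": True},
    "publicAccessBlockConfiguration": dict(NONE_BLOCKED),
    "accountLevelPublicAccessBlockConfiguration": dict(NONE_BLOCKED),
}
WEBSITE_BUCKET: Bucket = {
    "name": "constructed-website",
    "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    "websiteConfiguration": {"indexDocument": "index.html"},
}

if __name__ == "__main__":
    for b in (ACL_NO_BLOCK, ACL_ACCOUNT_BLOCK, POLICY_BOTH_UNRESTRICTED, WEBSITE_BUCKET):
        print(b["name"], "->", "PUBLIC" if is_publicly_accessible(b) else "ok")
```

Reading the RQL this way also makes the edge the release note calls out explicit: when only the account-level configuration exists and it ignores public ACLs, the bucket is not flagged even though no bucket-level configuration is present.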
Policy Deletions
The following policies are being removed from Prisma Cloud:
AWS SQS does not have a dead letter queue configured
Any open alerts generated against this policy will be resolved and marked Policy Deleted.

REST API Updates

Change
Description
User Role
The response object for the following APIs includes a new property, additionalAttributes.hasDefenderPermissions:
  • GET /user/role
  • GET /user/role/{id}
The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:
  • POST /user/role
  • PUT /user/role/{id}
Policy
The response object for GET /filter/policy/suggest includes a new filter suggestion, policy.class.

Features Introduced in 20.9.1

New Features

Feature
Description
Support for AWS Organizations on Prisma Cloud
If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.
Consolidation of Unusual User Activity / UEBA Anomaly Settings
The Unusual User Activity / UEBA settings are now on Settings > Anomaly Settings, along with the Anomaly settings for policies that alert you to network-related incidents.
You can now set the thresholds for machine learning—number of days and events—and the alert disposition—which vectors to use for identifying unusual activity—for the policies that detect unusual user activity and account hijacking attempts.
Expanded Support for Roles with Just-in-Time (JIT) Provisioning
If you use JIT provisioning to create administrative users on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud.
The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP.
Rich Text Editor in Email Notification Template
Use the rich text editor to customize the message body in your email notification template on Alerts > Notification Templates. As you craft it, you can preview how the content will look in the right-hand pane.
Prisma Cloud Data Security (Limited GA)
Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.
API Ingestion
AWS
  • AWS Elastic Map Reduce—aws-emr-public-access-block
    Additional permissions required: elasticmapreduce:GetBlockPublicAccessConfiguration
Azure
  • Azure Event Hubs—azure-event-hubs-namespace
  • Azure Logic Apps—azure-logic-apps-workflow
GCP
  • Google Compute—gcloud-compute-image
    Additional permissions required: compute.images.list, compute.images.getIamPolicy
  • Google PubSub
    • gcloud-pubsub-topic
      Additional permissions required: pubsub.topics.getIamPolicy, pubsub.topics.list
    • gcloud-pubsub-subscription
      Additional permissions required: pubsub.subscriptions.getIamPolicy, pubsub.subscriptions.list
    • gcloud-pubsub-snapshot
      Additional permissions required: pubsub.snapshots.getIamPolicy, pubsub.snapshots.list

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
Policy Name
Description
Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
  • GCP IAM user with overly permissive privileges
  • GCP IAM user not used for the last 90 days
  • AWS IAM policy not configured with fine-grained access control, such as IP address, Time Of Day, and MFA restrictions
Policy Updates—Metadata
Policy Name Update
Current Name—Azure Security Center 'Also send email notification to subscription owners' value is not set
New Name—Azure Security Center email notification for subscription owner is not set
Policy Updates—RQL
The RQL in the following policies is updated:
AWS Security Groups allow internet traffic to SSH port (22)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to MSQL port (4333)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to RDP port (3389)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to Telnet port (23)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to CIFS port (445)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic to ports which are not commonly used
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = "(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)"
AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved.
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
AWS IAM policy allows full administrative privileges
Updated RQL—The RQL has been updated to exclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess"
AWS EKS cluster security group overly permissive to all traffic
Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;
AWS RDS instance with copy tags to snapshots disabled
Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved.
config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
Azure SQL Database with Auditing Retention less than 90 days
Updated the description, recommendation, and RQL.
Updated RQL—
config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;

REST API Updates

Change
Description
Cloud Accounts
The REST API now supports AWS Organizations. The following requests have new request body parameters for this support:
  • POST /cloud/{cloud_type}
  • PUT /cloud/{cloud_type}
  • POST /cloud/status/{cloud_type}
Policies
The response object for the REST API request GET /v2/policy had included an unused field, openAlertsCount. The response object for GET /v2/policy no longer includes this field. The issue ID is RLP-23362.
