Features Introduced in February 2021

These are the Prisma Cloud release notes for February 2021.

New Features Introduced in 21.2.2

New Features

Feature: Support for Oracle Cloud Infrastructure
Description: If you have adopted Oracle Cloud Infrastructure (OCI), you can now use Prisma Cloud for visibility and governance of your resources. To get started, add your OCI account on Prisma Cloud, and monitor for configuration issues using RQL and alerts.
Feature: Support for Anomaly and Advanced Threat Detection on Prisma Cloud China
Description: Prisma Cloud tracks user and network activity and applies user behavior-based analytics to detect and alert on privileged activity deviations and advanced network threats across your cloud accounts. With this release, Prisma Cloud China tenants get access to all of the out-of-the-box anomaly detection capabilities and the settings to fine-tune them.
Feature: Prisma Cloud IaC Scan now supports Helm Charts 3.0
Description: Prisma Cloud IaC Scan now includes Helm Charts 3.0, which is a simpler way to configure and package your Kubernetes templates. Identify potential issues in your Kubernetes (k8s) template manifests by scanning your IaC templates against a comprehensive list of IaC policies.
API Ingestion
OCI Compute
  • oci-compute-instance: requires the read instances permission.
  • oci-compute-boot-volume-backup: requires the inspect boot-volume-backups permission.
OCI IAM
  • oci-iam-user: requires the read users permission.
  • oci-iam-group: requires the read groups permission.
  • oci-iam-policy: requires the read policies permission.
  • oci-iam-authentication-policy: requires the read authentication-policies permission.
OCI Networking
  • oci-networking-vcn: requires the read vcns permission.
  • oci-networking-nsg: requires the read network-security-groups permission.
  • oci-networking-security-list: requires the read security-lists permission.
OCI Object Storage
  • oci-object-storage-bucket: requires the read buckets and read objectstorage-namespaces permissions.
OCI Notifications
  • oci-notifications-ons-topic: requires the read ons-topics and read ons-subscriptions permissions.
OCI Events
  • oci-events-rule: requires the read cloudevents-rules permission.
OCI Block Storage
  • oci-block-storage-volume: requires the inspect volumes and read backup-policy-assignments permissions.
  • oci-block-storage-volume-backup: requires the read volume-backups permission.
OCI File Storage
  • oci-file-storage-file-system: requires the read file-systems permission.
  • oci-file-storage-export: requires the read export-sets permission.
AWS VPC
  • aws-vpc-transit-gateway-route-table: additional permission required: ec2:DescribeTransitGatewayRouteTables. The Security Audit role includes the permission.
  • aws-vpc-search-transit-gateway-routes: additional permission required: ec2:SearchTransitGatewayRoutes.
Azure Active Directory
  • azure-active-directory-group: additional permissions required: GroupMember.Read.All and Group.Read.All. Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.

New Policies and Policy Updates

New Policies
Policy Name: AWS S3 configuration updates invoked from Kali Linux machine
Description: Identifies AWS S3 configuration updates invoked from a Kali Linux machine. S3 configuration changes such as creating, deleting, or modifying bucket policies are triggered from Kali Linux by S3 API calls using credentials that belong to your AWS account.
RQL:
event from cloud.audit_logs where cloud.service = 's3.amazonaws.com' AND json.rule = $.userAgent contains 'kali'
Policy Name: AWS S3 configuration updates invoked from Parrot Security Linux machine
Description: Identifies AWS S3 configuration updates invoked from a Parrot Security Linux machine. S3 configuration changes such as creating, deleting, or modifying bucket policies are triggered from Parrot Security Linux by S3 API calls using credentials that belong to your AWS account.
RQL:
event from cloud.audit_logs where cloud.service = 's3.amazonaws.com' AND json.rule = $.userAgent contains 'parrot'
Policy Name: AWS S3 configuration updates invoked from Pentoo Linux machine
Description: Identifies AWS S3 configuration updates invoked from a Pentoo Linux machine. S3 configuration changes such as creating, deleting, or modifying bucket policies are triggered from Pentoo Linux by S3 API calls using credentials that belong to your AWS account.
RQL:
event from cloud.audit_logs where cloud.service = 's3.amazonaws.com' AND json.rule = $.userAgent contains 'pentoo'
Policy Name: Azure CDN Endpoint Custom domains is not configured with HTTPS
Description: Identifies Azure CDN Endpoint Custom domains that have not been configured with HTTPS. This could impact alerts being generated for all Azure CDN Endpoint Custom domains where HTTPS is not configured.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cdn-endpoint' AND json.rule = properties.customDomains[?any( properties.customHttpsProvisioningState does not equal Enabled )] exists
Policy Name: Azure CDN Endpoint Custom domains using insecure TLS version
Description: Checks for Azure CDN Endpoint Custom domains that have an insecure TLS version. This could impact alerts being generated for all Azure CDN Endpoint Custom domains using an insecure TLS version.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cdn-endpoint' AND json.rule = properties.customDomains[?any( properties.customHttpsProvisioningState equals Enabled and properties.customHttpsParameters.minimumTlsVersion equals TLS10 )] exists
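The three event policies above all reduce to the same test: an S3 API call whose self-reported user agent names a penetration-testing distribution. The following Python is an added example, not Prisma Cloud's code, that mirrors that logic over constructed CloudTrail-style records (the account id, ARNs and user-agent strings are made up). The lower-casing of the user agent is an assumption; the RQL text does not say whether `contains` is case-sensitive.

```python
"""Added example, not Prisma Cloud's code: detection logic that mirrors the three
'AWS S3 configuration updates invoked from <distro> machine' event policies above.
It runs over constructed CloudTrail-style records and flags S3 API calls whose
self-reported userAgent names one of the distributions the policies look for."""
import json

# The substrings the three policies test with `$.userAgent contains ...`.
FLAGGED_AGENT_SUBSTRINGS = ("kali", "parrot", "pentoo")

# Constructed sample records (not real log data); account id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userAgent": "[aws-cli/2.1.0 Python/3.8.5 Linux/5.9.0-kali1-amd64 exe/x86_64.kali.2020.4]",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userAgent": "[aws-sdk-java/1.11.900 Linux/5.4.0 OpenJDK_64-Bit_Server_VM]",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-app"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userAgent": "[aws-cli/2.1.0 Python/3.8.5 Linux/5.9.0-parrot1-amd64]",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "userAgent": "[aws-cli/1.18.0 Python/3.7.9 Linux/5.9.0-pentoo-amd64]",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
]


def matched_distro(event):
    """Return the flagged substring found in the record's userAgent, or None.

    Mirrors `cloud.service = 's3.amazonaws.com' AND $.userAgent contains '<distro>'`.
    The comparison is lower-cased here (an assumption; the RQL text does not say
    whether `contains` is case-sensitive)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    agent = str(event.get("userAgent", "")).lower()
    for needle in FLAGGED_AGENT_SUBSTRINGS:
        if needle in agent:
            return needle
    return None


def find_alerts(events):
    """Return (eventName, distro, actor ARN) for every record that matches a policy."""
    alerts = []
    for event in events:
        distro = matched_distro(event)
        if distro is not None:
            alerts.append((event["eventName"], distro, event["userIdentity"]["arn"]))
    return alerts


if __name__ == "__main__":
    for name, distro, actor in find_alerts(SAMPLE_EVENTS):
        print(json.dumps({"eventName": name, "distro": distro, "actor": actor}))
```

The user agent is set by the client, so this is a low-fidelity signal: treat a match as a prompt to review the identity and the specific S3 change in the same record rather than as proof of intent. Note that the third sample record is not flagged even though its user agent names Parrot, because the policies only look at the s3.amazonaws.com service.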
Policy Name: Oracle Cloud Infrastructure—New policies
Description: The following new policies are also being added for scanning your resources on OCI:
  • OCI IAM password policy for local (non-federated) users does not have a symbol
  • OCI Event Rule and Notification does not exist for IAM policy changes
  • OCI Block Storage Block Volume is not restorable
  • OCI Network Security Groups (NSG) has stateful security rules
  • OCI Event Rule and Notification does not exist for Identity Provider changes
  • OCI Compute Instance has monitoring disabled
  • OCI Security List allows all traffic on SSH port (22)
  • OCI VCN Security list has stateful security rules
  • OCI Network Security Group allows all traffic on RDP port (3389)
  • OCI File Storage File System access is not restricted to root users
  • OCI Event Rule and Notification does not exist for security list changes
  • OCI Event Rule and Notification does not exist for IAM group changes
  • OCI Object Storage Bucket has object Versioning disabled
  • OCI Event Rule and Notification does not exist for Identity Provider Group (IdP) group mapping changes
  • OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
  • OCI Event Rule and Notification does not exist for route tables changes
  • OCI File Storage File System Export is publicly accessible
  • OCI IAM password policy for local (non-federated) users does not have a lowercase character
  • OCI IAM local (non-federated) user account does not have a valid and current email address
  • OCI Default Security List of every VCN allows all traffic on SSH port (22)
  • OCI Event Rule and Notification does not exist for VCN changes
  • OCI tenancy administrator users are associated with API keys
  • OCI IAM password policy for local (non-federated) users does not have an uppercase character
  • OCI Event Rule and Notification does not exist for user changes
  • OCI Compute Instance has Legacy MetaData service endpoint enabled
  • OCI Object Storage bucket is publicly accessible
  • OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK)
  • OCI security group allows unrestricted ingress access to port 22
  • OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
  • OCI Event Rule and Notification does not exist for network gateways changes
  • OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
  • OCI Object Storage bucket does not emit object events
  • OCI Compute Instance boot volume has in-transit data encryption is disabled
  • OCI Block Storage Block Volume does not have backup enabled
  • OCI VCN has no inbound security list
  • OCI IAM password policy for local (non-federated) users does not have a number
  • OCI security lists allows unrestricted ingress access to port 3389
  • OCI Event Rule and Notification does not exist for Network Security Groups changes
  • OCI MFA is disabled for IAM users
  • OCI users API keys have aged more than 90 days without being rotated
Policy Updates—RQL and Metadata
Policy Name: GCP VM instances have the block project-wide SSH keys feature disabled
Description: Kubernetes (K8s) clusters do not have an option to enable or disable SSH keys, so GKE clusters were generating alerts where there should be none. Because there is no provision to configure remediation steps for GKE instances, the updated RQL filters out the alerts for GKE clusters.
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "block-project-ssh-keys" and (value contains "true" or value contains "TRUE" or value contains "1"))] does not exist as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = (metadata.items[?any(key exists and key contains "block-project-ssh-keys" and (value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and (name does not start with "gke-" or (name starts with "gke-" and labels.goog-gke-node does not exist) ) )as Y; filter ' $.Y.zone contains $.X.name'; show Y;
Impact: This will resolve a high number of alerts for GKE instances.
Policy Name: AWS S3 buckets are accessible to public
Description: Updated Remediation CLI to block public access to S3 buckets.
Impact: None. Does not affect any existing alerts for the policy.
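The updated block-project-ssh-keys RQL above joins two resource types and adds a GKE exclusion, which is easy to misread. The following Python is an added example, not Prisma Cloud's code, that renders the same logic over constructed project and instance records shaped like the fields the RQL references; the project names and zone URLs are placeholders.

```python
"""Added example, not Prisma Cloud's code: a Python rendering of the updated
'GCP VM instances have the block project-wide SSH keys feature disabled' RQL
above, including the clause that excludes GKE-managed nodes. The project and
instance records below are constructed samples in the shape the RQL references
(commonInstanceMetadata.items, metadata.items, name, labels, zone)."""

# The RQL accepts any of these as an enabled value for block-project-ssh-keys.
TRUE_VALUES = ("true", "TRUE", "1")


def _blocks_project_keys(items):
    """True if a metadata item list enables block-project-ssh-keys
    (mirrors `key contains "block-project-ssh-keys" and value contains true/TRUE/1`)."""
    for item in items or []:
        key = item.get("key", "")
        value = str(item.get("value", ""))
        if "block-project-ssh-keys" in key and any(t in value for t in TRUE_VALUES):
            return True
    return False


def project_lacks_block(project_info):
    """X in the RQL: a project whose common instance metadata does not block project keys."""
    meta = project_info.get("commonInstanceMetadata", {})
    if meta.get("kind") != "compute#metadata":
        return False
    return not _blocks_project_keys(meta.get("items"))


def instance_is_candidate(instance):
    """Y in the RQL: the instance itself does not block project keys, and it is not a
    GKE node. Per the updated RQL, a GKE node is a name starting with 'gke-' that also
    carries the goog-gke-node label; a 'gke-' name without the label is still reported."""
    if _blocks_project_keys(instance.get("metadata", {}).get("items")):
        return False
    name = instance.get("name", "")
    is_gke_node = name.startswith("gke-") and "goog-gke-node" in instance.get("labels", {})
    return not is_gke_node


def find_alerting_instances(projects, instances):
    """Join Y to X with `$.Y.zone contains $.X.name`: the instance's zone URL carries
    the project name, so an instance alerts only when its project is open too."""
    open_projects = [p["name"] for p in projects if project_lacks_block(p)]
    return [inst["name"] for inst in instances
            if instance_is_candidate(inst)
            and any(pname in inst.get("zone", "") for pname in open_projects)]


# Constructed sample data; project names and zone URLs are placeholders.
ZONE = "https://www.googleapis.com/compute/v1/projects/{}/zones/us-central1-a"
SAMPLE_PROJECTS = [
    {"name": "example-open-project",
     "commonInstanceMetadata": {"kind": "compute#metadata", "items": []}},
    {"name": "example-hardened-project",
     "commonInstanceMetadata": {"kind": "compute#metadata",
                                "items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
]
SAMPLE_INSTANCES = [
    # Plain VM in an open project: alerts.
    {"name": "web-1", "zone": ZONE.format("example-open-project"),
     "metadata": {"items": []}, "labels": {}},
    # Real GKE node: excluded by the updated RQL.
    {"name": "gke-prod-default-pool-0001", "zone": ZONE.format("example-open-project"),
     "metadata": {"items": []}, "labels": {"goog-gke-node": ""}},
    # Named like a node but without the label: still reported.
    {"name": "gke-lookalike", "zone": ZONE.format("example-open-project"),
     "metadata": {"items": []}, "labels": {}},
    # Project blocks project-wide keys: no alert.
    {"name": "web-2", "zone": ZONE.format("example-hardened-project"),
     "metadata": {"items": []}, "labels": {}},
    # Instance-level block: no alert.
    {"name": "web-3", "zone": ZONE.format("example-open-project"),
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]}, "labels": {}},
]

if __name__ == "__main__":
    print(find_alerting_instances(SAMPLE_PROJECTS, SAMPLE_INSTANCES))
```

The sample set exercises both sides of the GKE exclusion: the node with the goog-gke-node label drops out, while an instance that merely happens to be named gke-* is still reported, which is the behaviour the RQL's second branch specifies.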

Compliance Benchmarks

Compliance Benchmark: CIS Oracle Cloud Infrastructure Foundations Benchmark v1.1.0
Description: The CIS Oracle Cloud Infrastructure Foundations Benchmark v1.1.0 includes the following OCI services:
  1. Identity and Access Management
  2. Networking
  3. Logging and Monitoring
  4. Object Storage
  5. Asset Management
Compliance Benchmark: CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0
Description: The CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0 includes the following OCI services:
  1. Identity and Access Management
  2. Networking
  3. Logging and Monitoring

Rest API Updates

Change: Oracle Cloud Infrastructure (OCI) Cloud Account Support
Description: Prisma Cloud APIs now support cloud type OCI.
Change: Data Security APIs
Description: Prisma Cloud APIs for Data Security are now available.
Change (Update): Deprecated Compliance Dashboard APIs are no longer supported
Description: The following deprecated APIs are no longer supported:
  • GET /compliance/dashboard
  • GET /compliance/dashboard/history
  • GET /filter/compliance/suggest
  • POST /filter/compliance/suggest
Change (Update): Deprecated Asset Inventory APIs are no longer supported
Description: The following deprecated APIs are no longer supported:
  • GET /filter/inventory/suggest
  • POST /filter/inventory/suggest
  • POST /inventory/dashboard
  • POST /inventory/dashboard/history
Change (Update): Deprecated User Profile APIs are no longer supported
Description: The following deprecated APIs are no longer supported:
  • GET /user
  • POST /user
  • GET /user/{id}
  • PUT /user/{id}

New Features Introduced in 21.2.1

New Features

To learn what’s new in Prisma Cloud Compute Update 2, see the Release Notes.
Feature: Prisma Cloud Data Security Available in EMEA
Description: Prisma Cloud tenants on https://app.eu.prismacloud.io and https://app2.eu.prismacloud.io can now use the Prisma Cloud Data Security module to secure data stored in S3 buckets. These tenants have a new Prisma Cloud default policy, Objects containing GDPR publicly exposed, to identify sensitive content that is exposed and in violation of GDPR regulations.
Feature: Snippets for Data Pattern Match
Description: If you are using Prisma Cloud Data Security, you can now view snippets and mask how that data is stored and displayed on Prisma Cloud. A snippet is a piece of data that matches the data pattern that you want to identify within your files.
Snippet masking enables you to control how this sensitive data, such as credit card numbers or Social Security numbers, is displayed to administrators who can view the snippet within Prisma Cloud. By default, data is displayed with a partial mask, which means that only the last four digits of the value are in clear text. To change your masking preference, select Settings, then Data, then Snippet Masking.
API Ingestion
AWS EC2
  • aws-region: additional permission required: ec2:DescribeRegions. The Security Audit role includes the permission.
IAM Access Analyzer
  • aws-access-analyzer: additional permission required: access-analyzer:ListAnalyzers. The Security Audit role includes the permission.
AWS Systems Manager
  • aws-ssm-document: additional permissions required: ssm:GetDocument and ssm:ListDocument. The Security Audit role includes the permissions.
AWS VPC
  • aws-vpc-managed-prefix-list: additional permissions required: ec2:DescribeManagedPrefixLists and ec2:GetManagedPrefixListEntries. The Security Audit role includes the permissions.
Azure Container Registry
  • azure-container-registry: the Reader role includes the permissions required.
Google Compute Engine
  • gcloud-compute-instance-template: additional permissions required: compute.instanceTemplates.list and compute.instanceTemplates.getIamPolicy. The Project Viewer role includes the permissions.

New Policies and Policy Updates

New Policies
Policy Name: AWS Classic Load Balancer is in use for internet-facing applications
Description: Identifies Classic Load Balancers that are being used for internet-facing HTTP/HTTPS applications. Classic Load Balancers should be used when you have an existing application running in the EC2-Classic network; Application Load Balancers (ALB) are recommended for internet-facing HTTP/HTTPS web applications.
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elb-describe-load-balancers' AND json.rule = description.scheme contains internet-facing
Policy Name: AWS KMS Key policy overly permissive
Description: Identifies KMS keys that have an overly permissive key policy. It is a best practice to follow the principle of least privilege so that the KMS key policy does not grant all the permissions needed to complete a malicious action.
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and policies.default.Statement[?any(Principal.AWS equals * and Condition does not exist)] exists
Policy Name: AWS KMS sensitive configuration updates
Description: Identifies AWS KMS entities that have permission for sensitive configuration updates such as KMS key policy updates, retiring grants, key deletion, revoking grants, disabling keys, and deletion of imported key material. Changing the KMS configuration by unauthorized users may leave cloud workloads in a vulnerable state, so it is important that security teams have visibility and get alerted when sensitive KMS operations are performed.
RQL:
event from cloud.audit_logs where operation IN ( 'PutKeyPolicy', 'RetireGrant', 'ScheduleKeyDeletion', 'RevokeGrant', 'DisableKey', 'DeleteImportedKeyMaterial' )
Policy Name: AWS SageMaker notebook instance with root access enabled
Description: Identifies SageMaker notebook instances that have root access enabled. Removing root access prevents notebook users from deleting system-level software, installing new software, and modifying essential environment components.
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sagemaker-notebook-instance' AND json.rule = notebookInstanceStatus equals InService and rootAccess equals Enabled and notebookInstanceLifecycleConfigName does not exist
Policy Name: AWS S3 bucket publicly readable
Description: Identifies S3 buckets that are publicly readable through Get/Read/List/Create bucket operations. These permissions permit anyone, malicious or not, to perform Get/Read/List/Create bucket operations on your S3 bucket if they can guess the namespace. S3 does not protect the namespace if ACLs and the bucket policy are not handled properly, which puts your data at risk of being compromised.
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ((((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false)) and acl.grantsAsList[?any(grantee equals AllUsers and permission is member of (ReadAcp,Read,FullControl))] exists) or ((policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))) and (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS equals *) and (Action contains s3:* or Action contains s3:Get or Action contains s3:List) and (Condition does not exist))] exists))) and websiteConfiguration does not exist
Policy Name: AWS S3 bucket publicly writable
Description: Identifies S3 buckets that are publicly writable through Put/Update/Write/Delete bucket operations. These permissions permit anyone, malicious or not, to perform Put/Update/Write/Delete bucket operations on your S3 buckets if they can guess the namespace. S3 does not protect the namespace if ACLs and the bucket policy are not handled properly, which puts your data at risk of being compromised.
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ((((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false)) and acl.grantsAsList[?any(grantee equals AllUsers and permission is member of (WriteAcp,Write,FullControl))] exists) or ((policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))) and (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS equals *) and (Action contains s3:* or Action contains s3:Put or Action contains s3:Create or Action contains s3:Replicate or Action contains s3:Update or Action contains s3:Delete) and (Condition does not exist))] exists))) and websiteConfiguration does not exist
Policy Name: Azure Security Center MCAS integration Disabled
Description: Identifies Azure Security Center instances where the MCAS integration is disabled. This affects alerts generated for Azure Security Center where the MCAS integration is disabled.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = settings[?any( name equals MCAS and properties.enabled is false )] exists
Policy Name: Azure Security Center WDATP integration Disabled
Description: Identifies Azure Security Center instances where the WDATP integration is disabled. This affects alerts generated for Azure Security Center where the WDATP integration is disabled.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = settings[?any( name equals WDATP and properties.enabled is false )] exists
Policy Name: Azure SQL Server ADS Vulnerability Assessment ‘Also send email notifications to admins and subscription owners’ is disabled
Description: Identifies Azure SQL Servers that have the ADS Vulnerability Assessment setting “Also send email notifications to admins and subscription owners” disabled. As a best practice, enable email notifications for ADS VA scan reports to reduce the time needed to identify risks and take corrective actions.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[].properties.storageContainerPath exists and vulnerabilityAssessments[].properties.recurringScans.emailSubscriptionAdmins is false
Policy Name: Azure SQL Server ADS Vulnerability Assessment is disabled
Description: Identifies Azure SQL Servers that have ADS Vulnerability Assessment disabled. The Advanced Data Security Vulnerability Assessment service scans SQL databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[*].properties.storageContainerPath does not exist
Policy Name: Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled
Description: Identifies Azure SQL Servers that have ADS Vulnerability Assessment periodic recurring scans disabled. As a best practice, enable ADS VA periodic recurring scans for risk visibility based on updated known vulnerability signatures and best practices.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[].properties.storageContainerPath exists and vulnerabilityAssessments[].properties.recurringScans.isEnabled is false
Policy Name: Azure SQL Server ADS Vulnerability Assessment ‘Send scan reports to’ is not configured
Description: Identifies Azure SQL Servers that are not configured with an email address under “Send scan reports to” for ADS Vulnerability Assessments.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[].properties.storageContainerPath exists and vulnerabilityAssessments[].properties.recurringScans.emails[*] is empty
Policy Name: Azure Storage accounts soft delete is disabled
Description: Identifies Azure Storage accounts that have soft delete disabled. Because Azure Storage can contain important access logs, financial data, personal and other secret information, enable soft delete to prevent accidental data loss by a user or application.
RQL:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = deleteRetentionPolicy.blob.enabled is false
Policy Name: GCP API key not restricting any specific API
Description: Identifies GCP API keys that do not restrict any specific APIs. As a best practice, restrict API keys to call only the APIs required by an application.
RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = restrictions.apiTargets does not exist
Policy Name: GCP API key not rotating in every 90 days
Description: Identifies GCP API keys whose creation date is more than 90 days old. API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = "_DateTime.ageInDays(createTime) > 90"
Policy Name: GCP compute engine image not encrypted using customer-managed key
Description: Identifies GCP compute engine images that are not encrypted using customer-managed keys. The project that holds your encryption keys can then be independent of the project that contains your buckets, thus allowing for better separation of duties.
RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-image' AND json.rule = imageEncryptionKey.kmsKeyName does not exist
Policy Name: GCP GCE Disk snapshot not encrypted with CSEK
Description: Identifies GCP GCE Disk snapshots that are not encrypted with CSEK. It is a best practice to avoid data leakage by providing your own encryption keys.
RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instance-disk-snapshot' AND json.rule = snapshotEncryptionKey.sha256 does not exist
Policy Name: GCP KMS encryption key not rotating in every 90 days
Description: Identifies GCP KMS encryption keys that are not rotated every 90 days. It is a best practice to set the rotation period to a specific interval so that data cannot be accessed through the old key.
RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-kms-keyring-list' AND json.rule ='cryptoKeys[*].rotationPeriod does not exist or cryptoKeys[*].rotationPeriod greater than 7776000'
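The "AWS S3 bucket publicly readable" and "AWS S3 bucket publicly writable" RQL above combine the bucket- and account-level public access block settings with the ACL grants and the bucket policy, and the three-way test on each block setting is the part most often misread. The following Python is an added example, not Prisma Cloud's code, that evaluates the same logic over constructed bucket records shaped like the fields the RQL names; the bucket names are placeholders.

```python
"""Added example, not Prisma Cloud's code: an evaluator mirroring the 'AWS S3 bucket
publicly readable' and 'AWS S3 bucket publicly writable' RQL above. It takes bucket
records in the shape the RQL references (publicAccessBlockConfiguration,
accountLevelPublicAccessBlockConfiguration, acl.grantsAsList, policyStatus, policy,
websiteConfiguration); the buckets below are constructed samples."""

READ_ACL_PERMS = {"ReadAcp", "Read", "FullControl"}
WRITE_ACL_PERMS = {"WriteAcp", "Write", "FullControl"}
READ_ACTIONS = ("s3:*", "s3:Get", "s3:List")
WRITE_ACTIONS = ("s3:*", "s3:Put", "s3:Create", "s3:Replicate", "s3:Update", "s3:Delete")


def _effectively_false(bucket, setting):
    """The RQL's three-way test for a public access block setting: false at bucket
    level with no account-level block, absent at bucket level and false at account
    level, or false at both. A bucket with the setting absent at both levels matches
    none of the branches, so it is not flagged; neither is one with it set to true."""
    bucket_cfg = bucket.get("publicAccessBlockConfiguration")
    account_cfg = bucket.get("accountLevelPublicAccessBlockConfiguration")
    b = bucket_cfg.get(setting) if bucket_cfg is not None else None
    a = account_cfg.get(setting) if account_cfg is not None else None
    return ((b is False and account_cfg is None)
            or (bucket_cfg is None and a is False)
            or (b is False and a is False))


def _public_acl_grant(bucket, perms):
    """acl.grantsAsList has an AllUsers grant with one of the listed permissions."""
    return any(g.get("grantee") == "AllUsers" and g.get("permission") in perms
               for g in bucket.get("acl", {}).get("grantsAsList", []))


def _public_policy_statement(bucket, action_prefixes):
    """An Allow statement for Principal * (or Principal.AWS *) with a matching action
    substring and no Condition, as in the RQL."""
    for stmt in bucket.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        action_hit = any(prefix in action for action in actions for prefix in action_prefixes)
        if stmt.get("Effect") == "Allow" and wildcard and action_hit and "Condition" not in stmt:
            return True
    return False


def _is_public(bucket, perms, action_prefixes):
    if "websiteConfiguration" in bucket:
        return False  # the RQL excludes buckets configured for static website hosting
    via_acl = _effectively_false(bucket, "ignorePublicAcls") and _public_acl_grant(bucket, perms)
    via_policy = (bucket.get("policyStatus", {}).get("isPublic") is True
                  and _effectively_false(bucket, "restrictPublicBuckets")
                  and _public_policy_statement(bucket, action_prefixes))
    return via_acl or via_policy


def publicly_readable(bucket):
    return _is_public(bucket, READ_ACL_PERMS, READ_ACTIONS)


def publicly_writable(bucket):
    return _is_public(bucket, WRITE_ACL_PERMS, WRITE_ACTIONS)


def evaluate(buckets):
    """Map each bucket name to (readable, writable)."""
    return {b["name"]: (publicly_readable(b), publicly_writable(b)) for b in buckets}


# Constructed sample buckets; names are placeholders.
SAMPLE_BUCKETS = [
    {"name": "example-acl-read",  # public-read ACL, account-level block disabled
     "accountLevelPublicAccessBlockConfiguration": {"ignorePublicAcls": False, "restrictPublicBuckets": False},
     "acl": {"grantsAsList": [{"grantee": "AllUsers", "permission": "Read"}]},
     "policyStatus": {"isPublic": False}},
    {"name": "example-policy-write",  # wildcard PutObject policy, restrictPublicBuckets off
     "publicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": False},
     "acl": {"grantsAsList": []},
     "policyStatus": {"isPublic": True},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:PutObject", "Resource": "*"}]}},
    {"name": "example-blocked",  # public grants present but the block settings are on
     "publicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": True},
     "acl": {"grantsAsList": [{"grantee": "AllUsers", "permission": "FullControl"}]},
     "policyStatus": {"isPublic": True},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]}},
    {"name": "example-website",  # same as the first bucket, but hosting a website
     "accountLevelPublicAccessBlockConfiguration": {"ignorePublicAcls": False, "restrictPublicBuckets": False},
     "acl": {"grantsAsList": [{"grantee": "AllUsers", "permission": "Read"}]},
     "policyStatus": {"isPublic": False},
     "websiteConfiguration": {"indexDocument": "index.html"}},
]

if __name__ == "__main__":
    for name, (readable, writable) in evaluate(SAMPLE_BUCKETS).items():
        print(f"{name}: readable={readable} writable={writable}")
```

The "example-blocked" bucket is the case worth noticing: it carries both a public ACL grant and a wildcard policy, yet neither policy fires because the public access block settings are on, which is exactly the precedence the RQL encodes.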
Policy Updates—RQL and Metadata
Policy Name: AWS IAM policy allows assume role permission across all services
Description: The RQL has been updated to reflect the changes in JSON metadata for the IAM policy on AWS.
Updated RQL:
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any(Action contains sts:AssumeRole and Resource equals * and Condition does not exist)] exists
Impact: New alerts will be generated when a policy match occurs.
Policy Name: GCP Firewall rule allows internet traffic to DNS port (53)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on DNS port (53)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to FTP port (21)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on FTP port (21)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to HTTP port (80)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on HTTP port (80)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to Microsoft-DS port (445)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on Microsoft-DS port (445)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to MongoDB port (27017)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on MongoDB port (27017)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to MySQL DB port (3306)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on MySQL DB port (3306)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on NetBIOS-SSN port (139)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to Oracle DB port (1521)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on Oracle DB port (1521)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to POP3 port (110)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on POP3 port (110)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to PostgreSQL port (5432)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on PostgreSQL port (5432)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to Telnet port (23)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on Telnet port (23)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(23,23) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to RDP port (3389)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on RDP port (3389)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to SSH port (22)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on SSH port (22)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Firewall rule allows internet traffic to SMTP port (25)
Description: The RQL has been updated to use the new nested-array grammar so that it benefits from RQL optimization. The policy name and description have been updated to remove the word "internet".
Updated Policy Name: GCP Firewall rule allows all traffic on SMTP port (25)
Updated RQL:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Impact: No change in the number of alerts generated.
Policy Name: GCP Storage buckets are publicly accessible to all users, and GCP Storage buckets are publicly accessible to all authenticated users
Description: Updated Remediation CLI.
Impact: The remediation CLI will remove the allUsers and allAuthenticatedUsers public access from GCP cloud buckets.

Rest API Updates

No changes.
