Features Introduced in January 2021

Learn about the new features introduced on Prisma Cloud in January 2021.

New Features Introduced in 21.1.2

New Features

Feature
Description
Limited GA
IAM Security
Prisma Cloud IAM Security automatically calculates effective permissions across cloud service providers, detects overly permissive access and suggests corrections to reach least privilege entitlements. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment.
If you use Okta as your IdP, enable the Okta integration to federate user identity easily. Prisma Cloud ingests single sign-on (SSO) data for an effective permissions calculation and lists the effective permissions of Okta users across cloud accounts. You can then leverage RQL and query for identity-related entitlements and events to investigate and address issues to gain control over your cloud entitlements.
Suppression of Anomaly Alerts for Trusted Resources
The Anomaly Trusted List includes support for more resources for which you can suppress alerts. You can now specify a Machine Image ID, Tag associated with a cloud resource, Cloud Service name, or a Resource identifier for supported cloud providers, and list the anomaly policies against which you do not want to generate alerts.
For example, if the JSON metadata for your VM on Azure has the following tag:
"tags": {
"purpose": "ds-flowlogs-bucket"
}
Key = purpose
Value = ds-flowlogs-bucket
You must provide the key and the value from the JSON element as the
Key
and the
Value
when you add the tag to the Anomaly Trusted list.
Support for APRA CPS 234 Compliance Standard
Prisma Cloud adds support for the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 234 regulatory standard. This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats. The Prisma Cloud default policies that are mapped to this standard enable continuous monitoring of your organisation’s cyber risk profile.
Custom Data Patterns and Data Profiles for Prisma Cloud Data Security
Prisma Cloud Data Security is GA now! Beyond the predefined data patterns and profiles, you now can define a data pattern from scratch, and also create a data profile with a collection of data patterns that meet your content scanning needs on
Settings
Data
.
A data pattern can use a combination of content analysis techniques—regular expressions, and proximity keywords—to identify the content and rate it with a low to high confidence score.
RQL Function—_IPAddress.areAllInCIDRRange()
RQL introduces a new function
_IPAddress.areAllInCIDRRange()
that confirms whether
all
the IP addresses assigned to a resource are within a specified CIDR block. It provides a yes or no answer to your question, “Do my databases have all IP addresses in the 10.0.0.0/24 IP address range?“.This differs slightly from the existing _IPAddress.inCIDRRange() function, which returns true if at least one of the given IP addresses fall within the specified CIDR range.
The function takes two arguments
_IPAddress.areAllInCIDRRange(Resource,CIDR)
. The first argument allows you to specify the metadata within the resource configuration where you want to look that contains the IP address(es) and the second argument is a CIDR block to match. For example:
config from cloud.resource where api.name = 'aws-ec2-describe-network-interfaces' AND json.rule = _IPAddress.areAllInCIDRRange(privateIpAddresses[*].privateIpAddress,172.31.67.71/24) is true
returns a list of network interfaces that have private IP addresses that all fall entirely within the 172.31.67.71/24 CIDR block.
Permission Group Enhancement for Access to Prisma Cloud Compute Only
When assigning administrative permissions on Prisma Cloud, you can now grant granular access for Prisma Cloud Compute capabilities only, and restrict access to the rest of the Prisma Cloud administrator console.
For the Account and Cloud Provisioning Admin, Account Group Admin, and Account Group Read Only roles, you can enable the
Only for Compute capabilities
option to allow access to the
Compute
and
Settings
Access Keys
page on the Prisma Cloud administrator console.
API Ingestion
Azure Cloud Delivery Network (CDN)
  • azure-cdn-profile
  • azure-cdn-endpoint
Additional permissions required are:
Microsoft.Cdn/profiles/read
Microsoft.Cdn/profiles/endpoints/read
Microsoft.Cdn/profiles/endpoints/customdomains/read
The Reader role includes the permissions
Google Compute Engine
gcloud-compute-target-ssl-proxy
Additional permissions required are:
compute.targetSslProxies.list
Both the Project Viewer role and Compute Network Viewer role include the permission.
Google Cloud Load Balancing
gcloud-compute-regional-forwarding-rule

New Policies and Policy Updates

Policy Name
Description
New Policies
AWS Application Load Balancer (ALB) is not using the latest predefined security policy
Identifies Application Load Balancers (ALBs) that are not using the latest predefined security policy. It is a best practice to use the latest predefined security policy which uses only secured protocol and ciphers.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals application and listeners[?any(protocol equals HTTPS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists
AWS Database Migration Service (DMS) has expired certificates
Identifies expired certificates that are in the AWS Database Migration Service (DMS). It is a best practice to delete expired certificates.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-dms-certificate' AND json.rule = '_DateTime.ageInDays(validToDate) > -1'
AWS Glue connection do not have SSL configured
Identifies Glue connections that are not configured with SSL to encrypt connections. It is a best practice to use a SSL connection with hostname matching enforced for the DB connection on a client; enforcing SSL connections protect against 'man in the middle' attacks by encrypting the data stream between connections.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-glue-connection' AND json.rule = (connectionType equals KAFKA and connectionProperties.KAFKA_SSL_ENABLED is false) or (connectionType does not equal KAFKA and connectionProperties.JDBC_ENFORCE_SSL is false)
AWS EBS snapshot is not encrypted
Identifies Elastic Block Store (EBS) snapshots which are not encrypted. As a best practice implement encryption to protect sensitive information from unauthorized access.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.encrypted is false
AWS Elastic Load Balancer v2 (ELBv2) with invalid security groups
Identifies ELBv2 load balancers that do not have security groups with a valid inbound or outbound rule. ELBv2 security groups should have at least one inbound or outbound rule, as ELBs will deny all incoming/outgoing traffic to or from any resources configured behind that ELBv2 rendering it ineffective.
config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissions[*] is empty or ipPermissionsEgress[*] is empty as Y; filter '$.X.securityGroups[*] contains $.Y.groupId'; show X;
AWS Network Load Balancer (NLB) is not using the latest predefined security policy
Identifies Network Load Balancers (NLBs) that are not using the latest predefined security policy. It is a best practice to use the latest predefined security policy which uses only secured protocol and ciphers.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals network and listeners[?any(protocol equals TLS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists
AWS SQS queue access policy is overly permissive
Identifies Simple Queue Service (SQS) queues that have an overly permissive access policy. It is a best practice to have the least privileged access policy to protect the SQS queue from data leakage and unauthorized access.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Principal equals * and Effect equals Allow)] exists
Azure PostgreSQL Database Server Firewall rule allow access to all IPV4 address
Identifies Azure PostgreSQL Database Server which has Firewall rule that allow access to all IPV4 addresses.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Azure Security Center Defender set to Off for App Service
Identifies that the Defender setting for Azure SQL database server is set to off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals AppServices and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to Off for Key Vault
Identifies that the Defender setting for Key Vault is set to Off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals KeyVaults and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to Off for Kubernetes
Identifies that the Defender setting for Kubernetes is set to Off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals KubernetesService and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to Off for Servers
Identifies that the Defender setting for Servers is set to Off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals VirtualMachines and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to Off for Storage
Identifies that the Defender setting for Storage is set to Off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals StorageAccounts and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to On for Azure SQL database servers
Identifies that the Defender setting for Azure SQL database servers is set to Off in Azure Security Center.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals SqlServers and properties.pricingTier does not equal Standard)] exists
Azure SQL Servers Firewall rule allow access to all IPV4 addresses
Identifies Azure SQL Servers which has firewall rule that allow access to all IPV4 address. Having a firewall rule with start IP being 0.0.0.0, and end IP being 255.255.255.255, would allow access to the SQL server from any host on the Internet. It is a best practice not to use this type of firewall rule on any SQL server.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = firewallRules[?any(startIpAddress equals 0.0.0.0 and endIpAddress equals 255.255.255.255)] exists
Azure Virtual machine NIC has IP forwarding enabled
Identifies Azure Virtual machine NICs which have IP forwarding enabled.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nic-list' AND json.rule = ['properties.virtualMachine'].id is not empty and ['properties.enableIPForwarding'] exists and ['properties.enableIPForwarding'] is true
GCP GCR Container Vulnerability Scanning is disabled
Identifies GCP accounts where GCR Container Vulnerability Scanning is not enabled. It is a best practice to enable vulnerability scanning for images stored in Google Container Registry.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any( config.name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist
GCP Kubernetes cluster shielded GKE node with Integrity Monitoring disabled
Identifies GCP Kubernetes cluster shielded GKE nodes that are not enabled with Integrity Monitoring. Integrity Monitoring provides active alerting for Shielded GKE nodes which allows administrators to respond to integrity failures and prevent compromised nodes from being deployed into the cluster.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = nodePools[?any(config.shieldedInstanceConfig.enableIntegrityMonitoring does not exist or config.shieldedInstanceConfig.enableIntegrityMonitoring is false)] exists
GCP Kubernetes cluster shielded GKE node with Secure Boot disabled
Identifies GCP shielded GKE nodes with Secure Boot disabled. This allows attackers to alter boot components to persist malware or root kits during system initialization. As a best practice, enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = nodePools[?any(config.shieldedInstanceConfig.enableSecureBoot does not exist or config.shieldedInstanceConfig.enableSecureBoot is false)] exists
GCP Kubernetes Engine cluster not using Release Channel for version management
Identifies GCP Kubernetes Engine clusters that are not using Release Channel for version management. Subscribing to a specific release channel reduces version management complexity.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = releaseChannel.channel does not exist
GCP Kubernetes Engine cluster workload identity is disabled
Identifies GCP Kubernetes Engine clusters for which workload identity is disabled. Manual approaches for authenticating Kubernetes workloads violates the principle of least privilege on a multi-tenanted node when one pod needs to have access to a service, but every other pod on the node that uses the service account does not. Enabling Workload Identity manages the distribution and rotation of Service account keys for the workloads to use.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = (workloadIdentityConfig[*] does not exist and nodePools[?any(config.workloadMetadataConfig does not exist )] exists) or (workloadIdentityConfig[*] exists and (nodePools[?any(config.workloadMetadataConfig does not contain GKE_METADATA)] exists))
Policy Updates—RQL and Metadata
AWS Application Load Balancer (ALB) listener that allow connection requests over HTTP
Policy RQL has been updated with new nested RQL grammar to leverage the advantage of RQL optimization. The policy name and recommendation steps have been updated to make it generic to various ELBv2 types instead of ALB only.
Impact
—No impact on alerts.
AWS Elastic Load Balancer v2 (ELBv2) Application Load Balancer (ALB) with access log disabled
Policy name and recommendation steps have been updated to make it generic to various ELBv2 types instead of ALB only.
Impact
—No impact on alerts.
AWS IAM policy allows full administrative privileges
The RQL is updated with new nested RQL grammar and is optimized to evaluate multiple entries of policy statements for more accuracy.Policy recommendation steps are also updated.
Updated RQL
—The updated RQL is:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = 'document.Statement[?any(Action equals * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)'
Impact
—With this change, open alerts that are no longer identified as policy violations will be resolved as Policy_Updated.
GCP IAM primitive roles are in use
Identifies GCP IAM users with primitive roles. Primitive roles (owner/editor) existed prior to GCP IAM and provides broader access to resources making them prone to attacks. Predefined roles provide more granular controls and should therefore be used.
Updated RQL
—The updated RQL is:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-projects-get-iam-user' AND json.rule = '(user does not contain appspot.gserviceaccount.com and user does not contain developer.gserviceaccount.com and user does not contain cloudservices.gserviceaccount.com and user does not contain system.gserviceaccount.com and user does not contain cloudbuild.gserviceaccount.com) and (roles contains roles/editor or roles contains roles/owner)'
Impact
—With this change, default service and Google managed service accounts will now be excluded from alerts.
Internet exposed instances policy name has been updated
The policy name has been updated to 'Instances exposed to network traffic from the internet.' The policy name has been updated to differentiate Risk from Incident type policies.
Publicly exposed DB Ports policy name has been updated
The policy name has been updated to 'DB ports exposed to network traffic from the internet.' The policy name has been updated to differentiate Risk from Incident type policies.

Rest API Updates

Change
Description
Anomaly Trusted List APIs
The Anomaly Trusted List APIs support the following new trusted list types:
  • resource
    : Resource ID
  • image
    : Machine image ID
  • tag
    : Tag
  • service
    : Service name
As a result, the response objects for the following APIs include some new attributes:
  • GET /anomalies/trusted_list
  • GET /anomalies/trusted_list/{id}
And the request object for the following APIs include some new optional body parameters:
  • POST /anomalies/trusted_list
  • PUT /anomalies/trusted_list/{id}
The new attributes/parameters are in a nested object that describes the network anomaly trusted list entry. This nested object includes the following new attributes/parameters:
  • resourceID
  • imageID
  • tagKey
  • tagValue
  • service
New attributes for some Cloud Account and Account Group API response objects
The response objects for the following APIs currently include some new attributes:
  • GET /cloud/{cloud_type}/{id}
  • GET /cloud
  • GET /cloud/{cloud_type}/{id}/project
The new attributes are in a nested object that describes the account group info. This nested object includes two new attributes:
  • groupId
    : The account group ID
  • autoCreated
    : Whether or not the group was auto-created

New Features

Feature
Description
Support for CIS Microsoft Azure Foundations Benchmark v.1.2.0
Prisma Cloud adds support for CIS Microsoft Azure Foundations Benchmark v.1.2.0, which includes policy checks for the following Azure services—Identity and Access Management, Security Center, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, Other Security Considerations, and AppService.
Expanded Scope for Anomaly Trusted List
For a resource that is identified as the trigger or
violating resource
in an Anomaly alert, you can now suppress alerts for all traffic where the IP address of the resource is involved as the source or the destination for the associated network flows.
With this enhancement, when you add an IP address to the
Anomalies Trusted List
and specify the anomaly policies for which to suppress alerts, Prisma Cloud will not generate alerts for any network flow where the IP address is identified as the source or destination host.
For example, anomaly policies that identify unusual activities which use an unusual port or protocol, previously allowed you to suppress alerts for the first targeted host (destination) only. The details for the first targeted host was displayed as the
Resource Name
associated with the Anomaly alert. If the same IP address was the client that originated the flow (or source host) and not the destination, the alert was not suppressed. With this enhancement, all alerts for the policy are suppressed regardless of whether the IP address (resource name identified in the Anomaly alert) is the client (source) or target (destination) host.
An anomaly alert for unusual port scan activity in the following example is suppressed
when you add the IP address—194.61.53.242—to the Anomaly Trusted List. Prisma Cloud will not generate any alerts where the IP address is either the source or destination IP address.
Bitbucket Server Plugin for Scanning IaC Templates
Try the new Bitbucket Server plugin to perform IaC scans on Bitbucket pull requests and check them against Prisma Cloud default policies, or the custom policies that you define; this allows you to mitigate security or compliance risks in your DevOps processes and provides visibility on the scan results on the
Inventory
DevOps
.
The Bitbucket Server plugin performs a full repository scan for the branch that the pull request was made on, and if policy violations exceed the severity-based criteria that you defined, then the pull request will be blocked.
AWS CodePipelines IaC Scan Plugin Update
The AWS CodePipelines plugin is updated to support the IaC Scan v2 API, and it replaces custom actions with a simplified docker-based CodeBuild solution.
Custom actions are no longer supported.
API Ingestion
AWS Direct Connect
aws-direct-connect-interface
Additional permission required is:
directconnect:DescribeVirtualInterfaces
The Security Audit role includes the permission.
AWS Glue
aws-glue-connection
Azure SQL Database
azure-sql-server-list
Additional permissions required are:
Microsoft.Sql/servers/vulnerabilityAssessments/read
The Reader role includes the permission, and the azure_prisma_cloud_read_only_role.json will be updated to include the permissions.
Azure Security Center
azure-security-center-settings
Additional permissions required are:
Microsoft.Security/settings/read
The Reader role includes the permission, and the azure_prisma_cloud_read_only_role.json will be updated to include the permissions.
Azure Storage
azure-storage-account-list
No new permissions, the Reader role includes the required permissions.

Updates to Existing Behavior

Feature
Description
Skip Ingestion of high Volume Audit Event Metadata from Azure
Owing to the amount of data generated for Azure activity logs—for the RQL query
event from cloud.audit_logs where cloud.type = 'azure'
— the following event metadata will no longer be ingested on Prisma Cloud:
  • 'auditIfNotExists' policy action
  • (EndRequest) - Microsoft.Insights/AutoscaleSettings/Flapping/Action (Flapping)
  • Health Event Activated
  • Microsoft.Authorization/policies/append/action (EndRequest)

New Policies and Policy Updates

Policy Name
Description
New Policies
AWS Elastic Load Balancer v2 (ELBv2) SSL negotiation policy configured with weak ciphers
Identifies Elastic Load Balancers v2 (ELBv2) which are configured for SSL negotiation with weak ciphers. As a best practice, use only the ciphers recommended in the AWS documentation.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = listeners[?any(sslPolicy contains ELBSecurityPolicy-TLS-1-0-2015-04)] exists
AWS Elastic Load Balancer v2 (ELBv2) with deletion protection feature disabled
Identifies Elastic Load Balancers v2 (ELBv2) which are configured with the deletion protection feature disabled. Enabling delete protection for these ELBs prevents irreversible data loss resulting from accidental or malicious operations.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = "['attributes'].['deletion_protection.enabled'] contains false"
AWS IAM role/user with unused CloudTrail delete or full permission
Identifies IAM roles/users that have unused CloudTrail delete permission or CloudTrail full permissions. As a best practice grant the least privilege access to perform a task and limit unintended access to your critical CloudTrail infrastructure.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = 'document.Statement[?any(Action equals * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)'
AWS S3 buckets with overly permissive to VPC endpoints policy
Identifies S3 buckets that have the bucket policy overly permissive to VPC endpoints. As a best practice, follow the principle of least privileges to ensure that the VPC endpoints have only the necessary permissions instead of full permission on S3 operations.
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = 'policy.Statement[?any((Condition.StringNotEquals contains aws:sourceVpce and Effect equals Deny and (Action contains s3:* or Action[*] contains s3:*)) or (Condition.StringEquals contains aws:SourceVpce and Effect equals Allow and (Action contains s3:* or Action[*] contains s3:*)))] exists'
Azure App Services FTP deployment is all allowed
Identifies Azure app services which has FTP deployment setting as 'all allowed' because it increases risk of attackers gaining full control of the app or service. As a best practice, use FTPS if FTP deployment for workflow is essential, otherwise, disable the FTP deployment for Azure App Services.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = config.ftpsState equals AllAllowed
Azure custom role administering resource locks not assigned
Identifies Azure Custom Role Administering Resource Locks that are not assigned to any user. As a best practice, create a custom role for Resource Locks and assign to appropriate user.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-role-assignment' AND json.rule = (properties.roleDefinition.properties.type equals CustomRole and (properties.roleDefinition.properties.permissions[?any((actions[*] equals Microsoft.Authorization/locks/delete and actions[*] equals Microsoft.Authorization/locks/read and actions[*] equals Microsoft.Authorization/locks/write) or actions[*] equals Microsoft.Authorization/locks/*)] exists) and (properties.roleDefinition.properties.permissions[?any(notActions[*] equals Microsoft.Authorization/locks/delete or notActions[*] equals Microsoft.Authorization/locks/read or notActions[*] equals Microsoft.Authorization/locks/write or notActions[*] equals Microsoft.Authorization/locks/*)] does not exist)) as X; count(X) less than 1References:
Azure Key Vault diagnostics logs are disabled
Identifies Azure Key Vault that have not enabled diagnostics logs.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = diagnosticSettings.value[*] size equals 0
Azure PostgreSQL database server ‘Allow access to Azure services’ enabled
Identifies Azure PostgreSQL database servers that have the 'Allow access to Azure services' settings enabled and accepts connections from all Azure resources including resources in other subscriptions. As a best practice, use firewall rules or VNET rules to allow access from specific network ranges or virtual networks.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[*].properties.startIpAddress equals 0.0.0.0 and firewallRules.value[*].properties.endIpAddress equals 0.0.0.0
Azure Storage account encryption customer managed keys disabled
Identifies Azure Storage accounts that are not enabled for encryption using customer managed keys. By default, all data at rest in Azure Storage account is encrypted using Microsoft Managed Keys. As a best practice, use customer managed keys to encrypt data in Azure Storage accounts.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.encryption.keySource equals "Microsoft.Storage"
Azure Virtual Machines are not utilizing Managed Disks
Identifies Azure Virtual Machines which are not utilizing Managed Disks. This impacts alerts for virtual machines where traditional BLOB based VHDs are used.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.storageProfile'].['osDisk'].['vhd'].['uri'] exists
Azure Virtual Machine scale sets are not utilizing managed disks
Identifies Azure Virtual Machines scale sets that are not utilizing Managed Disks. This policy will generate alerts for all virtual machines that use traditional BLOB-based Virtual Hard Disks (VHDs).
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.storageProfile'].['osDisk'].['vhd'].['uri'] exists
Policy Updates—RQL and Metadata
Internet connectivity via TCP over insecure port
  • RQL has been updated to exclude Azure and GCP ELB resources.
  • Description and Recommendations have been updated to be applicable for all cloud providers.
Updated RQL
—The updated RQL is
network from vpc.flow_record where src.ip=0.0.0.0 AND protocol='TCP' AND dest.port IN (21,23,80) AND source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) AND dest.resource IN ( resource where role not in ( 'AWS ELB', 'AWS NAT Gateway', 'AZURE ELB', 'GCP ELB' )) AND accepted.bytes > 0
Impact
—Alerts generated for Azure and GCP ELB resources will be resolved as Policy_Updated.
AWS default security group does not restrict all traffic
The policy description and recommendation steps have been updated to remove the word
internet
.
Impact
—No impact to existing alerts.
AWS EKS cluster security group overly permissive to all traffic
  • RQL has been updated with new grammar (nested array).
  • The policy description and recommendation steps have been updated to remove the word
    internet.
Impact
—No impact to existing alerts.
AWS Security Group overly permissive to all traffic
  • RQL has been updated with new grammar (nested array) to check for TCP, UDP, ICMP and ICMPv6.
  • The policy description and recommendation steps have been updated to remove the word
    internet.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[?any((ipProtocol equals tcp or ipProtocol equals icmp or ipProtocol equals icmpv6 or ipProtocol equals udp) and (ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0))] exists)
Impact
—Existing open alerts will be resolved as Policy_Updated for protocol -1(all), and new alerts will be generated using the revised query.
AWS Security Group allows all traffic on ports which are not commonly used
  • RQL has been updated with new grammar (nested array).
  • The policy name and description has been updated to remove the word
    internet.
Impact
—No impact to existing alerts.
AWS security groups with inbound rule overly permissive to all traffic
  • The RQL has been updated with new grammar (nested array).
  • The policy name, description, and recommendation steps have been updated to remove the word
    internet.
Impact
—No impact to existing alerts.

Rest API Updates

Change
Description
Infrastructure-As-Code (IaC) Scan APIs Version 2
Two new IaC Scan APIs are available:
  • GET /iac/v2/scans
    returns a list of IaC scans
  • GET /iac/v2/scans/export
    exports an assets scans report
New query parameters for some Cloud Account and Account Group APIs
The following APIs have new query parameters to offer more control over API performance:
  • For the cloud accounts API, the following optional query parameters enable you to include or exclude account groups:
    • GET /cloud
    • GET /cloud/{cloud_type}/{id}
    • GET /cloud/{cloud_type}/{id}/project
  • For the account group API, the following optional query parameters enable you to include or exclude cloud account information:
    • GET /cloud/group
    • GET /cloud/group/{id}
In support of these options, the response object for GET /cloud/group/{id} includes new attributes related to the cloud accounts with which the requested account group is associated.

Recommended For You