1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2021
    7. Features Introduced in July 2021

    Features Introduced in July 2021

    Learn what’s new on Prisma™ Cloud in July 2021.

    New Features

    FEATURE
    DESCRIPTION
    Limited GA
     Support for Cloud Account Group Hierarchy With Nested Account Groups
    Prisma Cloud now supports nested account groups which enables you to nest, or, place account groups inside of each other. Organizations now have greater flexibility in how they map out their internal hierarchy and delegate permissions and alert rules.
    Create a nested account group by creating a parent and then add children to it. Select
    Settings
    Account Groups
    Add Account Group
    , and then create a parent account group by entering
    Name
     and
    Description
    ; select
    Make this a parent account group
    , and then select the account groups that you want to be its children.
    The hierarchy ( ) icon indicates that the account group you're trying to add is already included as a child of another parent. If you select such an account group in a new parent account group the child account will be migrated from the existing parent account group to the new one. This might result in alerts getting resolved since the account group might not be processed under the new parent.
    Prisma Cloud supports nested account groups 10-levels deep, and with 300-accounts at each level. Contact Prisma Cloud customer support to enable this feature on your tenant.
    Limited GA
     Support for Azure Resource Groups
    Support for Azure Resource Groups provides another level of role-based access or grouping in Prisma Cloud. Prisma Cloud now enables you to create Azure Resource Groups under
    Settings
    Resource Lists
    . When a Resource List with one or more Azure Resource Groups is created and attached to a role, users with that role will only have access to the assets and alert data in the Resource List thereby restricting their purview. You can filter based on Azure Resource Groups on the Asset Inventory page, the Investigate page, the Compliance pages, the Alerts Overview, and Alert and Compliance Reports.
    On the Sec Ops dashboard, Azure Resource Groups is not available as an explicit filter. However, the results shown will be implicitly filtered based on the Azure Resource Groups that are applied to the user's role when they log in to Prisma Cloud.
    Only System Admins can create Resource Groups. You can reach out to Prisma Cloud Customer Success if you want to try it on your Prisma Cloud instance.
    Update
     Improvement to the UEBA models and anomaly detection
    The UEBA models and anomaly detection capabilities on Prisma cloud are being improved to include
    assumerole
     events by default. As a result, if you have
    assumerole
     events in your logs, you may see an increase in the number of alerts generated for the
    Unusual User Activity
     and
    Account Hijacking Attempts
     policies.
    Update
     ServiceNow Notification Template
    You can use the following additional variables while configuring notifications using the ServiceNow template:
    • AccountAncestors
    • AccountOwners
    • GCP_ResourceLabel
    Notifications sent to Google Cloud Security Command Center (CSCC), Azure Queuing Service (AQS), Splunk, and Webhook will also contain:
    • AccountAncestors
    • AccountOwners
    You must be on the Alerts subsystem 2.0 to be able to use these additional variables.
    Integration with Amazon S3
    You can integrate Amazon S3 with Prisma Cloud to get notifications for configuration, audit, and anomaly policy violations.
    Alerts Visualization
    The three new visualizations on the
    Alerts Overview
     page are alert aggregations that help you decide which alerts to address first:
    • Alert Coverage
      —across various policies
    • Alerts By Severity
      —high, medium, and low
    • Top Incidents & Risks
    GCP Ancestry Information in the Alert Payload
    The GCP ancestry owner information is now available directly in the Alert Payload. It is displayed on the Alerts L2 page and is also included in the notifications.
    Update
    Ingestion for azure-event-hub-namespace
    The structure of the following Prisma API has been modified:
    azure-event-hub-namespace
    The JSON attributes
    firewallRules
     and
    virtualNetworkRules
    , which used to be present at the root level are now moved under the
    networkRuleSet
     JSON block; the
    firewallRules
     attribute is now renamed to
    ipRules
    . The
    zoneRedundant
     attribute which was previously under the properties section is now removed.
    Impact
    —There are Prisma Cloud System default policies that are impacted by this change. If you have custom policies, you must review the change in the JSON metadata structure and update the RQL for your custom policy.
    API Ingestions
    Azure Event Hubs
    azure-event-hub-namespace-private-endpoint-connections
    Additional permissions required—None
    Azure Event Hubs
    azure-event-hub
    Additional permissions required—None
    Azure Event Hubs
    azure-event-hub-cluster
    Additional permissions required—None
    Azure DNS
    azure-dns-recordsets
    Additional permissions required—None
    Azure DNS
    azure-dns-zones
    Additional permissions required—None
    Amazon EC2
    aws-ec2-ebs-encryption
    Additional permissions required—
    ec2:GetEbsEncryptionByDefault
    Amazon EC2
    aws-ec2-classic-instances
    Additional permissions required—None
    OCI Database
    oci-oracledatabase-bmvm-dbsystem
    Additional permissions required—
    db-system-inspect
    New
     JSON Array Operator in RQL
    You can use the
    ?all
     JSON array operator to specify conditions to return results when
    all
     of the array elements are satisfied.
    Example
    config from cloud.resource where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?all(egress is true and ruleAction contains deny)] exists

    New Policies and Policy Updates

    This release includes several important updates to Prisma Cloud Policies that results in a noticeable reduction in alert volume and significantly improves accuracy of the cloud misconfiguration alerts:
    • RQL updates of 18 Configuration policies
    • Deletion of 4 Configuration policies
    • Deletion of 12 Audit policies
    You will see many of the related policy violation alerts resolved immediately after the PCS 21.7.2 upgrade. Review the following list to note the policy deletions and RQL updates implemented and view the GitHub changelog.
    POLICY UPDATES
    DESCRIPTION
    New Policy
    Network Data Exfiltration Activity
    This new network anomaly detection policy uses machine learning to learn the normal traffic pattern of each virtual machine and alerts when there is an abnormal amount of egress traffic to known TOR exit nodes.
    AWS EBS volume region with encryption is disabled
    Identifies AWS regions in which newly created EBS volumes are not encrypted using an encryption key.
    It provides coverage for CIS v1.4.0 (AWS) section 2.2.1 and is a replacement for the existing
    AWS EBS volumes are not encrypted
     policy, which was earlier mapped to this CIS section.
    AWS EBS volume region with encryption is disabled
     is also mapped to other relevant compliance standards.
    AWS EBS volumes are not encrypted
     will be deleted in this release.
    config from cloud.resource where api.name = 'aws-ec2-ebs-encryption' AND json.rule = ebsEncryptionByDefault is false as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.region equals $.Y.regionName'; show X;
    Policy Updates—RQL
    AWS RDS instance with copy tags to snapshots disabled
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = 'dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
    AWS RDS instance is not encrypted
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-rds-describe-db-instances' AND json.rule='dbiResourceId does not equal null and storageEncrypted is false'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-rds-describe-db-instances' AND json.rule= 'engine is not member of ("sqlserver-ex") and  dbinstanceStatus equals available and dbiResourceId does not equal null' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '$.X.storageEncrypted does not exist or $.X.storageEncrypted is false or ($.X.storageEncrypted is true and $.X.kmsKeyId exists and $.Y.keyMetadata.keyState equals Disabled and $.X.kmsKeyId equals $.Y.keyMetadata.arn)'; show X;
    AWS EBS snapshot is not encrypted
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.encrypted is false
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.state equals completed and snapshot.encrypted is false
    AWS RDS retention policy less than 7 days
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = backupRetentionPeriod does not exist or backupRetentionPeriod less than 7
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (backupRetentionPeriod does not exist or backupRetentionPeriod less than 7)
    AWS RDS DB snapshot is encrypted using default KMS key instead of CMK
    Current
    config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '(X.snapshot.encrypted is true) and ($.X.snapshot.kmsKeyId equals $.Y.key.keyArn) and ($.Y.keyMetadata.keyManager does not equal CUSTOMER)' ; show X;
    Updated to
    config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.status equals available and snapshot.encrypted is true as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyManager does not equal CUSTOMER or (keyMetadata.keyManager equals CUSTOMER and keyMetadata.keyState equals Disabled) as Y; filter '$.X.snapshot.kmsKeyId equals $.Y.key.keyArn'; show X;
    AWS RDS instance with Multi-Availability Zone disabled
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(engine does not contain aurora and engine does not contain sqlserver and engine does not contain docdb) and (multiAZ is false or multiAZ does not exist)'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (engine does not contain aurora and engine does not contain sqlserver and engine does not contain docdb) and (multiAZ is false or multiAZ does not exist)
    AWS EBS Snapshot with access for unmonitored cloud accounts
    Current
    config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*].userId size != 0 and _AWSCloudAccount.isRedLockMonitored($.createVolumePermissions[*].userId) is false'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'snapshot.state equals completed and createVolumePermissions[*].userId size != 0 and _AWSCloudAccount.isRedLockMonitored($.createVolumePermissions[*].userId) is false'
    AWS Elastic Load Balancer v2 (ELBv2) listener that allow connection requests over HTTP
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
    AWS Elastic Load Balancer v2 (ELBv2) with access log disabled
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = "['attributes'].['access_logs.s3.enabled'] contains false"
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = "state.code contains active and ['attributes'].['access_logs.s3.enabled'] contains false"
    AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = '((listeners[*].protocol equals HTTPS or listeners[*].protocol equals TLS) and listeners[*].certificates[*].certificateArn does not exist) or listeners[*].protocol equals HTTP or listeners[*].protocol equals TCP or listeners[*].protocol equals UDP or listeners[*].protocol equals TCP_UDP'
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'state.code contains active and ((listeners[*].protocol equals HTTPS or listeners[*].protocol equals TLS) and listeners[*].certificates[*].certificateArn does not exist) or listeners[*].protocol equals HTTP or listeners[*].protocol equals TCP or listeners[*].protocol equals UDP or listeners[*].protocol equals TCP_UDP'
    AWS Network ACLs with Inbound rule to allow All Traffic
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = "(entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.ipv6CidrBlock=='::/0')].egress contains false) or (entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.cidrBlock=='0.0.0.0/0')].egress contains false)"
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = associations[*] is not empty and entries[?any( ruleAction equals allow and protocol equals -1 and (ipv6CidrBlock equals ::/0 or cidrBlock equals 0.0.0.0/0) and egress is false )] exists
    AWS Network ACLs with Outbound rule to allow All Traffic
    Current
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = "(entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.ipv6CidrBlock=='::/0')].egress contains true) or (entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.cidrBlock=='0.0.0.0/0')].egress contains true)"
    Updated to
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = associations[*] is not empty and entries[?any( ruleAction equals allow and protocol equals -1 and (ipv6CidrBlock equals ::/0 or cidrBlock equals 0.0.0.0/0) and egress is true )] exists
    Azure Virtual Machine is not assigned to an availability set
    Current
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.availabilitySet'] does not exist
    Updated to
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.availabilitySet'] does not exist and ['properties.priority'] does not equal Spot
    Azure Virtual Machine Boot Diagnostics Disabled
    The policy RQL has been updated to check for virtual machine’s power state and fixed false positive where Azure Spot instance virtual machine’s were created.
    Current
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false
    Updated to
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false
    Impact
    —Previously generated alerts for virtual machine’s that are stopped or deallocated and Azure Spot instance virtual machines will get resolved as Policy_Updated.
    Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK
    Current
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
    Updated to
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type is not member of ("EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys")'
    Azure SQL databases Defender setting is set to Off
    Current
    config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' as Y; filter "($.X.securityAlertPolicy.properties.state equals Disabled or $.X.securityAlertPolicy !exists or $.X.securityAlertPolicy.[*] isEmpty) and ($.X.blobAuditPolicy.id contains $.Y.sqlServer.name and $.Y.serverSecurityAlertPolicy.properties.state == Disabled or $.Y.serverSecurityAlertPolicy !exists or $.Y.serverSecurityAlertPolicy isEmpty)"; show X;
    Updated to
    config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = sqlDatabase.properties.status equals Online and (securityAlertPolicy.properties.state equals Disabled or securityAlertPolicy does not exist or securityAlertPolicy.[*] isEmpty) as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.state'] equals Ready and (serverSecurityAlertPolicy.properties.state equals Disabled or serverSecurityAlertPolicy does not exist or serverSecurityAlertPolicy isEmpty) as Y; filter "$.X.blobAuditPolicy.id contains $.Y.sqlServer.name"; show X;
    Impact
    —Previously generated alerts for non-active resources will be resolved as Policy_Updated.
    Alibaba Cloud disk automatic snapshot policy is disabled
    Current
    config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-disk' AND json.rule = 'enableAutomatedSnapshotPolicy is false'
    Updated to
    config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-disk' AND json.rule = status contains In_use and enableAutomatedSnapshotPolicy is false
    Alibaba Cloud ECS instance release protection is disabled
    Current
    config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-instance' AND json.rule = 'instanceChargeType equals PostPaid and deletionProtection is false'
    Updated to
    config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-instance' AND json.rule = status equals Running and instanceChargeType equals PostPaid and deletionProtection is false
    Policy Deletions
    Sensitive network configuration updates in AWS
    event from cloud.audit_logs where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
    Root user activities
    event from cloud.audit_logs where ip EXISTS AND user = 'root'
    AWS IAM sensitive configuration updates
    event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND operation IN ('UpdateAccountPasswordPolicy', 'DeleteAccountPasswordPolicy', 'UpdateAssumeRolePolicy', 'DeleteAccessKey', 'DeleteSAMLProvider', 'DeleteLoginProfile')
    AWS IAM sensitive activities by User
    event from cloud.audit_logs where operation IN ('AttachGroupPolicy', 'AttachRolePolicy', 'DeleteGroupPolicy', 'DeleteKeyPair', 'DeleteLogGroup')
    Sensitive permission exposed for website configuration updates of S3 buckets
    event from cloud.audit_logs where operation IN ( 'GetBucketWebsite', 'PutBucketWebsite', 'DeleteBucketWebsite')
    Sensitive configuration updates
    event from cloud.audit_logs where operation IN ('DeleteBucket', 'DeleteConfigRule', 'DeleteTrail', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')
    GCP Load balancer sensitive configuration updates
    event from cloud.audit_logs where operation IN ('v1.compute.urlMaps.update', 'v1.compute.urlMaps.delete', 'v1.compute.backendServices.delete', 'v1.compute.backendBuckets.delete', 'v1.compute.backendServices.update', 'v1.compute.globalForwardingRules.delete', 'v1.compute.urlMaps.delete', 'v1.compute.targetHttpsProxies.delete', 'v1.compute.targetHttpsProxies.setSslPolicy', 'v1.compute.targetHttpsProxies.setSslCertificates')
    Sensitive IAM updates
    event from cloud.audit_logs where operation IN ('google.iam.admin.v1.CreateServiceAccountKey', 'google.iam.admin.v1.DeleteServiceAccountKey', 'SetIamPolicy')
    Sensitive Network configuration updates in GCP
    event from cloud.audit_logs where operation IN ('v1.compute.networks.delete','beta.compute.networks.insert','v1.compute.routes.delete','v1.compute.firewalls.insert','v1.compute.firewalls.delete')
    Sensitive SQL instance updates
    event from cloud.audit_logs where operation IN ('cloudsql.instances.update','cloudsql.sslCerts.create','cloudsql.instances.create','cloudsql.instances.delete')
    Sensitive storage configuration updates
    event from cloud.audit_logs where operation IN ('storage.buckets.create', 'storage.setIamPermissions','storage.buckets.delete')
    Sensitive User Actions
    event from cloud.audit_logs where operation IN ('CreateCryptoKey','DestroyCryptoKeyVersion','v1.compute.disks.createSnapshot')
    AWS EBS volumes are not encrypted
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = 'encrypted is false'
    GCP VM Instances without any Label information
    config from cloud.resource where api.name= 'gcloud-compute-instances-list' AND json.rule = labels does not exist AND (status equals RUNNING and name does not start with "gke-")
    Azure Virtual Machine does not have endpoint protection installed
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = Extensions[*] does not contain EndpointSecurity and Extensions[*] does not contain TrendMicroDSA and Extensions[*] does not contain Antimalware and Extensions[*] does not contain EndpointProtection and Extensions[*] does not contain SCWPAgent and Extensions[*] does not contain PortalProtectExtension and Extensions[*] does not contain FileSecurity
    AWS EBS volume not encrypted using Customer Managed Key
    config from cloud.resource where api.name = 'aws-ec2-describe-volumes' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '$.X.encrypted is true and $.X.kmsKeyId equals $.Y.key.keyArn and $.Y.keyMetadata.keyManager contains AWS'; show X;

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    CIS AWS v.1.4.0
    New compliance support for CIS Amazon Web Services Foundations Benchmark v.1.4.0 that supersedes the legacy version 1.3.0. The AWS services in scope for this benchmark include:
    • AWS Identity and Access Management (IAM)
    • IAM Access Analyzer
    • AWS Config
    • AWS CloudTrail
    • AWS CloudWatch
    • AWS Simple Notification Service (SNS)
    • AWS Simple Storage Service (S3)
    • Elastic Compute Cloud (EC2)
    • Relational Database Service (RDS)
    • AWS VPC
    Impact
    —v.1.4.0 supersedes version 1.3.0, so consider using this new version. CIS AWS v.1.3.0 on Prisma Cloud will be deprecated and support will be removed in a future release.
    CSA CCM v.4.0.1
    New CSA Cloud Controls Matrix (CCM) compliance v.4.0.1 support for AWS, Azure, Alibaba, GCP, and OCI.

    REST API Updates

    Change
    Description
    Limited GA
     Cloud Account Ancestors for GCP
    The response objects for the endpoints listed below will include an array of up to ten account ancestors in a new attribute called
    cloudAccountAncestors
     for GCP cloud accounts.
    • GET /v2/alert
    • POST /v2/alert

    New Features

    FEATURE
    DESCRIPTION
    Account Owner Details For Azure and GCP Accounts
    Prisma Cloud now displays the account owners associated with the Azure and GCP cloud accounts in a new column in the details from
    Alerts
    Overview
    .
    When you filter for the GCP and Azure cloud types on
    Alerts
    Overview
    , and click the link in the
    Alerts
     column, the
    Violating Resources
     table displays.
    The
    Account Owners
    column displays up to five account owners associated with a cloud account in alphabetical order; this column will display by default, but if no values are present then this column will be grayed out. For offline access, when you download ( ) the list of resources the
    Account Owners
     information is included in the CSV file.
    You must be on the Alerts subsystem 2.0 to view the account owner column. To identify the alerts subsystem version on your Prisma Cloud instance, select
    Alerts
    Overview
     and check for the
    Version: 2
     above the filter ( ) icon.
    Support for Europe Central 2 region on GCP
    Prisma Cloud can now ingest data on your resources deployed in the GCP Warsaw region 'Europe Central 2'.
    Filters
    Change in Behavior
    When saving filters on
    Alerts
    Overview
    , the time range is saved with the other filters you apply and the choices are preserved for the session.
    If you apply a saved filter that has fewer filters than your current preserved session, the additional filters will remain but the selections will be cleared out so that they are not applied, and you will see a combination of your saved filters and your current session filters.
    API Ingestion
    Google Cloud Task
    gcloud-cloud-task
    The permissions are included in the primitive Viewer role.

    New Policies and Policy Updates

    POLICY UPDATES
    DESCRIPTION
    Azure Active Directory Security Defaults is disabled
    Identifies Azure AD that has security defaults disabled which could impact alerts being generated for all Azure AD with this setting. This policy is mapped to CIS Azure 1.2.0, section 1.3.0, compliance standard 1.22. 
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-enforcement-policy' AND json.rule = isEnabled is false
    Azure AD Users can consent to apps accessing company data on their behalf is enabled
    Identifies Azure AD which has the following setting enabled:
    Users can consent to apps accessing company data on their behalf
    . This could impact alerts being generated for all Azure AD which has this setting enabled. This policy is mapped to CIS Azure 1.1.0, sections 1.2.0 and 1.3.0, compliance standard 1.9.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = permissionGrantPolicyIdsAssignedToDefaultUserRole[*] contains microsoft-user-default-legacy
    GCP Storage Bucket should not log to itself
    Identifies GCP storage buckets that are sending logs to themselves. When storage buckets use the same bucket to send their access logs, a loop of logs will be created which is not recommended. As a best practice, spin up new and different log buckets for storage bucket logging.
    config from cloud.resource where cloud.type = 'gcp' AND api.name= 'gcloud-storage-buckets-list' AND json.rule = logging.logBucket equals $.name
    GCP Storage Bucket is not configured with default event-based hold
    Identifies GCP storage buckets that are not configured with default event-based hold. This setting enables you to protect individual objects which allows an object to persist in your bucket for a specified length of time after a given event occurs.
    Policy descriptions update
    The following policies descriptions have been updated:
    • AWS EMR cluster is not enabled with local disk encryption using CMK
    • AWS EMR cluster is not enabled with local disk encryption
    The word
    slave
     was removed from the policy description.
    Impact
    —No changes on alerts.

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    NIST CSF 1.1
    The NIST Cybersecurity Framework v.1.1 compliance standard is being updated with more policy mappings across all clouds—AWS, Azure, Alibaba, GCP, and OCI.

    REST API Updates

    Change
    Description
    Cloud Account Owners for Azure and GCP
    The response object for Alert endpoints will include an array that lists up to five account owners in a new attribute called
    cloudAccountOwners
     for the Azure and GCP cloud accounts.
    In the
    CloudResourceModel
     object the new attribute
    cloudAccountOwners
     is included for the following endpoints:
    • GET /v2/alert
    • POST /v2/alert

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo