Features Introduced in July 2021

Learn what’s new on Prisma™ Cloud in July 2021.

New Features

FEATURE
DESCRIPTION
Limited GA
Support for Cloud Account Group Hierarchy With Nested Account Groups
Prisma Cloud now supports nested account groups which enables you to nest, or, place account groups inside of each other. Organizations now have greater flexibility in how they map out their internal hierarchy and delegate permissions and alert rules.
Create a nested account group by creating a parent and then add children to it. Select
Settings
Account Groups
Add Account Group
, and then create a parent account group by entering
Name
and
Description
; select
Make this a parent account group
, and then select the account groups that you want to be its children.
The hierarchy ( ) icon indicates that the account group you're trying to add is already included as a child of another parent. If you select such an account group in a new parent account group the child account will be migrated from the existing parent account group to the new one. This might result in alerts getting resolved since the account group might not be processed under the new parent.
Prisma Cloud supports nested account groups 10-levels deep, and with 300-accounts at each level. Contact Prisma Cloud customer support to enable this feature on your tenant.
Limited GA
Support for Azure Resource Groups
Support for Azure Resource Groups provides another level of role-based access or grouping in Prisma Cloud. Prisma Cloud now enables you to create Azure Resource Groups under
Settings
Resource Lists
. When a Resource List with one or more Azure Resource Groups is created and attached to a role, users with that role will only have access to the assets and alert data in the Resource List thereby restricting their purview. You can filter based on Azure Resource Groups on the Asset Inventory page, the Investigate page, the Compliance pages, the Alerts Overview, and Alert and Compliance Reports.
On the Sec Ops dashboard, Azure Resource Groups is not available as an explicit filter. However, the results shown will be implicitly filtered based on the Azure Resource Groups that are applied to the user's role when they log in to Prisma Cloud.
Only System Admins can create Resource Groups. You can reach out to Prisma Cloud Customer Success if you want to try it on your Prisma Cloud instance.
Update
Improvement to the UEBA models and anomaly detection
The UEBA models and anomaly detection capabilities on Prisma cloud are being improved to include
assumerole
events by default. As a result, if you have
assumerole
events in your logs, you may see an increase in the number of alerts generated for the
Unusual User Activity
and
Account Hijacking Attempts
policies.
Update
ServiceNow Notification Template
You can use the following additional variables while configuring notifications using the ServiceNow template:
  • AccountAncestors
  • AccountOwners
  • GCP_ResourceLabel
Notifications sent to Google Cloud Security Command Center (CSCC), Azure Queuing Service (AQS), Splunk, and Webhook will also contain:
  • AccountAncestors
  • AccountOwners
You must be on the Alerts subsystem 2.0 to be able to use these additional variables.
Integration with Amazon S3
You can integrate Amazon S3 with Prisma Cloud to get notifications for configuration, audit, and anomaly policy violations.
Alerts Visualization
The three new visualizations on the
Alerts Overview
page are alert aggregations that help you decide which alerts to address first:
  • Alert Coverage
    —across various policies
  • Alerts By Severity
    —high, medium, and low
  • Top Incidents & Risks
GCP Ancestry Information in the Alert Payload
The GCP ancestry owner information is now available directly in the Alert Payload. It is displayed on the Alerts L2 page and is also included in the notifications.
Update
Ingestion for azure-event-hub-namespace
The structure of the following Prisma API has been modified:
azure-event-hub-namespace
The JSON attributes
firewallRules
and
virtualNetworkRules
, which used to be present at the root level are now moved under the
networkRuleSet
JSON block; the
firewallRules
attribute is now renamed to
ipRules
. The
zoneRedundant
attribute which was previously under the properties section is now removed.
Impact
—There are Prisma Cloud System default policies that are impacted by this change. If you have custom policies, you must review the change in the JSON metadata structure and update the RQL for your custom policy.
API Ingestions
Azure Event Hubs
azure-event-hub-namespace-private-endpoint-connections
Additional permissions required—None
Azure Event Hubs
azure-event-hub
Additional permissions required—None
Azure Event Hubs
azure-event-hub-cluster
Additional permissions required—None
Azure DNS
azure-dns-recordsets
Additional permissions required—None
Azure DNS
azure-dns-zones
Additional permissions required—None
Amazon EC2
aws-ec2-ebs-encryption
Additional permissions required—
ec2:GetEbsEncryptionByDefault
Amazon EC2
aws-ec2-classic-instances
Additional permissions required—None
OCI Database
oci-oracledatabase-bmvm-dbsystem
Additional permissions required—
db-system-inspect
New
JSON Array Operator in RQL
You can use the
?all
JSON array operator to specify conditions to return results when
all
of the array elements are satisfied.
Example
config from cloud.resource where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?all(egress is true and ruleAction contains deny)] exists

New Policies and Policy Updates

This release includes several important updates to Prisma Cloud Policies that results in a noticeable reduction in alert volume and significantly improves accuracy of the cloud misconfiguration alerts:
  • RQL updates of 18 Configuration policies
  • Deletion of 4 Configuration policies
  • Deletion of 12 Audit policies
You will see many of the related policy violation alerts resolved immediately after the PCS 21.7.2 upgrade. Review the following list to note the policy deletions and RQL updates implemented and view the GitHub changelog.
POLICY UPDATES
DESCRIPTION
New Policy
Network Data Exfiltration Activity
This new network anomaly detection policy uses machine learning to learn the normal traffic pattern of each virtual machine and alerts when there is an abnormal amount of egress traffic to known TOR exit nodes.
AWS EBS volume region with encryption is disabled
Identifies AWS regions in which newly created EBS volumes are not encrypted using an encryption key.
It provides coverage for CIS v1.4.0 (AWS) section 2.2.1 and is a replacement for the existing
AWS EBS volumes are not encrypted
policy, which was earlier mapped to this CIS section.
AWS EBS volume region with encryption is disabled
is also mapped to other relevant compliance standards.
AWS EBS volumes are not encrypted
will be deleted in this release.
config from cloud.resource where api.name = 'aws-ec2-ebs-encryption' AND json.rule = ebsEncryptionByDefault is false as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.region equals $.Y.regionName'; show X;
Policy Updates—RQL
AWS RDS instance with copy tags to snapshots disabled
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = 'dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
AWS RDS instance is not encrypted
Current
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-rds-describe-db-instances' AND json.rule='dbiResourceId does not equal null and storageEncrypted is false'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-rds-describe-db-instances' AND json.rule= 'engine is not member of ("sqlserver-ex") and dbinstanceStatus equals available and dbiResourceId does not equal null' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '$.X.storageEncrypted does not exist or $.X.storageEncrypted is false or ($.X.storageEncrypted is true and $.X.kmsKeyId exists and $.Y.keyMetadata.keyState equals Disabled and $.X.kmsKeyId equals $.Y.keyMetadata.arn)'; show X;
AWS EBS snapshot is not encrypted
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.encrypted is false
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.state equals completed and snapshot.encrypted is false
AWS RDS retention policy less than 7 days
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = backupRetentionPeriod does not exist or backupRetentionPeriod less than 7
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (backupRetentionPeriod does not exist or backupRetentionPeriod less than 7)
AWS RDS DB snapshot is encrypted using default KMS key instead of CMK
Current
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '(X.snapshot.encrypted is true) and ($.X.snapshot.kmsKeyId equals $.Y.key.keyArn) and ($.Y.keyMetadata.keyManager does not equal CUSTOMER)' ; show X;
Updated to
config from cloud.resource where api.name = 'aws-rds-describe-db-snapshots' AND json.rule = snapshot.status equals available and snapshot.encrypted is true as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyManager does not equal CUSTOMER or (keyMetadata.keyManager equals CUSTOMER and keyMetadata.keyState equals Disabled) as Y; filter '$.X.snapshot.kmsKeyId equals $.Y.key.keyArn'; show X;
AWS RDS instance with Multi-Availability Zone disabled
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(engine does not contain aurora and engine does not contain sqlserver and engine does not contain docdb) and (multiAZ is false or multiAZ does not exist)'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (engine does not contain aurora and engine does not contain sqlserver and engine does not contain docdb) and (multiAZ is false or multiAZ does not exist)
AWS EBS Snapshot with access for unmonitored cloud accounts
Current
config from cloud.resource where api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'createVolumePermissions[*].userId size != 0 and _AWSCloudAccount.isRedLockMonitored($.createVolumePermissions[*].userId) is false'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-snapshots' AND json.rule = 'snapshot.state equals completed and createVolumePermissions[*].userId size != 0 and _AWSCloudAccount.isRedLockMonitored($.createVolumePermissions[*].userId) is false'
AWS Elastic Load Balancer v2 (ELBv2) listener that allow connection requests over HTTP
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
AWS Elastic Load Balancer v2 (ELBv2) with access log disabled
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = "['attributes'].['access_logs.s3.enabled'] contains false"
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = "state.code contains active and ['attributes'].['access_logs.s3.enabled'] contains false"
AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = '((listeners[*].protocol equals HTTPS or listeners[*].protocol equals TLS) and listeners[*].certificates[*].certificateArn does not exist) or listeners[*].protocol equals HTTP or listeners[*].protocol equals TCP or listeners[*].protocol equals UDP or listeners[*].protocol equals TCP_UDP'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'state.code contains active and ((listeners[*].protocol equals HTTPS or listeners[*].protocol equals TLS) and listeners[*].certificates[*].certificateArn does not exist) or listeners[*].protocol equals HTTP or listeners[*].protocol equals TCP or listeners[*].protocol equals UDP or listeners[*].protocol equals TCP_UDP'
AWS Network ACLs with Inbound rule to allow All Traffic
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = "(entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.ipv6CidrBlock=='::/0')].egress contains false) or (entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.cidrBlock=='0.0.0.0/0')].egress contains false)"
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = associations[*] is not empty and entries[?any( ruleAction equals allow and protocol equals -1 and (ipv6CidrBlock equals ::/0 or cidrBlock equals 0.0.0.0/0) and egress is false )] exists
AWS Network ACLs with Outbound rule to allow All Traffic
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = "(entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.ipv6CidrBlock=='::/0')].egress contains true) or (entries[?(@.ruleAction=='allow' && @.protocol=='-1' && @.cidrBlock=='0.0.0.0/0')].egress contains true)"
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-network-acls' and json.rule = associations[*] is not empty and entries[?any( ruleAction equals allow and protocol equals -1 and (ipv6CidrBlock equals ::/0 or cidrBlock equals 0.0.0.0/0) and egress is true )] exists
Azure Virtual Machine is not assigned to an availability set
Current
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.availabilitySet'] does not exist
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.availabilitySet'] does not exist and ['properties.priority'] does not equal Spot
Azure Virtual Machine Boot Diagnostics Disabled
The policy RQL has been updated to check for virtual machine’s power state and fixed false positive where Azure Spot instance virtual machine’s were created.
Current
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false
Impact
—Previously generated alerts for virtual machine’s that are stopped or deallocated and Azure Spot instance virtual machines will get resolved as Policy_Updated.
Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK
Current
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type is not member of ("EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys")'
Azure SQL databases Defender setting is set to Off
Current
config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' as Y; filter "($.X.securityAlertPolicy.properties.state equals Disabled or $.X.securityAlertPolicy !exists or $.X.securityAlertPolicy.[*] isEmpty) and ($.X.blobAuditPolicy.id contains $.Y.sqlServer.name and $.Y.serverSecurityAlertPolicy.properties.state == Disabled or $.Y.serverSecurityAlertPolicy !exists or $.Y.serverSecurityAlertPolicy isEmpty)"; show X;
Updated to
config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = sqlDatabase.properties.status equals Online and (securityAlertPolicy.properties.state equals Disabled or securityAlertPolicy does not exist or securityAlertPolicy.[*] isEmpty) as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.state'] equals Ready and (serverSecurityAlertPolicy.properties.state equals Disabled or serverSecurityAlertPolicy does not exist or serverSecurityAlertPolicy isEmpty) as Y; filter "$.X.blobAuditPolicy.id contains $.Y.sqlServer.name"; show X;
Impact
—Previously generated alerts for non-active resources will be resolved as Policy_Updated.
Alibaba Cloud disk automatic snapshot policy is disabled
Current
config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-disk' AND json.rule = 'enableAutomatedSnapshotPolicy is false'
Updated to
config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-disk' AND json.rule = status contains In_use and enableAutomatedSnapshotPolicy is false
Alibaba Cloud ECS instance release protection is disabled
Current
config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-instance' AND json.rule = 'instanceChargeType equals PostPaid and deletionProtection is false'
Updated to
config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ecs-instance' AND json.rule = status equals Running and instanceChargeType equals PostPaid and deletionProtection is false
Policy Deletions
Sensitive network configuration updates in AWS
event from cloud.audit_logs where operation IN ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'CreateVpc', 'DeleteFlowLogs', 'DeleteVpc', 'ModifyVpcAttribute', 'RevokeSecurityGroupIngress')
Root user activities
event from cloud.audit_logs where ip EXISTS AND user = 'root'
AWS IAM sensitive configuration updates
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND operation IN ('UpdateAccountPasswordPolicy', 'DeleteAccountPasswordPolicy', 'UpdateAssumeRolePolicy', 'DeleteAccessKey', 'DeleteSAMLProvider', 'DeleteLoginProfile')
AWS IAM sensitive activities by User
event from cloud.audit_logs where operation IN ('AttachGroupPolicy', 'AttachRolePolicy', 'DeleteGroupPolicy', 'DeleteKeyPair', 'DeleteLogGroup')
Sensitive permission exposed for website configuration updates of S3 buckets
event from cloud.audit_logs where operation IN ( 'GetBucketWebsite', 'PutBucketWebsite', 'DeleteBucketWebsite')
Sensitive configuration updates
event from cloud.audit_logs where operation IN ('DeleteBucket', 'DeleteConfigRule', 'DeleteTrail', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')
GCP Load balancer sensitive configuration updates
event from cloud.audit_logs where operation IN ('v1.compute.urlMaps.update', 'v1.compute.urlMaps.delete', 'v1.compute.backendServices.delete', 'v1.compute.backendBuckets.delete', 'v1.compute.backendServices.update', 'v1.compute.globalForwardingRules.delete', 'v1.compute.urlMaps.delete', 'v1.compute.targetHttpsProxies.delete', 'v1.compute.targetHttpsProxies.setSslPolicy', 'v1.compute.targetHttpsProxies.setSslCertificates')
Sensitive IAM updates
event from cloud.audit_logs where operation IN ('google.iam.admin.v1.CreateServiceAccountKey', 'google.iam.admin.v1.DeleteServiceAccountKey', 'SetIamPolicy')
Sensitive Network configuration updates in GCP
event from cloud.audit_logs where operation IN ('v1.compute.networks.delete','beta.compute.networks.insert','v1.compute.routes.delete','v1.compute.firewalls.insert','v1.compute.firewalls.delete')
Sensitive SQL instance updates
event from cloud.audit_logs where operation IN ('cloudsql.instances.update','cloudsql.sslCerts.create','cloudsql.instances.create','cloudsql.instances.delete')
Sensitive storage configuration updates
event from cloud.audit_logs where operation IN ('storage.buckets.create', 'storage.setIamPermissions','storage.buckets.delete')
Sensitive User Actions
event from cloud.audit_logs where operation IN ('CreateCryptoKey','DestroyCryptoKeyVersion','v1.compute.disks.createSnapshot')
AWS EBS volumes are not encrypted
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-volumes' AND json.rule = 'encrypted is false'
GCP VM Instances without any Label information
config from cloud.resource where api.name= 'gcloud-compute-instances-list' AND json.rule = labels does not exist AND (status equals RUNNING and name does not start with "gke-")
Azure Virtual Machine does not have endpoint protection installed
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = Extensions[*] does not contain EndpointSecurity and Extensions[*] does not contain TrendMicroDSA and Extensions[*] does not contain Antimalware and Extensions[*] does not contain EndpointProtection and Extensions[*] does not contain SCWPAgent and Extensions[*] does not contain PortalProtectExtension and Extensions[*] does not contain FileSecurity
AWS EBS volume not encrypted using Customer Managed Key
config from cloud.resource where api.name = 'aws-ec2-describe-volumes' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '$.X.encrypted is true and $.X.kmsKeyId equals $.Y.key.keyArn and $.Y.keyMetadata.keyManager contains AWS'; show X;

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
CIS AWS v.1.4.0
New compliance support for CIS Amazon Web Services Foundations Benchmark v.1.4.0 that supersedes the legacy version 1.3.0. The AWS services in scope for this benchmark include:
  • AWS Identity and Access Management (IAM)
  • IAM Access Analyzer
  • AWS Config
  • AWS CloudTrail
  • AWS CloudWatch
  • AWS Simple Notification Service (SNS)
  • AWS Simple Storage Service (S3)
  • Elastic Compute Cloud (EC2)
  • Relational Database Service (RDS)
  • AWS VPC
Impact
—v.1.4.0 supersedes version 1.3.0, so consider using this new version. CIS AWS v.1.3.0 on Prisma Cloud will be deprecated and support will be removed in a future release.
CSA CCM v.4.0.1
New CSA Cloud Controls Matrix (CCM) compliance v.4.0.1 support for AWS, Azure, Alibaba, GCP, and OCI.

REST API Updates

Change
Description
Limited GA
Cloud Account Ancestors for GCP
The response objects for the endpoints listed below will include an array of up to ten account ancestors in a new attribute called
cloudAccountAncestors
for GCP cloud accounts.
  • GET /v2/alert
  • POST /v2/alert

New Features

FEATURE
DESCRIPTION
Account Owner Details For Azure and GCP Accounts
Prisma Cloud now displays the account owners associated with the Azure and GCP cloud accounts in a new column in the details from
Alerts
Overview
.
When you filter for the GCP and Azure cloud types on
Alerts
Overview
, and click the link in the
Alerts
column, the
Violating Resources
table displays.
The
Account Owners
column displays up to five account owners associated with a cloud account in alphabetical order; this column will display by default, but if no values are present then this column will be grayed out. For offline access, when you download ( ) the list of resources the
Account Owners
information is included in the CSV file.
You must be on the Alerts subsystem 2.0 to view the account owner column. To identify the alerts subsystem version on your Prisma Cloud instance, select
Alerts
Overview
and check for the
Version: 2
above the filter ( ) icon.
Support for Europe Central 2 region on GCP
Prisma Cloud can now ingest data on your resources deployed in the GCP Warsaw region 'Europe Central 2'.
Filters
Change in Behavior
When saving filters on
Alerts
Overview
, the time range is saved with the other filters you apply and the choices are preserved for the session.
If you apply a saved filter that has fewer filters than your current preserved session, the additional filters will remain but the selections will be cleared out so that they are not applied, and you will see a combination of your saved filters and your current session filters.
API Ingestion
Google Cloud Task
gcloud-cloud-task
The permissions are included in the primitive Viewer role.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
Azure Active Directory Security Defaults is disabled
Identifies Azure AD that has security defaults disabled which could impact alerts being generated for all Azure AD with this setting. This policy is mapped to CIS Azure 1.2.0, section 1.3.0, compliance standard 1.22.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-enforcement-policy' AND json.rule = isEnabled is false
Azure AD Users can consent to apps accessing company data on their behalf is enabled
Identifies Azure AD which has the following setting enabled:
Users can consent to apps accessing company data on their behalf
. This could impact alerts being generated for all Azure AD which has this setting enabled. This policy is mapped to CIS Azure 1.1.0, sections 1.2.0 and 1.3.0, compliance standard 1.9.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = permissionGrantPolicyIdsAssignedToDefaultUserRole[*] contains microsoft-user-default-legacy
GCP Storage Bucket should not log to itself
Identifies GCP storage buckets that are sending logs to themselves. When storage buckets use the same bucket to send their access logs, a loop of logs will be created which is not recommended. As a best practice, spin up new and different log buckets for storage bucket logging.
config from cloud.resource where cloud.type = 'gcp' AND api.name= 'gcloud-storage-buckets-list' AND json.rule = logging.logBucket equals $.name
GCP Storage Bucket is not configured with default event-based hold
Identifies GCP storage buckets that are not configured with default event-based hold. This setting enables you to protect individual objects which allows an object to persist in your bucket for a specified length of time after a given event occurs.
Policy descriptions update
The following policies descriptions have been updated:
  • AWS EMR cluster is not enabled with local disk encryption using CMK
  • AWS EMR cluster is not enabled with local disk encryption
The word
slave
was removed from the policy description.
Impact
—No changes on alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
NIST CSF 1.1
The NIST Cybersecurity Framework v.1.1 compliance standard is being updated with more policy mappings across all clouds—AWS, Azure, Alibaba, GCP, and OCI.

REST API Updates

Change
Description
Cloud Account Owners for Azure and GCP
The response object for Alert endpoints will include an array that lists up to five account owners in a new attribute called
cloudAccountOwners
for the Azure and GCP cloud accounts.
In the
CloudResourceModel
object the new attribute
cloudAccountOwners
is included for the following endpoints:
  • GET /v2/alert
  • POST /v2/alert

Recommended For You