Features Introduced in May 2021

New Features

FEATURE
DESCRIPTION
Alarm Center
Prisma Cloud generates health notifications called
Alarms
that display system-level issues and errors that have occurred in Integrations status and Cloud Accounts status.
You can enable Alarms on the
Settings
Enterprise Settings
page.
The
Alarm Center
displays the alarms, which you can review and take necessary action to rectify the error or issue.
Support for shared S3 Bucket for AWS CloudTrail Event Logs
To support scenarios where you do not store AWS CloudTrail event logs within the same S3 bucket that you are onboarding to Prisma Cloud for Data Security scanning, you now can specify a central or shared S3 bucket that stores your AWS CloudTrail event logs.
Support for Event Attribution on Google Cloud Platform
For GCP resources that are being monitored on Prisma Cloud, you can now view events related to the resource (audit trail) on the Resource Explorer. This capability is available for AWS and Azure.
API Ingestion
AWS WAF
aws-waf-classic-web-acl-resource
Additional permissions required:
waf-regional:GetLoggingConfiguration
aws-waf-v2-web-acl-resource
Additional permissions required:
wafv2:GetLoggingConfiguration
Google Binary Authorization
gcloud-binary-authorization-policy
Additional permissions required:
binaryauthorization.policy.get
binaryauthorization.policy.getIamPolicy
The permissions are included in the Project Viewer role.
Update
Prisma Cloud CLI
The Prisma Cloud CLI is no longer supported.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS Elastic IP not in use
—Identifies unused Elastic IP (EIP) addresses in your AWS account.
Any EIP in your AWS account adds charges to your monthly bill even if it is not associated with any resources. It is recommended to remove EIPs that are not associated with any resources.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-elastic-address' AND json.rule = associationId does not exist
AWS SNS topic not configured with secure data transport policy
—Identifies AWS SNS topics that are not configured with a secure data transport policy.
AWS SNS topics should enforce encryption of data in transit using Secure Sockets Layer (SSL). It is recommended to add an SNS policy that explicitly denies publish access from anybody who browses to Amazon SNS topics if they are not accessed through HTTPS.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any((Principal.AWS equals * or Principal equals *) and Condition.Bool.aws:SecureTransport does not exist and Action contains Publish)] exists or Policy.Statement[?any((Effect equals Allow and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains false or Condition.Bool.aws:SecureTransport contains FALSE)) or (Effect equals Deny and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains true or Condition.Bool.aws:SecureTransport contains TRUE)))] exists
AWS SNS topic with cross-account access
—Identifies AWS SNS topics that are configured with cross-account access.
Allowing unknown cross-account access to your SNS topics will enable other accounts to gain control over your AWS SNS topics. To prevent unknown cross-account access, allow only trusted entities to access your Amazon SNS topics by implementing the appropriate SNS policies.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn))] exists
Azure Storage account containing VHD OS disk is not encrypted with CMK
—Checks for Azure Storage accounts containing VHD OS disk that are not encrypted with CMK.
This policy is mapped to CIS Azure 1.3.0 section 7.7 compliance standard. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better data control.
Impact
—Alerts generated for all Azure Storage accounts which have VHD OS disk and are not encrypted with CMK.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.storageProfile'].osDisk.vhd.uri exists and powerState contains running as X; config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = properties.encryption.keySource equals "Microsoft.Storage" as Y; filter "$.['X'].['properties.storageProfile'].['osDisk'].['vhd'].['uri'] contains $.Y.name"; show Y;
Azure Activity log alert for Delete policy assignment does not exist
—Checks for Azure accounts in which activity log alert for Delete policy assignment does not exist.
This policy is mapped to CIS Azure 1.3.0 section 5.2.2 compliance standard.
Impact
—Alerts generated for all Azure accounts where activity log alert for Delete policy assignment does not exist.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.scopes[*] does not contain resourceGroups and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/delete" as X; count(X) less than 1
Azure Monitor Diagnostic Setting does not captures appropriate categories
—Checks for Azure accounts in which Monitor Diagnostic Setting does not captures appropriate categories.
This policy is mapped to CIS Azure 1.3.0 section 5.1.2 compliance standard.
Impact
—Alerts generated for all Azure accounts where Monitor Diagnostic Setting does not captures appropriate categories.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = properties.logs[?any((enabled is true and category equals Administrative))] exists and properties.logs[?any((enabled is true and category equals Alert))] exists and properties.logs[?any((enabled is true and category equals Policy))] exists and properties.logs[?any((enabled is true and category equals Security))] exists as X; count(X) less than 1
OCI users Auth Tokens aged more than 90 days
—Identifies user authentication tokens on the OCI platform that have not been rotated in more than 90 days.
As a best practice, rotate the authentication tokens on a regular basis to protect access directly, via SDKs, or OCI CLI.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'authTokens[?any(lifecycleState equals ACTIVE and (_DateTime.ageInDays(timeCreated) > 90))] exists'
OCI users customer secret keys have aged more than 90 days without being rotated
—Identifies customer secret keys on the OCI platform that have not been rotated in more than 90 days.
As a best practice, rotate customer secret keys on a regular basis to protect access directly, via SDKs, or OCI CLI.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'customerSecretKeys[?any(lifecycleState equals ACTIVE and (_DateTime.ageInDays(timeCreated) > 90))] exists'
Policy Updates—RQL and Metadata
AWS Customer Master Key (CMK) rotation is not enabled
to exclude inactive keys
The RQL has been updated with an additional key state check to improve the accuracy of alerts. The description and recommendation have also been updated to maintain a consistent format across all policies.
Impact
—The previous alerts generated for disabled KMS keys will be resolved as Policy_Updated.
Add extra status check for
AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
The RQL has been updated with an extra state check to improve the accuracy of alerts, and the RQL has been optimized using the new nested array grammar.
Impact
—The previous alerts raised for non-running EC2 instances will be resolved as Policy_Updated.
AWS SQS server side encryption not enabled
The policy description has been updated to maintain a consistent format across all policies and the recommendation has been updated as per recent AWS UI changes.
Impact
—None.
AWS CloudFormation stack configured without SNS topic
The recommendation has been updated as per recent AWS UI changes.
Impact
—None.
GCP SQL database instance is not configured with automated backups
The policy is now modified to exclude ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE of SQL instances.
Impact
—The RQL modification resolves the false positives for ON_PREMISES_INSTANCE and READ_REPLICA_INSTANCE as Policy_Updated. There will be a decrease in the number of alerts generated.
AWS IAM Groups with Administrator Access Permissions
extra whitespace
The extra space at the end of the 'AWS IAM Groups with Administrator Access Permissions' policy is removed.
Impact
—None.
GCP VM instances have block project-wide SSH keys feature disabled
Remediation CLI is added for this policy.
Additional permissions required:
compute.instances.setMetadata
Impact
—None.
Two anomaly.type attributes renamed
The names have been changed for the following two
anomaly.type
event query attributes:
  • From
    Bruteforce Login
    to
    Excessive Login Failures
  • From
    Unusual compute resource provisioning anomaly
    to
    Anomalous Compute Provisioning
Impact
—None.
Updated Audit Logs information for Anomaly Settings changes
The information displayed in the UI is updated for the following audit logs generated by anomaly settings changes:
  • Name
    —Changed from
    enterprise_settings
    to the name of the policy for which the settings were changed
  • Resource
    —Changed from
    Anomalies Settings
    to
    Anomaly Settings
  • Operation
    —Changed from policy ID to policy name
  • Alert Disposition for UEBA Policies
    —Changed from an internal threshold score to
    conservative/moderate/aggressive
    string
Impact
—None.
Old log information
New log information
Update RQL for VM instance policies
The RQL is modified for the following policies:
  • GCP VM instances have block project-wide SSH keys feature disabled
  • GCP VM instances with excessive service account permissions
  • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
  • GCP VM instances have IP Forwarding enabled
  • VM Instances enabled with Pre-Emptible termination
  • GCP VM instance using a default service account with full access to all Cloud APIs
  • GCP VM instance with the external IP address
  • VM instances without metadata, zone or label information
  • GCP VM instance configured with default service account
  • VM Instances without any Custom metadata information
  • GCP VM instances have serial port access enabled
  • GCP VM instance with Shielded VM features disabled
  • VM Instances without any Label information
    The names are modified for the following policies:
    • VM Instances enabled with Pre-Emptible termination
    • VM instances without metadata, zone or label information
    • VM Instances without any Label information
    • VM Instances without any custom metadata information
      The policies have the following changes:
      • The GCP VM policies with high alerts had their RQL modified to check the status of the VM instances. The RQL has been modified to alert instances with the status of
        Running
        .
      • The GKE label
        goog-gke-node
        had its check removed from policies as a customer request to resolve inconsistencies associated with GKE instances.
      • The RQL grammar for
        VM Instances without any Custom metadata information
        has been updated.
    • Impact
      —A high number of alerts will be resolved as Policy_Updated.
    The names are modified for the following policies:
    • VM Instances enabled with Pre-Emptible termination
    • VM instances without metadata, zone or label information
    • VM Instances without any Label information
    • VM Instances without any custom metadata information
      The policies have the following changes:
      • The GCP VM policies with high alerts had their RQL modified to check the status of the VM instances. The RQL has been modified to alert instances with the status of
        Running
        .
      • The GKE label
        goog-gke-node
        had its check removed from policies as a customer request to resolve inconsistencies associated with GKE instances.
      • The RQL grammar for
        VM Instances without any Custom metadata information
        has been updated.
    • Impact
      —A high number of alerts will be resolved as Policy_Updated.

REST API Updates

CHANGE
DESCRIPTION
New location for the Prisma Cloud API Reference
The Prisma Cloud API Reference is available at a new URL: https://prisma.pan.dev/api/cloud/cspm/cspm-api. If you’ve save the old URL as a Favorite or Bookmark, please update it.
Enterprise Settings APIs
The response object for the following endpoint includes a new attribute,
alarmEnabled
:
  • GET /settings/enterprise

New Features

FEATURE
DESCRIPTION
Anomaly Settings Updates
When you modify the alert disposition or training model thresholds for Anomaly policies, an audit log is generated to record who made the configuration change and when, to help you track and monitor changes.
For User & Entity Behavior Analytics (UEBA) policies, when you modify the alert disposition or training model thresholds, the updated settings are applicable for new alerts. Existing alerts generated using the previous setting remain as-is, and are not marked as
Resolved
.
With this change, UEBA and Network Anomaly policies are consistent in how anomaly settings changes are processed on Prisma Cloud.
Integration with Azure Sentinel
You can now forward Prisma Cloud alerts to Azure Sentinel using HTTP-triggered Logic App workflow and Webhook integration.
Centralized Scan Settings for Data Security
To help you gauge the volume of data in an S3 bucket and how you have opted to enable scanning, use the updated
Settings
Data
Scan Settings
page.
The page enables you to select the S3 buckets for the onboarded cloud accounts and modify the scan settings to perform Forward & Backward or Forward-scan only. When enabling the scan, you can also review an estimate of the Prisma Cloud credits that will be used for the selected S3 buckets.
You must use the updated AWS CFT to onboard a cloud account to view bucket size estimates. For already onboarded cloud accounts, the bucket size estimation will not be available.
The new table view displays an estimate of the total data in the S3 bucket, and the volume of data eligible for sensitive data scanning, malware scanning, or both based on the supported file types and file size.
Alerts 2.0
Prisma Cloud is rolling out a new alert subsystem. To help you identify if you are on version 2.0, on the
Alerts
Overview
page, check whether the
Version: 2
label displays on the top right above the
Search
box.
With version 2.0, the following changes will take effect:
  • Depending on volume of alerts, the time to update the status of an alert can vary when you update an alert rule. For example, if you remove a policy from an alert rule, all open alerts will transition to a resolved state and the time to reflect this change on the interface can depend on the number of corresponding alerts.
  • When you modify an alert rule, and the conditions that triggered the alert are no longer valid, the alert is updated as
    Resolved
    .
  • (
    New
    ) The
    Active Alert Rules
    name associated with an alert displays as
    N/A
    in the alert details view.
    This N/A state means that the match criteria changed because of the following reasons:
    • The alert rule that triggered the alert is disabled or deleted.
    • The cloud account is no longer included in the alert rule that triggered the alert.
    • The policy that triggered the alert is removed from the alert rule.
  • For alert rules with scheduled notifications, the notification is sent when an alert status changes from one state to anotheras tracked in the
    Alert Status Updated
    timestamp.
    This change will not impact those who have configured notifications for
    Open
    alerts only.
Update
OCI IAM
The
oci-iam-user
API have been modified to ingest the
ListCustomerSecretKeys
and
ListAuthTokens
REST APIs.
These additional APIs are ingested using the permissions in the USER_READ role.
Update
Permission in the AWS CFT
The AWS CFTs that enable you add cloud accounts to Prisma Cloud now includes additional permissions to support the Inventory Configuration for S3 buckets. This inventory list file contains the objects and metadata for the objects in the S3 bucket.
{ "PolicyName": "PrismaCloud-Storage-Inventory-ConfigUpdate", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "RequiredForS3InventoryConfiguration", "Action": "s3:PutInventoryConfiguration", "Effect": "Allow", "Resource": "*" } ] } }

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS ECS cluster not configured with active services
Identifies ECS clusters that are not configured with active services. ECS service enables you to run and maintain a specified number of instances of a task definition simultaneously in an Amazon ECS cluster. It is recommended to remove Idle ECS clusters to reduce the container attack surface or create new services for the reported ECS cluster.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and activeServicesCount equals 0
AWS ECS cluster not configured with a registered instance
Identifies ECS clusters that are not configured with a registered instance. The ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent, and has been registered into an Amazon ECS cluster. It is recommended to remove idle ECS clusters to reduce the container attack surface or to register a new instance for the reported ECS cluster.
config from cloud.resource where api.name = 'aws-ecs-service' AND json.rule = launchType equals EC2 as X; config from cloud.resource where api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and registeredContainerInstancesCount equals 0 as Y; filter '$.X.clusterArn equals $.Y.clusterArn'; show Y;
AWS Amazon Machine Image (AMI) infected with mining malware
Identifies Amazon Machine Images (AMIs) that are infected with mining malware. Research showed that an AMI Windows 2008 was hosted by an unverified vendor and contained malicious code running an unidentified crypto miner (Monero). It is recommended to delete such AMIs to protect from malicious activity and attacks.
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule = image.platform contains windows and image.imageId contains ami-1e542176
AWS SNS topic is exposed to unauthorized access
Identifies AWS SNS topics that are exposed to unauthorized access. Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients. To protect these messages from attackers and unauthorized access, permissions should be given to only authorized users.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Condition does not exist)] exists
Azure Security Center Defender set to Off for Container Registries
Checks Azure Security Center and determines if the Defender setting for Container Registries is set to
Off
. This could impact alerts being generated for all Azure Security Center where the Defender setting is Off for Container Registries. This policy is mapped to CIS Azure 1.3.0 section 2.7 compliance standard.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals ContainerRegistry and properties.pricingTier does not equal Standard)] exists
Azure Security Center Defender set to Off for SQL servers on machines
Checks Azure Security Center and determines if the Defender setting for SQL servers on machines is set to
Off
. This could impact alerts being generated for all Azure Security Center where the Defender setting on machines is set to
Off
for SQL servers. This policy is mapped to CIS Azure 1.3.0 section 2.4 compliance standard.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any( name equals SqlServerVirtualMachines and properties.pricingTier does not equal Standard)] exists
Anomalous Compute Provisioning Activity
The new Anomaly policy detects unusual activity related to the provisioning of compute resources such as high number of instances being brought up, the provisioning activity originating from TOR nodes or from multiple distant locations in a short duration of time. This behavior typically indicates the creation of an unauthorized network of compute instances for cryptojacking.
Policy Updates
AWS IAM policy allows assume role permission across all services
The RQL is updated to exclude unattached policies from reporting and is modified as follows:
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and Action contains sts:AssumeRole and Resource equals * and Condition does not exist)] exists
Impact
—Existing alerts generated for unattached policies will be resolved as Policy_Updated.
Azure Load Balancer diagnostics logs are disabled
The policy recommendation has been updated because the steps for Azure Load Balancer with Basic SKU was missing.
Impact
—No impact on existing alerts.
GCP Projects have OS Login Disabled
The policy RQL is modified as follows:
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = 'commonInstanceMetadata.items[*].key does not contain enable-oslogin or (commonInstanceMetadata.items[?any(key contains enable-oslogin and (value contains false or value contains FALSE))] exists)'
Impact
—This updates the accuracy of alerts and reduces the number of alerts that are generated.
GCP Firewall rules allow inbound traffic from anywhere with no target tags set
The policy RQL is modified to escape
Deny
rules because the policy was giving false positives due to the policy RQL not being set to check if the GCP is an
Allow
or a
Deny
rule.
The policy RQL is modified as follows:
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'direction equals "INGRESS" and allowed[*] exists and sourceRanges[*] contains 0.0.0.0/0 and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
Impact
—The update is going to resolve false positive alerts and therefore reduce the number of alerts being generated.

REST API Updates

CHANGE
DESCRIPTION
New Data Security APIs
The following new Data Security APIs are available:
  • GET /dlp/api/v1/object-inventory/resource
    Lists AWS S3 bucket resources and corresponding amounts of data eligible for sensitive data scans, malware scans, or both, based on supported file types and file sizes.
  • PUT /dlp/api/config/v2/resource
    Updates the data security settings scan configuration for specific resources.
Account Group API update
A successful
POST /cloud/group
request to create an account group now returns the created account group.

Recommended For You