Prisma™ Cloud Release Notes
    : Features Introduced in April 2022
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2022
    7. Features Introduced in April 2022
    Download PDF

    Prisma™ Cloud Release Notes

    Features Introduced in April 2022

    Table of Contents

    Features Introduced in April 2022

    Learn what’s new on Prisma™ Cloud in April 2022.

    New Features Introduced in 22.4.2

    New Features

    FEATURE
    DESCRIPTION
    Prisma Cloud Data Security—Scan Resources By True File Type
    When scanning files for data security, files are now identified based on the
    True File Type
     as determined by file metadata, regardless of the file extension for all supported file types.
    Alerts are generated whenever a file that is scanned based on the True File Type, violates a Prisma Cloud Data Security policy.
    Previously, the
    Data Security Settings
     page, displayed the aggregate file size for all files supported for Sensitive Data Scan and Malware Scan based on their file extensions under their respective columns. With True File Type, the page now displays the aggregate file size for all eligible files based on their True File Type, regardless of their file extensions. Prisma Cloud Data Security still only supports files up to 20MB.
    While adding a data policy, if you select the
    File Extension
     checkbox, Prisma Cloud Data Security will only scan files based on True File Type, regardless of their file extensions.
    Auto Completion Updates for Amazon VPC API RQL Query
    On the
    Investigate
     page, the RQL config query for
    aws-describe-vpc-endpoints
     API displays the appropriate fields under policyDocument.Statement[] during auto-completion. For example, if you want to construct the following RQL query config from cloud.resource where api.name = 'aws-describe-vpc-endpoints' AND json.rule = serviceName ends with ".s3" and policyDocument.Statement[].Condition.StringEquals.aws:PrincipalOrgID[] is not member of (o-0hc9vcq8o1, o-slnhz39n91), you can see `policyDocument.Statement[].Condition.StringEquals.aws:PrincipalOrgID[]`options appear in the list automatically.
    Change in Existing Behavior
    Prisma Cloud Data Security—Object Scan for Glacier Deep Archive and Glacier Flexible Retrieval Storage Classes
    The feature which shows the objects that belong to
    Glacier Deep Archive
     and
    Glacier Flexible Retrieval
     (formerly Glacier) as
    Un-supported storage class
     in Inventory is disabled and objects that belong to these two storage classes will display as
    Not Supported
    .
    Update
    Permissions in the GCP Terraform Template
    The GCP Terraform template in
    Monitor & Protect
     mode, used for onboarding GCP accounts on Prisma Cloud, now includes the following permissions to support VM image scanning
    compute.disks.create
    compute.images.get
    compute.images.list
    compute.images.useReadOnlycompute.instances.create
    compute.instances.delete
    compute.instances.get
    compute.instances.list
    compute.instances.setTagscompute.networks.get
    compute.networks.use
    compute.networks.useExternalIp
    compute.subnetworks.use
    compute.subnetworks.useExternalIp
    Update
    AWS CFT Permissions and API Token Duration
    If you are using the Code Security module on Prisma Cloud, the AWS CFTs for onboarding commercial, Gov and China accounts have been updated to include permissions for detecting when resources that are managed using IaC templates, like Terraform or CloudFormation, are modified manually using CLI or Console.
    The permission updates include the addition of:And the managed policy is added.
    lambda:GetLayerVersion
    lambda:GetEventSourceMapping
    lambda:GetFunction
    s3:ListBucket
    sns:GetSubscriptionAttributes
    AWSCloudFormationReadOnlyAccess
    API token duration key is also added
    MaxSessionDuration : 43200
    ; the default was 3600 seconds previously and was not included in the CFT.
    API Ingestions
    Amazon Lex
    aws-lexv2-bot
    Additional permissions required:
    • lex:ListTagsForResource
    • lex:ListBotVersions
    • lex:ListBots
    • lex:DescribeBotVersion
    • lex:DescribeBot
    Amazon Lex
    aws-lex-bot
    Additional permissions required:
    • lex:GetBot
    • lex:GetBots
    • lex:GetBotVersions
    • lex:ListTagsForResource
    Amazon DocumentDB
    aws-docdb-db-cluster
    Additional permissions required:
    • rds:DescribeDBClusters
    • rds:ListTagsForResource
    Azure App Service
    azure-app-service
    Additional permission required:
    Microsoft.Web/sites/config/list/action
    Azure Virtual Network
    azure-vmss-instance-public-ips
    Additional permissions required:
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read
    Azure Virtual Network
    azure-vmss-network-interface
    Additional permissions required:
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
    Azure Virtual Desktop
    azure-virtual-desktop-workspace
    Additional permissions required:
    • Microsoft.DesktopVirtualization/workspaces/read
    • Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read
    Azure Virtual Desktop
    azure-virtual-desktop-session-host
    Additional permissions required:
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read
    Google Cloud Recommendation
    gcloud-recommender-iam-service-account-insight
    Additional permission required:
    recommender.iamPolicyInsights.list
    Google Organization Policy
    gcloud-organization-policy-organization-constraint
    Additional permissions required:
    • orgpolicy.constraints.list
    • orgpolicy.policy.get
    Google Certificate Authority Service
    gcloud-certificate-authority-certificate
    Additional permissions required:
    • privateca.caPools.list
    • privateca.certificates.list
    OCI Data Catalog
    oci-datacatalog-catalogs
    Additional permissions required:
    • inspect data-catalogs
    • read data-catalogs
    OCI Containers And Artifacts
    oci-containers-artifacts-containerrepo
    Additional permissions required:
    • inspect repos
    • read repos
    OCI has a limit of 50 policy statements. With the addition of the following new APIs, Prisma Cloud will have 56 policy statements in the Terraform file. To successfully ingest these new OCI APIs, you will have to request a service limit increase on the policy statements.
    OCI Functions
    oci-functions-applications
    Additional permissions required:
    • inspect fn-app
    • read fn-app
    OCI Service Connector Hub
    oci-serviceconnectorhub-serviceconnectors
    Additional permissions required:
    • inspect serviceconnectors
    • read serviceconnectors
    OCI Database
    oci-oracledatabase-databases
    Additional permissions required:
    • inspect db-systems
    • inspect db-homes
    • inspect databases
    Update
    API Ingestion—Amazon EC2
    Amazon EC2
    aws-ec2-describe-instances
    This API is updated to include the following new fields in the resource JSON when
    ingestPublicOwnedAMIs
     is set to
    false
     for a tenant:
    • platformDetails
    • imageName

    New Policies and Policy Updates

    See the look ahead updates for planned features and policy updates for 22.5.1.
    POLICY UPDATES
    DESCRIPTION
    New Policies
    Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
    Identifies VM instances installed with Open Management Infrastructure (OMI) version vulnerable for remote code execution (CVE-2021-38647) vulnerability, also known as OMIGOD Vulnerability and exposed to network traffic from the Internet. It is recommended to upgrade OMI to the latest version and limit exposure to the Internet.
    network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-38647')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
    Azure Service bus namespace configured with overly permissive network access
    Identifies Azure Service bus namespaces (premium tier) configured with overly permissive network access. By default, Service bus namespaces are accessible from the Internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can further restrict it to only a set of IPv4 addresses or IPv4 address ranges. With virtual networks, the network traffic path is secured on both ends. It is recommended to configure the Service bus namespace with an IP firewall or by virtual network so that the Service bus namespace is accessible only to restricted entities.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = sku.tier equals "Premium" and properties.status equals "Active" and networkRuleSets[*].properties.defaultAction equals "Allow" and networkRuleSets[*].properties.publicNetworkAccess equals Enabled
    GCP VPC network not configured with DNS policy with logging enabled
    Identifies GCP VPC network that is not configured with logging enabled DNS policy. Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence. It is recommended to enable DNS logging for all the VPC networks.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-list' as X; config from cloud.resource where api.name = 'gcloud-dns-policy' as Y; filter 'not($.Y.networks[*].networkUrl contains $.X.name and $.Y.enableLogging is true)'; show X;
    Policy Updates—Metadata
    AWS API gateway request parameter is not validated
    Changes—
     The policy description has been improvised to be more precise.
    Current Description—
     This policy identifies the AWS API gateways for with the request parameters are not validated. It is recommended to validate the request parameters in the URI, query string, and headers of an incoming request to focus on the validation efforts specific to your application.
    Updated Description—
     This policy identifies the AWS API gateways for which the request parameters are not validated. When the validation fails, API Gateway fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs. It is recommended to perform basic validation of an API request before proceeding with the integration request to block unvalidated calls to the backend.
    Impact—
     No impact on policy behavior or existing alerts.
    GCP Kubernetes engine clusters have client certificate disabled
    Changes—
     The cloud type for this policy was incorrect after converting the policy from run-build to build. It is now updated to GCP, which is the correct cloud type.
    Impact—
     No impact on policy behavior or existing alerts.
    Policy Updates—RQL
    GCP Kubernetes Engine Clusters have Master authorized networks disabled
    Changes—
     Auto-remediation CLI has been added to the policy. The RQL has been updated to check clusters with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
    Permission required for CLI execution:
    container.clusters.update
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals false'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals "false")
    Impact—
     If auto-remediation is enabled for the policy, the alerts will be resolved as ‘REMEDIATED’ or ‘Resource_Updated’. Previously generated alerts with cluster state other than ‘RUNNING’ will be resolved automatically.

    REST API Updates

    CHANGE
    DESCRIPTION
    List User Role Types API for Permission Groups Assignments
    To view the list of roles associated with administrators/users who have access to Prisma Cloud, the following new API endpoint is available:
    GET /user/role/type
    When called, it returns an array of all roles administrators/users can belong to.
    It includes the following role types:
    [ "SYSTEM_ADMIN", "ACCOUNT_ADMIN", "ACCOUNT_READ_ONLY", "SSO_ADMIN", "CLOUD_PROVISIONING_ADMIN", "TENANT_PROVISIONING_ADMIN", "PRISMA_SERVICE_USER", "ACCOUNT_AND_CLOUD_PROVISIONING_ADMIN", "BUILD_AND_DEPLOY_SECURITY", "BUILD_AND_DEPLOY_SECURITY_CI", "COMPUTE_ADMIN", "NETWORK_SECURITY_OPERATOR", "NETWORK_SECURITY_OPERATOR_READ_ONLY", "COMPUTE_ACCOUNT_ADMIN", "DEVELOPER", "COMPUTE_ACCOUNT_READ_ONLY" ]

    New Features Introduced in 22.4.1

    New Features

    FEATURE
    DESCRIPTION
    API Ingestions
    Amazon Neptune
    aws-neptune-db-instance
    Additional permissions required:
    • rds:DescribeDBInstances
    • rds:ListTagsForResource
    Amazon Neptune
    aws-neptune-db-cluster
    Additional permissions required:
    • rds:DescribeDBClusters
    • rds:ListTagsForResource
    AWS MediaStore
    *aws-mediastore-container*
    Additional permissions required:
    • mediastore:ListTagsForResource
    • mediastore:ListContainers
    • mediastore:GetCorsPolicy
    • mediastore:GetContainerPolicy
    Google Access Approval
    gcloud-access-approval-project-approval-setting
    Additional permission required:
    accessapproval.settings.get
    Google Essential Contacts
    gcloud-essential-contacts-organization-contact
    Additional permission required:
    essentialcontacts.contacts.list
    Google Service Directory
    gcloud-service-directory-namespace-service
    Additional permissions required:
    • servicedirectory.endpoints.list
    • servicedirectory.namespaces.list
    • servicedirectory.services.getIamPolicy
    • servicedirectory.services.list
    OCI Bastion
    oci-bastion
    Additional permissions required:
    • inspect bastion-family
    • read bastion-family
    Azure App Service
    azure-app-service
    Additional permission required:
    "Microsoft.Web/sites/config/list/action"

    New Policies and Policy Updates

    See the look ahead updates for planned features and policy updates for 22.4.2.
    POLICY UPDATES
    DESCRIPTION
    New Policies
    Azure Microsoft Defender for Cloud set to Off for Containers
    Identifies Azure Microsoft Defender for Cloud that has defender setting for Containers set to Off. As a best practice, enable Azure Defender for Containers.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Containers and properties.pricingTier does not equal Standard)] exists
    -
    Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
    Identifies instances installed with the Java Spring Framework version vulnerable to arbitrary code execution (CVE-2022-22963 or CVE-2022-22965) and are exposed to network traffic from the Internet. As a best practice, upgrade the Java Spring Framework version to the latest version to limit exposure to the Internet.
    network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
    This policy is effective only when Prisma Compute is enabled in your environment.
    GCP Firewall rule exposes GKE clusters by allowing all traffic on read-only port (10255)
    Identifies GCP Firewall rule that allows all traffic on read-only port (10255), which exposes GKE clusters. In GKE, Kubelet exposes a read-only port 10255 which shows the configurations of all pods on the cluster at the /pods API endpoint. GKE itself does not expose this port to the Internet because the default project firewall configuration blocks external access. However, it is possible to inadvertently expose this port publicly on GKE clusters by creating a Google Compute Engine VPC firewall for GKE nodes that allows traffic from all source ranges on all the ports. This configuration publicly exposes all pod configurations, which might contain sensitive information.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10255,10255) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X;
    New Configuration Policies for Build-Time Checks
    The following new policies are being available to scan your environments monitored by the Code Security module on Prisma Cloud.
    • Deletion protection disabled for load balancer
    • Deletion protection disabled for load balancer
    • RDS instances do not have Multi-AZ enabled
    • AWS QLDB ledger has deletion protection is disabled
    • AWS WAF does not have associated rules
    • AWS WAF Web Access Control Lists logging is disabled
    • AWS Kinesis Video Stream not encrypted using Customer Managed Key
    • AWS FSX Windows filesystem not encrypted using Customer Managed Key
    • AWS Image Builder component not encrypted using Customer Managed Key
    • AWS S3 Object Copy not encrypted using Customer Managed Key
    • AWS Doc DB not encrypted using Customer Managed Key
    • AWS EBS Snapshot Copy not encrypted using Customer Managed Key
    • AWS S3 bucket Object not encrypted using Customer Managed Key
    • AWS Sagemaker domain not encrypted using Customer Managed Key
    • AWS EBS Volume not encrypted using Customer Managed Key
    • AWS Lustre file system not configured with CMK key
    • AWS Elasticache replication group not configured with CMK key
    • WAF enables message lookup in Log4j2
    • AWS EBS volumes are not encrypted
    • EBS volumes do not have encrypted launch configurations
    • Not all data stored in Aurora is securely encrypted at rest
    • AWS resources that support tags do not have Tags
    • Not all data stored in the EBS snapshot is securely encrypted
    • Active Directory is not used for authentication for Service Fabric
    • Secure transfer required is not enabled
    • Azure Key Vault Keys does not have expiration date
    • Azure Key Vault secrets does not have expiration date
    • Azure resources that support tags do not have tags
    • RSASHA1 is used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
    • Boot disks for instances do not use CSEKs
    • Default Service Account is used at project level
    • Google storage buckets are not encrypted
    • GCP resources that support labels do not have labels
    • GitHub organization security settings do not include 2FA capability
    • GitHub organization security settings do not include SSO
    • GitHub organization security settings do not have IP allow list enabled
    • GitHub branch protection rules do not include signed commits
    • Github merge requests should require at least 2 approvals
    • Gitlab branch protection rules allows force pushes
    • Gitlab organization has groups with no two factor authentication configured
    • NGINX Ingress annotation snippets contains LUA code execution
    • NGINX Ingress has annotation snippets
    • NGINX Ingress has annotation snippets which contain alias statements
    • AWS Postgres RDS have Query Logging disabled
    • AWS WAF2 does not have a Logging Configuration
    • Storage Account name does not follow naming rules
    • AWS IAM policies that allow full administrative privileges are created
    • AWS Elasticsearch is not configured inside a VPC
    • AWS S3 bucket ACL grants READ permission to everyone
    • AWS IAM policy documents do not allow * (asterisk) as a statement’s action
    • AWS S3 Buckets has block public access setting disabled
    • AWS S3 Bucket BlockPublicPolicy is set to True
    • AWS S3 bucket IgnorePublicAcls is set to True
    • AWS S3 bucket RestrictPublicBucket is set to True
    • AWS S3 Bucket has an ACL defined which allows public WRITE access
    • AWS API gateway methods are publicly accessible
    • AWS IAM role allows all services or principals to be assumed
    • Azure Network Security Group allows all traffic on SSH (port 22)
    • Azure SQL Servers Firewall rule allow ingress access from 0.0.0.0/0
    • Azure application gateway does not have WAF enabled
    • Azure storage account has a blob container that is publicly accessible
    • Azure storage account does allow public access
    • Azure AKS cluster network policies are not enforced
    • Azure App Service Web app does not have a Managed Service Identity
    • Azure App Service Web app doesn’t use latest .Net framework version
    • Azure App Service Web app does not use latest PHP version
    • Azure App Service Web app does not use latest Python version
    • Azure App Service Web app does not use latest Java version
    • Azure RDP Internet access is not restricted
    • GCP SQL database is publicly accessible
    • GCP SQL database instance does not have backup configuration enabled
    • GCP IAM user are assigned Service Account User or Service Account Token creator roles at project level
    • GCP IAM Service account does have admin privileges
    • GCP SQL Instances do not have SSL configured for incoming connections
    • GCP Cloud SQL database instances have public IPs
    • Azure Storage account Encryption CMKs Disabled
    • Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured
    • Azure SQL Server ADS Vulnerability Assessment (VA) 'Also send email notifications to admins and subscription owners' is disabled
    • Azure SQL servers which doesn’t have Azure Active Directory admin configured
    • Azure Virtual Machines does not utilise Managed Disks
    • AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
    • AWS CloudWatch Log groups not configured with definite retention days
    • AWS EC2 instance detailed monitoring disabled
    • AWS Amazon RDS instances Enhanced Monitoring is disabled
    • AWS Secrets Manager secret is not encrypted using KMS CMK
    • Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is disabled
    New Configuration Policies for Run-Time and Build-Time Checks
    • Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
    • Ensure cosmosdb does not allow privileged escalation by restricting management plane changes
    • Ensure Front Door WAF prevents message lookup in Log4j2
    • Ensure Application Gateway WAF prevents message lookup in Log4j2
    • Ensure that 'Send email notification for high severity alerts' is set to 'On'
    • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
    • Ensure that IP forwarding is not enabled on Instances
    • Ensure Compute instances are launched with Shielded VM enabled
    • Ensure Cloud Armor prevents message lookup in Log4j2
    Policy Updates—RQL
    The following policies have been deleted:
    Azure Microsoft Defender for Cloud is set to Off for Kubernetes
    Azure Microsoft Defender for Cloud is set to Off for Container Registries
    Changes—
     The two services Microsoft Defender for Kubernetes and container registries have been replaced with Microsoft Defender for Containers. The corresponding policies and compliance references have been deleted.
    Impact—
     Previously generated alerts will be resolved as Policy_Deleted.
    Azure Security Center Defender plans is set to Off
    Changes—
     The policy RQL has been updated to factor deprecated features in the query. The policy recommendation has also been updated.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(properties.pricingTier does not equal Standard and (properties.deprecated does not exist or properties.deprecated is false))] exists
    Impact—
     Previously generated alerts will be resolved as Policy_Updated.
    GCP VM instance with the external IP address
    Changes—
     The RQL has been updated.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = 'status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contains default-pool)'
    Updated to—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contain default-pool)
    Impact—
     No impact on existing alerts.
    GCP GCR Container Vulnerability Scanning is disabled
    Changes—
     The RQL, recommendation steps, and API have been modified: The RQL has been updated to match the updated JSON response of the
    gcloud-services-list
     API. The recommendation steps have been updated to reflect the latest UI updates. In addition, the
    gcloud-services-list
     API has been modified and due to the ingestion change, the policy is updated to match the API change.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any( config.name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist
    Updated to—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any(name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist
    Impact—
     Previously generated alerts will be resolved as Policy_Updated. This has a low impact on alerts.
    GCP BigQuery dataset is publicly accessible
    Changes—
     The
    gcloud-bigquery-dataset-list
     API is moved to Cloud Asset Inventory which changes the access control list to IAM binding in the JSON response. As a result of the ingestion change, the policy is modified to match the updated API response change. In addition, the recommendation steps have also been updated to reflect the latest UI updates.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = "acl[?(@.entity.iamMember=='allUsers' || @.entity.identifier=='allAuthenticatedUsers')] exists"
    Updated to—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = iamPolicy.bindings[?any(members[*] equals "allUsers" or members[*] equals "allAuthenticatedUsers")] exists
    Impact—
     No impact on existing alerts.
    16 New Anomaly Policies that Map to MITRE ATT&CK v10.0
    There are 16 new UEBA Anomaly policies to detect user activity from the TOR anonymity network. Each policy corresponds to one of the different service groups available in AWS, Azure, and GCP—for example—analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can manually enable them according to their security needs and the cloud services used in their environments. Here’s the list of UEBA policies:
    • Suspicious activity in Security services
    • Suspicious activity in Networking services
    • Suspicious activity in Analytics services
    • Suspicious activity in Monitoring / Management services
    • Suspicious activity in Database services
    • Suspicious activity in Compute services
    • Suspicious activity in Storage services
    • Suspicious activity in Application Integration services
    • Suspicious activity in Containers services
    • Suspicious activity in AI / ML services
    • Suspicious activity in Migration services
    • Suspicious activity in Dev Tools services
    • Suspicious activity in Web services
    • Suspicious activity in IoT services
    • Suspicious activity in Media services
    • Suspicious login activity

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.