Features Introduced in December 2022

Learn what’s new on Prisma™ Cloud in December 2022.

New Features

FEATURE
DESCRIPTION
Asset Inventory (Update)
An enhanced Asset Inventory provides a consolidated view of assets discovered by Prisma Cloud. You can review all your assets on Prisma Cloud across multi-cloud deployments—public and private cloud environments. The enhanced Asset Inventory provides new capabilities to identify and prioritize remediation of security issues detected within your monitored environments.
In addition to the assets currently available in Prisma Cloud, the enhanced Asset Inventory also includes new asset types from Prisma Cloud Compute, including hosts, containers, and container images. You can view this data in a tabular format and search and filter down to specific resources or sets of resources based on your selected filters.
Improvement to Flow Logs Ingestion Time
Prisma Cloud now supports hourly partitions for the AWS flow logs it ingests from your S3 bucket. With hourly partitions, Prisma Cloud makes fewer calls to your S3 bucket, which reduces cost, removes the ingestion lag, and improves ingestion performance compared with the existing 24-hour partition.
Create a new flow log with hourly partitioning and enable the additional fields that Prisma Cloud requires in the AWS console. Additional fields such as tcp-flags and flow-direction are used to ensure the accuracy of the internet exposure calculation in network policies.
External ID update for AWS Cloud Account Onboarding
This change was first announced in the look ahead that was published with the 22.4.1 release.
While onboarding AWS standalone or organization accounts in the Prisma Cloud console, you can no longer provide your own External ID. Instead, Prisma Cloud generates an External ID and includes it in the IAM Role CFT. Use this External ID to complete the onboarding process within 30 days. If you do not complete the onboarding within this 30-day period, you must restart the onboarding workflow.
This change is currently limited to the Prisma Cloud Console and does not impact already onboarded AWS accounts.
You can continue to use the existing cloud account onboarding APIs until the new APIs that use the External ID generated by Prisma Cloud are available (expected in February 2023). After the new APIs are available, you have 90 days to update your automation scripts for onboarding new cloud accounts.
Similarly, the CFTs in the S3 bucket that allow custom External IDs will continue to be available until the end of March 2023 for backward compatibility.
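An added example (not from the release note or from Prisma Cloud) that builds the ec2.create_flow_logs() parameters for an hourly-partitioned S3 flow log carrying the tcp-flags and flow-direction fields, and checks existing describe_flow_logs() entries for the same requirements; the VPC id, bucket ARN and flow log records are constructed.

```python
"""Check AWS VPC flow log settings against the requirements described above:
hourly S3 partitions plus the tcp-flags and flow-direction fields.

Added example; not Prisma Cloud tooling. Runs offline on constructed records
shaped like the items of ec2.describe_flow_logs()["FlowLogs"].
"""
from __future__ import annotations

import re

# Fields Prisma Cloud needs for the internet exposure calculation (per the
# release note). DEFAULT_FIELDS mirrors the AWS default log format.
REQUIRED_FIELDS = ("tcp-flags", "flow-direction")
DEFAULT_FIELDS = (
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log-status",
)


def build_log_format(extra_fields=REQUIRED_FIELDS) -> str:
    """Return an AWS flow log format string with the extra fields appended."""
    return " ".join(f"${{{f}}}" for f in DEFAULT_FIELDS + tuple(extra_fields))


def create_flow_logs_params(vpc_id: str, bucket_arn: str) -> dict:
    """Keyword arguments for ec2.create_flow_logs() with hourly S3 partitioning."""
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": "ALL",
        "LogDestinationType": "s3",
        "LogDestination": bucket_arn,
        "LogFormat": build_log_format(),
        "DestinationOptions": {
            "FileFormat": "plain-text",
            "HiveCompatiblePartitions": False,
            "PerHourPartition": True,  # the hourly partition the note asks for
        },
    }


def check_flow_log(flow_log: dict) -> list[str]:
    """Return the problems found in one describe_flow_logs() entry."""
    problems = []
    if flow_log.get("LogDestinationType") != "s3":
        problems.append("destination is not S3")
    opts = flow_log.get("DestinationOptions") or {}
    if not opts.get("PerHourPartition", False):
        problems.append("PerHourPartition is not enabled (24-hour partition)")
    fields = set(re.findall(r"\$\{([a-z0-9-]+)\}", flow_log.get("LogFormat", "")))
    for field in REQUIRED_FIELDS:
        if field not in fields:
            problems.append(f"log format is missing ${{{field}}}")
    if flow_log.get("FlowLogStatus") != "ACTIVE":
        problems.append("flow log is not ACTIVE")
    return problems


# Constructed sample records (ids and ARN are placeholders).
_RECOMMENDED = create_flow_logs_params("vpc-0example", "arn:aws:s3:::example-flow-logs")
SAMPLE_FLOW_LOGS = [
    {   # legacy setting: daily partition, default format without the new fields
        "FlowLogId": "fl-legacy0001", "FlowLogStatus": "ACTIVE",
        "LogDestinationType": "s3",
        "LogDestination": "arn:aws:s3:::example-flow-logs",
        "LogFormat": build_log_format(extra_fields=()),
        "DestinationOptions": {"FileFormat": "plain-text",
                               "HiveCompatiblePartitions": False,
                               "PerHourPartition": False},
    },
    {   # setting created as recommended above
        "FlowLogId": "fl-hourly0001", "FlowLogStatus": "ACTIVE",
        **{k: _RECOMMENDED[k] for k in ("LogDestinationType", "LogDestination",
                                        "LogFormat", "DestinationOptions")},
    },
]


def audit(flow_logs=SAMPLE_FLOW_LOGS) -> dict[str, list[str]]:
    """Map each flow log id to its list of problems (empty means compliant)."""
    return {fl["FlowLogId"]: check_flow_log(fl) for fl in flow_logs}


if __name__ == "__main__":
    for flow_log_id, problems in audit().items():
        print(flow_log_id, "OK" if not problems else "; ".join(problems))
```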

API Ingestions

SERVICE
API DETAILS
Amazon CodePipeline
aws-code-pipeline-pipeline
Additional permissions required:
  • codepipeline:ListPipelines
  • codepipeline:GetPipeline
  • codepipeline:ListTagsForResource
The Security Audit role includes these permissions except codepipeline:ListTagsForResource. You must add the codepipeline:ListTagsForResource permission manually or use the CFT template to update it.
Amazon Forecast
aws-forecast-predictor
Additional permissions required:
  • forecast:DescribePredictor
  • forecast:DescribeAutoPredictor
  • forecast:ListTagsForResource
  • forecast:ListPredictors
You must add the permissions manually or use the CFT template to update the permissions.
Amazon Forecast
aws-forecast-dataset
Additional permissions required:
  • forecast:ListDatasets
  • forecast:DescribeDataset
  • forecast:ListTagsForResource
The Security Audit role includes only the forecast:ListDatasets permission. You must add the forecast:DescribeDataset and forecast:ListTagsForResource permissions manually or use the CFT template to update them.
AWS Glue DataBrew
aws-glue-data-brew-job
Additional permissions required:
  • databrew:DescribeJob
  • databrew:ListJobs
You must add the permissions manually or use the CFT template to update the permissions.
Azure App Service
azure-app-service-diagnostic-settings
Additional permissions required:
  • Microsoft.Web/sites/Read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Azure Compute
azure-cloudservices-roleinstance-publicip
Additional permissions required:
  • Microsoft.Compute/cloudServices/read
  • Microsoft.Compute/cloudServices/roleInstances/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
The Reader role includes the permissions.
Azure Data Lake Analytics
azure-data-lake-analytics-diagnostic-settings
Additional permissions required:
  • Microsoft.DataLakeAnalytics/accounts/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Azure Key Vault
azure-key-vault-diagnostic-settings
Additional permissions required:
  • Microsoft.KeyVault/vaults/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Azure Key Vault
azure-key-vault-privatelinkresource
Additional permissions required:
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/privateLinkResources/read
The Reader role includes the permissions.
Azure Logic Apps
azure-logic-app-workflow-diagnostic-settings
Additional permissions required:
  • Microsoft.Logic/workflows/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Azure Recovery Services
azure-recovery-service-vault-diagnostic-settings
Additional permissions required:
  • Microsoft.RecoveryServices/Vaults/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Azure Subscriptions
azure-subscription-list
Additional permission required:
  • Microsoft.Resources/subscriptions/read
The Reader role includes the permission.
Azure Virtual Network
azure-network-private-endpoint
Additional permission required:
  • Microsoft.Network/privateEndpoints/read
The Reader role includes the permission.
Google Apigee X
gcloud-apigee-x-organization-shared-flow
Additional permissions required:
  • apigee.organizations.list
  • apigee.sharedflows.list
  • apigee.sharedflows.get
  • apigee.deployments.list
The Viewer role includes the permissions.
Google Apigee X
gcloud-apigee-x-organization-data-collector
Additional permissions required:
  • apigee.organizations.list
  • apigee.datacollectors.list
The Viewer role includes the permissions.
Google Apigee X
gcloud-apigee-x-organization-instance
Additional permissions required:
  • apigee.instances.list
  • apigee.instanceattachments.list
  • apigee.organizations.list
The Viewer role includes the permissions.
Google Apigee X
gcloud-apigee-x-organization-environment
Additional permissions required:
  • apigee.organizations.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.organizations.get
The Viewer role includes the permissions.
Google Apigee X
gcloud-apigee-x-organization
Additional permissions required:
  • apigee.organizations.list
  • apigee.organizations.get
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-zone-asset
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.assets.list
  • dataplex.assets.getIamPolicy
The Viewer role includes the permissions.
Google Healthcare
gcloud-healthcare-dataset
Additional permission required:
  • healthcare.datasets.get
The Viewer role includes the permission.
Google Identity and Access Management
gcloud-iam-service-accounts-keys-list
Additional permission required:
  • iam.serviceAccountKeys.get
The Viewer role includes the permission.
Google Identity and Access Management
gcloud-iam-service-accounts-list
Additional permission required:
  • iam.serviceAccounts.get
The Viewer role includes the permission.
Google Stackdriver Monitoring
gcloud-monitoring-policies-list
Additional permission required:
  • monitoring.alertPolicies.get
The Monitoring Viewer role includes the permission.
Google Compute Engine
gcloud-ssl-certificate
Additional permission required:
  • compute.sslCertificates.get
The Viewer role includes the permission.
Google Compute Engine
gcloud-compute-instance-template
Additional permission required:
  • compute.instanceTemplates.get
The Viewer role includes the permission.
Google AI Platform
gcloud-ai-platform-job
Additional permission required:
  • ml.jobs.get
The Viewer role includes the permission.
Google API Keys
gcloud-api-key
Additional permission required:
  • apikeys.keys.get
The API Keys Viewer role includes the permission.
Google API Gateway
gcloud-apigateway-gateway
Additional permission required:
  • apigateway.gateways.get
The API Gateway Viewer role includes the permission.
Google Cloud Armor
gcloud-armor-security-policy
Additional permission required:
  • compute.securityPolicies.get
The Viewer role includes the permission.
Google Cloud Composer
gcloud-composer-environment
Additional permission required:
  • composer.environments.get
The Viewer role includes the permission.
Google VPC (Update)
gcloud-compute-project-firewall-policy
Additional permission required:
  • compute.regionfirewallPolicies.list
The Viewer role includes the permission.
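To find out which of the additional AWS permissions listed above a role is still missing, here is an added Python check (not Prisma Cloud's CFT or tooling) that evaluates the listed actions against an IAM policy document using IAM-style wildcard matching; the policy document is a constructed stand-in for a Security Audit-style role, not the real AWS managed policy.

```python
"""Report which of the additional AWS permissions from the API ingestions
table an IAM policy document does not grant.

Added example, not part of the release note or Prisma Cloud's CFT. Only the
Action/NotAction and Effect of each statement are evaluated; Resource and
Condition are ignored, so treat a "granted" result as an upper bound.
"""
from __future__ import annotations

import fnmatch
import json

# Additional permissions named above for the new AWS API ingestions.
REQUIRED_PERMISSIONS = {
    "aws-code-pipeline-pipeline": [
        "codepipeline:ListPipelines", "codepipeline:GetPipeline",
        "codepipeline:ListTagsForResource",
    ],
    "aws-forecast-predictor": [
        "forecast:DescribePredictor", "forecast:DescribeAutoPredictor",
        "forecast:ListTagsForResource", "forecast:ListPredictors",
    ],
    "aws-forecast-dataset": [
        "forecast:ListDatasets", "forecast:DescribeDataset",
        "forecast:ListTagsForResource",
    ],
    "aws-glue-data-brew-job": ["databrew:DescribeJob", "databrew:ListJobs"],
}


def _as_list(value) -> list:
    """IAM allows Statement, Action and NotAction to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """True if an Allow statement covers `action` and no Deny statement does."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement applies to every action not listed
            hit = not any(_matches(p, action) for p in _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_permissions(policy: dict, required=REQUIRED_PERMISSIONS) -> dict[str, list[str]]:
    """Map each API name to the required actions the policy does not grant."""
    return {api: [a for a in actions if not is_allowed(policy, a)]
            for api, actions in required.items()}


# Constructed policy mirroring the notes above: CodePipeline list/get but not
# ListTagsForResource, only forecast:ListDatasets, and nothing for DataBrew.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codepipeline:ListPipelines", "codepipeline:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "forecast:ListDatasets", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for api, missing in missing_permissions(SAMPLE_POLICY).items():
        print(f"{api}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```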

New Policies

NEW POLICIES
DESCRIPTION
Azure Cosmos DB (PaaS) instance reachable from untrust internet source
Identifies Azure Cosmos DB (PaaS) instances that are reachable from untrusted internet sources. Cosmos DB (PaaS) instances exposed to untrusted internet traffic may enable bad actors to brute force the system and gain unauthorised access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE' and dest.paas.service.type in ('MicrosoftDocumentDBDatabaseAccount')
Instance affected by Spring Cloud Function SpringShell vulnerability is exposed to network traffic from the internet (CVE-2022-22963)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Spring Cloud Function version vulnerable to arbitrary code execution (CVE-2022-22963) that are exposed to network traffic from the internet. As a best practice, upgrade to the latest Spring Cloud Function version and limit internet exposure.
network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-22963')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by OpenSSL X.509 email address 4-Byte BOF (Spooky SSL) vulnerability is exposed to network traffic from the internet (CVE-2022-3602)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an OpenSSL version vulnerable to Spooky SSL, the OpenSSL X.509 email address 4-byte buffer overflow (CVE-2022-3602), that are exposed to network traffic from the internet. As a best practice, upgrade OpenSSL to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-3602') ) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Text4shell RCE vulnerability is exposed to network traffic from the internet (CVE-2022-42889)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Apache Commons Text version vulnerable to CVE-2022-42889 that are exposed to network traffic from the internet. As a best practice, upgrade Apache Commons Text to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-42889') ) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Apache Log4j JDBC Appender remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-44832)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Apache Log4j version whose JDBC Appender is vulnerable to CVE-2021-44832. As a best practice, upgrade Apache Log4j to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-44832')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Apache Log4j Thread Context Map remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-45046)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Apache Log4j version vulnerable to the Thread Context Map remote code execution vulnerability CVE-2021-45046 that are exposed to network traffic from the internet. As a best practice, upgrade Apache Log4j to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-45046')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Apache Log4j denial of service vulnerability is exposed to network traffic from the internet (CVE-2021-45105)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Apache Log4j version vulnerable to CVE-2021-45105 that are exposed to network traffic from the internet. As a best practice, update Apache Log4j to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-45105')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Argo CD vulnerability is exposed to network traffic from the internet (CVE-2022-24348)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Argo CD version vulnerable to CVE-2022-24348 that are exposed to network traffic from the internet. As a best practice, upgrade to the latest version of Argo CD and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-24348')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Linux kernel Dirty Pipe vulnerability is exposed to network traffic from the internet (CVE-2022-0847)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Linux kernel version vulnerable to Dirty Pipe (CVE-2022-0847) that are exposed to network traffic from the internet. As a best practice, upgrade to the latest Linux kernel version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-0847')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Java Psychic Signatures vulnerability is exposed to network traffic from the internet (CVE-2022-21449)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running an Oracle Java SE version vulnerable to CVE-2022-21449 (Psychic Signatures) that are exposed to network traffic from the internet. As a best practice, upgrade to the latest Oracle Java SE version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-21449')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Linux kernel container escape vulnerability is exposed to network traffic from the internet (CVE-2022-0185)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Linux kernel version vulnerable to the container escape vulnerability CVE-2022-0185 that are exposed to network traffic from the internet. As a best practice, upgrade to the latest Linux kernel version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-0185')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by DCE/RPC remote code execution vulnerability is exposed to network traffic from the internet (CVE-2022-26809)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a version vulnerable to the SMB DCE/RPC remote code execution vulnerability CVE-2022-26809 that are exposed to network traffic from the internet. As a best practice, upgrade to the latest patched version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-26809')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Instance affected by Samba vfs_fruit module remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-44142)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Samba version vulnerable to the vfs_fruit module remote code execution vulnerability CVE-2021-44142 that are exposed to network traffic from the internet. As a best practice, upgrade to the latest Samba version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND dest.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-44142')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in December 2022 for details on new Configuration Build policies.

Policy Updates

See Prisma Cloud Known Issues for a policy status change issue that may affect you.
POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
Instance affected by Apache Log4j vulnerability is exposed to network traffic from the internet (CVE-2021-44228)
Changes—
The policy RQL has been updated to enhance the scope of network traffic direction.
Current RQL—
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Updated RQL—
network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-44228')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Impact—
Low. New alerts will be generated if there are any vulnerable resources.
Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Changes—
The policy name and RQL have been updated to enhance the scope of network traffic direction.
Current Policy Name—
Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Updated Policy Name—
Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet [CVE-2021-38647]
Current RQL—
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-38647')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Updated RQL—
network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-38647')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Impact—
Low. New alerts will be generated if there are any vulnerable resources.
Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Requires the Compute subscription to generate alerts on Prisma Cloud.
Changes—
The policy name, description, and RQL are updated to enhance the scope of network traffic direction.
Current Policy Name—
Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Updated Policy Name—
Instance affected by Spring Framework SpringShell vulnerability is exposed to network traffic from the internet [CVE-2022-22965]
Updated Policy Description—
Identifies Instances installed with the Java Spring Framework version vulnerable to arbitrary code execution CVE-2022-22965 and exposed to network traffic from the internet. As a best practice, upgrade the Java Spring Framework version to the latest version and limit exposure to the internet.
Current RQL—
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Updated RQL—
network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Impact—
Low. New alerts will be generated if there are any vulnerable resources.
AWS Customer Master Key (CMK) rotation is not enabled
Changes—
The policy RQL has been updated to report only customer-managed keys generated by KMS (origin AWS_KMS), which support automatic key rotation.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and keyMetadata.origin equals AWS_KMS and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
Impact—
Medium. Existing alerts will be resolved as Policy_Updated for KMS resources configured with asymmetric keys.
Azure App Service Web app doesn’t use latest Java version
Changes—
The policy RQL has been updated to check against the Java versions currently supported by the vendor, including Java 17.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'properties.state equals Running and ((config.isJava11VersionLatest exists and config.isJava11VersionLatest equals false) or (config.javaVersion exists and (config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11)) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and config.linuxFxVersion contains 8 and config.linuxFxVersion does not contain 8-jre8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP and config.linuxFxVersion does not contain 7-java8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains TOMCAT and config.linuxFxVersion does not contain -jre8))'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'properties.state equals Running and ((config.javaVersion exists and config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11 and config.javaVersion does not equal 17) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and (config.linuxFxVersion contains 8 or config.linuxFxVersion contains 11 or config.linuxFxVersion contains 17) and config.linuxFxVersion does not contain 8-jre8 and config.linuxFxVersion does not contain 11-java11 and config.linuxFxVersion does not contain 17-java17) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP and config.linuxFxVersion does not contain 7-java8 and config.linuxFxVersion does not contain 7-java11 and config.linuxFxVersion does not contain 7-java17) or (config.linuxFxVersion contains TOMCAT and config.linuxFxVersion does not end with 10.0-jre8 and config.linuxFxVersion does not end with 9.0-jre8 and config.linuxFxVersion does not end with 8.5-jre8 and config.linuxFxVersion does not end with 10.0-java11 and config.linuxFxVersion does not end with 9.0-java11 and config.linuxFxVersion does not end with 8.5-java11 and config.linuxFxVersion does not end with 10.0-java17 and config.linuxFxVersion does not end with 9.0-java17 and config.linuxFxVersion does not end with 8.5-java17))'
Impact—
Low. Alerts generated for Java version 17 will be resolved as Policy_Updated.
Policy Updates—Metadata
GCP Log metric filter and alert does not exist for VPC network changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for IAM custom role changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for VPC network route changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for Audit Configuration changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for SQL instance configuration changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for VPC Network Firewall rule changes
Changes—
The policy recommendation steps have been updated to reflect the CSP changes.
Impact—
No impact on alerts.
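To see which keys stop alerting after the "AWS Customer Master Key (CMK) rotation is not enabled" RQL change above, here is an added Python re-implementation (not Prisma Cloud code) of the current and updated rule conditions, run over constructed records shaped like kms.describe_key() and kms.get_key_rotation_status() responses.

```python
"""Compare the current and updated RQL of the CMK rotation policy.

Added example, not Prisma Cloud code. The only difference between the two
rules is the `keyMetadata.origin equals AWS_KMS` condition; the sample keys
below are constructed and use the field names of the KMS API responses.
"""
from __future__ import annotations


def _rotation_enabled(rotation_status: dict | None) -> bool | None:
    """RQL treats a missing rotation status as "null"; map that to None."""
    if not rotation_status:
        return None
    return rotation_status.get("KeyRotationEnabled")


def violates(key_metadata: dict, rotation_status: dict | None,
             updated_rule: bool = True) -> bool:
    """True if the key would be reported by the policy.

    updated_rule=False reproduces the current RQL; True adds the origin
    condition introduced by this update.
    """
    if key_metadata.get("KeyState") != "Enabled":
        return False
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return False  # AWS-managed keys are rotated by AWS
    if key_metadata.get("CustomerMasterKeySpec") != "SYMMETRIC_DEFAULT":
        return False  # automatic rotation applies to symmetric keys only
    if updated_rule and key_metadata.get("Origin") != "AWS_KMS":
        return False  # imported or custom-key-store material cannot auto-rotate
    return _rotation_enabled(rotation_status) in (False, None)


# Constructed sample keys: (describe_key KeyMetadata, get_key_rotation_status).
SAMPLE_KEYS = {
    "kms-native-no-rotation": (
        {"KeyState": "Enabled", "KeyManager": "CUSTOMER",
         "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
        {"KeyRotationEnabled": False}),
    "kms-native-rotating": (
        {"KeyState": "Enabled", "KeyManager": "CUSTOMER",
         "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
        {"KeyRotationEnabled": True}),
    "imported-material": (  # origin EXTERNAL: flagged before, not after
        {"KeyState": "Enabled", "KeyManager": "CUSTOMER",
         "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL"},
        None),
    "aws-managed": (
        {"KeyState": "Enabled", "KeyManager": "AWS",
         "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
        {"KeyRotationEnabled": True}),
    "rsa-signing-key": (
        {"KeyState": "Enabled", "KeyManager": "CUSTOMER",
         "CustomerMasterKeySpec": "RSA_2048", "Origin": "AWS_KMS"},
        None),
}


def compare_rules(keys=SAMPLE_KEYS) -> dict[str, tuple[bool, bool]]:
    """Per key: (reported by the current RQL, reported by the updated RQL)."""
    return {name: (violates(md, rs, updated_rule=False),
                   violates(md, rs, updated_rule=True))
            for name, (md, rs) in keys.items()}


if __name__ == "__main__":
    for name, (before, after) in compare_rules().items():
        print(f"{name:24} current={before!s:5} updated={after!s:5}")
```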

Changes in Existing Behavior

FEATURE
DESCRIPTION
Global Region Support for Google Compute Engine
Prisma Cloud now provides global region support for the gcloud-compute-instance-template API. Due to this, all the resources will be deleted once, and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact—
You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-instance-template start ingesting data again.
Region Support for Google Cloud Load Balancing APIs
Prisma Cloud can now store regional resources as well as global resources for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs. Due to this, new alerts will be generated against policy violations.
Impact—
You may notice an increased count in the number of alerts for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs.
Alerts for Audit Events
To make your experience with audit event alerts consistent with configuration alerts for custom policies, the policy evaluation for audit events is updated to use the alert rule configuration. The targets for the cloud accounts and cloud regions for which you want to trigger alerts are now only inherited from the alert rule.
Previously, when you ran an audit event query on the Investigate page, saved it as a saved search, and then used that saved search as the match criteria in a policy, the matched issues that triggered alerts used inputs from both the alert rule configuration and the saved search.
As an example, if you had created a saved search that includes RQL for cloud.account, cloud.accountgroup, or cloud.region, such as
event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
the cloud.account and cloud.region attributes are now ignored for custom and existing policies and their associated alerts. Only the target cloud accounts and cloud regions that you specify in the alert rule configuration are used to scope when alerts are generated for the custom Audit Event policy.
Impact—
The change in how the targets for generating alerts are scoped may result in a larger number of alerts than before. This change will be rolled out gradually over multiple phases.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Multi-Level Protection Scheme 2.0 (Level 2)
Prisma Cloud now supports the Multi-Level Protection Scheme 2.0 (Level 2) compliance standard. This level of information security is based on the compliance standard that nearly all domestic and foreign companies operating in China must follow.
With this support, you can now view this built-in standard and the related policies on the Compliance Standard page on Prisma Cloud. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance over time.
Secure Controls Framework (SCF) - 2022.2.1 standards
Prisma Cloud now supports the Secure Controls Framework (SCF) - 2022.2.1 standards. The Secure Controls Framework (SCF) is a meta-framework that corresponds to more than 100 industry frameworks and laws related to cybersecurity and privacy.
The SCF is concerned with internal controls. These are the cybersecurity and privacy policies, standards, procedures, and other processes designed to provide assurance that business objectives will be met and unwanted events will be prevented, detected, and corrected.
With this support, you can now view this built-in standard and the related policies on the Compliance Standard page on Prisma Cloud. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance over time.

REST API Updates

CHANGE
DESCRIPTION
Asset Explorer API
The following new endpoint returns detailed information for the asset with the given id:
