Features Introduced in January 2022

Learn what’s new on Prisma™ Cloud in January 2022.

New Features Introduced in 22.1.1

New Features

Adoption Advisor (Limited GA)
Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier!
The Adoption Advisor gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.
Code Security
The all-new Code Security module is here for Prisma Cloud Enterprise Edition! To proactively improve the security posture of your cloud infrastructure as you create, deploy, and maintain business-impacting resources using IaC templates and automation pipelines, use the Code Security module to identify and protect against vulnerabilities, misconfigurations, and compliance violations in IaC templates such as Terraform, CloudFormation, and Helm.
These capabilities embed tightly in DevOps workflows and tooling to provide fast feedback and enforce guardrails in code during the development lifecycle. With a centralized view of all misconfigurations across scanned repositories on the Prisma Cloud administrative console, which provides filtering and searching to find code blocks and owners, you can review and address misconfigurations or violations quickly. See Features Introduced in 2022—Code Security for more.
Refreshed Enterprise Settings UI
The Enterprise Settings page is refreshed to provide a better user experience.
Length Limit for User Profile Name Fields
The number of characters in username, first name, and last name for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field.
New Operator for Wildcard Support in RQL Attributes
The like operator is added to enable wildcard (*) support so that all available permissions in your cloud accounts are displayed. The following example uses the like operator:
config from iam where dest.cloud.account LIKE 'account-dev-3'
In this example, the results displayed will match all of the available permissions in account-dev-3. If you want to see the exact result for the search value, use the = operator.
Removal of User-Defined Time Zone Field
The Time Zone field is removed from the User Profile, Service Account Details, and Add Administrative Users pages.
API Ingestions
MDC aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource for Log4j vulnerability
In addition to the existing APIs for aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource in Classic MDC, the following API is now also ingested to help protect against the Log4j vulnerability:
wafv2:ListResourcesForWebACL
AWS AppSync
aws-appsync-graphql-api
Additional permissions required:
appsync:ListGraphqlApis
Amazon DAX
aws-dax-cluster
Additional permissions required:
  • dax:DescribeClusters
  • dax:ListTags
Amazon DocumentDB
aws-docdb-db-cluster-parameter-group
Additional permissions required:
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:ListTagsForResource
Amazon FSx
aws-fsx-file-system
Additional permissions required:
fsx:DescribeFileSystems
Amazon RDS
aws-rds-db-cluster-parameter-group
Additional permissions required:
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:ListTagsForResource
Amazon QuickSight
aws-quicksight-dataset
Additional permissions required:
  • quicksight:ListDataSets
  • quicksight:ListTagsForResource
Amazon QuickSight
aws-quicksight-datasource
Additional permissions required:
  • quicksight:ListDataSources
  • quicksight:ListTagsForResource
Update: AWS ECR ingestion to ingest public repositories
The API has been updated with the following information:
New API name: aws-ecr-public-repositories
New permissions added to the CFT templates:
  • ecr-public:DescribeRepositories
  • ecr-public:GetRepositoryCatalogData
  • ecr-public:GetRepositoryPolicy
  • ecr-public:ListTagsForResource
Update: Amazon Cognito
The following new permission is required to ingest the aws-cognito-identity-pool API:
cognito-identity:DescribeIdentityPool
Without this permission, identity pool resources will not be ingested and all the existing resources will be marked as deleted.
Update: Amazon EC2
The following new permission is required to ingest the disableApiTermination field in the aws-ec2-describe-instances API:
ec2:DescribeInstanceAttribute
Amazon Simple Email Service
aws-ses-identities
Additional permissions required:
  • ses:GetIdentityDkimAttributes
  • ses:GetIdentityPolicies
  • ses:ListIdentityPolicies
  • ses:ListIdentities
AWS Web Application Firewall (WAF) and WAFv2
aws-waf-classic-web-acl-resource
aws-waf-v2-web-acl-resource
Azure Cognitive Services
azure-cognitive-services-account
Additional permission required:
Microsoft.CognitiveServices/accounts/read
Azure Virtual Network Gateway
azure-virtual-network-gateway
Additional permission required:
Microsoft.Network/virtualNetworkGateways/read
Azure Virtual Network
azure-private-link-service
Additional permission required:
Microsoft.Network/privateLinkServices/read
Azure Virtual Network
azure-bastion-host
Additional permission required:
Microsoft.Network/bastionHosts/read
Azure Machine Learning
azure-machine-learning-workspace
Additional permission required:
Microsoft.MachineLearningServices/workspaces/read
Azure Recovery Services
azure-recovery-service-backup-protected-item
Additional permission required:
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
Azure Recovery Services
azure-recovery-service-vault
Additional permission required:
Microsoft.RecoveryServices/Vaults/read
Azure Web Application Firewall
azure-application-gateway-waf-policy
Additional permission required:
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
Google API Key
gcloud-api-key
Additional permission required:
apikeys.keys.list
Google Cloud Data Fusion
gcloud-datafusion-instance
Additional permission required:
  • datafusion.instances.list
  • datafusion.instances.getIamPolicy
Google Container Analysis
gcloud-container-analysis-vulnerability-summary
Additional permission required:
  • containeranalysis.occurrences.list
Google Cloud Memorystore
gcloud-redis-instances-list
Additional permission required:
  • redis.instances.list
Google Compute Engine
gcloud-ssl-certificate
Additional permission required:
compute.sslCertificates.list
Google Cloud DNS
gcloud-dns-policy
Additional permission required:
dns.policies.list
Google Cloud Armor
gcloud-armor-security-policy
Additional permission required:
compute.securityPolicies.list
Google Cloud Resource Manager
gcloud-organization-project-info
Additional permission required:
resourcemanager.projects.list
Google Stackdriver Monitoring
gcloud-monitoring-notification-channel
Additional permission required:
monitoring.notificationChannels.list
Update: Google Cloud Tasks and Google Cloud Run Permissions
The gcloud-cloud-task and gcloud-cloud-run-services-list APIs now require the cloudtasks.locations.list and run.locations.list permissions.
OCI Containers And Artifacts
oci-containers-artifacts-kubernetes-cluster-nodepool
Additional permission required:
inspect cluster-node-pools
OCI Networking
oci-networking-subnet
Additional permission required:
inspect subnets

New Policies and Policy Updates

New Policies
AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AppSync APIs attached to a WAFv2 Web Access Control List (ACL) that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to AppSync with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;
AWS AppSync not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS AppSync that is not configured with AWS Web Application Firewall (WAF). It is recommended to enable the AWS WAF service on API Gateway to protect against application layer attacks. To block malicious requests to your API Gateway, define the block criteria in the WAF Web Access Control List (ACL).
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn does not exist
AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS API Gateway REST APIs attached to an AWS Web Application Firewall v2 (WAFv2) Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to the API Gateway REST API with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;
AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS Application Load Balancers (ALB) attached to a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to the ALB with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;
AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS CloudFront distributions attached to a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to CloudFront with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
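The four AMR policies above (AppSync, API Gateway REST API, ALB, CloudFront) share one rule: a WAFv2 Web ACL passes only if its rules reference both AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList. As an added example that is not Prisma Cloud code, the following Python evaluates that check over constructed resource JSON in the field layout the RQL queries, and reproduces both join directions: AppSync, where the API points at the ACL through wafWebAclArn, and ALB, where the ACL lists the load balancers it protects. Every ARN and resource name is constructed.

```python
# Added example, not Prisma Cloud code: the "WAFv2 WebACL is not configured with AMR
# for Log4j" checks from the policies above, evaluated over constructed resource JSON.
# Field names follow the RQL (webACL.arn, webACL.rules[*].statement.managedRuleGroupStatement.name,
# wafWebAclArn, resources.applicationLoadBalancer, loadBalancerArn, scheme, type);
# every ARN and resource name below is constructed.

REQUIRED_AMR = {
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
}


def managed_rule_groups(acl: dict) -> set:
    """Names of all managed rule groups referenced by a Web ACL's rules."""
    names = set()
    for rule in acl.get("webACL", {}).get("rules", []):
        stmt = rule.get("statement", {}).get("managedRuleGroupStatement")
        if stmt and stmt.get("name"):
            names.add(stmt["name"])
    return names


def missing_log4j_amr(acl: dict) -> set:
    """Required rule groups the Web ACL lacks; an empty set means the ACL passes."""
    return REQUIRED_AMR - managed_rule_groups(acl)


def appsync_without_log4j_amr(apis: list, acls: list) -> list:
    """AppSync join: the API's wafWebAclArn must equal a weak ACL's webACL.arn.
    APIs with no Web ACL are out of scope here, as in the RQL (wafWebAclArn is not empty)."""
    weak_arns = {acl["webACL"]["arn"] for acl in acls if missing_log4j_amr(acl)}
    return [api["name"] for api in apis if api.get("wafWebAclArn") in weak_arns]


def albs_without_log4j_amr(albs: list, acls: list) -> list:
    """ALB join runs the other way: the Web ACL lists the load balancers it protects under
    resources.applicationLoadBalancer, and the RQL only considers internet-facing application LBs."""
    weak_targets = set()
    for acl in acls:
        if missing_log4j_amr(acl):
            weak_targets.update(acl.get("resources", {}).get("applicationLoadBalancer", []))
    return [
        lb["name"] for lb in albs
        if lb.get("scheme") == "internet-facing"
        and lb.get("type") == "application"
        and lb.get("loadBalancerArn") in weak_targets
    ]


# Constructed sample data (not real accounts or resources).
ALB_WEB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/EXAMPLE"
ALB_API = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api/EXAMPLE"
ALB_INTERNAL = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/internal/EXAMPLE"

SAMPLE_ACLS = [
    {   # both required managed rule groups present: compliant
        "webACL": {
            "arn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/full/EXAMPLE1",
            "rules": [
                {"statement": {"managedRuleGroupStatement": {"name": "AWSManagedRulesKnownBadInputsRuleSet"}}},
                {"statement": {"managedRuleGroupStatement": {"name": "AWSManagedRulesAnonymousIpList"}}},
                {"statement": {"rateBasedStatement": {"limit": 2000}}},  # unrelated rule, ignored
            ],
        },
        "resources": {"applicationLoadBalancer": [ALB_WEB]},
    },
    {   # only one of the two groups: reported by the policy
        "webACL": {
            "arn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/partial/EXAMPLE2",
            "rules": [
                {"statement": {"managedRuleGroupStatement": {"name": "AWSManagedRulesKnownBadInputsRuleSet"}}},
            ],
        },
        "resources": {"applicationLoadBalancer": [ALB_API, ALB_INTERNAL]},
    },
]

SAMPLE_APIS = [
    {"name": "catalog-api", "wafWebAclArn": SAMPLE_ACLS[0]["webACL"]["arn"]},
    {"name": "orders-api", "wafWebAclArn": SAMPLE_ACLS[1]["webACL"]["arn"]},
    {"name": "legacy-api"},  # no Web ACL: caught by the separate "not configured with WAFv2" policy
]

SAMPLE_ALBS = [
    {"name": "web", "scheme": "internet-facing", "type": "application", "loadBalancerArn": ALB_WEB},
    {"name": "api", "scheme": "internet-facing", "type": "application", "loadBalancerArn": ALB_API},
    {"name": "internal-api", "scheme": "internal", "type": "application", "loadBalancerArn": ALB_INTERNAL},
]

if __name__ == "__main__":
    print("AppSync APIs missing Log4j AMR:", appsync_without_log4j_amr(SAMPLE_APIS, SAMPLE_ACLS))
    print("ALBs missing Log4j AMR:", albs_without_log4j_amr(SAMPLE_ALBS, SAMPLE_ACLS))
```

The API Gateway and CloudFront policies use the same AppSync-style join (resource points at ACL), differing only in the attribute name (webAclArn, webACLId) and, for CloudFront, in reading the global rather than the regional Web ACL API; the rule-group test itself is identical.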
AWS WAF Classic (Regional) in use
This policy identifies AWS WAF Classic (Regional) Web ACLs that are in use. It is recommended to configure the AWS WAFv2 service to protect against application-layer attacks. To block malicious requests, define the block criteria in the WAFv2 Web ACL, which has more capability than WAF Classic.
config from cloud.resource where api.name = 'aws-waf-classic-web-acl-resource' AND json.rule = resources.apiGateway[*] exists or resources.applicationLoadBalancer[*] exists
AWS CloudFront not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS CloudFront distributions that are not configured with AWS WAFv2. It is recommended to configure the AWS WAFv2 service on CloudFront to protect against application-layer attacks. To block malicious requests to your CloudFront distributions, define the block criteria in the WAFv2 Web ACL.
config from cloud.resource where api.name = 'aws-waf-classic-global-web-acl-resource' as X; config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as Y; filter '$.X.webACL.webACLId equals $.Y.webACLId'; show Y;
AWS API Gateway REST API not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS API Gateway REST API that is not configured with AWS WAF. It is recommended to enable the AWS WAF service on API Gateway REST API to protect against application layer attacks. To block malicious requests to your API Gateway REST API, define the block criteria in the WAF Web ACL.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn does not exist or webAclArn does not start with arn:aws:wafv2
Azure Application Gateway Web application firewall (WAF) policy rule disabled for Remote Command Execution
This policy identifies Azure Application Gateway Web Application Firewall (WAF) policies that have the ‘Remote Command Execution’ rule disabled; this is the managed rule that addresses the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule enabled under managed rules to help detect and mitigate the Log4j vulnerability.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway-waf-policy' AND json.rule = properties.policySettings.state equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupOverrides[*].rules[?any(ruleId equals 944240 and state equals Disabled)] exists and properties.applicationGateways[*] is not empty
Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabled
This policy identifies Azure Front Door WAF policies that have the ‘Remote Command Execution’ rule disabled; this is the managed rule that addresses the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule enabled under managed rules to help detect and mitigate the Log4j vulnerability.
config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' AND json.rule = properties.policySettings.enabledState equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupOverrides[*].rules[?any(action equals Block and ruleId equals 944240 and enabledState equals Disabled)] exists as X; config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink exists and properties.provisioningState equals Succeeded as Y; filter '$.Y.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.X.name'; show X;
Azure Front Door does not have the Azure Web application firewall (WAF) enabled
This policy identifies Azure Front Doors that do not have Azure WAF enabled. It is recommended to configure the Azure WAF service on the Front Doors to protect against application-layer attacks. To block malicious requests to your Front Doors, define the block criteria in the WAF rules.
config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.Y.name and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
GCP Cloud Armor rule not configured with cve-canary
This policy identifies GCP Cloud Armor rules where cve-canary is not enabled. The preconfigured cve-canary WAF rule can help detect and block exploit attempts of CVE-2021-44228 and CVE-2021-45046 to address the Apache Log4j vulnerability. It is recommended to create a Cloud Armor security policy with a rule blocking Apache Log4j exploit attempts.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-armor-security-policy' AND json.rule = rules[*].match.expr.expression does not contain cve-canary or rules[?any(match.expr.expression contains cve-canary and action equals allow)] exists
OCI IAM policy with full administrative privileges across the tenancy to non Administrator
This policy identifies IAM policies with full administrative privileges across the tenancy to non Administrators. It is recommended to practice the principle of least privilege, which limits users' access rights strictly to only what is required to do their jobs.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-policy' AND json.rule = lifecycleState equals ACTIVE and (statements[*] contains "to manage all-resources in tenancy" or statements[*] contains "to manage all-resources IN TENANCY") and name does not contain "Tenant Admin Policy"
Policy Updates—Metadata
AWS CloudFront origin protocol policy does not enforce HTTPS-only
Changes—The RQL has been updated to report only custom origins that support HTTPS communication; it ignores website endpoints from S3 buckets, EC2 instances, and custom websites. The policy description has been updated with newer standards.
Current
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = (origins.items[*] contains "customOriginConfig") and (origins.items[?(@.customOriginConfig.originProtocolPolicy)] does not contain "https-only")
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = enabled is true and origins.items[*] contains customOriginConfig and origins.items[?any(customOriginConfig.originProtocolPolicy does not contain https-only and ( domainName contains ".data.mediastore." or domainName contains ".mediapackage." or domainName contains ".elb." ))] exists
Impact—Low impact on existing alerts. Alerts with custom origins related to S3 buckets, EC2 instances, and custom websites will be resolved as Policy_Updated.
Azure Network Security Group allows all traffic on ports which are not commonly used
Changes—The RQL has been updated to include an existence check for the destinationPortRange parameter, which increases the accuracy of results.
Current
config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and (destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, ) or destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *) ))] exists
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and ((destinationPortRange exists and destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *)) or (destinationPortRanges is not empty and destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *))) )] exists
Impact—Previously reported alerts may be resolved as Policy_Updated.
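The practical effect of the existence check is easiest to see on a rule that uses destinationPortRanges rather than destinationPortRange. The following Python is an added example, not Prisma Cloud code: it implements both forms of the check over constructed NSG JSON, under the assumption that, without the existence check, an absent destinationPortRange compares as "not a member of" the list (the inaccuracy the update addresses). The NSG names and rules are constructed.

```python
# Added example, not Prisma Cloud code: the "allows all traffic on ports which are not
# commonly used" check in its previous and updated forms, over constructed NSG JSON.
# Field names (securityRules, access, direction, sourceAddressPrefix, protocol,
# destinationPortRange, destinationPortRanges) and the port list follow the RQL above.

COMMON_PORTS = {"20", "21", "22", "23", "25", "53", "80", "135", "137", "138", "443", "445",
                "1433", "1434", "3306", "3389", "4333", "5432", "5500", "5900", "*"}
ANY_SOURCE = {"Internet", "*", "0.0.0.0/0", "::/0"}
PROTOCOLS = {"Tcp", "Udp", "Icmp", "*"}


def open_inbound(rule: dict) -> bool:
    """Allow + Inbound + any-source + listed protocol: the part of the RQL that did not change."""
    return (rule.get("access") == "Allow"
            and rule.get("direction") == "Inbound"
            and rule.get("sourceAddressPrefix") in ANY_SOURCE
            and rule.get("protocol") in PROTOCOLS)


def uncommon_ports_previous(rule: dict) -> bool:
    """Previous RQL, no existence check. Assumption: an absent destinationPortRange is
    treated as 'not a member of' the list, so a rule that only uses destinationPortRanges
    is reported even when every listed port is a common one."""
    single = rule.get("destinationPortRange")
    multi = rule.get("destinationPortRanges", [])
    return single not in COMMON_PORTS or any(p not in COMMON_PORTS for p in multi)


def uncommon_ports_updated(rule: dict) -> bool:
    """Updated RQL: each field is evaluated only when it exists / is not empty."""
    single = rule.get("destinationPortRange")
    multi = rule.get("destinationPortRanges")
    single_hit = single is not None and single not in COMMON_PORTS
    multi_hit = bool(multi) and any(p not in COMMON_PORTS for p in multi)
    return single_hit or multi_hit


def flagged_nsgs(nsgs: list, port_check) -> list:
    """Names of NSGs with at least one open inbound rule that the given port check reports."""
    return [n["name"] for n in nsgs
            if any(open_inbound(r) and port_check(r) for r in n.get("securityRules", []))]


# Constructed samples. A rule uses either destinationPortRange (single value) or
# destinationPortRanges (list); the sample rules are shaped that way.
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet",
         "protocol": "Tcp", "destinationPortRange": "443", "destinationPortRanges": []}]},
    {"name": "nsg-multi-common", "securityRules": [   # common ports only, via the list field
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*",
         "protocol": "Tcp", "destinationPortRanges": ["80", "443"]}]},
    {"name": "nsg-custom", "securityRules": [          # genuinely uncommon port
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "0.0.0.0/0",
         "protocol": "*", "destinationPortRange": "8080", "destinationPortRanges": []}]},
    {"name": "nsg-private", "securityRules": [         # not internet-exposed: never reported
        {"access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.0.0/8",
         "protocol": "Tcp", "destinationPortRange": "8080", "destinationPortRanges": []}]},
]

if __name__ == "__main__":
    print("previous RQL:", flagged_nsgs(SAMPLE_NSGS, uncommon_ports_previous))
    print("updated RQL: ", flagged_nsgs(SAMPLE_NSGS, uncommon_ports_updated))
```

Under the assumption stated in the lead-in, nsg-multi-common is reported by the previous form and dropped by the updated one, which is the "resolved as Policy_Updated" case described above; nsg-custom is reported by both.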
Azure App Service Web app doesn't use latest Java version
Changes—The RQL has been updated to consider Java 8 and the Windows web app service for Java. The policy description and recommendation steps have been updated accordingly.
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'properties.state equals Running and ((config.isJava11VersionLatest exists and config.isJava11VersionLatest equals false) or (config.javaVersion exists and (config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11)) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and config.linuxFxVersion contains 8 and config.linuxFxVersion does not contain 8-jre8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP and config.linuxFxVersion does not contain 7-java8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains TOMCAT and config.linuxFxVersion does not contain -jre8))'
Impact—New alerts might be triggered for Java 8 and Windows web app services that use Java.
Azure SQL Server ADS Vulnerability Assessment is disabled and SQL servers which do not have Azure Active Directory admin configured
The severity of the above policies has been changed from Medium to Low.
Impact—No impact on alerts.
SQL databases has encryption disabled
Changes—The policy name, description, and recommendation have been updated to maintain uniformity across all policies. The RQL syntax has also been updated.
Current name
SQL databases has encryption disabled
Updated to
Azure SQL database TDE encryption disabled
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-db-list' AND json.rule = transparentDataEncryption is false
Impact—No impact on existing alerts.
Update policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Centre)
Changes—The policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Centre) have been updated for the following policies to reflect the recent changes of CIS v1.4.0:
  • Azure Security Center Defender set to Off for Servers
  • Azure Security Center Defender set to Off for App Service
  • Azure Security Center Defender set to Off for Azure SQL database servers
  • Azure Security Center Defender set to Off for SQL servers on machines
  • Azure Security Center Defender set to Off for Storage
  • Azure Security Center Defender set to Off for Kubernetes
  • Azure Security Center Defender set to Off for Container Registries
  • Azure Security Center Defender set to Off for Key Vault
  • Azure Security Center WDATP integration Disabled
  • Azure Security Center MCAS integration Disabled
  • Azure Security Center automatic provisioning of monitoring agent is set to Off
  • Azure Security Center contact email not set
  • Azure Security Center send email notifications set to 'Off'
  • Azure Security Center email notification for subscription owner is not set
GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Changes—The policy name and RQL are modified to support the latest CIS guideline, which checks whether clusters are configured with the old method of authentication. The policy metadata is updated as per the latest UI.
Current Policy Name
GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Updated Policy Name
GCP Kubernetes Engine Cluster Client Certificate is not disabled
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuth.clientKey does not exist or masterAuth.clientCertificate does not exist'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuth.clientKey exists or masterAuth.clientCertificate exists)
Impact—Low impact on existing alerts.
Updates to the CLI for remediable GCP firewall policies
The CLI of the following policies are updated to disable the firewall rule instead of deleting the rule:
  • GCP Firewall rule allows all traffic on SSH port (22)
  • GCP Firewall rule allows all traffic on RDP port (3389)
  • GCP Firewall rule allows inbound traffic from anywhere with no specific target set
  • GCP Default Firewall rule is overly permissive (except http and https)
Additional permissions required:
compute.firewalls.update
compute.networks.updatePolicy
Impact—No direct impact on alerts. If you have enabled auto-remediation for the policy, alerts will be resolved as ‘Remediated’.
Updates to the RQL and CLI for GCP Firewall Policies
GCP Firewall rule allows all traffic on DNS port (53)
Change—The RQL is modified to check whether the firewall rule is disabled and to include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Impact—Low impact on existing alerts.
GCP Firewall rule allows all traffic on FTP port (21)
Change—The RQL is modified to check whether the firewall rule is disabled and to include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule.
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
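As an added example that is not Prisma Cloud code, the following Python implements the DNS (53) and FTP (21) checks above in both their previous and updated forms over constructed GCP firewall rule JSON, including a small analogue of _Port.inRange for single ports and ranges. The field names follow the RQL; the rule names and port ranges are constructed.

```python
# Added example, not Prisma Cloud code: the "allows all traffic on DNS/FTP port" checks
# over constructed GCP firewall rule JSON, previous form beside updated form.
# Field names (disabled, sourceRanges, allowed[].IPProtocol, allowed[].ports) and the
# _Port.inRange semantics follow the RQL above; rule names and ranges are constructed.

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def port_in_spec(spec: str, port: int) -> bool:
    """GCP 'ports' entries are a single port ('53') or an inclusive range ('50-60')."""
    lo, _, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def allowed_opens_port(entry: dict, port: int) -> bool:
    """Mirror of the allowed[?any(...)] clause: either the port is listed, or no ports
    are listed and the protocol is tcp/udp (which means every port of that protocol)."""
    ports = entry.get("ports")
    if ports is None:
        proto = entry.get("IPProtocol", "").lower()
        return "tcp" in proto or "udp" in proto
    return any(port_in_spec(p, port) for p in ports)


def exposes_port_previous(rule: dict, port: int) -> bool:
    """Previous RQL: IPv4 any-source only, and disabled rules were still reported."""
    return ANY_V4 in rule.get("sourceRanges", []) and any(
        allowed_opens_port(e, port) for e in rule.get("allowed", []))


def exposes_port_updated(rule: dict, port: int) -> bool:
    """Updated RQL: skip disabled rules and treat ::/0 the same as 0.0.0.0/0."""
    if rule.get("disabled", False):
        return False
    sources = rule.get("sourceRanges", [])
    if ANY_V4 not in sources and ANY_V6 not in sources:
        return False
    return any(allowed_opens_port(e, port) for e in rule.get("allowed", []))


def exposed_rules(rules: list, port: int, check) -> list:
    """Names of rules the given check reports for the given port."""
    return [r["name"] for r in rules if check(r, port)]


# Constructed sample rules.
SAMPLE_RULES = [
    {"name": "fw-dns-open", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "fw-dns-disabled", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},        # disabled: no longer reported
    {"name": "fw-dns-v6", "disabled": False, "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["50-60"]}]},     # IPv6 any-source, range covers 53
    {"name": "fw-tcp-all", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}]},                         # no ports: every tcp port
    {"name": "fw-dns-private", "disabled": False, "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},        # not internet-exposed
]

if __name__ == "__main__":
    for port in (53, 21):
        print(f"port {port} previous:", exposed_rules(SAMPLE_RULES, port, exposes_port_previous))
        print(f"port {port} updated: ", exposed_rules(SAMPLE_RULES, port, exposes_port_updated))
```

The check is parameterized by port, so the same functions serve the DNS and FTP policies; the difference between the previous and updated results on the samples is exactly the two changes described above (the disabled rule drops out, the ::/0 rule is picked up).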
GCP storage bucket is not configured with default Event-Based Hold
Changes—The recommendation steps are updated to be compliant with the latest UI updates on Google Cloud Platform.
Impact—No impact on alerts as the change includes only metadata modifications.
OCI IAM policy with full administrative privileges across the tenancy to non Administrator
Update—The policy is updated to map to OCI CIS v1.0.0 and v1.1.0 requirement 1.2.
Impact—The compliance score will change.
Policy Deletions
AWS entities with risky permissions
This policy is being deprecated and we are adding policies that identify write permissions for different services on AWS that are risky.
Impact—All existing alerts related to this policy will be removed. To activate all the new policies, verify your global policy defaults for automatically enabling policies based on severity by selecting Settings > Enterprise Settings > Auto enable default policies of the type.
AWS SNS subscription is not configured with HTTPS
The policy has been deleted due to a high volume of SNS subscriptions and its impact on Time to Ingest (TTI). Support for aws-sns-get-subscription-attribute will be discontinued, and the compliance standards referred to by this policy are also deleted.
Impact—Alerts generated for these policies will be resolved as Policy_Deleted.
New IAM Policies
Learn about the new IAM out-of-the-box (OOTB) policies.
AWS EC2 instance with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks in your AWS account by ensuring that the AWS EC2 instances provisioned in your account don't have a risky set of write permissions.
AWS Lambda Function with IAM write access level
Identifies IAM write permissions that are defined as risky permissions in your AWS account. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions.
Elasticbeanstalk Platform with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions associated with it.
ECS Task Definition with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions associated with it.
Okta User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the Okta users in your AWS account don't have a risky set of write permissions associated with it.
IAM User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don't have a risky set of write permissions associated with it.
AWS EC2 instance with IAM permissions management access level
Identifies IAM permissions management access that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions associated with it.
AWS Lambda Function with IAM permissions management access level
Identifies IAM permissions management access that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions associated with it.
Elasticbeanstalk Platform with IAM permissions management access level
Identifies IAM permissions management access that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions associated with them.
ECS Task Definition with IAM permissions management access level
Identifies IAM permissions management access that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions associated with them.
Okta User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the Okta Users in your AWS account don't have a risky set of write permissions.
IAM User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don't have a risky set of write permissions.
AWS EC2 instance with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions.
AWS Lambda Function with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions.
Elasticbeanstalk Platform with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions.
ECS Task Definition with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions.
Okta User with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the Okta Users in your AWS account don't have a risky set of write permissions.
IAM User with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don't have a risky set of write permissions.
AWS Lambda Layer Version that is publicly accessible through IAM policies
Identifies the AWS Lambda Layer Version resources which are publicly accessible through IAM policies. This policy prevents the exposure of sensitive data by ensuring that the AWS Lambda Layer Version resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS ECR Repository that is publicly accessible through IAM policies
Identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Lambda Function that is publicly accessible through IAM policies
Identifies the AWS Lambda Function resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Lambda Function resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS S3 bucket that is publicly accessible through IAM policies
Identifies the AWS S3 bucket resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS S3 bucket resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS SQS Queue that is publicly accessible through IAM policies
Identifies the AWS SQS Queue resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SQS Queue resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS SNS Topic that is publicly accessible through IAM policies
Identifies the AWS SNS Topic resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SNS Topic resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Secret Manager Secret that is publicly accessible through IAM policies
Identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS KMS Key that is publicly accessible through IAM policies
Identifies the AWS KMS Key resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS KMS Key resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS EC2 with IAM wildcard resource access
Identifies AWS EC2 instances with the AWS resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Lambda Function with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy flags those asterisks only where using an asterisk is not mandatory; this ensures that the AWS policies don't have an asterisk in the resource section of the policy statement.
AWS Elasticbeanstalk Platform with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy flags those asterisks only where using an asterisk is not mandatory; this ensures that the AWS policies don't have an asterisk in the resource section of the policy statement.
AWS ECS Task Definition with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy flags those asterisks only where using an asterisk is not mandatory; this ensures that the AWS policies don't have an asterisk in the resource section of the policy statement.
Okta User with IAM wildcard resource access
Identifies Okta Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy flags those apostrophes only where using an apostrophe is not mandatory; this ensures that the AWS policies don't have an apostrophe in the resource section of the policy statement.
IAM User with IAM wildcard resource access
Identifies IAM Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy flags those apostrophes only where using an apostrophe is not mandatory; this ensures that the AWS policies don't have an apostrophe in the resource section of the policy statement.
Azure AD user with effective permissions to create AWS IAM users
Identifies Azure AD users that can create an AWS IAM user, as this can lead to a backdoor in the cloud environment. This policy ensures that Azure AD users have least-privilege access by granting only the permissions required to perform a task, instead of providing excessive permissions.
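As an added example (not code from Prisma Cloud or from this page), the following Python checks a policy document for the two conditions the policies above describe: an Allow statement whose resource section is an asterisk where the action did not require it, and a resource policy statement that any principal can use with no Condition narrowing it. The policy JSON, the account id and the short set of actions that only accept Resource "*" are constructed for the example.

```python
import json
# Constructed sample policies (not from the Prisma Cloud page) exercising both checks.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateUser"], "Resource": "*"}
  ]
}""")
RESOURCE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
    {"Sid": "Scoped", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}
  ]
}""")

# Actions that support no resource-level permissions, so Resource "*" is mandatory
# for them (a short constructed subset; the real list is much longer).
WILDCARD_ONLY_ACTIONS = {"ec2:DescribeInstances", "s3:ListAllMyBuckets", "iam:ListUsers"}

def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]

def wildcard_resource_statements(policy):
    """Allow statements with Resource "*" where at least one action did not require it."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if any(a not in WILDCARD_ONLY_ACTIONS for a in _as_list(stmt.get("Action", []))):
            hits.append(stmt)
    return hits

def is_public_principal(principal):
    """True when the Principal is "*" or {"AWS": "*"}, i.e. any AWS identity or anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def public_statements(policy):
    """Allow statements open to any principal and not narrowed by a Condition block."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]
```

Only the iam:PassRole/iam:CreateUser statement is reported as a wildcard resource, because ec2:DescribeInstances cannot be scoped below "*"; only the "Open" SQS statement is reported as public.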

New Compliance Benchmarks and Updates

See the look ahead updates for planned features and policy updates for 22.1.2.
COMPLIANCE BENCHMARK
DESCRIPTION
NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF
The AWS CloudFormation stack configured without SNS topic policy has been removed from the NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF compliance benchmarks because it was incorrectly mapped.
Impact—The compliance score will change.
CIS Azure v1.4.0
Prisma Cloud provides compliance support for CIS Microsoft Azure Foundations Benchmark v1.4.0. The CIS Azure v1.4.0 has 9 sections with 115 requirements and Prisma Cloud supports 86 requirements across all sections.

REST API Updates

CHANGE
DESCRIPTION
Length Limit for Some User Profile API Request Body Parameters
A 300-character limit now applies to request parameters for user and account service names. This limit affects the request body parameters for the User Profile API endpoints shown below. The affected request body parameters are listed after each endpoint:
  • PUT /user/me
    • firstName
    • lastName
  • POST /v3/user
    • firstName
    • lastName
    • username
  • PUT /v3/user
    • firstName
    • lastName
    • username
  • POST /v2/user
    • firstName
    • lastName
  • PUT /v2/user
    • firstName
    • lastName
New Integration and Notification Template API Endpoints
New Integration API endpoints are available to replace the endpoints that have been deprecated for all integrations except Okta, Qualys, and Tenable.
New Notification Template API endpoints are also available to replace some of the deprecated Notification Template endpoints.
Response Property for Some Resource and Search API Endpoints Removed
The property ResourceMetaModel.hasAlert has been removed. This property no longer appears in the response objects for the following requests:
  • POST /resource
  • POST /search/config
  • POST /search/config/page
Resource Discovery Timestamp Available Through Search API Endpoints
A new property, ResourceMetaModel.createTs, identifies the timestamp when Prisma Cloud first discovered a given resource. This property is available in the response objects for the following requests:
  • POST /search/config
  • POST /search/config/page
