Features Introduced in July 2022

Learn what's new on Prisma™ Cloud in July 2022.

New Features

Feature
Description
Runtime Security Plans
Prisma Cloud Enterprise Edition now offers two new Runtime Security plans—Runtime Security Foundations and Runtime Security Advanced. These plans offer select Prisma Cloud modules and capabilities, and are metered by virtual machines (VMs). You can add other modules, not included in these plans, using Prisma Cloud credits.
Refer to the Enterprise Edition Pricing Guide or contact your Palo Alto Networks Account Manager or Sales Representative for more information on the Runtime Security plans.
Licensing Updates
The Licensing page is updated for a better view of your license information and credit usage.
The License Consumption details table has a new tabular format that displays the average credit usage for run-time assets and build-time assets that you are monitoring with Prisma Cloud. The build-time view displays usage information only if you have activated the Code Security subscription.
The License Information section now displays two new fields—Active Plan and Active Plan Start Date—to reflect the availability of the new Runtime Security plans within Prisma Cloud Enterprise Edition. As an existing Enterprise Edition customer, your default Active Plan is the Standard plan.
IAM Graph View
Applies only if you have activated the IAM Security subscription on Prisma Cloud
IAM graph view helps you visualize the relationships between the source, granter, and destination so that you can answer questions such as who has access to your resource and how that access was granted.
This view enables you to review the permissions and fix any excessive access privileges. The interactive graph view also enables you to update the relationships using the visualization, and the corresponding RQL is updated automatically.
Support for GCP on IAM Security
Applies only if you have activated the IAM Security subscription on Prisma Cloud
IAM Security on Prisma Cloud now supports enhanced capabilities to calculate effective permissions, detect overly permissive access, and suggest corrections to reach the least privilege entitlements in your GCP environments. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment in GCP.
After you use the cloud account onboarding Terraform template to onboard your GCP cloud account on Prisma Cloud and activate the IAM Security subscription, complete the instructions in Grant permissions for Ingesting Google Workspace Groups.
Top Alerts View by MITRE ATT&CK Tactics
You can now quickly identify the most critical issues that you need to address by leveraging the MITRE ATT&CK framework in the Top Incidents and Risks widget on the Alerts Overview. Prisma Cloud detects cloud risks (a misconfiguration with potential future impact) and incidents (an undesirable event that has happened) in real time and automatically maps every alert to the appropriate MITRE ATT&CK Tactic. Toggle View by MITRE ATT&CK to prioritize your incident response based on tactics instead of the default view of alerts listed with policy names.
Cloud Account Onboarding Templates—Permission Updates
To enable additional capabilities for the Features Introduced in Compute—July 2022, the following additional permissions are added to the onboarding templates on Prisma Cloud.
AWS
The following actions are added to the PrismaCloud-IAM-ReadOnly-Policy:
  • apprunner:DescribeAutoScalingConfiguration
  • apprunner:ListAutoScalingConfigurations
  • apprunner:ListTagsForResource
  • apprunner:ListServices
  • apprunner:DescribeCustomDomains
  • apprunner:DescribeService
The following statement is added to the PrismaCloud-Remediation-Compute-Policy-AgentlessScanning:
{
    "Sid": "PCCAgentlessServiceLinkedRole",
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "spot.amazonaws.com"
        }
    }
}
For AWS GovCloud, the FedRamp templates do not include these additional permissions.
Azure
Monitor and Protect mode Terraform template:
  • "Microsoft.ContainerRegistry/registries/listCredentials/action"
Monitor mode Terraform templates:
  • "Microsoft.ContainerRegistry/registries/listCredentials/action"
  • "Microsoft.Web/sites/functions/action"
  • "Microsoft.ContainerInstance/containerGroups/containers/exec/action"
GCP
Artifact Registry Scanning permissions are added to both the Monitor mode, and Monitor and Protect mode Terraform templates.
The compute_role_permissions_org role has these additional actions:
  • "iam.serviceAccounts.list"
  • "compute.instances.setLabels"
  • "compute.snapshots.create"
  • "compute.snapshots.delete"
  • "compute.snapshots.setLabels"
Change in Existing Behavior
Last Access Results
IAM Security
The number of results for last access destinations, which show when a permission was actually used, is limited to 100 when you use the RQL config from iam where action.lastaccess.days. Due to the high volume of data associated with this query, only the latest 100 results for a permission are displayed on the Investigate page.
Change in Existing Behavior
Multi-region Support for CryptoKeys, KMS, and Storage Collector
Prisma Cloud enables multi-region support for the CryptoKeys asset, KMS asset, and Storage Collector on GCP. Also, the resources for gcloud-kms-keyring-list are ingested according to their actual values instead of hexadecimal values. For example, if gcloud-kms-keyring-list has a resource 6da26df4be06b9c68fea2f2ff83c9cb5, it is ingested as projects/ingestion-qa-manual-2/locations/us-central1/keyRings/bhb-key-2.
Due to this, all the resources for gcloud-kms-keyring-list are deleted once, and then regenerated on the management console.
The existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-kms-keyring-list start ingesting data again.
Change in Existing Behavior
Region Support for Google App Engine
Prisma Cloud enables region support for gcloud-app-engine-application.
Due to this, all the resources for gcloud-app-engine-application are deleted once, and then regenerated on the management console.
Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-app-engine-application start ingesting data again.
Change in Existing Behavior
Update Custom Policies RQL to Include Crypto Keys Metadata from the New API
This change was part of the 22.7.1 Hotfix release.
If you have created custom policies that use the gcloud-kms-keyring-list API in RQL to include Crypto Keys metadata, you must perform the following steps to ensure the accuracy of alerts:
  1. Clone the affected custom policy to create a new custom policy.
  2. Update the RQL of the cloned custom policy to use the new gcloud-kms-crypto-keys-list API in place of the existing gcloud-kms-keyring-list API.
  3. Add the new custom policy with the updated RQL to the alert rule.
  4. Delete the original custom policy that was affected by the change.
If you had mapped the custom policy to any compliance standards on Prisma Cloud, this workflow ensures that the new policy is automatically mapped.
Impact—No impact on alerts.
If you need assistance with this workflow, contact your Palo Alto Networks Account Manager or Support Representative.
API Ingestions
Amazon AppRunner
aws-apprunner-auto-scaling-configuration
Additional permissions required:
  • apprunner:DescribeAutoScalingConfiguration
  • apprunner:ListAutoScalingConfigurations
  • apprunner:ListTagsForResource
Amazon AppRunner
aws-apprunner-service
Additional permissions required:
  • apprunner:ListServices
  • apprunner:DescribeCustomDomains
  • apprunner:DescribeService
  • apprunner:ListTagsForResource
Amazon IoT
aws-iot-account-audit-configuration
Additional permission required:
iot:DescribeAccountAuditConfiguration
The Security Audit role includes this permission.
Amazon IoT
aws-iot-domain-configuration
Additional permissions required:
  • iot:DescribeDomainConfiguration
  • iot:ListDomainConfigurations
  • iot:ListTagsForResource
The Security Audit role includes these permissions.
Azure Purview
azure-purview-default-account
Additional permissions required:
  • Microsoft.Purview/accounts/read
  • Microsoft.Purview/getDefaultAccount/read
  • Microsoft.Resources/subscriptions/read
The Reader role includes these permissions.
Azure Storage
azure-storage-account-blob-diagnostic-settings
Additional permissions required:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.
Azure Storage
azure-storage-account-file-diagnostic-settings
Additional permissions required:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.
Azure Storage
azure-storage-account-queue-diagnostic-settings
Additional permissions required:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/queueServices/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.
Azure Storage
azure-storage-account-table-diagnostic-settings
Additional permissions required:
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/tableServices/read
  • Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.
Google Traffic Director
gcloud-traffic-director-authorization-policy
Additional permissions required:
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.getIamPolicy
The Viewer role includes these permissions.
Google Traffic Director
gcloud-traffic-director-server-tls-policy
Additional permissions required:
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.getIamPolicy
The Viewer role includes these permissions.
Google Traffic Director
gcloud-traffic-director-client-tls-policy
Additional permissions required:
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.getIamPolicy
The Viewer role includes these permissions.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.8.1.
Policy Updates
Description
New Policy
AWS Secret Manager Automatic Key Rotation is not enabled
Identifies AWS Secrets Manager secrets that do not have automatic key rotation enabled. As a security best practice, rotate the keys periodically so that, if the keys are compromised, the data in the underlying service is still protected by the new keys.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false
AWS Classic Load Balancer not configured to span multiple Availability Zones
Identifies AWS Classic Load Balancers that are not configured to span multiple Availability Zones. Classic Load Balancer would not be able to redirect traffic to targets in another Availability Zone if the sole configured Availability Zone becomes unavailable. As a best practice, it is recommended to configure Classic Load Balancer to span multiple Availability Zones.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elb-describe-load-balancers' AND json.rule = description.availabilityZones[*] size less than 2
AWS ECR Repository not configured with a lifecycle policy
Identifies AWS ECR repositories that are not configured with a lifecycle policy. Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. This helps to automate the cleanup of unused images and the expiration of images based on age or count. As a best practice, it is recommended to configure ECR repositories with a lifecycle policy, which helps to avoid unintentionally using outdated images in your repository.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecr-get-repository-policy' AND json.rule = lifecyclePolicy does not exist
AWS Kinesis Firehose with Direct PUT as source has SSE encryption disabled
Identifies Amazon Kinesis Firehose with Direct PUT as source which has Server-side encryption (SSE) encryption disabled. Enabling Server Side Encryption allows you to meet strict regulatory requirements and enhance the security of your data at rest. As a best practice, enable SSE for the Amazon Kinesis Firehose.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-kinesis-firehose-delivery-stream' AND json.rule = deliveryStreamEncryptionConfiguration exists and deliveryStreamEncryptionConfiguration.status equals DISABLED
AWS OpenSearch attached security group overly permissive to all traffic
Identifies security groups attached to AWS OpenSearch domains that are overly permissive to all traffic. Security groups enforce IP-based access policies for OpenSearch. As a best practice, restrict traffic solely to known static IP addresses or CIDR ranges.
config from cloud.resource where api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = vpcoptions.securityGroupIds[*] exists as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*].cidrIp equals 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 equals ::/0) as Y; filter '$.X.vpcoptions.securityGroupIds[*] contains $.Y.groupId'; show Y;
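The RQL above joins two APIs: domains with VPC security groups (X) and non-shared security groups open to 0.0.0.0/0 or ::/0 (Y). The following added example (not Prisma Cloud code) re-implements that join in plain Python over constructed describe-elasticsearch-domain and describe-security-groups output, so the matching logic can be inspected offline; the domain and group names are made up.

```python
"""Correlate OpenSearch domains with world-open security groups.

Re-implements the two-part RQL: X = domains whose vpcoptions.securityGroupIds
exists, Y = security groups with isShared false and a 0.0.0.0/0 or ::/0 rule,
joined on securityGroupIds containing groupId.
"""

# Constructed sample data in the shape of the two AWS API responses.
DOMAINS = [
    {"domainName": "search-prod",
     "vpcoptions": {"securityGroupIds": ["sg-open", "sg-tight"]}},
    {"domainName": "search-internal",
     "vpcoptions": {"securityGroupIds": ["sg-tight"]}},
    # No VPC options at all: the X side of the RQL does not select it.
    {"domainName": "search-public", "vpcoptions": {}},
]

SECURITY_GROUPS = [
    {"groupId": "sg-open", "isShared": False,
     "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                        "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
                        "ipv6Ranges": []}]},
    {"groupId": "sg-tight", "isShared": False,
     "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                        "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}],
                        "ipv6Ranges": []}]},
    # Shared group: excluded by "isShared is false" even though it is open.
    {"groupId": "sg-shared-open", "isShared": True,
     "ipPermissions": [{"ipProtocol": "-1", "ipv4Ranges": [],
                        "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
]


def is_world_open(sg):
    """Y side: not shared and at least one rule open to 0.0.0.0/0 or ::/0."""
    if sg.get("isShared", False):
        return False
    for perm in sg.get("ipPermissions", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", [])):
            return True
    return False


def find_exposed(domains, groups):
    """Join: return (domainName, [open groupIds]) for every domain that
    references a world-open group. The RQL's "show Y" reports the group;
    pairing it with the domain makes the finding easier to triage."""
    open_ids = {sg["groupId"] for sg in groups if is_world_open(sg)}
    findings = []
    for domain in domains:
        sg_ids = domain.get("vpcoptions", {}).get("securityGroupIds", [])
        if not sg_ids:  # "securityGroupIds[*] exists" fails for this domain
            continue
        hits = sorted(open_ids.intersection(sg_ids))
        if hits:
            findings.append((domain["domainName"], hits))
    return findings


if __name__ == "__main__":
    for name, groups in find_exposed(DOMAINS, SECURITY_GROUPS):
        print(f"{name}: exposed via {', '.join(groups)}")
```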
AWS EKS cluster public endpoint access overly permissive to all traffic
Identifies EKS clusters that have an overly permissive public endpoint accessible to all traffic. When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as kubectl). By default, this API server endpoint accepts all connections from the public internet, and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).
Allowing all traffic to the EKS cluster may cause a bad actor to brute force their way into the system and potentially get access to the entire network. As a best practice, restrict traffic solely from known static IP addresses. Limit the access list to include known hosts, services, or specific employees only.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' AND json.rule = resourcesVpcConfig.endpointPublicAccess is true and resourcesVpcConfig.publicAccessCidrs contains "0.0.0.0/0"
AWS OpenSearch node-to-node encryption is disabled
Identifies AWS OpenSearch domains for which node-to-node encryption is disabled. Each OpenSearch domain resides within a dedicated VPC. By default, traffic within the VPC is unencrypted. Enabling node-to-node encryption provides an additional security layer by using TLS encryption for all communications between Amazon OpenSearch Service instances in a cluster.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = processing is false and (nodeToNodeEncryptionOptions.enabled is false or nodeToNodeEncryptionOptions.enabled does not exist)
Azure Automation account variables are not encrypted
Identifies Automation accounts variables that are not encrypted. Variable assets are values that are available to all runbooks and DSC configurations in your Automation account. When a variable is created, you can specify that it be stored encrypted. Azure Automation stores each encrypted variable securely. It is recommended to enable encryption of Automation account variable assets when storing sensitive data.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = variable[?any(properties.isEncrypted is false)] exists
Azure Data Factory (V2) is not configured with managed identity
Identifies Data Factories (V2) that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation; managed identities also eliminate the need for developers to manage credentials. As a security best practice, it is recommended to configure a managed identity for your Data Factory.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-data-factory-v2' AND json.rule = properties.provisioningState equal ignore case Succeeded and identity does not exist or identity.type equal ignore case "None"
Azure Data Factory (V2) configured with overly permissive network access
Identifies Data Factories (V2) configured with overly permissive network access. A Data Factory managed virtual network together with managed private endpoints protects against data exfiltration. It is recommended to configure the Data Factory with a private endpoint so that it is accessible only to restricted entities.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-data-factory-v2' AND json.rule = properties.provisioningState equal ignore case Succeeded and properties.publicNetworkAccess equal ignore case Enabled
Azure PostgreSQL database flexible server configured with overly permissive network access
Identifies Azure PostgreSQL database flexible servers that are configured with overly permissive network access. It is highly recommended to create a PostgreSQL database flexible server with private access, which secures access to the server via VNet integration. If you use public access with a firewall rule instead, restrict it further to only a set of IPv4 addresses or IPv4 address ranges.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-flexible-server' AND json.rule = properties.state equal ignore case Ready and properties.network.publicNetworkAccess equal ignore case Enabled and firewallRules[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Azure Automation account is not configured with managed identity
Identifies Automation accounts that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation; managed identities also eliminate the need for developers to manage credentials. As a security best practice, it is recommended to configure a managed identity for your Automation account.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = identity does not exist or identity.type equal ignore case "None"
Azure Automation account configured with overly permissive network access
Identifies Automation accounts configured with overly permissive network access. It is recommended to configure the Automation account with private endpoints so that the Automation account is accessible only to restricted entities.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = properties.publicNetworkAccess does not exist or properties.publicNetworkAccess is true
Azure Virtual network not protected by DDoS Protection Standard
Identifies Virtual networks not protected by DDoS Protection Standard. Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns exhausting an application's resources, making the application unavailable to legitimate users. Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-vnet-list' AND json.rule = ['properties.provisioningState'] equals Succeeded and (['properties.ddosProtectionPlan'].['id'] does not exist or ['properties.enableDdosProtection'] is false)
Azure PostgreSQL database server deny public network access setting is not set
Identifies Azure PostgreSQL database servers for which the Deny public network access setting is not set. When 'Deny public network access' is set to Yes, only private endpoint connections are allowed to access the resource. It is highly recommended to set Deny public network access to Yes, which allows the PostgreSQL database server to be accessed only through private endpoints.
This feature is available in all Azure regions where Azure Database for PostgreSQL - Single server supports General Purpose and Memory Optimized pricing tiers.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.userVisibleState equal ignore case Ready and sku.tier does not equal ignore case Basic and properties.publicNetworkAccess equal ignore case Enabled
This change was part of the 22.7.1 Hotfix release.
GCP KMS Symmetric key not rotating in every 90 days
Identifies GCP KMS Symmetric keys that are not rotating every 90 days. A key is used to protect some corpus of data. A collection of files could be encrypted with the same key and people with decrypt permissions on that key would be able to decrypt those files. It's recommended to make sure the 'rotation period' is set to a specific time to ensure data cannot be accessed through the old key.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-kms-crypto-keys-list' AND json.rule = purpose equal ignore case "ENCRYPT_DECRYPT" and primary.state equals "ENABLED" and (rotationPeriod does not exist or rotationPeriod greater than 7776000)
See also Policy Deletion to learn about the old policy. If you have custom policies that include Crypto Keys metadata in the RQL, see Change in Existing Behavior.
Policy Deletion
This change was part of the 22.7.1 Hotfix release.
GCP KMS encryption key not rotating in every 90 days
This policy is being replaced with a new policy, GCP KMS Symmetric key not rotating in every 90 days, because the gcloud-kms-keyring-list API in its RQL is no longer able to assess the Crypto Keys metadata.
The gcloud-kms-crypto-keys-list API in the replacement policy will be able to assess the Crypto Keys metadata to improve the accuracy of alerts.
Impact—Previously generated alerts for GCP KMS encryption key not rotating in every 90 days will be resolved as Policy_Deleted.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in July 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for CIS Google Cloud Platform Foundation Benchmark v1.3.0
The CIS Benchmarks provide a foundation for establishing a strong security posture. The CIS Benchmarks are a set of recommendations and best practices to provide your organization with a baseline of configurations and policies to protect your applications, infrastructure, and data.
The Center for Internet Security (CIS) has released version 1.3.0 of Google Cloud Platform Foundation Benchmarks. The update adds 21 new benchmarks covering best practices for securing Google Cloud environments. The updates are broad in scope, with recommendations covering configurations and policies ranging from resource segregation to Compute and Storage.
Support for CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0
The Center for Internet Security (CIS) has released version 1.2.0 of Oracle Cloud Infrastructure Foundation Benchmarks.
CIS Oracle Cloud Infrastructure Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for the Oracle Cloud Infrastructure environment. The scope of this benchmark is to establish a base level of security for anyone utilizing the Oracle Cloud Infrastructure services.

REST API Updates

No REST API updates for 22.7.2

New Features

Feature
Description
GA
Cloud Asset Inventory (CAI) Support
Prisma Cloud has adopted Google's Cloud Asset Inventory (CAI) service for a few GCP services. The CAI service reduces the number of API calls to GCP and helps speed the time to report on assets on Prisma Cloud. CAI is enabled by default on Prisma Cloud.
The following GCP services/APIs have CAI support on Prisma Cloud:
  • KMS (Get IAM policy, List Keyrings & Cryptokeys)
  • Pub-Sub (Get IAM policy)
  • Dataproc (Get IAM policy)
  • Cloud Function (Get IAM policy)
  • Cloud Run (Get IAM policy)
  • BigQuery (Get IAM policy, List BigQuery Datasets & Tables)
  • Compute Instance (GET IAM policy)
Change in Crypto Key Ingestions when CAI is Enabled
There is a change with the ingestion of Crypto Keys metadata in Google Cloud KMS when CAI is enabled.
The gcloud-kms-keyring-list API no longer includes the Crypto Keys metadata. This metadata is now available as a part of the gcloud-kms-crypto-keys-list API.
Impact—All the resources that were ingested as a part of the gcloud-kms-keyring-list API will no longer include the Crypto Keys metadata, and all existing alerts associated with this API are resolved as Resource_Updated.
IAM Security Checks in Adoption Advisor
The Adoption Advisor is enhanced to include Identity and Access Management (IAM) checks. After you activate the IAM Security subscription, these checks provide governance and visibility into the entitlements—various permissions and policies— across your cloud resources.
Anomaly Trusted List Support for IP-based Protocols
When creating a trusted list for anomaly policies, you can now suppress anomaly alerts depending on IP-based protocols.
From Settings > Anomalies > Anomaly Settings, you can create a trusted list where you can add one or more IP-based protocol entries. You can choose the following anomaly policy types to apply to the trusted list:
  • unusual protocol activity (Internal)
  • unusual protocol activity (External)
After adding a protocol to this trusted list, subsequent anomalous activity detected on the protocol will no longer trigger an unusual protocol activity alert.
Update in JSON Metadata for Google Cloud Resource Manager
Earlier, all the project resources for a gcloud-organization-project-info API were stored under a single json.
Now, all the project resources for the gcloud-organization-project-info API are stored as separate json resources. For example, if your organization has ten GCP projects, those projects are stored as ten different resources in json instead of a single resource.
There are no changes to the permissions of this API.
Impact—The existing alerts for these resources are resolved as Resource_Deleted.
Prisma Cloud Data Security—Support for Large File Size
Prisma Cloud now supports data classification scanning of .csv, .json, and .txt files of up to 2.5GB file size.
API Ingestions
Amazon AppStream 2.0
aws-app-stream-fleet
Additional permissions required:
  • appstream:DescribeImages
  • appstream:DescribeFleets
  • appstream:ListTagsForResource
Amazon AppStream 2.0
aws-app-stream-stack
Additional permissions required:
  • appstream:DescribeStacks
  • appstream:ListTagsForResource
Amazon AppStream 2.0
aws-app-stream-usage-report-subscription
Additional permission required:
appstream:DescribeUsageReportSubscriptions
Azure Purview
azure-purview-account
Additional permissions required:
  • Microsoft.Purview/accounts/read
  • Microsoft.Purview/getDefaultAccount/read
  • Microsoft.Purview/accounts/privateEndpointConnections/read
The Reader role includes these permissions.
Azure Purview
azure-purview-privatelinkresource
Additional permission required:
Microsoft.Purview/accounts/privatelinkresources/read
The Reader role includes the permission.
Google Artifact Registry
gcloud-artifact-registry-repository
Additional permissions required:
  • artifactregistry.locations.list
  • artifactregistry.repositories.list
  • artifactregistry.repositories.getIamPolicy
The Viewer role includes these permissions.
Google Compute Engine
gcloud-compute-instances-list
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Cloud Function
gcloud-cloud-function
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Cloud Run
gcloud-cloud-run-services-list
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Datastore
gcloud-datastore-index
Additional permission required:
datastore.indexes.list
The Viewer role includes the permission.
Google Dataproc Clusters
gcloud-dataproc-clusters-list
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Pubsub
gcloud-pubsub-subscription
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Pubsub
gcloud-pubsub-topic
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Pubsub
gcloud-pubsub-snapshot
Additional permission required:
cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.
Google Vertex AI
gcloud-vertex-ai-notebook-environment
Additional permissions required:
  • notebooks.locations.list
  • notebooks.environments.list
The Viewer role includes these permissions.
Only Zonal Resources are supported.
OCI Containers And Artifacts
oci-containers-artifacts-containerimages
Additional permissions required:
  • inspect repos
  • read repos
You must add the permissions manually.
OCI Certificate
oci-certificate-certificateauthorities
Additional permissions required:
  • inspect certificate-authorities
  • read certificate-authorities
You must add the permissions manually.
OCI Functions
oci-functions
Additional permissions required:
  • inspect fn-function
  • read fn-function
You must add the permissions manually.
OCI Web Application Firewall
oci-waf-waasaddresslist
Additional permissions required:
  • inspect waas-address-list
  • read waas-address-list
You must add the permissions manually.
Update
API Ingestion—Amazon Route53
The following API is updated with additional attributes: domain details and domain tags.
Amazon Route53
aws-route53-domain
Additional permissions required:
  • route53domains:ListDomains
  • route53domains:ListTagsForDomain
  • route53domains:GetDomainDetail
The Security Audit role includes these permissions.
Impact—No impact on alerts.
Update
API Ingestion—Google BigQuery
Google BigQuery
All the existing permissions are replaced with the following new permissions to ingest the gcloud-bigquery-dataset-list and gcloud-bigquery-table APIs:
  • cloudasset.assets.searchAllResources
  • cloudasset.assets.searchAllIamPolicies
The Cloud Asset Viewer role includes these permissions.
Impact—Without these permissions, the datasets and tables will not be ingested, and all existing alerts associated with these APIs will be resolved as Resource_Updated.
Update
API Ingestion—Google Cloud KMS
Google Cloud KMS
All the existing permissions are replaced with the following new permissions to ingest the
gcloud-kms-keyring-list
and
gcloud-kms-crypto-keys-list
APIs:
  • cloudasset.assets.searchAllResources
  • cloudasset.assets.searchAllIamPolicies
The Cloud Asset Viewer role includes these permissions.
Impact
—Without these permissions, key rings and crypto keys will not be ingested, and all existing alerts associated with this API will be resolved as
Resource_Updated
.
Update
API Ingestion—Google Data Catalog
  • The
    gcloud-data-catalog-entry-group
    API now includes support for Multi-Region Resources in Asia, EU, and US.
  • The
    gcloud-data-catalog-taxonomy
    API now includes support for Multi-Region Resources in EU and US.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.7.2.
Policy Updates
Description
New Policy
AWS S3 bucket policy does not enforce HTTPS request only
Identifies AWS S3 buckets whose bucket policy does not enforce HTTPS-only requests. Enforcing HTTPS-only requests on an S3 bucket prevents attackers from eavesdropping on data in transit or manipulating network traffic with man-in-the-middle or similar attacks. It is highly recommended to explicitly deny HTTP requests in the S3 bucket policy.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = policy.Statement[?any(Effect equals Deny and Action equals s3:* and (Principal.AWS equals * or Principal equals *) and Condition.Bool.aws:SecureTransport contains false )] does not exist
AWS S3 bucket access control lists (ACLs) in use
Identifies AWS S3 buckets that use access control lists (ACLs). ACLs are a legacy way to control access to S3 buckets. It is recommended to disable bucket ACLs and instead use IAM policies or S3 bucket policies to manage access to your S3 buckets.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ownershipControls.rules[*] does not contain BucketOwnerEnforced
AWS Lambda function managed ENI reachable from any untrust internet source
Identifies network interfaces attached to Lambda functions that are exposed to inbound traffic from any untrusted internet source. Lambda functions exposed to the internet are prone to external security threats. It is highly recommended to restrict network interfaces attached to Lambda functions to known hosts or services only.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.type = 'Lambda'
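The HTTPS-only check described above, as an added example that is not Prisma Cloud code: it evaluates S3 bucket policy documents for the same Deny statement the RQL matches (Effect Deny, Action s3:*, Principal * or Principal.AWS *, Condition Bool aws:SecureTransport false), handling the string-or-list and string-or-bool forms a real policy can take. The bucket policies are constructed samples.

```python
"""Check S3 bucket policies for the HTTPS-only deny statement the new policy looks for.
Added example, not Prisma Cloud code; the bucket policies below are constructed."""

def _as_list(value):
    # Action, Principal.AWS and Statement may each be a single value or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    # Matches both `"Principal": "*"` and `"Principal": {"AWS": "*"}`.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _secure_transport_false(condition):
    # Condition.Bool.aws:SecureTransport may be the string "false" or a JSON bool.
    value = (condition or {}).get("Bool", {}).get("aws:SecureTransport")
    return str(value).lower() == "false"

def enforces_https_only(policy_document):
    """True when a statement denies s3:* to every principal over plain HTTP,
    mirroring the RQL: Effect Deny, Action s3:*, Principal *, SecureTransport false."""
    for stmt in _as_list(policy_document.get("Statement")):
        if (stmt.get("Effect") == "Deny"
                and "s3:*" in _as_list(stmt.get("Action"))
                and _principal_is_everyone(stmt.get("Principal"))
                and _secure_transport_false(stmt.get("Condition"))):
            return True
    return False

def buckets_missing_https_enforcement(bucket_policies):
    """Bucket names that would trigger the policy; a bucket with no policy also fails."""
    return sorted(name for name, doc in bucket_policies.items()
                  if doc is None or not enforces_https_only(doc))

# Constructed sample inventory: one compliant bucket, one allow-only policy, one unset.
SAMPLE_POLICIES = {
    "logs-bucket": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": ["arn:aws:s3:::logs-bucket", "arn:aws:s3:::logs-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "public-site": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::public-site/*"}]},
    "no-policy": None,
}
```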
Policy Updates-Metadata
Nepture logging is not enabled
Changes
—The policy name has been updated to correct a typo.
Current Name
—Nepture logging is not enabled
Updated Name
—Neptune logging is not enabled
Impact
—No impact on alerts.
Policy Updates-RQL
SQL Server Firewall rules allow access to any Azure internal resources
Changes
—The policy name, description, and recommendations have been updated according to the latest vendor UI settings. The policy RQL has been updated to include an extra check that verifies whether public network access (PublicNetwork) is enabled, which increases the accuracy of results.
Current Name
—SQL Server Firewall rules allow access to any Azure internal resources
Updated Name
—Azure SQL Server allow access to any Azure internal resources
Updated Description
—Identifies SQL Servers that are configured to allow access from any Azure internal resource. A firewall rule with both start IP and end IP set to ‘0.0.0.0’ grants access from the entire Azure internal network. When this setting is enabled, the SQL server accepts connections from all Azure resources, including resources in other subscriptions. It is recommended to use firewall rules or VNET rules to allow access only from specific network ranges or virtual networks.
Current RQL
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = "$.firewallRules.[*] size > 0 and $.firewallRules.[*].endIpAddress contains 0.0.0.0 and $.firewallRules.[*].startIpAddress contains 0.0.0.0"
Updated RQL
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.publicNetworkAccess'] equal ignore case Enabled and firewallRules[?any(startIpAddress equals "0.0.0.0" and endIpAddress equals "0.0.0.0")] exists
Impact
—Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.
Azure PostgreSQL Database Server 'Allow access to Azure services' enabled
Changes
—The policy RQL has been updated to include an extra check that verifies whether public network access (PublicNetwork) is enabled, which increases the accuracy of results.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[*].properties.startIpAddress equals 0.0.0.0 and firewallRules.value[].properties.endIpAddress equals 0.0.0.0
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.publicNetworkAccess equal ignore case Enabled and firewallRules.value[*].properties.startIpAddress equals "0.0.0.0" and firewallRules.value[*].properties.endIpAddress equals "0.0.0.0"
Impact
—Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.
Azure SQL Servers Firewall rule allow access to all IPV4 address
Changes
—The policy recommendation has been updated as per the latest vendor UI settings. The policy RQL has been updated to include an extra check that verifies whether public network access (PublicNetwork) is enabled, which increases the accuracy of results.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = firewallRules[?any(startIpAddress equals 0.0.0.0 and endIpAddress equals 255.255.255.255)] exists
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.publicNetworkAccess'] equal ignore case Enabled and firewallRules[?any(startIpAddress equals "0.0.0.0" and endIpAddress equals "255.255.255.255")] exists
Impact
—Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.
Azure Cosmos DB allows traffic from public Azure datacenters
Changes
—The policy RQL has been updated to enhance its accuracy.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter contains 0.0.0.0
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter startsWith 0.0.0.0 or properties.ipRangeFilter endsWith 0.0.0.0
Impact
—Low. Previously generated alerts for partial matches of 0.0.0.0 will be resolved as 'Policy_Updated'.
Azure Microsoft Defender for Cloud security contact additional email is not set
Changes
—The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty'
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.email is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact
—Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
Azure Microsoft Defender for Cloud security alert email notifications is not set
Changes
—The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertNotifications equals Off'
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.email is empty and alertNotifications equal ignore case Off)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact
—Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
Azure PostgreSQL Database Server Firewall rule allow access to all IPV4 address
Changes
—The policy RQL has been updated to include an extra check that verifies whether public network access (PublicNetwork) is enabled, which increases the accuracy of results.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.publicNetworkAccess equal ignore case Enabled and firewallRules.value[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Impact
—Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.
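The public-network gate that the four Azure SQL Server and PostgreSQL policy updates above add, as an added example that is not Prisma Cloud code: it evaluates the 0.0.0.0-0.0.0.0 ("allow Azure services") and 0.0.0.0-255.255.255.255 (all IPv4) firewall ranges both the old way and the updated way, so the servers whose alerts are resolved as 'Policy_Updated' fall out directly. The record shape follows the field paths the Azure SQL Server RQL references and is an assumption; the PostgreSQL variant differs only in reading properties.publicNetworkAccess and firewallRules.value[*].properties.

```python
"""Evaluate Azure SQL server firewall rules the way the updated RQL does: the
firewall range only counts as a finding when public network access is enabled.
Added example, not Prisma Cloud code; the records below are constructed to
follow the field paths the RQL uses and are an assumption about its data shape."""

ALLOW_AZURE_SERVICES = ("0.0.0.0", "0.0.0.0")      # the "Allow Azure services" rule
ALL_IPV4 = ("0.0.0.0", "255.255.255.255")          # every IPv4 address

def _rule_ranges(server):
    # Each firewall rule carries startIpAddress/endIpAddress, as in the RQL.
    return {(r.get("startIpAddress"), r.get("endIpAddress"))
            for r in server.get("firewallRules", [])}

def _public_network_enabled(server):
    # Mirrors ['sqlServer'].['properties.publicNetworkAccess'] equal ignore case Enabled.
    value = server.get("sqlServer", {}).get("properties.publicNetworkAccess", "")
    return value.lower() == "enabled"

def legacy_findings(server):
    """Pre-update logic: firewall ranges alone, with no public-network gate."""
    ranges = _rule_ranges(server)
    found = set()
    if ALLOW_AZURE_SERVICES in ranges:
        found.add("allows_azure_internal")
    if ALL_IPV4 in ranges:
        found.add("allows_all_ipv4")
    return found

def updated_findings(server):
    """Updated logic: the same range checks, applied only when the server is publicly reachable."""
    return legacy_findings(server) if _public_network_enabled(server) else set()

def resolved_by_update(servers):
    """Servers whose legacy alert would now be resolved as Policy_Updated."""
    return sorted(s["name"] for s in servers
                  if legacy_findings(s) and not updated_findings(s))

# Constructed sample inventory.
SERVERS = [
    {"name": "sql-prod", "sqlServer": {"properties.publicNetworkAccess": "Enabled"},
     "firewallRules": [{"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}]},
    {"name": "sql-private", "sqlServer": {"properties.publicNetworkAccess": "Disabled"},
     "firewallRules": [{"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
                       {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]},
    {"name": "sql-office", "sqlServer": {"properties.publicNetworkAccess": "Enabled"},
     "firewallRules": [{"startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}]},
]
```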
AWS IAM Groups with administrator access permissions
Changes
—The policy RQL has been updated to fix false positive alerts when the
contains
operator is used for matching.
Current RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-groups' as X; config from cloud.resource where api.name = 'aws-iam-get-policy-version' as Y; filter "($.X.inlinePolicies[*].policyDocument.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal *) or ($.X.attachedPolicies[*].policyArn contains $.Y.policyArn and $.Y.document.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal *)"; show X;
Updated RQL
config from cloud.resource where api.name = 'aws-iam-list-groups' as X; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any(Effect equals Allow and Action equals * and Resource equals * )] exists as Y; filter "($.X.inlinePolicies[*].policyDocument.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal * ) or ($.X.attachedPolicies[*].policyArn intersects $.Y.policyArn)"; show X;
Impact
—Low. Previously generated false-positive alerts for AWS IAM group resources will be resolved as 'Policy_Updated'.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for PCI DSS v4.0
Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies, and enable innovative methods to combat new threats.
Support for PCI DSS v4.0 is available on Alibaba, AWS, Azure, GCP, and OCI.
Support for Federal Financial Institutions Examination Council (FFIEC)
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the U.S. government made up of several financial regulatory agencies that is responsible for establishing consistent guidelines, uniform practices, and principles for financial institutions.
The FFIEC publishes guidelines for IT management, cybersecurity, and protection of consumer financial data.
Failure to comply with FFIEC guidelines can result in fines and penalties for federally-supervised financial institutions.
Support for FFIEC is available on Alibaba, AWS, Azure, GCP, and OCI.
Support for CIS CSC v7.1
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help your organization better defend against known attacks by refining key security concepts into actionable controls to achieve significant overall cybersecurity defense.
There are 20 CIS controls in v7.1. CIS separates these controls into three categories as follows:
  • basic controls
  • foundational controls
  • organizational controls
You can use the CIS Controls to quickly establish protections through cybersecurity actions that eliminate the most common attacks.
Support for CIS CSC v7.1 is available on Alibaba, AWS, Azure, GCP, and OCI.
Support for CIS CSC v8
In version 8, CIS redesigned the controls to define them better and simplify the guidelines. There are 18 CIS controls in v8. Compared with the v7 CIS Controls, the v8 guidelines are reordered and grouped by cybersecurity activity.
You can now use these controls to help your organization better apply the principles of the security controls or to transition any tools or processes that were built around version 7.1.
Support for CIS CSC v8 is available on Alibaba, AWS, Azure, GCP, and OCI.

REST API Updates

CHANGE
DESCRIPTION
New API Endpoints for AWS S3 Flow Logs
New API endpoints are available for onboarding AWS S3 Flow Logs for organization and standalone accounts on all supported stacks, as follows:
  • GET /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3
    Fetches AWS S3 Flow Log feature details of the monitored account.
  • PATCH /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3
    Saves AWS S3 Flow Log feature details of the monitored account.
  • POST /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3/status
    Checks AWS S3 Flow Log status of the monitored account.
