Focus

Prisma™ Cloud Release Notes

Features Introduced in June 2022

Table of Contents

Features Introduced in June 2022

Edit on GitHub

Learn what’s new on Prisma™ Cloud in June 2022.

New Features Introduced in 22.6.3

New Features Introduced in 22.6.2

New Features Introduced in 22.6.1

New Features Introduced in 22.6.3

New Features

New Policies and Policy Updates

REST API Updates

New Features

Feature	Description
API Ingestions	Amazon Connect aws-connect-instance Additional permissions required: connect:ListInstances connect:ListInstanceStorageConfigs
	Amazon EventBridge aws-events-rule Additional permissions required: events:ListRules events:ListTargetsByRule events:ListTagsForResource The Security Audit role includes these permissions.
	Amazon Pinpoint aws-pinpoint-email-channel Additional permissions required: mobiletargeting:GetEmailChannel mobiletargeting:GetApps
	Amazon Pinpoint aws-pinpoint-sms-channel Additional permissions required: mobiletargeting:GetSmsChannel mobiletargeting:GetApps
	Azure Synapse Analytics azure-synapse-privatelinkhub-privatelinkresource Additional permission required: Microsoft.Synapse/privateLinkHubs/privateLinkResources/read The Reader role includes this permission.
	Azure Synapse Analytics azure-synapse-privatelinkhub Additional permission required: Microsoft.Synapse/privateLinkHubs/read The Reader role includes this permission.
	Azure Synapse Analytics azure-synapse-privatelinkresource Additional permissions required: Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/privateLinkResources/read The Reader role includes these permissions.
	Google Cloud IAM gcloud-iam-organization-deny-policy Additional permissions required: iam.denypolicies.get iam.denypolicies.list The Viewer role includes these permissions.
	Google Cloud IAM gcloud-iam-project-deny-policy Additional permissions required: iam.denypolicies.get iam.denypolicies.list The Viewer role includes these permissions.
	Google Security Command Center gcloud-security-command-center-organization-setting Additional permission required: securitycenter.organizationsettings.get The Viewer role includes this permission.
	Google Security Command Center gcloud-security-command-center-organization-notification-config Additional permission required: securitycenter.notificationconfig.list The Viewer role includes this permission.
	Google Security Command Center gcloud-security-command-center-organization-mute-config Additional permission required: securitycenter.muteconfigs.list The Viewer role includes this permission.
	OCI Web Application Firewall oci-waf-networkaddresslist Additional permissions required: inspect waf-network-address-list read waf-network-address-list You must add the permissions manually.
	OCI Web Application Firewall oci-waf-waaspolicy Additional permissions required: inspect waas-policy read waas-policy You must add the permissions manually.
`Update` Google Compute Engine API	Google Compute Engine gcloud-ssl-certificate This API will be updated to remove the following fields in the resource JSON: certificate selfManaged.certificate
Decommission of redlock.io Domain `This change was first announced in the look ahead that was published with the 22.5.2 release.`	The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July, 2019. Due to this, the redirect from redlock.io to prismacloud.io is removed and no longer supported. The redlock.io domain is decommissioned.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.7.1

Policy Updates	Description
New Policy	AWS Lambda execution role having overly permissive inline policy Identifies AWS Lambda Function execution role having overly permissive inline policy embedded. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[].policyDocument.Statement[?any(Effect equals Allow and (Action equals "" or Action contains :* or Action[] contains :) and (Resource equals "" or Resource[] anyStartWith "*"))] exists as Y; filter '$.X.role equals $.Y.role.arn'; show Y;
	AWS IAM policy attached to AWS Lambda execution role is overly permissive Identifies Lambda Functions execution role having overly permissive IAM policy attached to it. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' as Y; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals "" or Action contains : or Action[] contains :) and (Resource equals "" or Resource[] anyStartWith "") and Condition does not exist)] exists as Z; filter '$.X.role equals $.Y.role.arn and $.Y.attachedPolicies[].policyName equals $.Z.policyName'; show Z;
	Azure Microsoft Defender for Cloud set to Off for DNS Identifies Azure Microsoft Defender for Cloud which has defender setting for DNS set to Off. Enabling Azure Defender provides advanced security capabilities like providing threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Defender for DNS monitors the queries and detects suspicious activities without the need for any additional agents on your resources. It is highly recommended to enable Azure Defender for DNS. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Dns and properties.pricingTier does not equal Standard)] exists
	AWS DocumentDB Cluster is not enabled with data encryption in transit Identifies Amazon DocumentDB Clusters for which data encryption in transit is disabled. Each DocumentDB Cluster is associated with a Cluster Parameter Group. It is highly recommended to implement in-transit encryption in order to protect data from unauthorized access as it travels through the network, between clients and the cluster. config from cloud.resource where api.name = 'aws-docdb-db-cluster-parameter-group' AND json.rule = parameters.tls.ParameterValue equals "disabled" as X; config from cloud.resource where api.name = 'aws-docdb-db-cluster' AND json.rule = Status equals available as Y; filter '$.X.DBClusterParameterGroupName equals $.Y.DBClusterParameterGroup'; show Y;
	GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites Identifies GCP SSL Load Balancers that permit SSL policies with weak cipher suites. GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features: TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "$.X.sslPolicy does not exist or ($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'\|\|@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
	GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites Identifies GCP HTTPS Load Balancers that permit SSL policies with weak cipher suites. GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features: TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'\|\|@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
Policy Updates-Metadata	Azure Security Center system updates monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center system updates monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud system updates monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring is set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines. Impact— No impact on alerts.
	Azure Security Center disk encryption monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center disk encryption monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy. Impact— No impact on alerts.
	Azure Security Center adaptive application controls monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center adaptive application controls monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs. Impact— No impact on alerts.
	Azure Security Center endpoint protection monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center endpoint protection monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint Protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed. Impact— No impact on alerts.
	Azure Security Center security configurations monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center security configurations monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system like firewall rules, password and audit policies are reviewed. Recommendations are made for setting the right level of security controls. Impact— No impact on alerts.
	Azure Security Center JIT network access monitoring is set to disabled Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name— Azure Security Center JIT network access monitoring is set to disabled Updated Name— Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access will enhance the protection of VMs by creating a Just in Time VM. The JIT VM with NSG rule will restrict the availability of access to the ports to connect to the VM for a pre-set time and only after checking the Role Based Access Control permissions of the user. This feature will control the brute force attacks on the VMs. Impact— No impact on alerts.
Policy Updates-RQL	Azure Microsoft Defender for Cloud email notification for subscription owner is not set Changes— The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check for email setting. Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[].properties.email is empty or securityContacts[].properties.alertsToAdmins equals Off' Updated RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[].properties.email is empty or securityContacts[].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists Impact— Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
	Azure Security Center contact phone number not set Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only defender enabled subscriptions. Current Name— Azure Security Center contact phone number not set Updated Name— Azure Microsoft Defender for Cloud security contact phone number is not set Updated Description— Identifies Subscriptions that are not set with security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources. Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists' Updated RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists Impact— Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
	GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower Changes— The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policy with profile type 'RESTRICTED'. Current RQL— config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y; Updated RQL— config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'\|\|@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y; Impact— Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'.

REST API Updates

CHANGE	DESCRIPTION
Removal of Update Access Key API Endpoint	The following endpoint has been removed: PUT /access_keys/{id}

New Features Introduced in 22.6.2

New Features

New Policies and Policy Updates

REST API Updates

New Features

Feature	Description
`Change in Existing Behavior` Alert Count on Policy Violations `This change was first announced in the look ahead that was published with the 22.5.2 release.`	Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was only counted in the high category although it was also violating medium and low severity policies. In this method of counting alerts, when you view the total count of failed checks it adds up to the sum of all low, medium, and high severity failures. The above method of counting alerts is modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert will now be counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed on several places on the Prisma Cloud management console such as on the Compliance Overview , Asset Inventory (Inventory > Assets), and Alerts Overview . This change in how Prisma Cloud count assets that failed policy checks will not be updated for any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on Compliance Reports is a snapshot of the previous counting method for reports generated earlier. The count for failed checks in these reports will not match the data in the Compliance Overview page when you filter for the time period for which the report was generated.
Skips API Ingestion when Cloud Billing on GCP is Disabled	When the Cloud Asset Inventory (CAI) service is enabled and if Cloud Billing is disabled for a project by default, Prisma Cloud skips the ingestion of GCP APIs. This is true when the project is onboarded as a standalone or a child project of an organization, but not for a master service account (MSA). Impact— If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.
`Change in Existing Behavior` Resolution of Undeletes for Google Cloud Resources `This change was announced in the look ahead that was published with the 22.6.1 release.`	All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated , and new alerts will be generated against policy violations. Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start ingesting data again.
Prisma Cloud Data Security Download and Scan Files up to 100MB for Malware	The file size for malware scanning is now increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.
Prisma Cloud Data Security Support for Big Data File Types	Prisma Cloud supports the following file types for data profile and data patterns: .avro .ORC .parquet The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.
API Ingestions	Amazon Managed Workflows for Apache Airflow aws-mwaa-environment Additional permissions required: airflow:GetEnvironment airflow:ListEnvironments
	AWS Systems Manager aws-ssm-association Additional permissions required: ssm:ListAssociations ssm:DescribeAssociation The Security Audit role includes the permissions.
	Azure Batch Account azure-batch-account Additional permission required: Microsoft.Batch/batchAccounts/read The Reader role includes the permission.
	Azure Data Shares azure-data-shares-account Additional permission required: Microsoft.DataShare/accounts/read The Reader role includes the permission.
	Azure Red Hat OpenShift azure-redhat-openshift-cluster Additional permission required: Microsoft.RedHatOpenShift/openShiftClusters/read The Reader role includes the permission.
	Google Cloud Run Revision gcloud-cloud-run-revisions-list No new permissions, the Project Viewer role includes the required permissions.
	Google Data Catalog gcloud-data-catalog-taxonomy Additional permissions required: datacatalog.taxonomies.list datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.get The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
	Google Data Catalog gcloud-data-catalog-entry-group Additional permissions required: datacatalog.entryGroups.list datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.get The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
	Google Security Command Center gcloud-security-command-center-organization-source Additional permissions required: securitycenter.sources.list securitycenter.sources.getIamPolicy The Viewer role includes the permissions.
	OCI Compute oci-compute-vnics Additional permissions required: inspect vnic-attachments inspect vnics You must add the permissions manually.
	OCI Compute oci-compute-vnicattachments Additional permission required: inspect vnic-attachments You must add the permission manually.
	OCI Networking oci-networking-dns-tsigkeys Additional permissions required: inspect dns-tsig-keys read dns-tsig-keys You must add the permissions manually.
`Update` API Ingestion—Amazon VPC Attribute	The following API is updated with a new attribute authorizationRules which contains the authorization rules for Client VPN endpoint. aws-ec2-client-vpn-endpoint Additional permissions required: ec2:DescribeClientVpnEndpoints ec2:DescribeClientVpnAuthorizationRules The Security Audit role includes the permissions. Impact— No impact on alerts.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.6.3.

Policy Updates	Description
New Policy	AWS Lambda Function resource-based policy is overly permissive Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. cconfig from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "" and Condition does not exist and (Action equals "" or Action equals lambda:*))] exists
	Azure MySQL database flexible server SSL enforcement is disabled Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
	Azure MySQL database flexible server using insecure TLS version Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
Policy Updates-Metadata	AWS Lambda function communicating with ports known to mine Monero Changes— The policy description is updated for typos and the cloud is changed from ANY to AWS. Updated Description— This policy identifies AWS Lambda function which is communicating with ports known to mine Monero.AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only. Impact— No impact on alerts.
Policy Updates—RQL	AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled Changes— The policy RQL has been updated to check for valid ACM certificate and added remediation support. Additional permission required to remediate the alert: acm:UpdateCertificateOptions Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)' Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1' Remediation CLI— aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED Impact— Low. Alerts will get resolved for expired or ACM certificates which does not have status as ISSUED .
	AWS Customer Master Key (CMK) rotation is not enabled Changes— The policy RQL has been updated to check only for KMS symmetric keys. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)' Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT Impact— Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.
	AWS Network Load Balancer (NLB) is not using the latest predefined security policy Changes— The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”. Updated Description— This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
	AWS RDS Instance with copy tags to snapshots disabled Changes— The policy RQL has been updated to ignore RDS Instance with Neptune Engine. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
	Azure Application Gateway allows TLSv1.1 or lower Changes— The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated. Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)" Updated RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1)) Impact— Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
	GCP Firewall rule allows all traffic on Microsoft-DS port (445) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MongoDB port (27017) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on Oracle DB port (1521) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MySQL DB port (3306) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SMTP port (25) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on PostgreSQL port (5432) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on NetBIOS-SSN port (139) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on DNS port (53) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on FTP port (21) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SSH port (22) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on RDP port (3389) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on POP3 port (110) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall with Inbound rule overly permissive to All Traffic Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[].IPProtocol equals all' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(IPProtocol equals "all")] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows inbound traffic from anywhere with no specific target set Changes— The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Impact—* Low impact on existing alerts.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

REST API Updates

No REST API updates for 22.6.2.

New Features Introduced in 22.6.1

New Features

New Policies and Policy Updates

New Compliance Benchmarks and Updates

REST API Updates

New Features

FEATURE	DESCRIPTION
API Ingestions	AWS IAM aws-iam-oidc-provider Additional permissions required: iam:ListOpenIDConnectProviders iam:GetOpenIDConnectProvider
	AWS Lambda aws-lambda-code-signing-config Additional permission required: lambda:ListCodeSigningConfigs
	AWS Lambda aws-lambda-list-functions Additional permission required: lambda:GetFunctionUrlConfig
	AWS Route53 Resolver aws-route53resolver-query-logging-config-association Additional permission required: route53resolver:ListResolverQueryLogConfigAssociations
	AWS Route53 Resolver aws-route53resolver-query-logging-config Additional permissions required: route53resolver:ListResolverQueryLogConfigs route53resolver:ListTagsForResource
	Azure HPC Cache azure-hpc-cache Additional permissions required: Microsoft.StorageCache/caches/read Microsoft.StorageCache/Subscription/caches/read
	Azure Media Service azure-media-service-account Additional permission required: Microsoft.Media/mediaservices/read
	Azure Service Fabric azure-service-fabric-cluster Additional permission required: Microsoft.ServiceFabric/clusters/read
	Azure Virtual Network azure-network-effective-nsg Additional permission required: Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
	Azure Virtual Network azure-network-effective-route-table Additional permission required: Microsoft.Network/networkInterfaces/effectiveRouteTable/action The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
	Google Certificate Authority Service gcloud-certificate-authority-revocation-lists Additional permissions required: privateca.certificateRevocationLists.list privateca.certificateRevocationLists.getIamPolicy
	Google Compute Engine gcloud-compute-backend-bucket Additional permission required: compute.backendBuckets.list
	Google Compute Engine gcloud-compute-external-backend-service Additional permission required: compute.backendServices.list
	OCI Big Data Service oci-bigdataservice-instances Additional permissions required: inspect bds-instances read bds-instances
	OCI Data Integration oci-dataintegration-workspaces Additional permissions required: inspect dis-workspaces read dis-workspaces
	OCI Data Science oci-datascience-projects Additional permissions required: inspect data-science-projects read data-science-projects
`Update` Support for Azure Virtual Network API Ingestions	To support ingestion for these Azure Virtual Network APIs: azure-network-effective-nsg azure-network-effective-route-table The Azure onboarding Terraform templates now include granular permissions for: Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action Microsoft.Network/networkInterfaces/effectiveRouteTable/action The Network Contributor role in Azure includes these two permissions, and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
Permissions in the Azure Terraform Template	The Azure Terraform template in Monitor and Monitor & Protect modes, used for onboarding Azure Subscriptions and Azure Tenant with Management Groups on Prisma Cloud includes the following permission: Microsoft.ContainerRegistry/registries/listCredentials/action This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities on Code Security.
`Change in Existing Behavior` Support for Google Cloud API Ingestions	When you onboard using granular permission, you must provide additional permissions for the following GCP APIs: Google PubSub gcloud-pubsub-subscription Additional permission required: pubsub.subscriptions.get gcloud-pubsub-topic Additional permission required: pubsub.topics.get Google Dataproc Clusters gcloud-dataproc-clusters-list Additional permission required: dataproc.clusters.get These permissions are part of the predefined Viewer role and are automatically included if they are using that primitive role.

New Policies and Policy Updates

No new policies or policy updates for 22.6.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK	DESCRIPTION
Support for Australian Energy Sector Cyber Security Framework (AESCSF)	The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian Energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture. The framework involves the analysis of two aspects: Criticality assessment Cyber security capability and maturity self-assessment
Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)	The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). ISM outlines a cyber security framework that you can apply by using the risk management framework to protect information and systems from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
Support for Australian Cyber Security Centre (ACSC) Essential Eight	The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the recommended ACSC’s Strategies to Mitigate Cyber Security Incidents: The essential eight security controls are: Application Control — to control the execution of unauthorized software Configure Macros — to block untrusted macros Patch Application — to remediate known security vulnerabilities Application Hardening — to protect against vulnerable functionality Restrict Admin Permissions — to limit powerful access to systems Patch Operating Systems — to remediate known security vulnerabilities Multi-Factor Authentication — to protect against risk activities Daily Backups — to maintain the availability of critical data
`Update` New Zealand Information Security Manual (NZISM v3.4)	Prisma Cloud has extended the compliance support for other cloud accounts including Azure, Alibaba, GCP, OCI, along with AWS.

REST API Updates

No REST API updates for 22.6.1.

Features Introduced in July 2022

Features Introduced in May 2022

Policy Updates	Description
New Policy	AWS Lambda Function resource-based policy is overly permissive Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. cconfig from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "" and Condition does not exist and (Action equals "" or Action equals lambda:*))] exists
	Azure MySQL database flexible server SSL enforcement is disabled Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
	Azure MySQL database flexible server using insecure TLS version Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
Policy Updates-Metadata	AWS Lambda function communicating with ports known to mine Monero Changes— The policy description is updated for typos and the cloud is changed from ANY to AWS. Updated Description— This policy identifies AWS Lambda function which is communicating with ports known to mine Monero.AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only. Impact— No impact on alerts.
Policy Updates—RQL	AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled Changes— The policy RQL has been updated to check for valid ACM certificate and added remediation support. Additional permission required to remediate the alert: acm:UpdateCertificateOptions Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)' Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1' Remediation CLI— aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED Impact— Low. Alerts will get resolved for expired or ACM certificates which does not have status as ISSUED .
	AWS Customer Master Key (CMK) rotation is not enabled Changes— The policy RQL has been updated to check only for KMS symmetric keys. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)' Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT Impact— Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.
	AWS Network Load Balancer (NLB) is not using the latest predefined security policy Changes— The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”. Updated Description— This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
	AWS RDS Instance with copy tags to snapshots disabled Changes— The policy RQL has been updated to ignore RDS Instance with Neptune Engine. Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
	Azure Application Gateway allows TLSv1.1 or lower Changes— The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated. Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)" Updated RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1)) Impact— Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
	GCP Firewall rule allows all traffic on Microsoft-DS port (445) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MongoDB port (27017) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on Oracle DB port (1521) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MySQL DB port (3306) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SMTP port (25) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on PostgreSQL port (5432) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on NetBIOS-SSN port (139) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows all traffic on DNS port (53) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on FTP port (21) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SSH port (22) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on RDP port (3389) Changes— The RQL for the policy is modified to include IPv6 checks. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact—* Low impact on existing alerts.
	GCP Firewall rule allows all traffic on POP3 port (110) Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall with Inbound rule overly permissive to All Traffic Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[].IPProtocol equals all' Updated RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(IPProtocol equals "all")] exists Updated CLI—* gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact— Low impact on existing alerts.
	GCP Firewall rule allows inbound traffic from anywhere with no specific target set Changes— The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes. Current RQL— config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Updated RQL—* config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Impact—* Low impact on existing alerts.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

Prisma™ Cloud Release Notes

Features Introduced in June 2022

Features Introduced in June 2022

New Features Introduced in 22.6.3

New Features

New Policies and Policy Updates

REST API Updates

New Features Introduced in 22.6.2

New Features

New Policies and Policy Updates

REST API Updates

New Features Introduced in 22.6.1

New Features

New Policies and Policy Updates

New Compliance Benchmarks and Updates

REST API Updates

Recommended For You