Features Introduced in June 2022

Learn what's new on Prisma™ Cloud in June 2022.

New Features Introduced in 22.6.2

New Features Introduced in 22.6.1

New Features Introduced in 22.6.2

New Features

New Policies and Policy Updates

REST API Updates

New Features

Feature	Description
`Change in Existing Behavior` Alert Count on Policy Violations `This change was first announced in the look ahead that was published with the 22.5.2 release.`	Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was only counted in the high category although it was also violating medium and low severity policies. In this method of counting alerts, when you view the total count of failed checks it adds up to the sum of all low, medium, and high severity failures. The above method of counting alerts is modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert will now be counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed on several places on the Prisma Cloud management console such as on the Compliance Overview , Asset Inventory (Inventory > Assets), and Alerts Overview . This change in how Prisma Cloud count assets that failed policy checks will not be updated for any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on Compliance Reports is a snapshot of the previous counting method for reports generated earlier. The count for failed checks in these reports will not match the data in the Compliance Overview page when you filter for the time period for which the report was generated.
Skips API Ingestion when Cloud Billing on GCP is Disabled	When the Cloud Asset Inventory (CAI) service is enabled and if Cloud Billing is disabled for a project by default, Prisma Cloud skips the ingestion of GCP APIs. This is true when the project is onboarded as a standalone or a child project of an organization, but not for a master service account (MSA). Impact —If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.
`Change in Existing Behavior` Resolution of Undeletes for Google Cloud Resources `This change was announced in the look ahead that was published with the 22.6.1 release.`	All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated , and new alerts will be generated against policy violations. Impact —You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start ingesting data again.
Prisma Cloud Data Security Download and Scan Files up to 100MB for Malware	The file size for malware scanning is now increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.
Prisma Cloud Data Security Support for Big Data File Types	Prisma Cloud supports the following file types for data profile and data patterns: .avro .ORC .parquet The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.
API Ingestions	Amazon Managed Workflows for Apache Airflow aws-mwaa-environment Additional permissions required: airflow:GetEnvironment airflow:ListEnvironments
	AWS Systems Manager aws-ssm-association Additional permissions required: ssm:ListAssociations ssm:DescribeAssociation The Security Audit role includes the permissions.
	Azure Batch Account azure-batch-account Additional permission required: Microsoft.Batch/batchAccounts/read The Reader role includes the permission.
	Azure Data Shares azure-data-shares-account Additional permission required: Microsoft.DataShare/accounts/read The Reader role includes the permission.
	Azure Red Hat OpenShift azure-redhat-openshift-cluster Additional permission required: Microsoft.RedHatOpenShift/openShiftClusters/read The Reader role includes the permission.
	Google Cloud Run Revision gcloud-cloud-run-revisions-list No new permissions, the Project Viewer role includes the required permissions.
	Google Data Catalog gcloud-data-catalog-taxonomy Additional permissions required: datacatalog.taxonomies.list datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.get The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
	Google Data Catalog gcloud-data-catalog-entry-group Additional permissions required: datacatalog.entryGroups.list datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.get The Viewer role includes the permissions. Multi-region resources are not supported for Asia, EU, and US.
	Google Security Command Center gcloud-security-command-center-organization-source Additional permissions required: securitycenter.sources.list securitycenter.sources.getIamPolicy The Viewer role includes the permissions.
	OCI Compute oci-compute-vnics Additional permissions required: inspect vnic-attachments inspect vnics You must add the permissions manually.
	OCI Compute oci-compute-vnicattachments Additional permission required: inspect vnic-attachments You must add the permission manually.
	OCI Networking oci-networking-dns-tsigkeys Additional permissions required: inspect dns-tsig-keys read dns-tsig-keys You must add the permissions manually.
`Update` API Ingestion—Amazon VPC Attribute	The following API is updated with a new attribute authorizationRules which contains the authorization rules for Client VPN endpoint. aws-ec2-client-vpn-endpoint Additional permissions required: ec2:DescribeClientVpnEndpoints ec2:DescribeClientVpnAuthorizationRules The Security Audit role includes the permissions. Impact — No impact on alerts.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.6.3.

Policy Updates	Description
New Policy	AWS Lambda Function resource-based policy is overly permissive Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. cconfig from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "" and Condition does not exist and (Action equals "" or Action equals lambda:*))] exists
	Azure MySQL database flexible server SSL enforcement is disabled Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
	Azure MySQL database flexible server using insecure TLS version Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
Policy Updates-Metadata	AWS Lambda function communicating with ports known to mine Monero Changes —The policy description is updated for typos and the cloud is changed from ANY to AWS. Updated Description —This policy identifies AWS Lambda function which is communicating with ports known to mine Monero.AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only. Impact —No impact on alerts.
Policy Updates—RQL	AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled Changes —The policy RQL has been updated to check for valid ACM certificate and added remediation support. Additional permission required to remediate the alert: acm:UpdateCertificateOptions Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)' Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1' Remediation CLI — aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED Impact —Low. Alerts will get resolved for expired or ACM certificates which does not have status as ISSUED .
	AWS Customer Master Key (CMK) rotation is not enabled Changes —The policy RQL has been updated to check only for KMS symmetric keys. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)' Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT Impact —Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.
	AWS Network Load Balancer (NLB) is not using the latest predefined security policy Changes —The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”. Updated Description —This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists Impact —Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
	AWS RDS Instance with copy tags to snapshots disabled Changes —The policy RQL has been updated to ignore RDS Instance with Neptune Engine. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune Impact —Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
	Azure Application Gateway allows TLSv1.1 or lower Changes —The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated. Current RQL — config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)" Updated RQL — config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1)) Impact Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
	GCP Firewall rule allows all traffic on Microsoft-DS port (445) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MongoDB port (27017) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on Oracle DB port (1521) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MySQL DB port (3306) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SMTP port (25) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on PostgreSQL port (5432) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on NetBIOS-SSN port (139) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on DNS port (53) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on FTP port (21) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SSH port (22) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on RDP port (3389) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on POP3 port (110) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall with Inbound rule overly permissive to All Traffic Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[].IPProtocol equals all' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(IPProtocol equals "all")] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows inbound traffic from anywhere with no specific target set Changes —The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Impact* —Low impact on existing alerts.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

REST API Updates

No REST API updates for 22.6.2.

New Features Introduced in 22.6.1

New Features

New Policies and Policy Updates

New Compliance Benchmarks and Updates

REST API Updates

New Features

FEATURE	DESCRIPTION
API Ingestions	AWS IAM aws-iam-oidc-provider Additional permissions required: iam:ListOpenIDConnectProviders iam:GetOpenIDConnectProvider
	AWS Lambda aws-lambda-code-signing-config Additional permission required: lambda:ListCodeSigningConfigs
	AWS Lambda aws-lambda-list-functions Additional permission required: lambda:GetFunctionUrlConfig
	AWS Route53 Resolver aws-route53resolver-query-logging-config-association Additional permission required: route53resolver:ListResolverQueryLogConfigAssociations
	AWS Route53 Resolver aws-route53resolver-query-logging-config Additional permissions required: route53resolver:ListResolverQueryLogConfigs route53resolver:ListTagsForResource
	Azure HPC Cache azure-hpc-cache Additional permissions required: Microsoft.StorageCache/caches/read Microsoft.StorageCache/Subscription/caches/read
	Azure Media Service azure-media-service-account Additional permission required: Microsoft.Media/mediaservices/read
	Azure Service Fabric azure-service-fabric-cluster Additional permission required: Microsoft.ServiceFabric/clusters/read
	Azure Virtual Network azure-network-effective-nsg Additional permission required: Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
	Azure Virtual Network azure-network-effective-route-table Additional permission required: Microsoft.Network/networkInterfaces/effectiveRouteTable/action The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
	Google Certificate Authority Service gcloud-certificate-authority-revocation-lists Additional permissions required: privateca.certificateRevocationLists.list privateca.certificateRevocationLists.getIamPolicy
	Google Compute Engine gcloud-compute-backend-bucket Additional permission required: compute.backendBuckets.list
	Google Compute Engine gcloud-compute-external-backend-service Additional permission required: compute.backendServices.list
	OCI Big Data Service oci-bigdataservice-instances Additional permissions required: inspect bds-instances read bds-instances
	OCI Data Integration oci-dataintegration-workspaces Additional permissions required: inspect dis-workspaces read dis-workspaces
	OCI Data Science oci-datascience-projects Additional permissions required: inspect data-science-projects read data-science-projects
`Update` Support for Azure Virtual Network API Ingestions	To support ingestion for these Azure Virtual Network APIs: azure-network-effective-nsg azure-network-effective-route-table The Azure onboarding Terraform templates now include granular permissions for: Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action Microsoft.Network/networkInterfaces/effectiveRouteTable/action The Network Contributor role in Azure includes these two permissions, and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
Permissions in the Azure Terraform Template	The Azure Terraform template in Monitor and Monitor & Protect modes, used for onboarding Azure Subscriptions and Azure Tenant with Management Groups on Prisma Cloud includes the following permission: Microsoft.ContainerRegistry/registries/listCredentials/action This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities on Code Security.
`Change in Existing Behavior` Support for Google Cloud API Ingestions	When you onboard using granular permission, you must provide additional permissions for the following GCP APIs: Google PubSub gcloud-pubsub-subscription Additional permission required: pubsub.subscriptions.get gcloud-pubsub-topic Additional permission required: pubsub.topics.get Google Dataproc Clusters gcloud-dataproc-clusters-list Additional permission required: dataproc.clusters.get These permissions are part of the predefined Viewer role and are automatically included if they are using that primitive role.

New Policies and Policy Updates

No new policies or policy updates for 22.6.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK	DESCRIPTION
Support for Australian Energy Sector Cyber Security Framework (AESCSF)	The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian Energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture. The framework involves the analysis of two aspects: Criticality assessment Cyber security capability and maturity self-assessment
Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)	The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). ISM outlines a cyber security framework that you can apply by using the risk management framework to protect information and systems from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
Support for Australian Cyber Security Centre (ACSC) Essential Eight	The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the recommended ACSC’s Strategies to Mitigate Cyber Security Incidents: The essential eight security controls are: Application Control — to control the execution of unauthorized software Configure Macros — to block untrusted macros Patch Application — to remediate known security vulnerabilities Application Hardening — to protect against vulnerable functionality Restrict Admin Permissions — to limit powerful access to systems Patch Operating Systems — to remediate known security vulnerabilities Multi-Factor Authentication — to protect against risk activities Daily Backups — to maintain the availability of critical data
`Update` New Zealand Information Security Manual (NZISM v3.4)	Prisma Cloud has extended the compliance support for other cloud accounts including Azure, Alibaba, GCP, OCI, along with AWS.

REST API Updates

No REST API updates for 22.6.1.

Policy Updates	Description
New Policy	AWS Lambda Function resource-based policy is overly permissive Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access. cconfig from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "" and Condition does not exist and (Action equals "" or Action equals lambda:*))] exists
	Azure MySQL database flexible server SSL enforcement is disabled Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
	Azure MySQL database flexible server using insecure TLS version Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
Policy Updates-Metadata	AWS Lambda function communicating with ports known to mine Monero Changes —The policy description is updated for typos and the cloud is changed from ANY to AWS. Updated Description —This policy identifies AWS Lambda function which is communicating with ports known to mine Monero.AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only. Impact —No impact on alerts.
Policy Updates—RQL	AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled Changes —The policy RQL has been updated to check for valid ACM certificate and added remediation support. Additional permission required to remediate the alert: acm:UpdateCertificateOptions Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)' Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1' Remediation CLI — aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED Impact —Low. Alerts will get resolved for expired or ACM certificates which does not have status as ISSUED .
	AWS Customer Master Key (CMK) rotation is not enabled Changes —The policy RQL has been updated to check only for KMS symmetric keys. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)' Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT Impact —Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.
	AWS Network Load Balancer (NLB) is not using the latest predefined security policy Changes —The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”. Updated Description —This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists Impact —Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
	AWS RDS Instance with copy tags to snapshots disabled Changes —The policy RQL has been updated to ignore RDS Instance with Neptune Engine. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune Impact —Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
	Azure Application Gateway allows TLSv1.1 or lower Changes —The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated. Current RQL — config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)" Updated RQL — config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1)) Impact Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
	GCP Firewall rule allows all traffic on Microsoft-DS port (445) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MongoDB port (27017) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on Oracle DB port (1521) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on MySQL DB port (3306) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SMTP port (25) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on PostgreSQL port (5432) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on NetBIOS-SSN port (139) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on DNS port (53) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on FTP port (21) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on SSH port (22) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on RDP port (3389) Changes —The RQL for the policy is modified to include IPv6 checks. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Impact* —Low impact on existing alerts.
	GCP Firewall rule allows all traffic on POP3 port (110) Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall with Inbound rule overly permissive to All Traffic Changes —The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[].IPProtocol equals all' Updated RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(IPProtocol equals "all")] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on existing alerts.
	GCP Firewall rule allows inbound traffic from anywhere with no specific target set Changes —The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes. Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] contains 0.0.0.0/0 or sourceRanges[] contains ::/0) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and targetTags[] does not exist and targetServiceAccounts[] does not exist' Impact* —Low impact on existing alerts.
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

Document:Prisma™ Cloud Release Notes

Features Introduced in June 2022

Table of Contents

Features Introduced in June 2022

New Features Introduced in 22.6.2

New Features

New Policies and Policy Updates

REST API Updates

New Features Introduced in 22.6.1

New Features

New Policies and Policy Updates

New Compliance Benchmarks and Updates

REST API Updates

Recommended For You

Document:Prisma™ Cloud Release Notes

Features Introduced in June 2022

Table of Contents

Features Introduced in June 2022

New Features Introduced in 22.6.2

New Features

New Policies and Policy Updates

REST API Updates

New Features Introduced in 22.6.1

New Features

New Policies and Policy Updates

New Compliance Benchmarks and Updates

REST API Updates

Recommended For You

Recommended Videos