Features Introduced in June 2022

Learn what’s new on Prisma™ Cloud in June 2022.

New Features

Feature
Description
API Ingestions
Amazon Connect
aws-connect-instance
Additional permissions required:
  • connect:ListInstances
  • connect:ListInstanceStorageConfigs
Amazon EventBridge
aws-events-rule
Additional permissions required:
  • events:ListRules
  • events:ListTargetsByRule
  • events:ListTagsForResource
The Security Audit role includes these permissions.
Amazon Pinpoint
aws-pinpoint-email-channel
Additional permissions required:
  • mobiletargeting:GetEmailChannel
  • mobiletargeting:GetApps
Amazon Pinpoint
aws-pinpoint-sms-channel
Additional permissions required:
  • mobiletargeting:GetSmsChannel
  • mobiletargeting:GetApps
Azure Synapse Analytics
azure-synapse-privatelinkhub-privatelinkresource
Additional permission required:
Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
The Reader role includes this permission.
Azure Synapse Analytics
azure-synapse-privatelinkhub
Additional permission required:
Microsoft.Synapse/privateLinkHubs/read
The Reader role includes this permission.
Azure Synapse Analytics
azure-synapse-privatelinkresource
Additional permissions required:
  • Microsoft.Synapse/workspaces/read
  • Microsoft.Synapse/workspaces/privateLinkResources/read
The Reader role includes these permissions.
Google Cloud IAM
gcloud-iam-organization-deny-policy
Additional permissions required:
  • iam.denypolicies.get
  • iam.denypolicies.list
The Viewer role includes these permissions.
Google Cloud IAM
gcloud-iam-project-deny-policy
Additional permissions required:
  • iam.denypolicies.get
  • iam.denypolicies.list
The Viewer role includes these permissions.
Google Security Command Center
gcloud-security-command-center-organization-setting
Additional permission required:
securitycenter.organizationsettings.get
The Viewer role includes this permission.
Google Security Command Center
gcloud-security-command-center-organization-notification-config
Additional permission required:
securitycenter.notificationconfig.list
The Viewer role includes this permission.
Google Security Command Center
gcloud-security-command-center-organization-mute-config
Additional permission required:
securitycenter.muteconfigs.list
The Viewer role includes this permission.
OCI Web Application Firewall
oci-waf-networkaddresslist
Additional permissions required:
  • inspect waf-network-address-list
  • read waf-network-address-list
You must add the permissions manually.
OCI Web Application Firewall
oci-waf-waaspolicy
Additional permissions required:
  • inspect waas-policy
  • read waas-policy
You must add the permissions manually.
Update
Google Compute Engine API
Google Compute Engine
gcloud-ssl-certificate
This API will be updated to remove the following fields in the resource JSON:
  • certificate
  • selfManaged.certificate
Decommission of redlock.io Domain
This change was first announced in the look ahead that was published with the 22.5.2 release.
The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July 2019. Accordingly, the redirect from redlock.io to prismacloud.io has been removed and is no longer supported, and the redlock.io domain is decommissioned.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.7.1.
Policy Updates
Description
New Policy
AWS Lambda execution role having overly permissive inline policy
Identifies AWS Lambda function execution roles that have an overly permissive inline policy embedded. Lambda functions with overly permissive policies could lead to lateral movement in the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda functions from unauthorized access.
config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*"))] exists as Y; filter '$.X.role equals $.Y.role.arn'; show Y;
AWS IAM policy attached to AWS Lambda execution role is overly permissive
Identifies Lambda function execution roles that have an overly permissive IAM policy attached. Lambda functions with overly permissive policies could lead to lateral movement in the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda functions from unauthorized access.
config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' as Y; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*") and Condition does not exist)] exists as Z; filter '$.X.role equals $.Y.role.arn and $.Y.attachedPolicies[*].policyName equals $.Z.policyName'; show Z;
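As an added example that is not part of the release note or Prisma Cloud's own code, the following Python reproduces the two execution-role checks above offline: the inline-policy test, and the attached-policy variant with its extra "Condition does not exist" clause. It joins functions to roles on the role ARN exactly as the RQL filter does; the role ARNs, names and policy documents are constructed sample data.

```python
"""Offline re-implementation of the Lambda execution-role checks (added example).

Mirrors the RQL semantics: an Allow statement whose Action is "*" or contains
":*" (a service wildcard such as "s3:*") and whose Resource is "*" or starts
with "*". The attached-policy variant additionally requires no Condition block.
"""
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_overly_permissive(stmt: Dict[str, Any], require_no_condition: bool) -> bool:
    """Mirror the RQL predicate for one statement:
    Effect equals Allow
    and (Action equals "*" or Action contains :* or Action[*] contains :*)
    and (Resource equals "*" or Resource[*] anyStartWith "*")
    and, for the attached-policy variant only, Condition does not exist."""
    if stmt.get("Effect") != "Allow":
        return False
    if require_no_condition and "Condition" in stmt:
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    wild_action = any(a == "*" or ":*" in a for a in actions if isinstance(a, str))
    wild_resource = any(r.startswith("*") for r in resources if isinstance(r, str))
    return wild_action and wild_resource


def document_is_overly_permissive(doc: Dict[str, Any], require_no_condition: bool = False) -> bool:
    """True when any statement in the policy document matches."""
    return any(statement_is_overly_permissive(s, require_no_condition)
               for s in _as_list(doc.get("Statement")))


def lambda_roles_with_permissive_inline_policy(functions: List[Dict[str, Any]],
                                               roles: List[Dict[str, Any]]) -> List[str]:
    """Join functions to roles on the role ARN, as the RQL filter
    '$.X.role equals $.Y.role.arn' does, then test each inline policy."""
    execution_role_arns = {f["role"] for f in functions}
    flagged = []
    for role in roles:
        if role["role"]["arn"] not in execution_role_arns:
            continue  # not a Lambda execution role, so the policy ignores it
        for inline in role.get("inlinePolicies", []):
            if document_is_overly_permissive(inline["policyDocument"]):
                flagged.append(role["role"]["roleName"])
                break
    return flagged


# Constructed sample records shaped like the aws-lambda-list-functions and
# aws-iam-list-roles ingestions referenced by the RQL. Account id and names are made up.
SAMPLE_FUNCTIONS = [
    {"functionName": "img-resize", "role": "arn:aws:iam::111111111111:role/img-resize-role"},
    {"functionName": "etl-loader", "role": "arn:aws:iam::111111111111:role/etl-loader-role"},
]

SAMPLE_ROLES = [
    {   # service wildcard action on a wildcard resource: flagged
        "role": {"roleName": "img-resize-role",
                 "arn": "arn:aws:iam::111111111111:role/img-resize-role"},
        "inlinePolicies": [{"policyName": "allow-all-s3", "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}],
    },
    {   # least privilege: one action on one bucket prefix: not flagged
        "role": {"roleName": "etl-loader-role",
                 "arn": "arn:aws:iam::111111111111:role/etl-loader-role"},
        "inlinePolicies": [{"policyName": "read-input", "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::etl-input/*"}]}}],
    },
    {   # fully permissive, but no Lambda function uses it: excluded by the join
        "role": {"roleName": "admin-role",
                 "arn": "arn:aws:iam::111111111111:role/admin-role"},
        "inlinePolicies": [{"policyName": "admin", "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
    },
]

if __name__ == "__main__":
    print(lambda_roles_with_permissive_inline_policy(SAMPLE_FUNCTIONS, SAMPLE_ROLES))
```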
Azure Microsoft Defender for Cloud set to Off for DNS
Identifies Azure Microsoft Defender for Cloud subscriptions whose Defender setting for DNS is set to Off. Enabling Azure Defender provides advanced security capabilities such as threat intelligence, anomaly detection, and behavior analytics in Azure Microsoft Defender for Cloud. Defender for DNS monitors DNS queries and detects suspicious activity without the need for any additional agents on your resources. It is highly recommended to enable Azure Defender for DNS.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Dns and properties.pricingTier does not equal Standard)] exists
AWS DocumentDB Cluster is not enabled with data encryption in transit
Identifies Amazon DocumentDB Clusters for which data encryption in transit is disabled. Each DocumentDB Cluster is associated with a Cluster Parameter Group. It is highly recommended to implement in-transit encryption in order to protect data from unauthorized access as it travels through the network, between clients and the cluster.
config from cloud.resource where api.name = 'aws-docdb-db-cluster-parameter-group' AND json.rule = parameters.tls.ParameterValue equals "disabled" as X; config from cloud.resource where api.name = 'aws-docdb-db-cluster' AND json.rule = Status equals available as Y; filter '$.X.DBClusterParameterGroupName equals $.Y.DBClusterParameterGroup'; show Y;
GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites
Identifies GCP SSL Load Balancers that permit SSL policies with weak cipher suites. The GCP default SSL policy uses a minimum TLS version of 1.0 and the COMPATIBLE profile, which allows the widest range of insecure cipher suites.
To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "$.X.sslPolicy does not exist or ($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites
Identifies GCP HTTPS Load Balancers that permit SSL policies with weak cipher suites. The GCP default SSL policy uses a minimum TLS version of 1.0 and the COMPATIBLE profile, which allows the widest range of insecure cipher suites.
To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
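As an added example that is not part of the release note or Prisma Cloud's own code, the following Python reproduces the branches of both weak-cipher-suite policies above (SSL proxy and HTTPS proxy) over constructed sample SSL policies and proxies. One caveat it makes explicit: the SSL-proxy RQL also flags a proxy with no sslPolicy at all (the default policy is COMPATIBLE at TLS 1.0), whereas the HTTPS-proxy RQL has no such clause; the flag_missing_policy parameter selects which behaviour to reproduce. Project name, selfLinks and cipher lists are made up.

```python
"""Offline re-implementation of the GCP weak-cipher-suite checks (added example)."""
from typing import Any, Dict, List, Optional

# The cipher suites the policy text lists as insecure (RSA key exchange, CBC, 3DES).
WEAK_FEATURES = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})


def ssl_policy_is_weak(policy: Dict[str, Any]) -> bool:
    """Mirror the RQL branches for one sslPolicies entry."""
    profile = policy.get("profile")
    if profile == "COMPATIBLE":
        return True  # widest range of insecure suites, whatever the min TLS version
    if profile in ("MODERN", "CUSTOM") and policy.get("minTlsVersion") != "TLS_1_2":
        return True  # TLS 1.0 or 1.1 still negotiable
    if profile == "CUSTOM" and WEAK_FEATURES & set(policy.get("enabledFeatures", [])):
        return True  # hand-picked suite list includes one of the weak suites
    # RESTRICTED (requires TLS 1.2 regardless of minTlsVersion), or
    # MODERN/CUSTOM at TLS 1.2 with none of the listed weak suites.
    return False


def proxy_permits_weak_ciphers(proxy: Dict[str, Any], policies: List[Dict[str, Any]],
                               flag_missing_policy: bool) -> bool:
    """flag_missing_policy=True reproduces the SSL-proxy RQL, where
    '$.X.sslPolicy does not exist' is itself a finding; False reproduces the
    HTTPS-proxy RQL, which only evaluates proxies that reference a policy."""
    link: Optional[str] = proxy.get("sslPolicy")
    if link is None:
        return flag_missing_policy
    by_link = {p["selfLink"]: p for p in policies}
    policy = by_link.get(link)
    if policy is None:
        return False  # not in the ingested list, so the RQL 'contains' matches nothing
    return ssl_policy_is_weak(policy)


def flagged_proxies(proxies: List[Dict[str, Any]], policies: List[Dict[str, Any]],
                    flag_missing_policy: bool) -> List[str]:
    """Names of proxies the policy would alert on, in input order."""
    return [p["name"] for p in proxies
            if proxy_permits_weak_ciphers(p, policies, flag_missing_policy)]


# Constructed sample data shaped like gcloud-compute-ssl-policies and the two
# target-proxy ingestions. The project id and selfLinks are made up.
_BASE = "https://www.googleapis.com/compute/v1/projects/example-proj/global/sslPolicies/"
SAMPLE_POLICIES = [
    {"name": "compat", "selfLink": _BASE + "compat",
     "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
    {"name": "modern-11", "selfLink": _BASE + "modern-11",
     "profile": "MODERN", "minTlsVersion": "TLS_1_1"},
    {"name": "restricted", "selfLink": _BASE + "restricted",
     "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
    {"name": "custom-3des", "selfLink": _BASE + "custom-3des",
     "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "enabledFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
    {"name": "custom-ok", "selfLink": _BASE + "custom-ok",
     "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "enabledFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]},
]
SAMPLE_PROXIES = [
    {"name": "no-policy-proxy"},  # falls back to the GCP default policy
    {"name": "compat-proxy", "sslPolicy": _BASE + "compat"},
    {"name": "modern11-proxy", "sslPolicy": _BASE + "modern-11"},
    {"name": "restricted-proxy", "sslPolicy": _BASE + "restricted"},
    {"name": "custom-3des-proxy", "sslPolicy": _BASE + "custom-3des"},
    {"name": "custom-ok-proxy", "sslPolicy": _BASE + "custom-ok"},
]

if __name__ == "__main__":
    print("ssl-proxy policy:  ", flagged_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES, True))
    print("https-proxy policy:", flagged_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES, False))
```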
Policy Updates-Metadata
Azure Security Center system updates monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center system updates monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine, and it recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
Impact—
No impact on alerts.
Azure Security Center disk encryption monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center disk encryption monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy.
Impact—
No impact on alerts.
Azure Security Center adaptive application controls monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center adaptive application controls monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs.
Impact—
No impact on alerts.
Azure Security Center endpoint protection monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center endpoint protection monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
Impact—
No impact on alerts.
Azure Security Center security configurations monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center security configurations monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system like firewall rules, password and audit policies are reviewed. Recommendations are made for setting the right level of security controls.
Impact—
No impact on alerts.
Azure Security Center JIT network access monitoring is set to disabled
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—
Azure Security Center JIT network access monitoring is set to disabled
Updated Name—
Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
Updated Description—
Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT network access enhances the protection of VMs by creating a Just in Time VM. The JIT VM with an NSG rule restricts access to the ports used to connect to the VM to a pre-set time window, and only after checking the Role Based Access Control permissions of the user. This feature helps control brute-force attacks on the VMs.
Impact—
No impact on alerts.
Policy Updates-RQL
Azure Microsoft Defender for Cloud email notification for subscription owner is not set
Changes—
The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check the email setting.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equals Off'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists
Impact—
Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
Azure Security Center contact phone number not set
Changes—
The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current Name—
Azure Security Center contact phone number not set
Updated Name—
Azure Microsoft Defender for Cloud security contact phone number is not set
Updated Description—
Identifies Subscriptions that are not set with security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact—
Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
Changes—
The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policy with profile type 'RESTRICTED'.
Current RQL—
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
Updated RQL—
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
Impact—
Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'.

REST API Updates

CHANGE
DESCRIPTION
Removal of Update Access Key API Endpoint
The following endpoint has been removed:
PUT /access_keys/{id}

New Features

Feature
Description
Change in Existing Behavior
Alert Count on Policy Violations
This change was first announced in the look ahead that was published with the 22.5.2 release.
Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was only counted in the high category although it was also violating medium and low severity policies. In this method of counting alerts, when you view the total count of failed checks it adds up to the sum of all low, medium, and high severity failures.
The above method of counting alerts is modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert will now be counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed in several places on the Prisma Cloud management console, such as on Compliance > Overview, Asset Inventory (Inventory > Assets), and Alerts > Overview.
This change in how Prisma Cloud counts assets that failed policy checks will not be applied to any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on Compliance > Reports is a snapshot of the previous counting method for reports generated earlier. The count for failed checks in these reports will not match the data on the Compliance > Overview page when you filter for the time period for which the report was generated.
Skips API Ingestion when Cloud Billing on GCP is Disabled
When the Cloud Asset Inventory (CAI) service is enabled and Cloud Billing is disabled for a project, Prisma Cloud skips the ingestion of GCP APIs for that project by default. This applies when the project is onboarded as a standalone project or as a child project of an organization, but not for a master service account (MSA).
Impact—
If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.
Change in Existing Behavior
Resolution of Undeletes for Google Cloud Resources
This change was announced in the look ahead that was published with the 22.6.1 release.
All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will be deleted once and then regenerated on the management console.
Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—
You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start ingesting data again.
Prisma Cloud Data Security
Download and Scan Files up to 100MB for Malware
The file size for malware scanning is now increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.
Prisma Cloud Data Security
Support for Big Data File Types
Prisma Cloud supports the following file types for data profile and data patterns:
  • .avro
  • .ORC
  • .parquet
The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.
API Ingestions
Amazon Managed Workflows for Apache Airflow
aws-mwaa-environment
Additional permissions required:
  • airflow:GetEnvironment
  • airflow:ListEnvironments
AWS Systems Manager
aws-ssm-association
Additional permissions required:
  • ssm:ListAssociations
  • ssm:DescribeAssociation
The Security Audit role includes the permissions.
Azure Batch Account
azure-batch-account
Additional permission required:
Microsoft.Batch/batchAccounts/read
The Reader role includes the permission.
Azure Data Shares
azure-data-shares-account
Additional permission required:
Microsoft.DataShare/accounts/read
The Reader role includes the permission.
Azure Red Hat OpenShift
azure-redhat-openshift-cluster
Additional permission required:
Microsoft.RedHatOpenShift/openShiftClusters/read
The Reader role includes the permission.
Google Cloud Run Revision
gcloud-cloud-run-revisions-list
No new permissions are required; the Project Viewer role includes the required permissions.
Google Data Catalog
gcloud-data-catalog-taxonomy
Additional permissions required:
  • datacatalog.taxonomies.list
  • datacatalog.taxonomies.getIamPolicy
  • datacatalog.taxonomies.get
The Viewer role includes the permissions.
Multi-region resources are not supported for Asia, EU, and US.
Google Data Catalog
gcloud-data-catalog-entry-group
Additional permissions required:
  • datacatalog.entryGroups.list
  • datacatalog.entryGroups.getIamPolicy
  • datacatalog.entryGroups.get
The Viewer role includes the permissions.
Multi-region resources are not supported for Asia, EU, and US.
Google Security Command Center
gcloud-security-command-center-organization-source
Additional permissions required:
  • securitycenter.sources.list
  • securitycenter.sources.getIamPolicy
The Viewer role includes the permissions.
OCI Compute
oci-compute-vnics
Additional permissions required:
  • inspect vnic-attachments
  • inspect vnics
You must add the permissions manually.
OCI Compute
oci-compute-vnicattachments
Additional permission required:
inspect vnic-attachments
You must add the permission manually.
OCI Networking
oci-networking-dns-tsigkeys
Additional permissions required:
  • inspect dns-tsig-keys
  • read dns-tsig-keys
You must add the permissions manually.
Update
API Ingestion—Amazon VPC Attribute
The following API is updated with a new attribute, authorizationRules, which contains the authorization rules for the Client VPN endpoint.
aws-ec2-client-vpn-endpoint
Additional permissions required:
  • ec2:DescribeClientVpnEndpoints
  • ec2:DescribeClientVpnAuthorizationRules
The Security Audit role includes the permissions.
Impact—
No impact on alerts.

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.6.3.
Policy Updates
Description
New Policy
AWS Lambda Function resource-based policy is overly permissive
Identifies Lambda functions that have an overly permissive resource-based policy. Lambda functions with overly permissive policies could lead to lateral movement in the account or to privilege escalation if compromised. It is highly recommended to apply a least-privilege access policy to protect Lambda functions from unauthorized access.
config from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "*" and Condition does not exist and (Action equals "*" or Action equals lambda:*))] exists
Azure MySQL database flexible server SSL enforcement is disabled
Identifies Azure MySQL database flexible servers for which SSL enforcement is disabled. SSL connectivity adds a layer of security by connecting the database server to client applications over the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and the application.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
Azure MySQL database flexible server using insecure TLS version
Identifies Azure MySQL database flexible servers which are using an insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for the Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2, which resolves the security gaps of its preceding versions.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
Policy Updates-Metadata
AWS Lambda function communicating with ports known to mine Monero
Changes—
The policy description is updated for typos and the cloud is changed from ANY to AWS.
Updated Description—
This policy identifies AWS Lambda functions which are communicating with ports known to mine Monero. AWS Lambda functions, when infected with the Denonia malware, install XMRig mining software, which is used for mining Monero. It is highly recommended to restrict Lambda functions to known hosts or services only.
Impact—
No impact on alerts.
Policy Updates—RQL
AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled
Changes—
The policy RQL has been updated to check only valid ACM certificates, and remediation support has been added.
Additional permission required to remediate the alert:
acm:UpdateCertificateOptions
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)'
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1'
Remediation CLI—
aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED
Impact—
Low. Alerts will be resolved for expired ACM certificates and for ACM certificates whose status is not ISSUED.
AWS Customer Master Key (CMK) rotation is not enabled
Changes—
The policy RQL has been updated to check only for KMS symmetric keys.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)'
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
Impact—
Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resources that are configured with asymmetric keys.
AWS Network Load Balancer (NLB) is not using the latest predefined security policy
Changes—
The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”.
Updated Description—
This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is therefore recommended to use the latest predefined security policy, which uses only secure protocols and ciphers.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists
Impact—
Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancers that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
AWS RDS Instance with copy tags to snapshots disabled
Changes—
The policy RQL has been updated to ignore RDS instances that use the Neptune engine.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune
Impact—
Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
Azure Application Gateway allows TLSv1.1 or lower
Changes—
The policy name, description, RQL, and recommendation have been updated because vendor support for TLS versions has changed.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)"
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1))
Impact—
Previously generated alerts for resources that are configured with the new predefined TLS policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
GCP Firewall rule allows all traffic on Microsoft-DS port (445)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on MongoDB port (27017)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on Oracle DB port (1521)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on MySQL DB port (3306)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on SMTP port (25)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on PostgreSQL port (5432)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on NetBIOS-SSN port (139)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on DNS port (53)
Changes—
The RQL for the policy is modified to include IPv6 checks.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on FTP port (21)
Changes—
The RQL for the policy is modified to include IPv6 checks.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on SSH port (22)
Changes—
The RQL for the policy is modified to include IPv6 checks.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on RDP port (3389)
Changes—
The RQL for the policy is modified to include IPv6 checks.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on POP3 port (110)
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall with Inbound rule overly permissive to All Traffic
Changes—
The policy RQL has been modified to check whether the firewall rule is disabled and to include IPv6 checks. The remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[*].IPProtocol equals all'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(IPProtocol equals "all")] exists
Updated CLI—
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact—
Low impact on existing alerts.
GCP Firewall rule allows inbound traffic from anywhere with no specific target set
Changes—
The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
Impact—
Low impact on existing alerts.
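As an added illustration (not Prisma Cloud code), the following Python models the updated "GCP Firewall rule allows all traffic on <port>" RQL above for a chosen port next to the pre-update form, and runs both over constructed firewall-rule documents to show which rules the IPv6, bare-address, and disabled checks newly catch or drop. Field names mirror the GCP Compute firewall resource; treating RQL `contains` on `sourceRanges` as list membership and a missing `disabled` field as false are assumptions of this example.

```python
"""Model the June 2022 GCP firewall-rule RQL change (illustrative, not Prisma code)."""
from typing import Any

# Source ranges the updated RQL treats as "anywhere" (IPv4 and IPv6 spellings).
ANYWHERE_SOURCES = {"0.0.0.0", "0.0.0.0/0", "::", "::0", "::/0"}


def _port_in_range(spec: str, port: int) -> bool:
    """Mirror _Port.inRange(port, port) for a GCP port spec of the form 'N' or 'N-M'."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return lo_i <= port <= hi_i


def _allows_port(allowed: list[dict[str, Any]], port: int) -> bool:
    """allowed[?any(ports contains _Port.inRange(p,p) or
    (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists"""
    for entry in allowed:
        proto = entry.get("IPProtocol", "")
        if "ports" in entry:
            if any(_port_in_range(spec, port) for spec in entry["ports"]):
                return True
        elif "tcp" in proto or "udp" in proto:
            # No ports listed means every port of that protocol is open.
            return True
    return False


def legacy_match(rule: dict[str, Any], port: int) -> bool:
    """Pre-update RQL: only 0.0.0.0/0 as source, no disabled or direction check.
    'contains' is modelled as list membership (assumption)."""
    open_v4 = "0.0.0.0/0" in rule.get("sourceRanges", [])
    return open_v4 and _allows_port(rule.get("allowed", []), port)


def updated_match(rule: dict[str, Any], port: int) -> bool:
    """Updated RQL: rule enabled, INGRESS, any IPv4/IPv6 'anywhere' source, port allowed."""
    if rule.get("disabled", False):  # missing field treated as enabled (assumption)
        return False
    if rule.get("direction") != "INGRESS":
        return False
    if not any(src in ANYWHERE_SOURCES for src in rule.get("sourceRanges", [])):
        return False
    return _allows_port(rule.get("allowed", []), port)


def evaluate(rules: list[dict[str, Any]], port: int) -> dict[str, tuple[bool, bool]]:
    """Map rule name -> (legacy verdict, updated verdict) for the given port."""
    return {r["name"]: (legacy_match(r, port), updated_match(r, port)) for r in rules}


def newly_flagged(rules: list[dict[str, Any]], port: int) -> list[str]:
    """Rules the updated RQL flags that the legacy RQL missed."""
    return [name for name, (old, new) in evaluate(rules, port).items() if new and not old]


# Constructed firewall-rule documents for this example (not real project data).
SAMPLE_RULES: list[dict[str, Any]] = [
    {"name": "allow-mysql-v4", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-db-range-v6", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-udp-any-bare-v4", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0"], "allowed": [{"IPProtocol": "udp"}]},
    {"name": "allow-mysql-disabled", "disabled": True, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-ssh-only", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal-tcp", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp"}]},
]

if __name__ == "__main__":
    for name, (old, new) in evaluate(SAMPLE_RULES, 3306).items():
        print(f"{name:24s} legacy={old!s:5s} updated={new!s:5s}")
    print("newly flagged:", newly_flagged(SAMPLE_RULES, 3306))
```

The IPv6 range and the bare `0.0.0.0` source are picked up only by the updated form, while the disabled rule drops out of scope, which is the behaviour the "Low impact on existing alerts" notes describe.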
If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

REST API Updates

No REST API updates for 22.6.2.

New Features

FEATURE
DESCRIPTION
API Ingestions
AWS IAM
aws-iam-oidc-provider
Additional permissions required:
  • iam:ListOpenIDConnectProviders
  • iam:GetOpenIDConnectProvider
AWS Lambda
aws-lambda-code-signing-config
Additional permission required:
lambda:ListCodeSigningConfigs
AWS Lambda
aws-lambda-list-functions
Additional permission required:
lambda:GetFunctionUrlConfig
AWS Route53 Resolver
aws-route53resolver-query-logging-config-association
Additional permission required:
route53resolver:ListResolverQueryLogConfigAssociations
AWS Route53 Resolver
aws-route53resolver-query-logging-config
Additional permissions required:
  • route53resolver:ListResolverQueryLogConfigs
  • route53resolver:ListTagsForResource
Azure HPC Cache
azure-hpc-cache
Additional permissions required:
  • Microsoft.StorageCache/caches/read
  • Microsoft.StorageCache/Subscription/caches/read
Azure Media Service
azure-media-service-account
Additional permission required:
Microsoft.Media/mediaservices/read
Azure Service Fabric
azure-service-fabric-cluster
Additional permission required:
Microsoft.ServiceFabric/clusters/read
Azure Virtual Network
azure-network-effective-nsg
Additional permission required:
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
The Network Contributor role includes this permission, so it does not need to be explicitly granted if you have assigned this role to Prisma Cloud.
Azure Virtual Network
azure-network-effective-route-table
Additional permission required:
Microsoft.Network/networkInterfaces/effectiveRouteTable/action
The Network Contributor role includes this permission, so it does not need to be explicitly granted if you have assigned this role to Prisma Cloud.
Google Certificate Authority Service
gcloud-certificate-authority-revocation-lists
Additional permissions required:
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.getIamPolicy
Google Compute Engine
gcloud-compute-backend-bucket
Additional permission required:
compute.backendBuckets.list
Google Compute Engine
gcloud-compute-external-backend-service
Additional permission required:
compute.backendServices.list
OCI Big Data Service
oci-bigdataservice-instances
Additional permissions required:
  • inspect bds-instances
  • read bds-instances
OCI Data Integration
oci-dataintegration-workspaces
Additional permissions required:
  • inspect dis-workspaces
  • read dis-workspaces
OCI Data Science
oci-datascience-projects
Additional permissions required:
  • inspect data-science-projects
  • read data-science-projects
Update
Support for Azure Virtual Network API Ingestions
To support ingestion for these Azure Virtual Network APIs:
  • azure-network-effective-nsg
  • azure-network-effective-route-table
The Azure onboarding Terraform templates now include granular permissions for:
  • Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
  • Microsoft.Network/networkInterfaces/effectiveRouteTable/action
The Network Contributor role in Azure includes these two permissions, so they do not need to be explicitly granted if you have assigned this role to Prisma Cloud.
Permissions in the Azure Terraform Template
The Azure Terraform template in Monitor and Monitor & Protect modes, used for onboarding Azure subscriptions and Azure tenants with management groups on Prisma Cloud, now includes the following permission:
Microsoft.ContainerRegistry/registries/listCredentials/action
This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities on Code Security.
Change in Existing Behavior
Support for Google Cloud API Ingestions
When you onboard using granular permissions, you must provide additional permissions for the following GCP APIs:
  • Google PubSub
    gcloud-pubsub-subscription
    Additional permission required:
    pubsub.subscriptions.get
    gcloud-pubsub-topic
    Additional permission required:
    pubsub.topics.get
  • Google Dataproc Clusters
    gcloud-dataproc-clusters-list
    Additional permission required:
    dataproc.clusters.get
These permissions are part of the predefined Viewer role and are automatically included if you are using that primitive role.

New Policies and Policy Updates

No new policies or policy updates for 22.6.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for Australian Energy Sector Cyber Security Framework (AESCSF)
The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian Energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture.
The framework involves the analysis of two aspects:
  • Criticality assessment
  • Cyber security capability and maturity self-assessment
Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The ISM outlines a cyber security framework that you can apply, using its risk management framework, to protect information and systems from cyber threats.
The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
Support for Australian Cyber Security Centre (ACSC) Essential Eight
The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the ACSC’s recommended Strategies to Mitigate Cyber Security Incidents.
The essential eight security controls are:
  • Application Control — to control the execution of unauthorized software
  • Configure Macros — to block untrusted macros
  • Patch Application — to remediate known security vulnerabilities
  • Application Hardening — to protect against vulnerable functionality
  • Restrict Admin Permissions — to limit powerful access to systems
  • Patch Operating Systems — to remediate known security vulnerabilities
  • Multi-Factor Authentication — to protect against risky activities
  • Daily Backups — to maintain the availability of critical data
Update
New Zealand Information Security Manual (NZISM v3.4)
Prisma Cloud has extended NZISM compliance support to Azure, Alibaba Cloud, GCP, and OCI accounts, in addition to AWS.

REST API Updates

No REST API updates for 22.6.1.
