Features Introduced in May 2022

Learn what's new on Prisma™ Cloud in May 2022.

New Features

FEATURE
DESCRIPTION
Burndown Widgets in Adoption Advisor
The Adoption Advisor now includes two new widgets for risk and incident burndown.
These widgets show you the number of high severity misconfigurations or risks and incidents detected in your cloud environment, and your team’s progress on remediating these issues. The count of remediated risks and incidents includes alerts that are in the resolve, dismiss, or snoozed states.
API Ingestions
Amazon EKS
aws-eks-node-group
Additional permissions required:
  • eks:ListClusters
  • eks:DescribeNodegroup
  • eks:ListNodegroups
Amazon Batch
aws-batch-compute-environment
Additional permission required:
batch:DescribeComputeEnvironments
Amazon Lake Formation
aws-lake-formation-setting
Additional permission required:
lakeformation:GetDataLakeSettings
Azure App Service
azure-app-service-domain
Additional permission required:
Microsoft.DomainRegistration/domains/Read
Azure App Service
azure-app-service-environment
Additional permission required:
Microsoft.Web/hostingEnvironments/Read
Azure App Service
azure-app-service-plan
Additional permission required:
Microsoft.Web/serverfarms/Read
Azure Compute
azure-vm-start-time
No new permissions, the Reader role includes the required permissions.
Google Stackdriver Logging
gcloud-logging-bucket
Additional permission required:
logging.buckets.list
Google Network Intelligence Center
gcloud-network-intelligence-center-firewall-insight
Additional permission required:
recommender.computeFirewallInsights.list
Google Managed Microsoft AD
gcloud-managed-microsoft-ad-domain
Additional permissions required:
  • managedidentities.domains.list
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.sqlintegrations.list
OCI Data Flow
oci-dataflow-applications
Additional permissions required:
  • inspect dataflow-application
  • read dataflow-application
This API is not supported in ap-hyderabad-1 region.
OCI Streaming
oci-streaming-streampools
Additional permissions required:
  • inspect stream-pools
  • read stream-pools
OCI Streaming
oci-streaming-streams
Additional permissions required:
  • inspect streams
  • read streams
Update
Azure Storage
azure-storage-account-list
This API has been updated to show the following new field in the resource JSON:
advancedThreatProtectionSettings
Azure Advanced threat protection settings are not supported in Azure China.
Update
gcloud-storage-buckets-list API ingestion
For new ingestion of this API, the metadata will no longer include the
timeCreated
attribute for the bucket. In RQL, the key will not be available in the json.rule attribute for auto completion and you cannot define custom policies based on this key. If you have any saved searches including the
timeCreated
attribute, they will now not return resources.

New Policies and Policy Updates

See the look ahead updates for planned changes and policy updates in 22.6.1.
POLICY UPDATES
DESCRIPTION
New Policies
Azure Virtual Desktop session host is not configured with managed identity
Identifies Virtual Desktop session hosts that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in a code increases the threat surface in case of exploitation and also managed identities eliminate the need for developers to manage credentials. So as a security best practice, it is recommended to have the managed identity to your Virtual Desktop session hosts.
config from cloud.resource where api.name = 'azure-virtual-desktop-session-host' AND json.rule = session-hosts[*] is not empty and session-hosts[*].properties.resourceId exists as X; config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" as Y; filter '$.X.session-hosts[*].properties.resourceId equal ignore case $.Y.id and ($.Y.identity does not exist or $.Y.identity.type equal ignore case None)'; show Y;
AWS IAM Policy permission may cause privilege escalation
Identifies AWS IAM Policy which have permission that may cause privilege escalation. AWS IAM policy having weak permissions could be exploited by an attacker to elevate privileges. It is recommended to follow the principle of least privileges ensuring that AWS IAM policy does not have these sensitive permissions.
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action contains iam:CreatePolicyVersion or Action contains iam:SetDefaultPolicyVersion or Action contains iam:PassRole or Action contains iam:CreateAccessKey or Action contains iam:CreateLoginProfile or Action contains iam:UpdateLoginProfile or Action contains iam:AttachUserPolicy or Action contains iam:AttachGroupPolicy or Action contains iam:AttachRolePolicy or Action contains iam:PutUserPolicy or Action contains iam:PutGroupPolicy or Action contains iam:PutRolePolicy or Action contains iam:AddUserToGroup or Action contains iam:UpdateAssumeRolePolicy or Action contains iam:*))] exists
Azure Spring Cloud service is not configured with virtual network
Identifies Azure Spring Cloud services that are not configured with a virtual network. Spring Cloud configured with a virtual network isolates apps and service runtime from the internet on your corporate network and provides control over inbound and outbound network communications for Azure Spring Cloud. As best security practice, it is recommended to deploy Spring Cloud service in a virtual network.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic and properties.networkProfile.serviceRuntimeSubnetId does not exist
Policy Updates—RQL
GCP Firewall rule allows all traffic on HTTP port (80)
Changes
—The RQL is modified to check if the firewall rule is disabled and includes IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact
—Low.
GCP Firewall rule allows all traffic on Telnet port (23)
Changes
—The RQL is modified to check if the firewall rule is disabled and includes IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Current RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(23,23) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated RQL
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
Updated CLI
gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
Impact
—Low impact on new alerts that were generated based on IP checks included in the updated RQL.

REST API Updates

CHANGE
DESCRIPTION
Last Updated Timestamps for List Alert V2 API
The
lastUpdated
attribute is now added to the List Alerts V2 response for the
POST /v2/alert
endpoint.
This attribute contains a timestamp to indicate when an alert was last updated. It also includes a timestamp for resource updates, policy updates, alert rule updates, alert status changes, and so on.

New Features Introduced in 22.5.1

New Features

FEATURE
DESCRIPTION
Update
Onboarding Cloud Accounts UI
The cloud accounts onboarding has an updated UI and Prisma Cloud displays the onboarding information in a new and improved way.
resource.state RQL Attribute
You can now use the optional
source/dest.resource.state
RQL attribute to find resources that are active, for example an EC2 instance that has state as running or inactive or an EC2 instance that has state as stopped on Prisma Cloud. The available values are Active or Inactive.
For example:
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'
When
source/dest.resource.state
is not specified in the query, then the RQL query displays both Active and Inactive resources in the result.
Change in Existing Behavior
Resolve Undeletes for Google Cloud Resources
All the resources for
gcloud-container-describe-clusters
,
gcloud-compute-nat
, and
gcloud-iam-service-accounts-list
will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as
Resource_Updated
and new alerts will be generated against policy violations.
API Ingestions
Amazon ECR
aws-ecr-registry-scanning-configuration
Additional permission required:
ecr:GetRegistryScanningConfiguration
AWS ACM Private Certificate Authority
aws-acm-pca-certificate-authority
Additional permissions required:
  • acm-pca:ListTags
  • acm-pca:GetPolicy
  • acm-pca:ListCertificateAuthorities
Azure Data Box Gateway
azure-databox-gateway
Additional permission required:
Microsoft.DataBoxEdge/dataBoxEdgeDevices/read
Azure Availability Sets
azure-vm-availability-set
Additional permission required:
Microsoft.Compute/availabilitySets/read
Azure Notification Hubs
azure-notification-hub-namespace
Additional permission required:
Microsoft.NotificationHubs/Namespaces/read
Azure Notification Hubs
azure-notification-hub
Additional permission required:
Microsoft.NotificationHubs/Namespaces/NotificationHubs/read
Azure Local Network Gateways
azure-local-network-gateways
Additional permission required:
Microsoft.Network/localnetworkgateways/read
Azure NetApp Files
azure-netappfiles-account
Additional permission required:
Microsoft.NetApp/netAppAccounts/read
Azure Database for PostgreSQL
azure-postgresql-flexible-server
Additional permissions required:
  • Microsoft.DBforPostgreSQL/flexibleServers/read
  • Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read
  • Microsoft.DBforPostgreSQL/flexibleServers/configurations/read
Azure Database for MySQL
azure-mysql-flexible-server
Additional permissions required:
  • Microsoft.DBforMySQL/flexibleServers/read
  • Microsoft.DBforMySQL/flexibleServers/firewallRules/read
  • Microsoft.DBforMySQL/flexibleServers/configurations/read
OCI IAM
oci-iam-identityproviders
Additional permission required:
inspect identity-providers
Google Essential Contacts
gcloud-essential-contacts-project-contact
Additional permission required:
essentialcontacts.contacts.list
Google Service Directory
gcloud-service-directory-namespace
Additional permissions required:
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.getIamPolicy
Google Organization Policy
gcloud-organization-policy-project-constraint
Additional permissions required:
  • orgpolicy.constraints.list
  • orgpolicy.policy.get
Google Access Approval
gcloud-access-approval-org-approval-setting
Additional permission required:
accessapproval.settings.get
Change in Existing Behavior
gcloud-compute-internal-lb-backend-service API Ingestion
Prisma Cloud displays the
gcloud-compute-internal-lb-backend-service
region on the
Investigate
page.
This change will cause a one-time delete of resources and alerts, which will be re-opened.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS IAM policy overly permissive to Lambda service
Identifies the IAM policies that are overly permissive to Lambda service. AWS provides serverless computational functionality through their Lambda service. Serverless functions allow organizations to run code for applications or backend services without provisioning virtual machines or management servers. It is recommended to follow the principle of least privileges, ensuring that only restricted Lambda services for restricted resources.
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals lambda:* or Action[*] equals lambda:*) and (Resource equals * or Resource[*] equals *) and Condition does not exist)] exists
AWS Lambda IAM policy overly permissive to all traffic
Identifies AWS Lambda IAM policies that are overly permissive to all traffic. It is recommended that the Lambda should be granted access restrictions so that only authorized users and applications have access to the service.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any((Condition.ForAnyValue:IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0 or Condition.ForAnyValue:IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith lambda:)] exists
AWS Lambda function communicating with ports known to mine Monero
Identifies AWS Lambda function which are communicating with ports known to mine Monero. AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for minning Monero. It is highly recommended to restrict Lambda function to known hosts or services only.
network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' , 'AWS IPs', 'Azure IPs', 'GCP IPs' ) and protocol IN ( 'TCP' ) and dest.port = 3333 and dest.resource IN ( resource where role IN ( 'AWS Lambda' ) ) and bytes > 0
AWS RDS PostgreSQL exposed to local file read vulnerability
Identifies AWS RDS PostgreSQL which are exposed to local file read vulnerability. AWS RDS PostgreSQL installed with vulnerable 'log_fdw' extension is exposed to local file read vulnerability, due to which attacker could gain access to local system files of the database instance within their account, including a file which contained credentials specific to PostgreSQL. It is highly recommended to upgrade AWS RDS PostgreSQL to the latest version.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals postgres and engineVersion is member of ('13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9','11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15','10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5','10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17','9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8','9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3')
AWS Aurora PostgreSQL exposed to local file read vulnerability
Identifies AWS Aurora PostgreSQL which are exposed to local file read vulnerability. AWS Aurora PostgreSQL installed with vulnerable 'log_fdw' extension is exposed to local file read vulnerability, due to which attacker could gain access to local system files of the database instance within their account, including a file which contained credentials specific to Aurora PostgreSQL. It is highly recommended to upgrade AWS Aurora PostgreSQL to the latest version.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals aurora-postgresql and engineVersion is member of ('10.11','10.12','10.13','11.6','11.7','11.8')
Azure Recovery Services vault is not configured with managed identity
Identifies Recovery Services vaults that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in a code increases the threat surface in case of exploitation and also managed identities eliminate the need for developers to manage credentials. So as a security best practice, it is recommended to have the managed identity to your Recovery Services vault.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-recovery-service-vault' AND json.rule = properties.provisioningState equals Succeeded and (identity does not exist or identity.type equal ignore case "None")
GCP Firewall rule exposes GKE clusters by allowing all traffic on port 10250
Identifies GCP Firewall rule allowing all traffic on port 10250 which allows GKE full node access. The port 10250 on the kubelet is used by the kube-apiserver (running on hosts labeled as Orchestration Plane) for exec and logs. As per security best practice, port 10250 should not be exposed to the public.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10250,10250) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X;
Permissions required to run the CLI:
  • compute.firewalls.update
  • compute.networks.updatePolicy
Policy Updates—RQL
AWS Network Load Balancer (NLB) is not using the latest predefined security policy
Changes
—AWS updated the recommended security policy for network load balancer configured with TLS. Due to this change, the policy RQL, description, and recommendation steps have been updated accordingly.
Updated Description
—Identifies Network Load Balancers (NLBs) are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is recommended to use the latest predefined security policy which uses only secured protocol and ciphers.
It is recommended to use ELBSecurityPolicy-TLS13-1-0-2021-06 policy if you require Forward Secrecy (FS) and use ELBSecurityPolicy-2016-08 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers.
Current RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'type equals network and listeners[?any(protocol equals TLS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists'
Updated RQL
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists
Impact
—Medium. The alerts for resources which had older security policy will be resolved as ‘Policy_Updated’ and new alerts will be created if the security policy for network load balancer configured with TLS is not the same as recommended by AWS.
GCP User managed service accounts have user managed service account keys
Changes
—The policy RQL is updated to exclude Prisma-cloud specific service account and the description is modified based on the updated RQL.
Updated Description
—Identifies user managed service accounts that use user managed service account keys instead of Google-managed. For user-managed keys, the User has to take ownership of key management activities. Even after owner precaution, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in downloads directory or accidentally leaving them on support blogs/channels. It is recommended to limit the use of User-managed service account keys and instead use Google-managed keys which can not be downloaded.
This policy might alert the service accounts which are not created using Terraform for cloud account onboarding. These alerts are valid because no user-managed service account should be used for cloud account onboarding.
Current RQL
config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X;
Updated RQL
config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name does not contain prisma-cloud and $.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X;
Impact
—Medium. The RQL modification will resolve alerts associated with Prisma-cloud specific service accounts.
Policy Updates—Metadata
AWS EMR cluster is not enabled with local disk encryption using CMK
Changes
—The policy name and description are updated.
Current Name
—AWS EMR cluster is not enabled with local disk encryption using CMK
Updated Name
—AWS EMR cluster is not enabled with local disk encryption using Custom key provider
Updated Description
—Identifies AWS EMR clusters that are not enabled with local disk encryption using Custom key provider. Applications using the local file system on each cluster instance for intermediate data throughout workloads, where data could be spilled to disk when it overflows memory. With Local disk encryption at place, data at rest can be protected.
Impact
—No impact on existing alerts.
Azure Policies
Changes
—The recommendations steps for the following policies are updated as per the Azure UI changes:
  • Azure SQL databases Defender setting is set to Off
  • Azure SQL server Defender setting is set to Off
  • Azure SQL Databases with disabled Email service and co-administrators for Threat Detection
  • Azure SQL Server ADS Vulnerability Assessment 'Also send email notifications to admins and subscription owners' is disabled
  • Azure SQL Server ADS Vulnerability Assessment is disabled
  • Azure SQL Server ADS Vulnerability Assessment 'Send scan reports to' is not configured
  • Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled
Impact
—No impact on existing alerts.
Policy Deletions
Azure Policies
Changes
—The following policies are deleted because the Setting feature is no longer available in the Azure UI:
  • Azure SQL Server threat logs retention is less than 91 days
  • Azure SQL Database with Threat Retention less than or equals to 90 days
  • Azure SQL Server threat detection alerts not enabled for all threat types
  • Send alerts on field value on SQL Databases is misconfigured
  • Threat Detection types on SQL databases is misconfigured
Impact
—Previously generated alerts will be resolved as Policy_Deleted.
The compliance mapping for the above listed policies is removed due to which the compliance score can get affected. The affected compliance standards are:
APRA, CMMC_1_02, CSA_CCM_V4, HITRUST942, ISO_27002_2013, ISO_27017_2015, LGPD, NIST_800_171R2, NIST_800_172, NIST_800_53_R4_AZU_LEG, NIST_800_53_R5_AZURE, NIST_CSF_V_1_1, PCIDSS_321, AZURE_CCPA, AZURE_PIPEDA, MLPS20_AZURE, AZURE_CSA_CCM_V301, AZURE_HITRUST_V93, AZURE_NIST_CSF, AZURE_SOC2, CIS_AZURE_120, CIS_AZURE_V1.1, ISO_27018_2019
Impact
—Low impact on existing alerts.

Recommended For You