Features Introduced in May 2022

Learn what's new on Prisma™ Cloud in May 2022.

New Features Introduced in 22.5.2

New Features Introduced in 22.5.1

New Features Introduced in 22.5.2

New Policies and Policy Updates

REST API Updates

New Features

FEATURE	DESCRIPTION
Burndown Widgets in Adoption Advisor	The Adoption Advisor now includes two new widgets for risk and incident burndown. These widgets show you the number of high severity misconfigurations or risks and incidents detected in your cloud environment, and your team’s progress on remediating these issues. The count of remediated risks and incidents includes alerts that are in the resolve, dismiss, or snoozed states.
API Ingestions	Amazon EKS aws-eks-node-group Additional permissions required: eks:ListClusters eks:DescribeNodegroup eks:ListNodegroups
	Amazon Batch aws-batch-compute-environment Additional permission required: batch:DescribeComputeEnvironments
	Amazon Lake Formation aws-lake-formation-setting Additional permission required: lakeformation:GetDataLakeSettings
	Azure App Service azure-app-service-domain Additional permission required: Microsoft.DomainRegistration/domains/Read
	Azure App Service azure-app-service-environment Additional permission required: Microsoft.Web/hostingEnvironments/Read
	Azure App Service azure-app-service-plan Additional permission required: Microsoft.Web/serverfarms/Read
	Azure Compute azure-vm-start-time No new permissions, the Reader role includes the required permissions.
	Google Stackdriver Logging gcloud-logging-bucket Additional permission required: logging.buckets.list
	Google Network Intelligence Center gcloud-network-intelligence-center-firewall-insight Additional permission required: recommender.computeFirewallInsights.list
	Google Managed Microsoft AD gcloud-managed-microsoft-ad-domain Additional permissions required: managedidentities.domains.list managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.sqlintegrations.list
	OCI Data Flow oci-dataflow-applications Additional permissions required: inspect dataflow-application read dataflow-application This API is not supported in ap-hyderabad-1 region.
	OCI Streaming oci-streaming-streampools Additional permissions required: inspect stream-pools read stream-pools
	OCI Streaming oci-streaming-streams Additional permissions required: inspect streams read streams
	`Update` Azure Storage azure-storage-account-list This API has been updated to show the following new field in the resource JSON: advancedThreatProtectionSettings Azure Advanced threat protection settings are not supported in Azure China.
`Update` gcloud-storage-buckets-list API ingestion	For new ingestion of this API, the metadata will no longer include the timeCreated attribute for the bucket. In RQL, the key will not be available in the json.rule attribute for auto completion and you cannot define custom policies based on this key. If you have any saved searches including the timeCreated attribute, they will now not return resources.

New Policies and Policy Updates

See the look ahead updates for planned changes and policy updates in 22.6.1.

POLICY UPDATES	DESCRIPTION
New Policies	Azure Virtual Desktop session host is not configured with managed identity Identifies Virtual Desktop session hosts that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in a code increases the threat surface in case of exploitation and also managed identities eliminate the need for developers to manage credentials. So as a security best practice, it is recommended to have the managed identity to your Virtual Desktop session hosts. config from cloud.resource where api.name = 'azure-virtual-desktop-session-host' AND json.rule = session-hosts[] is not empty and session-hosts[].properties.resourceId exists as X; config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" as Y; filter '$.X.session-hosts[*].properties.resourceId equal ignore case $.Y.id and ($.Y.identity does not exist or $.Y.identity.type equal ignore case None)'; show Y;
	AWS IAM Policy permission may cause privilege escalation Identifies AWS IAM Policy which have permission that may cause privilege escalation. AWS IAM policy having weak permissions could be exploited by an attacker to elevate privileges. It is recommended to follow the principle of least privileges ensuring that AWS IAM policy does not have these sensitive permissions. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action contains iam:CreatePolicyVersion or Action contains iam:SetDefaultPolicyVersion or Action contains iam:PassRole or Action contains iam:CreateAccessKey or Action contains iam:CreateLoginProfile or Action contains iam:UpdateLoginProfile or Action contains iam:AttachUserPolicy or Action contains iam:AttachGroupPolicy or Action contains iam:AttachRolePolicy or Action contains iam:PutUserPolicy or Action contains iam:PutGroupPolicy or Action contains iam:PutRolePolicy or Action contains iam:AddUserToGroup or Action contains iam:UpdateAssumeRolePolicy or Action contains iam:*))] exists
	Azure Spring Cloud service is not configured with virtual network Identifies Azure Spring Cloud services that are not configured with a virtual network. Spring Cloud configured with a virtual network isolates apps and service runtime from the internet on your corporate network and provides control over inbound and outbound network communications for Azure Spring Cloud. As best security practice, it is recommended to deploy Spring Cloud service in a virtual network. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic and properties.networkProfile.serviceRuntimeSubnetId does not exist
Policy Updates—RQL	GCP Firewall rule allows all traffic on HTTP port (80) Changes —The RQL is modified to check if the firewall rule is disabled and includes IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low.
	GCP Firewall rule allows all traffic on Telnet port (23) Changes —The RQL is modified to check if the firewall rule is disabled and includes IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it. Additional permissions required: compute.firewalls.update compute.networks.updatePolicy Current RQL — config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(23,23) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists' Updated RQL* — config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[] equals ::) and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists Updated CLI* — gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled Impact —Low impact on new alerts that were generated based on IP checks included in the updated RQL.

REST API Updates

CHANGE	DESCRIPTION
Last Updated Timestamps for List Alert V2 API	The lastUpdated attribute is now added to the List Alerts V2 response for the POST /v2/alert endpoint. This attribute contains a timestamp to indicate when an alert was last updated. It also includes a timestamp for resource updates, policy updates, alert rule updates, alert status changes, and so on.

New Features Introduced in 22.5.1

New Policies and Policy Updates

New Features

FEATURE	DESCRIPTION
`Update` Onboarding Cloud Accounts UI	The cloud accounts onboarding has an updated UI and Prisma Cloud displays the onboarding information in a new and improved way.
resource.state RQL Attribute	You can now use the optional source/dest.resource.state RQL attribute to find resources that are active, for example an EC2 instance that has state as running or inactive or an EC2 instance that has state as stopped on Prisma Cloud. The available values are Active or Inactive. For example: config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' When source/dest.resource.state is not specified in the query, then the RQL query displays both Active and Inactive resources in the result.
`Change in Existing Behavior` Resolve Undeletes for Google Cloud Resources	All the resources for gcloud-container-describe-clusters , gcloud-compute-nat , and gcloud-iam-service-accounts-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated and new alerts will be generated against policy violations.
API Ingestions	Amazon ECR aws-ecr-registry-scanning-configuration Additional permission required: ecr:GetRegistryScanningConfiguration
	AWS ACM Private Certificate Authority aws-acm-pca-certificate-authority Additional permissions required: acm-pca:ListTags acm-pca:GetPolicy acm-pca:ListCertificateAuthorities
	Azure Data Box Gateway azure-databox-gateway Additional permission required: Microsoft.DataBoxEdge/dataBoxEdgeDevices/read
	Azure Availability Sets azure-vm-availability-set Additional permission required: Microsoft.Compute/availabilitySets/read
	Azure Notification Hubs azure-notification-hub-namespace Additional permission required: Microsoft.NotificationHubs/Namespaces/read
	Azure Notification Hubs azure-notification-hub Additional permission required: Microsoft.NotificationHubs/Namespaces/NotificationHubs/read
	Azure Local Network Gateways azure-local-network-gateways Additional permission required: Microsoft.Network/localnetworkgateways/read
	Azure NetApp Files azure-netappfiles-account Additional permission required: Microsoft.NetApp/netAppAccounts/read
	Azure Database for PostgreSQL azure-postgresql-flexible-server Additional permissions required: Microsoft.DBforPostgreSQL/flexibleServers/read Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read Microsoft.DBforPostgreSQL/flexibleServers/configurations/read
	Azure Database for MySQL azure-mysql-flexible-server Additional permissions required: Microsoft.DBforMySQL/flexibleServers/read Microsoft.DBforMySQL/flexibleServers/firewallRules/read Microsoft.DBforMySQL/flexibleServers/configurations/read
	OCI IAM oci-iam-identityproviders Additional permission required: inspect identity-providers
	Google Essential Contacts gcloud-essential-contacts-project-contact Additional permission required: essentialcontacts.contacts.list
	Google Service Directory gcloud-service-directory-namespace Additional permissions required: servicedirectory.namespaces.list servicedirectory.namespaces.getIamPolicy
	Google Organization Policy gcloud-organization-policy-project-constraint Additional permissions required: orgpolicy.constraints.list orgpolicy.policy.get
	Google Access Approval gcloud-access-approval-org-approval-setting Additional permission required: accessapproval.settings.get
`Change in Existing Behavior` gcloud-compute-internal-lb-backend-service API Ingestion	Prisma Cloud displays the gcloud-compute-internal-lb-backend-service region on the Investigate page. This change will cause a one-time delete of resources and alerts, which will be re-opened.

New Policies and Policy Updates

POLICY UPDATES	DESCRIPTION
New Policies	AWS IAM policy overly permissive to Lambda service Identifies the IAM policies that are overly permissive to Lambda service. AWS provides serverless computational functionality through their Lambda service. Serverless functions allow organizations to run code for applications or backend services without provisioning virtual machines or management servers. It is recommended to follow the principle of least privileges, ensuring that only restricted Lambda services for restricted resources. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals lambda:* or Action[] equals lambda:) and (Resource equals * or Resource[] equals ) and Condition does not exist)] exists
	AWS Lambda IAM policy overly permissive to all traffic Identifies AWS Lambda IAM policies that are overly permissive to all traffic. It is recommended that the Lambda should be granted access restrictions so that only authorized users and applications have access to the service. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any((Condition.ForAnyValue:IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0 or Condition.ForAnyValue:IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith lambda:)] exists
	AWS Lambda function communicating with ports known to mine Monero Identifies AWS Lambda function which are communicating with ports known to mine Monero. AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for minning Monero. It is highly recommended to restrict Lambda function to known hosts or services only. network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' , 'AWS IPs', 'Azure IPs', 'GCP IPs' ) and protocol IN ( 'TCP' ) and dest.port = 3333 and dest.resource IN ( resource where role IN ( 'AWS Lambda' ) ) and bytes > 0
	AWS RDS PostgreSQL exposed to local file read vulnerability Identifies AWS RDS PostgreSQL which are exposed to local file read vulnerability. AWS RDS PostgreSQL installed with vulnerable 'log_fdw' extension is exposed to local file read vulnerability, due to which attacker could gain access to local system files of the database instance within their account, including a file which contained credentials specific to PostgreSQL. It is highly recommended to upgrade AWS RDS PostgreSQL to the latest version. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals postgres and engineVersion is member of ('13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9','11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15','10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5','10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17','9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8','9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3')
	AWS Aurora PostgreSQL exposed to local file read vulnerability Identifies AWS Aurora PostgreSQL which are exposed to local file read vulnerability. AWS Aurora PostgreSQL installed with vulnerable 'log_fdw' extension is exposed to local file read vulnerability, due to which attacker could gain access to local system files of the database instance within their account, including a file which contained credentials specific to Aurora PostgreSQL. It is highly recommended to upgrade AWS Aurora PostgreSQL to the latest version. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals aurora-postgresql and engineVersion is member of ('10.11','10.12','10.13','11.6','11.7','11.8')
	Azure Recovery Services vault is not configured with managed identity Identifies Recovery Services vaults that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in a code increases the threat surface in case of exploitation and also managed identities eliminate the need for developers to manage credentials. So as a security best practice, it is recommended to have the managed identity to your Recovery Services vault. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-recovery-service-vault' AND json.rule = properties.provisioningState equals Succeeded and (identity does not exist or identity.type equal ignore case "None")
	GCP Firewall rule exposes GKE clusters by allowing all traffic on port 10250 Identifies GCP Firewall rule allowing all traffic on port 10250 which allows GKE full node access. The port 10250 on the kubelet is used by the kube-apiserver (running on hosts labeled as Orchestration Plane) for exec and logs. As per security best practice, port 10250 should not be exposed to the public. config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[] equals ::0 or sourceRanges[] equals 0.0.0.0 or sourceRanges[] equals 0.0.0.0/0 or sourceRanges[] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10250,10250) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X; Permissions required to run the CLI: compute.firewalls.update compute.networks.updatePolicy
Policy Updates—RQL	AWS Network Load Balancer (NLB) is not using the latest predefined security policy Changes —AWS updated the recommended security policy for network load balancer configured with TLS. Due to this change, the policy RQL, description, and recommendation steps have been updated accordingly. Updated Description —Identifies Network Load Balancers (NLBs) are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. It is recommended to use ELBSecurityPolicy-TLS13-1-0-2021-06 policy if you require Forward Secrecy (FS) and use ELBSecurityPolicy-2016-08 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers. Current RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'type equals network and listeners[?any(protocol equals TLS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists' Updated RQL — config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists Impact —Medium. The alerts for resources which had older security policy will be resolved as ‘Policy_Updated’ and new alerts will be created if the security policy for network load balancer configured with TLS is not the same as recommended by AWS.
	GCP User managed service accounts have user managed service account keys Changes —The policy RQL is updated to exclude Prisma-cloud specific service account and the description is modified based on the updated RQL. Updated Description —Identifies user managed service accounts that use user managed service account keys instead of Google-managed. For user-managed keys, the User has to take ownership of key management activities. Even after owner precaution, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in downloads directory or accidentally leaving them on support blogs/channels. It is recommended to limit the use of User-managed service account keys and instead use Google-managed keys which can not be downloaded. This policy might alert the service accounts which are not created using Terraform for cloud account onboarding. These alerts are valid because no user-managed service account should be used for cloud account onboarding. Current RQL — config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X; Updated RQL — config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name does not contain prisma-cloud and $.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X; Impact —Medium. The RQL modification will resolve alerts associated with Prisma-cloud specific service accounts.
Policy Updates—Metadata	AWS EMR cluster is not enabled with local disk encryption using CMK Changes —The policy name and description are updated. Current Name —AWS EMR cluster is not enabled with local disk encryption using CMK Updated Name —AWS EMR cluster is not enabled with local disk encryption using Custom key provider Updated Description —Identifies AWS EMR clusters that are not enabled with local disk encryption using Custom key provider. Applications using the local file system on each cluster instance for intermediate data throughout workloads, where data could be spilled to disk when it overflows memory. With Local disk encryption at place, data at rest can be protected. Impact —No impact on existing alerts.
	Azure Policies Changes —The recommendations steps for the following policies are updated as per the Azure UI changes: Azure SQL databases Defender setting is set to Off Azure SQL server Defender setting is set to Off Azure SQL Databases with disabled Email service and co-administrators for Threat Detection Azure SQL Server ADS Vulnerability Assessment 'Also send email notifications to admins and subscription owners' is disabled Azure SQL Server ADS Vulnerability Assessment is disabled Azure SQL Server ADS Vulnerability Assessment 'Send scan reports to' is not configured Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled Impact —No impact on existing alerts.
Policy Deletions	Azure Policies Changes —The following policies are deleted because the Setting feature is no longer available in the Azure UI: Azure SQL Server threat logs retention is less than 91 days Azure SQL Database with Threat Retention less than or equals to 90 days Azure SQL Server threat detection alerts not enabled for all threat types Send alerts on field value on SQL Databases is misconfigured Threat Detection types on SQL databases is misconfigured Impact —Previously generated alerts will be resolved as Policy_Deleted. The compliance mapping for the above listed policies is removed due to which the compliance score can get affected. The affected compliance standards are: APRA, CMMC_1_02, CSA_CCM_V4, HITRUST942, ISO_27002_2013, ISO_27017_2015, LGPD, NIST_800_171R2, NIST_800_172, NIST_800_53_R4_AZU_LEG, NIST_800_53_R5_AZURE, NIST_CSF_V_1_1, PCIDSS_321, AZURE_CCPA, AZURE_PIPEDA, MLPS20_AZURE, AZURE_CSA_CCM_V301, AZURE_HITRUST_V93, AZURE_NIST_CSF, AZURE_SOC2, CIS_AZURE_120, CIS_AZURE_V1.1, ISO_27018_2019 Impact —Low impact on existing alerts.