Features Introduced in September 2022

Learn what's new on Prisma™ Cloud in September 2022.

New Features

FEATURE
DESCRIPTION
GA
Prisma Cloud Data Security—Support for Azure Subscription
Prisma Cloud now supports data security for your Azure Subscription accounts. After configuring Prisma Cloud Data Security for Azure, you can discover and classify data stored in Azure Blob Storage and protect against accidental exposure, misuse, or sharing of sensitive data.
You can set up Forward and Backward scan to scan your Azure resources for data security issues. You can also set up a custom scan or choose to scan all objects.
Prisma Cloud supports the following file types and sizes for Azure:
  • For data classification scanning, the file size must be less than 20MB
  • For malware scanning, the file size must be less than 20MB
  • Exposure evaluation for all file types.
Prisma Cloud provides out-of-the-box policies to detect sensitive blobs exposed in public storage accounts and malware blobs in Azure Blob storage accounts.
You can also create your own customized data security policy.
API support is not currently provided for Prisma Cloud Data Security for Azure.
Update
Prisma Cloud Data Security for AWS—New File Extension Supported for Data Classification Scanning
Prisma Cloud can now scan files with the .tsv extension on your storage buckets for data classification.
Update
Prisma Cloud Data Security for AWS—New Missing Permission
Prisma Cloud displays the s3:GetObject missing permission on the Data Security Settings page when your AWS bucket has KMS encryption enabled and Prisma Cloud does not have access to the bucket. You can resolve the issue and then configure data security for that bucket.

API Ingestions

SERVICE
API DETAILS
AWS DataSync
aws-datasync-location
Additional permissions required:
  • datasync:DescribeLocationEfs
  • datasync:ListLocations
  • datasync:DescribeLocationSmb
  • datasync:DescribeLocationFsxOpenZfs
  • datasync:DescribeLocationFsxWindows
  • datasync:DescribeLocationS3
  • datasync:DescribeLocationObjectStorage
  • datasync:DescribeLocationFsxOntap
  • datasync:ListTagsForResource
  • datasync:ListTasks
  • datasync:DescribeLocationHdfs
  • datasync:DescribeLocationFsxLustre
  • datasync:DescribeLocationNfs
This API will only ingest locations that the DataSync task uses.
The Security Audit role includes these permissions.
Amazon QLDB
aws-qldb-ledger
Additional permissions required:
  • qldb:ListLedgers
  • qldb:DescribeLedger
  • qldb:ListTagsForResource
Amazon Translate
aws-translate-terminology
Additional permissions required:
  • translate:ListTerminologies
  • translate:GetTerminology
The Security Audit role includes the permission translate:ListTerminologies.
Azure Advisor
azure-advisor-configurations
Additional permission required:
Microsoft.Advisor/configurations/read
The Reader role includes the permission.
Azure Analysis Services
azure-analysisservices-servers
Additional permission required:
Microsoft.AnalysisServices/servers/read
The Reader role includes the permission.
Azure App Configuration
azure-appconfiguration-configuration-stores
Additional permission required:
Microsoft.AppConfiguration/configurationStores/read
The Reader role includes the permission.
Azure Automanage
azure-automanage-configuration-profiles
Additional permission required:
Microsoft.Automanage/configurationProfiles/Read
The Reader role includes the permission.
Azure Container Apps
azure-app-container-apps
Additional permission required:
microsoft.app/containerapps/read
The Reader role includes the permission.
Azure Communication
azure-communication-services
Additional permission required:
Microsoft.Communication/CommunicationServices/Read
The Reader role includes the permission.
Azure Compute
azure-cloudservices-list
Additional permission required:
Microsoft.Compute/cloudServices/read
The Reader role includes the permission.
Azure Compute
azure-cloudservices-roleinstance-publicip
Additional permissions required:
  • Microsoft.Compute/cloudServices/read
  • Microsoft.Compute/cloudServices/roleInstances/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
The Reader role includes the permissions.
Azure Compute
azure-compute-dedicated-host-groups
Additional permission required:
Microsoft.Compute/hostGroups/read
The Reader role includes the permission.
Azure Hybrid Compute
azure-hybridcompute-machines
Additional permission required:
Microsoft.HybridCompute/machines/read
The Reader role includes the permission.
Azure Managed Grafana
azure-dashboard-grafana
Additional permission required:
Microsoft.Dashboard/grafana/read
The Reader role includes the permission.
Azure Stack HCI
azure-azurestackhci-clusters
Additional permission required:
Microsoft.AzureStackHCI/Clusters/Read
The Reader role includes the permission.
Azure Virtual Network
azure-network-public-ip-prefixes
Additional permission required:
Microsoft.Network/publicIPPrefixes/read
The Reader role includes the permission.
Google Dataproc Clusters
gcloud-dataproc-autoscaling-policy
Additional permissions required:
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.getIamPolicy
The Viewer role includes these permissions.
Google Dataplex
gcloud-dataplex-lake
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.lakes.getIamPolicy
The Viewer role includes these permissions.
Google Recommendation
gcloud-recommender-organization-iam-policy-lateral-movement-insight
Additional permission required:
recommender.iamPolicyLateralMovementInsights.list
The Viewer role includes this permission.

New Policies

See the look ahead updates for planned features and policy updates for 22.10.1.
POLICY NAME
DESCRIPTION
GCP KMS crypto key is anonymously accessible
Identifies GCP KMS crypto keys that are anonymously accessible. Granting permissions to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the KMS key. As a security best practice, it is recommended not to bind such members to the KMS IAM policy.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-kms-crypto-keys-list' AND json.rule = ((purpose does not equal ENCRYPT_DECRYPT) or (purpose equals ENCRYPT_DECRYPT and primary.state equals ENABLED)) and iamPolicy.bindings[*].members contains allUsers or iamPolicy.bindings[*].members contains allAuthenticatedUsers
GCP Cloud Run service is publicly accessible
Identifies GCP Cloud Run services that are publicly accessible. Granting the Cloud Run Invoker permission to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the Cloud Run service over the internet. Such access might not be desirable if sensitive data is stored at the location. As a security best practice, it is recommended to remove public access and assign the least privileges to the GCP Cloud Run service according to requirements.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-run-services-list' AND json.rule = status.conditions[?any(type equals Ready and status equals True)] exists and status.conditions[?any(type equals RoutesReady and status equals True)] exists and iamPolicy.bindings[?any(role equals roles/run.invoker and members is member of (allUsers, allAuthenticatedUsers))] exists

Policy Updates

POLICY NAME
DESCRIPTION
Policy Updates—RQL
Azure Function App doesn't redirect HTTP to HTTPS
Changes—
The policy RQL is enhanced to check for apps that are in the Running state and to increase accuracy of alerts.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and properties.httpsOnly is false
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.
Azure Function App doesn't use HTTP 2.0
Changes—
The policy RQL is enhanced to check for apps that are in the Running state and to increase accuracy of alerts.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and config.http20Enabled is false
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.
Azure Function App authentication is off
Changes—
The RQL has been updated to check apps with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and config.siteAuthEnabled is false
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.
Azure Function App client certificate is disabled
Changes—
The RQL has been updated to check apps with status 'RUNNING'.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and properties.clientCertEnabled is false
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.
Azure Function App doesn't use latest TLS version
Changes—
The RQL has been updated to check apps with status 'RUNNING'.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.minTlsVersion does not equal 1.2'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and config.minTlsVersion does not equal "1.2"
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.
Azure Function App doesn't have a Managed Service Identity
Changes—
The RQL has been updated to check apps with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running and kind contains functionapp and (identity.type does not exist or identity.principalId is empty)
Impact—
Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for Korea-Information Security Management System (K-ISMS)
Support is now available for Korea Information Security Management System (K-ISMS). This benchmark is a certification system to assess if an enterprise's or organization's information security management system is properly established, managed, and operated.

Change in Existing Behavior

FEATURE
DESCRIPTION
Access to Data for Deleted Assets
First announced in 22.4.1 and updated in 22.8.1 to list the new API.
The ability to view and investigate data for assets that have been deleted in cloud accounts which are onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. This is a change from the current behavior where you had access to the historical data for deleted assets, starting from the time you onboarded the account on Prisma Cloud.
To align with this change, Prisma Cloud will limit the time range filters to 90 days of history. To support use cases where further retention is required, a new API endpoint is available to Prisma Cloud users with the System Admin role to retrieve deleted asset records. For API details, see GET /config/api/v1/tenant/{prisma_id}/archiveList.

REST API Updates

CHANGE
DESCRIPTION
Prisma Cloud Code Security
The following new APIs are available for Code Security that allow you to retrieve the code review and integrated VCS repositories metadata, list of affected resources for suppression, BOM report and checkov version details, single repository and tag rule details, and enforcement rules.

New Features

FEATURE
DESCRIPTION
Top Priority Security Risks View with Command Center
The Command Center Dashboard provides you with a unified view of the top cloud security incidents and risks discovered across all the assets monitored by Prisma Cloud, grouped by the following threat vectors:
  • Incidents
  • Misconfigurations
  • Exposures
  • Identity Risks
  • Data Risks
Customizable filters allow you to isolate threat activity by time range, asset and account groups for further investigation. Now your security team has the actionable insight it needs to resolve the highest priority incidents and risks across all your cloud resources.
IAM Security Supports AWS Permission Boundaries
Prisma Cloud’s IAM security module algorithm now supports AWS Permission Boundaries in the Net Effective Permissions calculations, to help you better identify when a permission was last used.
Cloud Network Analyzer Support for Azure
Prisma Cloud now supports network exposure queries on Azure cloud environments. You can now calculate the net effective reachability for virtual machines or PaaS services in Azure.
Update
Azure Onboarding Permission
If you are using a Custom role while onboarding your Azure account, as per Microsoft's recommendation, you need to add Microsoft.Network/networkWatchers/queryFlowLogStatus/* in order to provide read-only permission to query flow log status in Network Watcher.

API Ingestions

SERVICE
API DETAILS
AWS Amplify
aws-amplify-app
Additional permission required:
amplify:ListApps
AWS Global Accelerator
aws-global-accelerator-accelerator
Additional permissions required:
  • globalaccelerator:ListTagsForResource
  • globalaccelerator:ListAccelerators
  • globalaccelerator:DescribeAcceleratorAttributes
The Security Audit role includes these permissions.
Amazon Route53
aws-route53-query-logging-config
Additional permission required:
route53:ListQueryLoggingConfigs
The Security Audit role includes this permission.
Azure HDInsight
azure-hdinsight-applications
Additional permissions required:
  • Microsoft.HDInsight/clusters/read
  • Microsoft.HDInsight/clusters/applications/read
The Reader role includes the permissions.
Azure Subscriptions
azure-subscription-tenantpolicy
Additional permission required:
Microsoft.Subscription/Policies/default/read
The Reader role includes the permission.
Google Cloud Data Loss Prevention
gcloud-dlp-project-stored-infotype
Additional permission required:
dlp.storedInfoTypes.list
The Viewer role includes this permission.
Google Recommendation
gcloud-recommender-project-iam-policy-lateral-movement-insight
Additional permission required:
recommender.iamPolicyLateralMovementInsights.list
The Viewer role includes this permission.
Google Dataproc Clusters
gcloud-dataproc-workflow-template
Additional permissions required:
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.getIamPolicy
The Viewer role includes these permissions.
OCI MySQL
oci-mysql-dbsystems
Additional permissions required:
  • read mysql-insta
  • inspect mysql-instances
You must add these permissions manually.

New Policies

See the look ahead updates for planned features and policy updates for 22.9.2.
POLICY NAME
DESCRIPTION
AWS SQS Queue not configured with server side encryption
Identifies AWS SQS queues which are not configured with server side encryption. Enabling server side encryption would encrypt all messages that are sent to the queue and the messages are stored in encrypted form. Amazon SQS decrypts a message only when it is sent to an authorized consumer. It is recommended to enable server side encryption for AWS SQS queues in order to protect sensitive data in the event of a data breach or malicious users gaining access to the data.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.KmsMasterKeyId does not exist and attributes.SqsManagedSseEnabled is false
Azure PostgreSQL (PaaS) instance reachable from untrust internet source on TCP port 5432
Identifies Azure PostgreSQL (PaaS) instances that are internet reachable from an untrusted internet source on TCP port 5432. PostgreSQL (PaaS) instances with untrusted access from the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE' and dest.paas.service.type in ( 'MicrosoftDBforPostgreSQLFlexibleServers', 'MicrosoftDBforPostgreSQLServers' ) and protocol.ports = 'tcp/5432'
Azure MySQL (PaaS) instance reachable from untrust internet source on TCP port 3306
Identifies Azure MySQL (PaaS) instances that are internet reachable from an untrusted internet source on TCP port 3306. MySQL (PaaS) instances with untrusted access from the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE' and dest.paas.service.type in ( 'MicrosoftDBforMySQLFlexibleServers', 'MicrosoftDBforMySQLServers' ) and protocol.ports = 'tcp/3306'
Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Identifies Azure VM instances in the running state that are internet reachable with unrestricted access (0.0.0.0/0) on ports other than the HTTP/HTTPS ports. VM instances with unrestricted access from the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
The HTTP-80 and HTTPS-443 web ports are excluded as these are internet-facing ports with legitimate traffic.
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AZURE' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' ) and dest.resource.state = 'Active'
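As an added example that is not part of the original release notes, the following Python reproduces the port logic of this network policy against constructed NSG-style rules: a rule matches only when the VM is running, the source is the full 0.0.0.0/0 match, and its destination ports overlap any TCP port other than 80 or 443. The rule dictionary layout, the set of "any source" values and the vm_state argument are assumptions made for the example, not a Prisma Cloud data model.

```python
# Port ranges from the policy RQL: every TCP port except 80 and 443.
NON_WEB_RANGES = [(0, 79), (81, 442), (444, 65535)]

# Source values taken to mean "any address" (the RQL's full_match on 0.0.0.0/0).
# Assumption for this example.
ANY_SOURCE = {"0.0.0.0/0", "*"}


def parse_port_range(spec: str) -> tuple[int, int]:
    """Parse a destination port spec such as '*', '22' or '8000-8080' into (low, high)."""
    spec = spec.strip()
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        low, high = spec.split("-", 1)
        return (int(low), int(high))
    return (int(spec), int(spec))


def overlaps_non_web_port(spec: str) -> bool:
    """True when the port spec touches any port other than 80 or 443."""
    low, high = parse_port_range(spec)
    return any(low <= r_high and high >= r_low for r_low, r_high in NON_WEB_RANGES)


def exposes_non_web_port(rule: dict, vm_state: str) -> bool:
    """Constructed NSG-style rule with keys access, direction, protocol, source, dest_ports."""
    if vm_state.lower() != "running":          # dest.resource.state = 'Active'
        return False
    if rule["access"].lower() != "allow" or rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("tcp", "*"):
        return False
    if rule["source"] not in ANY_SOURCE:        # address.match.criteria = 'full_match'
        return False
    return any(overlaps_non_web_port(spec) for spec in rule["dest_ports"])


# Constructed sample rules (not real configuration).
HTTPS_ONLY = {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
              "source": "0.0.0.0/0", "dest_ports": ["443"]}
SSH_OPEN = {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
            "source": "*", "dest_ports": ["22"]}
WEB_RANGE = {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
             "source": "0.0.0.0/0", "dest_ports": ["80-443"]}   # 81-442 are not web ports
INTERNAL_ANY = {"access": "Allow", "direction": "Inbound", "protocol": "*",
                "source": "10.0.0.0/8", "dest_ports": ["*"]}

if __name__ == "__main__":
    for name, rule in [("HTTPS_ONLY", HTTPS_ONLY), ("SSH_OPEN", SSH_OPEN),
                       ("WEB_RANGE", WEB_RANGE), ("INTERNAL_ANY", INTERNAL_ANY)]:
        print(name, exposes_non_web_port(rule, "running"))
```

Note that a range such as 80-443 is flagged even though both of its endpoints are web ports, because the ports in between are not.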
GCP BigQuery Dataset not configured with default CMEK
Identifies BigQuery Datasets that are not configured with default CMEK. Setting a Default Customer-Managed Encryption Key (CMEK) for a data set ensures any tables created in the future will use the specified CMEK if none other is provided. It is recommended to configure all BigQuery Datasets with default CMEK.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = defaultEncryptionConfiguration.kmsKeyName does not exist
GCP Cloud Function is publicly accessible
Identifies GCP Cloud Functions that are publicly accessible. Granting 'allUsers' / 'allAuthenticatedUsers' access to cloud functions can lead to unauthorized invocation of the functions or unwanted access to sensitive information. It is recommended to follow the least privileged access policy and grant access restrictively.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and iamPolicy.bindings[?any(members[*] is member of ("allAuthenticatedUsers","allUsers"))] exists
IAM Security
New Policies
Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Owner
Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Owner with managed identities provides broad permissions sets for a non-human identity that can lead to privilege escalation. A few examples are: virtual machine lateral movement (like running commands on other VMs), storage account access, and configuration access.
config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Owner'
Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Contributor
Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Contributor with managed identities provides broad permissions sets for a non-human identity that can lead to privilege escalation. A few examples are: virtual machine lateral movement (like running commands on other VMs), storage account access, and configuration access.
config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Contributor'
Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Reader
Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Reader with managed identities provides broad permissions sets for a non-human identity that can lead to several scenarios of subscription information enumeration.
config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Reader'
Azure Managed Identity (user assigned or system assigned) with Key Vault access
Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Providing Key Vault access lets non-human identities query key vaults for credential and secret data.
config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.service.name = 'Microsoft.KeyVault'
Azure Managed Identity with permissions to manage Azure permissions broadly that was unused in the last 90 days
Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Managed identities with the ability to change Azure permissions through role assignments hold risky permissions that can lead to privilege escalation.
config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.resource.name = '*' AND action.name STARTS WITH 'Microsoft.Authorization/roleAssignments/' AND action.lastaccess.days > 90
Azure Managed Identity with permissions to other subscriptions
Identifies the Azure resources which can be accessed from another subscription (cross-account) through IAM policies.
config from iam where source.cloud.type = 'Azure' AND source.cloud.account != dest.cloud.account AND source.cloud.resource.type != 'user'
Azure AD user with the Azure built-in roles of Owner
Using the Azure built-in role of Owner with Azure AD users provides broad permissions sets that can lead to privilege escalation. A few examples are virtual machine lateral movement (like running commands on other VMs), storage account access and configuration access.
config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Owner'
Azure AD user with the Azure built-in roles of Contributor
Using the Azure built-in role of Contributor with Azure AD users provides broad permissions sets that can lead to privilege escalation. A few examples are virtual machine lateral movement (like running commands on other VMs), storage account access and configuration access.
config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Contributor'
Azure AD user with the Azure built-in roles of Reader
Using the Azure built-in role of Reader with Azure AD users provides broad permissions sets that can lead to several scenarios of subscription information enumeration.
config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role' AND grantedby.cloud.policy.name = 'Reader'
Azure AD users with Key Vault access
Providing Key Vault access lets users query key vaults for credential and secret data. The least privilege model should be enforced and unused sensitive permissions should be revoked.
config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND dest.cloud.service.name = 'Microsoft.KeyVault'
Azure AD user with permissions to manage Azure permissions broadly that was not used in the last 90 days
Azure AD users with the ability to change Azure permissions through role assignments hold risky permissions that can lead to privilege escalation.
config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND dest.cloud.resource.name = '*' AND action.name STARTS WITH 'Microsoft.Authorization/roleAssignments/' AND action.lastaccess.days > 90

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates—RQL
AWS ElastiCache Redis with in-transit encryption disabled (Non-replication group)
Changes—
The policy RQL has been updated to report only AWS Redis resources. Due to the ingestion of Memcached clusters, the policy was listing Memcached resources along with AWS ElastiCache Redis, which did not have in-transit encryption enabled and resulted in false positive alerts.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = transitEncryptionEnabled is false and replicationGroupId does not exist
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = engine equals redis and transitEncryptionEnabled is false and replicationGroupId does not exist
Impact—
Low. The existing alerts that were reporting for Memcached clusters are resolved with resolution status as Policy_Updated.
AWS RDS minor upgrades not enabled
Changes—
The policy RQL has been updated to ignore false positive alerts for AWS DocumentDB and NeptuneDB.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
Impact—
Low. The existing alerts for AWS DocumentDB and NeptuneDB resources are resolved with resolution status as Policy_Updated.
AWS SNS topic policy overly permissive for publishing
Changes—
The policy RQL has been updated so that the condition statement check also matches statements whose Condition block is empty.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Publish or Action contains sns:Publish) and Condition does not exist)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Publish or Action contains sns:Publish) and (Condition does not exist or Condition all empty))] exists
Impact—
Medium. New alerts are generated for AWS SNS topics with condition statements and Policy actions with SNS:Publish permissions.
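To show what the updated RQL catches that the current one misses, here is an added Python check, not Prisma Cloud's own code, that evaluates constructed SNS topic policies under both rule versions; the policy documents, the updated_rule switch and the reading of "Condition all empty" as "no operator carries any key" are assumptions made for the example.

```python
import json

# Constructed SNS topic policies for the example (not real topics or accounts).
NO_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:000000000000:example-topic",
    }],
})
EMPTY_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sns:Publish", "sns:Subscribe"],
        "Resource": "arn:aws:sns:us-east-1:000000000000:example-topic",
        "Condition": {"StringEquals": {}},      # present but carries no keys
    }],
})
SCOPED_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:000000000000:example-topic",
        "Condition": {"StringEquals": {"aws:SourceAccount": "000000000000"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    """Matches 'Principal equals *' or 'Principal.AWS equals *' from the RQL."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_all_empty(condition: dict) -> bool:
    """'Condition all empty': no operator in the block carries any key/value pair (assumed reading)."""
    return all(not keys for keys in condition.values())


def publish_overly_permissive(policy_json: str, updated_rule: bool) -> bool:
    """True if an Allow statement grants sns:Publish to everyone without an effective condition.

    updated_rule=False reproduces the current RQL (Condition must be absent);
    updated_rule=True reproduces the updated RQL (Condition absent or all empty).
    """
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # The RQL uses 'contains' on the Action value, so substring match in either case.
        if not any("sns:publish" in str(a).lower() for a in _as_list(stmt.get("Action"))):
            continue
        if "Condition" not in stmt:
            return True
        if updated_rule and _condition_all_empty(stmt["Condition"]):
            return True
    return False


if __name__ == "__main__":
    for name, doc in [("NO_CONDITION", NO_CONDITION), ("EMPTY_CONDITION", EMPTY_CONDITION),
                      ("SCOPED_CONDITION", SCOPED_CONDITION)]:
        print(f"{name}: current={publish_overly_permissive(doc, False)} "
              f"updated={publish_overly_permissive(doc, True)}")
```

The EMPTY_CONDITION policy is the case behind the Medium impact: it was silent under the current RQL and raises a new alert under the updated one.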
AWS CloudFront web distribution that allow TLS versions 1.0 or lower
Changes—
The policy name, description, and RQL are updated to match the latest recommended TLS version.
Current Policy Name—
AWS CloudFront web distribution that allow TLS versions 1.0 or lower
Updated Policy Name—
AWS CloudFront web distribution using insecure TLS version
Updated Description—
Identifies AWS CloudFront web distributions which are configured with insecure TLS versions for HTTPS communication between viewers and CloudFront. As a best practice, use the recommended TLSv1.2_2021 as the minimum protocol version in your CloudFront distribution security policies.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = 'viewerCertificate.certificateSource does not contain cloudfront and (viewerCertificate.minimumProtocolVersion equals TLSv1 or viewerCertificate.minimumProtocolVersion equals TLSv1_2016)'
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = viewerCertificate.certificateSource does not contain cloudfront and viewerCertificate.minimumProtocolVersion does not equal TLSv1.2_2021
Impact—
Medium. New alerts are generated for AWS CloudFront distributions where the new recommended TLS version policy is not met.
AWS ElastiCache Redis with in-transit encryption disabled (Non-replication group)
Changes—
The policy RQL has been updated to report only AWS Redis resources. Due to the ingestion of Memcached clusters, the policy was listing Memcached resources along with AWS ElastiCache Redis, which did not have in-transit encryption enabled and resulted in false positive alerts.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = transitEncryptionEnabled is false and replicationGroupId does not exist
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = engine equals redis and transitEncryptionEnabled is false and replicationGroupId does not exist
Impact—
Low. The existing alerts that were reporting for Memcached clusters are resolved with resolution status as Policy_Updated.
AWS RDS minor upgrades not enabled
Changes—
The policy RQL has been updated to ignore false positive alerts for AWS DocumentDB and NeptuneDB.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
Impact—
Low. The existing alerts for AWS DocumentDB and NeptuneDB resources are resolved with the resolution status Policy_Updated.
AWS SNS topic policy overly permissive for publishing
Changes—
The policy RQL has been updated to ignore the condition statement check in the RQL.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Publish or Action contains sns:Publish) and Condition does not exist)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Publish or Action contains sns:Publish) and (Condition does not exist or Condition all empty))] exists
Impact—
Medium. New alerts are generated for AWS SNS topics with condition statements and Policy actions with SNS:Publish permissions.
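Added example, not part of the release notes or Prisma Cloud's own code: the current and updated SNS predicates re-expressed in plain Python over constructed topic policies, so the effect of adding "Condition all empty" can be checked locally against a GetTopicAttributes Policy document. Treating "all empty" as an empty Condition block, or one whose operators carry no values, is an assumption about the RQL semantics.

```python
import json

# Constructed sample topic policies (not taken from the release notes); each is
# the JSON document found in the "Policy" attribute of GetTopicAttributes.
OPEN_NO_CONDITION = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish", "Resource": "*"}]}
OPEN_EMPTY_CONDITION = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["sns:Publish"], "Resource": "*",
     "Condition": {}}]}
SCOPED_BY_CONDITION = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish", "Resource": "*",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(stmt):
    # Mirrors "Principal.AWS equals * or Principal equals *".
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _allows_publish(stmt):
    # RQL "contains" is a substring match, so compare case-insensitively on substrings.
    return any("sns:publish" in str(a).lower() for a in _as_list(stmt.get("Action", [])))


def _condition_unrestricted(stmt, flag_empty_condition):
    cond = stmt.get("Condition")
    if cond is None:                       # "Condition does not exist"
        return True
    if not flag_empty_condition:           # current RQL stops here
        return False
    # Assumed reading of "Condition all empty": no operators, or operators
    # whose value maps are all empty, so the block restricts nothing.
    return not cond or all(not v for v in cond.values())


def overly_permissive(policy, updated_rule=True):
    """True when any statement matches the policy predicate.

    updated_rule=False mirrors the current RQL; updated_rule=True mirrors the
    updated RQL, which additionally flags statements with an empty Condition.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt)
               and _allows_publish(stmt) and _condition_unrestricted(stmt, updated_rule)
               for stmt in _as_list(policy.get("Statement", [])))
```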
Policy Updates—Metadata
GCP PostgreSQL instance database flag log_connections is disabled
Changes—
The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact—
No impact on existing alerts.
GCP Kubernetes Engine Clusters have Binary authorization disabled
Changes—
Updated policy recommendation steps to reflect the latest CSP changes.
Impact—
No impact on existing alerts.
GCP Log bucket retention policy is not configured using bucket lock
Changes—
Updated policy recommendation steps to reflect the latest CSP changes.
Impact—
No impact on existing alerts.

Change in Existing Behavior

FEATURE
DESCRIPTION
Region Support for Google Compute Engine
Region support for the gcp-compute-disk-list API is enabled on Prisma Cloud. Due to this, all the resources for gcp-compute-disk-list are deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts are generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcp-compute-disk-list start ingesting data again.

REST API Updates

CHANGE
DESCRIPTION
Licensing APIs
The following new endpoints are available for Licensing APIs:
  • Usage Count By Cloud Type V2
    - POST /license/api/v2/usage - This is a new Licensing API that allows you to get paginated usage data in the response object for the selected cloud types.
  • Resource Usage Over Time V2
    - POST /license/api/v2/time_series - This is a new Licensing API that allows you to get a breakdown of resource usage over time.
Alert Rules APIs
The following Alert Rules APIs are updated with a new filter called Alert Rule Policy Filter, which allows you to filter alerts based on policy severity, policy label, cloud type, and compliance standard:
