FEATURE	DESCRIPTION
Simplified Onboarding of AWS, Azure, and GCP Cloud Accounts	Prisma Cloud now provides a simplified onboarding experience to adapt to your security priorities in a streamlined manner with support for CSPM, CWPP, Data Security, and Identity Security grouped as Foundational and/or Advanced capabilities (with a few enabled by default). The updated onboarding workflow provides a Faster First Time to Value (FTTV) by allowing you to onboard your AWS, Azure, or GCP cloud accounts and selecting the security capabilities in fewer clicks.
Support for New Regions on GCP	Prisma Cloud now ingests data for resources deployed in the Doha and Turin cloud regions on GCP. To review a list of supported regions, select Inventory Assets , and choose Cloud Region from the filter drop-down.
Addition of New IP Addresses	Prisma Cloud has added new NAT IP addresses to the existing list. Make sure to review the list and update the IP addresses in your allow lists.
`Enhancement` Intelligent Network Graph Provides Contextual View	Enhancements to Prisma Cloud’s Investigate Graph provide you with a comprehensive understanding of where your assets are deployed, potential environmental vulnerabilities and their risk level, to help you determine if further investigation is warranted. The new Intelligent Network Graph now provides a contextual view of cloud traffic patterns by automatically grouping assets based on parent relationships and creating a top-down hierarchy for every IP address associated with Prisma Cloud monitored assets. Expand the graph to the level of the asset you’re investigating and select View Details link in the sidecar to analyze specific network traffic flows. You can also download a CSV report of the traffic flow of your entire network, a node, an instance, or a specific connection between a source and a destination node. You can save Searches under My Saved Searches . Use Saved Searches to create custom policies to generate alerts when a specific pattern of network flow is detected.
`Enhancement` Adoption Advisor Thresholds	The thresholds on the Adoption Advisor are updated to give you a more accurate progress indicator for the following checks: Onboard and Configure Cloud Accounts Enable Audit Logs Enable Flow Logs Define Alert Rules Policies— Create Config Policies, Create Network Policies, and Create Audit Policies With this enhancement, your adoption progress should better reflect the checks you’re enforcing for your business needs, making it easier for you to see how well you’re doing.
`Enhancement` IsSubset method for RQL _Set function	The _Set function is enhanced to add support for the _Set.isSubset method that enables you to identify whether a specific value or comma separated list of values returned by the JSON path of the resource is fully contained within the target list. The syntax is: _Set.isSubset(<path>, <targelist>) is [ true \| false ] where <path> = JSON path <target_list> = a set of strings without any whitespace. Example: config from cloud.resource where api.name= 'aws-ec2-describe-security-groups' AND json.rule = groupName contains rql and _Set.isSubset(tags[].key,(Name,"no_value",rql**auto)) is true

API Ingestions

SERVICE	API DETAILS
Amazon Firewall Manager	aws-fms-admin-account Additional permission required: fms:GetAdminAccount You must manually add the permission or update the CFT template to enable them.
Amazon Firewall Manager	aws-fms-compliance-status Additional permissions required: fms:ListPolicies fms:ListComplianceStatus The Security Audit role includes the permissions.
Amazon Firewall Manager	aws-fms-policy Additional permissions required: fms:GetAdminAccount fms:ListPolicies fms:GetPolicy The Security Audit role only includes the permission fms:ListPolicies . You must manually add the permissions or update the CFT template to enable fms:GetPolicy and fms:GetAdminAccount .
`Update` Amazon RDS	aws-rds-db-cluster This API is updated to include a new field dBclusterParameterGroupArn in the resource JSON.
Azure CDN	azure-frontdoor-standardpremium-origin-groups Additional permissions required: Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/origingroups/read The Reader role includes the permissions.
Azure CDN	azure-frontdoor-standardpremium-security-policies Additional permissions required: Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/securitypolicies/read The Reader role includes the permissions.
`Update` Azure Event Hubs	azure-event-hub-namespace This API is updated to include the following new fields in the resource JSON: MinimumTlsVersion disableLocalAuth
`Update` Azure Service Bus	azure-service-bus-namespace This API is updated to include a new field MinimumTlsVersion in the resource JSON.
Google Cloud Function	gcloud-cloud-function-v2 Additional permissions required: cloudfunctions.locations.list cloudfunctions.functions.list cloudfunctions.functions.getIamPolicy The Viewer role includes the permissions.
Google Cloud Memorystore for Memcached	gcloud-memorystore-memcached-instance Additional permissions required: memcache.locations.list memcache.instances.list The Viewer role includes the permissions.
OCI Database	oci-database-autonomous-database Additional permission required: AUTONOMOUS_DATABASE_INSPECT You must download and execute the Terraform template from the console to enable the permission.
OCI Database	oci-database-db-home Additional permission required: DB_HOME_INSPECT You must download and execute the Terraform template from the console to enable the permission.
OCI Database	oci-database-db-home-patch Additional permission required: DB_HOME_INSPECT You must download and execute the Terraform template from the console to enable the permission.
OCI Database	oci-database-db-system-patch Additional permission required: DB_SYSTEM_INSPECT You must download and execute the Terraform template from the console to enable the permission.
OCI DataLabeling	oci-datalabeling-dataset Additional permissions required: DATA_LABELING_DATASET_INSPECT DATA_LABELING_DATASET_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI File Storage	oci-file-storage-mount-target Additional permissions required: COMPARTMENT_INSPECT MOUNT_TARGET_INSPECT MOUNT_TARGET_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI JMS	oci-jms-fleet Additional permissions required: FLEET_INSPECT FLEET_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh	oci-service-mesh-access-policy Additional permissions required: MESH_ACCESS_POLICY_LIST MESH_ACCESS_POLICY_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh	oci-service-mesh-virtual-deployment Additional permissions required: MESH_VIRTUAL_DEPLOYMENT_LIST MESH_VIRTUAL_DEPLOYMENT_READ MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ MESH_PROXY_DETAILS_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Service Mesh	oci-service-mesh-meshes Additional permissions required: SERVICE_MESH_LIST SERVICE_MESH_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Speech	oci-speech-transcription-job Additional permissions required: AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Vision	oci-vision-model Additional permissions required: AI_SERVICE_VISION_MODEL_INSPECT AI_SERVICE_VISION_MODEL_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Vision	oci-vision-project Additional permissions required: AI_SERVICE_VISION_PROJECT_INSPECT AI_SERVICE_VISION_PROJECT_READ You must download and execute the Terraform template from the console to enable the permissions.

New Policies

NEW POLICIES	DESCRIPTION
Workload Protection Policies	For protecting hosts and containers from runtime incidents and detecting vulnerabilities on these workloads, you have 3 new out-of-the-box policies: Serverless Functions detected with known Vulnerabilities (Workload Vulnerability) Host VM Images detected with known Vulnerabilities (Workload Vulnerability) Apps Embedded detected with Runtime Incidents (Workload Incident) To find these policies, select Policies and filter on the Policy Type Workload Incident and Workload Vulnerability. The Apps Embedded detected with Runtime Incidents policy will only work for GCP GCR and AWS Fargate, not AWS EKS and Azure ACI.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and unusual high volume data transfer activity	Identifies AWS EC2 instances which are publicly exposed, have critical or high vulnerabilities and high volume data transfer activity. The high volume data transfer could be a data exfiltration attempt. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Attackers can exploit vulnerabilities on the EC2 instance to compromise the confidentiality, integrity and availability of the affected EC2 instance and perform malicious actions. If network connectivity with remote systems known for high volume data transfer activity is observed on a publicly exposed and exploitable EC2 instance, it could indicate that the instance is already under attack or has been compromised. Immediate attention is required to investigate the high volume data transfer activity, remediate the critical or high vulnerabilities and restrict the public exposure reported for the EC2 instance as soon as possible. Policy Severity— Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptomining domain request activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for cryptomining domain request activities. Cryptomining domain request initiates suspicious DNS queries to domain names that are associated with known crypto-mining pools to generate new coins in cryptocurrencies such as Bitcoin and Monero. The network connectivity with remote systems known for cryptomining domain request on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and DGA domain request activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for DGA domain request activities. Domain generation algorithms (DGAs) are used to generate pseudo-random domain names, typically in large numbers within the context of establishing a malicious command-and-control (C2) communications channel. The network connectivity with remote systems known for DGA domain request activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.

Policy Updates

No Policy Updates for 23.4.2.

Changes in Existing Behavior

FEATURE	DESCRIPTION
Rate Limit Exception for GCP APIs	The API calls from Prisma Cloud now use quota from the onboarded GCP Projects instead of the GCP Project where the service account is created. This change enables Prisma Cloud to ingest resource metadata across multiple projects without exceeding the GCP API rate limits. To ensure continuous insights into all of your GCP resources and to prevent rate limit exception errors, follow the steps listed in prerequisites to onboard GCP and make sure to complete them. If you use the Terraform template provided by Prisma Cloud, the required permissions to the GCP service account are automatically enabled. Impact — Not completing the tasks may result in rate limit exception errors for Prisma Cloud’s authorized API calls to GCP.
Update for Google Compute APIs	Prisma Cloud now provides global region support, as well as a backend update to the resource ID for gcloud-compute-internal-lb-backend-service API. As a result, all resources for these APIs will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any. Impact —You may notice a reduced alert count. However, once the resources for gcloud-compute-internal-lb-backend-service resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE	DESCRIPTION
Cloud Accounts Endpoints	The following new endpoints are now available for the Cloud Accounts API: Save Account Config With Given Attributes - POST /config/v3/account Fetch Aws Org Master Account Details - GET /config/v3/account/awsorg/:id Performs a Permissions Check for the Given PCDS Account (AWS Org) - GET /config/v3/account/awsorg/:id/status
Data Security Settings Endpoints	The following new endpoints are now available for the Data Security Settings API: Clone Data Pattern - POST /config/v3/dss-api/data-pattern/clone/dssTenantId/:dssTenantId List Data Patterns - GET /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId Add Data Pattern - POST /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId Update Data Pattern - PUT /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId/pattern-id/:patternId Delete Data Pattern - DELETE /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId/pattern-id/:patternId Get Data Pattern by Name - GET /config/v3/dss-api/data-pattern/name/dssTenantId/:dssTenantId List Data Profiles - GET /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId Update Data Profile Status - PUT /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId Add Data Profile - POST /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId Get Data Profile Details - GET /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId Update Data Profile - PUT /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId Clone Data Profile - POST /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId Delete Data Profile - DELETE /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId Get Snippet Configuration - GET /config/v3/dss-api/snippets/dssTenantId/:dssTenantId Update Snippet Configuration - POST /config/v3/dss-api/snippets/dssTenantId/:dssTenantId Perform a Credit Estimation - POST /config/v3/estimated-credits Update the Resources Scan Config - PUT /config/v3/resource/configure Fetch All Resources for the PCDS Tenant - GET /config/v3/resources Generate an Azure Terraform Script for all Azure accounts under a PCDS Tenant - GET /config/v3/tenant/acl-script Fetch the Tenant Config for a PCDS Tenant - GET /config/v3/tenant/config Update the PCDS Tenant Resource Report Frequency - PUT /config/v3/tenant/resource/sizing/configure
New APIs for Onboarding GCP Cloud Accounts	The following new endpoints are now available for the Cloud Accounts API. Add GCP Cloud Account- POST /cas/v1/gcp_account Update GCP Cloud Account - PUT /cas/v1/gcp_account/:id Get GCP Cloud Account Status- POST /cas/v1/cloud_account/status/gcp Generate and Download the GCP Terraform Template- POST /cas/v1/gcp_template
New API to Get Cloud Account Deployment Types	The following new endpoint is added to get the deployment types of a cloud account. This endpoint is supported only for Alibaba account. Get Cloud Account Deployment Type - GET /cas/v1/cloud/:cloudType/deployment-type
New Parameter Added for Alibaba Account	A new parameter deployment type is added to the request or response body of the following endpoints. This parameter is supported only for Alibaba accounts. Add Cloud Account - POST /cloud/:cloud_type Update Cloud Account - PUT /cloud/:cloud_type/:id List Cloud Accounts - GET /cloud List Cloud Org Accounts - GET /cloud/:cloud_type/:id/project

Deprecation Notice

FEATURE	DESCRIPTION
`End of Support for AWS Classic EC2 Service`	The aws-ec2-classic-instance API is planned for deprecation at the end of April 2023. As AWS has announced the depreciation of the resource type, Prisma Cloud will no longer ingest the aws-ec2-classic-instance API. For more information, see Retiring EC2-Classic Networking.
`Prisma Cloud Data Security v1, v2 APIs`	The following Prisma Cloud Data Security APIs (v1, v2) for AWS cloud account onboarding, data settings, data profiles, snippets, and data patterns are deprecated: Cloud Accounts Endpoints Add Data Security Config (AWS Org) - POST /dlp/api/config/v2 Update Data Security Config (AWS Org) - PUT /dlp/api/config/v2 Check Data Security Preconditions (AWS Org) - POST /dlp/api/v1/config/awsorg/status Get Data Security Config (AWS Org) - GET /dlp/api/config/v2/:accountId Data Security Settings Endpoints List Data Resources - GET /dlp/api/v1/resource-inventory/resources Update Data Scan Config - PUT /dlp/api/config/v2/resource List Data Patterns - PUT /dlp/api/v1/dss-api/data-pattern Add Data Pattern - POST /dlp/api/v1/dss-api/data-pattern Clone Data Pattern - POST /dlp/api/v1/dss-api/data-pattern/clone Get Data Pattern Details - GET /dlp/api/v1/dss-api/data-pattern/id/:patternId Get Data Pattern By Name - GET /dlp/api/v1/dss-api/data-pattern/name Update Data Pattern - PUT /dlp/api/v1/dss-api/data-pattern/:patternId Delete Data Pattern - DELETE /dlp/api/v1/dss-api/data-pattern/:patternId List Data Profiles - GET /dlp/api/v1/dss-api/data-profile Add Data Profile - POST /dlp/api/v1/dss-api/data-profile Update Data Profile Status - PUT /dlp/api/v1/dss-api/data-profile Get Data Profile Details - GET /dlp/api/v1/dss-api/data-profile/id/:profileId Update Data Profile - PUT /dlp/api/v1/dss-api/data-profile/id/:profileId Clone Data Profile - POST /dlp/api/v1/dss-api/data-profile/id/:profileId Delete Data Profile - DELETE /dlp/api/v1/dss-api/data-profile/id/:profileId Get Snippet Configuration - GET /dlp/api/v1/dss-api/snippets Update Snippet Configuration - POST /dlp/api/v1/dss-api/snippets

New Features Introduced in 23.4.1

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

New Features

FEATURE	DESCRIPTION
Support for New Region on AWS	Prisma Cloud now ingests data for resources deployed in the Hyderabad cloud region on AWS. To review a list of supported regions, select Inventory Assets , and choose Cloud Region from the filter drop-down.
`Enhancement` OCI Terraform File Update	Prisma Cloud now supports over 100 IAM policy statements without requiring a service limit increase from OCI. With this change, you must update your existing Terraform file to enable read permissions for all the supported services necessary for an OCI tenant on Prisma Cloud.

API Ingestions

SERVICE	API DETAILS
Azure Virtual WAN	azure-vpn-server-configurations Additional permission required: Microsoft.Network/vpnServerConfigurations/read The Reader role includes the permission.
Azure Virtual WAN	azure-p2s-vpn-gateway Additional permission required: Microsoft.Network/p2sVpnGateways/read The Reader role includes the permission.
Google Certificate Authority Service	gcloud-certificate-authority-certificate-template Additional permissions required: privateca.locations.list privateca.certificateTemplates.list privateca.certificateTemplates.getIamPolicy The Viewer role includes the permissions.
Google Traffic Director Network Service	gcloud-traffic-director-network-service-gateway Additional permissions required: networkservices.locations.list networkservices.gateways.list The Viewer role includes the permissions.
Google Traffic Director Network Service	gcloud-traffic-director-network-service-mesh Additional permissions required: networkservices.locations.list networkservices.meshes.list networkservices.meshes.getIamPolicy The Viewer role includes the permissions.

New Policies

NEW POLICIES	DESCRIPTION
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and malware activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for malware activities. Malware includes viruses, trojans, worms and other types of malware that affect the popular open-source operating system. The network connectivity with remote systems known for malware activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and botnet activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for botnet activities. A Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection. The network connectivity with remote systems known for botnet activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptominer activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for cryptominer activities. Cryptominer hides on computers or mobile devices to surreptitiously use the machine’s resources to mine cryptocurrencies. The network connectivity with remote systems known for cryptominer activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and backdoor activity	Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for backdoor activities. A backdoor allows unauthorized remote access to the instances where the malware is installed while bypassing the authentication mechanisms in place. The network connectivity with remote systems known for backdoor activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised. Policy Severity— Critical.

Policy Updates

No Policy Updates for 23.4.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK

DESCRIPTION

Support for ISO/IEC 27001:2022

Prisma Cloud now supports the ISO/IEC 27001:2022 compliance standard.

ISO/IEC 27001:2022 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls while taking the organization’s information security risk environment into account.

With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s Compliance > Standard
page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

Changes in Existing Behavior

FEATURE	DESCRIPTION
Changes to Policy Severity Level `First announced in 23.2.1`	Prisma Cloud updated the system default policies to help you identify critical alerts and address them effectively. The policy severity levels for some system default policies are re-aligned to use the newly introduced Critical and Informational severities. Due to this change, the policies have five levels of severity; Critical, High, Medium, Low, and Informational. You can prioritize critical alerts first and then move on to the other levels. For more information, see the updated list of policies. Impact— Your existing open alerts associated with updated policies will have a change in their severity levels. If you have Alert rules set up based on the Policy Severity filter, there may be a decrease or increase in the number of alerts. The overall Compliance posture may change due to possible alert number changes. If you have alert rules configured for external integrations such as ServiceNow, this shift in the number of alerts may result in sending notifications for the Resolved or Open alerts. If you change a custom severity of a policy back to the default severity, the new severity update will apply. This update will not affect the severities of your custom policies or the system default policies for which you have manually changed the severities (custom severity). Also, if you have included a policy in at least one other alert rule (not based on severity filter) , there will be no change in the alert numbers. If you have any questions, contact your Prisma Cloud Customer Success Representative.
Update for Google Compute APIs	Prisma Cloud now provides global region support, as well as a backend update to the resource ID for gcloud-compute-url-maps , gcloud-compute-target-http-proxies , and gcloud-compute-target-https-proxies APIs. As a result, all resources for these APIs will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any. Impact —You may notice a reduced alert count. However, once the resources for gcloud-compute-url-maps , gcloud-compute-target-http-proxies , and gcloud-compute-target-https-proxies resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE	DESCRIPTION
New APIs for Onboarding Azure Cloud Accounts	The following new endpoints are now available for the Cloud Accounts API. Add Azure Cloud Account- POST /cas/v1/azure_account Update Azure Cloud Account- PUT /cas/v1/azure_account/:account_id Generate and Download the Azure Terraform Template- POST /cas/v1/azure_template
New APIs for Data Security Onboarding	The following new endpoints are now available for the Data Security Onboarding API. Fetch Account Config By Storage UUID- GET /config/v3/account/storageUUID/:id Fetch Account Config By PCDS Account ID- GET /config/v3/account/:id Update the account config for the specified PCDS Account ID- PUT /config/v3/account/:id Performs a Permissions Check for the Given PCDS Account- GET /config/v3/account/:id/status Generate an Azure Terraform Script- GET /config/v3/account/:subscriptionId/acl-script Generate an Azure Terraform Script- GET /config/v3/tenant/:tenantId/:subscriptionId/terraform-script

Features Introduced in May 2023

Features Introduced in March 2023

Prisma™ Cloud Release Notes

Features Introduced in April 2023

Features Introduced in April 2023

New Features Introduced in 23.4.2

New Features

API Ingestions

New Policies

Policy Updates

Changes in Existing Behavior

REST API Updates

Deprecation Notice

New Features Introduced in 23.4.1

New Features

API Ingestions

New Policies

Policy Updates

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

Recommended For You