The Adoption Advisor dashboard and report now provide valuable insights on your workload defense coverage through both agentless scanning and Defenders. In addition to the information on how many hosts and cloud accounts are protected with Defenders, you can now review how many hosts are scanned using agentless security. This way, you’ll have a comprehensive picture of the total number of hosts that are protected and scanned using Prisma Cloud.

API Ingestions

SERVICE	API DETAILS
Amazon VPC	aws-ec2-traffic-mirroring Additional permission required: ec2:DescribeTrafficMirrorSessions The Security Audit role includes the permission.
Amazon VPC	aws-ec2-customer-gateway Additional permission required: ec2:DescribeCustomerGateways The Security Audit role includes the permission.
AWS Support	aws-support-case Additional permission required: support:DescribeCases You must manually add the permission or update the CFT template to enable it.
Azure Log Analytics	azure-log-analytics-linked-storage-accounts Additional permissions required: Microsoft.OperationalInsights/workspaces/read Microsoft.OperationalInsights/workspaces/storageinsightconfigs/read The Reader role includes the permissions.
Azure SQL Database	azure-sql-db-long-term-retention-policies Additional permissions required: Microsoft.Sql/servers/read Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/read The Reader role includes the permissions.
Azure Synapse Analytics	azure-synapse-workspace-managed-sql-server-vulnerability-assessments Additional permissions required: Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/read The Reader role includes the permissions.
Google Cloud Billing	gcloud-billing-project-billing-info Additional permission required: resourcemanager.projects.get The Viewer role includes the permission.
Google Cloud Identity Platform	gcloud-identity-platform-tenant-idp-configuration Additional permissions required: firebaseauth.configs.get identitytoolkit.tenants.list identitytoolkit.tenants.get The Viewer role includes the permissions.
Google Cloud Identity Platform	gcloud-identity-platform-project-idp-configuration Additional permission required: firebaseauth.configs.get The Viewer role includes the permission.
Google Stackdriver Logging	gcloud-logging-project-setting Additional permission required: logging.cmekSettings.get You must manually add the permission or update the Terraform template to enable it.

New Policies

NEW POLICIES	DESCRIPTION
AWS Lambda function URL having overly permissive cross-origin resource sharing permissions	Identifies AWS Lambda functions which have overly permissive cross-origin resource sharing (CORS) permissions. Overly permissive CORS settings (allowing wildcards) can potentially expose the Lambda function to unwarranted requests and cross-site scripting attacks. It is highly recommended to specify the exact domains (in 'allowOrigins') and HTTP methods (in 'allowMethods') that should be allowed to interact with your function to ensure a secure setup. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-lambda-list-functions' AND json.rule = cors exists and cors.allowOrigins[] contains "" and cors.allowMethods[] contains ""
AWS Auto Scaling group launch configuration has public IP address assignment enabled	Identifies the autoscaling group launch configuration that is configured to assign a public IP address. Auto Scaling groups assign a public IP address to the group’s ec2 instances if its associated launch configuration is configured to assign a public IP address. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet. It is recommended that the Amazon EC2 instances in an autoscaling group launch configuration do not have an associated public IP address except for limited edge cases. Policy Severity— Medium Policy Type— Config config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration' AND json.rule = associatePublicIpAddress exists and associatePublicIpAddress is true
AWS Auto Scaling group launch configuration configured with Instance Metadata Service hop count greater than 1	Identifies the autoscaling group launch configuration where the Instance Metadata Service network hops count is set to greater than 1. A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. With the metadata response hop limit count for the IMDS greater than 1, the PUT response that contains the secret token can travel outside the EC2 instance. Only metadata with a limited hop count for all your EC2 instances is recommended. Policy Severity— Medium Policy Type— Config config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration' AND json.rule = metadataOptions.httpEndpoint exists and metadataOptions.httpEndpoint equals "enabled" and metadataOptions.httpPutResponseHopLimit greater than 1 as X; config from cloud.resource where api.name = 'aws-describe-auto-scaling-groups' as Y; filter ' $.X.launchConfigurationName equal ignore case $.Y.launchConfigurationName'; show X;
AWS Auto Scaling group launch configuration not configured with Instance Metadata Service v2 (IMDSv2)	Identifies the autoscaling group launch configuration where IMDSv2 is set to optional. A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. With IMDSv2, every request is now protected by session authentication. Version 2 of the IMDS adds new protections that weren’t available in IMDSv1 to further safeguard your EC2 instances created by the autoscaling group. It is recommended to use only IMDSv2 for all your EC2 instances. Policy Severity— Medium Policy Type— Config config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration' AND json.rule = (metadataOptions.httpEndpoint does not exist) or (metadataOptions.httpEndpoint equals "enabled" and metadataOptions.httpTokens equals "optional") as X; config from cloud.resource where api.name = 'aws-describe-auto-scaling-groups' as Y; filter ' $.X.launchConfigurationName equal ignore case $.Y.launchConfigurationName'; show X;
Azure Database for MySQL server not configured private endpoint	Identifies Azure MySQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-server' AND json.rule = properties.userVisibleState equal ignore case Ready and properties.privateEndpointConnections[*] is empty
Azure Cache for Redis not configured with data in-transit encryption	Identifies Azure Cache for Redis which are not configured with data encryption in transit. Enforcing an SSL connection helps prevent unauthorized users from reading sensitive data that is intercepted as it travels through the network, between clients/applications and cache servers, known as data in transit. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cache-redis' AND json.rule = properties provisioningState equal ignore case Succeeded and properties.enableNonSslPort is true
Azure PostgreSQL servers not configured private endpoint	Identifies Azure PostgreSQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure PostgreSQL database. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.userVisibleState equal ignore case Ready and properties.privateEndpointConnections[*] is empty
Azure SQL Database server not configured private endpoint	Identifies Azure SQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for SQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure SQL database. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = properties.userVisibleState equal ignore case Ready and properties.privateEndpointConnections[*] is empty
Azure Database for MariaDB not configured private endpoint	Identifies Azure MariaDB database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure MariaDB database. Policy Severity— Medium Policy Type— Config config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equal ignore case Ready and properties.privateEndpointConnections[*] is empty

Policy Updates

POLICY UPDATES	DESCRIPTION
Updates to Attack Path Policy Names	All Attack Path policy names are being revised to use a new format to help you identify the risks and impact better. Impact— No impact since only the policy names are updated.
Policy Updates—RQL
AWS CloudTrail is not enabled with multi trail and not capturing all management events	Changes— The policy RQL is updated to check if logging all management events has been enabled via basic or advanced event selectors. Severity— Informational Policy Type— Config Current RQL— config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails' AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X; config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status' AND json.rule = 'status.isLogging equals true' as Y; config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors' AND json.rule = 'eventSelectors[].readWriteType contains All' as Z; filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1 Updated RQL—* config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails' AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X; config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status' AND json.rule = 'status.isLogging equals true' as Y; config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors' AND json.rule = '(eventSelectors[].readWriteType contains All and eventSelectors[].includeManagementEvents equal ignore case true) or (advancedEventSelectors[].fieldSelectors[].equals contains "Management" and advancedEventSelectors[].fieldSelectors[].field does not contain "readOnly" and advancedEventSelectors[].fieldSelectors[].field does not contain "eventSource")' as Z; filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1 Impact— Medium. Alerts will be generated when the logging of all management events are not enabled by default through advanced selectors. Existing alerts where the logging of all management events was enabled via advanced selectors will be resolved.
GCP VM instances have block project-wide SSH keys feature disabled	Changes— The policy RQL is updated to check for enabling OS login for the GCP VM instances. Severity— Low Policy Type— Config Current RQL— config from cloud.resource where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and (metadata.items[?any(key exists and key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and name does not start with "gke-") as Y; filter '$.Y.zone contains $.X.name'; show Y; Updated RQL— config from cloud.resource where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and commonInstanceMetadata.items[?any(key contains "ssh-keys")] exists as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and ( metadata.items[?any(key exists and key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and metadata.items[?any(key exists and key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and name does not start with "gke-") as Y; filter '$.Y.zone contains $.X.name'; show Y; Impact— Low. Alerts will be generated where the enable OS-login is not enabled for the GCP VM instances. Existing alerts where the block-project-ssh-keys are disabled at the project level are resolved as Policy_Updated .
Policy Updates—Metadata
Updates to Azure Policy Names	Changes— The policy names are revised as follows: Current Policy Name— Azure storage account logging for tables is disabled Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for tables is disabled Current Policy Name— Azure storage account logging for blobs is disabled Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for blobs is disabled Current Policy Name— Azure storage account logging for queues is disabled Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for queues is disabled Severity— Informational Policy Type— Config Impact— No impact since only the policy names are updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK

DESCRIPTION

Support for CIS AWS Foundations Benchmark v2.0.0

Prisma Cloud now supports the CIS AWS Foundations Benchmark v2.0.0 compliance standard. This benchmark specifies best practices for configuring AWS services in accordance with industry best practices.

You can now view this built-in standard and the associated policies on the

Compliance

Standard

page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time.

Changes in Existing Behavior

FEATURE	DESCRIPTION
Code Security has a New Name	Cloud Application Security is the new name for the combination of the Cloud Code Security capabilities and the newly introduced CI/CD Security module. CI/CD Security is available as a standard a-la-carte option or as an add-on with the Prisma Cloud Runtime Security Foundations or Advanced bundles.
`Update` Amazon Inspector API	Prisma Cloud will no longer ingest metadata for aws-inspector-v2-finding API. Due to this change, you will no longer be able to view the list the assets on the Investigate page and perform an RQL search query for this API. Impact—All the resources that were ingested as a part of the aws-inspector-v2-finding API will be removed, and all existing alerts associated with the API will be resolved as Resource_Deleted .

REST API Updates

No REST API updates for 23.8.2.

New Features Introduced in 23.8.1

Changes in Existing Behavior

REST API Updates

New Features

FEATURE	DESCRIPTION
Attack Path Analysis and Visualization	Prisma Cloud now includes attack path analysis and visualization that identifies attack paths and presents them in a graph view, offering valuable security context to protect against high-risk threats. It is an automated process that identifies the exposed vulnerable assets and indicates the likelihood of a breach which often requires immediate action. Whenever there is a policy violation, the attack path policy generates an alert as long as there is a matching alert rule. You can see additional information in the graph view by clicking on the node. Additionally, the asset detail view displays the finding types and vulnerabilities. To review these policies, select Policies and filter by Policy Type Attack Path . Attack Path policies are not available in China and Government regions.
Credit Requirements Updates	Starting August 1 2023, Prisma Cloud Enterprise Edition will reduce the number of credits required. Visibility, Compliance, and Governance (for CSPM use cases) will only require 1 credit per virtual machine (AWS EC2s, Azure Virtual Machines and Virtual Machine Scale Sets, Google Cloud Google Compute Engine (GCE), Oracle Cloud (OCI) Compute, Alibaba Cloud ECS). Load Balancers, NAT gateways, Databases and Data Warehouse cloud resources will no longer require credits. IAM Security (for CIEM use cases) will only require 0.25 credit per virtual machine. Load Balancers, NAT gateways, Databases and Data Warehouse cloud resources will no longer require credits. Host Security credit requirements reduce from 1 to 0.5 credit per Host Defender. Container Security credit requirements reduce from 7 to 5 credits per Container Defender. Web Application and API Security credit requirements reduce from 30 to 2 credits per Defender performing inline protection. The Prisma Cloud Enterprise Edition Licensing Guide will reflect these changes on August 1, 2023.
Support for New Region on AWS	Prisma Cloud now ingests data for resources deployed in the Spain region on AWS. To review a list of supported regions, select Inventory Assets , and choose Cloud Region from the filter drop-down.
`Enhancement` Tenant-Level Opt-Out for Prisma Cloud Chronicles	For greater control and flexibility for system administrators within your organization, you can now opt-out all your administrators from receiving the Prisma Cloud Chronicles at the tenant level Settings Enterprise Settings Unsubscribe from Prisma Cloud Chronicles . An email is sent to all administrators notifying them that a System Administrator has opted them out. Each administrator who wants to receive the latest weekly updates can edit their preference on their Prisma Cloud user profile to opt-in to receive the newsletter.

API Ingestions

SERVICE	API DETAILS
AWS Cost Explorer	aws-costexplorer-cost-and-usage Additional permission required: ce:GetCostAndUsage You must manually add the permission or update the CFT template to enable the permission.
Amazon ElastiCache	aws-elasticache-user Additional permission required: elasticache:DescribeUsers The Security Audit role includes the permission.
Amazon Macie	aws-macie2-administrator-account Additional permission required: macie2:ListOrganizationAdminAccounts You must manually add the permission or update the CFT template to enable the permission.
`Update` Amazon Simple Email Service	aws-ses-identities Additional permission required: ses:GetIdentityVerificationAttributes
`Update` Amazon VPC	aws-ec2-describe-flow-logs The resource JSON for this API will be updated to include the DeliverLogStatus field.
Azure Data Lake Store Gen1	azure-data-lake-store-gen1-diagnostic-settings Additional permissions required: Microsoft.DataLakeStore/accounts/read Microsoft.Insights/DiagnosticSettings/Read The Reader role includes the permissions.
Azure IoT Hub	azure-devices-iot-hub-resource-diagnostic-settings Additional permissions required: Microsoft.Devices/iotHubs/Read Microsoft.Insights/DiagnosticSettings/Read The Reader role includes the permissions.
Azure Key Vault	azure-key-vault-managed-hsms-diagnostic-settings Additional permissions required: Microsoft.KeyVault/managedHSMs/read Microsoft.Insights/DiagnosticSettings/Read The Reader role includes the permissions.
Azure Key Vault	azure-key-vault-managed-hsms Additional permission required: Microsoft.KeyVault/managedHSMs/read The Reader role includes the permissions.
Google Firebase App Distribution	gcloud-firebase-app-distribution-tester Additional permissions required: resourcemanager.projects.get firebaseappdistro.testers.list The Viewer role includes the permissions.
Google Cloud Identity Platform	gcloud-identity-platform-tenant-configuration Additional permissions required: identitytoolkit.tenants.list identitytoolkit.tenants.getIamPolicy The Viewer role includes the permissions.
Google Cloud Identity Platform	gcloud-identity-platform-project-user-account Additional permission required: firebaseauth.users.get The Viewer role includes the permission.
Google Cloud Identity Platform	gcloud-identity-platform-tenant-user-account Additional permissions required: identitytoolkit.tenants.list firebaseauth.users.get The Viewer role includes the permissions.
Google Cloud Identity Platform	gcloud-identity-platform-project-configuration Additional permission required: firebaseauth.configs.get The Viewer role includes the permission.
OCI Block Storage	oci-block-storage-boot-volume Additional permissions required: COMPARTMENT_INSPECT VOLUME_INSPECT You must download and execute the Terraform template from the console to enable the permissions.
OCI Block Storage	oci-block-storage-boot-volume-attachment Additional permissions required: COMPARTMENT_INSPECT VOLUME_ATTACHMENT_INSPECT VOLUME_ATTACHMENT_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Networking	oci-networking-private-ip Additional permissions required: SUBNET_READ PRIVATE_IP_READ You must download and execute the Terraform template from the console to enable the permissions.
OCI Networking	oci-networking-public-ip Additional permission required: PUBLIC_IP_READ You must download and execute the Terraform template from the console to enable the permission.
`Update` OCI Database	oci-oracledatabase-databases The resource JSON for this API has been updated to include new fields: nsgIds psubnetId backupNetworkNsgIds backupSubnetId

New Policies

NEW POLICIES	DESCRIPTION
Unusual Usage of Workload Credentials Anomaly Policies	Two new anomaly policies are now available in Prisma Cloud. Unusual usage of Workload Credentials from outside the Cloud Unusual usage of Workload Credentials from inside the Cloud The policies detect the use of a credential assigned to a compute resource from a different resource, which could be outside or inside the cloud service provider. This is typically a sign of an attack or a very unusual use of resource credentials. The policies will be triggered based on whether the anomalous IP address is outside or inside the cloud provider’s IP address range. You can configure the Unusual usage of Workload Credentials from inside the Cloud policy from the new Identity section that is available in the anomaly settings. Severity—Medium. These two policies require the IAM security (CIEM) module to be enabled.
AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS Elastic Beanstalk Instance	Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing Elastic Beanstalk (EBS) will have a risk of these dangling domain entries being taken over by an attacker by creating a similar Elastic beanstalk (EBS) in any AWS account which the attacker owns / controls. Attackers can use this domain to do phishing attacks, spread malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS records entry from your AWS Route 53 hosted zones. config from cloud.resource where api.name = 'aws-route53-list-hosted-zones' AND json.rule = hostedZone.config.privateZone is false and resourceRecordSet[?any( type equals CNAME and resourceRecords[].value contains elasticbeanstalk.com)] exists as X; config from cloud.resource where api.name = 'aws-elasticbeanstalk-environment' as Y; filter 'not (X.resourceRecordSet[].resourceRecords[].value intersects $.Y.cname)'; show X; Policy Type—* Config Severity— High
Azure App Service web apps with public network access	Identifies Azure App Service web apps that are publicly accessible. Publicly accessible web apps could allow malicious actors to remotely exploit if any vulnerabilities and could. It is recommended to configure the App Service web apps with private endpoints so that the web apps hosted are accessible only to restricted entities. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.state equal ignore case running and properties.publicNetworkAccess exists and properties.publicNetworkAccess equal ignore case Enabled and config.ipSecurityRestrictions[?any(action equals Allow and ipAddress equals Any)] exists' Policy Type— Config Severity— Medium
Azure Function app configured with public network access	Identifies Azure Function apps that are configured with public network access. Publicly accessible web apps could allow malicious actors to remotely exploit any vulnerabilities and could. It is recommended to configure the App Service web apps with private endpoints so that the functions hosted are accessible only to restricted entities. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with functionapp and properties.state equal ignore case running and properties.publicNetworkAccess exists and properties.publicNetworkAccess equal ignore case ENABLED Policy Type— Config Severity— Medium
Azure Data Explorer cluster double encryption is disabled	Identifies Azure Data Explorer clusters in which double encryption is disabled. Double encryption adds a second layer of encryption using service-managed keys. It is recommended to enable infrastructure double encryption on Data Explorer clusters so that encryption can be implemented at the layer closest to the storage device or network wires. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kusto-clusters' AND json.rule = properties.state equal ignore case Running and properties.enableDoubleEncryption is false Policy Type— Config Severity— Informational
Azure Data Explorer cluster disk encryption is disabled	Identifies Azure Data Explorer clusters in which disk encryption is disabled. Enabling encryption at rest on your cluster provides data protection for stored data. It is recommended to enable disk encryption on Data Explorer clusters. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kusto-clusters' AND json.rule = properties.state equal ignore case Running and properties.enableDiskEncryption is false Policy Type— Config Severity— Medium

Policy Updates

POLICY UPDATES

DESCRIPTION

Policy Updates—RQL

GCP VPC Flow logs for the subnet is set to Off

Changes—
The policy RQL has been updated to exclude checking for proxy-only subnets in the policy as VPC flow logs are not supported for proxy-only subnets.

Severity—
Informational

Policy Type—
Config

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = purpose does not contain INTERNAL_HTTPS_LOAD_BALANCER and (enableFlowLogs is false or enableFlowLogs does not exist)

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = purpose does not contain INTERNAL_HTTPS_LOAD_BALANCER and purpose does not contain "REGIONAL_MANAGED_PROXY" and (enableFlowLogs is false or enableFlowLogs does not exist)

Impact—
Low. Alerts generated for proxy-only subnets will be resolved as Policy_updated
.

IAM Policy Updates

Prisma Cloud has updated the IAM policy as follows:

CURRENT POLICY NAME

UPDATED POLICY NAME

CURRENT RQL

UPDATED RQL

EC2 with IAM role attached has s3:GetObject permission

EC2 with IAM role attached has s3:GetObject and s3:ListBucket permissions

config from iam where dest.cloud.type = 'AWS' AND action.name IN ('s3:ListBucket') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'

config from iam where dest.cloud.type = 'AWS' AND action.name CONTAINS ALL ('s3:ListBucket', 's3:GetObject') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'

Changes in Existing Behavior

FEATURE	DESCRIPTION
Microsegmentation EoS	With the 23.8.1 release, the credit usage for Microsegmentation is no longer displayed on Settings Licensing . This change follows the announcement of the Microsegmentation capabilities as End-of-Sale effective August 31, 2022. To retrieve your credit consumption for Microsegmentation, you can use the POST /license/api/v1/usage API.

REST API Updates

No REST API updates for 23.8.1.

Features Introduced in September 2023

Features Introduced in July 2023

Prisma™ Cloud Release Notes

Features Introduced in August 2023

Features Introduced in August 2023

New Features Introduced in 23.8.2

New Features

API Ingestions

New Policies

Policy Updates

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

New Features Introduced in 23.8.1

New Features

API Ingestions

New Policies

Policy Updates

IAM Policy Updates

Changes in Existing Behavior

REST API Updates

Recommended For You