Features Introduced in January 2023
Learn what’s new on Prisma™ Cloud in January 2023.
New Features Introduced in 23.1.2
New Features
FEATURE | DESCRIPTION |
Cloud Account Onboarding for more Security Coverage | Prisma Cloud provides an improved and simplified onboarding experience: you select the security capabilities you want, and Prisma Cloud creates the role with the permissions those capabilities require. Depending on the capabilities you enable, follow the steps to configure Agentless Workload Scanning, Serverless Function Scanning, and Agent Based Workload Protection. |
Ingest Audit Logs using Amazon EventBridge | By default, Prisma Cloud ingests audit logs from Amazon CloudTrail. Event-assisted ingestion is an enhancement that makes the resource API call only when a resource's configuration has changed. After onboarding your AWS account, you can configure Amazon EventBridge on Prisma Cloud to support event-assisted ingestion in near real time, which reduces the total number of API calls and the time to alert. |
Support for AWS GuardDuty and Inspector Malware Findings | After onboarding your AWS account on Prisma Cloud and configuring EventBridge, you can now Configure Findings to view vulnerability and malware findings generated by AWS GuardDuty, and vulnerabilities found by AWS Inspector, on the Prisma Cloud Resource page. Once enabled, if GuardDuty detects suspicious activity on a workload, it initiates a malware scan on the associated EC2 instance. If malware is detected during the scan, GuardDuty generates an additional finding. The findings provide context and identify the malicious software behind the suspicious behavior, so that you can take appropriate response actions. |
GA Recurring Reports for Adoption Advisor | You can now schedule a recurring Adoption Advisor report to receive, at a regular cadence, a summary of your adoption and the improvements in your cloud security posture. You can schedule the report to run at daily, weekly, or monthly intervals, and view a list of all scheduled reports under Adoption Advisor > Reports. |
Support for AWS IAM Identity Center | Prisma Cloud now integrates with AWS IAM Identity Center, giving you complete visibility into the access privileges of users who log into AWS through IAM Identity Center, including users and groups created in or imported into Identity Center. You can also create access policies and user alerts, and remediate risky permissions for AWS IAM Identity Center users. Prisma Cloud requires additional permissions to support the IAM Identity Center integration. If you onboard your AWS account with the CloudFormation template, no further action is required because the required permissions are part of the template. Otherwise, you can add the permissions manually to take advantage of AWS IAM Identity Center. |
Retrieval of Data Storage Size Estimates for Azure Blob Storage | Prisma Cloud now retrieves the approximate size of the Azure Blob Storage that is in scope for sensitive data scanning and provides an estimate of the credit consumption required to scan it. The size of scannable data is based on file size and file type. The estimates for Azure leverage Azure Storage blob inventory policies, which produce inventory files on a daily or weekly basis. You can follow a few recommendations to lower your cost. |
API Ingestions
SERVICE | API DETAILS |
Access Analyzer | aws-access-analyzer Additional permission required:
The Security Audit role includes the permission. |
Amazon CloudFront | aws-cloudfront-origin-access-control Additional permissions required:
The Security Audit role includes the permissions. |
Amazon Prometheus | aws-prometheus-workspace Additional permissions required:
No default role includes the permissions. |
Azure Stream Analytics | azure-streamanalytics-streamingjobs Additional permission required:
The Reader role includes the permission. |
Azure Event Grid | azure-event-grid-topic-privatelinkresource Additional permissions required:
The Reader role includes the permissions. |
Azure IoT Hub | azure-devices-iot-hub-privatelinkresource Additional permissions required:
The Reader role includes the permissions. |
Azure Event Grid | azure-event-grid-domains-privatelinkresource Additional permissions required:
The Reader role includes the permissions. |
Azure Storage Sync Services | azure-storage-sync-service-privatelinkresource Additional permissions required:
The Reader role includes the permissions. |
Azure Stream Analytics | azure-streamanalytics-streamingjobs-diagnostic-settings Additional permissions required:
The Reader role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-task Additional permissions required:
The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-contentitem Additional permissions required:
The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-zone-entity Additional permissions required:
The Viewer role includes the permissions. |
New Policies
No new policies for 23.1.2.
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates-RQL | |
AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability | Changes— The policy RQL is updated so that resources are not alerted on when the managed rule groups (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList) are attached through AWS Firewall Manager rule groups rather than the WebACL's own rules. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability | Changes— The policy RQL is updated so that resources are not alerted on when the managed rule groups (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList) are attached through AWS Firewall Manager rule groups rather than the WebACL's own rules. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability | Changes— The policy RQL is updated so that resources are not alerted on when the managed rule groups (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList) are attached through AWS Firewall Manager rule groups rather than the WebACL's own rules. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability | Changes— The policy RQL is updated so that resources are not alerted on when the managed rule groups (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList) are attached through AWS Firewall Manager rule groups rather than the WebACL's own rules. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
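The four WAFv2 policies above share one exception: a managed rule group that AWS Firewall Manager attaches does not appear in the WebACL's `Rules` list, it sits in the pre/post-process Firewall Manager rule groups, so a check that only walks `Rules` reports a protected ACL as uncovered. The following Python is an added example, not Prisma Cloud's RQL or code; it evaluates a WebACL document in the shape returned by `aws wafv2 get-web-acl`, walks both locations, and additionally flags a rule group whose Log4JRCE rule has been excluded or overridden to Count, which leaves the group attached but no longer blocking. It assumes, as the parenthetical suggests, that the policy requires both rule groups; the two WebACLs are constructed.

```python
"""Does a WAFv2 WebACL carry the AWS managed rule groups used for Log4j
coverage, counting rule groups that AWS Firewall Manager attaches?"""
from __future__ import annotations

from typing import Iterator

LOG4J_RULE_GROUPS = {"AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesAnonymousIpList"}
# Rule inside KnownBadInputs that matches Log4j JNDI lookup payloads.
LOG4J_RULE = "Log4JRCE"
_FMS_KEYS = ("PreProcessFirewallManagerRuleGroups", "PostProcessFirewallManagerRuleGroups")


def managed_statements(web_acl: dict, include_fms: bool = True) -> Iterator[dict]:
    """Yield every ManagedRuleGroupStatement in the ACL. Firewall Manager rule
    groups are not in Rules; they live in the pre/post-process lists."""
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt:
            yield stmt
    if not include_fms:
        return
    for key in _FMS_KEYS:
        for group in web_acl.get(key, []):
            stmt = group.get("FirewallManagerStatement", {}).get("ManagedRuleGroupStatement")
            if stmt:
                yield stmt


def log4j_rule_neutered(stmt: dict) -> bool:
    """True when Log4JRCE is excluded or overridden to Count inside the rule
    group: the group is still attached, but it no longer blocks."""
    if any(r.get("Name") == LOG4J_RULE for r in stmt.get("ExcludedRules", [])):
        return True
    return any(
        o.get("Name") == LOG4J_RULE and "Count" in o.get("ActionToUse", {})
        for o in stmt.get("RuleActionOverrides", [])
    )


def rules_only_coverage(web_acl: dict) -> bool:
    """The pre-update check: Rules only, so an ACL protected through Firewall
    Manager is reported as uncovered."""
    found = {s.get("Name") for s in managed_statements(web_acl, include_fms=False)
             if s.get("VendorName") == "AWS"}
    return LOG4J_RULE_GROUPS <= found


def log4j_amr_coverage(web_acl: dict) -> dict:
    """Updated check plus the override caveat: which groups were found, whether
    Log4JRCE was neutered, and the overall verdict."""
    found: set[str] = set()
    neutered = False
    for stmt in managed_statements(web_acl):
        if stmt.get("VendorName") != "AWS":
            continue
        name = stmt.get("Name")
        if name in LOG4J_RULE_GROUPS:
            found.add(name)
            if name == "AWSManagedRulesKnownBadInputsRuleSet" and log4j_rule_neutered(stmt):
                neutered = True
    return {"groups": found, "neutered": neutered,
            "covered": LOG4J_RULE_GROUPS <= found and not neutered}


# Constructed sample: KnownBadInputs attached by Firewall Manager, AnonymousIpList by the account.
FMS_PROTECTED_ACL = {
    "Name": "fms-managed-acl",
    "Rules": [{"Name": "anon-ip", "Priority": 1, "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList"}}}],
    "PreProcessFirewallManagerRuleGroups": [{"Name": "fms-bad-inputs", "Priority": 0,
        "FirewallManagerStatement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet"}}}],
    "PostProcessFirewallManagerRuleGroups": [],
}
# Constructed sample: both groups present, but Log4JRCE switched to Count.
COUNT_OVERRIDE_ACL = {
    "Name": "self-managed-acl",
    "Rules": [
        {"Name": "bad-inputs", "Priority": 1, "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet",
            "RuleActionOverrides": [{"Name": LOG4J_RULE, "ActionToUse": {"Count": {}}}]}}},
        {"Name": "anon-ip", "Priority": 2, "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList"}}},
    ],
}

if __name__ == "__main__":
    for acl in (FMS_PROTECTED_ACL, COUNT_OVERRIDE_ACL):
        print(acl["Name"], "rules-only:", rules_only_coverage(acl), "updated:", log4j_amr_coverage(acl))
```

The rules-only check reports the Firewall Manager protected ACL as a finding (the false positive this release removes), while the updated check passes it and instead catches the ACL whose Log4JRCE rule counts rather than blocks.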
AWS CloudFront viewer protocol policy is not configured with HTTPS | Changes— The policy RQL is updated to check the viewer protocol policy of every cacheBehavior, in addition to the defaultCacheBehavior, for HTTPS configuration. Current RQL—
Updated RQL—
Impact— Medium. New alerts will be generated for distributions that have a cacheBehavior whose viewer protocol policy is not configured for HTTPS. |
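The gap this update closes is that a distribution can redirect to HTTPS on its default behavior while a path-specific behavior (an `/api/*` route, say) still accepts cleartext. As an added example that is not Prisma Cloud's RQL, the following Python walks a DistributionConfig in the shape returned by `aws cloudfront get-distribution-config` and reports every cache behavior that still admits HTTP, beside the default-only check that the update retires. The distribution config is constructed.

```python
"""List CloudFront cache behaviors whose viewer protocol policy still admits
plain HTTP, across DefaultCacheBehavior and every CacheBehaviors item."""
from __future__ import annotations

# CloudFront accepts allow-all, https-only and redirect-to-https; only the
# first one serves cleartext responses to HTTP viewers.
_HTTP_ALLOWED = {"allow-all"}


def _allows_http(behavior: dict) -> bool:
    # A missing value is treated as insecure so the check fails closed.
    return behavior.get("ViewerProtocolPolicy", "allow-all") in _HTTP_ALLOWED


def http_permitted_behaviors(dist_config: dict) -> list[str]:
    """Path patterns that accept HTTP; the default behavior is reported as '*'."""
    offenders: list[str] = []
    if _allows_http(dist_config.get("DefaultCacheBehavior", {})):
        offenders.append("*")
    for behavior in dist_config.get("CacheBehaviors", {}).get("Items", []):
        if _allows_http(behavior):
            offenders.append(behavior.get("PathPattern", "<unnamed>"))
    return offenders


def default_only_compliant(dist_config: dict) -> bool:
    """The pre-update check: looks at DefaultCacheBehavior only."""
    return not _allows_http(dist_config.get("DefaultCacheBehavior", {}))


def is_compliant(dist_config: dict) -> bool:
    """The updated check: no behavior at all may admit HTTP."""
    return not http_permitted_behaviors(dist_config)


# Constructed sample: secure default, one insecure path behavior.
DIST_CONFIG = {
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 2, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "allow-all"},
        {"PathPattern": "/static/*", "TargetOriginId": "web", "ViewerProtocolPolicy": "https-only"},
    ]},
}

if __name__ == "__main__":
    print("default-only:", default_only_compliant(DIST_CONFIG))
    print("all behaviors:", is_compliant(DIST_CONFIG), http_permitted_behaviors(DIST_CONFIG))
```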
Azure Storage accounts soft delete is disabled | Changes— The policy RQL has been updated to exclude FileStorage accounts, which do not support blobs. The recommendation steps have been updated to reflect the changes in the CSP. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
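A FileStorage account exposes SMB/NFS shares only and has no blob service, so blob soft delete can never be enabled on it and alerting on it is noise. As an added example (not Prisma Cloud's RQL), the Python below evaluates accounts in the shape of `az storage account list` output, with each account's blob service properties attached as `az storage account blob-service-properties show` returns them, skips kinds without a blob service, and builds the `az` remediation command with the 30-day retention that the policy's remediation CLI uses. The account list is constructed, and the property names are taken from the az CLI output as I know it.

```python
"""Flag storage accounts without blob soft delete, skipping account kinds that
have no blob service, and build the matching az CLI remediation command."""
from __future__ import annotations

# Kinds that expose a blob endpoint. FileStorage accounts hold file shares
# only, so blob soft delete cannot apply to them.
BLOB_CAPABLE_KINDS = {"Storage", "StorageV2", "BlobStorage", "BlockBlobStorage"}
DEFAULT_RETENTION_DAYS = 30


def blob_soft_delete_enabled(account: dict) -> bool:
    """Enabled with a retention of at least one day; 'days' may be null when disabled."""
    policy = account.get("blobServiceProperties", {}).get("deleteRetentionPolicy", {})
    return bool(policy.get("enabled")) and (policy.get("days") or 0) >= 1


def remediation_command(account: dict, days: int = DEFAULT_RETENTION_DAYS) -> str:
    return (
        "az storage account blob-service-properties update "
        f"--account-name {account['name']} --resource-group {account['resourceGroup']} "
        f"--enable-delete-retention true --delete-retention-days {days}"
    )


def evaluate(accounts: list[dict]) -> dict:
    """Partition accounts into noncompliant / skipped and list remediation commands."""
    result: dict = {"noncompliant": [], "skipped": [], "remediation": []}
    for account in accounts:
        if account.get("kind") not in BLOB_CAPABLE_KINDS:
            result["skipped"].append(account["name"])
            continue
        if blob_soft_delete_enabled(account):
            continue
        result["noncompliant"].append(account["name"])
        result["remediation"].append(remediation_command(account))
    return result


# Constructed sample: one unprotected blob account, one protected, one file-only.
ACCOUNTS = [
    {"name": "applogs", "resourceGroup": "rg-prod", "kind": "StorageV2",
     "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": False, "days": None}}},
    {"name": "archive", "resourceGroup": "rg-prod", "kind": "BlobStorage",
     "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": True, "days": 14}}},
    {"name": "smbshares", "resourceGroup": "rg-prod", "kind": "FileStorage"},
]

if __name__ == "__main__":
    report = evaluate(ACCOUNTS)
    print("noncompliant:", report["noncompliant"], "skipped:", report["skipped"])
    for cmd in report["remediation"]:
        print(cmd)
```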
Azure Activity log alert for Delete SQL server firewall rule does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Create or update SQL server firewall rule does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Delete network security group does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Create or update network security group does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Delete network security group rule does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Create or update network security group rule does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Create policy assignment does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Create or update security solution does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Update security policy does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure Activity log alert for Delete security policy does not exist | Changes— The policy RQL is updated to exclude resource groups so that only subscriptions are reported. The recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
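All ten activity log alert policies above now evaluate only subscription-scoped alerts; an alert whose scope is a resource group watches a subset of the subscription and does not satisfy the control. As an added example that is not the policies' RQL, the Python below scans alert definitions in the shape of `az monitor activity-log alert list` output and reports which administrative operations still lack an enabled, subscription-scoped alert. The operation names are the ones from the CIS Azure benchmark controls these policies correspond to and are an assumption here, as is the constructed alert list; the Azure field names (`scopes`, `condition.allOf`, `field`, `equals`) follow the ARM activity log alert resource.

```python
"""Report administrative operations that lack an enabled, subscription-scoped
Azure activity log alert. Alerts scoped to a resource group are ignored,
matching the updated policy RQL."""
from __future__ import annotations

import re

# A subscription scope is exactly /subscriptions/<guid>; anything deeper
# (resource group, resource) is narrower than the policies require.
_SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/?$", re.IGNORECASE)

# Assumed: operation names from the CIS Azure benchmark activity log alert controls.
REQUIRED_OPERATIONS = {
    "Microsoft.Sql/servers/firewallRules/delete",
    "Microsoft.Sql/servers/firewallRules/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Security/securitySolutions/write",
    "Microsoft.Security/policies/write",
    "Microsoft.Security/policies/delete",
}
# Azure matches operationName case-insensitively, so compare lower-cased.
_BY_LOWER = {op.lower(): op for op in REQUIRED_OPERATIONS}


def subscription_scoped(alert: dict) -> bool:
    scopes = alert.get("scopes", [])
    return bool(scopes) and all(_SUBSCRIPTION_SCOPE.match(s) for s in scopes)


def covered_operations(alert: dict) -> set[str]:
    """Operations this alert satisfies: it must be enabled, subscription-scoped
    and filtered to the Administrative category."""
    if not alert.get("enabled", False) or not subscription_scoped(alert):
        return set()
    clauses = alert.get("condition", {}).get("allOf", [])
    if not any(c.get("field") == "category" and c.get("equals") == "Administrative" for c in clauses):
        return set()
    return {
        _BY_LOWER[str(c["equals"]).lower()]
        for c in clauses
        if c.get("field") == "operationName" and str(c.get("equals", "")).lower() in _BY_LOWER
    }


def missing_subscription_alerts(alerts: list[dict]) -> set[str]:
    covered: set[str] = set()
    for alert in alerts:
        covered |= covered_operations(alert)
    return REQUIRED_OPERATIONS - covered


# Constructed sample: one good alert, one resource-group-scoped, one disabled.
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
ALERTS = [
    {"name": "sql-fw-delete", "enabled": True, "scopes": [SUB],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]}},
    {"name": "nsg-delete-rg-only", "enabled": True, "scopes": [SUB + "/resourceGroups/rg-prod"],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]}},
    {"name": "policy-assign-disabled", "enabled": False, "scopes": [SUB],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]}},
]

if __name__ == "__main__":
    for op in sorted(missing_subscription_alerts(ALERTS)):
        print("missing subscription-scoped alert:", op)
```

Only the first alert counts: the second is scoped to a resource group and the third is disabled, so nine of the ten operations are reported as missing.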
OCI MFA is disabled for IAM users | Changes— The policy RQL has been updated to exclude inactive and programmatic users from alerting, because programmatic users do not have MFA. Current RQL—
Updated RQL—
Impact— Low. Alerts generated for programmatic users will be resolved as Policy_Updated. |
Policy Updates-Metadata | |
Azure Activity log alert for delete policy assignment does not exist | Changes— The recommendation steps have been updated according to the CSP changes. Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
Azure SQL Server allow access to any Azure internal resources | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. Impact— No impact on alerts. |
Azure log profile not capturing activity logs for all regions | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. Impact— No impact on alerts. |
Azure subscriptions with custom roles are overly permissive | Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes. Updated Policy Description—
Identifies Azure subscriptions with custom roles that are overly permissive. The principle of least privilege should be followed and only the necessary privileges assigned, instead of allowing full administrative access. Impact— No impact on alerts. |
Azure storage account has a blob container with public access | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. Impact— No impact on alerts. |
Azure Storage Account 'Trusted Microsoft Services' access not enabled | Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes. Updated Policy Description—
Identifies Storage Accounts that do not have 'Trusted Microsoft Services' access enabled. Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To let this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). It is recommended to enable Trusted Microsoft Services on the storage account instead of relying on network rules. Impact— No impact on alerts. |
Azure storage account logging for queues is disabled | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. Impact— No impact on alerts. |
Storage Accounts without Secure transfer enabled | Changes— The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes. Current Policy Name— Storage Accounts without Secure transfer enabled
Updated Policy Name— Azure Storage Account without Secure transfer enabled. Updated Policy Description—
Identifies Storage accounts that have the Secure transfer feature disabled. The secure transfer option enhances the security of your storage account by only allowing requests over a secure connection. When 'secure transfer required' is enabled, REST API clients must connect to your storage account using HTTPS; any request over HTTP is rejected. When you use the Azure Files service, connections without encryption fail. It is highly recommended to enable the secure transfer feature on your storage account. Azure Storage does not support HTTPS for custom domain names, so this option is not applied when a custom domain name is used. Impact— No impact on alerts. |
Azure Storage accounts soft delete is disabled | Changes— The policy name, description, and remediation CLI description have been updated. Current Policy Name— Azure Storage accounts soft delete is disabled. Updated Policy Name— Azure Storage account soft delete is disabled. Updated Policy Description—
Identifies Azure Storage accounts that have soft delete disabled. Azure Storage holds important access logs, financial data, personal and other secret information; if it is accidentally deleted by a user or application, the result can be data loss or data unavailability. It is recommended to enable the soft delete setting on Azure Storage accounts. Updated Remediation CLI Description—
This CLI command requires the 'Microsoft.Storage/storageAccounts/blobServices/write' permission. Successful execution enables soft delete for blobs on the Azure Storage account. NOTE: As a best practice the delete retention period is set to 30 days; it can be changed to suit customer requirements by cloning the policy. Impact— No impact on alerts. |
Azure Microsoft Defender for Cloud automatic provisioning of log Analytics agent for Azure VMs is set to Off | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. Impact— No impact on alerts. |
Changes in Existing Behavior
FEATURE | DESCRIPTION |
‘Monitor and Protect’ renamed Remediation | With the Cloud Account Onboarding changes for more Security Coverage, the Monitor and Monitor & Protect modes are revised. For an existing account that was onboarded in Monitor & Protect mode, the Remediation security capability now represents that mode. These modes are no longer available when onboarding new cloud accounts. For the new workflow, see Cloud Account Onboarding for more Security Coverage. |
Update AWS Account Onboarding | While onboarding your AWS cloud account on Prisma Cloud, if you are already logged in to the AWS Management Console, you can either Download IAM Role CFT or Create IAM Role on the fly. When you click Create IAM Role, Prisma Cloud generates a dynamic link that takes you directly to the Quick create stack page in the AWS Management Console. You do not need to enter the template details manually to create the stack; they are auto-populated based on the Security Capabilities and Permissions you selected. |
Google Kubernetes Engine Container ClusterID Update | The resource ID for the gcloud-container-describe-clusters API in Prisma Cloud is updated in the backend. As a result, all resources for this API will be deleted and then regenerated on the management console. Existing alerts for these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations. Impact— You may notice a reduced alert count. However, once the resources for the gcloud-container-describe-clusters API resume ingesting data, the alert count will return to the original numbers. |
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
Sarbanes-Oxley Act (SOX) | Prisma Cloud now supports the Sarbanes-Oxley Act (SOX) compliance standard. In addition to improving the accuracy of corporate disclosures, SOX protects shareholders and the general public from accounting errors and fraudulent business practices. Corporations must save all business records, including electronic records and electronic messages, for "not less than five years" to comply with SOX.
Non-compliance can result in fines, imprisonment, or both. With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time. |
CIS Google Cloud Platform Foundation Benchmark v2.0.0 (Level 1 and Level 2) | The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Cloud Platform Foundation Benchmark v2.0.0 is based on the CIS Google Cloud Computing Platform Foundations Benchmark v1.0.0 published by the Center for Internet Security (CIS). The CIS benchmark provides guidance to securing the GCP environment, covering everything from network to servers to operating systems. The important sections covered in the benchmark include IAM, Logging and monitoring configuration, Virtual Network Security settings, and Kubernetes Engine configuration. You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page. |
CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2) | The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2) is a set of recommendations for configuring Kubernetes to support a strong security posture. Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and is intended to be universally applicable. Based on the existing CIS Benchmark, this standard adds additional controls that are Google Cloud-specific. You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page. |
REST API Updates
CHANGE | DESCRIPTION |
Update Critical and Informational Severity Alerts | The following new properties are added to the response objects of both: the alertStatus object within the resources array has two additional properties
|
Update Adoption Advisor API | The following new endpoints are available for the Adoption Advisor API:
|
New Features Introduced in 23.1.1
New Features
FEATURE | DESCRIPTION |
Adoption Advisor for Code to Cloud | To help you monitor and secure your cloud resources, the Adoption Advisor has been updated to provide guidance on foundational, intermediate, and advanced tasks throughout the application lifecycle. The Adoption Advisor covers three stages of the code-to-cloud application lifecycle: Code & Build, Deploy, and Runtime. You can work through these stages at your own pace, following the "crawl, walk, run" principle to gradually adopt the various security capabilities. |
Centralized Product Resources in Knowledge Center | The Knowledge Center now integrates the resources that were previously in the Resource Center. You can access all product resources directly from the left navigation on Prisma Cloud. |
Critical and Informational Severity Policies | To help you categorize and distinguish the varying degrees of severity of Prisma Cloud policies and their associated alerts, two new severity levels are added. There are no changes to the severity of any system default policies; however, you can now set a policy's severity to Critical or Informational as needed. |
New Look for PDF Reports | The Compliance reports and the Cloud Security Assessment report for Alerts are updated with a new look and better visualization. |
Update Prisma Cloud Data Security-Scan .zip Files up to 2.5GB | Prisma Cloud can now scan .zip files of up to 2.5 GB in your storage resources for data classification and malware. The size of the uncompressed files must be:
|
Update Change in Terraform file name for Azure and GCP accounts | The terraform files you download during onboarding Azure and GCP accounts on Prisma Cloud have new names.
|
API Ingestions
SERVICE | API DETAILS |
Amazon Kendra | aws-kendra-index Additional permissions required:
The Security Audit role only includes the permission . You must manually add the permissions or update the CFT template to enable and . |
Amazon EventBridge | aws-events-eventbus Additional permissions required:
The Security Audit role includes these permissions. |
Azure Automation Accounts | azure-automation-account-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Batch Account | azure-batch-account-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Cognitive Services | azure-cognitive-search-service-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Cosmos DB | azure-documentdb-cassandra-clusters-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Cosmos DB | azure-cosmos-db-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Database for MariaDB Server | azure-database-maria-db-server-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Database for MySQL | azure-mysql-flexible-server-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Database for PostgreSQL | azure-postgresql-flexible-server-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Event Hubs | azure-event-hub-namespace-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure Kubernetes Service | azure-kubernetes-cluster-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure SQL Database | azure-sql-db-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Azure SQL Database | azure-sql-managed-instance-diagnostic-settings Additional permissions required:
The Reader role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-analytics-datastore Additional permissions required:
The Viewer role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-api-product Additional permissions required:
The Viewer role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-api-proxy Additional permissions required:
The Viewer role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-report Additional permissions required:
The Viewer role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-host-security-report Additional permissions required:
The Viewer role includes these permissions. |
Google Apigee X | gcloud-apigee-x-organization-security-profile Additional permissions required:
The Viewer role includes these permissions. |
Update Google BigQuery API | gcloud-bigquery-table Additional permission required:
You must update the Terraform template to enable this permission. |
Google Cloud KMS | gcloud-kms-keyring-list Additional permissions required:
The Viewer role includes these permissions. |
Google Cloud KMS | gcloud-kms-crypto-keys-list Additional permissions required:
The Viewer role includes these permissions. |
Google Dataproc Metastore | gcloud-dataproc-metastore-service Additional permissions required:
The Viewer role includes these permissions. |
Google Dataplex | gcloud-dataplex-lake-zone-asset-action Additional permissions required:
The Viewer role includes these permissions. |
Google Vertex AI | gcloud-vertex-ai-notebook-runtime Additional permission required:
The Viewer role includes this permission. |
OCI Analytics | oci-analytics-instance Additional permissions required:
You must manually add these permissions. |
OCI API Management | oci-apimanagement-apigateway-deployment Additional permissions required:
You must manually add these permissions. |
OCI Budgets | oci-budgets-budget Additional permissions required:
You must manually add these permissions. |
OCI Networking | oci-networking-ipsec-connection Additional permission required:
You must manually add the permission. |
OCI Networking | oci-networking-networkloadbalancer Additional permissions required:
You must manually add the permissions. |
New Policies
No new policies for 23.1.1.
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates-RQL | |
Azure AD Users can consent to apps accessing company data on their behalf is enabled | Changes— The policy RQL and recommendation steps have been updated according to the CSP changes. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts will be resolved as Policy_Updated. |
SQL servers which do not have Azure Active Directory admin configured | Changes— The policy name, description, and recommendation steps have been updated to maintain consistency across policies. The RQL has been updated with new RQL grammar that improves the accuracy of the results. Current Policy Name— SQL servers which do not have Azure Active Directory admin configured
Updated Policy Name— Azure SQL server not configured with Active Directory admin authentication. Updated Policy Description—
Identifies Azure SQL servers that are not configured with Active Directory admin authentication. Azure Active Directory authentication is a mechanism for connecting to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one place. As a best practice, configure SQL servers with Active Directory admin authentication. Current RQL—
Updated RQL—
Impact— No impact on alerts. |
Azure Virtual Network subnet is not configured with a Network Security Group | Changes— The policy RQL has been updated to match the parameter value case-insensitively. Current RQL—
Updated RQL—
Impact— Low. Previously generated alerts for gateway subnets whose name does not exactly match the casing of GatewaySubnet will be resolved as Policy_Updated. |
Policy Updates-Metadata | |
Azure Storage Account default network access is set to 'Allow' | Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes. Updated Policy Description—
Identifies Storage accounts whose default network access is set to 'Allow'. Restricting default network access adds a layer of security, since by default storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed to 'Deny'. Impact— No impact on alerts. |
GCP Kubernetes Engine Clusters have Stackdriver Logging disabled | Changes— The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.Current Policy Name— GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
Updated Policy Name— GCP Kubernetes Engine Clusters have Cloud Logging disabled. Updated Policy Description—
Identifies Kubernetes Engine Clusters that have Cloud Logging disabled. Enabling Cloud Logging lets Kubernetes Engine collect, process, and store your container and system logs in a dedicated persistent data store. Impact— No impact on alerts. |
GCP User managed service accounts have user managed service account keys | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.Impact— No impact on alerts. |
GCP Kubernetes Engine Clusters have Legacy Authorization enabled | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. The remediation CLI has been removed because there is no single CLI command that can update both zonal and regional GKE clusters. Impact— Changes to the recommendation steps have no impact on existing alerts. There is no remediation support available. |
GCP Kubernetes Engine Clusters have Cloud Monitoring disabled | Changes— The policy description has been updated to reflect the latest CSP changes.Updated Policy Description—
Identifies Kubernetes Engine Clusters that have Cloud Monitoring disabled. Enabling Cloud Monitoring lets Kubernetes Engine monitor signals and build operations in the clusters. Impact— No impact on alerts. |
GCP Kubernetes Engine Clusters not configured with network traffic egress metering | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.Impact— No impact on alerts. |
GCP Log metric filter and alert does not exist for Project Ownership assignments/changes | Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.Impact— No impact on alerts. |
Logging on the Stackdriver exported Bucket is disabled | Changes— The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.Current Policy Name— Logging on the Stackdriver exported Bucket is disabled
Updated Policy Name— GCP Bucket containing Operations Suite Logs have bucket logging disabled. Updated Policy Description—
Identifies buckets containing Operations Suite Logs for which logging is disabled. Enabling bucket logging records all requests made on the bucket, which can be used for debugging and forensics. It is recommended to enable logging on the buckets containing Operations Suite Logs. Impact— No impact on alerts. |
Policy Deletions | |
AWS Policies | Changes— The following policies are deleted because the API they use does not ingest the required fields. These policies validate the availability limit for the subnet and security group, which is not a security misconfiguration:
Impact— No impact on alerts. The compliance mapping for the above policies is removed, which can affect the compliance score. The affected compliance standards are:NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019 |
AWS EC2 instance is not configured with VPC | Changes— AWS has deprecated the EC2-Classic network service. As a result, this policy is now obsolete and has been deleted.Impact— No impact on alerts. The compliance mapping for the above policy is removed, which can affect the compliance score. The affected compliance standards are:NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019 |
Changes in Existing Behavior
FEATURE | DESCRIPTION |
Monitor and Protect renamed Remediation | With the Cloud Account Onboarding changes for more Security Coverage, the Monitor and Monitor & Protect modes are revised. For an existing account that was onboarded in Monitor & Protect mode, the Remediation security capability now represents that mode. These modes are no longer available when onboarding new cloud accounts. For the new workflow, see Cloud Account Onboarding for More Security Coverage . |
Update AWS Account Onboarding | While onboarding your AWS cloud account on Prisma Cloud, if you are already logged in to your AWS management console, you can either Download IAM Role CFT or Create IAM Role on the fly. When you click Create IAM Role , Prisma Cloud generates a dynamic link that takes you directly to the Quick create stack page in the AWS management console. You do not need to enter the template details manually to create the stack; they are auto-populated based on the Security Capabilities and Permissions you have selected. |
Google BigQuery API Resource ID Update | The resource ID for the gcloud-bigquery-dataset-list API in Prisma Cloud is updated in the backend. As a result, all resources for the gcloud-bigquery-dataset-list API are deleted and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts are generated against policy violations. Impact —You may notice a reduced alert count. Once the resources for the gcloud-bigquery-dataset-list API resume ingesting data, the alert count returns to its original level. |
Near Zero Rate Limit Exception for GCP APIs | You must enable the following GCP APIs for each project that the Prisma Cloud service account accesses to monitor and protect your GCP resources. If you have onboarded your GCP account at the Organization level, this configuration ensures that the API rate limit quota is applied to each GCP project that is part of the onboarded GCP Organization, and not counted entirely towards the project where the service account is created.
Impact —No impact on alerts. |
REST API Updates
CHANGE | DESCRIPTION |
Update Asset Explorer API | The following new query parameters are added to the existing GET /resource/scan_info endpoint:
This API has been updated to show the following new fields in the JSON response body for the GET /resource/scan_info and POST /resource/scan_info endpoints:
|
Update Asset Inventory API | The following new query parameters are added to the existing GET /v2/inventory endpoint:
|
Changes to the Get Asset Endpoint Response Object | The structure of the Get Asset (POST /uai/v1/asset) response object has been modified. All properties that were previously directly under the data object are now nested under a new asset object, and that asset object is included in the data object. Clients that read asset properties from data directly must be updated to read them from data.asset. |
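The layout change above (properties moved from data to data.asset) is the kind of thing that silently breaks automation that parses the response. The following is an added example, not Prisma Cloud's own client code, showing a small normaliser that accepts both the legacy and the current layout, refuses ambiguous shapes instead of guessing, and reports which layout it saw so a migration can be tracked. The sample payloads and their field names (id, name, cloudType, tags) are constructed for illustration and are not taken from the API specification.

```python
"""Normalise Get Asset (POST /uai/v1/asset) responses across the
January 2023 layout change: asset properties that used to sit directly
under ``data`` now sit under ``data.asset``.

Added example, not Prisma Cloud client code. Sample payloads below are
constructed; their field names are assumptions, not the real schema.
"""
from typing import Any, Dict

# Constructed sample: response shape BEFORE the change.
LEGACY_RESPONSE: Dict[str, Any] = {
    "data": {
        "id": "i-0abc123",
        "name": "web-1",
        "cloudType": "aws",
        "tags": {"env": "prod"},
    }
}

# Constructed sample: response shape AFTER the change (data.asset).
CURRENT_RESPONSE: Dict[str, Any] = {
    "data": {
        "asset": {
            "id": "i-0abc123",
            "name": "web-1",
            "cloudType": "aws",
            "tags": {"env": "prod"},
        }
    }
}


class UnexpectedResponseShape(ValueError):
    """Raised when the payload matches neither the legacy nor the current layout."""


def layout_of(response: Dict[str, Any]) -> str:
    """Return 'current' when data.asset is an object, otherwise 'legacy'.

    Useful for logging during a migration: once every call reports
    'current', the legacy fallback in extract_asset can be removed.
    """
    data = response.get("data")
    if isinstance(data, dict) and isinstance(data.get("asset"), dict):
        return "current"
    return "legacy"


def extract_asset(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return the asset properties regardless of which layout was returned.

    Resolution order:
      1. data.asset when it is an object (current layout);
      2. data itself when it is a non-empty object without an 'asset'
         key (legacy layout).
    Anything else is rejected rather than silently treated as an asset,
    so a caller never reads a wrapper object as if it were the resource.
    """
    data = response.get("data")
    if not isinstance(data, dict):
        raise UnexpectedResponseShape("response has no 'data' object")

    asset = data.get("asset")
    if isinstance(asset, dict):
        return asset
    if asset is not None:
        # 'asset' exists but is not an object: do not fall back to 'data'.
        raise UnexpectedResponseShape("'data.asset' is present but not an object")
    if not data:
        raise UnexpectedResponseShape("'data' is empty")
    return data


def is_well_formed(response: Dict[str, Any]) -> bool:
    """True if extract_asset can resolve the payload, False otherwise."""
    try:
        extract_asset(response)
    except UnexpectedResponseShape:
        return False
    return True


if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_RESPONSE), ("current", CURRENT_RESPONSE)):
        asset = extract_asset(payload)
        print(f"{label:8s} layout={layout_of(payload)} id={asset['id']} name={asset['name']}")
```

Keeping the fallback behind an explicit layout check, rather than blindly doing `data.get("asset", data)`, means a future shape change (for example, an asset key that is a list or a string) fails loudly instead of handing the caller the wrong object.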