Features Introduced in January 2023

Learn what’s new on Prisma™ Cloud in January 2023.

New Features

FEATURE
DESCRIPTION
Cloud Account Onboarding for more Security Coverage
Prisma Cloud provides an improved and simplified onboarding experience, by providing you with the option to select which security capabilities you want and by creating the role with the permissions required for those capabilities.
You can now enable
Agentless Workload Scanning
,
Serverless Function Scanning
,
Agent Based Workload Protection
,
Data Security
, and
Remediation
capabilities as part of the new onboarding workflow for your AWS, Azure, and GCP cloud accounts using minimal steps.
  • After you successfully onboard your cloud account on Prisma Cloud, by default, the account is automatically available in Compute and enabled for Workload Discovery and Serverless function scans.
  • The option to enable Data Security is now part of the onboarding workflow and is only available for AWS and Azure cloud accounts.
  • For previously onboarded cloud accounts, when you Edit the account and enable or disable the additional security capabilities, the permissions for the Prisma Cloud role is updated. You must download the CFT again and apply it on the Cloud Service Provider (AWS, Azure, or GCP) to apply the latest changes.
Depending on the capabilities you’ve enabled, make sure to follow the steps to configure Agentless Workload Scanning, Serverless Function Scanning, and Agent Based Workload Protection.
Ingest Audit Logs using Amazon EventBridge
By default, Prisma Cloud uses the Amazon CloudTrail service to ingest audit logs. Event assisted ingestion is an enhancement that makes the API call only if the resource configuration is changed. After onboarding your AWS account, you can now configure Amazon EventBridge on Prisma Cloud to support event assisted ingestion in near real time, which allows Prisma Cloud to reduce the total number of API calls and total time to alert.
Support for AWS GuardDuty and Inspector Malware Findings
After onboarding your AWS account on Prisma Cloud and configuring EventBridge, you can now
Configure Findings
to view vulnerability and malware findings generated by AWS GuardDuty or vulnerabilities generated by AWS Inspector on the Prima Cloud Resource page. Once enabled, if GuardDuty detects suspicious activity on a workload, it initiates a malware scan on the associated EC2 instance. If malware is detected during the scan, GuardDuty generates an additional finding. The findings provide context and can detect the malicious software that is the source of the suspicious behavior, so that you can take appropriate response actions.
GA
Recurring Reports for Adoption Advisor
You can now schedule a recurring Adoption Advisor Report to receive a summary of your adoption and improvements on our cloud security posture at regular cadence. You can schedule the report to run on a daily, weekly, or monthly intervals, and view a list of all scheduled reports under
Adoption Advisor > Reports
.
Support for AWS IAM Identity Center
Prisma Cloud now integrates with AWS IAM Identity Center, providing you complete visibility into the access privileges of users currently using AWS IAM Identity Center to log into AWS, including users and groups created in or imported into Identity Center. You can also create access policies, user alerts and remediate risky permissions for AWS IAM Identity Center users. Navigate to
Settings > Integrate > Add Integration
and select
AWS IAM Identity Center
in the
Integration Type
drop-down to get started.
Retrieval of Data Storage Size Estimates for Azure Blob Storage
Prisma Cloud now retrieves the approximate storage size of your Azure blob storage and storage for sensitive data scanning and provides an estimate credit consumption required to scan your Azure blob storage. The size of scannable data is based on file size and file type. The estimates in Azure leverages the Azure Inventory policies and creates files on a daily or weekly basis. You can choose to follow a few recommendations to lower your cost.

API Ingestions

SERVICE
API DETAILS
Access Analyzer
aws-access-analyzer
Additional permission required:
  • access-analyzer:GetAnalyzer
The Security Audit role includes the permission.
Amazon CloudFront
aws-cloudfront-origin-access-control
Additional permissions required:
  • cloudfront:ListOriginAccessControls
The Security Audit role includes the permissions.
Amazon Prometheus
aws-prometheus-workspace
Additional permissions required:
  • aps:DescribeLoggingConfiguration
  • aps:ListWorkspaces
No default role includes the permissions.
Azure Stream Analytics
azure-streamanalytics-streamingjobs
Additional permission required:
  • Microsoft.StreamAnalytics/streamingjobs/Read
The Reader role includes the permission.
Azure Event Grid
azure-event-grid-topic-privatelinkresource
Additional permissions required:
  • Microsoft.EventGrid/topics/read
  • Microsoft.EventGrid/topics/privateLinkResources/read
The Reader role includes the permissions.
Azure IoT Hub
azure-devices-iot-hub-privatelinkresource
Additional permissions required:
  • Microsoft.Devices/iotHubs/Read
  • Microsoft.Devices/iotHubs/privateLinkResources/Read
The Reader role includes the permissions.
Azure Event Grid
azure-event-grid-domains-privatelinkresource
Additional permissions required:
  • Microsoft.EventGrid/domains/read
  • Microsoft.EventGrid/domains/privateLinkResources/read
The Reader role includes the permissions.
Azure Storage Sync Services
azure-storage-sync-service-privatelinkresource
Additional permissions required:
  • Microsoft.StorageSync/storageSyncServices/read
  • Microsoft.StorageSync/storageSyncServices/privateLinkResources/read
The Reader role includes the permissions.
Azure Stream Analytics
azure-streamanalytics-streamingjobs-diagnostic-settings
Additional permissions required:
  • Microsoft.StreamAnalytics/streamingjobs/Read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-task
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.tasks.list
  • dataplex.tasks.getIamPolicy
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-contentitem
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.content.list
  • dataplex.tasks.getIamPolicy
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-zone-entity
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.entities.list
The Viewer role includes the permissions.

New Policies

No new policies for 23.1.2.

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes—
The policy RQL is updated to ignore alerting resources when firewall manager ACL rules are configured with (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList)
Current RQL—
config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;
Updated RQL—
config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes—
The policy RQL is updated to ignore alerting resources when firewall manager ACL rules are configured with (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList)
Current RQL—
config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;
Updated RQL—
config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes—
The policy RQL is updated to ignore alerting resources when firewall manager ACL rules are configured with (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList)
Current RQL—
config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;
Updated RQL—
config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes—
The policy RQL is updated to ignore alerting resources when firewall manager ACL rules are configured with (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList)
Current RQL—
config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
Updated RQL—
config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule =(webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroups.firewallManagerStatement.name does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
AWS CloudFront viewer protocol policy is not configured with HTTPS
Changes—
The policy RQL is updated to check for cacheBehavior viewer protocol policy along with defaultCacheBehavior viewer protocol policy for HTTPS configuration.
Current RQL—
config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = defaultCacheBehavior.viewerProtocolPolicy contains "allow-all" or cacheBehaviors.items[?any( viewerProtocolPolicy contains "allow-all" )] exists
Impact—
Medium. New alerts will be generated for resources which have cacheBehavior viewer protocol policy not configured for HTTPS configuration.
Azure Storage accounts soft delete is disabled
Changes—
The policy RQL has been updated to exclude FileStorage accounts which do not support blobs. The recommendation steps have been updated to reflect the changes in the CSP.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = deleteRetentionPolicy.blob.enabled is false
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = deleteRetentionPolicy.blob.enabled is false and (kind does not equal ignore case FileStorage)
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Delete SQL server firewall rule does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Create or update SQL server firewall rule does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Delete network security group does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/delete" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Create or update network security group does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Delete network security group rule does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Create or update network security group rule does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Create policy assignment does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Create or update security solution does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Update security policy does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure Activity log alert for Delete security policy does not exist
Changes—
The policy RQL is updated to exclude resource group to report only subscriptions. The recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
OCI MFA is disabled for IAM users
Changes—
The policy RQL has been updated to exclude alerting for Inactive and Programmatic users because programmatic users will not have MFA.
Current RQL—
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'isMfaActivated is false'
Updated RQL—
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = lifecycleState equal ignore case ACTIVE and capabilities.canUseConsolePassword is true and isMfaActivated is false
Impact—
Low. Alerts generated for programmatic user will be resolved as Policy_Updated.
Policy Updates-Metadata
Azure Activity log alert for delete policy assignment does not exist
Changes—
The recommendation steps have been updated according to the CSP changes.
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
Azure SQL Server allow access to any Azure internal resources
Changes—
The policy recommendation steps have been updated to reflect the lastest CSP changes.
Impact—
No impact on alerts.
Azure log profile not capturing activity logs for all regions
Changes—
The policy recommendation steps have been updated to reflect the lastest CSP changes.
Impact—
No impact on alerts.
Azure subscriptions with custom roles are overly permissive
Changes—
The policy description and recommendation steps have been updated to reflect the lastest CSP changes.
Updated Policy Description—
Identifies azure subscriptions with custom roles are overly permissive. Least privilege access rule should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Impact—
No impact on alerts.
Azure storage account has a blob container with public access
Changes—
The policy recommendation steps have been updated to reflect the lastest CSP changes.
Impact—
No impact on alerts.
Azure Storage Account 'Trusted Microsoft Services' access not enabled
Changes—
The policy description and recommendation steps have been updated to reflect the lastest CSP changes.
Updated Policy Description—
Identifies Storage Accounts which have 'Trusted Microsoft Services' access not enabled. Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. It is recommended to enable Trusted Microsoft Services on storage account instead of leveraging network rules.
Impact—
No impact on alerts.
Azure storage account logging for queues is disabled
Changes—
The policy recommendation steps have been updated to reflect the lastest CSP changes.
Impact—
No impact on alerts.
Storage Accounts without Secure transfer enabled
Changes—
The policy name, description, and recommendation steps have been updated to reflect the lastest CSP changes.
Current Policy Name—
Storage Accounts without Secure transfer enabled
Updated Policy Name—
Azure Storage Account without Secure transfer enabled
Updated Policy Description—
identifies Storage accounts which have Secure transfer feature disabled. The secure transfer option enhances the security of your storage account by only allowing requests to the storage account by a secure connection. When 'secure transfer required' is enabled, REST APIs to access your storage accounts connect using HTTPs any requests using HTTP will be rejected. When you are using the Azure files service, connection without encryption will fail. It is highly recommended to enable secure transfer feature on your storage account.
Azure storage does not support HTTPs for custom domain names, this option is not applied when using a custom domain name.
Impact—
No impact on alerts.
Azure Storage accounts soft delete is disabled
Changes—
The policy name, description, and remediation CLI descriptions have been updated.
Current Policy Name—
Azure Storage accounts soft delete is disabled
Updated Policy Name—
Azure Storage account soft delete is disabled
Updated Policy Description—
Identifies Azure Storage accounts which has soft delete disabled. Azure Storage contains important access logs, financial data, personal and other secret information which is accidentally deleted by a user or application could cause data loss or data unavailability. It is recommended to enable soft delete setting in Azure Storage accounts.
Updated Remediation CLI Description—
This CLI command requires 'Microsoft.Storage/storageAccounts/blobServices/write' permission. Successful execution will enable soft delete for blobs on Azure Storage accounts. NOTE: As best practice we are setting delete retention days to 30 days; it can be changed based on customer requirement by cloning the policy.
Impact—
No impact on alerts.
Azure Microsoft Defender for Cloud automatic provisioning of log Analytics agent for Azure VMs is set to Off
Changes—
The policy recommendation steps have been updated to reflect the lastest CSP changes.
Impact—
No impact on alerts.

Changes in Existing Behavior

FEATURE
DESCRIPTION
‘Monitor and Protect’ renamed Remediation
With the Cloud Account Onboarding changes for more Security Coverage, the Monitor and Monitor & Protect modes are revised. For an existing account that was onboarded with Monitor & Protect mode, the Remediation security capability represents the mode.
These modes are no longer available when onboarding new cloud accounts. For the new workflow, see Cloud Account Onboarding for more Security Coverage.
Update
AWS Account Onboarding
During onboarding your AWS cloud account on Prisma Cloud, if you are already logged in to your AWS management console, you can either
Download IAM Role CFT
or
Create IAM Role
on the fly.
When you click
Create IAM Role
, Prisma Cloud creates a dynamic link that takes you directly to the
Quick create stack
page in the AWS management console.
You do not need to enter the template details manually in order to create the stack, it is auto-populated based on the
Security Capabilities and Permissions
you have selected.
Google Kubernetes Engine Container ClusterID Update
The resource ID for the
gcloud-container-describe-clusters
API in Prisma Cloud is updated in the backend. As a result, all resources for these APIs will be deleted and then regenerated on the management console.
Existing alerts for these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact
—You may notice a reduced alert count. However, once the resources for the
gcloud-container-describe-clusters
APIs resume ingesting data, the alert count will return to the original numbers.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Sarbanes-Oxley Act (SOX)
Prisma Cloud now supports the Sarbanes-Oxley Act (SOX) compliance standard.
In addition to improving the accuracy of corporate disclosures, SOX protects shareholders and the general public from accounting errors and fraudulent business practices. Corporations must save all business records, including electronic records and electronic messages, for "not less than five years" to comply with SOX. Non-compliance can result in fines, imprisonment, or both.
With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s
Compliance > Standard
page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.
CIS Google Cloud Platform Foundation Benchmark v2.0.0 (Level 1 and Level 2)
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Cloud Platform Foundation Benchmark v2.0.0 is based on the CIS Google Cloud Computing Platform Foundations Benchmark v1.0.0 published by the Center for Internet Security (CIS). The CIS benchmark provides guidance to securing the GCP environment, covering everything from network to servers to operating systems. The important sections covered in the benchmark include IAM, Logging and monitoring configuration, Virtual Network Security settings, and Kubernetes Engine configuration.
You can review this compliance standard and its associated policies on Prisma Cloud’s
Compliance > Standard
page.
CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2)
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2) is a set of recommendations for configuring Kubernetes to support a strong security posture. Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and is intended to be universally applicable. Based on the existing CIS Benchmark, this standard adds additional controls that are Google Cloud-specific.
You can review this compliance standard and its associated policies on Prisma Cloud’s
Compliance > Standard
page.

REST API Updates

CHANGE
DESCRIPTION
Update
Critical and Informational Severity Alerts Updates
The following new properties are added to the response objects of both:
  • summary
    object has two additional properties
    • informationalSeverityFailedResources
    • criticalSeverityFailedResources
  • complianceDetails
    array has two additional properties
    • informationalSeverityFailedResources
    • criticalSeverityFailedResources
The following new properties are added to the response objects of both:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources
The following new properties are added to the response objects of both:
  • summary
    object has two additional properties
    • informationalSeverityFailedResources
    • criticalSeverityFailedResources
  • groupedAggregates
    array has two additional properties
    • informationalSeverityFailedResources
    • criticalSeverityFailedResources
The following new properties are added to the response objects of both:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources
The following new properties are added to the response objects of both:
alertStatus object within the resources array has two additional properties
  • informational
  • critical
Update
Adoption Advisor API

New Features

FEATURE
DESCRIPTION
Adoption Advisor for Code to Cloud
To assist you in the process of monitoring and securing your cloud resources, the Adoption Advisor has been updated to provide guidance on foundational, intermediate, and advanced tasks throughout the application lifecycle. The Adoption Advisor includes three stages of the code to cloud application lifecycle: Code & Build, Deploy, and Runtime. You can follow these stages at your own pace, using the "walk, crawl, run" principles to gradually adopt various security capabilities.
Centralized Product Resources in Knowledge Center
The Knowledge Center integrates the resources that were in the Resource Center. You can now access all the product resources directly from the left navigation on Prisma Cloud.
Critical and Informational Severity Policies
To help you categorize and distinguish the varying degrees of severity of Prisma Cloud policies and associated alerts, two new levels of severity are being added. There are no changes to the severity of any system default policies. However, you can now modify policy severity to Critical and Informational as needed.
New Look for PDF Reports
The Compliance reports and the Cloud Security Assessment report for Alerts are updated with a new look and better visualization.
Update
Prisma Cloud Data Security-Scan .zip Files up to 2.5GB
Prisma Cloud can now scan your storage resources with .zip file extensions of up to 2.5GB for data classification and malware. The size of the uncompressed files must be:
  • less than 20MB to be supported by DSS for scanning and
  • less than 100MB to be supported by Wildfire for scanning.
Update
Change in Terraform file name for Azure and GCP accounts
The terraform files you download during onboarding Azure and GCP accounts on Prisma Cloud have new names.
  • Old Azure Terraform File Name—
    azure_template API
  • New Azure Terraform File Name—
    prisma-cloud-azure-terraform-<ts>.tf.json
  • Old GCP Terraform File Name—
    gcp_template API
  • New GCP Terraform File Name—
    prisma-cloud-gcp-terraform-<ts>.tf.json

API Ingestions

SERVICE
API DETAILS
Amazon Kendra
aws-kendra-index
Additional permissions required:
  • kendra:DescribeIndex
  • kendra:ListIndices
  • kendra:ListTagsForResource
The Security Audit role only includes the permission
kendra:ListIndices
.
You must manually add the permissions or update the CFT template to enable
kendra:DescribeIndex
and
kendra:ListTagsForResource
.
Amazon EventBridge
aws-events-eventbus
Additional permissions required:
  • events:ListTagsForResource
  • events:ListEventBuses
The Security Audit role includes these permissions.
Azure Automation Accounts
azure-automation-account-diagnostic-settings
Additional permissions required:
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Batch Account
azure-batch-account-diagnostic-settings
Additional permissions required:
  • Microsoft.Batch/batchAccounts/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Cognitive Services
azure-cognitive-search-service-diagnostic-settings
Additional permissions required:
  • Microsoft.Search/searchServices/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Cosmos DB
azure-documentdb-cassandra-clusters-diagnostic-settings
Additional permissions required:
  • Microsoft.DocumentDB/cassandraClusters/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Cosmos DB
azure-cosmos-db-diagnostic-settings
Additional permissions required:
  • Microsoft.DocumentDB/databaseAccounts/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Database for MariaDB Server
azure-database-maria-db-server-diagnostic-settings
Additional permissions required:
  • Microsoft.DBforMariaDB/servers/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Database for MySQL
azure-mysql-flexible-server-diagnostic-settings
Additional permissions required:
  • Microsoft.DBforMySQL/flexibleServers/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Database for PostgreSQL
azure-postgresql-flexible-server-diagnostic-settings
Additional permissions required:
  • Microsoft.DBforPostgreSQL/flexibleServers/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Event Hubs
azure-event-hub-namespace-diagnostic-settings
Additional permissions required:
  • Microsoft.EventHub/namespaces/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure Kubernetes Service
azure-kubernetes-cluster-diagnostic-settings
Additional permissions required:
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure SQL Database
azure-sql-db-diagnostic-settings
Additional permissions required:
  • Microsoft.Sql/servers/read
  • Microsoft.Sql/servers/databases/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Azure SQL Database
azure-sql-managed-instance-diagnostic-settings
Additional permissions required:
  • Microsoft.Sql/managedInstances/read
  • Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-analytics-datastore
Additional permissions required:
  • apigee.organizations.list
  • apigee.datastores.list
The Viewer role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-api-product
Additional permissions required:
  • apigee.organizations.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
The Viewer role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-api-proxy
Additional permissions required:
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.deployments.list
The Viewer role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-report
Additional permissions required:
  • apigee.organizations.list
  • apigee.reports.list
The Viewer role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-host-security-report
Additional permissions required:
  • apigee.organizations.list
  • apigee.envgroups.list
  • apigee.hostsecurityreports.list
The Viewer role includes these permissions.
Google Apigee X
gcloud-apigee-x-organization-security-profile
Additional permissions required:
  • apigee.organizations.list
  • apigee.securityProfiles.list
The Viewer role includes these permissions.
Update
Google BigQuery API
gcloud-bigquery-table
Additional permission required:
bigquery.tables.get
You must update the Terraform template to enable this permission.
Google Cloud KMS
gcloud-kms-keyring-list
Additional permissions required:
  • cloudkms.keyRings.get
  • cloudkms.keyRings.getIamPolicy
The Viewer role includes these permissions.
Google Cloud KMS
gcloud-kms-crypto-keys-list
Additional permissions required:
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.getIamPolicy
The Viewer role includes these permissions.
Google Dataproc Metastore
gcloud-dataproc-metastore-service
Additional permissions required:
  • metastore.locations.list
  • metastore.services.getIamPolicy
  • metastore.services.list
The Viewer role includes these permissions.
Google Dataplex
gcloud-dataplex-lake-zone-asset-action
Additional permissions required:
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.assets.list
  • dataplex.assetActions.list
The Viewer role includes these permissions.
Google Vertex AI
gcloud-vertex-ai-notebook-runtime
Additional permission required:
  • notebooks.runtimes.list
The Viewer role includes this permission.
OCI Analytics
oci-analytics-instance
Additional permissions required:
  • inspect analytics-instances
  • read analytics-instances
You must manually add these permissions.
OCI API Management
oci-apimanagement-apigateway-deployment
Additional permissions required:
  • inspect api-gateways
  • read api-gateways
  • inspect api-deployments
  • read api-deployments
You must manually add these permissions.
OCI Budgets
oci-budgets-budget
Additional permissions required:
  • inspect usage-budgets
  • read usage-budgets
You must manually add these permissions.
OCI Networking
oci-networking-ipsec-connection
Additional permission required:
  • inspect ipsec-connections
You must manually add the permission.
OCI Networking
oci-networking-networkloadbalancer
Additional permissions required:
  • inspect network-load-balancers
  • read network-load-balancers
You must manually add the permissions.

New Policies

No new policies for 23.1.1.

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
Azure AD Users can consent to apps accessing company data on their behalf is enabled
Changes—
The policy RQL and recommendation steps have been updated according to the CSP changes.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = permissionGrantPolicyIdsAssignedToDefaultUserRole[*] contains microsoft-user-default-legacy
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.permissionGrantPoliciesAssigned[*] contains microsoft-user-default-legacy
Impact—
Low. Previously generated alerts will be resolved as Policy_Updated.
SQL servers which do not have Azure Active Directory admin configured
Changes—
The policy Name, Description, and Recommendation steps have been updated to maintain consistency across policies. The RQL has been updated with a new RQL grammar that will improve the accuracy of the results.
Current Policy Name—
SQL servers which do not have Azure Active Directory admin configured
Updated Policy Name—
Azure SQL server not configured with Active Directory admin authentication
Updated Policy Description—
Identifies Azure SQL servers that are not configured with Active Directory admin authentication. Azure Active Directory authentication is a mechanism of connecting to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. As a best practice, configure SQL servers with Active Directory admin authentication.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = '$.serverAdmins !exists or $.serverAdmins[] size equals 0 or ($.serverAdmins[].properties.administratorType exists and $.serverAdmins[].properties.administratorType does not equal ActiveDirectory and $.serverAdmins[].properties.login is not empty)'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = serverAdmins does not exist or serverAdmins[*] size equals 0 or (serverAdmins[*].properties.administratorType exists and serverAdmins[*].properties.administratorType does not equal ActiveDirectory and serverAdmins[*].properties.login is not empty)
Impact—
No impact on alerts.
Azure Virtual Network subnet is not configured with a Network Security Group
Changes—
The policy RQL has been updated to ignore the case sensitive of the parameter value.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name is not member of ("GatewaySubnet", "AzureFirewallSubnet") and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicies'] equals Enabled and ['properties.privateLinkServiceNetworkPolicies'] equals Enabled
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicies'] equals Enabled and ['properties.privateLinkServiceNetworkPolicies'] equals Enabled
Impact—
Low. Previous generated alert for gateway subnets where the name is not as GatewaySubnet will be resolved as Policy_Updated.
Policy Updates-Metadata
Azure Storage Account default network access is set to 'Allow'
Changes—
The policy description and recommendation steps have been updated to reflect the latest CSP changes.
Updated Policy Description—
Identifies Storage accounts which have default network access is set to 'Allow'. Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
Impact—
No impact on alerts.
GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
Changes—
The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.
Current Policy Name—
GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
Updated Policy Name—
GCP Kubernetes Engine Clusters have Cloud Logging disabled
Updated Policy Description—
Identifies Kubernetes Engine Clusters which have disabled Cloud Logging. Enabling Cloud Logging will let the Kubernetes Engine to collect, process, and store your container and system logs in a dedicated persistent data store.
Impact—
No impact on alerts.
GCP User managed service accounts have user managed service account keys
Changes—
The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact—
No impact on alerts.
GCP Kubernetes Engine Clusters have Legacy Authorization enabled
Changes—
The policy recommendation steps have been updated to reflect the latest CSP changes. The remediation CLI has been removed because there is no single cli command that can update both Zonal and Regional GKE clusters.
Impact—
Changes to recommendation steps will have no impact on existing alerts. There is no remediation support available.
GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
Changes—
The policy description has been updated to reflect the latest CSP changes.
Updated Policy Description—
Identifies Kubernetes Engine Clusters which have disabled Cloud monitoring. Enabling Cloud monitoring will let the Kubernetes Engine to monitor signals and build operations in the clusters.
Impact—
No impact on alerts.
GCP Kubernetes Engine Clusters not configured with network traffic egress metering
Changes—
The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact—
No impact on alerts.
GCP Log metric filter and alert does not exist for Project Ownership assignments/changes
Changes—
The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact—
No impact on alerts.
Logging on the Stackdriver exported Bucket is disabled
Changes—
The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.
Current Policy Name—
Logging on the Stackdriver exported Bucket is disabled
Updated Policy Name—
GCP Bucket containing Operations Suite Logs have bucket logging disabled
Updated Policy Description—
Identifies the buckets containing Operations Suite Logs for which logging is disabled. Enabling bucket logging, logs all the requests made on the bucket which can be used for debugging and forensics. It is recommended to enable logging on the buckets containing Operations Suite Logs.
Impact—
No impact on alerts.
Policy Deletions
AWS Policies
Changes—
The following policies are deleted because the API used in it does not ingest the required fields. This policy validates the availability limit for the Subnet and Security group, which is not a security misconfiguration:
  • AWS VPC Subnets nearing availability limit
  • AWS VPC Security group nearing availability limit
Impact—
No impact on alerts. The compliance mapping for the above policy is removed due to which the compliance score can get affected. The affected compliance standards are:
NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019
AWS EC2 instance is not configured with VPC
Changes—
AWS has deprecated the AWS classic network service. As a result, this policy is now obsolete and is deleted.
Impact—
No impact on alerts. The compliance mapping for the above policy is removed due to which the compliance score can get affected. The affected compliance standards are:
NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019

Changes in Existing Behavior

FEATURE
DESCRIPTION
Google BigQuery API Resource ID Update
The resource ID for the
gcloud-bigquery-dataset-list
in Prisma Cloud is updated in the backend. As a result, all resources for
gcloud-bigquery-dataset-list
API will be deleted and then regenerated on the management console.
Existing alerts corresponding to these resources is resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact
—You may notice a reduced count for the number of alerts. However, once the resources for the
gcloud-bigquery-dataset-list
API resumes ingesting data, the alert count will return to the original numbers.
Near Zero Rate Limit Exception for GCP APIs
You must enable the following GCP APIs for each project that the Prisma Cloud service account accesses to monitor and protect your GCP resources. If you have onboarded your GCP account at the Organization level, this configuration ensures that the API rate limit quota is applied to each GCP project that is part of the onboarded GCP Organization, and not counted entirely towards the project where the service account is created.
  • bigtableadmin.googleapis.com
  • container.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • pubsub.googleapis.com
  • serviceusage.googleapis.com
  • firebaserules.googleapis.com
Impact
—No impact on alerts.

REST API Updates

CHANGE
DESCRIPTION
Update
Asset Explorer API
The following new query parameters are added to the existing GET/resource/scan_info endpoint:
  • asset.severity
  • vulnerability.severity
  • includeEventForeignEntities
This API has been updated to show the following new fields in the JSON response body for GET/resource/scan_info and POST/resource/scan_info endpoints:
  • resourceConfigJsonAvailable
  • resourceDetailsAvailable
  • unifiedAssetId
  • vulnerabilityStatus
  • assetType
Update
Asset Inventory API
The following new query parameters are added to the existing GET/v2/inventory endpoint:
  • asset.severity
  • vulnerability.severity
Changes to the Get Asset Endpoint Response Object
The structure of the Get Asset (POST /uai/v1/asset) response object has been modified. All the properties of the data object are now included under a new asset object. The asset object is included in the data object.

Recommended For You