Features Introduced in May 2023
Learn what’s new on Prisma™ Cloud in May 2023.
New Features Introduced in 23.5.2
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Release Notes Look Ahead Displayed on Home Page | The New in Prisma Cloud section on the Home page now includes information from the Look Ahead section of the release notes. Use this information to reach the release notes and stay informed about deprecation notices and changes in behavior. |
| Adoption Advisor Furthers Your Code & Build Hygiene | The Adoption Advisor now includes two additional checks for enforcing hygiene in the Code & Build phase. You can Create Custom Secret Signature in the Code Policy Management category; this lets you prevent developers from committing hard-coded secrets that match your custom signatures. You can Add Drift Alert Rule in the Notifications category; this lets you trace, and be notified about, configuration differences between your deployed cloud resources and your IaC templates so that you can remediate drift quickly. |
| Attack Path Policies Displayed on Home Page, Command Center, and Alerts | Prisma Cloud Attack Path policies identify the confluence of issues that increase the likelihood of a security breach. You can now view the Attack Path policies on the Home page, on the Command Center dashboard, and on the Alerts page as a specific Saved View. |
API Ingestions
| SERVICE | API DETAILS |
|---|---|
| Update Amazon Translate | aws-translate-terminology<br>This API is updated to remove the CreatedAt field from the resource JSON. |
| AWS Serverless Application Repository | aws-serverlessrepo-application<br>Additional permissions required:<br>The Security Audit role includes the permissions. |
| AWS Transfer Family | aws-transfer-family-user<br>Additional permissions required:<br>The Security Audit role includes the permissions. |
| Amazon API Gateway | aws-apigatewayv2-api<br>Additional permission required:<br>The Security Audit role includes the permission. |
| Google Traffic Director Network Service | gcloud-traffic-director-network-service-tls-route<br>Additional permission required:<br>The Viewer role includes the permission. This API lists only global resources. |
| Google Traffic Director Network Service | gcloud-traffic-director-network-service-tcp-route<br>Additional permission required:<br>The Viewer role includes the permission. This API lists only global resources. |
| Google Traffic Director Network Service | gcloud-traffic-director-network-service-grpc-route<br>Additional permission required:<br>The Viewer role includes the permission. This API lists only global resources. |
| Google Traffic Director Network Service | gcloud-traffic-director-network-service-http-route<br>Additional permission required:<br>The Viewer role includes the permission. This API lists only global resources. |
New Policies
| NEW POLICIES | DESCRIPTION |
|---|---|
| Azure Virtual Machine that is reachable from any untrust internet source to ports with high risk | Identifies Azure Virtual Machines that are reachable from any untrusted internet source on high-risk ports. Azure VMs whose high-risk ports accept untrusted traffic may enable bad actors to brute-force the system and gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.<br>Severity— High<br>RQL— |
| Azure SQL Server (PaaS) reachable from any untrust internet source | Identifies Azure SQL Servers (PaaS) that are reachable from any untrusted internet source on TCP port. SQL Server instances that accept untrusted traffic from the internet may enable bad actors to brute-force the system and gain unauthorized access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.<br>Severity— High<br>RQL— |
| GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) | Identifies GCP VM instances that are internet reachable with unrestricted access (0.0.0.0/0). VM instances with unrestricted access from the internet may enable bad actors to brute-force the system and gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.<br>Severity— High<br>RQL— |
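The three policies above share one idea: a resource counts as exposed when a path from an unrestricted internet source reaches it. The following added example (not Prisma Cloud code, and not the policies' RQL, which is not shown on this page) makes that decision for the GCP case by evaluating VPC firewall rules the way GCP resolves them: the lowest priority number wins, a deny beats an allow at equal priority, and ingress with no matching rule is implicitly denied. The FirewallRule and Instance records, the sample rules, the sample instances and the list of checked ports are all constructed for the example and model only a simplified subset of the compute API fields (integer ports, no port ranges).

```python
"""Added example: is a GCP VM instance reachable from 0.0.0.0/0 through the VPC
firewall? Constructed data model, not Prisma Cloud's evaluator or RQL."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FirewallRule:
    name: str
    priority: int                       # 0-65535; lower number = higher priority
    action: str                         # "allow" or "deny"
    source_ranges: List[str]            # ingress source CIDRs
    target_tags: List[str] = field(default_factory=list)  # empty = every instance in the network
    ports: Optional[List[int]] = None   # None = all ports (simplification: ints, no ranges)


@dataclass
class Instance:
    name: str
    status: str                         # e.g. "RUNNING", "TERMINATED"
    has_external_ip: bool
    tags: List[str] = field(default_factory=list)


def _rule_targets(rule: FirewallRule, inst: Instance) -> bool:
    """A rule with no target tags applies to every instance; otherwise tags must overlap."""
    return not rule.target_tags or bool(set(rule.target_tags) & set(inst.tags))


def port_open_to_internet(inst: Instance, rules: List[FirewallRule], port: int) -> bool:
    """True if a packet from 0.0.0.0/0 to `port` is allowed by the first rule that matches."""
    if inst.status != "RUNNING" or not inst.has_external_ip:
        return False                    # nothing reachable without a running instance and a public address
    # GCP ordering: lower priority number first; deny before allow when the number is equal.
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if "0.0.0.0/0" not in rule.source_ranges or not _rule_targets(rule, inst):
            continue
        if rule.ports is None or port in rule.ports:
            return rule.action == "allow"
    return False                        # implied deny-all ingress rule


def internet_exposed_ports(inst: Instance, rules: List[FirewallRule], ports: List[int]) -> List[int]:
    """Ports among `ports` that the policy would report as unrestricted-access exposure."""
    return [p for p in ports if port_open_to_internet(inst, rules, p)]


# Constructed sample rules and instances (not from any real project).
SAMPLE_RULES = [
    FirewallRule("allow-web-and-ssh", 1000, "allow", ["0.0.0.0/0"], ["web"], [22, 80, 443]),
    FirewallRule("deny-ssh-hardened", 900, "deny", ["0.0.0.0/0"], ["hardened"], [22]),
    FirewallRule("allow-internal-all", 1000, "allow", ["10.0.0.0/8"], [], None),
]
SAMPLE_INSTANCES = [
    Instance("web-1", "RUNNING", True, ["web"]),
    Instance("web-2", "RUNNING", True, ["web", "hardened"]),
    Instance("db-1", "RUNNING", False, ["db"]),
    Instance("web-old", "TERMINATED", True, ["web"]),
]
CHECKED_PORTS = [22, 80, 443, 3389]     # constructed list of ports worth reporting


def evaluate(instances: List[Instance], rules: List[FirewallRule],
             ports: List[int] = CHECKED_PORTS) -> Dict[str, List[int]]:
    """Instance name -> exposed ports, listing only instances that have at least one."""
    report: Dict[str, List[int]] = {}
    for inst in instances:
        exposed = internet_exposed_ports(inst, rules, ports)
        if exposed:
            report[inst.name] = exposed
    return report


if __name__ == "__main__":
    for name, open_ports in evaluate(SAMPLE_INSTANCES, SAMPLE_RULES).items():
        print(f"{name}: reachable from 0.0.0.0/0 on ports {open_ports}")
```

In the sample data, web-2 carries the hardened tag, so the higher-priority deny removes port 22 from its exposure while 80 and 443 remain; db-1 has no external address and web-old is not running, so neither is reported. The rule that allows everything from 10.0.0.0/8 never counts, because only a source of 0.0.0.0/0 satisfies the unrestricted-access condition the policies describe.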
Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Policy Updates—RQL | |
| AWS S3 bucket is not configured with MFA Delete | Changes— The policy RQL has been updated to exclude S3 buckets that are configured with bucketLifecycleConfiguration rules, because MFA Delete cannot be enabled on those buckets.<br>Severity— Low<br>Current RQL—<br>Updated RQL—<br>Impact— Medium. Existing alerts for AWS S3 buckets that have a bucket lifecycle configuration will be resolved as Policy_Updated. |
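The update above changes which buckets the MFA Delete policy reports, and the impact line follows from that difference. The following added example (not Prisma Cloud code, and not the policy's RQL, which this page does not show) evaluates the check in both its old and its updated form over constructed bucket records, so the set of alerts that the update resolves falls out as the difference. The record shape mimics the Status/MFADelete keys of an S3 GetBucketVersioning response and a list of lifecycle rules, but the records, names and the `lifecycle_rules` key are constructed for the example.

```python
"""Added example: the S3 MFA Delete check before and after excluding buckets with
lifecycle rules. Constructed bucket records; not Prisma Cloud's RQL."""
from typing import Dict, List


def lacks_mfa_delete(bucket: Dict) -> bool:
    """True unless versioning reports MFADelete == 'Enabled' (an absent key counts as off)."""
    return bucket.get("versioning", {}).get("MFADelete") != "Enabled"


def has_lifecycle_rules(bucket: Dict) -> bool:
    """Buckets with lifecycle rules cannot have MFA Delete enabled, so an alert would be unactionable."""
    return bool(bucket.get("lifecycle_rules"))


def violating_buckets(buckets: List[Dict], exclude_lifecycle: bool) -> List[str]:
    """Names of buckets the policy alerts on.

    exclude_lifecycle=False is the previous behaviour; True is the updated one
    described in the release note (lifecycle-configured buckets are skipped).
    """
    names = []
    for bucket in buckets:
        if exclude_lifecycle and has_lifecycle_rules(bucket):
            continue
        if lacks_mfa_delete(bucket):
            names.append(bucket["name"])
    return sorted(names)


def resolved_by_update(buckets: List[Dict]) -> List[str]:
    """Alerts that exist under the old check but not under the new one (resolved as Policy_Updated)."""
    before = set(violating_buckets(buckets, exclude_lifecycle=False))
    after = set(violating_buckets(buckets, exclude_lifecycle=True))
    return sorted(before - after)


# Constructed sample buckets (not real accounts or data).
SAMPLE_BUCKETS = [
    {"name": "logs-archive",                       # MFA Delete off, but lifecycle rules present
     "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
     "lifecycle_rules": [{"ID": "expire-old-logs", "Status": "Enabled"}]},
    {"name": "finance-docs",                       # compliant
     "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
     "lifecycle_rules": []},
    {"name": "scratch",                            # versioning never configured
     "versioning": {},
     "lifecycle_rules": []},
    {"name": "backups",                            # versioned, MFADelete key absent
     "versioning": {"Status": "Enabled"},
     "lifecycle_rules": []},
]


if __name__ == "__main__":
    print("before update:", violating_buckets(SAMPLE_BUCKETS, exclude_lifecycle=False))
    print("after update: ", violating_buckets(SAMPLE_BUCKETS, exclude_lifecycle=True))
    print("resolved as Policy_Updated:", resolved_by_update(SAMPLE_BUCKETS))
```

Treating a missing MFADelete key the same as "Disabled" is deliberate: a bucket that has never had versioning configured is just as far from MFA Delete as one where it was explicitly turned off, and the sample shows both cases being reported while the lifecycle-configured bucket drops out after the update.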
Changes in Existing Behavior
| FEATURE | DESCRIPTION |
|---|---|
| Disabled Policy cannot be Re-enabled within 4 Hours | When you disable a policy, the following message is displayed: Disabling this policy will automatically mark any open alerts as resolved. You won’t be able to enable the policy back for 4 hours. Are you sure you want to continue? After you confirm, the policy is disabled, and that moment starts a 4-hour window during which you cannot re-enable the policy. During this period the button to enable the policy is greyed out in the UI, and if you use the API to change the policy status, the HTTP response returns an error.<br>Impact— The restriction applies to all policy types and all policy severities. |
| UEBA Anomaly Policy Attribution Extended to Support Compute Instances | Alerts from UEBA anomaly policies were attributed to compute instances by their cloud IDs rather than their names. For example, an alert was attributed to an AWS EC2 instance by its ID i-019b8f824f4f77001 and not by its name demo-host. For such an alert you could not click the resource to see its Unified Asset Inventory (UAI) details, and the Command Center also reported the instance by its ID instead of its name. Prisma Cloud has now added checks to UEBA anomaly policies to make sure alerts are attributed to a resource by its name. When you click a resource on the Alerts page, the UAI details are now displayed. |
REST API Updates
No REST API updates for 23.5.2.
Deprecation Notice
| FEATURE | DESCRIPTION |
|---|---|
| Azure Defender for Cloud Secure Score API Ingestion | Prisma Cloud no longer ingests metadata for the azure-defender-for-cloud-secure-score API. In RQL, the key is no longer offered in the api.name attribute auto-completion.<br>Impact— If you have saved searches or custom policies based on this API, you must delete them manually. The policy alerts will be resolved as Policy_deleted. |
New Features Introduced in 23.5.1
New Features
| FEATURE | DESCRIPTION |
|---|---|
| Recurring Reports for Cloud Security Assessment | To make sure that you are not missing anything important, you can now schedule a recurring Cloud Security Assessment Report and keep track of the risks from open alerts in your monitored cloud accounts. You can customize it to run daily, weekly, or monthly and pick an email template. Once you set it up, you can access all scheduled reports on Alerts > Reports. |
| Credit Allocation for Usage | You can now distribute the credits you have purchased for the security features on Prisma Cloud among your teams. When you add a credit allocation rule (Settings > Licensing > Credit Allocation), you provide the total number of credits for an account group and define the usage threshold (as a percentage) at which you want to be notified. For example, if you set the threshold to 80% for 1000 credits, an alarm is generated when usage reaches 800 credits. You can also monitor credit usage on Settings > Licensing > Credit Allocation. |
| Cloud Network Analyzer Support for GCP | Prisma Cloud now supports network exposure queries on GCP cloud environments. In addition to AWS and Azure, you can now calculate the net effective reachability of your GCP cloud resources. |
| Additional Alert Details in Asset Detail View | In Asset Inventory, to help you understand the risks posed by policy violations, the alert details in the asset detail view now display Policy Name and Alert Time in addition to Alert ID and Severity. |
| Home Page Access for All | All Prisma Cloud users who log in to the administrative console can now view the Home page. Depending on your permissions, you can use this page to see urgent alerts and recommended workflows, and as a launch point for onboarding the assets you want to monitor. Release Notes and industry research from our Unit 42 team are also at your fingertips. |
| Broadened Access for Adoption Advisor | The Adoption Advisor is now accessible to all Prisma Cloud users. Based on your role and access privileges, you can view a list of items and widgets that provide visibility into your operationalization journey, along with guidance on next steps and remediation actions to secure your cloud infrastructure from code to cloud. |
| Enhancements to IAM Asset Details | Enhancements to the IAM details view give you greater visibility into the permissions associated with your assets. Currently, additional information is available for AWS: |
API Ingestions
| SERVICE | API DETAILS |
|---|---|
| AWS IoT Analytics | aws-iot-analytics-channel<br>Additional permissions required:<br>You must manually add the permissions or update the CFT template to enable them. Not supported in AWS Gov. |
| AWS Security Hub | aws-securityhub-enabled-standards<br>Additional permission required:<br>The Security Audit role includes the permission. |
| Azure Compute | azure-compute-gallery<br>Additional permission required:<br>The Reader role includes the permission. |
| Azure Compute | azure-compute-gallery-image<br>Additional permissions required:<br>The Reader role includes the permissions. |
| Azure Managed Identity | azure-managed-identity-user-assigned-identities<br>Additional permission required:<br>The Reader role includes the permission. |
| Update Azure Key Vault | azure-key-vault-list<br>The resource JSON for this API now includes the following new fields under the key[*] subfield.<br>For RSA Key:<br>For Elliptic Curve Key: |
| Update Azure Service Fabric | azure-service-fabric-cluster<br>The resource JSON for this API no longer includes the properties.clusterState field. |
| Google Hybrid Connectivity | gcloud-hybrid-connectivity-global-hub<br>Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Hybrid Connectivity | gcloud-hybrid-connectivity-spoke<br>Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Serverless VPC Access | gcloud-serverless-vpc-access-connector<br>Additional permissions required:<br>The Viewer role includes the permissions. |
| Google Stackdriver Logging | gcloud-logging-default-sink-exclusion<br>Additional permission required:<br>The Viewer role includes the permission. |
| OCI Service Mesh | oci-service-mesh-virtualservice-routetable<br>Additional permissions required:<br>You must update the Terraform template to enable the permissions. |
| OCI Service Mesh | oci-service-mesh-virtualservice<br>Additional permissions required:<br>You must update the Terraform template to enable the permissions. |
New Policies
| NEW POLICIES | DESCRIPTION |
|---|---|
| AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and port scan activity | Identifies AWS EC2 instances that are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for port scan activity. A port scan is a type of discovery attack in which a source host probes a target host across multiple ports to find out which services are running and to uncover vulnerabilities associated with those services. Network connectivity with remote systems known for port scan activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already compromised.<br>Policy Severity— Critical. |
| AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and ransomware activity | Identifies AWS EC2 instances that are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for ransomware activity. Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment to regain access. Network connectivity with remote systems known for ransomware activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already compromised.<br>Policy Severity— Critical. |
Policy Updates
| POLICY UPDATES | DESCRIPTION |
|---|---|
| Policy Updates—RQL | |
| Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port | Changes— The policy name and RQL are updated so that instances exposed on the HTTP (80) and HTTPS (443) ports are also reported, and only instances in the active (running) state are reported.<br>Current Name— Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port<br>Updated Name— Azure Virtual Machine in running state that is internet reachable with unrestricted access (0.0.0.0/0)<br>Updated Description— Identifies Azure VM instances in running state that are internet reachable with unrestricted access (0.0.0.0/0). VM instances with unrestricted access from the internet may enable bad actors to brute-force the system and gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.<br>Severity— High<br>Current RQL—<br>Updated RQL—<br>Impact— Medium. New alerts will be generated for instances that are exposed to the internet on the HTTP or HTTPS port. |
| GCP Kubernetes Engine Clusters have Master authorized networks disabled | Changes— The policy RQL is updated to reflect the latest CSP behavior.<br>Severity— Low<br>Current RQL—<br>Updated RQL—<br>Impact— Medium. New alerts are generated for the failing resources. This includes resources where Master authorized networks were previously enabled but are now configured as disabled. |
| Policy Deletions | |
| GCP Policies | The following policies are deleted because GCP has deprecated basic authentication, the Kubernetes dashboard, and Istio for GKE.<br>Impact— Low. Previously generated alerts are resolved as Policy_Deleted. The out-of-the-box compliance mappings for the above policies are removed, which can affect the compliance score. |
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
|---|---|
| Support for Mitre Att&ck v12 | Prisma Cloud now supports the Mitre Att&ck v12 compliance standard. The MITRE ATT&CK framework is a curated knowledge base that tracks the tactics and techniques of cyber adversaries throughout the attack lifecycle, and it is intended to be used as a tool to improve your organization’s security posture. You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. |
| Support for CRI Profile v.1.2.1 | Prisma Cloud now supports the CRI Profile v.1.2.1 compliance standard. This version adds a reference to cybersecurity time synchronization controls based on best practices, as requested by the U.S. Department of the Treasury. You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. |
| Support for CIS Microsoft Azure Foundations Benchmark v2.0.0 | Prisma Cloud now supports the CIS Microsoft Azure Foundations Benchmark v2.0.0 compliance standard. This benchmark specifies best practices for configuring Azure services. You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. |
Changes in Existing Behavior
| FEATURE | DESCRIPTION |
|---|---|
| Critical Severity Policies Included in Auto-Enable Default Policies in Enterprise Settings | Prisma Cloud now includes Critical severity policies in the list of policies that are enabled out of the box under Enterprise Settings > Auto-Enable Default Policies.<br>Impact— |
| Support for Permissions for Code Security | Prisma Cloud now includes additional read permissions for Code Security in the Terraform template that you use for onboarding GCP organizations and projects.<br>Impact— None. The additional read permissions are included by default in the Terraform template. |
REST API Updates
No REST API updates for 23.5.1.