Look Ahead—Planned Updates on Prisma Cloud
Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned in the 23.6.1 release. The Look Ahead announcements cover only the upcoming or next release; they are not a cumulative list of all announcements.
Note that the details and functionality listed below are a preview, and the actual release date is subject to change.
Changes in Existing Behavior
FEATURE | DESCRIPTION |
---|---|
Rate Limit on POST /login Endpoint | Starting with 23.6.2, the POST /login endpoint will enforce rate limiting (HTTP response code 429). |
S3 Flow Logs with Hourly Partition | If you currently ingest AWS flow logs using S3 with the 24-hour partition, you need to change it to the hourly partition before June 1, 2023. To make this change, configure Flow Logs to use the hourly partition and enable the required additional fields. Impact— VPC flow logs with partitions set to Every 24 hours (default) will be disabled. As a result, you will no longer be able to monitor or receive alerts for these logs. |
Access to Alerts for Deleted Assets | Resolved alerts for assets that have been deleted in cloud accounts onboarded to Prisma Cloud will remain viewable for up to 90 days after asset deletion. After 90 days, these alerts will be permanently deleted from Prisma Cloud. This change will be in effect starting July 1, 2023. Before July 1, if you want to export all resolved alerts older than 90 days for assets that have been deleted on the cloud account, use this API endpoint: https://pan.dev/prisma-cloud/api/cspm/get-alerts-v-2/ |
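Once POST /login answers with HTTP 429, any script or integration that logs in repeatedly (scheduled exports, CI jobs, alert pollers) should back off instead of retrying in a tight loop. The following is an added example, not code from the Prisma Cloud documentation: a retry wrapper that honours a Retry-After header if the 429 response carries one (an assumption; the page only states the status code) and otherwise falls back to capped exponential backoff with jitter. The HTTP call is injected as `post_fn`, and `make_fake_server` replays constructed responses so the logic runs offline.

```python
"""Retry a login call that can be rate limited with HTTP 429.

Added example, not code from the Prisma Cloud documentation. It assumes only
what the page states: POST /login may answer with HTTP 429. Whether the
response carries a Retry-After header is an assumption; if it does, the header
is honoured, otherwise exponential backoff with full jitter is used. The HTTP
call itself is injected (post_fn) so the retry logic can be exercised offline.
"""
import random
import time


class RateLimitedError(Exception):
    """Raised when every attempt was answered with 429."""


def retry_delay(attempt, headers, base=1.0, cap=30.0, rng=random.random):
    """Seconds to wait before the next attempt.

    Honour a numeric Retry-After header when present (assumed, not documented
    on the page); otherwise use capped exponential backoff with full jitter.
    """
    retry_after = headers.get("Retry-After") if headers else None
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # HTTP-date form of Retry-After: fall back to backoff
    return rng() * min(cap, base * (2 ** attempt))


def login_with_backoff(post_fn, payload, max_attempts=5,
                       sleep=time.sleep, rng=random.random):
    """Call post_fn(payload) -> (status, headers, body) until it is not 429.

    Returns the first non-429 response tuple. Raises RateLimitedError once
    max_attempts were all rate limited, so the caller never hammers the
    endpoint and never loops forever against a throttled account.
    """
    for attempt in range(max_attempts):
        status, headers, body = post_fn(payload)
        if status != 429:
            return status, headers, body
        if attempt == max_attempts - 1:
            break
        sleep(retry_delay(attempt, headers, rng=rng))
    raise RateLimitedError(f"login rate limited after {max_attempts} attempts")


def make_fake_server(responses):
    """Constructed stand-in for the real endpoint: replays scripted responses."""
    queue = list(responses)

    def post_fn(_payload):
        return queue.pop(0)
    return post_fn


def demo():
    """Two 429s (one with Retry-After) then a 200; returns (status, delays)."""
    delays = []  # captured instead of sleeping so the run is instantaneous
    server = make_fake_server([
        (429, {"Retry-After": "2"}, ""),
        (429, {}, ""),
        (200, {}, '{"token": "constructed-sample-token"}'),
    ])
    status, _headers, _body = login_with_backoff(
        server, {"username": "placeholder-user", "password": "placeholder"},
        sleep=delays.append, rng=lambda: 0.5)
    return status, delays


if __name__ == "__main__":
    print(demo())  # (200, [2.0, 1.0])
```

Keeping `max_attempts` finite matters as much as the delay: a login that keeps failing with 429 should surface as an error in the job's logs rather than silently consuming the quota that interactive users share.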
New Policies
Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.
Access the Look Ahead for New Policies
To learn about the new policies that will be added in the next release:
- Find the Prisma Cloud policies folder on GitHub. The folder contains RQL-based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
- Select the branch for which you want to review policy updates. The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release branch or the next release branch to review the policies that were published previously or are planned for the upcoming release. Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-23.6.1.
- Review the updates. Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped into new policies and updated policies. Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names describe the characteristic each one represents; the JSON field named searchModel.query provides the RQL for the policy.
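Reviewing what the next release changes is easier with two checkouts side by side (for example the Master branch and the next PCS-<year>.<month>.<n> branch) than by reading the changelog alone, because the changelog lists names while the RQL itself lives in searchModel.query. The script below is an added example, not code from the Prisma Cloud documentation or the policies repository: it loads every policy JSON file from two directories and reports which policies the upcoming branch adds, removes, or rewrites. It assumes each file holds a `searchModel` object with a `query` field (the one field the page documents); the `name` field and the constructed RQL strings in `demo()` are sample data, not real policy text.

```python
"""Diff the RQL of Prisma Cloud policy JSON files between two branches.

Added example; not code from the Prisma Cloud documentation or the policies
GitHub repository. Assumes two local checkouts of the policies folder and that
each policy file is JSON with a "searchModel" object whose "query" holds the
RQL (documented on the page). The "name" field is an assumption, and the RQL
strings written by demo() are constructed sample data.
"""
import json
import tempfile
from pathlib import Path


def load_policies(policy_dir):
    """Map policy filename stem -> RQL string (None if the file has no RQL)."""
    policies = {}
    for path in sorted(Path(policy_dir).glob("*.json")):
        with path.open(encoding="utf-8") as fh:
            policy = json.load(fh)
        policies[path.stem] = policy.get("searchModel", {}).get("query")
    return policies


def diff_policies(current_dir, next_dir):
    """Report which policies the next branch adds, removes or rewrites.

    Returns {"added": [...], "removed": [...], "changed": {name: (old, new)}}
    so a reviewer can read the old and new RQL of every changed policy and
    judge whether existing alerts will resolve or new ones will fire.
    """
    current = load_policies(current_dir)
    upcoming = load_policies(next_dir)
    added = sorted(set(upcoming) - set(current))
    removed = sorted(set(current) - set(upcoming))
    changed = {
        name: (current[name], upcoming[name])
        for name in sorted(set(current) & set(upcoming))
        if current[name] != upcoming[name]
    }
    return {"added": added, "removed": removed, "changed": changed}


def write_policy(directory, name, query):
    """Write one constructed policy file in the assumed layout."""
    Path(directory).mkdir(parents=True, exist_ok=True)
    body = {"name": name, "searchModel": {"query": query}}
    (Path(directory) / f"{name}.json").write_text(json.dumps(body),
                                                  encoding="utf-8")


def demo():
    """Build two constructed branch checkouts and diff them (sample data)."""
    root = Path(tempfile.mkdtemp())
    master = root / "master" / "policies"
    upcoming = root / "PCS-next" / "policies"
    # Constructed RQL strings, not real Prisma Cloud policy text.
    write_policy(master, "Example bucket publicly writable",
                 "config from cloud.resource where api.name = 'example-bucket-acl' "
                 "AND json.rule = grants[*].grantee = 'AllUsers'")
    write_policy(upcoming, "Example bucket publicly writable",
                 "config from cloud.resource where api.name = 'example-bucket-acl' "
                 "AND json.rule = grants[*].grantee is member of "
                 "('AllUsers', 'AuthenticatedUsers')")
    write_policy(master, "Example policy to be retired",
                 "config from cloud.resource where api.name = 'example-old'")
    write_policy(upcoming, "Example brand new policy",
                 "config from cloud.resource where api.name = 'example-new'")
    return diff_policies(master, upcoming)


if __name__ == "__main__":
    report = demo()
    print("added:", report["added"])
    print("removed:", report["removed"])
    for name, (old, new) in report["changed"].items():
        print(f"changed: {name}\n  old: {old}\n  new: {new}")
```

Run it against real checkouts with `diff_policies("master/policies", "PCS-23.6.1/policies")`; the `changed` entries correspond to the "Policy Updates—RQL" rows in this Look Ahead and are the ones worth reading before the release lands.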
Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
Policy Updates—RQL | |
AWS S3 bucket policy overly permissive to any principal | Changes— The policy RQL will be updated to consider the Block Public Access settings configured at account and bucket level. Severity— Medium. Impact— Medium. Based on the Block Public Access settings at account and bucket level, some alerts might get resolved. |
AWS S3 bucket publicly writable | Changes— The policy RQL will be updated to also check for Authenticated Users access. Severity— High. Impact— Low. New alerts may be generated if Authenticated Users have Write permissions. |
GCP Log metric filter and alert does not exist for VPC network route delete and insert | Changes— The policy RQL will be updated to verify whether the resource type is present in the Log metric filter. Severity— Informational. Current RQL— Updated RQL— Impact— Low. New alerts will be generated against the policy violations. |
GCP Log metric filter and alert does not exist for VPC network route changes | Changes— The policy RQL will be updated to verify whether the resource type is present in the Log metric filter. Severity— Informational. Current RQL— Updated RQL— Impact— Low. New alerts will be generated against the policy violations. |
GCP Log metric filter and alert does not exist for VPC network route patch and insert | Changes— The policy RQL will be updated to verify whether the resource type is present in the Log metric filter. Severity— Informational. Current RQL— Updated RQL— Impact— Low. New alerts will be generated against the policy violations. |
GCP Log metric filter and alert does not exist for VPC network changes | Changes— The policy RQL will be updated to verify whether the resource type is present in the Log metric filter. Severity— Informational. Current RQL— Updated RQL— Impact— Low. New alerts will be generated against the policy violations. |
GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes | Changes— The policy RQL will be updated to verify whether the resource type is present in the Log metric filter. Severity— Informational. Current RQL— Updated RQL— Impact— Low. New alerts will be generated against the policy violations. |
API Ingestions
The following API ingestion updates are planned for Prisma Cloud in 23.6.1:
SERVICE | API DETAILS |
---|---|
Amazon DAX | aws-dax-parameter-group. Additional permissions required: The Security Audit role includes the permissions. |
AWS Shield | aws-shield-drt-access. Additional permission required: The Security Audit role includes the permission. |
Amazon API Gateway | aws-apigatewayv2-stage. Additional permission required: The Security Audit role includes the permission. |
Google Cloud DNS | gcloud-dns-resource-record-set. Additional permissions required: The Viewer role includes the permissions. |
Google Vertex AI | gcloud-vertex-ai-notebook-instance-schedule. Additional permissions required: The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-zone-action. Additional permissions required: The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-action. Additional permissions required: The Viewer role includes the permissions. |
OCI Service Mesh | oci-service-mesh-ingressgateway-routetable. Additional permissions required: You must update the Terraform template to enable the permissions. |
OCI Service Mesh | oci-service-mesh-ingressgateway. Additional permissions required: You must update the Terraform template to enable the permissions. |
OCI Database | oci-database-db-node. Additional permissions required: You must update the Terraform template to enable the permissions. |
Deprecation Notices
DEPRECATION NOTICE | |
---|---|
Prisma Cloud CSPM REST API for Alerts | Some Alert API request parameters and response object properties are now deprecated. Query parameter risk.grade is deprecated for the following requests: Request body parameter risk.grade is deprecated for the following requests: Response object property riskDetail is deprecated for the following requests: Response object property risk.grade.options is deprecated for the following request: |