Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned in the 23.10.1 release. The Look Ahead announcements are for an upcoming or next release and are not a cumulative list of all announcements.
Note that the details and functionality listed below are a preview and the actual release date is subject to change.

New Policies

Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.

Access the Look Ahead for New Policies

To learn about the new policies that will be added in the next release:
  1. Find the Prisma Cloud policies folder on GitHub.
    The folder contains RQL-based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
  2. Select the branch for which you want to review policy updates.
    The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch to review the policies that were published previously or are planned for the upcoming release.
    Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-23.10.1.
  3. Review the updates.
    Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped by new policies and updated policies.
    Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names are descriptive, so you can easily identify the characteristic each one represents. The JSON field named searchModel.query provides the RQL for the policy.
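
As an added example (not Palo Alto Networks code), this Python sketch diffs the searchModel.query field between two local checkouts of the policies folder, for instance Master and the upcoming release branch. It assumes searchModel is a JSON object with a query key and takes the policy name from the file name; the checkouts built in demo(), the shortened RQL strings, and the policy names marked hypothetical are constructed.

```python
import json
import tempfile
from pathlib import Path

def load_rql(policies_dir):
    """Map policy name (file name without .json) to its searchModel.query RQL."""
    rql = {}
    for path in sorted(Path(policies_dir).glob("*.json")):
        doc = json.loads(path.read_text(encoding="utf-8"))
        # Assumption: searchModel is a JSON object holding a "query" string.
        query = (doc.get("searchModel") or {}).get("query")
        if query is not None:
            rql[path.stem] = query
    return rql

def diff_policies(current_dir, next_dir):
    """Return (added, removed, changed) policy names between two checkouts."""
    cur, nxt = load_rql(current_dir), load_rql(next_dir)
    added = sorted(set(nxt) - set(cur))
    removed = sorted(set(cur) - set(nxt))
    changed = sorted(n for n in set(cur) & set(nxt) if cur[n] != nxt[n])
    return added, removed, changed

def demo():
    """Build two constructed checkouts in a temp directory and diff them."""
    name = "Azure Activity log alert for Delete security solution does not exist"
    rule = "config from cloud.resource where json.rule = \"location {} Global\""
    master = {name: rule.format("equals"),
              "Hypothetical retired policy": "constructed RQL A"}
    upcoming = {name: rule.format("equal ignore case"),
                "Hypothetical new policy": "constructed RQL B"}
    with tempfile.TemporaryDirectory() as tmp:
        for branch, policies in (("master", master), ("next", upcoming)):
            folder = Path(tmp, branch, "policies")
            folder.mkdir(parents=True)
            for policy, query in policies.items():
                body = json.dumps({"searchModel": {"query": query}})
                (folder / f"{policy}.json").write_text(body, encoding="utf-8")
        return diff_policies(Path(tmp, "master", "policies"),
                             Path(tmp, "next", "policies"))

if __name__ == "__main__":
    print(demo())
```

Point diff_policies at the policies folders of two real branch checkouts to get the same three lists for a release.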

Policy Updates

FEATURE
DESCRIPTION
Policy Updates—RQL
Azure Activity Log Policies
Changes—The RQL will be updated to ignore the case for the location parameter Global for the following policies:
  • Policy Name—Azure Activity log alert for Delete security solution does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for delete policy assignment does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.scopes[*] does not contain resourceGroups and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.scopes[*] does not contain resourceGroups and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/delete" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Create or update SQL server firewall rule does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Create or update security solution does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Create policy assignment does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Create or update network security group rule does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Delete SQL server firewall rule does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Create or update network security group does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Delete network security group does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/delete" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Update security policy does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1
  • Policy Name—Azure Activity log alert for Delete network security group rule does not exist
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equal ignore case Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1
Severity—Informational
Policy Type—Config
Impact—Medium. Existing alerts will be resolved as "Policy_Updated" and new alerts will be created.
Policy Deletions
AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and port scan activity
This policy will be deleted from Prisma Cloud.
Severity—Critical
Policy Type—Attack Path
Impact—High. Previously generated alerts will be resolved as Policy_Deleted.
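
The effect of the Azure Activity Log change above, as an added example that is not Prisma Cloud's RQL engine: a local Python approximation of the json.rule conditions, run over constructed alert resources, showing that an alert rule whose location is stored as `global` is counted only by the updated RQL. The function names, the placeholder subscription ID, and the sample resources are assumptions made for illustration.

```python
# Local approximation of the json.rule conditions quoted above; this is not
# Prisma Cloud's RQL engine, and the alert resources below are constructed.
OPERATION = "Microsoft.Sql/servers/firewallRules/write"

def matches(alert, ignore_case):
    """True if a constructed activity log alert satisfies the rule conditions."""
    location = alert.get("location", "")
    if ignore_case:                 # updated: location equal ignore case Global
        location_ok = location.lower() == "global"
    else:                           # current: location equals Global
        location_ok = location == "Global"
    props = alert.get("properties", {})
    # properties.scopes[*] does not contain resourceGroups
    scopes_ok = all("resourceGroups" not in s for s in props.get("scopes", []))
    # properties.condition.allOf[?(@.field=='operationName')].equals equals OPERATION
    all_of = props.get("condition", {}).get("allOf", [])
    op_ok = any(c.get("field") == "operationName" and c.get("equals") == OPERATION
                for c in all_of)
    return location_ok and props.get("enabled") is True and scopes_ok and op_ok

def policy_fires(alerts, ignore_case):
    """count(X) less than 1: the policy alerts when no resource matches."""
    return sum(matches(a, ignore_case) for a in alerts) < 1

def changed_by_update(alerts):
    """Names of resources whose match result differs between the two RQLs."""
    return [a["name"] for a in alerts if matches(a, False) != matches(a, True)]

def _alert(name, location, scope, enabled=True):
    cond = {"allOf": [{"field": "category", "equals": "Administrative"},
                      {"field": "operationName", "equals": OPERATION}]}
    return {"name": name, "location": location,
            "properties": {"enabled": enabled, "scopes": [scope], "condition": cond}}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
ALERTS = [  # constructed sample resources
    _alert("sql-fw-write", "global", SUB),
    _alert("sql-fw-write-rg", "Global", SUB + "/resourceGroups/example-rg"),
    _alert("sql-fw-write-off", "Global", SUB, enabled=False),
]

if __name__ == "__main__":
    print(policy_fires(ALERTS, False), policy_fires(ALERTS, True),
          changed_by_update(ALERTS))
```

With the current RQL none of the three sample resources is counted, so the policy reports the alert as missing; with the updated RQL the first resource is counted and the policy no longer fires.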

API Ingestions

SERVICE
API DETAILS
AWS Budgets
aws-budgets-budget
Additional permission required:
  • budgets:ViewBudget
You must manually add or update the CFT template to enable the permission.
Amazon EC2
aws-ec2-launch-template
Additional permissions required:
  • ec2:DescribeLaunchTemplates
  • ec2:DescribeLaunchTemplateVersions
The Security Audit role includes the permissions.
AWS Well-Architected Tool
aws-well-architected-tool-workload
Additional permissions required:
  • wellarchitected:GetWorkload
  • wellarchitected:ListWorkloads
You must manually add or update the CFT template to enable the permissions.
Azure CDN
azure-frontdoor-standardpremium-afd-endpoints
Additional permissions required:
  • Microsoft.Cdn/profiles/read
  • Microsoft.Cdn/profiles/afdendpoints/read
The Reader role includes the permissions.
Azure DNS
azure-dns-privatedns-zones
Additional permission required:
  • Microsoft.Network/privateDnsZones/read
The Reader role includes the permission.
Google Certificate Manager
gcloud-certificate-manager-certificate
Additional permissions required:
  • certificatemanager.locations.list
  • certificatemanager.certs.list
The Viewer role includes the permissions.
This API will not provide the details of CLASSIC Certificates under Google Cloud Certificate Manager.
Google Certificate Manager
gcloud-certificate-manager-dns-authorization
Additional permissions required:
  • certificatemanager.locations.list
  • certificatemanager.dnsauthorizations.list
The Viewer role includes the permissions.
Google Certificate Manager
gcloud-certificate-manager-certificate-issuance-config
Additional permission required:
  • certificatemanager.certissuanceconfigs.list
The Viewer role includes the permission.
Google Certificate Manager
gcloud-certificate-manager-certificate-map
Additional permission required:
  • certificatemanager.certmaps.list
The Viewer role includes the permission.
OCI Cloud Guard
oci-cloudguard-detector-recipe
Additional permissions required:
  • CG_DETECTOR_RECIPE_INSPECT
  • CG_DETECTOR_RECIPE_READ
You must update the Terraform template to enable the permissions.

Deprecation Notices

Deprecated Endpoints or Parameters
Deprecated Release
Sunset Release
Replacement Endpoints
Prisma Cloud CSPM REST API for Cloud Accounts
The following endpoints are deprecated for the AWS, GCP, and Azure cloud types:
You can continue to use the above endpoints for the Alibaba and OCI cloud accounts.
23.6.1
23.10.2
Prisma Cloud CSPM REST API for Resources
23.9.1
23.10.1
Prisma Cloud CSPM REST API for Resources
23.9.2
24.1.1
End of Life (EOL) for Prisma Cloud Microsegmentation in 24.1.2
-
24.1.2
The Prisma Cloud Microsegmentation module was announced as End-of-Sale effective 31 August 2022. As of the 24.1.2 release planned for the end of January 2024, the subscription goes End of Life and will no longer be available for use.
In preparation for the EoL, make sure to uninstall all instances of the Enforcer, the Microsegmentation agent deployed in your environment, as these agents will no longer enforce any security policies on traffic on or across your hosts.
Date Filter Support
23.10.2
-
The Date filter is being deprecated on Inventory > Assets, Asset Explorer, and Compliance > Overview.
With the 23.10.2 release, the date filter will no longer be supported. With this change, links in Compliance reports that were generated before 23.10.2 will be removed.
Data Dashboard
23.10.2
-
The Data Dashboard is being deprecated on Dashboards > Data.
With the 23.10.2 release, the widgets in the Data dashboard will be available in a custom dashboard. To view the Data Security information, you will be able to create a custom dashboard and add the data security widgets.
Prisma Cloud CSPM REST API for Alerts
Some Alert API request parameters and response object properties are now deprecated.
Query parameter risk.grade is deprecated for the following requests:
  • GET /alert
  • GET /v2/alert
  • GET /alert/policy
Request body parameter risk.grade is deprecated for the following requests:
  • POST /alert
  • POST /v2/alert
  • POST /alert/policy
Response object property riskDetail is deprecated for the following requests:
  • GET /alert
  • POST /alert
  • GET /alert/policy
  • POST /alert/policy
  • GET /alert/{id}
  • GET /v2/alert
  • POST /v2/alert
Response object property risk.grade.options is deprecated for the following request:
  • GET /filter/alert/suggest
-
-
NA
