1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Look Ahead—Planned Updates on Prisma Cloud

    Look Ahead—Planned Updates on Prisma Cloud

    Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
    Read this section to learn about what is planned in the 22.6.3 release. The Look Ahead announcements are for an upcoming or next release and it is not a cumulative list of all announcements.
    Note that the details and functionality listed below are a preview and the actual release date is subject to change.

    Changes in Existing Behavior

    FEATURE
    DESCRIPTION
    Access to Data for Deleted Assets
    Beginning in July, the ability to view and investigate data for assets that have been deleted in cloud accounts which are onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. This is a change from the current behavior where you have access to the historical data for deleted assets, starting from the time you onboarded the account on Prisma Cloud.
    To align with this change, Prisma Cloud will be limiting the time range filters to 90 days of history. And to support use cases where further retention is required, an exporter tool will be made available to enable the retrieval of data on deleted assets.
    Change in Existing Behavior
    API for generating External ID for AWS cloud account onboarding
    While onboarding AWS standalone, organization, or member accounts using the Prisma Cloud API, you must now use the App Provisioner API to generate an External ID. This External ID is required to generate the Role ARN and grant Prisma Cloud access to your cloud account. The External ID is valid for 30 days. If you don’t complete the onboarding flow within this 30-day period, you must generate a new External ID and restart the onboarding workflow.
    The Add Cloud Account and Update Cloud Account API endpoints will no longer accept
    externalId
     and
    memberExternalId
     as input parameters, to prevent confused deputy attack on AWS accounts. You must first use the App Provisioner API to generate the External ID and use this external ID to onboard or update a cloud account.
    This change does not impact already onboarded AWS accounts, if you do not need to update or make changes to the existing account.
    DNS as a Policy Subtype
    On
    Policies
     and
    Alerts
    Overview
    , a new
    Policy Subtype
     for
    DNS
     displays. Because the DNS anomaly policies are not yet released, you will be unable to view the policies or detect any violations against these new policies.
    To see the new policies for DNS and trigger related alerts, you must sign up for the beta program. Reach out to customer support or your customer success representative to join the beta program.
    .
    Important Notice- Take Action
     Cloud Asset Inventory (CAI) Support
    Beginning with the 22.7.1 release, Prisma Cloud will adopt Google's Cloud Asset Inventory (CAI) service for a few GCP services. The CAI service will reduce the number of API calls to GCP and help speed the time to report on assets on Prisma Cloud.
    The following GCP services/APIs will have CAI support on Prisma Cloud:
    • KMS (Get IAM policy, List Keyrings & Cryptokeys)
    • Pub-Sub (Get IAM policy)
    • Dataproc (Get IAM policy)
    • Cloud Function (Get IAM policy)
    • Cloud Run (Get IAM policy)
    • BigQuery (Get IAM policy, List BigQuery Datasets & Tables)
    • Compute Instance (GET IAM policy)
    CAI will be enabled by default on Prisma Cloud with 22.7.1. You must perform the following actions before 22.7.1
    • Enable Google’s Cloud Asset API
      cloudasset.googleapis.com
       on the project where the Service Account is created.
      You must enable this API so that Prisma Cloud can ingest metadata for all the services mentioned in the list above.
    • Ensure that your service account either has a Project Viewer role or the following permissions:
      cloudasset.assets.search.AllIamPolicies
       and
      cloudasset.assets.search.AllResources
    If you want to switch to CAI before 22.7.1, after you complete the actions listed above, contact your customer success representative so that we can enable this feature for your tenant.
    Impact
    —If you do not enable CAI or if your service account does not include the required permissions:
    • The KMS and BigQuery resources already ingested in Prisma Cloud will be marked as deleted, and any alerts on these resources will be automatically resolved. Prisma Cloud will also not ingest new KMS or BigQuery resources.
    • The IAM policies for resources/services listed above will be removed, and any alerts on the related resource IAM policies will be automatically resolved. Prisma Cloud will not ingest new IAM policies for these resources.
    Enabling the CAI service will not impact any existing policies or alerts.
    Crypto Key Ingestions when CAI is Disabled
    Beginning with the 22.7.1 release, there will be a change with Crypto Keys metadata in Google Cloud KMS.
    The
    gcloud-kms-keyring-list
     API will no longer include the Crypto Keys metadata. This metadata will now be available as a part of the
    gcloud-kms-crypto-keys-list
     API, provided you have enabled Cloud Asset Inventory (CAI).
    Impact
    —All the resources that were ingested as a part of the
    gcloud-kms-keyring-list
     API will no longer include the Crypto Keys metadata, and all existing alerts associated with this API will be resolved as
    Resource_Updated
    .
    If you have enabled the Cloud Asset Inventory (CAI) API, the Crypto Keys metadata will be ingested as part of the
    gcloud-kms-keyring-list
     API and new alerts will be generated. If not, the Crypto Keys metadata will be ingested as a part of the
    gcloud-kms-keyring-list
     API on Prisma Cloud.
    Grant permissions for Ingesting Google Workspace Groups
    Applies only if you have activated the Code Security subscription on Prisma Cloud
    When Prisma Cloud enables support for GCP on IAM Security in July 2022, the permissions for Groups on Google Workspace becomes relevant.
    After you use the cloud account onboarding Terraform template to onboard your GCP cloud account on Prisma Cloud and have activated IAM Security subscription, complete the instructions in Grant permissions for Ingesting Google Workspace Groups.

    New Policies and Policy Updates

    Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.

    Access the Look Ahead for New Policies

    To learn about the new policies that will be added in the next release:
    1. Find the Prisma Cloud policies folder on GitHub.
      The folder contains RQL based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
    2. Select the branch for which you want to review policy updates.
      The
      Master
       branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch, to review the policies that were published previously or are planned for the upcoming release.
      Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-22.6.3.
    3. Review the updates.
      Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped by new policies and updated policies.
      Use the
      policies
       folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names are described aptly to help you easily identify the characteristic it represents. The JSON field named
      searchModel.query
       provides the RQL for the policy.

    Policy Updates

    Policy Updates
    Description
    Policy Updates-Metadata
    Azure Security Center system updates monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center system updates monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring is set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that's configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
    Impact
    —No impact on alerts.
    Azure Security Center disk encryption monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center disk encryption monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy.
    Impact
    —No impact on alerts.
    Azure Security Center adaptive application controls monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center adaptive application controls monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs.
    Impact
    —No impact on alerts.
    Azure Security Center endpoint protection monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center endpoint protection monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint Protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
    Impact
    —No impact on alerts.
    Azure Security Center security configurations monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center security configurations monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system like firewall rules, password and audit policies are reviewed. Recommendations are made for setting the right level of security controls.
    Impact
    —No impact on alerts.
    Azure Security Center JIT network access monitoring is set to disabled
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name
    —Azure Security Center JIT network access monitoring is set to disabled
    Updated Name
    —Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
    Updated Description
    —Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access will enhance the protection of VMs by creating a Just in Time VM. The JIT VM with NSG rule will restrict the availability of access to the ports to connect to the VM for a pre-set time and only after checking the Role Based Access Control permissions of the user. This feature will control the brute force attacks on the VMs.
    Impact
    —No impact on alerts.
    Policy Updates-RQL
    Azure Microsoft Defender for Cloud email notification for subscription owner is not set
    Changes
    —The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check for email setting.
    Current RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equals Off'
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists
    Impact
    —Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
    Azure Security Center contact phone number not set
    Changes
    —The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only defender enabled subscriptions.
    Current Name
    —Azure Security Center contact phone number not set
    Updated Name
    —Azure Microsoft Defender for Cloud security contact phone number is not set
    Updated Description
    —Identifies Subscriptions that are not set with security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
    Current RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
    Impact
    —Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
    GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
    Changes
    —The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policy with profile type 'RESTRICTED'.
    Current RQL
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
    Updated RQL
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
    Impact
    —Low. The alerts associated with the profile type
    RESTRICTED
     will be resolved as 'Policy_Updated'.

    API Ingestions

    The following APIs ingestion updates are planned for Prisma Cloud in 22.6.3:
    Service
    API Details
    API Ingestions
    Amazon Connect
    aws-connect-instance
    Additional permissions required:
    • connect:ListInstances
    • connect:ListInstanceStorageConfigs
    Amazon EventBridge
    aws-events-rule
    Additional permissions required:
    • events:ListRules
    • events:ListTargetsByRule
    • events:ListTagsForResource
    The Security Audit role includes these permissions.
    Amazon Pinpoint
    aws-pinpoint-email-channel
    Additional permissions required:
    • mobiletargeting:GetEmailChannel
    • mobiletargeting:GetApps
    Amazon Pinpoint
    aws-pinpoint-sms-channel
    Additional permissions required:
    • mobiletargeting:GetSmsChannel
    • mobiletargeting:GetApps
    Azure Synapse Analytics
    azure-synapse-privatelinkhub-privatelinkresource
    Additional permission required:
    Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
    The Reader role includes this permission.
    Azure Synapse Analytics
    azure-synapse-privatelinkhub
    Additional permission required:
    Microsoft.Synapse/privateLinkHubs/read
    The Reader role includes this permission.
    Azure Synapse Analytics
    azure-synapse-privatelinkresource
    Additional permissions required:
    • Microsoft.Synapse/workspaces/read
    • Microsoft.Synapse/workspaces/privateLinkResources/read
    The Reader role includes these permissions.
    Google Cloud IAM
    gcloud-iam-organization-deny-policy
    Additional permissions required:
    • iam.denypolicies.get
    • iam.denypolicies.list
    The Viewer role includes these permissions.
    Google Cloud IAM
    gcloud-iam-project-deny-policy
    Additional permissions required:
    • iam.denypolicies.get
    • iam.denypolicies.list
    The Viewer role includes these permissions.
    Google Security Command Center
    gcloud-security-command-center-organization-setting
    Additional permission required:
    securitycenter.organizationsettings.get
    The Viewer role includes this permission.
    Google Security Command Center
    gcloud-security-command-center-organization-notification-config
    Additional permission required:
    securitycenter.notificationconfig.list
    The Viewer role includes this permission.
    Google Security Command Center
    gcloud-security-command-center-organization-mute-config
    Additional permission required:
    securitycenter.muteconfigs.list
    The Viewer role includes this permission.
    OCI Web Application Firewall
    oci-waf-networkaddresslist
    Additional permissions required:
    • inspect waas-policy
    • read waas-policy
    You must add the permissions manually.
    OCI Web Application Firewall
    oci-waf-waaspolicy
    Additional permissions required:
    • inspect waas-policy
    • read waas-policy
    You must add the permissions manually.
    Update
    Google Compute Engine API
    Google Compute Engine
    gcloud-ssl-certificate
    This API will be updated to remove the following fields in the resource JSON:
    • certificate
    • selfManaged.certificate

    Deprecation Notices

    Deprecation Notice
    Deprecation of redlock.io domain
    The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July, 2019. Due to this, the redirect from redlock.io to prismacloud.io will be removed. If you have any SSO configuration or automation scripts referencing the redlock.io domain, please update it to prevent disruptions to your users before June 30, 2022. After June 30, 2022, the redlock.io domain will be phased out.
    Prisma Cloud CSPM REST API for Alerts
    Some Alert API request parameters and response object properties are now deprecated.
    Query parameter
    risk.grade
     is deprecated for the following requests:
    • GET /alert
    • GET /v2/alert
    • GET /alert/policy
    Request body parameter
    risk.grade
     is deprecated for the following requests:
    • POST /alert
    • POST /v2/alert
    • POST /alert/policy
    Response object property
    riskDetail
    is deprecated for the following requests:
    • GET /alert
    • POST /alert
    • GET /alert/policy
    • POST /alert/policy
    • GET /alert/{id}
    • GET /v2/alert
    • POST /v2/alert
    Response object property
    risk.grade.options
     is deprecated for the following request:
    • GET /filter/alert/suggest

    Grant permissions for Ingesting Google Workspace Groups

    To grant the Prisma Cloud Service Account permissions to ingest data on groups from Google Workspace (GSuite):
    You must have administrator access to Google Workspace (GSuite) for granting your Prisma Cloud Service Account either the predefined role Group Reader, or a custom role with
    groups:read
     permission (https://admin.google.com/u/1/ac/roles)
    1. Log in to Workspace.
    2. Create a new custom role or use the predefined Group Reader role.
    3. Assign the role to the Prisma Cloud service account.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo