Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned in the 22.6.3 release. The Look Ahead announcements cover only the upcoming or next release; they are not a cumulative list of all announcements.
Note that the details and functionality listed below are a preview and the actual release date is subject to change.

Changes in Existing Behavior

Access to Data for Deleted Assets
Beginning in July, the ability to view and investigate data for assets that have been deleted in cloud accounts which are onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. This is a change from the current behavior where you have access to the historical data for deleted assets, starting from the time you onboarded the account on Prisma Cloud.
To align with this change, Prisma Cloud will limit the time range filters to 90 days of history. To support use cases where longer retention is required, an exporter tool will be made available to enable the retrieval of data on deleted assets.
Change in Existing Behavior
API for generating External ID for AWS cloud account onboarding
While onboarding AWS standalone, organization, or member accounts using the Prisma Cloud API, you must now use the App Provisioner API to generate an External ID. This External ID is required to generate the Role ARN and grant Prisma Cloud access to your cloud account. The External ID is valid for 30 days. If you don’t complete the onboarding flow within this 30-day period, you must generate a new External ID and restart the onboarding workflow.
The Add Cloud Account and Update Cloud Account API endpoints will no longer accept externalId and memberExternalId as input parameters, to prevent confused deputy attacks on AWS accounts. You must first use the App Provisioner API to generate the External ID and then use this External ID to onboard or update a cloud account.
This change does not impact already onboarded AWS accounts if you do not need to update or make changes to the existing account.
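The AWS side of this change is the role trust policy that carries the generated External ID. The following is an added example, not Prisma Cloud's own code: it builds that trust policy with the standard sts:ExternalId condition (the control that defeats the confused deputy), checks an existing trust policy for a missing or mismatched condition, and tracks the 30-day validity window. The App Provisioner response is a constructed stand-in and the Prisma Cloud principal ARN is a placeholder, because the page gives neither.

```python
"""Added example, not Prisma Cloud's own code: the AWS-side companion to the
External ID change. It builds the IAM role trust policy with the standard
sts:ExternalId condition (the control that defeats the confused deputy), checks
an existing trust policy for a missing or mismatched condition, and tracks the
30-day validity window of a generated External ID. The App Provisioner response
is a constructed stand-in and the Prisma Cloud principal ARN is a placeholder,
because the page gives neither."""
import json
from datetime import datetime, timedelta

EXTERNAL_ID_TTL = timedelta(days=30)  # validity period stated in the release notes
PRISMA_PRINCIPAL_ARN = "arn:aws:iam::<PRISMA-CLOUD-ACCOUNT-ID>:root"  # placeholder, not a real value

# Constructed stand-in for the App Provisioner API response (field names assumed).
APP_PROVISIONER_RESPONSE = {
    "externalId": "example-external-id-0001",
    "createdTs": "2022-06-15T10:00:00",
}


def trust_policy(external_id, principal_arn=PRISMA_PRINCIPAL_ARN):
    """Trust policy that lets the Prisma Cloud principal assume the role only when
    it presents the External ID generated for this onboarding."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy, expected_external_id):
    """Reasons a trust policy does not meet the requirement; an empty list means it does."""
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            problems.append(f"statement {idx}: AssumeRole allowed without an sts:ExternalId condition")
        elif external_id != expected_external_id:
            problems.append(f"statement {idx}: sts:ExternalId does not match the generated External ID")
    return problems


def without_external_id_condition(policy):
    """Copy of a trust policy with the condition stripped: the shape the check rejects."""
    weak = json.loads(json.dumps(policy))
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


def external_id_expired(created_iso, now_iso):
    """True once 30 days have passed; a new External ID and a fresh onboarding run are then needed."""
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(created_iso) >= EXTERNAL_ID_TTL


if __name__ == "__main__":
    ext_id = APP_PROVISIONER_RESPONSE["externalId"]
    print(json.dumps(trust_policy(ext_id), indent=2))
    print("problems:", trust_policy_problems(without_external_id_condition(trust_policy(ext_id)), ext_id))
    print("expired on 2022-07-15?", external_id_expired(APP_PROVISIONER_RESPONSE["createdTs"], "2022-07-15T10:00:00"))
```

Run `trust_policy_problems` against the trust policy of an already onboarded role before you update the account: a role that allows AssumeRole without the condition is exactly what the API change is designed to keep out of new onboardings.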
DNS as a Policy Subtype
On Policies and Alerts Overview, a new Policy Subtype for DNS displays. Because the DNS anomaly policies are not yet released, you will be unable to view the policies or detect any violations against these new policies.
To see the new policies for DNS and trigger related alerts, you must sign up for the beta program. Reach out to customer support or your customer success representative to join the beta program.
Important Notice - Take Action
Cloud Asset Inventory (CAI) Support
Beginning with the 22.7.1 release, Prisma Cloud will adopt Google's Cloud Asset Inventory (CAI) service for a few GCP services. The CAI service will reduce the number of API calls to GCP and shorten the time it takes to report on assets in Prisma Cloud.
The following GCP services/APIs will have CAI support on Prisma Cloud:
  • KMS (Get IAM policy, List Keyrings & Cryptokeys)
  • Pub-Sub (Get IAM policy)
  • Dataproc (Get IAM policy)
  • Cloud Function (Get IAM policy)
  • Cloud Run (Get IAM policy)
  • BigQuery (Get IAM policy, List BigQuery Datasets & Tables)
  • Compute Instance (GET IAM policy)
CAI will be enabled by default on Prisma Cloud with 22.7.1. You must perform the following actions before 22.7.1:
  • Enable Google's Cloud Asset API (cloudasset.googleapis.com) on the project where the Service Account is created. You must enable this API so that Prisma Cloud can ingest metadata for all the services listed above.
  • Ensure that your service account has either the Project Viewer role or the following permissions: cloudasset.assets.searchAllIamPolicies and cloudasset.assets.searchAllResources.
If you want to switch to CAI before 22.7.1, after you complete the actions listed above, contact your customer success representative so that we can enable this feature for your tenant.
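Both prerequisites can be verified from the gcloud output before 22.7.1 lands. The script below is an added example, not Prisma Cloud's own tooling: it runs an offline preflight over constructed copies of the JSON that `gcloud services list --enabled --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` produce, with the custom role's includedPermissions (as `gcloud iam roles describe` shows them) supplied as a dict. The project, service account and role names are made up.

```python
"""Added example, not Prisma Cloud's own tooling: an offline preflight for the
22.7.1 CAI prerequisites, run over constructed copies of gcloud JSON output."""
import json

CAI_API = "cloudasset.googleapis.com"
PROJECT_VIEWER = "roles/viewer"
REQUIRED_CAI_PERMISSIONS = {
    "cloudasset.assets.searchAllIamPolicies",
    "cloudasset.assets.searchAllResources",
}
PRISMA_SA = "serviceAccount:prisma-cloud@example-project.iam.gserviceaccount.com"  # constructed

# Constructed: trimmed `gcloud services list --enabled --format=json` output.
ENABLED_SERVICES_JSON = json.dumps([
    {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "cloudasset.googleapis.com"}, "state": "ENABLED"},
])
# Constructed: `gcloud projects get-iam-policy` bindings before any fix.
IAM_POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/compute.viewer", "members": [PRISMA_SA]},
    {"role": "projects/example-project/roles/prismaReader", "members": [PRISMA_SA]},
]})
# Constructed: the bindings after Project Viewer is granted to the service account.
IAM_POLICY_WITH_VIEWER_JSON = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": [PRISMA_SA]},
]})
# Constructed: includedPermissions of the custom role; it lacks one of the two.
ROLE_PERMISSIONS = {
    "projects/example-project/roles/prismaReader": {
        "cloudasset.assets.searchAllResources",
        "compute.instances.list",
    },
}


def cai_api_enabled(services_json):
    """True when cloudasset.googleapis.com appears as ENABLED in the services listing."""
    return any(
        svc.get("config", {}).get("name") == CAI_API and svc.get("state") == "ENABLED"
        for svc in json.loads(services_json)
    )


def roles_for_member(iam_policy_json, member):
    """Roles bound to one member in a project IAM policy."""
    policy = json.loads(iam_policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def cai_preflight(services_json, iam_policy_json, member, role_permissions):
    """Return the prerequisites still missing; an empty list means CAI can be enabled."""
    problems = []
    if not cai_api_enabled(services_json):
        problems.append(f"{CAI_API} is not enabled on the service account's project")
    roles = roles_for_member(iam_policy_json, member)
    if PROJECT_VIEWER not in roles:
        # Without Project Viewer, the two CAI permissions must come from the bound roles.
        granted = set()
        for role in roles:
            granted |= set(role_permissions.get(role, ()))
        missing = sorted(REQUIRED_CAI_PERMISSIONS - granted)
        if missing:
            problems.append(
                "service account has neither roles/viewer nor the permissions: " + ", ".join(missing)
            )
    return problems


if __name__ == "__main__":
    for label, policy in (("before", IAM_POLICY_JSON), ("after", IAM_POLICY_WITH_VIEWER_JSON)):
        print(label, cai_preflight(ENABLED_SERVICES_JSON, policy, PRISMA_SA, ROLE_PERMISSIONS) or "ok")
```

If the first check fails, `gcloud services enable cloudasset.googleapis.com --project=PROJECT` (run by someone with the right to enable services) clears it; the second is cleared by binding Project Viewer or adding the two permissions to the custom role.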
Impact—If you do not enable CAI or if your service account does not include the required permissions:
  • The KMS and BigQuery resources already ingested in Prisma Cloud will be marked as deleted, and any alerts on these resources will be automatically resolved. Prisma Cloud will also not ingest new KMS or BigQuery resources.
  • The IAM policies for resources/services listed above will be removed, and any alerts on the related resource IAM policies will be automatically resolved. Prisma Cloud will not ingest new IAM policies for these resources.
Enabling the CAI service will not impact any existing policies or alerts.
Crypto Key Ingestions when CAI is Disabled
Beginning with the 22.7.1 release, there will be a change to the Crypto Keys metadata in Google Cloud KMS. The gcloud-kms-keyring-list API will no longer include the Crypto Keys metadata. This metadata will now be available as a part of the gcloud-kms-crypto-keys-list API, provided you have enabled Cloud Asset Inventory (CAI).
Impact—All the resources that were ingested as a part of the gcloud-kms-keyring-list API will no longer include the Crypto Keys metadata, and all existing alerts associated with this API will be resolved as Resource_Updated.
If you have enabled the Cloud Asset Inventory (CAI) API, the Crypto Keys metadata will be ingested as part of the gcloud-kms-keyring-list API and new alerts will be generated. If not, the Crypto Keys metadata will be ingested as a part of the gcloud-kms-keyring-list API on Prisma Cloud.
Grant permissions for Ingesting Google Workspace Groups
Applies only if you have activated the Code Security subscription on Prisma Cloud
When Prisma Cloud enables support for GCP on IAM Security in July 2022, the permissions for Groups on Google Workspace become relevant.
After you use the cloud account onboarding Terraform template to onboard your GCP cloud account on Prisma Cloud and have activated IAM Security subscription, complete the instructions in Grant permissions for Ingesting Google Workspace Groups.

New Policies and Policy Updates

Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.

Access the Look Ahead for New Policies

To learn about the new policies that will be added in the next release:
  1. Find the Prisma Cloud policies folder on GitHub.
    The folder contains RQL-based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
  2. Select the branch for which you want to review policy updates.
    The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch to review the policies that were published previously or are planned for the upcoming release.
    Because Prisma Cloud typically has two releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-22.6.3.
  3. Review the updates.
    Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped by new policies and updated policies.
    Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names are descriptive so you can identify the characteristic each represents. The JSON field named searchModel.query provides the RQL for the policy.
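A practical use of the policies folder is to cross-reference API ingestion changes with the policies that depend on them. The following is an added example, not part of Prisma Cloud or its GitHub policy repository: it reads a local checkout of the `policies` folder, takes each policy's RQL from the `searchModel.query` field described above, and lists which api.name values it queries. The sample files are constructed in a temporary directory; their file names are the policy names and their RQL is the text quoted on this page, and `searchModel.query` is the only field shape assumed.

```python
"""Added example (not part of Prisma Cloud or its policy repository): map policy
files to the api.name values their RQL queries. Sample repository is constructed."""
import json
import os
import re
import tempfile

API_NAME_RE = re.compile(r"api\.name\s*=\s*'([^']+)'")

# Constructed sample repository content: file name -> policy JSON. Only
# searchModel.query is modelled; real files carry more fields.
SAMPLE_POLICIES = {
    "Azure Microsoft Defender for Cloud email notification for subscription owner is not set": {
        "searchModel": {"query": "config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists"}
    },
    "Azure Microsoft Defender for Cloud security contact phone number is not set": {
        "searchModel": {"query": "config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists"}
    },
    "GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower": {
        "searchModel": {"query": "config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter \"($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)\" ; show Y;"}
    },
}


def write_sample_repo():
    """Write the constructed policies as <policy name>.json files and return the directory."""
    directory = tempfile.mkdtemp(prefix="pcs-policies-")
    for name, body in SAMPLE_POLICIES.items():
        with open(os.path.join(directory, name + ".json"), "w", encoding="utf-8") as fh:
            json.dump(body, fh)
    return directory


def load_policy_rql(policy_dir):
    """Map policy name (file name without .json) to the RQL in searchModel.query."""
    rql_by_name = {}
    for fname in sorted(os.listdir(policy_dir)):
        if not fname.endswith(".json"):
            continue
        with open(os.path.join(policy_dir, fname), encoding="utf-8") as fh:
            doc = json.load(fh)
        query = doc.get("searchModel", {}).get("query")
        if query:
            rql_by_name[fname[:-len(".json")]] = query
    return rql_by_name


def apis_in_rql(rql):
    """Distinct api.name values referenced by one RQL string."""
    return sorted(set(API_NAME_RE.findall(rql)))


def policies_using_api(rql_by_name, api_name):
    """Policies to re-check when an API listed under API Ingestions changes."""
    return sorted(name for name, rql in rql_by_name.items() if api_name in apis_in_rql(rql))


if __name__ == "__main__":
    repo = write_sample_repo()
    for name, rql in load_policy_rql(repo).items():
        print(name, "->", apis_in_rql(rql))
```

Point `load_policy_rql` at the `policies` folder of the branch you are reviewing and call `policies_using_api` with an API name from the API Ingestions section (for example one whose resource JSON is losing fields) to see which policies need a second look.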

Policy Updates

Policy Updates - Metadata
Azure Security Center system updates monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center system updates monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that's configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
Impact—No impact on alerts.
Azure Security Center disk encryption monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center disk encryption monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy.
Impact—No impact on alerts.
Azure Security Center adaptive application controls monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center adaptive application controls monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs.
Impact—No impact on alerts.
Azure Security Center endpoint protection monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center endpoint protection monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
Impact—No impact on alerts.
Azure Security Center security configurations monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center security configurations monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system, like firewall rules, password and audit policies, are reviewed. Recommendations are made for setting the right level of security controls.
Impact—No impact on alerts.
Azure Security Center JIT network access monitoring is set to disabled
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name—Azure Security Center JIT network access monitoring is set to disabled
Updated Name—Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
Updated Description—Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access will enhance the protection of VMs by creating a Just in Time VM. The JIT VM with NSG rule will restrict the availability of access to the ports to connect to the VM for a pre-set time and only after checking the Role Based Access Control permissions of the user. This feature will control the brute force attacks on the VMs.
Impact—No impact on alerts.
Policy Updates - RQL
Azure Microsoft Defender for Cloud email notification for subscription owner is not set
Changes—The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check for the email setting.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equals Off'
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists
Impact—Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
Azure Security Center contact phone number not set
Changes—The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current Name—Azure Security Center contact phone number not set
Updated Name—Azure Microsoft Defender for Cloud security contact phone number is not set
Updated Description—Identifies Subscriptions that are not set with a security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set a security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
Current RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
Updated RQL
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact—Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.
GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
Changes—The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policies with profile type 'RESTRICTED'.
Current RQL
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
Updated RQL
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
Impact—Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'.
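To see which open alerts the three RQL changes above will resolve as 'Policy_Updated', it helps to run the current and updated predicates side by side over sample resources. The following is an added example and not a Prisma Cloud component: a plain-Python model of each rule applied to constructed resource JSON. The field names (securityContacts, pricings, sslPolicies, sslPolicy) are those the RQL itself uses; modelling `[*]` as "any element" is an assumption about RQL semantics, as are the constructed resources.

```python
"""Added example, not a Prisma Cloud component: current vs. updated RQL logic for
the three policies above, evaluated over constructed resource JSON."""


def _contacts_email_violation(settings, ignore_case):
    """securityContacts is empty, or a contact has no email or alertsToAdmins Off."""
    contacts = settings.get("securityContacts") or []
    if not contacts:
        return True
    for contact in contacts:
        props = contact.get("properties", {})
        if not props.get("email"):
            return True
        flag = str(props.get("alertsToAdmins", ""))
        if (flag.lower() == "off") if ignore_case else (flag == "Off"):
            return True
    return False


def _contacts_phone_violation(settings):
    """securityContacts is empty, or securityContacts[?any(properties.phone is empty)] exists."""
    contacts = settings.get("securityContacts") or []
    return not contacts or any(not c.get("properties", {}).get("phone") for c in contacts)


def defender_standard_enabled(settings, ignore_case):
    """pricings[?any(properties.pricingTier equals / equal ignore case Standard)] exists."""
    for pricing in settings.get("pricings") or []:
        tier = str(pricing.get("properties", {}).get("pricingTier", ""))
        if (tier.lower() == "standard") if ignore_case else (tier == "Standard"):
            return True
    return False


def email_policy_alerts(settings, updated):
    """Email notification policy: the updated rule also requires Defender (Standard tier)."""
    if not updated:
        return _contacts_email_violation(settings, ignore_case=False)
    return _contacts_email_violation(settings, ignore_case=True) and defender_standard_enabled(settings, ignore_case=False)


def phone_policy_alerts(settings, updated):
    """Security contact phone policy: the updated rule also requires Defender (Standard tier)."""
    if not updated:
        return _contacts_phone_violation(settings)
    return _contacts_phone_violation(settings) and defender_standard_enabled(settings, ignore_case=True)


def gcp_https_proxy_alerts(ssl_policies, https_proxy, updated):
    """HTTPS proxy policy: the updated rule only flags MODERN or CUSTOM profiles."""
    attached = https_proxy.get("sslPolicy")
    if not attached or not ssl_policies:
        return False
    for policy in ssl_policies:
        if policy.get("selfLink") != attached:
            continue
        weak_tls = policy.get("minTlsVersion") != "TLS_1_2"
        if updated:
            return weak_tls and policy.get("profile") in ("MODERN", "CUSTOM")
        return weak_tls
    return False


def resolves_as_policy_updated(current, updated):
    """An open alert resolves as 'Policy_Updated' when the old rule matched and the new one does not."""
    return current and not updated


# Constructed sample resources (not tenant data).
SUB_NO_DEFENDER = {"securityContacts": [], "pricings": [{"properties": {"pricingTier": "Free"}}]}
SUB_DEFENDER_NO_CONTACT = {"securityContacts": [], "pricings": [{"properties": {"pricingTier": "Standard"}}]}
SUB_COMPLIANT = {
    "securityContacts": [{"properties": {"email": "secops@example.com", "phone": "+1-555-0100", "alertsToAdmins": "On"}}],
    "pricings": [{"properties": {"pricingTier": "Standard"}}],
}
SUB_OFF_UPPERCASE = {
    "securityContacts": [{"properties": {"email": "secops@example.com", "phone": "+1-555-0100", "alertsToAdmins": "OFF"}}],
    "pricings": [{"properties": {"pricingTier": "Standard"}}],
}
SSL_POLICIES = [
    {"selfLink": "https://www.googleapis.com/compute/v1/projects/example/global/sslPolicies/restricted-old", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_1"},
    {"selfLink": "https://www.googleapis.com/compute/v1/projects/example/global/sslPolicies/modern-old", "profile": "MODERN", "minTlsVersion": "TLS_1_1"},
]
PROXY_RESTRICTED = {"sslPolicy": SSL_POLICIES[0]["selfLink"]}
PROXY_MODERN = {"sslPolicy": SSL_POLICIES[1]["selfLink"]}

if __name__ == "__main__":
    for label, sub in (("no defender", SUB_NO_DEFENDER), ("defender, no contact", SUB_DEFENDER_NO_CONTACT)):
        print(label, "email alert current/updated:", email_policy_alerts(sub, False), email_policy_alerts(sub, True))
    print("restricted proxy resolves:", resolves_as_policy_updated(
        gcp_https_proxy_alerts(SSL_POLICIES, PROXY_RESTRICTED, False),
        gcp_https_proxy_alerts(SSL_POLICIES, PROXY_RESTRICTED, True)))
```

Note the second, smaller effect of the email rule: `equal ignore case Off` means a contact whose alertsToAdmins reads "OFF" in a Standard-tier subscription starts alerting under the updated RQL even though the case-sensitive current rule ignored it.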

API Ingestions

The following API ingestion updates are planned for Prisma Cloud in 22.6.3:
API Ingestions
Amazon Connect
aws-connect-instance
Additional permissions required:
  • connect:ListInstances
  • connect:ListInstanceStorageConfigs
Amazon EventBridge
aws-events-rule
Additional permissions required:
  • events:ListRules
  • events:ListTargetsByRule
  • events:ListTagsForResource
The Security Audit role includes these permissions.
Amazon Pinpoint
aws-pinpoint-email-channel
Additional permissions required:
  • mobiletargeting:GetEmailChannel
  • mobiletargeting:GetApps
Amazon Pinpoint
aws-pinpoint-sms-channel
Additional permissions required:
  • mobiletargeting:GetSmsChannel
  • mobiletargeting:GetApps
Azure Synapse Analytics
azure-synapse-privatelinkhub-privatelinkresource
Additional permission required:
Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
The Reader role includes this permission.
Azure Synapse Analytics
azure-synapse-privatelinkhub
Additional permission required:
Microsoft.Synapse/privateLinkHubs/read
The Reader role includes this permission.
Azure Synapse Analytics
azure-synapse-privatelinkresource
Additional permissions required:
  • Microsoft.Synapse/workspaces/read
  • Microsoft.Synapse/workspaces/privateLinkResources/read
The Reader role includes these permissions.
Google Cloud IAM
gcloud-iam-organization-deny-policy
Additional permissions required:
  • iam.denypolicies.get
  • iam.denypolicies.list
The Viewer role includes these permissions.
Google Cloud IAM
gcloud-iam-project-deny-policy
Additional permissions required:
  • iam.denypolicies.get
  • iam.denypolicies.list
The Viewer role includes these permissions.
Google Security Command Center
gcloud-security-command-center-organization-setting
Additional permission required:
securitycenter.organizationsettings.get
The Viewer role includes this permission.
Google Security Command Center
gcloud-security-command-center-organization-notification-config
Additional permission required:
securitycenter.notificationconfig.list
The Viewer role includes this permission.
Google Security Command Center
gcloud-security-command-center-organization-mute-config
Additional permission required:
securitycenter.muteconfigs.list
The Viewer role includes this permission.
OCI Web Application Firewall
oci-waf-networkaddresslist
Additional permissions required:
  • inspect waas-policy
  • read waas-policy
You must add the permissions manually.
OCI Web Application Firewall
oci-waf-waaspolicy
Additional permissions required:
  • inspect waas-policy
  • read waas-policy
You must add the permissions manually.
Update
Google Compute Engine API
Google Compute Engine
gcloud-ssl-certificate
This API will be updated to remove the following fields in the resource JSON:
  • certificate
  • selfManaged.certificate

Deprecation Notices

Deprecation of redlock.io domain
The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July 2019. As a result, the redirect from redlock.io to prismacloud.io will be removed. If you have any SSO configuration or automation scripts referencing the redlock.io domain, update them before June 30, 2022 to prevent disruptions to your users. After June 30, 2022, the redlock.io domain will be phased out.
Prisma Cloud CSPM REST API for Alerts
Some Alert API request parameters and response object properties are now deprecated.
Query parameter risk.grade is deprecated for the following requests:
  • GET /alert
  • GET /v2/alert
  • GET /alert/policy
Request body parameter risk.grade is deprecated for the following requests:
  • POST /alert
  • POST /v2/alert
  • POST /alert/policy
Response object property riskDetail is deprecated for the following requests:
  • GET /alert
  • POST /alert
  • GET /alert/policy
  • POST /alert/policy
  • GET /alert/{id}
  • GET /v2/alert
  • POST /v2/alert
Response object property risk.grade.options is deprecated for the following request:
  • GET /filter/alert/suggest
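Automation that calls the Alerts API can be audited for these deprecated inputs and response properties before they are removed. The following is an added example, not Prisma Cloud's code: it checks recorded calls against the lists above and also flags any call still pointed at the redlock.io domain from the notice earlier in this section. The request records are constructed, and the request-body filter shape `{"filters": [{"name": ..., "operator": ..., "value": ...}]}` is an assumption about how such scripts pass risk.grade, not something this page states.

```python
"""Added example, not Prisma Cloud's code: audit recorded Alerts API calls for
the deprecated risk.grade inputs, deprecated response properties, and the
retired redlock.io domain. Sample calls are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

DEPRECATED_PARAM = "risk.grade"
DEPRECATED_QUERY_ENDPOINTS = {("GET", "/alert"), ("GET", "/v2/alert"), ("GET", "/alert/policy")}
DEPRECATED_BODY_ENDPOINTS = {("POST", "/alert"), ("POST", "/v2/alert"), ("POST", "/alert/policy")}
DEPRECATED_RESPONSE_PROPERTIES = {
    "riskDetail": {
        ("GET", "/alert"), ("POST", "/alert"), ("GET", "/alert/policy"), ("POST", "/alert/policy"),
        ("GET", "/alert/{id}"), ("GET", "/v2/alert"), ("POST", "/v2/alert"),
    },
    "risk.grade.options": {("GET", "/filter/alert/suggest")},
}
RETIRED_DOMAIN = "redlock.io"
ALERT_ID_PATH = re.compile(r"^/alert/(?!policy$)[^/]+$")


def normalize_path(path):
    """Collapse /alert/<concrete id> to the documented /alert/{id} template."""
    return "/alert/{id}" if ALERT_ID_PATH.match(path) else path


def body_parameter_names(body):
    """Top-level keys plus filter names in the assumed {"filters": [{"name": ...}]} shape."""
    if not isinstance(body, dict):
        return set()
    names = set(body)
    for item in body.get("filters", []):
        if isinstance(item, dict) and "name" in item:
            names.add(item["name"])
    return names


def audit_request(method, url, body=None, response_fields_used=()):
    """Findings for one recorded call: deprecated inputs, deprecated response
    properties the caller reads, and use of the retired domain."""
    findings = []
    method = method.upper()
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.endswith(RETIRED_DOMAIN):
        findings.append(f"host {parts.hostname} uses the retired {RETIRED_DOMAIN} domain")
    path = normalize_path(parts.path)
    key = (method, path)
    if key in DEPRECATED_QUERY_ENDPOINTS and DEPRECATED_PARAM in parse_qs(parts.query):
        findings.append(f"query parameter {DEPRECATED_PARAM} is deprecated for {method} {path}")
    if key in DEPRECATED_BODY_ENDPOINTS and DEPRECATED_PARAM in body_parameter_names(body):
        findings.append(f"request body parameter {DEPRECATED_PARAM} is deprecated for {method} {path}")
    for prop, endpoints in DEPRECATED_RESPONSE_PROPERTIES.items():
        if key in endpoints and prop in response_fields_used:
            findings.append(f"response property {prop} is deprecated for {method} {path}")
    return findings


# Constructed sample of calls an automation script might make (hosts are illustrative).
SAMPLE_CALLS = [
    ("GET", "https://api.redlock.io/v2/alert?timeType=relative&risk.grade=A", None, ("riskDetail",)),
    ("POST", "https://api.prismacloud.io/alert/policy",
     {"filters": [{"name": "risk.grade", "operator": "=", "value": "A"}]}, ()),
    ("GET", "https://api.prismacloud.io/alert/P-12345", None, ("id", "status")),
]


def audit_all(calls=SAMPLE_CALLS):
    """Map 'METHOD path' to its findings for every recorded call."""
    return {f"{m} {urlsplit(u).path}": audit_request(m, u, b, r) for m, u, b, r in calls}


if __name__ == "__main__":
    for call, findings in audit_all().items():
        print(call, "->", findings or "ok")
```

The `response_fields_used` argument is the list of properties your script reads from the response; supplying it is what turns the response-property deprecations into concrete findings rather than a list to check by hand.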

Grant permissions for Ingesting Google Workspace Groups

To grant the Prisma Cloud Service Account permissions to ingest data on groups from Google Workspace (GSuite), you must have administrator access to Google Workspace (GSuite) so you can grant your Prisma Cloud Service Account either the predefined Group Reader role or a custom role with the groups:read permission (https://admin.google.com/u/1/ac/roles).
  1. Log in to Workspace.
  2. Create a new custom role or use the predefined Group Reader role.
  3. Assign the role to the Prisma Cloud service account.
