Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned in the 23.6.1 release. Look Ahead announcements cover only the upcoming or next release; they are not a cumulative list of all announcements.
Note that the details and functionality listed below are a preview, and the actual release date is subject to change.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Rate Limit on POST /login Endpoint
Starting with 23.6.2, the POST /login endpoint will enforce rate limiting. Requests that exceed the limit will be rejected with HTTP response code 429 (Too Many Requests). Integrations that authenticate on every API call should expect these responses and should cache the session token and retry with a backoff instead.

S3 Flow Logs with Hourly Partition
If you currently ingest AWS flow logs using S3 with the 24-hour partition, you need to change it to the hourly partition before June 1, 2023. To make this change, Configure Flow Logs to use the hourly partition and enable the required additional fields.
Impact— Ingestion of VPC flow logs whose partition is set to Every 24 hours (default) will be disabled. As a result, you will no longer be able to monitor or receive alerts based on these logs.

Access to Alerts for Deleted Assets
The ability to view resolved alerts for assets that have been deleted from cloud accounts onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. After 90 days, these alerts will be permanently deleted from Prisma Cloud.
This change will be in effect starting July 1, 2023. Before July 1, if you want to export all resolved alerts older than 90 days for assets that have been deleted from the cloud account, use the GET /v2/alert API endpoint: https://pan.dev/prisma-cloud/api/cspm/get-alerts-v-2/
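To find out which flow logs the June 1 change will affect, here is an added example (not Prisma Cloud's or AWS's code) that reads the JSON returned by `aws ec2 describe-flow-logs` and flags every S3-delivered flow log that is not hourly partitioned. A flow log's configuration cannot be changed after creation, so the second function builds the `aws ec2 create-flow-logs` call for an hourly-partitioned replacement; delete the old flow log once the new one is delivering. The sample output is constructed; the field names (FlowLogs, LogDestinationType, DestinationOptions with FileFormat, HiveCompatiblePartitions and PerHourPartition, LogFormat, TrafficType) are those of the EC2 DescribeFlowLogs API. The page does not list the additional fields Prisma Cloud requires, so the script only surfaces the current LogFormat for manual review.

```python
import json
import shlex

# Constructed sample of `aws ec2 describe-flow-logs` output (not captured from a real account).
SAMPLE_DESCRIBE_FLOW_LOGS = json.loads("""
{
  "FlowLogs": [
    {"FlowLogId": "fl-0a1b2c3d4e5f67890", "ResourceId": "vpc-0123456789abcdef0",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-logs/prod/",
     "LogFormat": "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}"},
    {"FlowLogId": "fl-0fedcba9876543210", "ResourceId": "vpc-0fedcba9876543210",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-logs/staging/",
     "DestinationOptions": {"FileFormat": "parquet", "HiveCompatiblePartitions": true, "PerHourPartition": true}},
    {"FlowLogId": "fl-00000000000000001", "ResourceId": "subnet-0123456789abcdef0",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:us-east-1:123456789012:log-group:vpc-rejects"}
  ]
}
""")


def flow_log_findings(describe_output: dict) -> list:
    """One finding per S3 flow log that is not hourly partitioned. A missing
    DestinationOptions block means the creation defaults apply: plain-text files
    and the 24-hour partition that Prisma Cloud will stop ingesting."""
    findings = []
    for fl in describe_output.get("FlowLogs", []):
        if fl.get("LogDestinationType") != "s3":
            continue  # only S3-delivered flow logs are affected by this change
        opts = fl.get("DestinationOptions")
        if opts and opts.get("PerHourPartition"):
            continue
        findings.append({
            "FlowLogId": fl["FlowLogId"],
            "ResourceId": fl["ResourceId"],
            "LogDestination": fl.get("LogDestination"),
            "LogFormat": fl.get("LogFormat", "(default format)"),  # check required fields by hand
            "reason": "PerHourPartition is false" if opts
                      else "no DestinationOptions: 24-hour partition (default)",
        })
    return findings


def replacement_command(fl: dict) -> str:
    """Flow log settings cannot be edited in place, so build the create-flow-logs call
    for an hourly-partitioned replacement that keeps the destination, traffic type,
    file format and custom log format of the original."""
    prefix = fl["ResourceId"].split("-", 1)[0]
    resource_type = {"vpc": "VPC", "subnet": "Subnet", "eni": "NetworkInterface"}.get(prefix)
    if resource_type is None:
        raise ValueError(f"unsupported flow log resource: {fl['ResourceId']}")
    opts = fl.get("DestinationOptions") or {}
    hive = "true" if opts.get("HiveCompatiblePartitions") else "false"
    dest_opts = (f"FileFormat={opts.get('FileFormat', 'plain-text')},"
                 f"HiveCompatiblePartitions={hive},PerHourPartition=true")
    parts = [
        "aws ec2 create-flow-logs",
        f"--resource-type {resource_type}",
        f"--resource-ids {fl['ResourceId']}",
        f"--traffic-type {fl.get('TrafficType', 'ALL')}",
        "--log-destination-type s3",
        f"--log-destination {fl['LogDestination']}",
        f"--destination-options {dest_opts}",
    ]
    if fl.get("LogFormat"):
        parts.append(f"--log-format {shlex.quote(fl['LogFormat'])}")
    return " ".join(parts)


def remediation_plan(describe_output: dict) -> dict:
    """Map each non-compliant flow log id to the CLI call that replaces it."""
    by_id = {fl["FlowLogId"]: fl for fl in describe_output.get("FlowLogs", [])}
    return {f["FlowLogId"]: replacement_command(by_id[f["FlowLogId"]])
            for f in flow_log_findings(describe_output)}


if __name__ == "__main__":
    for flow_log_id, cmd in remediation_plan(SAMPLE_DESCRIBE_FLOW_LOGS).items():
        print(f"# {flow_log_id}\n{cmd}\n")
```

Run it against real output with `aws ec2 describe-flow-logs --output json` loaded through `json.load`; the CloudWatch Logs flow log in the sample is skipped on purpose, and the staging flow log passes because PerHourPartition is already true.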

New Policies

Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.

Access the Look Ahead for New Policies

To learn about the new policies that will be added in the next release:
  1. Find the Prisma Cloud policies folder on GitHub.
    The folder contains RQL based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
  2. Select the branch for which you want to review policy updates.
    The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release branch or to the next release branch to review the policies that were published previously or are planned for the upcoming release.
    Because Prisma Cloud typically has two releases a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-23.6.1.
  3. Review the updates.
    Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped into new policies and updated policies.
    Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names describe the characteristic they represent. The JSON field named searchModel.query provides the RQL for the policy.
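One way to carry out step 3 from the command line, as an added example that is not part of the page or of the prisma-cloud-policies repository: given the policies folder from two checkouts (for example the Master branch and the next PCS-<year>.<month>.<n> branch), the code parses each policy JSON file, pulls the RQL out of searchModel.query as the page describes, and diffs the two RQL strings clause by clause, so a change stands out the way the Current RQL / Updated RQL pairs further down present it. The sample policy is constructed and abridged from this page's GCP route delete and insert policy; the name, severity, cloudType and policyType field names are assumptions about the file layout.

```python
import difflib
import json
import re
from pathlib import Path


def load_policy(text: str) -> dict:
    """Pull the reviewer-relevant fields out of one policy JSON file. searchModel.query
    holds the RQL (as the page states); name, severity, cloudType and policyType are
    assumed field names."""
    policy = json.loads(text)
    return {
        "name": policy.get("name"),
        "severity": policy.get("severity"),
        "cloudType": policy.get("cloudType"),
        "policyType": policy.get("policyType"),
        "rql": (policy.get("searchModel") or {}).get("query", ""),
    }


def split_clauses(rql: str) -> list:
    """Split an RQL string on top-level ' and ' so the diff reports whole predicates;
    parenthesised groups such as ( a or b ) are kept intact."""
    clauses, current, depth = [], [], 0
    for token in re.split(r"(\s+and\s+|\(|\))", rql):
        if token == "(":
            depth += 1
        elif token == ")":
            depth -= 1
        elif depth == 0 and re.fullmatch(r"\s+and\s+", token):
            clauses.append("".join(current).strip())
            current = []
            continue
        current.append(token)
    clauses.append("".join(current).strip())
    return [c for c in clauses if c]


def compare_policy(current_text: str, updated_text: str) -> dict:
    """Report severity and RQL clause changes between two versions of one policy."""
    cur, new = load_policy(current_text), load_policy(updated_text)
    diff = list(difflib.ndiff(split_clauses(cur["rql"]), split_clauses(new["rql"])))
    return {
        "name": new["name"],
        "severity": (cur["severity"], new["severity"]),
        "removed": [line[2:] for line in diff if line.startswith("- ")],
        "added": [line[2:] for line in diff if line.startswith("+ ")],
    }


def load_policy_dir(folder: Path) -> dict:
    """Read every *.json file in a checkout's policies folder, keyed by filename."""
    return {p.name: p.read_text(encoding="utf-8") for p in folder.glob("*.json")}


def review_release(current: dict, updated: dict) -> list:
    """Given {filename: json_text} for two branches, list new and changed policies."""
    changes = []
    for fname, new_text in sorted(updated.items()):
        if fname not in current:
            changes.append({"name": load_policy(new_text)["name"], "status": "new"})
            continue
        report = compare_policy(current[fname], new_text)
        if report["removed"] or report["added"] or report["severity"][0] != report["severity"][1]:
            report["status"] = "updated"
            changes.append(report)
    return changes


# Constructed, abridged version of the page's GCP route delete/insert policy.
_RQL_HEAD = ("config from cloud.resource where api.name = 'gcloud-logging-metric' as X; "
             "config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; "
             "filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ")
_RQL_TAIL = (' and $.X.filter contains "gce_route" and $.X.filter contains "compute.routes.delete"'
             ' and $.X.filter contains "compute.routes.insert"\'; show X; count(X) less than 1')


def sample_policy(resource_type_clause: str, severity: str = "informational") -> str:
    return json.dumps({
        "name": "GCP Log metric filter and alert does not exist for VPC network route delete and insert",
        "severity": severity, "cloudType": "gcp", "policyType": "config",
        "searchModel": {"query": _RQL_HEAD + resource_type_clause + _RQL_TAIL},
    })


CURRENT_POLICY = sample_policy(
    '( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" )')
UPDATED_POLICY = sample_policy(
    '( $.X.filter contains "resource.type =" or $.X.filter contains "resource.type=" )')


if __name__ == "__main__":
    # Against real checkouts: review_release(load_policy_dir(Path("master/policies")),
    #                                        load_policy_dir(Path("PCS-23.6.1/policies")))
    print(json.dumps(review_release({"gcp-route.json": CURRENT_POLICY},
                                    {"gcp-route.json": UPDATED_POLICY}), indent=2))
```

Splitting on top-level `and` rather than on characters is what makes the output readable: for the sample, the report shows one removed clause (the `does not contain` pair) and one added clause (the `contains` pair), which is exactly the change the Policy Updates table below describes for the five GCP policies.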

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates—RQL
AWS S3 bucket policy overly permissive to any principal
Changes— The Policy RQL will be updated to take the Block Public Access settings at the account and bucket level into account.
Severity— Medium.
Impact— Medium. Depending on the Block Public Access settings at the account and bucket level, some existing alerts might be resolved.
AWS S3 bucket publicly writable
Changes— The Policy RQL will be updated to also check for access granted to the Authenticated Users group (the predefined S3 ACL group that covers any AWS account, not only accounts in your organization).
Severity— High.
Impact— Low. New alerts may be generated if the Authenticated Users group has write permissions on a bucket.
GCP Log metric filter and alert does not exist for VPC network route delete and insert
Changes— The Policy RQL will be updated to require that the log metric filter explicitly sets a resource type (resource.type=); the current check only rejects a negated resource type.
Severity— Informational.
Current RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" ) and ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Updated RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" ) and ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Impact— Low. New alerts will be generated for projects whose metric filter does not explicitly set resource.type.
GCP Log metric filter and alert does not exist for VPC network route changes
Changes— The Policy RQL will be updated to require that the log metric filter explicitly sets a resource type (resource.type=); the current check only rejects a negated resource type.
Severity— Informational.
Current RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_route" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Updated RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_route" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Impact— Low. New alerts will be generated for projects whose metric filter does not explicitly set resource.type.
GCP Log metric filter and alert does not exist for VPC network route patch and insert
Changes— The Policy RQL will be updated to require that the log metric filter explicitly sets a resource type (resource.type=); the current check only rejects a negated resource type.
Severity— Informational.
Current RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" ) and ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1
Updated RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" ) and ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1
Impact— Low. New alerts will be generated for projects whose metric filter does not explicitly set resource.type.
GCP Log metric filter and alert does not exist for VPC network changes
Changes— The Policy RQL will be updated to require that the log metric filter explicitly sets a resource type (resource.type=); the current check only rejects a negated resource type.
Severity— Informational.
Current RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_network" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert" and $.X.filter contains "compute.networks.patch" and $.X.filter contains "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1
Updated RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_network" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert" and $.X.filter contains "compute.networks.patch" and $.X.filter contains "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1
Impact— Low. New alerts will be generated for projects whose metric filter does not explicitly set resource.type.
GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
Changes— The Policy RQL will be updated to require that the log metric filter explicitly sets a resource type (resource.type=); the current check only rejects a negated resource type.
Severity— Informational.
Current RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gcs_bucket" and ($.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =") and ($.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show X; count(X) less than 1
Updated RQL— config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gcs_bucket" and ($.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =") and ($.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show X; count(X) less than 1
Impact— Low. New alerts will be generated for projects whose metric filter does not explicitly set resource.type.
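To see which of your metric filters the five GCP updates above will start flagging, here is an added example (not Prisma Cloud code) that re-implements the string predicate these RQL statements apply to $.X.filter, in both its current and updated form, and joins it with the alerting-policy check ($.Y.conditions[*].metricThresholdFilter contains $.X.name). Two points fall out of it: the current clause ( does not contain "resource.type =" or does not contain "resource.type=" ) is only false when a filter contains both spellings, so today a filter that never sets resource.type still satisfies the policy; and a filter written with the Cloud Logging "has" operator (resource.type:"gce_route") satisfies the current RQL but not the updated one, so it will alert after the change even though it is functionally equivalent for a single value. The metric filters and alerting policies are constructed samples; the RQL predicates are taken from the table above.

```python
# One entry per GCP policy update above: the resource type, log field and operator spelling
# the RQL looks for, and the method or event_subtype values that must all appear.
POLICY_SPECS = {
    "VPC network route delete and insert": {
        "resource_type": "gce_route", "field": "protoPayload.methodName", "op": ":",
        "values": ["compute.routes.delete", "compute.routes.insert"]},
    "VPC network route changes": {
        "resource_type": "gce_route", "field": "jsonPayload.event_subtype", "op": "=",
        "values": ["compute.routes.delete", "compute.routes.insert"]},
    "VPC network route patch and insert": {
        "resource_type": "gce_route", "field": "protoPayload.methodName", "op": "=",
        "values": ["beta.compute.routes.patch", "beta.compute.routes.insert"]},
    "VPC network changes": {
        "resource_type": "gce_network", "field": "jsonPayload.event_subtype", "op": "=",
        "values": ["compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
                   "compute.networks.removePeering", "compute.networks.addPeering"]},
    "Cloud Storage IAM permission changes": {
        "resource_type": "gcs_bucket", "field": "protoPayload.methodName", "op": "=",
        "values": ["storage.setIamPermissions"]},
}


def _mentions(filter_text: str, field: str, op: str) -> bool:
    """RQL 'contains' check for both spellings the policies accept: field<op> and field <op>."""
    return f"{field}{op}" in filter_text or f"{field} {op}" in filter_text


def metric_filter_matches(filter_text: str, spec: dict, updated_rql: bool) -> bool:
    """Python rendering of the predicate the RQL applies to $.X.filter."""
    if updated_rql:
        # Updated: ( contains "resource.type =" or contains "resource.type=" )
        if not _mentions(filter_text, "resource.type", "="):
            return False
    else:
        # Current: ( does not contain "resource.type =" or does not contain "resource.type=" ),
        # which is only false when BOTH spellings are present, so it excludes almost nothing.
        if "resource.type =" in filter_text and "resource.type=" in filter_text:
            return False
    if _mentions(filter_text, "resource.type", "!="):
        return False
    if spec["resource_type"] not in filter_text:
        return False
    if not _mentions(filter_text, spec["field"], spec["op"]):
        return False
    if _mentions(filter_text, spec["field"], "!" + spec["op"]):
        return False
    return all(value in filter_text for value in spec["values"])


def policy_violated(metrics: list, alert_policies: list, spec: dict, updated_rql: bool) -> bool:
    """True when the policy alerts: no metric is both referenced by an alerting policy
    condition and satisfies the filter predicate (count(X) less than 1)."""
    condition_filters = [cond.get("metricThresholdFilter", "")
                         for policy in alert_policies for cond in policy.get("conditions", [])]
    matching = [m for m in metrics
                if any(m["name"] in f for f in condition_filters)
                and metric_filter_matches(m["filter"], spec, updated_rql)]
    return len(matching) < 1


# Constructed samples: two projects that each wired a route-change metric to an alerting policy.
EQUALS_FILTER = ('resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
                 'OR protoPayload.methodName:"compute.routes.insert")')
HAS_FILTER = ('resource.type:"gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
              'OR protoPayload.methodName:"compute.routes.insert")')
ALERT_POLICIES = [{"displayName": "route-changes", "conditions": [
    {"metricThresholdFilter": 'metric.type="logging.googleapis.com/user/vpc-route-changes"'}]}]


def run_demo() -> dict:
    """Whether the route delete/insert policy alerts for each sample, now and after the update."""
    spec = POLICY_SPECS["VPC network route delete and insert"]
    results = {}
    for label, filter_text in (("equals-operator", EQUALS_FILTER), ("has-operator", HAS_FILTER)):
        metrics = [{"name": "vpc-route-changes", "filter": filter_text}]
        results[label] = {
            "current": policy_violated(metrics, ALERT_POLICIES, spec, updated_rql=False),
            "updated": policy_violated(metrics, ALERT_POLICIES, spec, updated_rql=True),
        }
    return results


if __name__ == "__main__":
    print(run_demo())
```

Feed it the filter strings from `gcloud logging metrics list --format=json` and the conditions from `gcloud alpha monitoring policies list --format=json`, and any project reported as violated only under updated_rql=True is one that will raise a new alert after the release; rewriting its filter to use `resource.type="..."` clears it under both forms.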

API Ingestions

The following API ingestion updates are planned for Prisma Cloud in 23.6.1:
SERVICE
API DETAILS
Amazon DAX
aws-dax-parameter-group
Additional permissions required:
  • dax:DescribeParameterGroups
  • dax:DescribeParameters
The Security Audit role includes the permissions.
AWS Shield
aws-shield-drt-access
Additional permission required:
  • shield:DescribeDRTAccess
The Security Audit role includes the permission.
Amazon API Gateway
aws-apigatewayv2-stage
Additional permission required:
  • apigateway:GET
The Security Audit role includes the permission.
Google Cloud DNS
gcloud-dns-resource-record-set
Additional permissions required:
  • dns.managedZones.list
  • dns.resourceRecordSets.list
The Viewer role includes the permissions.
Google Vertex AI
gcloud-vertex-ai-notebook-instance-schedule
Additional permissions required:
  • notebooks.locations.list
  • notebooks.schedules.list
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-zone-action
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.zoneActions.list
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-action
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.lakeActions.list
The Viewer role includes the permissions.
OCI Service Mesh
oci-service-mesh-ingressgateway-routetable
Additional permissions required:
  • MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST
  • MESH_INGRESS_GATEWAY_ROUTE_TABLE_READ
You must update the Terraform template to enable the permissions.
OCI Service Mesh
oci-service-mesh-ingressgateway
Additional permissions required:
  • MESH_INGRESS_GATEWAY_LIST
  • MESH_INGRESS_GATEWAY_READ
You must update the Terraform template to enable the permissions.
OCI Database
oci-database-db-node
Additional permissions required:
  • DB_SYSTEM_INSPECT
  • DB_NODE_INSPECT
  • DB_NODE_QUERY
You must update the Terraform template to enable the permissions.

Deprecation Notices

Deprecation Notice
Prisma Cloud CSPM REST API for Alerts
Some Alert API request parameters and response object properties are now deprecated.
Query parameter risk.grade is deprecated for the following requests:
  • GET /alert
  • GET /v2/alert
  • GET /alert/policy
Request body parameter risk.grade is deprecated for the following requests:
  • POST /alert
  • POST /v2/alert
  • POST /alert/policy
Response object property riskDetail is deprecated for the following requests:
  • GET /alert
  • POST /alert
  • GET /alert/policy
  • POST /alert/policy
  • GET /alert/{id}
  • GET /v2/alert
  • POST /v2/alert
Response object property risk.grade.options is deprecated for the following request:
  • GET /filter/alert/suggest
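Putting the alert-related items on this page together, here is an added example (not Prisma Cloud's own code): a minimal CSPM API client that treats HTTP 429 from POST /login as a signal to wait (Retry-After when the server sends it, otherwise exponential backoff) and reuses the session token instead of logging in per request, and that pages through GET /v2/alert to export resolved alerts older than 90 days for deleted assets, as the "Access to Alerts for Deleted Assets" change recommends, without sending the deprecated risk.grade parameter listed above. The HTTP layer is injected so the example runs offline against the constructed fake at the bottom. Assumptions not stated on the page: the login response carries the session token in a token field and it is sent back in the x-redlock-auth header; /v2/alert accepts timeType=absolute with startTime and endTime in epoch milliseconds, an alert.status filter, detailed, limit and pageToken, and returns items plus nextPageToken; alerts resolved because the resource was removed carry reason RESOURCE_DELETED; and the API host depends on your tenant.

```python
import time
from typing import Callable, Optional

# transport(method, url, headers, json_body, params) -> (status, response_headers, json_body)
Transport = Callable[[str, str, dict, Optional[dict], Optional[dict]], tuple]


class PrismaCloudClient:
    """Minimal CSPM client: one cached token, 429-aware login, paginated alert export."""

    def __init__(self, base_url: str, username: str, password: str, transport: Transport,
                 sleep: Callable[[float], None] = time.sleep, max_login_attempts: int = 5):
        self.base_url = base_url.rstrip("/")          # assumption: tenant-specific API host
        self.credentials = {"username": username, "password": password}
        self.transport = transport
        self.sleep = sleep
        self.max_login_attempts = max_login_attempts
        self._token: Optional[str] = None

    def login(self) -> str:
        """POST /login; on HTTP 429 honour Retry-After (or back off exponentially) and retry."""
        delay = 1.0
        for _ in range(self.max_login_attempts):
            status, headers, body = self.transport(
                "POST", f"{self.base_url}/login", {"Content-Type": "application/json"},
                self.credentials, None)
            if status == 200:
                self._token = body["token"]          # assumption: token field in the login response
                return self._token
            if status != 429:
                raise RuntimeError(f"POST /login failed: HTTP {status}")
            self.sleep(float(headers.get("Retry-After", delay)))
            delay = min(delay * 2, 60.0)
        raise RuntimeError("POST /login still rate limited; look for clients that log in per request")

    def token(self) -> str:
        """Reuse the session token; a fresh login per API call is what the rate limit penalises."""
        return self._token or self.login()

    def get(self, path: str, params: dict) -> dict:
        for attempt in range(2):
            status, _, body = self.transport(
                "GET", f"{self.base_url}{path}", {"x-redlock-auth": self.token()}, None, params)
            if status == 401 and attempt == 0:       # expired token: re-login once, then fail loudly
                self._token = None
                continue
            if status != 200:
                raise RuntimeError(f"GET {path} failed: HTTP {status}")
            return body
        raise RuntimeError(f"GET {path}: still unauthorized after token refresh")

    def export_resolved_alerts_for_deleted_assets(self, now_ms: int, older_than_days: int = 90) -> list:
        """Page through GET /v2/alert for resolved alerts whose window ended more than
        older_than_days ago and keep those resolved because the resource was deleted.
        The deprecated risk.grade parameter is deliberately not sent."""
        params = {
            "timeType": "absolute", "startTime": 0,
            "endTime": now_ms - older_than_days * 86_400_000,
            "alert.status": "resolved", "detailed": "true", "limit": 100,
        }
        exported = []
        while True:
            page = self.get("/v2/alert", params)
            exported.extend(a for a in page.get("items", []) if a.get("reason") == "RESOURCE_DELETED")
            if not page.get("nextPageToken"):
                return exported
            params = {**params, "pageToken": page["nextPageToken"]}


def make_fake_transport(login_429s: int = 2):
    """Constructed stand-in for the API: rate-limits the first login_429s logins, then serves
    two pages of alerts to any caller presenting the issued token."""
    pages = {None: {"items": [{"id": "P-1", "reason": "RESOURCE_DELETED"},
                              {"id": "P-2", "reason": "POLICY_UPDATED"}], "nextPageToken": "t2"},
             "t2": {"items": [{"id": "P-3", "reason": "RESOURCE_DELETED"}]}}
    state = {"login_calls": 0}

    def transport(method, url, headers, json_body, params):
        if url.endswith("/login"):
            state["login_calls"] += 1
            if state["login_calls"] <= login_429s:
                return 429, {"Retry-After": "2"}, {}
            return 200, {}, {"token": "tok-1"}
        if headers.get("x-redlock-auth") != "tok-1":
            return 401, {}, {}
        return 200, {}, pages[(params or {}).get("pageToken")]
    return transport, state


def run_demo() -> dict:
    transport, state = make_fake_transport()
    waits = []                                       # record back-off instead of sleeping
    client = PrismaCloudClient("https://api.prismacloud.io", "svc-account", "s3cret",
                               transport, sleep=waits.append)
    alerts = client.export_resolved_alerts_for_deleted_assets(now_ms=1_687_000_000_000)
    return {"exported": [a["id"] for a in alerts], "login_calls": state["login_calls"], "waits": waits}


if __name__ == "__main__":
    print(run_demo())
```

Against a real tenant, replace the fake transport with a function that issues the request (for example with `requests`) and returns the status code, response headers and decoded JSON body; the client logic does not change. Two logins hit the 429 path in the demo, the token is then reused for both alert pages, and only the RESOURCE_DELETED alerts are kept.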
