Look Ahead—Planned Updates on Prisma Cloud
Review any deprecation notices and policy changes planned
in the next Prisma Cloud release.
Read this section to learn about what is planned in the 22.6.3 release. The Look Ahead announcements cover only the upcoming release; they are not a cumulative list of all announcements. The details and functionality listed below are a preview, and the actual release date is subject to change.
Changes in Existing Behavior
FEATURE | DESCRIPTION |
---|---|
Access to Data for Deleted Assets | Beginning in July, the ability to view and investigate data for assets that have been deleted in cloud accounts onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. This is a change from the current behavior, where you have access to the historical data for deleted assets from the time you onboarded the account on Prisma Cloud. To align with this change, Prisma Cloud will limit the time range filters to 90 days of history. To support use cases where longer retention is required, an exporter tool will be made available for retrieving data on deleted assets. |
Change in Existing Behavior: API for generating External ID for AWS cloud account onboarding | While onboarding AWS standalone, organization, or member accounts using the Prisma Cloud API, you must now use the App Provisioner API to generate an External ID. This External ID is required to generate the Role ARN and grant Prisma Cloud access to your cloud account. The External ID is valid for 30 days; if you do not complete the onboarding flow within that period, you must generate a new External ID and restart the onboarding workflow. The Add Cloud Account and Update Cloud Account API endpoints will no longer accept externalId and memberExternalId as input parameters. A caller-chosen External ID can be guessed or reused by another tenant, so generating it on the Prisma Cloud side prevents confused deputy attacks on AWS accounts. You must first use the App Provisioner API to generate the External ID and then use it to onboard or update a cloud account. This change does not affect already onboarded AWS accounts unless you need to update or make changes to the existing account. |
DNS as a Policy Subtype | On Policies and on Alerts > Overview, the Policy Subtype filter now displays DNS. Because the DNS anomaly policies are not yet released, you will be unable to view the policies or detect any violations against them. To see the new DNS policies and trigger related alerts, you must sign up for the beta program. Reach out to customer support or your customer success representative to join the beta program. |
Important Notice - Take Action: Cloud Asset Inventory (CAI) Support | Beginning with the 22.7.1 release, Prisma Cloud will adopt Google's Cloud Asset Inventory (CAI) service for a few GCP services. The CAI service reduces the number of API calls to GCP and speeds up asset reporting on Prisma Cloud. The following GCP services/APIs will have CAI support on Prisma Cloud: CAI will be enabled by default on Prisma Cloud with 22.7.1. You must perform the following actions before 22.7.1: If you want to switch to CAI before 22.7.1, after you complete the actions listed above, contact your customer success representative so that the feature can be enabled for your tenant. Impact: If you do not enable CAI or if your service account does not include the required permissions: Enabling the CAI service will not impact any existing policies or alerts. |
Crypto Key Ingestions when CAI is Disabled | Beginning with the 22.7.1 release, the handling of Crypto Keys metadata from Google Cloud KMS changes. If you have enabled Cloud Asset Inventory (CAI), the gcloud-kms-keyring-list API will no longer include Crypto Keys metadata; that metadata will instead be ingested through the gcloud-kms-crypto-keys-list API. Impact: With CAI enabled, resources ingested through gcloud-kms-keyring-list no longer carry Crypto Keys metadata, all existing alerts associated with this API are resolved as Resource_Updated, and new alerts are generated from the gcloud-kms-crypto-keys-list API. If you have not enabled CAI, Crypto Keys metadata continues to be ingested through the gcloud-kms-keyring-list API on Prisma Cloud. |
Grant permissions for Ingesting Google Workspace Groups (applies only if you have activated the IAM Security subscription on Prisma Cloud) | When Prisma Cloud enables support for GCP on IAM Security in July 2022, the permissions for Groups on Google Workspace become relevant. After you use the cloud account onboarding Terraform template to onboard your GCP cloud account on Prisma Cloud and have activated the IAM Security subscription, complete the instructions in Grant permissions for Ingesting Google Workspace Groups. |
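The External ID row above explains why Prisma Cloud now generates the External ID itself; on the AWS side, the control that enforces it is the sts:ExternalId condition in the role's trust policy. The following script is an added example, not Prisma Cloud code and not part of the onboarding template. It builds a trust policy bound to a given External ID and audits an existing trust policy for AssumeRole grants that lack that condition, which is the confused deputy exposure the row refers to. The principal ARN, the External ID and the sample policies are constructed placeholders; substitute the principal from your onboarding template and the External ID issued by the App Provisioner API.

```python
"""Audit an AWS IAM role trust policy for confused-deputy protection.

Added example; not Prisma Cloud's code and it does not call the Prisma
Cloud API. TRUSTED_PRINCIPAL and EXTERNAL_ID are constructed placeholders.
"""
from typing import Any

# Constructed placeholders (assumptions, not values from the release notes).
TRUSTED_PRINCIPAL = "arn:aws:iam::111122223333:root"
EXTERNAL_ID = "0f1c7c5e-example-external-id"


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_principal: str, external_id: str) -> dict:
    """Trust policy that lets `trusted_principal` assume the role only when it
    presents `external_id` (the AWS-documented confused-deputy control)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": trusted_principal},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_external_id: str) -> list[str]:
    """Return one finding per Allow statement that grants sts:AssumeRole to
    any principal or without the expected sts:ExternalId condition.
    An empty list means every AssumeRole grant is bound to the External ID."""
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = (
            _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        )
        if "*" in aws_principals:
            findings.append(f"statement {idx}: Principal is '*', any AWS account may assume the role")
        # Only an exact-match condition on sts:ExternalId counts as protection.
        condition = stmt.get("Condition") or {}
        external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy exposure)")
        elif expected_external_id not in external_ids:
            findings.append(f"statement {idx}: sts:ExternalId does not match the ID issued for this onboarding")
    return findings


# Constructed 'before' policy: trusts the vendor account, but any tenant of
# that vendor could reach this role because no External ID is required.
UNSAFE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": TRUSTED_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    for label, pol in (("unsafe", UNSAFE_TRUST_POLICY),
                       ("hardened", build_trust_policy(TRUSTED_PRINCIPAL, EXTERNAL_ID))):
        print(label, audit_trust_policy(pol, EXTERNAL_ID) or "OK")
```

Run the audit against the trust policy of the role you hand to Prisma Cloud (for example the output of `aws iam get-role`) with the External ID you were issued; a stale ID from an onboarding attempt older than 30 days shows up as a mismatch finding, which is the signal to generate a new one and restart the workflow.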
New Policies and Policy Updates
Learn about the new policies and upcoming policy changes
for new and existing Prisma Cloud System policies.
Access the Look Ahead for New Policies
To learn about the new policies that will be added in the next release:
- Find the Prisma Cloud policies folder on GitHub. The folder contains RQL-based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
- Select the branch for which you want to review policy updates. The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch to review the policies that were published previously or are planned for the upcoming release. Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology>, for example PCS-22.6.3.
- Review the updates. Use the changelog.md file for a cumulative list of all policies that are added to a specific release; the policies are grouped into new policies and updated policies. Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog. Within each policy file, the JSON field names describe the characteristic each one represents; the field named searchModel.query holds the RQL for the policy.
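A script that carries out the review procedure above offline; it is an added example, not a tool shipped with the policies repository. It loads the policies folder from two checkouts (for instance Master and PCS-22.6.3), keys each policy by file name as the changelog does, and reports policies that are new and policies whose searchModel.query changed, since an RQL change is what can resolve existing alerts as Policy_Updated. The sample policy files, their RQL strings and the name field are constructed for the example; searchModel.query is the only field the release notes name.

```python
"""Diff the policies folder of two checkouts of the Prisma Cloud policies repo.

Added example, not a script from the repository. Point the two paths at the
policies folder of the Master checkout and of the next-release branch
(for example PCS-22.6.3). searchModel.query is the RQL field named in the
release notes; the name field in the constructed sample files is an
assumption about the file layout.
"""
import json
import tempfile
from pathlib import Path


def load_policies(policy_dir) -> dict[str, dict]:
    """Map policy file name -> parsed JSON for every *.json in the folder.
    The changelog lists policies under the same name as the file."""
    return {p.name: json.loads(p.read_text()) for p in Path(policy_dir).glob("*.json")}


def rql_of(policy: dict) -> str:
    """The RQL a policy evaluates lives under searchModel.query."""
    return policy.get("searchModel", {}).get("query", "")


def diff_policies(current: dict[str, dict], upcoming: dict[str, dict]) -> dict[str, list[str]]:
    """Classify next-release policies relative to the current release:
    added files, files whose RQL changed (existing alerts may be resolved as
    Policy_Updated) and files whose display name changed (metadata only)."""
    common = set(current) & set(upcoming)
    return {
        "added": sorted(set(upcoming) - set(current)),
        "rql_changed": sorted(n for n in common if rql_of(current[n]) != rql_of(upcoming[n])),
        "renamed": sorted(n for n in common if current[n].get("name") != upcoming[n].get("name")),
    }


# Constructed sample files standing in for the two branches. The RQL strings
# are placeholders, not real Prisma Cloud policy queries.
CURRENT_BRANCH = {
    "azure-contact-phone.json": {
        "name": "Azure Security Center contact phone number not set",
        "searchModel": {"query": "constructed-rql contact-phone v1"},
    },
    "azure-disk-encryption.json": {
        "name": "Azure Security Center disk encryption monitoring is set to disabled",
        "searchModel": {"query": "constructed-rql disk-encryption v1"},
    },
}
NEXT_BRANCH = {
    "azure-contact-phone.json": {
        "name": "Azure Microsoft Defender for Cloud security contact phone number is not set",
        "searchModel": {"query": "constructed-rql contact-phone v2 (defender-enabled subscriptions only)"},
    },
    "azure-disk-encryption.json": {
        "name": "Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled",
        "searchModel": {"query": "constructed-rql disk-encryption v1"},
    },
    "constructed-new-policy.json": {
        "name": "Constructed new policy",
        "searchModel": {"query": "constructed-rql new-policy v1"},
    },
}


def write_branch(root: Path, policies: dict[str, dict]) -> Path:
    """Write the constructed policies as JSON files, mimicking a checkout."""
    root.mkdir(parents=True, exist_ok=True)
    for filename, body in policies.items():
        (root / filename).write_text(json.dumps(body, indent=2))
    return root


def demo() -> dict[str, list[str]]:
    """Write both constructed branches to a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        current = load_policies(write_branch(Path(tmp) / "master" / "policies", CURRENT_BRANCH))
        upcoming = load_policies(write_branch(Path(tmp) / "PCS-22.6.3" / "policies", NEXT_BRANCH))
        return diff_policies(current, upcoming)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against real checkouts, call `diff_policies(load_policies("master/policies"), load_policies("PCS-22.6.3/policies"))`; the `rql_changed` list is the set of policies to cross-check against the Impact statements in the Policy Updates table, since only those can change which alerts open or resolve.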
Policy Updates
Policy Updates | Description |
---|---|
Policy Updates-Metadata | Azure Security Center system updates monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center system updates monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud system updates monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have system updates monitoring set to disabled. The monitor retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services; the retrieved list depends on the service that is configured for that virtual machine, and the missing updates are recommended for installation. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines. Impact: No impact on alerts. |
| Azure Security Center disk encryption monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center disk encryption monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines protects the data at rest. It is recommended to enable disk encryption monitoring in the Microsoft Defender for Cloud security policy. Impact: No impact on alerts. |
| Azure Security Center adaptive application controls monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center adaptive application controls monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have adaptive application controls monitoring set to disabled. Adaptive application controls ensure that only allowlisted applications can run on your Azure VMs, which blocks malicious, unwanted, or unsupported software on the VMs. Impact: No impact on alerts. |
| Azure Security Center endpoint protection monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center endpoint protection monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have endpoint protection monitoring set to disabled. Enabling endpoint protection monitoring ensures that gaps in endpoint protection on Microsoft Windows virtual machines are identified so that they can be remediated. Impact: No impact on alerts. |
| Azure Security Center security configurations monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center security configurations monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have security configurations monitoring set to disabled. Security configurations monitoring enables a daily analysis of operating system configurations: hardening rules such as firewall rules and password and audit policies are reviewed, and recommendations are made for setting the right level of security controls. Impact: No impact on alerts. |
| Azure Security Center JIT network access monitoring is set to disabled. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes. Current Name: Azure Security Center JIT network access monitoring is set to disabled. Updated Name: Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled. Updated Description: Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies that have JIT network access monitoring set to disabled. Just-in-time (JIT) network access protects VMs by using NSG rules to open management ports only for a pre-set time and only after checking the user's Role Based Access Control permissions, which limits exposure to brute-force attacks. Impact: No impact on alerts. |
Policy Updates-RQL | Azure Microsoft Defender for Cloud email notification for subscription owner is not set. Changes: The policy RQL has been updated to look only at subscriptions where Defender is enabled and then check the email setting. Current RQL: Updated RQL: Impact: Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'. |
| Azure Security Center contact phone number not set. Changes: The policy name, description, and remediation steps have been updated due to vendor UI setting changes, and the policy RQL has been updated to consider only Defender-enabled subscriptions. Current Name: Azure Security Center contact phone number not set. Updated Name: Azure Microsoft Defender for Cloud security contact phone number is not set. Updated Description: Identifies subscriptions that do not have a security contact phone number set for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set a security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources. Current RQL: Updated RQL: Impact: Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'. |
| GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower. Changes: The policy is modified to comply with the CIS requirement by excluding SSL policies with profile type 'RESTRICTED' from alerting. Current RQL: Updated RQL: Impact: Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'. |
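The GCP load balancer SSL policy change above has an edge case worth seeing in code: an SSL policy can carry a weak minTlsVersion and still negotiate only TLS 1.2, because the RESTRICTED profile offers no cipher suites for older protocol versions. The following evaluator is an added example written in Python rather than RQL; it is not Prisma Cloud's policy logic. It implements the rule as described, keeps the pre-update rule beside it, and reports which existing alerts the update would resolve as Policy_Updated. The default values and the RESTRICTED behaviour are assumptions taken from Google's SSL policy documentation, not from this page, and the sample SSL policies are constructed.

```python
"""Evaluate GCP SSL policies the way the updated policy is described: alert on
minTlsVersion TLS 1.1 or lower, except when the profile is RESTRICTED.
Added example, not Prisma Cloud's RQL.

Assumptions from Google's SSL policy documentation (not from this page):
an unset minTlsVersion defaults to TLS_1_0, an unset profile defaults to
COMPATIBLE, and the RESTRICTED profile only offers TLS 1.2+ cipher suites,
which is why the CIS benchmark excludes it.
"""
WEAK_TLS_VERSIONS = {"TLS_1_0", "TLS_1_1"}


def weak_min_tls(ssl_policy: dict) -> bool:
    """Pre-update rule: any weak minTlsVersion alerts, whatever the profile."""
    return ssl_policy.get("minTlsVersion", "TLS_1_0") in WEAK_TLS_VERSIONS


def is_violation(ssl_policy: dict) -> bool:
    """Updated rule: RESTRICTED profiles cannot negotiate below TLS 1.2, so
    their minTlsVersion value is not a finding."""
    if ssl_policy.get("profile", "COMPATIBLE") == "RESTRICTED":
        return False
    return weak_min_tls(ssl_policy)


def evaluate(ssl_policies: list[dict]) -> dict[str, list[str]]:
    """Return policy names that alert, that pass, and those whose existing
    alert would be resolved as Policy_Updated when the rule changes."""
    result: dict[str, list[str]] = {"alert": [], "pass": [], "resolved_policy_updated": []}
    for pol in ssl_policies:
        name = pol["name"]
        if is_violation(pol):
            result["alert"].append(name)
        else:
            result["pass"].append(name)
            # Alerted under the old rule, not under the new one.
            if weak_min_tls(pol):
                result["resolved_policy_updated"].append(name)
    return result


# Constructed sample resources; field names follow compute.sslPolicies.
SAMPLE_SSL_POLICIES = [
    {"name": "compat-tls10", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
    {"name": "modern-tls12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    {"name": "restricted-tls11", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_1"},
    {"name": "custom-tls11", "profile": "CUSTOM", "minTlsVersion": "TLS_1_1"},
    {"name": "all-defaults"},  # no fields set: effectively COMPATIBLE / TLS_1_0
]

if __name__ == "__main__":
    for bucket, names in evaluate(SAMPLE_SSL_POLICIES).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Note that the CUSTOM profile is not exempt: it can include cipher suites usable with TLS 1.0 and 1.1, so a weak minTlsVersion there is a real finding, which is why only RESTRICTED is carved out.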
API Ingestions
The following API ingestion updates are planned for Prisma Cloud in 22.6.3:
Service | API Details |
---|---|
API Ingestions | Amazon Connect aws-connect-instance. Additional permissions required: |
| Amazon EventBridge aws-events-rule. Additional permissions required: The Security Audit role includes these permissions. |
| Amazon Pinpoint aws-pinpoint-email-channel. Additional permissions required: |
| Amazon Pinpoint aws-pinpoint-sms-channel. Additional permissions required: |
| Azure Synapse Analytics azure-synapse-privatelinkhub-privatelinkresource. Additional permission required: The Reader role includes this permission. |
| Azure Synapse Analytics azure-synapse-privatelinkhub. Additional permission required: The Reader role includes this permission. |
| Azure Synapse Analytics azure-synapse-privatelinkresource. Additional permissions required: The Reader role includes these permissions. |
| Google Cloud IAM gcloud-iam-organization-deny-policy. Additional permissions required: The Viewer role includes these permissions. |
| Google Cloud IAM gcloud-iam-project-deny-policy. Additional permissions required: The Viewer role includes these permissions. |
| Google Security Command Center gcloud-security-command-center-organization-setting. Additional permission required: The Viewer role includes this permission. |
| Google Security Command Center gcloud-security-command-center-organization-notification-config. Additional permission required: The Viewer role includes this permission. |
| Google Security Command Center gcloud-security-command-center-organization-mute-config. Additional permission required: The Viewer role includes this permission. |
| OCI Web Application Firewall oci-waf-networkaddresslist. Additional permissions required: You must add the permissions manually. |
| OCI Web Application Firewall oci-waf-waaspolicy. Additional permissions required: You must add the permissions manually. |
Update Google Compute Engine API | Google Compute Engine gcloud-ssl-certificate. This API will be updated to remove the following fields in the resource JSON: |
Deprecation Notices
Deprecation Notice | Description |
---|---|
Deprecation of redlock.io domain | The replacement of the redlock.io domain name with prismacloud.io was first announced in July 2019. The redirect from redlock.io to prismacloud.io will now be removed. If you have any SSO configuration or automation scripts referencing the redlock.io domain, update them before June 30, 2022 to prevent disruptions to your users. After June 30, 2022, the redlock.io domain will be phased out. |
Prisma Cloud CSPM REST API for Alerts | Some Alert API request parameters and response object properties are now deprecated. Query parameter risk.grade is deprecated for the following requests: Request body parameter risk.grade is deprecated for the following requests: Response object property riskDetail is deprecated for the following requests: Response object property risk.grade.options is deprecated for the following request: |
Grant permissions for Ingesting Google Workspace Groups
To grant the Prisma Cloud Service Account permissions to ingest data on groups from Google Workspace (GSuite), you must have administrator access to Google Workspace (GSuite) so that you can grant the Prisma Cloud Service Account either the predefined role Group Reader or a custom role with the groups:read permission (https://admin.google.com/u/1/ac/roles).
- Log in to Workspace.
- Create a new custom role or use the predefined Group Reader role.
- Assign the role to the Prisma Cloud service account.