1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Look Ahead—Planned Updates on Prisma Cloud

    Look Ahead—Planned Updates on Prisma Cloud

    Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
    Read this section to learn about what is planned to be included in the next release. Note that the details and functionality listed below are a preview and the actual release date is subject to change.

    Policy Updates

    The policy updates planned for release in the next release.
    Get the JSON file and review the policy changes on GitHub-Policy Updates by Release. You can also review the changelog.
    New Policies and Policy Updates
    New Policies
    Azure Container registries Public access to All networks is enabled
    Identifies Azure Container registries that are enabled for Public access to all networks.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-registry' AND json.rule = ((properties.publicNetworkAccess equals Enabled and properties.networkRuleSet does not exist) or (properties.publicNetworkAccess equals Enabled and properties.networkRuleSet exists and properties.networkRuleSet.defaultAction equals Allow))
    Azure Function App authentication is off
    Identifies Azure Function Apps that have authentication disabled.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
    Azure Function App client certificate is disabled
    Identifies Azure Function Apps on which client certificates are disabled. 
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
    Azure Function App doesn't have a Managed Service Identity
    Identifies Azure Function Apps which do not have a Managed Service Identity.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
    Azure Function App doesn't use HTTP 2.0
    Identifies Azure Function Apps which does not use HTTP 2.0. 
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
    Azure Function App doesn't use latest TLS version
    Identifies Azure Function Apps which do not use the latest TLS version.
    Azure Function App doesn't redirect HTTP to HTTPS
    Identifies Azure Function Apps which do not redirect HTTP to HTTPS.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
    Policy Updates—RQL and Metadata
    AWS Default Security Group does not restrict all traffic
    This policy description has been updated.
    Impact
    —None. Does not affect any existing alerts for the policy.
    The following Azure App Service policies have updated RQL that monitors the Azure webapp only, and excludes Azure Function apps:
    Impact
    —All open alerts for Azure Function apps that were triggered by these policies will be marked as
    Resolved
    .
    • Azure App Service Web app authentication is off
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.siteAuthEnabled equals false'
    • Azure App Service Web app doesn't use latest TLS version
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.minTlsVersion does not equal 1.2'
    • Azure App Service Web app client certificate is disabled
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.clientCertEnabled equals false'
    • Azure App Service Web app doesn't have a Managed Service Identity
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)
    • Azure App Service Web app doesn't redirect HTTP to HTTPS
      Updated RQL
      config from cloud.resource where cloud.type
= 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind
starts with app and properties.httpsOnly equals false'
    • Azure App Service Web app doesn't use HTTP 2.0
      Updated RQL
      
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.http20Enabled equals false'
    The following policies have been updated to remove the em dash
     in the description or recommendation because it caused encoding issues when viewing CSV files in some text editors.
    • Azure Load Balancer diagnostics logs are disabled
    • Azure SQL Server advanced data security does not send alerts to service and co-administrators
    • AWS RDS database not encrypted using Customer Managed Key
    Impact
    —None. Does not affect any existing alerts for the policy.
    The following policies have updated RQL:
    • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
    • GCP VM instances with excessive service account permissions
    • GCP VM instances have IP Forwarding enabled
    The RQL is updated to filter out GKE instances and will no longer generate alerts for GKE instances, for which you cannot configure automated remediation.
    Impact
    —All open alerts for GKE instances that were triggered by these policies will be marked as
    Resolved
    .
    Deleted Policies
    The following policies will be deleted because the
    gcloud-api-key
     has been removed on the Google Cloud Platform.
    • GCP API key not rotating in every 90 days
    • GCP API key not restricting any specific API
    Impact
    —All open alerts triggered by these policies will marked as
    Resolved
    .

    API Ingestion

    The following Cloud Service Provider APIs are planned for ingestion on Prisma Cloud in 21.3.1:
    Service
    API Details
    Azure Active Directory
    azure-active-directory-group-members
    Additional permissions required: 
    GroupMember.Read.All
    Group.Read.All
    Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
    Azure Active Directory
    azure-active-directory-authorization-policy
    Additional permissions required: 
    Policy.Read.All
    Google Access Context Manager
    gcloud-access-policy
    Additional permission required:
    accesscontextmanager.policies.list
    This permission is part of the Project Viewer role, and is required to reduce the error rate for this API on GCP.
    Google Web Security Scanner
    gcloud-web-security-scan-config
    Additional permission required:
    cloudsecurityscanner.scans.list
    This permission is a part of the Web Security Scanner Viewer role.
    Google Compute Engine
    gcloud-compute-addresses
    Additional permission required:
    compute.addresses.list
    This permission is part of the Viewer role.

    Deprecation Notice

    Deprecation Notice
    Deprecation Notice—Prisma Cloud CLI
    The Prisma Cloud CLI is being deprecated.
    Deprecation Notice—RQL query format
    The
    config where
    ,
    event where
     and
    network where
     query format is being deprecated.
    • Replace
      config where <rest of the query>
       with
      config from cloud.resource where <rest of the query>
    • Replace
      event where <rest of the query>
       with
      event from cloud.audit_logs where <rest of the query>
    • Replace
      network where <rest of the query>
       with
      network from vpc.flow_records where <rest of the query>
    To give you time to get used to the language changes, RQL statements will work with the older syntax. When creating new queries or saved searches, use the new query format, because the older syntax will be removed in a future release.
    Prisma Cloud Public REST APIs for Alerts
    Some Alert API request parameters and response object fields are now deprecated.
    Query parameter
    risk.grade
     is deprecated for the following requests:
    • GET /alert
    • GET /v2/alert
    • GET /alert/policy
    Request body parameter
    risk.grade
     is deprecated for the following requests:
    • POST /alert
    • POST /v2/alert
    • POST /alert/policy
    Response object field
    riskDetail
    is deprecated for the following requests:
    • GET /alert
    • POST /alert
    • GET /alert/policy
    • POST /alert/policy
    • GET /alert/{id}
    • GET /v2/alert
    • POST /v2/alert
    Response object field
    risk.grade.options
     is deprecated for the following request:
    • GET /filter/alert/suggest
    Prisma Cloud Public REST APIs for IaC Scan
    Version 1 of the IaC Scan REST APIs is deprecated and will continue to be supported until January 31, 2021. The deprecated APIs are:
    • POST /iac/tf/v1/scan
    • POST /iac/cft/v1/scan
    • POST /iac/k8s/v1/scan
    • POST /iac_scan

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo