Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned to be included in the next release. Note that the details and functionality listed below are a preview and the actual release date is subject to change.

Policy Updates

The following policy updates are planned for the next release.
Get the JSON file and review the policy changes on GitHub (Policy Updates by Release). You can also review the changelog.
New Policies and Policy Updates
New Policies
Azure Container registries Public access to All networks is enabled
Identifies Azure Container Registries that have public access enabled for all networks.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-registry' AND json.rule = ((properties.publicNetworkAccess equals Enabled and properties.networkRuleSet does not exist) or (properties.publicNetworkAccess equals Enabled and properties.networkRuleSet exists and properties.networkRuleSet.defaultAction equals Allow))
Azure Function App authentication is off
Identifies Azure Function Apps that have authentication disabled.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
Azure Function App client certificate is disabled
Identifies Azure Function Apps on which client certificates are disabled.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
Azure Function App doesn't have a Managed Service Identity
Identifies Azure Function Apps which do not have a Managed Service Identity.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
Azure Function App doesn't use HTTP 2.0
Identifies Azure Function Apps which do not use HTTP 2.0.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
Azure Function App doesn't use latest TLS version
Identifies Azure Function Apps which do not use the latest TLS version.
Azure Function App doesn't redirect HTTP to HTTPS
Identifies Azure Function Apps which do not redirect HTTP to HTTPS.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
Policy Updates—RQL and Metadata
AWS Default Security Group does not restrict all traffic
This policy description has been updated.
Impact—None. Does not affect any existing alerts for the policy.
The following Azure App Service policies have updated RQL that monitors the Azure webapp only, and excludes Azure Function apps:
Impact—All open alerts for Azure Function apps that were triggered by these policies will be marked as Resolved.
  • Azure App Service Web app authentication is off
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.siteAuthEnabled equals false'
  • Azure App Service Web app doesn't use latest TLS version
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.minTlsVersion does not equal 1.2'
  • Azure App Service Web app client certificate is disabled
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.clientCertEnabled equals false'
  • Azure App Service Web app doesn't have a Managed Service Identity
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
  • Azure App Service Web app doesn't redirect HTTP to HTTPS
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.httpsOnly equals false'
  • Azure App Service Web app doesn't use HTTP 2.0
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.http20Enabled equals false'
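To see how the kind filter moves alerts between the updated Web app policies and the new Function App policies, here is an added example (not Prisma Cloud code) that evaluates the "authentication is off" rule in both forms against constructed azure-app-service resources. It assumes, as the note implies, that the pre-update rule had no kind filter.

```python
# Added example, not Prisma Cloud code: a minimal evaluator for the two RQL
# operators this note hinges on ("kind starts with app" vs
# "kind contains functionapp"), applied to constructed sample resources.

# Constructed sample resources in the shape the json.rule predicates read.
SAMPLE_RESOURCES = [
    {"name": "web-prod", "kind": "app", "config": {"siteAuthEnabled": False}},
    {"name": "web-linux", "kind": "app,linux", "config": {"siteAuthEnabled": False}},
    {"name": "fn-prod", "kind": "functionapp", "config": {"siteAuthEnabled": False}},
    {"name": "fn-linux", "kind": "functionapp,linux", "config": {"siteAuthEnabled": True}},
    {"name": "web-ok", "kind": "app", "config": {"siteAuthEnabled": True}},
]

def old_webapp_auth_off(r):
    """Assumed pre-update rule: no kind filter, so function apps alerted too."""
    return r.get("config", {}).get("siteAuthEnabled") is False

def webapp_auth_off(r):
    """Updated RQL: kind starts with app and config.siteAuthEnabled equals false."""
    return r.get("kind", "").startswith("app") and old_webapp_auth_off(r)

def functionapp_auth_off(r):
    """New policy: kind contains functionapp and config.siteAuthEnabled equals false."""
    return "functionapp" in r.get("kind", "") and old_webapp_auth_off(r)

def alert_transition(resources):
    """Report which resources lose, keep, or gain an alert after the update."""
    before = {r["name"] for r in resources if old_webapp_auth_off(r)}
    after_web = {r["name"] for r in resources if webapp_auth_off(r)}
    after_fn = {r["name"] for r in resources if functionapp_auth_off(r)}
    return {
        "resolved_on_webapp_policy": sorted(before - after_web),
        "still_open_on_webapp_policy": sorted(before & after_web),
        "opened_on_functionapp_policy": sorted(after_fn),
    }

if __name__ == "__main__":
    for key, names in alert_transition(SAMPLE_RESOURCES).items():
        print(f"{key}: {names}")
```

Note that "app,linux" still matches "starts with app", so Linux web apps stay on the Web app policy, while "functionapp" does not, which is why those alerts are marked Resolved and reappear under the new Function App policy.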
The following policies have been updated to remove the em dash in the description or recommendation because it caused encoding issues when viewing CSV files in some text editors.
  • Azure Load Balancer diagnostics logs are disabled
  • Azure SQL Server advanced data security does not send alerts to service and co-administrators
  • AWS RDS database not encrypted using Customer Managed Key
Impact—None. Does not affect any existing alerts for the policy.
The following policies have updated RQL:
  • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
  • GCP VM instances with excessive service account permissions
  • GCP VM instances have IP Forwarding enabled
The RQL is updated to filter out GKE instances and will no longer generate alerts for GKE instances, for which you cannot configure automated remediation.
Impact—All open alerts for GKE instances that were triggered by these policies will be marked as Resolved.
Deleted Policies
The following policies will be deleted because the gcloud-api-key API has been removed on the Google Cloud Platform.
  • GCP API key not rotating in every 90 days
  • GCP API key not restricting any specific API
Impact—All open alerts triggered by these policies will be marked as Resolved.

API Ingestion

The following Cloud Service Provider APIs are planned for ingestion on Prisma Cloud in 21.3.1:
  • Azure Active Directory: azure-active-directory-group-members
    Additional permissions required: GroupMember.Read.All, Group.Read.All
    Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
  • Azure Active Directory: azure-active-directory-authorization-policy
    Additional permission required: Policy.Read.All
  • Google Access Context Manager: gcloud-access-policy
    Additional permission required: accesscontextmanager.policies.list
    This permission is part of the Project Viewer role, and is required to reduce the error rate for this API on GCP.
  • Google Web Security Scanner: gcloud-web-security-scan-config
    Additional permission required: cloudsecurityscanner.scans.list
    This permission is part of the Web Security Scanner Viewer role.
  • Google Compute Engine: gcloud-compute-addresses
    Additional permission required: compute.addresses.list
    This permission is part of the Viewer role.

Deprecation Notice

Deprecation Notice—Prisma Cloud CLI
The Prisma Cloud CLI is being deprecated.
Deprecation Notice—RQL query format
The config where, event where and network where query formats are being deprecated.
  • Replace
    config where <rest of the query>
    with
    config from cloud.resource where <rest of the query>
  • Replace
    event where <rest of the query>
    with
    event from cloud.audit_logs where <rest of the query>
  • Replace
    network where <rest of the query>
    with
    network from vpc.flow_records where <rest of the query>
To give you time to adopt the language change, RQL statements written in the older syntax will continue to work. When creating new queries or saved searches, use the new query format, because the older syntax will be removed in a future release.
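An added example (not Prisma Cloud tooling) that rewrites saved searches still using the deprecated prefixes into the new "<type> from <source> where" form listed above; the three source names are taken from the replacements in this note, and the sample searches are constructed.

```python
# Added example, not Prisma Cloud tooling: migrate legacy RQL prefixes
# ("config where", "event where", "network where") to the new format.
import re

# Legacy prefix -> default source, as given in the deprecation notice.
LEGACY_SOURCES = {
    "config": "cloud.resource",
    "event": "cloud.audit_logs",
    "network": "vpc.flow_records",
}

# Matches "config where ..." at the start of a query (case-insensitive,
# leading whitespace allowed); a query already using "config from ..."
# does not match and is left unchanged.
_LEGACY_RE = re.compile(
    r"^\s*(config|event|network)\s+where\b(.*)$", re.IGNORECASE | re.DOTALL
)

def is_legacy_rql(query: str) -> bool:
    """True if the query still uses a deprecated prefix."""
    return _LEGACY_RE.match(query) is not None

def migrate_rql(query: str) -> str:
    """Return the query in the new format; already-migrated queries pass through."""
    m = _LEGACY_RE.match(query)
    if not m:
        return query.strip()
    kind = m.group(1).lower()
    rest = m.group(2)
    return f"{kind} from {LEGACY_SOURCES[kind]} where{rest}".strip()

def migrate_saved_searches(searches):
    """Rewrite each {'name', 'query'} dict in place; return names that changed."""
    changed = []
    for s in searches:
        new_query = migrate_rql(s["query"])
        if new_query != s["query"].strip():
            changed.append(s["name"])
        s["query"] = new_query
    return changed

if __name__ == "__main__":
    # Constructed sample saved searches, not real tenant data.
    demo = [
        {"name": "public-acr", "query": "config where api.name = 'azure-container-registry'"},
        {"name": "console-logins", "query": "event where operation = 'ConsoleLogin'"},
        {"name": "already-new", "query": "network from vpc.flow_records where bytes > 0"},
    ]
    print(migrate_saved_searches(demo))
    for s in demo:
        print(s["query"])
```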
Prisma Cloud Public REST APIs for Alerts
Some Alert API request parameters and response object fields are now deprecated.
Query parameter
risk.grade
is deprecated for the following requests:
  • GET /alert
  • GET /v2/alert
  • GET /alert/policy
Request body parameter
risk.grade
is deprecated for the following requests:
  • POST /alert
  • POST /v2/alert
  • POST /alert/policy
Response object field
riskDetail
is deprecated for the following requests:
  • GET /alert
  • POST /alert
  • GET /alert/policy
  • POST /alert/policy
  • GET /alert/{id}
  • GET /v2/alert
  • POST /v2/alert
Response object field
risk.grade.options
is deprecated for the following request:
  • GET /filter/alert/suggest
Prisma Cloud Public REST APIs for IaC Scan
Version 1 of the IaC Scan REST APIs is deprecated and will continue to be supported until January 31, 2021. The deprecated APIs are:
  • POST /iac/tf/v1/scan
  • POST /iac/cft/v1/scan
  • POST /iac/k8s/v1/scan
  • POST /iac_scan