Prisma Cloud Release Notes, Features Introduced in 20.10.2, October 2020
Features Introduced in 20.10.2

New Features

Feature: Support for CIS GKE v.1.1.0
Description: Compliance support for the CIS Google Kubernetes Engine Foundation Benchmark v.1.1.0 is added, including checks for services such as Control Plane Components/Configuration, Worker Nodes Policies, and Managed Services.

Feature: Support for NIST 800-53 Rev 5
Description: Prisma Cloud has updated the mappings and controls for National Institute of Standards and Technology (NIST) 800-53 Revision 5 for the Alibaba Cloud, AWS, Azure, and GCP clouds.

Feature: Updates to NIST 800-53 Rev 4
Description: NIST 800-53 Rev 4 is updated to add support for Alibaba Cloud and includes over 300 policies that check for compliance against the framework.

Feature: Support for Multi Level Protection Scheme v2.0
Description: Prisma Cloud adds compliance checks for Multi Level Protection Scheme (MLPS) v2.0, which network operators in Mainland China must follow to fulfil the cybersecurity obligations laid out by the Chinese Ministry of Public Security (MPS). The framework includes policies that verify compliance on AWS, Azure, and Alibaba Cloud resources deployed in Mainland China regions.

Feature: ServiceNow Integration Support for Paris
Description: Prisma Cloud supports the ServiceNow integration with the Paris release.

Feature: Adjustable Scan Quota for Prisma Cloud Data Security
Description: The scan quota for data stored in AWS S3 buckets is set to 10TB per tenant. If you have a large volume of data in AWS buckets monitored by Prisma Cloud, this limit lets you manage how many Prisma Cloud credits you spend on data security. To change the scan quota for your Prisma Cloud tenant, contact Prisma Cloud customer support.

Feature: Enhancements for Prisma Cloud IaC Scan
Description: The Prisma Cloud IaC scan service now has API version 2, which lets you scan templates against policies and display scan results asynchronously, for a better user experience. All existing plugins will be updated to support IaC Scan API v2. IaC Scan API v1 is deprecated and will continue to work until January 31, 2021. For more information, see REST API Updates.
API Ingestion

AWS WAF
  aws-waf-classic-global-web-acl-resource
  Additional permissions required:
    "waf:ListWebACLs" is included with the Security Audit policy.
    You must add the following permissions to a custom role:
    "waf:GetWebACL"
    "waf:ListTagsForResource"
    "waf:GetLoggingConfiguration"

Azure SQL Database
  azure-sql-server-list
  The API is updated to include more properties for firewallRules.

Google Compute Engine
  gcloud-compute-vpn-tunnel
  Additional permission required: compute.vpnTunnels.list
  This permission is included in the predefined Compute Network Viewer role.

Google Cloud Spanner
  gcloud-cloud-spanner-instance-config
  Additional permission required: spanner.instanceConfigs.list
  This permission is included in the predefined Compute Security Admin and Cloud Spanner Viewer roles.
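The AWS WAF entry above splits the required permissions between the managed Security Audit policy and a custom role, which is exactly where onboarding gaps appear: one action left out of the custom role and the ingestion silently returns nothing. The following is an added example (not Prisma Cloud code, and not the AWS policy simulator) that checks whether a set of IAM policy documents names every action an ingestion needs, honouring IAM's case-insensitive `*`/`?` wildcards and explicit Deny statements. The policy documents are constructed: `SECURITY_AUDIT_SUBSET` is a stand-in for the managed policy carrying only the one action the page says it covers, and the two custom policies are hypothetical.

```python
import fnmatch
import json

# Permissions the release notes list for aws-waf-classic-global-web-acl-resource.
REQUIRED_WAF_ACTIONS = [
    "waf:ListWebACLs",              # page: included with the Security Audit policy
    "waf:GetWebACL",                # page: must be added to a custom role
    "waf:ListTagsForResource",
    "waf:GetLoggingConfiguration",
]

# Constructed stand-in for the AWS-managed SecurityAudit policy: only the one
# action the page attributes to it. The real managed policy is far larger.
SECURITY_AUDIT_SUBSET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "waf:ListWebACLs", "Resource": "*"}],
}

# Constructed custom policy that forgot one of the three additional actions.
CUSTOM_POLICY_INCOMPLETE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["waf:GetWebACL", "waf:ListTagsForResource"],
     "Resource": "*"}
  ]
}
""")

# The same custom policy with the missing action added.
CUSTOM_POLICY_FIXED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["waf:GetWebACL", "waf:ListTagsForResource",
                "waf:GetLoggingConfiguration"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Statement and Action be either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(action, pattern):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_patterns(policy_doc):
    """Split a policy document into (allow_patterns, deny_patterns)."""
    allow, deny = [], []
    for stmt in _as_list(policy_doc.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action")))
    return allow, deny


def missing_actions(required, *policy_docs):
    """Required actions that no Allow covers, or that an explicit Deny blocks.

    Only the Action element is evaluated; NotAction, Resource and Condition are
    ignored, so an empty result means "the actions are named", not "the role is
    least privilege" or "the call will succeed against every resource".
    """
    allow, deny = [], []
    for doc in policy_docs:
        a, d = statement_patterns(doc)
        allow.extend(a)
        deny.extend(d)
    missing = []
    for action in required:
        allowed = any(action_matches(action, p) for p in allow)
        denied = any(action_matches(action, p) for p in deny)
        if denied or not allowed:
            missing.append(action)
    return missing


def wildcard_grants(*policy_docs):
    """Allow patterns containing a wildcard; worth a look when trimming a role."""
    return [p for doc in policy_docs
            for p in statement_patterns(doc)[0] if "*" in p or "?" in p]


if __name__ == "__main__":
    print("incomplete role is missing:",
          missing_actions(REQUIRED_WAF_ACTIONS, SECURITY_AUDIT_SUBSET, CUSTOM_POLICY_INCOMPLETE))
    print("fixed role is missing:",
          missing_actions(REQUIRED_WAF_ACTIONS, SECURITY_AUDIT_SUBSET, CUSTOM_POLICY_FIXED))
```

Run it as a script and the incomplete role reports `waf:GetLoggingConfiguration` as missing while the fixed role reports nothing. The same function applied to the GCP entries works the way IAM roles are usually audited: list the predefined role's permissions with `gcloud iam roles describe` and compare against the page's `compute.vpnTunnels.list` and `spanner.instanceConfigs.list`.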
Update: For Google Compute Engine APIs, Prisma Cloud now retrieves data on the action that allows or denies traffic to your VM instances based on VPC firewall rules. This information is displayed in the Resource Explorer.

Update: Investigate Link for Configuration Alerts is Removed
For alerts generated against configuration policies that identify access to cloud resources based on unrestricted access or unattached security group configuration, the Investigate button is removed.

Update: Labels Used in Azure Account Onboarding
When you add an Azure account on Prisma Cloud, the labels in the onboarding flow have been updated as follows:
  • Application ID is now Application (Client) ID
  • Application Key is now Application Client Secret
  • Service Principal Object ID is now Enterprise Application Object ID
  • Tenant ID for your Azure Active Directory is now Directory (Tenant) ID

New Policy and Policy Updates

New Policies
36 new Anomaly policies for the Network sub type are based on AutoFocus threat feed information. These policies correspond to 18 AutoFocus threat tag groups, such as Worm and Botnet. Each threat tag group introduces two policies, external and internal, to detect malicious activity initiated from an internal source on your network or from an external source.

Policy Updates—RQL and Metadata
The following policies are updated:
GCP VM instances have block project-wide SSH keys feature disabled
Updated RQL—The RQL has been updated to config where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "block-project-ssh-keys" and (value contains "true" or value contains "TRUE" or value contains "1"))] does not exist as X; config where api.name = 'gcloud-compute-instances-list' AND json.rule = metadata.items[*].key does not exist or metadata.items[?any(key does not contain "block-project-ssh-keys")] exists as Y; filter ' $.Y.zone contains $.X.name'; show Y;
With this change, the policy identifies Google Compute Engine instances that allow the use of project-wide SSH keys instead of requiring instance-level SSH keys.
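The updated RQL above joins two resource types: the project (`gcloud-compute-project-info`, checked for a `block-project-ssh-keys` value of true/TRUE/1 in `commonInstanceMetadata`) and its instances (`gcloud-compute-instances-list`), tied together by the project name in the instance's zone. The following is an added example, not Prisma Cloud code or its RQL engine, that evaluates the same intent over constructed resource JSON: an instance is reported when its effective `block-project-ssh-keys` setting is not true. It assumes GCE's usual metadata precedence (an instance-level value overrides the project-level one, an instance with no value inherits the project's), which is an assumption stated in the code; the project and instance objects are constructed samples.

```python
# Values the page's RQL accepts as "blocked": "true", "TRUE" or "1".
BLOCK_VALUES = {"true", "1"}
BLOCK_KEY = "block-project-ssh-keys"

# Constructed samples shaped like the two APIs the RQL joins:
# gcloud-compute-project-info (commonInstanceMetadata) and
# gcloud-compute-instances-list (metadata). Not real API output.
PROJECT_OPEN = {
    "name": "demo-project",
    "commonInstanceMetadata": {"kind": "compute#metadata", "items": [
        {"key": "enable-oslogin", "value": "FALSE"},
    ]},
}
PROJECT_BLOCKED = {
    "name": "demo-project",
    "commonInstanceMetadata": {"kind": "compute#metadata", "items": [
        {"key": BLOCK_KEY, "value": "TRUE"},
    ]},
}
INSTANCES = [
    {"name": "vm-no-metadata",
     "zone": "projects/demo-project/zones/us-central1-a",
     "metadata": {"kind": "compute#metadata"}},
    {"name": "vm-blocked",
     "zone": "projects/demo-project/zones/us-central1-a",
     "metadata": {"kind": "compute#metadata",
                  "items": [{"key": BLOCK_KEY, "value": "true"}]}},
    {"name": "vm-opted-out",
     "zone": "projects/demo-project/zones/us-central1-b",
     "metadata": {"kind": "compute#metadata",
                  "items": [{"key": BLOCK_KEY, "value": "false"}]}},
]


def metadata_value(metadata, key):
    """Return the value stored under key in a GCE metadata object, or None."""
    for item in metadata.get("items") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def blocks_project_keys(value):
    """True when a metadata value turns project-wide SSH keys off."""
    return value is not None and value.strip().lower() in BLOCK_VALUES


def instances_allowing_project_ssh_keys(project, instances):
    """Names of instances whose effective block-project-ssh-keys is not true.

    Assumption (GCE metadata precedence): an instance-level value overrides the
    project-level value, and an instance without the key inherits the project's.
    Instances belong to the project when its name appears in their zone URL,
    mirroring the RQL filter '$.Y.zone contains $.X.name'.
    """
    project_blocks = blocks_project_keys(
        metadata_value(project.get("commonInstanceMetadata", {}), BLOCK_KEY))
    findings = []
    for inst in instances:
        if project["name"] not in inst.get("zone", ""):
            continue
        inst_value = metadata_value(inst.get("metadata", {}), BLOCK_KEY)
        if inst_value is not None:
            effective = blocks_project_keys(inst_value)
        else:
            effective = project_blocks
        if not effective:
            findings.append(inst["name"])
    return findings


if __name__ == "__main__":
    print("project open:   ", instances_allowing_project_ssh_keys(PROJECT_OPEN, INSTANCES))
    print("project blocked:", instances_allowing_project_ssh_keys(PROJECT_BLOCKED, INSTANCES))
```

One difference from the page's RQL is worth knowing when you compare alert counts: the RQL drops every instance of a project that blocks project keys at the project level, whereas this evaluator still reports an instance that explicitly sets the key to `false` under such a project, because the instance-level value wins.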
 
Azure Network Security Group allows FTP (TCP Port 21)
Updated Name—
Azure Network Security Group allows all traffic on FTP (TCP Port 21)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(21,21) or destinationPortRanges[*] contains _Port.inRange(21,21) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
Updated Name—
Azure Network Security Group allows all traffic on SSH port 22
Updated RQL—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationPortRange contains _Port.inRange(22,22) or destinationPortRanges[*] contains _Port.inRange(22,22) ))] exists
 
Azure Network Security Group allows Telnet (TCP Port 23)
Updated Name: 
Azure Network Security Group allows all traffic on Telnet (TCP Port 23)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(23,23) or destinationPortRanges[*] contains _Port.inRange(23,23) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows SMTP (TCP Port 25)
Updated Name—
Azure Network Security Group allows all traffic on SMTP (TCP Port 25)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(25,25) or destinationPortRanges[*] contains _Port.inRange(25,25) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows DNS (UDP Port 53)
Updated Name—
Azure Network Security Group allow all traffic on DNS (UDP Port 53)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(53,53) or destinationPortRanges[*] contains _Port.inRange(53,53) ))] exists
 
Azure Network Security Group allows DNS (TCP Port 53)
Updated Name—
Azure Network Security Group allow all traffic on NetBios DNS (TCP Port 53)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(53,53) or destinationPortRanges[*] contains _Port.inRange(53,53) ))] exists
 
Azure Network Security Group allows Windows RPC (TCP Port 135)
Updated Name—
Azure Network Security Group allows all traffic on Windows RPC (TCP Port 135)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(135,135) or destinationPortRanges[*] contains _Port.inRange(135,135) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows NetBIOS (UDP Port 137)
Updated Name—
Azure Network Security Group allows all traffic on NetBIOS (UDP Port 137)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(137,137) or destinationPortRanges[*] contains _Port.inRange(137,137) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows NetBIOS (UDP Port 138)
Updated Name—
Azure Network Security Group allow all traffic on NetBIOS (UDP Port 138)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(138,138) or destinationPortRanges[*] contains _Port.inRange(138,138) ))] exists
 
Azure Network Security Group allows Windows SMB (TCP Port 445)
Updated Name—
Azure Network Security Group allow all traffic on Windows SMB (TCP Port 445)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(445,445) or destinationPortRanges[*] contains _Port.inRange(445,445) ))] exists
 
Azure Network Security Group allows CIFS (UDP Port 445)
Updated Name—
Azure Network Security Group allow all traffic on CIFS (UDP Port 445)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(445,445) or destinationPortRanges[*] contains _Port.inRange(445,445) ))] exists
 
Azure Network Security Group allows SQL Server (TCP Port 1433)
Updated Name—
Azure Network Security Group allows all traffic on SQL Server (TCP Port 1433)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(1433,1433) or destinationPortRanges[*] contains _Port.inRange(1433,1433) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
Updated Name—
Azure Network Security Group allow all traffic on SQL Server (UDP Port 1434)
RQL Update—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(1434,1434) or destinationPortRanges[*] contains _Port.inRange(1434,1434) ))] exists
 
Azure Network Security Group allows MySQL (TCP Port 3306)
Updated Name—
Azure Network Security Group allows all traffic on MySQL (TCP Port 3306)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(3306,3306) or destinationPortRanges[*] contains _Port.inRange(3306,3306) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group (NSG) allows traffic from internet on port 3389
Updated Name—
Azure Network Security Group allow all traffic on RDP Port 3389
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationPortRange contains _Port.inRange(3389,3389) or destinationPortRanges[*] contains _Port.inRange(3389,3389) ))] exists
 
Azure Network Security Group allows MSQL (TCP Port 4333)
Updated Name—
Azure Network Security Group allows all traffic on MSQL (TCP Port 4333)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(4333,4333) or destinationPortRanges[*] contains _Port.inRange(4333,4333) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows PostgreSQL (TCP Port 5432)
Updated Name—
Azure Network Security Group allows all traffic on PostgreSQL (TCP Port 5432)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5432,5432) or destinationPortRanges[*] contains _Port.inRange(5432,5432) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group allows VNC Listener (TCP Port 5500)
Updated Name—
Azure Network Security Group allow all traffic on VNC Listener (TCP Port 5500)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5500,5500) or destinationPortRanges[*] contains _Port.inRange(5500,5500) ))] exists
 
Azure Network Security Group allows VNC Server (TCP Port 5900)
Updated Name—
Azure Network Security Group allows all traffic on VNC Server (TCP Port 5900)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5900,5900) or destinationPortRanges[*] contains _Port.inRange(5900,5900) ))] exists
With this change, some alerts may be resolved with the resolution reason Policy Updated, and some alerts may be reopened, depending on the resource configuration.
 
Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic on TCP protocol
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals Tcp and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
 
Azure Network Security Group allow ICMP (Ping)
Updated Name—
Azure Network Security Group allow all traffic on ICMP (Ping)
Updated RQL—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Icmp or protocol equals *) and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
 
Azure Network Security Group with Outbound rule to allow all traffic to any source
Updated Name—
Azure Network Security Group with overly permissive outbound rule.
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Outbound and (sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationAddressPrefix equals * or destinationAddressPrefix equals Internet))] exists
With this update, the policy checks for Network Security Groups with outbound rules that allow traffic to the internet. Because the check now covers outbound rules, the number of alerts generated might increase.
 
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on any protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic on any protocol
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals * and access equals Allow and destinationPortRange contains * and direction equals Inbound)] exists
With this update, the policy will now check for Network Security Groups with inbound rules that allow traffic from the internet to the resources in your Azure VNET.
 
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on UDP protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on UDP protocol
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals Udp and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
 
Azure storage accounts has blob container with public access
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = totalPublicContainers > 0 and (properties.allowBlobPublicAccess is true or properties.allowBlobPublicAccess does not exist)
With this change, the policy checks the public access setting of both the Azure storage account and the blob container.
 
Azure Storage account container storing activity logs is publicly accessible
Updated RQL—The RQL has been updated to
config where api.name = 'azure-storage-account-list' AND json.rule = publicContainersList[*] contains insights-operational-logs and (properties.allowBlobPublicAccess is true or properties.allowBlobPublicAccess does not exist) as X; config where api.name = 'azure-monitor-log-profiles-list' as Y; filter '$.X.id contains $.Y.properties.storageAccountId'; show X;
With this change, the policy checks the public access setting of both the Azure storage account and the container holding the activity logs.
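All of the Network Security Group updates above share one per-rule predicate (Allow, Inbound, an internet-wide `sourceAddressPrefix`, a protocol of Tcp/Udp or `*`, and a destination port range that includes the port, whether stored in `destinationPortRange` or `destinationPortRanges`), and the two storage-account updates share the rule that a missing `allowBlobPublicAccess` counts as public. The following is an added example, not Prisma Cloud code or its RQL engine, that implements those predicates in plain Python so you can reason about why a given rule trips a policy, or replay a suspected false positive against an NSG exported from Azure. The NSG and storage account objects are constructed samples in the flattened shape the RQL addresses; the reading of `_Port.inRange` (a range string of `*` covers every port, and `3300-3310` covers 3306) is my assumption about the policy's intent, noted in the code.

```python
# Source prefixes the page's RQL treats as "the internet".
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0", "::/0"}
TCP_OR_ANY = {"Tcp", "*"}
UDP_OR_ANY = {"Udp", "*"}

# Constructed NSG in the flattened shape the RQL addresses
# (securityRules[*].access, .direction, .sourceAddressPrefix, ...).
SAMPLE_NSG = {
    "name": "web-nsg",
    "securityRules": [
        {"name": "allow-ssh-any", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "protocol": "Tcp", "destinationPortRange": "22"},
        {"name": "allow-db-range", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "Internet", "protocol": "*",
         "destinationPortRanges": ["1433", "3300-3310"]},
        {"name": "allow-rdp-office", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "203.0.113.0/24", "protocol": "Tcp",
         "destinationPortRange": "3389"},
        {"name": "deny-telnet", "access": "Deny", "direction": "Inbound",
         "sourceAddressPrefix": "*", "protocol": "Tcp", "destinationPortRange": "23"},
    ],
}

# (policy name from the page, port, accepted protocols). None means any
# protocol, as in the SSH and RDP queries, which carry no protocol clause.
PORT_CHECKS = [
    ("Azure Network Security Group allows all traffic on SSH port 22", 22, None),
    ("Azure Network Security Group allow all traffic on RDP Port 3389", 3389, None),
    ("Azure Network Security Group allows all traffic on Telnet (TCP Port 23)", 23, TCP_OR_ANY),
    ("Azure Network Security Group allows all traffic on SQL Server (TCP Port 1433)", 1433, TCP_OR_ANY),
    ("Azure Network Security Group allows all traffic on MySQL (TCP Port 3306)", 3306, TCP_OR_ANY),
    ("Azure Network Security Group allow all traffic on DNS (UDP Port 53)", 53, UDP_OR_ANY),
]


def port_range_covers(port_range, port):
    """Does an NSG port range ('*', '22', '3300-3310') include port?
    Assumption: '*' covers every port, which is how the policy intent reads."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = port_range.split("-", 1)
        return int(low) <= port <= int(high)
    return int(port_range) == port


def rule_port_ranges(rule):
    """A rule uses destinationPortRange or destinationPortRanges; collect both."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def rule_exposes_port(rule, port, protocols=None):
    """Mirror of the per-rule predicate inside securityRules[?any(...)]."""
    return (rule.get("access") == "Allow"
            and rule.get("direction") == "Inbound"
            and rule.get("sourceAddressPrefix") in INTERNET_SOURCES
            and (protocols is None or rule.get("protocol") in protocols)
            and any(port_range_covers(r, port) for r in rule_port_ranges(rule)))


def nsg_findings(nsg, checks=PORT_CHECKS):
    """(policy name, offending rule name) for every check that fires."""
    return [(policy, rule["name"])
            for policy, port, protocols in checks
            for rule in nsg.get("securityRules", [])
            if rule_exposes_port(rule, port, protocols)]


# Constructed storage accounts for the two storage policies on the page.
SAMPLE_STORAGE_ACCOUNTS = [
    {"name": "logsacct", "totalPublicContainers": 1, "properties": {}},
    {"name": "lockedacct", "totalPublicContainers": 2,
     "properties": {"allowBlobPublicAccess": False}},
    {"name": "privateacct", "totalPublicContainers": 0,
     "properties": {"allowBlobPublicAccess": True}},
]


def storage_account_blob_public(account):
    """Mirror of: totalPublicContainers > 0 and (allowBlobPublicAccess is true
    or does not exist). An absent property means the platform default applies,
    which the RQL deliberately treats as public."""
    allow = account.get("properties", {}).get("allowBlobPublicAccess")
    return account.get("totalPublicContainers", 0) > 0 and (allow is True or allow is None)


def public_blob_accounts(accounts=SAMPLE_STORAGE_ACCOUNTS):
    return [a["name"] for a in accounts if storage_account_blob_public(a)]


if __name__ == "__main__":
    for policy, rule in nsg_findings(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule '{rule}' trips '{policy}'")
    print("public blob accounts:", public_blob_accounts())
```

On the sample NSG, `allow-ssh-any` trips the SSH policy, `allow-db-range` trips both the SQL Server and MySQL policies (the second via the `3300-3310` range), `allow-rdp-office` is ignored because its source is a specific /24, and `deny-telnet` is ignored because it is a Deny rule. One caveat carries over from the page's queries: they test only `sourceAddressPrefix`, and so does this helper, so a rule whose source is expressed through the list-valued `sourceAddressPrefixes` will not match either; a complete check would look at both fields.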
Policy Deletions
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to all TCP traffic from any source
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to all UDP traffic from any source
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol

REST API Updates

Change: Infrastructure-As-Code (IaC) Scan API Version 2
Description: A new set of Prisma Cloud IaC scan APIs lets you scan templates against policies asynchronously. The asynchronous APIs solve timeout issues, raise the file size limit to 300MB, and add support for Terraform version 0.13.

Change: New Licensing APIs
Description: A new set of Licensing APIs that offers improved performance and scalability is available.
Usage Count by Cloud Type:
  • New: POST /license/api/v1/usage
  • Replaces: POST /usage/cloud_type
Resource Usage Over Time:
  • New: POST /license/api/v1/usage/time_series
  • Replaces: POST /timeline/usage
Get Usage CSV:
  • New: POST /license/api/v1/usage
  • Replaces: POST /v2/usage

Last update: 01-25-2021 10:45 AM