on 01-14-2021 10:06 AM - edited on 02-04-2022 01:37 PM by RPrasadi
FEATURE | DESCRIPTION
---|---
IaC Scan Plugin | Updates to support IaC Scan API v2.
API Ingestion: AWS Data Migration Service | `aws-dms-certificate`. The Security Audit role includes the required permissions.
API Ingestion: AWS Direct Connect | `aws-direct-connect-connection`. The Security Audit role includes the required permissions.
API Ingestion: Azure Virtual Network | `azure-ddos-protection-plan`. Additional permission required: `Microsoft.Network/ddosProtectionPlans/read`. The Reader role includes this permission, and `azure_prisma_cloud_read_only_role.json` will be updated to include it.
API Ingestion: Google Compute Engine | `gcloud-compute-instance-disk-snapshot`. Additional permissions required: `compute.snapshots.list` and `compute.snapshots.getIamPolicy`. The Compute Network Viewer role includes these permissions.
API Ingestion: Google Cloud Source Repositories | `gcloud-cloud-source-repository`. Permissions required: `source.repos.list` and `source.repos.getIamPolicy`. The Project Viewer role and the Source Repository Reader role include these permissions.
FEATURE WITH BEHAVIOR CHANGE | DESCRIPTION
---|---
Alerts on Prisma Cloud | To reduce noise from alerts for accounts that are not actively monitored using Prisma Cloud, when you add a cloud account on Prisma Cloud and then disable it, you can no longer view existing alerts associated with the disabled account on Alerts Overview on Prisma Cloud. Previously, on disabling an account, the alert status—Open, Snoozed, Dismissed, or Resolved—was retained to indicate the last known state, and the Alerts Overview count included these alerts.
NEW POLICIES AND POLICY UPDATES | DESCRIPTION
---|---
New Policies | 
Azure app services remote debugging is enabled | Identifies Azure App Services that have remote debugging enabled, which opens inbound ports on App Services and increases security risk. RQL: `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = config.remoteDebuggingEnabled is true`
Azure virtual machine boot diagnostics disabled | Identifies Azure Virtual Machines with boot diagnostics disabled. Boot diagnostics capture screenshots and console output at virtual machine startup, which helps with troubleshooting a virtual machine that enters a non-bootable state. RQL: `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.diagnosticsProfile'].bootDiagnostics.enabled is false`
Azure virtual machine scale sets boot diagnostics disabled | Identifies Azure Virtual Machine scale sets with boot diagnostics disabled. When boot diagnostics is enabled for the virtual machine, it captures screenshots and console output during virtual machine startup and helps with troubleshooting the virtual machine if it enters a non-bootable state. RQL: `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-virtual-machine-scale-set' AND json.rule = properties.virtualMachineProfile.diagnosticsProfile.bootDiagnostics.enabled is false`
Policy Updates—RQL and Metadata | 
Alibaba Cloud MFA is disabled for RAM user | The RQL has been updated to check the MFA device value so that users with MFA disabled are reported: `config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ram-user' AND json.rule = 'MFADevice is empty'` Impact: Previous alerts will be resolved as Policy_Updated and new alerts will be generated using the revised query.
Alibaba Cloud Security group overly permissive to all traffic | The policy name and description have been updated. The policy checks for inbound rules that allow traffic from any IP address (0.0.0.0/0). Impact: This change does not affect alerts.
Azure storage account logging for queues is disabled | Updated RQL: `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and loggingProperties.queue exists and (loggingProperties.queue.readEnabled is false or loggingProperties.queue.writeEnabled is false or loggingProperties.queue.deleteEnabled is false)'` The RQL has been updated to properly identify Azure Blob Storage accounts. Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.
Azure storage account logging for tables is disabled | Updated RQL: `config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and (loggingProperties.table.readEnabled is false or loggingProperties.table.writeEnabled is false or loggingProperties.table.deleteEnabled is false)'` The RQL has been updated to properly identify Azure Blob Storage accounts. Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.
Policy Updates—Recommendation | 
AWS Elastic File System (EFS) with encryption for data at rest is disabled | The recommendation instructions in the policy have been updated to replace RedShift with AWS Elastic File System (EFS).
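
As an added example (not Prisma Cloud's own code), the following evaluates the `json.rule` part of the policies above against constructed resource JSON, so you can see which resource states each policy alerts on. It assumes that a `['quoted']` path segment names one literal key, that `is empty` also matches an absent attribute, and that `and` binds tighter than `or`; the sample storage account is constructed here.

```python
import re
# Added example, not Prisma Cloud's own code: a small evaluator for the json.rule shapes
# used by the policies above. Assumptions: a ['quoted'] segment is one literal key,
# "is empty" also matches an absent attribute, and "and" binds tighter than "or".
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|"
                    r"(\S+)\s+(is true|is false|is empty|exists|equals [^\s()]+)")
_PATH = re.compile(r"\['([^']*)'\]|([^.\[\]]+)")

def get_path(obj, path):  # walk a dotted path; None when any segment is missing
    for quoted, plain in _PATH.findall(path):
        key = quoted or plain
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def eval_clause(obj, path, op):  # evaluate one '<path> <operator>' clause
    val = get_path(obj, path)
    if op in ("is true", "is false"):
        return val is (op == "is true")
    if op == "is empty":
        return val in (None, "", [], {})
    return val is not None if op == "exists" else str(val) == op.split(" ", 1)[1]

def _parse_or(toks, i):  # or-expr := and-expr ('or' and-expr)*
    val, i = _parse_and(toks, i)
    while i < len(toks) and toks[i] == "or":
        rhs, i = _parse_and(toks, i + 1)
        val = val or rhs
    return val, i
def _parse_and(toks, i):  # and-expr := atom ('and' atom)*
    val, i = _parse_atom(toks, i)
    while i < len(toks) and toks[i] == "and":
        rhs, i = _parse_atom(toks, i + 1)
        val = val and rhs
    return val, i
def _parse_atom(toks, i):  # atom := '(' or-expr ')' | pre-evaluated clause boolean
    if toks[i] == "(":
        val, i = _parse_or(toks, i + 1)
        return val, i + 1
    return toks[i], i + 1

def matches(resource, json_rule):  # True when the policy would alert on the resource
    toks = [eval_clause(resource, m.group(1), m.group(2)) if m.group(1) else m.group(0)
            for m in _TOKEN.finditer(json_rule.strip("'"))]
    return _parse_or(toks, 0)[0]

# Constructed sample: a Standard-tier storage account with queue write logging turned off.
SAMPLE_ACCOUNT = {"sku": {"tier": "Standard"}, "loggingProperties": {"queue": {
    "readEnabled": True, "writeEnabled": False, "deleteEnabled": True}}}
QUEUE_RULE = ("'sku.tier equals Standard and loggingProperties.queue exists and (loggingProperties."
              "queue.readEnabled is false or loggingProperties.queue.writeEnabled is false or "
              "loggingProperties.queue.deleteEnabled is false)'")
```

`matches(SAMPLE_ACCOUNT, QUEUE_RULE)` returns True because write logging is off, while a Premium-tier account or one with no queue logging properties at all is not flagged, matching the intent of the updated queue-logging RQL.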
CHANGE | DESCRIPTION
---|---
Update: Rate limiting on List Alert APIs | Prisma Cloud will now enforce rate limiting on the following APIs: The limit is one request per second for a client session. Requests beyond the limit will receive an HTTP 429 error code. Impact: While most clients will not see any effect, if you are using automation, plan to insert delay and retry logic to work with the new rate limits.
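
An added example, not Prisma Cloud's own client code, of the delay-and-retry logic the note above asks for: requests on a session are paced to one per second, and an HTTP 429 is retried with exponential backoff. The `send` callable, the fake clock and the fake server are assumptions constructed here so the logic runs offline; the real HTTP call and endpoint are outside this snippet.

```python
import time

# Added example, not Prisma Cloud's own code: request pacing plus retry-on-429 for
# automation that calls the rate-limited List Alert APIs (one request per second for a
# client session). `send` is a caller-supplied callable that performs the HTTP call and
# returns (status_code, body); clock and sleep are injectable so the logic is testable.
class PacedClient:
    def __init__(self, send, min_interval=1.0, backoff=1.0, max_retries=5,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.min_interval, self.backoff = send, min_interval, backoff
        self.max_retries, self.clock, self.sleep = max_retries, clock, sleep
        self.last_sent, self.retries = None, 0  # retries counts 429 responses retried

    def _pace(self):  # never send faster than one call per min_interval on this session
        if self.last_sent is not None:
            wait = self.min_interval - (self.clock() - self.last_sent)
            if wait > 0:
                self.sleep(wait)
        self.last_sent = self.clock()

    def request(self, *args, **kwargs):  # paced send; on HTTP 429 back off and retry
        delay = self.backoff
        for _ in range(self.max_retries + 1):
            self._pace()
            status, body = self.send(*args, **kwargs)
            if status != 429:
                return status, body
            self.retries += 1
            self.sleep(delay)
            delay = min(delay * 2, 30.0)  # exponential backoff, capped at 30 s
        raise RuntimeError(f"still rate limited after {self.max_retries} retries")

class FakeClock:  # constructed stand-in: sleep() advances simulated time instead of blocking
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

class FakeServer:  # constructed stand-in for the API: 429 if called <1 s after the last accepted call
    def __init__(self, clock):
        self.clock, self.last, self.calls = clock, None, 0
    def send(self, path):
        self.calls += 1
        now = self.clock()
        if self.last is not None and now - self.last < 1.0:
            return 429, {"error": "rate limit exceeded"}
        self.last = now
        return 200, {"path": path, "alerts": []}
```

With pacing at one second the fake server never returns 429; with pacing disabled the second call is throttled once and succeeds after the backoff sleep.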