Prisma Cloud Release Notes, Features Introduced in 20.9.1, September, 2020

ENwankwo1 · ‎09-30-2020

Features Introduced in 20.9.1

New Features

FEATURE	DESCRIPTION
Support for AWS Organizations on Prisma Cloud	If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.
Consolidation of Unusual User Activity / UEBA Anomaly Settings	The Unusual User Activity / UEBA settings are now on Settings Anomaly Settings along with the Anomaly settings for policies that alert you to network-related incidents. You can now set the thresholds for machine learning—number of days and events—and alert disposition—what vectors to use for identifying unusual —for the policies that detect usual user activity and the account hijacking attempts.
Expanded Support for Roles with Just-in-Time (JIT) Provisioning	If you use JIT provisioning to create administrative users on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud. The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP.
Rich Text Editor in Email Notification Template	Use the rich text editor to customize the message body in your email notification template on Alerts Notification Templates . And as you craft it, you can preview how the content will look on the right-hand pane.
Limited GA Prisma Cloud Data Security	Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.
API Ingestion	AWS AWS Elastic Map Reduce— aws-emr-public-access-block Additional permissions required: elasticmapreduce:GetBlockPublicAccessConfiguration Azure Azure Event Hubs— azure-event-hubs-namespace Azure Logic Apps— azure-logic-apps-workflow GCP Google Compute— gcloud-compute-image Additional permissions required: compute.images.list compute.images.getIamPolicy Google PubSub— gcloud-pubsub-topic Additional permissions required: pubsub.topics.getIamPolicy pubsub.topics.list gcloud-pubsub-subscription Additional permissions required: pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list gcloud-pubsub-snapshot Additional permissions required: pubsub.snapshots.getIamPolicy pubsub.snapshots.list

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.

POLICY NAME	DESCRIPTION
Saved Search Additions	The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for: GCP IAM user with overly permissive privileges GCP IAM user not used for the last 90 days AWS IAM policy not configured with fine-grained access control, such as such as IP address, Time Of Day, and MFA restrictions
Policy Updates- Metadata	Policy Name Update Current Name— Azure Security Center 'Also send email notification to subscription owners' value is not set New Name— Azure Security Center email notification for subscription owner is not set
Policy Updates—RQL	The RQL in the following policies are updated: AWS Security Groups allow internet traffic to SSH port (22) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 \|\| @.fromPort == 22)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 \|\| @.fromPort == 22)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to Windows RPC port (135) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 \|\| @.fromPort == 135)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 \|\| @.fromPort == 135)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to NetBIOS port (138) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 \|\| @.fromPort == 138)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 \|\| @.fromPort == 138)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to MSQL port (4333) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 \|\| @.fromPort == 4333)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 \|\| @.fromPort == 4333)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to RDP port (3389) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 \|\| @.fromPort == 3389)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 \|\| @.fromPort == 3389)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to Telnet port (23) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 \|\| @.fromPort == 23)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 \|\| @.fromPort == 23)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 \|\| @.fromPort == 5500)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 \|\| @.fromPort == 5500)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to SQLServer port (1434) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 \|\| @.fromPort == 1434)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 \|\| @.fromPort == 1434)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to CIFS port (445) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 \|\| @.fromPort == 445)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 \|\| @.fromPort == 445)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic to ports which are not commonly used Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = \"(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' \|\| @.ipProtocol=='icmp' \|\| @.ipProtocol=='icmpv6' \|\| @.ipProtocol=='udp')].ipv6Ranges[].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' \|\| @.ipProtocol=='icmp' \|\| @.ipProtocol=='icmpv6' \|\| @.ipProtocol=='udp')].ipRanges[] contains 0.0.0.0/0)\"
	AWS Security Groups allow internet traffic from internet to SQLServer port (1433) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 \|\| @.fromPort == 1433)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 \|\| @.fromPort == 1433)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to NetBIOS port (137) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 \|\| @.fromPort == 137)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 \|\| @.fromPort == 137)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS IAM policy allows full administrative privileges Updated RQL—The RQL has been updated toexclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = \"document.Statement[?(@.Resource=='' )].Action equals and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy\/AdministratorAccess\"
	AWS EKS cluster security group overly permissive to all traffic Updated RQL—The RQL has been updated to exclude security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[].ipv4Ranges[] contains 0.0.0.0/0 or $.Y.ipPermissions[].ipv6Ranges[] contains ::/0) and $.Y.isShared is false'; show Y;
	AWS RDS instance with copy tags to snapshots disabled Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
	Azure SQL Database with Auditing Retention less than 90 days Updated the description, recommendation, and RQL. Updated RQL— config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;

REST API Updates

CHANGE	DESCRIPTION
Cloud Accounts	The REST API now support AWS organizations. The following have new request body parameters for this support: POST /cloud/{cloud_type} PUT /cloud/{cloud_type} POST /cloud/status/{cloud_type}
Policies	The response object for the REST API request GET /v2/policy had included an unused field openAlertsCount . The response object for GET /v2/policy no longer includes this field. The issue ID is RLP-23362.

POLICY NAME	DESCRIPTION
Saved Search Additions	The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for: GCP IAM user with overly permissive privileges GCP IAM user not used for the last 90 days AWS IAM policy not configured with fine-grained access control, such as such as IP address, Time Of Day, and MFA restrictions
Policy Updates- Metadata	Policy Name Update Current Name— Azure Security Center 'Also send email notification to subscription owners' value is not set New Name— Azure Security Center email notification for subscription owner is not set
Policy Updates—RQL	The RQL in the following policies are updated: AWS Security Groups allow internet traffic to SSH port (22) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 \|\| @.fromPort == 22)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 \|\| @.fromPort == 22)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to Windows RPC port (135) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 \|\| @.fromPort == 135)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 \|\| @.fromPort == 135)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to NetBIOS port (138) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 \|\| @.fromPort == 138)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 \|\| @.fromPort == 138)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to MSQL port (4333) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 \|\| @.fromPort == 4333)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 \|\| @.fromPort == 4333)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to RDP port (3389) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 \|\| @.fromPort == 3389)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 \|\| @.fromPort == 3389)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to Telnet port (23) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 \|\| @.fromPort == 23)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 \|\| @.fromPort == 23)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 \|\| @.fromPort == 5500)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 \|\| @.fromPort == 5500)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to SQLServer port (1434) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 \|\| @.fromPort == 1434)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 \|\| @.fromPort == 1434)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to CIFS port (445) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 \|\| @.fromPort == 445)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 \|\| @.fromPort == 445)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic to ports which are not commonly used Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = \"(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' \|\| @.ipProtocol=='icmp' \|\| @.ipProtocol=='icmpv6' \|\| @.ipProtocol=='udp')].ipv6Ranges[].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' \|\| @.ipProtocol=='icmp' \|\| @.ipProtocol=='icmpv6' \|\| @.ipProtocol=='udp')].ipRanges[] contains 0.0.0.0/0)\"
	AWS Security Groups allow internet traffic from internet to SQLServer port (1433) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 \|\| @.fromPort == 1433)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 \|\| @.fromPort == 1433)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS Security Groups allow internet traffic from internet to NetBIOS port (137) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 \|\| @.fromPort == 137)].ipRanges[] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 \|\| @.fromPort == 137)].ipv6Ranges[].cidrIpv6 contains ::/0))) and isShared is false
	AWS IAM policy allows full administrative privileges Updated RQL—The RQL has been updated toexclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = \"document.Statement[?(@.Resource=='' )].Action equals and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy\/AdministratorAccess\"
	AWS EKS cluster security group overly permissive to all traffic Updated RQL—The RQL has been updated to exclude security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[].ipv4Ranges[] contains 0.0.0.0/0 or $.Y.ipPermissions[].ipv6Ranges[] contains ::/0) and $.Y.isShared is false'; show Y;
	AWS RDS instance with copy tags to snapshots disabled Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
	Azure SQL Database with Auditing Retention less than 90 days Updated the description, recommendation, and RQL. Updated RQL— config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;

Network Security

Cloud Security

Security Operations

Prisma Cloud Release Notes, Features Introduced in 20.9.1, September, 2020

Prisma Cloud Release Notes, Features Introduced in 20.9.1, September, 2020