on 09-30-2020 01:25 AM - edited on 02-07-2022 10:14 AM by RPrasadi
| FEATURE | DESCRIPTION |
|---|---|
| Support for AWS Organizations on Prisma Cloud | If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you add the AWS Organization, all the member accounts included within the hierarchy are onboarded to Prisma Cloud in one streamlined workflow. |
| Consolidation of Unusual User Activity / UEBA Anomaly Settings | The Unusual User Activity / UEBA settings are now under Settings > Anomaly Settings. You can now set the machine-learning thresholds (number of days and events) and the alert disposition (which vectors are used to identify unusual user activity) for the policies that detect unusual user activity and account hijacking attempts. |
| Expanded Support for Roles with Just-in-Time (JIT) Provisioning | If you use JIT provisioning to create administrative users on Prisma Cloud, a user whose profile is mapped to multiple roles on the IdP is provisioned with those multiple roles on Prisma Cloud when they log in for the first time. The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent login, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP. |
| Rich Text Editor in Email Notification Template | Use the rich text editor to customize the message body in your email notification template under Alerts > Notification Templates. |
| Limited GA | Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored in AWS S3 buckets and gain visibility into the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles, such as PII, Financial, or Healthcare & Intellectual Property, that scan the objects stored in the S3 bucket to identify exposure (whether sensitive information is kept private, is exposed or shared externally, or allows unauthorized access). It also uses the WildFire service to detect known and unknown malware in these objects. |
| API Ingestion | AWS: AWS Elastic Map Reduce, `aws-emr-public-access-block`. Additional permissions required: `elasticmapreduce:GetBlockPublicAccessConfiguration`. Azure: none listed. GCP: none listed. |
| POLICY NAME | DESCRIPTION |
|---|---|
| Saved Search Additions | The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for: |
| Policy Updates - Metadata | Policy Name Update. Current Name: Azure Security Center 'Also send email notification to subscription owners' value is not set. New Name: Azure Security Center email notification for subscription owner is not set. |
| Policy Updates - RQL | The RQL in the following policies is updated; the policies and their updated RQL are listed below the table. |

Policy Updates - RQL

The RQL in each of the following security group policies has been updated to exclude security groups shared across accounts (the `isShared is false` clause). With this change, duplicate alerts for shared security groups will be resolved.

AWS Security Groups allow internet traffic to SSH port (22)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to Windows RPC port (135)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to NetBIOS port (138)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to MSQL port (4333)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to RDP port (3389)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to Telnet port (23)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to SQLServer port (1434)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to CIFS port (445)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic to ports which are not commonly used

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = "(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)"
```

AWS Security Groups allow internet traffic from internet to SQLServer port (1433)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS Security Groups allow internet traffic from internet to NetBIOS port (137)

```
config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false
```

AWS IAM policy allows full administrative privileges

Updated RQL: the RQL has been updated to exclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved.

```
config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess"
```

AWS EKS cluster security group overly permissive to all traffic

Updated RQL: the RQL has been updated to exclude security groups shared across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved.

```
config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;
```

AWS RDS instance with copy tags to snapshots disabled

Updated RQL: the RQL has been updated to exclude Aurora databases. With this change, any open alerts for Aurora databases will be resolved.

```
config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'
```

Azure SQL Database with Auditing Retention less than 90 days

Updated the description, recommendation, and RQL. Updated RQL:

```
config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;
```
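The port-specific security group policies above all share one pattern: a port clause, an "anywhere" CIDR clause, and the new `isShared is false` exclusion. The following Python is an added example, not Prisma Cloud's own code: it mirrors that logic over constructed records shaped like `aws-ec2-describe-security-groups` output, so you can see which groups the updated policy alerts on and why a group shared in from another account is now skipped. The JSON field names are assumed to follow the shape the RQL references, and the group IDs are made up.

```python
# Added example, not Prisma Cloud code: a Python mirror of the updated port
# policies above, run over constructed aws-ec2-describe-security-groups records.
# Field names (ipPermissions, fromPort, toPort, ipRanges[].cidrIp,
# ipv6Ranges[].cidrIpv6, isShared) are assumed to follow the shape the RQL references.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def rule_covers_port(perm: dict, port: int) -> bool:
    """Port clause: (toPort > port && fromPort < port) || (toPort == port || fromPort == port).
    An all-traffic rule (ipProtocol -1) has no ports, so, like the RQL filter, it does not match."""
    to_port, from_port = perm.get("toPort"), perm.get("fromPort")
    if to_port is None or from_port is None:
        return False
    return (to_port > port and from_port < port) or port in (to_port, from_port)

def rule_open_to_world(perm: dict) -> bool:
    """CIDR clause: ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0."""
    return (any(r.get("cidrIp") == ANY_V4 for r in perm.get("ipRanges", []))
            or any(r.get("cidrIpv6") == ANY_V6 for r in perm.get("ipv6Ranges", [])))

def sg_exposes_port(sg: dict, port: int) -> bool:
    """Verdict for one group. The new 'isShared is false' clause skips groups shared into
    this account from another, so a group alerts once, in the owning account, not per account."""
    if sg.get("isShared", False):
        return False
    return any(rule_covers_port(p, port) and rule_open_to_world(p)
               for p in sg.get("ipPermissions", []))

def flagged_groups(sgs: list, port: int) -> list:
    """Group IDs the policy for `port` would alert on."""
    return [sg["groupId"] for sg in sgs if sg_exposes_port(sg, port)]

# Constructed sample records, not real inventory.
SAMPLE_SGS = [
    {"groupId": "sg-owned-ssh-open", "isShared": False, "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": ANY_V4}], "ipv6Ranges": []}]},
    {"groupId": "sg-range-v6-open", "isShared": False, "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
         "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": ANY_V6}]}]},
    {"groupId": "sg-shared-in", "isShared": True, "ipPermissions": [  # same rule, shared in
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": ANY_V4}], "ipv6Ranges": []}]},
    {"groupId": "sg-office-only", "isShared": False, "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print(flagged_groups(SAMPLE_SGS, 22))  # ['sg-owned-ssh-open', 'sg-range-v6-open']
```

Before the `isShared` clause, `sg-shared-in` would have produced a second alert in every account it is shared with; now only the owning account's copy of that group is reported.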
| CHANGE | DESCRIPTION |
|---|---|
| Cloud Accounts | The REST API now supports AWS Organizations. The following have new request body parameters for this support: |
| Policies | The response object for the REST API request `GET /v2/policy` had included an unused field, `openAlertsCount`. The response object for `GET /v2/policy` no longer includes this field. The issue ID is RLP-23362. |