Prisma Cloud Release Notes for June 6, 2019

Showing results for 
Search instead for 
Did you mean: 
Retired Member
Not applicable
Did you find this article helpful? Yes No
No ratings

New Features

Just-In-Time Provisioning for SSO Users
To successfully access the RedLock service using Single Sign-on (SSO), every user (administrator) requires a local account on Prisma Cloud. With Just-In-Time (JIT) Provisioning, you no longer are required to create the user in advance on Prisma Cloud. After successful authentication with your SSO Identity Provider (IdP), users are now automatically provisioned on Prisma Cloud with the specified role. From Settings SSO, Enable JIT Provisioning and specify the SAML attributes you configured for your users on your IdP.
Coverage for Azure Container Registry Webhooks and Azure App Service Authentication
When you onboard your Azure subscriptions to Prisma Cloud, you can now ingest additional information from the Azure Container Registry webhooks and the Azure App Service to provide more visibility and context.
Create a custom role or modify an existing role to include the following permissions:
  • Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action—
    To ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to a registry, or deleted from it.
  • Microsoft.Web/sites/config/list/action—
    To ingest Authentication/Authorization data from Azure App Service that hosts websites and web applications.
    This custom role is required in addition to the Reader Role, which is adequate to ingest configuration data from the Azure App Service.
Bypass DNS Resolution for SAML
If you have deployed your IdP on an internal network, and do not need a DNS look up for the URLs defined on the SSO configuration settings, you can now disable it. To disable DNS look ups, clear the Enforce DNS resolution for RedLock Access SAML on Settings > SSO.
New API Ingestion
Prisma Cloud adds coverage for the following new services that you can use in RQL:
  • GCP—gcloud-compute-target-https-proxies
  • AWS—aws-rds-db-clusters

API Ingestion Updates

aws-iam-get-policy-version API is modified to lists all IAM users, groups, and roles that the specified managed policy is attached to. With this change, this API now retrieves information about managed policies along with all IAM users, groups, and roles attached to the policies.
The aws-rds-db-cluster-snapshots API now includes a new JSON field 
dbclusterSnapshotAttributes that provides information the attributes in an RDS database cluster snapshot.
The aws-kms-get-key-rotation-status API now includes a new JSON field 
policies. With this change, this API now retrieves KMS key rotation status along with the list of policies associated with the key.
The aws-ecr-get-repository-policy is updated to include the IAM policy statement, which provides information on the operations performed on the ECR resource. With this change the JSON structure is fully revised.
Custom Policy Uses API modify the RQL to match JSON.png
The aws-sqs-get-queue-attributes is updated to include the policy statement, which provides information on the operations performed on the SQS resource. With this change the JSON structure is fully revised.
Custom Policy with API modify RQL to JSON structure.png


This information was adapted from a TechDocs article. For more information about the release notes or to view other release notes, please visit Features Introduced on June 6, 2019.

Rate this article: