Prisma Cloud Release Notes For May 19, 2020

Features Introduced on May 19, 2020
New Features
resource.status Attribute in Config RQL
Config RQL queries support a new attribute, resource.status, that enables you to identify cloud resources that are in a Deleted state within a specified time range.
For example:
config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables'
and specify the time range.


The resource.status attribute is supported on the page only. You can also view the current status of a cloud resource in the Resource Explorer. The status shows whether the resource is deleted (Deleted—True) or active (Deleted—False).

API Ingestion
APIs to ingest the following services:
  • AWS aws-iam-service-last-accessed-details
    This API enables you to view details about when an IAM resource (user, role, or policy) was last used to access an AWS service. To ingest the resources associated with this API, you must update the CFT and enable two additional permissions: generateServiceLastAccessedDetails and getServiceLastAccessedDetails.
    When enabled, the details on all roles and all users created in the AWS account, and all policies attached to those users and roles, are ingested into Prisma Cloud every 24 hours.

    For example:
  • To query users, roles, and policies with unused permissions:
    config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = serviceLastAccesses[*].totalAuthenticatedEntities any equal "0" AND arn contains ":user"
  • To list users (or roles) who can access a specific service:
    config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = arn contains ":user" AND serviceLastAccesses[*].serviceNamespace contains "s3"
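As an added example (not part of the release notes or of Prisma Cloud's own code), the Python below evaluates the logic of the two queries above offline, against constructed records in the JSON shape the json.rule expressions address; the sample ARNs, namespaces and function names are assumptions.

```python
"""Offline evaluation of the two aws-iam-service-last-accessed-details
queries, mirroring the json.rule clauses with plain Python filters."""

# Constructed sample records (not real account data) in the shape the
# RQL expressions reference: arn plus serviceLastAccesses[*].
SAMPLE_RECORDS = [
    {
        "arn": "arn:aws:iam::111111111111:user/build-bot",
        "serviceLastAccesses": [
            {"serviceNamespace": "s3", "totalAuthenticatedEntities": 1},
            {"serviceNamespace": "ec2", "totalAuthenticatedEntities": 0},
        ],
    },
    {
        "arn": "arn:aws:iam::111111111111:user/auditor",
        "serviceLastAccesses": [
            {"serviceNamespace": "cloudtrail", "totalAuthenticatedEntities": 1},
        ],
    },
    {
        "arn": "arn:aws:iam::111111111111:role/lambda-exec",
        "serviceLastAccesses": [
            {"serviceNamespace": "s3", "totalAuthenticatedEntities": 0},
        ],
    },
]


def unused_permissions(records, principal_type=":user"):
    """Mirror of: arn contains <principal_type> AND
    serviceLastAccesses[*].totalAuthenticatedEntities any equal "0".
    Returns {arn: [namespaces granted by policy but never used]}."""
    out = {}
    for rec in records:
        if principal_type not in rec["arn"]:
            continue
        unused = [s["serviceNamespace"] for s in rec["serviceLastAccesses"]
                  if int(s["totalAuthenticatedEntities"]) == 0]
        if unused:  # 'any equal "0"': at least one service never used
            out[rec["arn"]] = unused
    return out


def principals_with_access(records, namespace, principal_type=":user"):
    """Mirror of: arn contains <principal_type> AND
    serviceLastAccesses[*].serviceNamespace contains <namespace>."""
    return sorted(rec["arn"] for rec in records
                  if principal_type in rec["arn"]
                  and any(namespace in s["serviceNamespace"]
                          for s in rec["serviceLastAccesses"]))
```

Swapping ":user" for ":role" in either call reproduces the role variant the second bullet mentions.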
Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs ingest tag information on your cloud resources:
  • aws-describe-vpc-endpoints
  • aws-ec2-describe-flow-logs
  • aws-organization
  • aws-apigateway-get-rest-apis
  • aws-apigateway-get-stages
  • aws-elasticache-snapshots
  • aws-eks-describe-cluster
    An additional permission is required to ingest tags for the EKS service. See Update the CFT to enable the additional permissions.
Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook Threat Exchange. In addition, all anomaly alerts include a tooltip that describes the threat details.

New Policies and Policy Updates
GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation, and enforce the principle of least privilege when granting permissions to service accounts.
Policy Updates
The GCP CIS v1.0.0 Compliance Standard, section 4.1, is updated to match on the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions.
Updated the AWS RDS DB cluster encryption is disabled policy to include remediation instructions.