Prisma Cloud Release Notes For May 19, 2020

Features Introduced on May 19, 2020
New Features

resource.status Attribute in Config RQL
The RQL Config query adds a new attribute, resource.status, that enables you to identify cloud resources that are in an active or deleted state within a specified time range.
For example:
config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables'
and specify the time range.

The resource.status attribute is supported on the Investigate page only. You can also view the current status of the cloud resource in the Resource Explorer. The status shows whether the resource is deleted (Deleted—True) or active (Deleted—False).

API Ingestion
APIs to ingest the following services:

  • AWS: aws-iam-service-last-accessed-details
    The API enables you to view details about when an IAM resource (user, role, or policy) was last used to access an AWS service. To ingest the resources associated with this API, you must update the CFT and enable the additional permissions generateServiceLastAccessedDetails and getServiceLastAccessedDetails.
    When enabled, the details on all roles and all users created in the AWS account, and all policies attached to those users and roles, are ingested into Prisma Cloud every 24 hours.

    For example:
    • To query users, roles, and policies with unused permissions:
      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = serviceLastAccesses[*].totalAuthenticatedEntities any equal "0" AND arn contains ":user"
    • To list users (or roles) who can access a specific service:
      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = arn contains ":user" AND serviceLastAccesses[*].serviceNamespace contains "s3"
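The two RQL examples above both evaluate the serviceLastAccesses array of the ingested aws-iam-service-last-accessed-details records. The Python below is an added example, not Prisma Cloud's own code: it applies the same two checks offline to a constructed sample of records that carry only the fields the queries reference (arn, serviceLastAccesses[*].serviceNamespace, serviceLastAccesses[*].totalAuthenticatedEntities). The record layout beyond those fields, the string type of totalAuthenticatedEntities (chosen to match the quoted "0" in the RQL), the principal_kind parameter, and the unused_services helper that reports which granted services are unused are all assumptions that go beyond the queries on the page.

```python
"""Offline equivalent of the two RQL queries above (added example, not Prisma Cloud code).

Record shape is an assumption modelled on the fields the RQL queries reference:
  arn, serviceLastAccesses[*].serviceNamespace, serviceLastAccesses[*].totalAuthenticatedEntities
"""

# Constructed sample of ingested records; values are illustrative, not real account data.
SAMPLE_RECORDS = [
    {
        "arn": "arn:aws:iam::123456789012:user/alice",
        "serviceLastAccesses": [
            {"serviceNamespace": "s3", "totalAuthenticatedEntities": "1"},
            {"serviceNamespace": "ec2", "totalAuthenticatedEntities": "0"},
        ],
    },
    {
        "arn": "arn:aws:iam::123456789012:user/bob",
        "serviceLastAccesses": [
            {"serviceNamespace": "s3", "totalAuthenticatedEntities": "1"},
        ],
    },
    {
        "arn": "arn:aws:iam::123456789012:role/deploy",
        "serviceLastAccesses": [
            {"serviceNamespace": "lambda", "totalAuthenticatedEntities": "0"},
        ],
    },
    {
        "arn": "arn:aws:iam::123456789012:policy/ReadOnly",
        "serviceLastAccesses": [
            {"serviceNamespace": "s3", "totalAuthenticatedEntities": "0"},
        ],
    },
]


def unused_services(record):
    """Namespaces of granted services that no authenticated entity has used.
    Assumes the ingested counter is the string "0", as the RQL compares against "0"."""
    return [
        s.get("serviceNamespace", "")
        for s in record.get("serviceLastAccesses", [])
        if s.get("totalAuthenticatedEntities") == "0"
    ]


def has_unused_service(record):
    """serviceLastAccesses[*].totalAuthenticatedEntities any equal "0"."""
    return bool(unused_services(record))


def can_access_service(record, namespace):
    """serviceLastAccesses[*].serviceNamespace contains "<namespace>"."""
    return any(
        namespace in s.get("serviceNamespace", "")
        for s in record.get("serviceLastAccesses", [])
    )


def principals_with_unused_permissions(records, principal_kind=":user"):
    """First query: principals of the given kind with at least one unused service.
    principal_kind mirrors `arn contains ":user"`; pass ":role" to check roles instead."""
    return [r["arn"] for r in records if principal_kind in r["arn"] and has_unused_service(r)]


def principals_with_access_to(records, namespace, principal_kind=":user"):
    """Second query: principals of the given kind whose access details include the service."""
    return [
        r["arn"] for r in records
        if principal_kind in r["arn"] and can_access_service(r, namespace)
    ]


if __name__ == "__main__":
    for arn in principals_with_unused_permissions(SAMPLE_RECORDS):
        print("unused permissions:", arn, unused_services(next(r for r in SAMPLE_RECORDS if r["arn"] == arn)))
    print("can reach s3:", principals_with_access_to(SAMPLE_RECORDS, "s3"))
```

Because the RQL matches on `arn contains ":user"`, the role and policy records in the sample are excluded from both results unless the principal kind is changed; the unused_services helper adds the per-service detail that the query's boolean match does not surface, which is what you need when deciding which statements to remove from a policy.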
 
Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs now ingest tag information on your cloud resources:
  • aws-describe-vpc-endpoints
  • aws-ec2-describe-flow-logs
  • aws-organization
  • aws-apigateway-get-rest-apis
  • aws-apigateway-get-stages
  • aws-elasticache-snapshots
  • aws-eks-describe-cluster
    The eks:ListTagsForResource permission is required to ingest tags for the EKS service. See Update the CFT to enable the additional permissions.
 
Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook Threat Exchange. In addition, all anomaly alerts include a tooltip that describes the threat details.

New Policies and Policy Updates

GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation, and enforce the principle of least privilege when granting permissions to service accounts.
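The policy above matches two properties of a VM instance together: the attached service account is the project's default Compute Engine service account, and its access scopes include the scope that grants access to all Cloud APIs. The Python below is an added example, not the Prisma Cloud policy itself: it evaluates that condition over a constructed list of instance dicts shaped like the serviceAccounts field of a Compute Engine instance resource (email plus scopes). The sample instance names and account values are constructed; the default-account email pattern and the cloud-platform scope URL are standard GCP values.

```python
"""Added example (not a Prisma Cloud policy): flag GCP VM instances that run as the
project's default Compute Engine service account with the cloud-platform scope.
Instance dicts mirror the `serviceAccounts` field of a Compute Engine instance
resource; all sample values are constructed."""
import re

# Access scope that lets a VM token reach every Google Cloud API the account can use.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Email pattern of the default Compute Engine service account (project number + "-compute").
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

SAMPLE_INSTANCES = [
    {   # default account + full-access scope: the case the policy flags
        "name": "web-1",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # default account but narrowed scopes: not flagged by this policy
        "name": "web-2",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [
                "https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write",
            ],
        }],
    },
    {   # custom account with full scope: outside this policy's definition
        "name": "batch-1",
        "serviceAccounts": [{
            "email": "batch-runner@my-project.iam.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # no service account attached at all
        "name": "isolated",
        "serviceAccounts": [],
    },
]


def uses_default_sa_with_full_access(instance):
    """True when any attached account is the default Compute Engine account
    and its scopes include the all-Cloud-APIs scope."""
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_COMPUTE_SA.match(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
            return True
    return False


def violating_instances(instances):
    """Names of instances that match the policy condition."""
    return [i["name"] for i in instances if uses_default_sa_with_full_access(i)]


if __name__ == "__main__":
    print("instances using default SA with full Cloud API access:", violating_instances(SAMPLE_INSTANCES))
```

Only web-1 is reported: web-2 keeps the default account but with narrowed scopes, and batch-1 carries the full scope on a purpose-built account, which is what the policy's least-privilege guidance points you toward; whether a custom account's IAM roles are themselves too broad is a separate question this policy does not evaluate.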
Policy Updates
The GCP CIS v1.0.0 compliance standard, section 4.1, is updated to match on the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions.
The AWS RDS DB cluster encryption is disabled policy is updated to include remediation instructions.