Prisma Cloud Articles

Featured Article
Read about the Prisma Cloud release notes that detail new features, including Multi-Tenant Demisto Deployments and API ingestion updates. You can also find new and updated policies for AWS and Azure.
Posted 09-01-2020 01:04 PM
Prisma Cloud Release Notes For April 7, 2020
Posted 09-01-2020 01:03 PM
Features Introduced on April 21, 2020
Posted 09-01-2020 01:03 PM
Prisma Cloud Release Notes For May 5, 2020
Posted 09-01-2020 01:02 PM
Features Introduced on May 19, 2020

New Features

resource.status Attribute in Config RQL
The RQL config query adds a new attribute, resource.status, that enables you to identify cloud resources that are in an active or deleted state within a specified time range. For example:

    config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables'

and specify the time range. The resource.status attribute is supported on the Investigate page only. You can also view the current status of the cloud resource on the Resource Explorer. The status shows whether the resource is deleted (Deleted—True) or active (Deleted—False).

API Ingestion
APIs to ingest the following services:

AWS
- aws-iam-service-last-accessed-details
  The API enables you to view details about when an IAM resource (user, role, or policy) was last used to access an AWS service. To ingest the resources associated with this API, you must update the CFT and enable the additional permissions generateServiceLastAccessedDetails and getServiceLastAccessedDetails. When enabled, the details on all roles and all users created in the AWS account, and all policies attached to those users and roles, are ingested into Prisma Cloud every 24 hours.
  For example, to query users, roles, and policies with unused permissions:

      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = serviceLastAccesses[*].totalAuthenticatedEntities any equal "0" AND arn contains ":user"

  To list users (or roles) who can access a specific service:

      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = arn contains ":user" AND serviceLastAccesses[*].serviceNamespace contains "s3"

Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs now ingest tag information on your cloud resources:
- aws-describe-vpc-endpoints
- aws-ec2-describe-flow-logs
- aws-organization
- aws-apigateway-get-rest-apis
- aws-apigateway-get-stages
- aws-elasticache-snapshots
- aws-eks-describe-cluster
The eks:ListTagsForResource permission is required to ingest tags for the EKS service. See Update the CFT to enable the additional permissions.

Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook ThreatExchange. In addition, all anomaly alerts include a tooltip that describes the threat details.

New Policies and Policy Updates

New Policy
GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation and enforce the principle of least privilege when granting permissions to service accounts.

Policy Updates
- The GCP CIS v1.0.0 Compliance standard, section 4.1, is updated to match on the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions.
- Updated the AWS RDS DB cluster encryption is disabled policy to include the instructions for remediation.
Posted 09-01-2020 12:58 PM
Features Introduced on June 2, 2020

New Features

Custom Header Support for Webhook Integration
To enable support for additional data, such as the API key or access token of your application, in a Webhook integration, Prisma Cloud supports key-value pairs in a custom header. If you had previously set up a Webhook integration, the Auth Token you had configured is now sent as a custom header in the payload.

Business Unit Report on Open Alerts
To share a report on the status of your cloud assets and how they are doing against Prisma Cloud security and compliance policy checks, you can generate an on-demand or scheduled Business Unit Report. The report enables your business stakeholders to keep track of the total number of assets and how many of them have passed or failed against the enabled policies, and to monitor how they are doing on a regular basis. You can opt to create a summary report, which shows how you are doing across all your business units; the detailed report gets more granular on each cloud account in the report.

GCP Seoul Region Support
Prisma Cloud can now monitor resources deployed in the Seoul region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.

API Ingestion
APIs to ingest the following services:
- aws-organization-ou
  Additional permissions required: organizations:ListChildren, organizations:listPoliciesForTarget, organizations:DescribeOrganizationalUnit
- aws-organization-account
  Additional permissions required: organizations:listPoliciesForTarget, organizations:DescribeAccount, organizations:ListTagsForResource
- aws-organization-root
  Additional permissions required: organizations:ListChildren, organizations:listPoliciesForTarget, organizations:listRoots
- aws-organizations-scp
  Additional permissions required: organizations:ListChildren, organizations:ListPolicies, organizations:DescribePolicy, organizations:listPoliciesForTarget
- aws-organizations-tag-policy
  Additional permissions required: organizations:ListChildren, organizations:ListPolicies, organizations:DescribePolicy, organizations:listPoliciesForTarget

Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs now ingest tag information on your cloud resources:
- aws-cloudtrail-describe-trails
- aws-cloudwatch-describe-alarms
- aws-describe-workspace-directories
- aws-dynamodb-describe-table
The cloudwatch:ListTagsForResource and dynamodb:ListTagsOfResource permissions are required to ingest tags for these services. See Update the CFT to enable the additional permissions. If you want to grant granular permissions manually:
- The CloudTrail service requires ListTags
- The DynamoDB service requires ListTagsOfResource
- The CloudWatch service requires ListTagsForResource

Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
- AWS IAM role with unused S3 buckets permissions_RL
- AWS IAM user with unused S3 buckets permissions_RL
- AWS IAM role with unused permissions_RL
- AWS IAM user with unused permissions_RL
- AWS EC2 instances with Marketplace AMI_RL

New Policies and Policy Updates

Anomaly Policies to Detect Network Evasion or Resource Misuse
Five new Anomaly policies are available to help you detect:
- Ports or protocols that are not typically used on your network to provide or consume services.
  - Unusual server port activity (Internal): Identifies network activity from one (external or internal) client host to a server host inside your cloud environment, using a server port not previously seen in the VPC.
  - Unusual server port activity (External): Identifies network activity from a client host inside your cloud environment to an external server host, using a server port not previously seen in the VPC.
  - Unusual protocol activity (Internal): Identifies network activity from one (external or internal) client host to a server host inside your cloud environment, using an IP protocol not previously seen in the VPC.
  - Unusual protocol activity (External): Identifies network activity from a client host inside your cloud environment to an external server host, using an IP protocol not previously seen in the VPC.
- Resource misuse by potential spam.
  - Spambot activity: Identifies a host inside your cloud environment that is generating outbound SMTP traffic and for which no previous mail-related network activity has been observed. This instance may be compromised and sending out spam.

AWS MQ is publicly accessible
Identifies AWS MQ brokers that are publicly accessible from the internet. As a best practice, ensure that AWS MQ brokers are not accessible from the Internet to minimize security risks and exposure of sensitive data.

AWS MFA is not enabled on Root account
Identifies root accounts that do not enforce Multi-Factor Authentication (MFA) on the AWS public cloud. Because root accounts have privileged access to all AWS services, enabling MFA reduces the risk of root account credentials being compromised. This policy does not apply to AWS GovCloud accounts because you cannot enable MFA on AWS GovCloud (US) root accounts.
Posted 09-01-2020 12:57 PM
Features Introduced on June 16, 2020

New Features

Threat Source and Unit 42 tags in Network RQL
In Network RQL, you can now filter search results based on threat source, such as AutoFocus or Facebook ThreatExchange. For AutoFocus, you can further query for specific tag groups using threat.tag.group, which reference the genre of malware families as categorized by the Unit 42 threat research team. For example:

    network where dest.publicnetwork IN ('Suspicious IPs') and threat.source IN ( 'AF' ) AND threat.tag.group = 'Cryptominer'

Prisma Cloud Business Edition on Azure China
Start using the Prisma Cloud tenant in China to connect to your Azure China subscriptions and monitor the resources deployed in China.

Plugin Updates for scanning IaC templates
The GitHub plugin adds support for Terraform version 0.12 and enables you to include your Prisma Cloud credentials as part of the installation process. The Visual Studio Code plugin adds support for Terraform version 0.12 and enables you to scan multiple files within a directory.

API Ingestion
- GCP IAM Recommender, which is part of the Google Recommendations service: gcloud-iam-policy-recommendation-list
  Additional permissions required: recommender.iamPolicyRecommendations.list. For details, see permissions and roles for GCP.
- Google API Key: gcloud-api-key
  Additional permissions required: serviceusage.apiKeys.list. GCP has released this API as an alpha release. To use this API, you must be explicitly allowed access to the API from Google Cloud. Because Google Cloud does not provide an SLA for this alpha version, this API is also not bound by the terms of the Prisma Cloud SLA.

Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
- AWS IAM user with unused Key management or System manager permissions
- AWS IAM role which is not set with any permission boundaries or set with excessive permission boundary permissions

New Policy and Policy Updates

AWS IAM roles with administrator access permissions
Identifies AWS IAM roles with administrator access privileges. Granting least privilege access is recommended as a security best practice.

AWS IAM groups with administrator access permissions
Identifies AWS IAM groups with administrator access privileges.

GCP SQL Server instance database flag 'cross db ownership chaining' is enabled
Identifies GCP SQL Server instances that are enabled for cross database ownership chaining, so that you can assess the security implications of this setting.

GCP SQL Server instance database flag 'contained database authentication' is enabled
Identifies SQL Server instances that are enabled for contained database authentication. This poses a security risk because control over access to the server is no longer limited to members of the system or security administrators.

Prisma Cloud Default Policies No Longer Available
Due to the delay in generating the associated alerts, the following Prisma Cloud default policies are no longer available:
- AWS Multiple Lambda Functions using same IAM role
- AWS Log metric filter and alarm does not exist for Security group changes
These policies are being removed to optimize performance and to address the time-to-alert delays caused by the large volume of data that these policies parse.
Posted 09-01-2020 12:56 PM
Features Introduced on July 14, 2020

New Features

Support for GCP Folders
When you add your GCP Organization to Prisma Cloud, you can now view all the projects or folders contained in the organization hierarchy and choose to add all the projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect, using Prisma Cloud.

Prisma Cloud as a PAYG Subscription on the AWS Marketplace
Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, after which you are billed based on hourly usage; no long-term contract is required.

(Coming Soon) Support Domain-based Message Authentication, Reporting & Conformance (DMARC)
Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com. To ensure that you continue to receive emails, replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list.

New Filters for Policies
The Policies page has three new filters: Category, Class, and Subtype. The table view includes these filters as new columns.
- The Category filter enables you to separate incidents from risks and prioritize what you want to focus on based on your role. You can, for example, use this filter to identify policies that detect incidents before policies that detect risky configurations.
- The Class filter logically groups policies. Use it to separate policies that affect your area of focus, and delegate as appropriate.
- The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes: Network and UEBA.

Updates for Inclusive Language on Prisma Cloud
Prisma Cloud has updated all references to whitelist on the API and management console. Settings > IP Whitelisting is renamed Settings > Trusted IP Addresses, where you can specify Trusted Alert IP Addresses (previously Login IP Whitelisting) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting). See Public REST API Updates also.

Exclusion of Trusted Sources in Anomaly Policies
To exclude trusted IP addresses that are internal or known, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in CIDR format to the Trusted IP Address List on Settings > Anomaly Settings. Addresses included in this list do not generate alerts against the Prisma Cloud Anomaly policies that detect unusual network activity, such as the policies that detect port scan and port sweep activity, unusual server and port activity, and Spambot activity.

GCP Flow Logs Update
GCP flow logs are now available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.

Amazon SQS Integration Supports a Separate IAM Role
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS. If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy has the permissions required for Amazon SQS, and by default Prisma Cloud accesses the SQS queue with these credentials. If this is not applicable for the SQS queue you are trying to integrate, when you add a new SQS integration you can provide the IAM credentials (Access Key and Secret Key) associated with that role (Settings > Integrations). The IAM user whose security credentials (Access and Secret Keys) you provide must have the sqs:SendMessage and sqs:SendMessageBatch permissions.

API Ingestion
AWS
- The noCloudTrailFound attribute is no longer ingested for the aws-cloudtrail-describe-trails API. With this change, Prisma Cloud no longer ingests the noCloudTrailFound attribute for an AWS account that does not have CloudTrail enabled in a given region. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.
GCP
- Google Compute Engine: gcloud-compute-project-info
- Google Dataproc Clusters: gcloud-dataproc-clusters-list
- For the gcloud-compute-api, Prisma Cloud now includes labels assigned to your GCP project. You can use the tag attribute to find resources tagged with labels in config where RQL queries.

Saved Search Additions
Use the following Saved Search to easily create a policy and generate an alert if you want to check for:
- AWS IAM policy with unused permissions
- AutoFocus saved searches are consolidated by tag groups to detect malicious activities that are initiated from an internal source on your network or from an external source.

AutoFocus Updates
Change in threat source name in RQL, and access to AutoFocus from the Prisma Cloud console. The AutoFocus threat intelligence feed was referred to as threat.source in ( AF ); that is now updated to threat.source in ( AutoFocus ). For example, the RQL should now be:

    network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer'

Additionally, if you have an AutoFocus license, you can now click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the Investigate page.

Compliance Standards in Business Unit Reports
When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data is only for the alerts associated with policies tied to the selected compliance standards.

API Ingestion
APIs to ingest:
- Azure custom policy definitions at the subscription level. Azure Policy: azure-policy-definition
- Updated the JSON structure for the azure-storage-account-list API to display the total count of containers that are accessible publicly. In addition, the data ingested displays the names of the first 1000 containers in this list.
- The noCloudTrailFound attribute is no longer ingested for the aws-cloudtrail-describe-trails API. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.

GCP Las Vegas Region Support
Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.

Prisma Cloud Service for AWS China
Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.

Prisma Cloud Service in Singapore
Prisma Cloud is now available in the Singapore region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.

New Policy and Policy Updates

Alibaba Cloud RAM user with both console access and access keys
Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit what the user can do and grant permissions for either console access or the API.

AWS policies that enable auto-remediation
The following policies are updated:
- AWS Customer Master Key (CMK) rotation is not enabled
- AWS EKS cluster endpoint access publicly enabled
- AWS RDS event subscription disabled for DB instance
- AWS EKS control plane logging disabled
- AWS Redshift clusters should not be publicly accessible
- AWS RDS database instance is publicly accessible
- AWS RDS minor upgrades not enabled
- AWS RDS instance without Automatic Backup setting
The additional permissions required to enable auto-remediation for these policies are: "kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"

Internet exposed instances
Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.

Public REST API Updates

Deprecated and replacement REST API endpoint paths
The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future:
- Deprecated: /ip_whitelist_login  New: /ip_allow_list_login
- Deprecated: /ip_whitelist_login/{id}  New: /ip_allow_list_login/{id}
- Deprecated: /ip_whitelist_login/status  New: /ip_allow_list_login/status
- Deprecated: /ip_whitelist_login/tab  New: /ip_allow_list_login/tab
- Deprecated: /whitelist/network  New: /allow_list/network
- Deprecated: /whitelist/network/{networkUuid}  New: /allow_list/network/{networkUuid}
- Deprecated: /whitelist/network/{networkUuid}/cidr  New: /allow_list/network/{networkUuid}/cidr
- Deprecated: /whitelist/network/{networkUuid}/cidr/{cirdUuid}  New: /allow_list/network/{networkUuid}/cidr/{cirdUuid}
The x-redlock-status header values have been updated in a similar manner (e.g., login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field).

Cloud accounts and GCP Folders
There are additions to the cloud account REST APIs, including additions to the request parameters to onboard cloud accounts, to support the new Support for GCP Folders feature.

Anomalies Trusted List
There are new REST API endpoints to support the anomalies trusted list.

Amazon SQS integration
The REST API for Amazon SQS integration has some new, optional request parameters.

Policies
There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.

Alerts
Requests to list alerts by policy (GET or POST /alert/policy) no longer include alert rules in the response object. Alert rules are available through requests for individual alert information.
Posted 09-01-2020 12:56 PM
New Features Introduced in 20.11.2

New Features

Additional Billable Resources
The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits:
- Azure: Azure PostgreSQL Database
- Azure: SQL Managed Instance
- GCP: GCP Load Balancing
- GCP: Cloud NAT
With this update, the current list of resources counted towards Prisma Cloud credits is the following:
- AWS: EC2, RDS, Redshift, ELB, NAT gateway
- Azure: Virtual Machines, SQL DB, PostgreSQL, SQL Managed Instance, Load Balancer
- GCP: GCE, CloudSQL, Cloud Load Balancing, Cloud NAT
- Alibaba Cloud: ECS

RQL Syntax Updates for Extensibility
The Prisma Cloud RQL syntax is updated to enable better visibility and support ingestion of new data sources to monitor your resources deployed across different cloud platforms. All the existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches, and recent searches on the Investigate page will be automatically updated to this new syntax and need no action from you. For any out-of-band policies or automation scripts using the Prisma Cloud search API (https://api.<your Prisma Cloud tenant URL>/search/), make sure to update the syntax as follows:
- config where <rest of the query>  becomes  config from cloud.resource where <rest of the query>
- event where <rest of the query>  becomes  event from cloud.audit_logs where <rest of the query>
- network where <rest of the query>  becomes  network from vpc.flow_records where <rest of the query>
The config where, event where, and network where query formats are deprecated. To give you time to adopt the language changes, RQL statements will still work with the older syntax. When creating new queries or saved searches, use the new query format, because the older syntax will be removed in a future release.

New Look Policies Table
The Policies page is updated with a new layout that supports a quicker page load time and better visual appeal, and includes a new Group By option so you can aggregate policies using criteria that are important to you.

Jenkins Plugin for Scanning IaC Templates
Try the new Jenkins plugin to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. This functionality allows you to define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production. The failure criteria you define are compared against the number of actual issues found to conclude a pass or fail result. The Jenkins plugin enables you to scan Terraform v.11 through v.13, AWS CFT, and Kubernetes manifests. The file extensions supported are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform.

Plugin Updates to support IaC Scan API v2
The currently available Prisma Cloud plugins or extensions for Visual Studio Code, Azure DevOps, GitLab (SCM and CI/CD), and GitHub are updated to use the IaC Scan API v2, and the installation and setup workflows are simplified.

Build Alert Rules and Resource List for IaC Scan
Resource Lists on Prisma Cloud provide visibility and the permissions to view IaC scan results on the Prisma Cloud administrative console. You can specify any tags or labels to identify cloud resources in a Resource List on Prisma Cloud and define role-based access control to specific administrative users only. These users can then view the scan results on the DevOps Inventory for the IaC templates that match the specified tags. For build-time checks of IaC templates, you can also now define Build alert rules, where you choose the policies to detect security issues or misconfiguration and associate a resource list to match for specific tags. Build alert rules do not create new alerts or notifications for policy violations, but they help you ensure that all IaC templates that include specific tags are consistently scanned against the same set of policies. You can then view the scan results on the DevOps Inventory.

DevOps Inventory
Use Inventory > DevOps to review the IaC scan results. The DevOps Inventory provides a bird's-eye view of the total number of IaC scans performed across all the Prisma Cloud IaC Scan plugins, including twistcli and direct access to the IaC Scan APIs. It also displays how many scans passed or failed policy checks, and how they sort by severity for your enforcement standards. The visual dashboard provides scan trends and results grouped by the repository that hosts your source code or templates. The tabular view includes details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and the resource list. When a template fails the scan, the scan results display the count of the security issues detected, sorted by severity, and the list of policies that caused the failure.

API Ingestion
- AWS Directory Service: aws-ds-directory
  Additional permissions required: ds:DescribeDirectories, ds:ListTagsForResource
- AWS Web Application Firewall (v2): aws-waf-v2-global-web-acl-resource
  Additional permissions required: wafv2:GetWebACL, wafv2:GetLoggingConfiguration
- Azure SQL Database: azure-sql-server-list
  The API is updated to retrieve the API lock and tag information in the JSON response.
- Azure Monitor: azure-monitor-log-profiles-list
  Additional permissions required: microsoft.insights/diagnosticSettings/read. The azure_prisma_cloud_read_only_role.json will be updated to include this permission.
- Azure Storage: azure-storage-account-list
  Updated the API to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.

Policy and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.

New Policies
The following new policies are being added:
- Azure Active Directory Guest users found
  Identifies guest user accounts added on your Azure Active Directory instance to give you visibility so that you can review these accounts and reduce risk. Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.
- Azure Cosmos DB IP range filter not configured
  Identifies Azure Cosmos databases where the IP range filter is empty and does not restrict access to a defined set of IP addresses or IP range.
- AWS SageMaker notebook instance is not placed in VPC
  Identifies SageMaker notebook instances that are not placed inside a VPC, to ensure that they cannot be accessed outside a VPC network.
- AWS SageMaker notebook instance not encrypted using Customer Managed Key
  Identifies SageMaker notebook instances that are not encrypted using a Customer Managed Key, to give you more granular control over the data-at-rest encryption/decryption process and meet compliance requirements.
- AWS SageMaker notebook instance IAM policy overly permissive to all traffic
  Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic and do not restrict access to authorized users and applications only.
- GCP Kubernetes cluster node auto-upgrade configuration disabled
  Identifies GCP Kubernetes cluster nodes where the auto-repair configuration is disabled, and therefore the nodes in your cluster are not up to date with the cluster master version when your master is updated.
- GCP Kubernetes cluster node auto-repair configuration disabled
  Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled, which prevents periodic checks on the health state of each node in your cluster.
- GCP Kubernetes Cluster Shielded GKE Nodes feature disabled
  Identifies Kubernetes clusters for which Shielded GKE Nodes is not enabled, to harden the underlying node and protect against a host of attacks against boot and rootkits.

Policy Updates—Recommendation
- AWS Default Security Group does not restrict all traffic
  Updated Recommendation: The recommendation is updated to meet the revised CIS guideline for the policy.

Policy Updates—RQL and Metadata
- AWS Elasticsearch IAM policy allows internet traffic
  Updated RQL: The RQL has been updated to

      config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists

  With this change, the policy is enhanced to check for the IPv6 default route ::/0.
- Azure Security Center email notification for subscription owner is not set
  Updated Metadata: Displays the timestamp for the lastModifiedOn attribute to indicate when the last change was made in Azure Security Center.
- Azure Monitor log profile does not capture all activities
  Updated RQL: The RQL has been updated to

      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)'

  With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
- Azure log profile not capturing activity logs for all regions
  Updated RQL: The RQL has been updated to

      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false'

  With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
- Activity Log Retention should not be set to less than 365 days
  Updated RQL: The RQL has been updated to

      config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'

  With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
- Azure SQL Database with Auditing Retention less than 90 days
  Updated RQL: The RQL has been updated to

      config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;

  With this change, the policy checks the audit policy configured for the SQL server. Some alerts may be reopened due to this additional check.

REST API Updates
- Resource List APIs
  A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud.
- Update: Deprecated Prisma Cloud Licensing APIs have been removed
  The following deprecated APIs have been removed:
  - POST /usage/{cloud_type}
  - POST /timeline/usage
  - POST /v2/usage
Posted 12-08-2020 02:45 PM
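The RQL syntax migration described in the 20.11.2 notes, together with the AutoFocus threat-source rename from the July 14, 2020 notes, as an added Python example (not Prisma Cloud's own code or API client): it rewrites the deprecated "config where" / "event where" / "network where" prefixes to the new "from" form and replaces threat.source IN ( 'AF' ) with 'AutoFocus', leaving already-migrated queries untouched so it can be run over an exported set of custom policies more than once. The {"name", "rule"} record shape for exported policies is an assumption, not a documented Prisma Cloud format.

```python
import re

# Added example, not Prisma Cloud code: migrate out-of-band RQL strings to the
# syntax introduced in 20.11.2 and to the renamed AutoFocus threat source.

# Deprecated bare "<type> where" prefixes and the data source each one now names.
LEGACY_SOURCES = {
    "config": "cloud.resource",
    "event": "cloud.audit_logs",
    "network": "vpc.flow_records",
}

# A query that still starts with "<type> where" (any case, any leading whitespace).
_LEGACY_PREFIX = re.compile(r"^\s*(config|event|network)\s+where\b", re.IGNORECASE)

# threat.source IN ( 'AF' ) with flexible spacing; the quote style is captured and reused.
_AF_SOURCE = re.compile(r"(threat\.source\s+in\s*\(\s*)(['\"])AF\2(\s*\))", re.IGNORECASE)


def migrate_prefix(query: str) -> str:
    """Rewrite "config where ..." to "config from cloud.resource where ..." and the
    event/network equivalents. Queries already in the "from" form, or that do not
    start with one of the three deprecated prefixes, are returned unchanged."""
    match = _LEGACY_PREFIX.match(query)
    if match is None:
        return query
    qtype = match.group(1).lower()
    rest = query[match.end():]  # everything after the matched "where"
    return f"{qtype} from {LEGACY_SOURCES[qtype]} where{rest}"


def rename_autofocus_source(query: str) -> str:
    """Replace the retired threat source name 'AF' with 'AutoFocus'."""
    return _AF_SOURCE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}AutoFocus{m.group(2)}{m.group(3)}", query
    )


def migrate_query(query: str) -> str:
    """Apply both rewrites. The result is a fixed point, so running the migration
    twice over the same export is harmless."""
    return rename_autofocus_source(migrate_prefix(query))


def migrate_policies(policies):
    """policies: list of {"name": ..., "rule": <RQL string>} records (an assumed
    shape for an exported custom-policy set). Returns (updated records, names
    whose rule text changed) so the operator can review exactly what was touched."""
    updated, changed = [], []
    for policy in policies:
        new_rule = migrate_query(policy["rule"])
        if new_rule != policy["rule"]:
            changed.append(policy["name"])
        updated.append({**policy, "rule": new_rule})
    return updated, changed


if __name__ == "__main__":
    # Constructed sample: two legacy queries quoted in the notes plus one already migrated.
    sample = [
        {"name": "deleted route tables",
         "rule": "config where resource.status = Deleted AND "
                 "api.name = 'aws-ec2-describe-route-tables'"},
        {"name": "cryptominer traffic",
         "rule": "network where dest.publicnetwork IN ('Suspicious IPs') AND "
                 "threat.source IN ( 'AF' ) AND threat.tag.group = 'Cryptominer'"},
        {"name": "already migrated",
         "rule": "event from cloud.audit_logs where cloud.type = 'aws'"},
    ]
    updated, changed = migrate_policies(sample)
    for policy in updated:
        print(f"{policy['name']}: {policy['rule']}")
    print("changed:", changed)  # changed: ['deleted route tables', 'cryptominer traffic']
```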