Prisma Cloud Articles
Features Introduced in 20.9.2

Contents: New Features, New Policy and Policy Updates, REST API Updates

New Features

License Credits Used for Non-Onboarded Cloud Accounts
If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting (such as private cloud or on-premises environments, public cloud providers that are not supported on Prisma Cloud, or accounts that you have not added to Prisma Cloud), you can now view the credits used to protect the associated resources on the Licensing page.

GCP Cloud Account Onboarding Status Updates
When you add your GCP account on Prisma Cloud, the status message now tells you which permissions are missing. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.

Nested Rules in Config RQL to Query Data Within JSON Arrays
Nested rules extend the use of logical expressions to metadata contained within a JSON array, so that you are no longer limited to primitive operators for comparisons and can use a richer query format. With this enhancement, auto-completion for json.rule = also becomes available when you construct RQL.
The enhancement allows you to rewrite RQL that was

    config where api.name= 'a' and json.rule = "$.path[?(@.x == true || @.y == 'str' ..)].val is false"

as

    config where api.name= 'a' and json.rule= "$.path[?any[<logical expression>]] exists | does not exist"

As an example, if you used:

    config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0"

you can now rewrite it as:

    config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty )] exists

Some more examples:

    config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty

    config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists

In the last example, the nested rule checks that toPort and cidrIp match within the same array element.

Policy Descriptor
A human-readable unique policy identifier is added to Prisma Cloud Default policies of type Config, Audit Event, and Network. See the new Policy Descriptor column on the Policies page. This unique descriptor is an additional field; it does not replace the existing Policy ID that is available when you use the REST API.

Support for Audit Event Logs on AWS China and Azure China
Prisma Cloud tenants deployed on AWS China and Azure China regions can now ingest events recorded in audit logs from your cloud environments. With this data, you can use event where RQL queries and see alerts for policies that match on audit events to identify compliance and operational risks across your infrastructure.
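To make the "same array element" point of the nested-rules feature concrete, here is an added Python illustration. It is not Prisma Cloud code and not its RQL engine; it re-expresses the logic of the security-group example above over constructed records shaped like aws-ec2-describe-security-groups output (the record shape, and treating a permission with no toPort as non-matching, are assumptions). It compares the correlated check, where both conditions must hold on one ipPermissionsEgress element as the nested rule expresses, with an uncorrelated check that tests toPort and cidrIp anywhere in the array, and shows the latter raising a false positive.

```python
"""Added illustration of nested-rule (per-element) matching; not Prisma Cloud code.

Records mimic the shape of aws-ec2-describe-security-groups output (assumed):
each egress permission carries a toPort and a list of ipv4Ranges with a cidrIp.
"""


def range_not_matching_0_0(ip_range):
    # Mirrors the page's `cidrIp does not contain "0.0"` (a literal substring test).
    return "0.0" not in ip_range.get("cidrIp", "")


def permission_matches(perm):
    # One ipPermissionsEgress element must satisfy BOTH conditions:
    # toPort greater than 22 AND ipv4Ranges[?any(cidrIp does not contain "0.0")] exists.
    # A permission without toPort (e.g. ipProtocol -1) is treated as non-matching (assumption).
    to_port = perm.get("toPort")
    if not isinstance(to_port, int):
        return False
    return to_port > 22 and any(range_not_matching_0_0(r) for r in perm.get("ipv4Ranges", []))


def correlated_check(security_group):
    # ipPermissionsEgress[?any(...)] exists: some single element matches the whole expression.
    return any(permission_matches(p) for p in security_group.get("ipPermissionsEgress", []))


def uncorrelated_check(security_group):
    # What a projection-style query that loses element identity amounts to:
    # "some toPort > 22 anywhere" AND "some cidrIp without '0.0' anywhere",
    # possibly taken from two different rules.
    perms = security_group.get("ipPermissionsEgress", [])
    some_port = any(isinstance(p.get("toPort"), int) and p["toPort"] > 22 for p in perms)
    some_cidr = any(range_not_matching_0_0(r) for p in perms for r in p.get("ipv4Ranges", []))
    return some_port and some_cidr


# Constructed sample security groups (not real resources).
SG_DECOY = {  # a port > 22 and a specific CIDR both exist, but on different rules
    "groupName": "decoy",
    "ipPermissionsEgress": [
        {"toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"toPort": 22, "ipv4Ranges": [{"cidrIp": "192.168.1.0/24"}]},
    ],
}
SG_HIT = {  # one rule carries both conditions
    "groupName": "hit",
    "ipPermissionsEgress": [
        {"toPort": 3306, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "172.16.5.0/24"}]},
    ],
}
SG_CLEAN = {  # all-traffic rule without a toPort
    "groupName": "clean",
    "ipPermissionsEgress": [
        {"ipProtocol": "-1", "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ],
}


def evaluate_all():
    # Returns {groupName: (correlated_result, uncorrelated_result)} for the samples.
    return {
        sg["groupName"]: (correlated_check(sg), uncorrelated_check(sg))
        for sg in (SG_DECOY, SG_HIT, SG_CLEAN)
    }


if __name__ == "__main__":
    for name, (corr, uncorr) in evaluate_all().items():
        print(f"{name}: nested-rule match={corr}, uncorrelated match={uncorr}")
```

The decoy group is where the two forms diverge: the uncorrelated check reports it because a wide-open rule and a high-port rule both exist somewhere in the array, while the per-element check correctly stays quiet because no single egress rule combines a port above 22 with a range outside the substring test.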
API Ingestion

AWS Transit Gateway: aws-vpc-transit-gateway
Additional permissions required: ec2:DescribeTransitGateways
The permission is included with the SecurityAudit predefined role.

AWS Database Migration Service: aws-dms-endpoint
Additional permissions required: dms:DescribeEndpoints, dms:ListTagsForResource
The permissions are included with the SecurityAudit predefined role.

Updated: AWS Elastic Beanstalk: aws-elasticbeanstalk-configuration-settings
Additional permissions required: s3:GetObject for the following resources:
- AWS commercial: arn:aws:s3:::elasticbeanstalk-*/*
- AWS GovCloud and FedRAMP: arn:aws-us-gov:s3:::elasticbeanstalk-*/*
- AWS China: arn:aws-cn:s3:::elasticbeanstalk-*/*
The CFTs are updated to include a new policy, PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk.

Azure Compute: azure-disk-list

Azure Logic Apps: azure-logic-app-custom-connector
Additional permissions required: Microsoft.Web/customApis/read
If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json.

Azure Resource Manager: azure-role-assignment

Azure Virtual Network: azure-network-public-ip-address
Additional permissions required: Microsoft.Network/publicIPAddresses/read
If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json.

Google Cloud Bigtable: gcloud-bigtable-table
Additional permissions required: bigtable.tables.list, bigtable.tables.getIamPolicy
These permissions are included in the predefined Project Viewer role.

Google Access Context Manager: gcloud-access-policy
Additional permissions required: accesscontextmanager.accessPolicies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list
These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined role Access Context Manager Reader.
Google Compute Engine: gcloud-compute-route
Additional permissions required: compute.routes.list
The permission is included in the predefined Project Viewer role.

Terraform Script Updates
If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not part of the predefined Viewer role.
Permissions added:
- storage.buckets.getIamPolicy
- pubsub.topics.getIamPolicy
- pubsub.subscriptions.getIamPolicy
- pubsub.snapshots.getIamPolicy
- bigquery.tables.get
- bigquery.tables.list
GCP APIs additionally enabled by default:
- accesscontextmanager.googleapis.com
- pubsub.googleapis.com
- run.googleapis.com
- appengine.googleapis.com
- serviceusage.googleapis.com
- bigtableadmin.googleapis.com
- dataproc.googleapis.com
- recommender.googleapis.com
- cloudfunctions.googleapis.com
- redis.googleapis.com

Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads
The AWS CFTs now include additional permissions to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud.
- PrismaCloud-ReadOnly-Policy-Compute role: the CFT used for Monitor mode includes the additional permissions associated with this new role, to enable monitoring of resources that are onboarded for Prisma Cloud Compute.
- PrismaCloud-Remediation-Policy-Compute role: the CFT used for Monitor & Protect mode includes the additional permissions associated with this new role, to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.
If you do not use the host, serverless function, and container capabilities enabled with Prisma Cloud Compute for the AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.
Prisma Cloud checks whether the Compute permissions are enabled only if you have one or more Compute workloads deployed on the onboarded AWS cloud accounts. The cloud account status transitions from green to amber only when you have Compute workloads deployed and the additional permissions are not enabled for Monitor, or Monitor & Protect, mode.

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.

New Policies

AWS S3 Buckets Block public access setting disabled
Identifies AWS S3 buckets with the Block public access setting disabled. Enabling Block public access on publicly accessible S3 buckets ensures that data is never accidentally or maliciously exposed publicly. This policy includes the CLI for automated remediation, when you provide the required permissions.

Saved Search Additions
The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:
- AWS IAM user/role/policy has unused permissions in the last 90 days_RL
- AWS S3 bucket having policy overly permissive to VPC endpoints
- AWS IAM role with cross-account access_RL

Policy Updates—RQL and Metadata
The RQL in the following policies is updated:

Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol
Policy Name Updated: Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
Updated RQL: the RQL has been updated to handle traffic on protocol 'tcp' and 'any' (*) properly. With this change the policy alerts on inbound traffic using TCP.
    config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"

Azure Network Security Group allows SQL Server (UDP Port 1434)
Policy Name Updated: Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
Updated RQL: the RQL has been updated. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"

Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
Policy Name Updated: Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
Updated RQL: the RQL has been updated. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"

Azure Network Security Group allows ICMP (Ping)
Updated RQL: the RQL has been updated to handle ICMP pings from both the 'Any' source and the 'Internet' service tag. This change affects the number of alerts generated against this policy.

    config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains *"

AWS Default Security Group does not restrict all traffic
Updated RQL and Recommendation instructions: the RQL now handles all default security groups that have inbound or outbound rules, irrespective of whether the attached IP range is public or private. This change affects the number of alerts generated against this policy.

    config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'

AWS S3 buckets are accessible to public
Updated Remediation: the remediation has been removed because the RQL update requires pipelined multiline execution of CLI commands, which is currently not supported on Prisma Cloud. With this change, this policy is no longer Remediable from Prisma Cloud.
Updated RQL: the RQL has been updated to check the S3 account-level block public access setting (aws-s3control-public-access-block) and to verify when the account-level setting has not been modified. With this change, any inaccurately generated alerts are resolved.

    config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist"

Policy Deletions
The following policy is being removed from Prisma Cloud:
- AWS SQS does not have a dead letter queue configured
Any open alerts generated against this policy will be resolved and marked Policy Deleted.

REST API Updates

Infrastructure-as-Code (IaC) Scan Service
A new set of APIs enables you to interact with the Prisma Cloud IaC scan service to scan templates against policies asynchronously.
The new APIs are:
- POST /scans
- POST /scans/{scanId}
- GET /scans/{scanId}/status
- GET /scans/{scanId}/results

User Role
The response object for the following APIs includes a new property, additionalAttributes.hasDefenderPermissions:
- GET /user/role
- GET /user/role/{id}
The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:
- POST /user/role
- PUT /user/role/{id}

Policy
The response object for GET /filter/policy/suggest includes a new filter suggestion, policy.class.
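The three updated NSG policies above (UDP 1434, TCP 22, ICMP) all enumerate the same four-way split: the named protocol or '*', source '*' or the 'Internet' service tag, and the port found either in the scalar destinationPortRange or in the destinationPortRanges list. The following Python is an added illustration of that logic, not Prisma Cloud code: it evaluates all three checks over constructed records shaped like azure-network-nsg-list output. The port-range semantics (a range such as 1000-2000, or '*', counts as containing the port, standing in for _Port.inRange as used on the page) and the record shape are assumptions.

```python
"""Added illustration of the updated Azure NSG policy logic; not Prisma Cloud code."""

INTERNET_SOURCES = ("*", "Internet")  # the two source prefixes the updated RQL tests


def port_range_contains(range_text, port):
    # Assumed semantics standing in for `destinationPortRange contains _Port.inRange(p,p)`:
    # "*" matches any port, "a-b" matches when a <= port <= b, "n" matches exactly.
    if range_text == "*":
        return True
    if "-" in range_text:
        low, high = range_text.split("-", 1)
        return int(low) <= port <= int(high)
    return range_text.isdigit() and int(range_text) == port


def rule_ranges(rule):
    # The port RQLs check both the scalar destinationPortRange and the destinationPortRanges list.
    ranges = []
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ranges.extend(rule.get("destinationPortRanges", []))
    return ranges


def rule_exposes(rule, protocol, port):
    # Allow + Inbound + source '*' or 'Internet' + protocol named or '*' + port covered.
    if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
        return False
    if rule.get("sourceAddressPrefix") not in INTERNET_SOURCES:
        return False
    if rule.get("protocol") not in (protocol, "*"):
        return False
    if port is None:
        # ICMP variant: the page's RQL only tests the scalar destinationPortRange for '*'.
        return rule.get("destinationPortRange") == "*"
    return any(port_range_contains(r, port) for r in rule_ranges(rule))


def nsg_findings(nsg):
    # Evaluate the three updated policies against one NSG record.
    rules = nsg.get("securityRules", [])
    return {
        "sqlserver_udp_1434": any(rule_exposes(r, "Udp", 1434) for r in rules),
        "ssh_tcp_22": any(rule_exposes(r, "Tcp", 22) for r in rules),
        "icmp_ping": any(rule_exposes(r, "Icmp", None) for r in rules),
    }


SAMPLE_NSGS = [  # constructed records, not real resources
    {
        "name": "nsg-mixed",
        "securityRules": [
            {"name": "allow-rdp-corp", "access": "Allow", "direction": "Inbound",
             "sourceAddressPrefix": "10.0.0.0/8", "protocol": "Tcp", "destinationPortRange": "3389"},
            {"name": "allow-udp-range-any", "access": "Allow", "direction": "Inbound",
             "sourceAddressPrefix": "*", "protocol": "Udp", "destinationPortRanges": ["1000-2000", "5000"]},
            {"name": "allow-ssh-egress", "access": "Allow", "direction": "Outbound",
             "sourceAddressPrefix": "Internet", "protocol": "Tcp", "destinationPortRange": "22"},
            {"name": "deny-all-in", "access": "Deny", "direction": "Inbound",
             "sourceAddressPrefix": "*", "protocol": "*", "destinationPortRange": "*"},
        ],
    },
    {
        "name": "nsg-wide-open",
        "securityRules": [
            {"name": "allow-any-internet", "access": "Allow", "direction": "Inbound",
             "sourceAddressPrefix": "Internet", "protocol": "*", "destinationPortRange": "*"},
        ],
    },
]


def evaluate_samples():
    # Returns {nsgName: findings} for the constructed records.
    return {nsg["name"]: nsg_findings(nsg) for nsg in SAMPLE_NSGS}


if __name__ == "__main__":
    for name, findings in evaluate_samples().items():
        print(name, findings)
```

The mixed NSG shows why the list form matters: its UDP rule exposes 1434 only through the "1000-2000" entry of destinationPortRanges, which a check limited to the scalar field would miss, while its port 22 rule is outbound and its RDP rule has a specific source, so neither counts. The wide-open NSG trips all three checks through a single protocol '*' rule, which is the case the 'any' (*) handling was added for.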
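The updated RQL for "AWS S3 buckets are accessible to public" combines two exposure paths (an AllUsers ACL grant, a public bucket policy) with two layers of Block Public Access settings (bucket-level and account-level), and excludes static-website buckets. The following Python is an added re-expression of that RQL, not Prisma Cloud code, evaluated over constructed records that follow the field names in the query (the record shape, including grantee appearing as the string "AllUsers", is an assumption taken from the RQL text).

```python
"""Added illustration of the updated "AWS S3 buckets are accessible to public" logic.
Not Prisma Cloud code: it re-expresses the RQL in Python over constructed records.

Record shape (assumed, following the field names in the RQL):
  acl.grants[].grantee == "AllUsers"          -> public via ACL
  policyStatus.isPublic                        -> public via bucket policy
  publicAccessBlockConfiguration               -> bucket-level block settings (may be absent)
  accountLevelPublicAccessBlockConfiguration   -> account-level block settings (may be absent)
  websiteConfiguration                         -> static website hosting (excluded by the policy)
"""


def flag_is_false(block, flag):
    # RQL `<block>.<flag> is false`: the block exists and the flag is explicitly false.
    return block is not None and block.get(flag) is False


def unblocked_at_every_level(bucket_block, account_block, flag):
    # The three alternatives the RQL spells out for ignorePublicAcls / restrictPublicBuckets:
    # the flag is false at every level where a block configuration exists.
    return (
        (flag_is_false(bucket_block, flag) and account_block is None)
        or (bucket_block is None and flag_is_false(account_block, flag))
        or (flag_is_false(bucket_block, flag) and flag_is_false(account_block, flag))
    )


def bucket_is_public(bucket):
    grants = bucket.get("acl", {}).get("grants", [])
    acl_public = any(g.get("grantee") == "AllUsers" for g in grants)
    policy_public = bucket.get("policyStatus", {}).get("isPublic") is True
    bucket_block = bucket.get("publicAccessBlockConfiguration")
    account_block = bucket.get("accountLevelPublicAccessBlockConfiguration")

    no_block_anywhere = bucket_block is None and account_block is None
    exposed = (
        ((acl_public or policy_public) and no_block_anywhere)
        or (acl_public and unblocked_at_every_level(bucket_block, account_block, "ignorePublicAcls"))
        or (policy_public and unblocked_at_every_level(bucket_block, account_block, "restrictPublicBuckets"))
    )
    # Buckets configured for static website hosting are out of scope for this policy.
    return exposed and "websiteConfiguration" not in bucket


# Constructed sample records (not real buckets).
SAMPLE_BUCKETS = {
    "acl-public-no-blocks": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
    },
    "acl-public-account-block-on": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "accountLevelPublicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": True},
    },
    "policy-public-both-blocks-off": {
        "acl": {"grants": []},
        "policyStatus": {"isPublic": True},
        "publicAccessBlockConfiguration": {"restrictPublicBuckets": False},
        "accountLevelPublicAccessBlockConfiguration": {"restrictPublicBuckets": False},
    },
    "policy-public-bucket-block-on": {
        "acl": {"grants": []},
        "policyStatus": {"isPublic": True},
        "publicAccessBlockConfiguration": {"restrictPublicBuckets": True},
    },
    "website-bucket": {
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "websiteConfiguration": {"indexDocument": "index.html"},
    },
}


def evaluate_samples():
    # Returns {bucketLabel: alerts?} for the constructed records.
    return {name: bucket_is_public(b) for name, b in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for name, public in evaluate_samples().items():
        print(f"{name}: alert={public}")
```

The second sample is the case the update was made for: an AllUsers grant on a bucket in an account whose account-level setting has ignorePublicAcls enabled is not reachable, so the earlier RQL, which looked only at the bucket, would have alerted where the updated one does not.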
Features Introduced in 20.10.1

Contents: New Features, New Policy and Policy Updates, REST API Updates

New Features

Role-Based Authentication on Amazon SQS Integration
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.

Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS
The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, the updated requirements and sections add coverage for BigQuery and IAM on GCP, and for IAM, SNS, and S3 on AWS. Refer to the CIS benchmarks for details on all the services that are in scope for the update.

Trusted Source Exclusion for UEBA Anomaly Policies
To exclude internal or external IP addresses, such as addresses that belong to system administrators or that you use for testing access to new instances or services, you can now add them in CIDR format on Settings > Anomaly Settings > Anomaly Trusted List. Addresses included in this list do not generate alerts against the specified Prisma Cloud Anomaly Policies.
If you had previously specified these IP addresses on Settings > Trusted IP Addresses > Trusted Alert IP Addresses, use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add a CIDR block to the Anomaly Trusted List, you can specify the cloud account or VPC with which the addresses are associated.
API Ingestion

AWS Glue: aws-glue-connection
Additional permissions required: glue:GetConnection

Azure Virtual Network is updated to include information on loadBalancerBackendAddressPools for:
- azure-network-lb-list
- azure-network-nic-list

Azure Event Hub: azure-event-hub
Additional permissions required:
- Microsoft.EventHub/namespaces/eventhubs/read
- Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read
If you use the Terraform templates that Prisma Cloud provides for onboarding, the permissions are added to the azure_prisma_cloud_read_only_role.json.

Google Cloud Spanner: gcloud-cloud-spanner-instance
Additional permissions required: spanner.instances.list
The permission is included in the predefined Project Viewer role.

Update: Risk Rating is Removed
Prisma Cloud has removed Risk Rating from the following places:
- On Dashboard > SecOps, the Risk Rating By Scanned Accounts widget.
- On the Cloud Security Assessment report, the Scanned Resources by Risk Rating chart.
- On Alerts > Overview, the filter for Risk Grade.
- The Rating column on the Alerts details page.
- The Rating column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.
The deprecation notice was published starting 20.8.2.

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.

New Policies

GCP SQL database is assigned with public IP
Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks.

GCP VM instance with the external IP address
Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have public/external IP addresses and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet.
GCP VM instance with Shielded VM features disabled
Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.

GCP SQL database instance is not configured with automated backups
Identifies GCP SQL database instances that are not configured with automated backups to protect against loss or damage.

AWS Network ACLs allow ingress traffic to server administration ports
Identifies AWS Network Access Control Lists (NACLs) that include rules allowing ingress traffic on server administration ports.

Policy Updates—RQL and Metadata
The following policies are updated:

Azure disk is unattached and not encrypted
Policy Name Updated: Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK
Updated RQL: the RQL has been updated to

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

With this change the policy identifies Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure Data disk is not encrypted
Policy Name Updated: Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK
Updated RQL: the RQL has been updated to

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

With this change the policy identifies Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].

Azure disk for VM operating system is not encrypted at rest using ADE
Policy Name Updated: Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK
Updated RQL: the RQL has been updated to

    config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'

With this change the policy identifies Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].

SQL Instances do not have SSL configured
Updated RQL: the RQL has been updated to

    config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)"

With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled.
REST API Updates

Update: Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed
The following APIs have been removed:
- GET /whitelist/network
- POST /whitelist/network
- GET /whitelist/network/{uuid}
- PUT /whitelist/network/{uuid}
- POST /whitelist/network/{uuid}/cidr
- PUT /whitelist/network/{uuid}/cidr/{cidrUuid}
- DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}
- GET /ip_whitelist_login
- POST /ip_whitelist_login
- GET /ip_whitelist_login/{id}
- PUT /ip_whitelist_login/{id}
- DELETE /ip_whitelist_login/{id}
- GET /ip_whitelist_login/status
- PATCH /ip_whitelist_login/status
- GET /ip_whitelist_login/tab

Update: Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed
The enterprise settings model fields anomalyTrainingModelThreshold and anomalyAlertDisposition have been removed. These fields are no longer in:
- The response object for GET /settings/enterprise
- The request body parameters for POST /settings/enterprise

Amazon SQS integration
The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:
- integrationConfig.roleArn
- integrationConfig.externalId
The APIs that include these new request body parameters are:
- POST /integration/test
- POST /integration
- PUT /integration/{id}

Resource RRN
The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property, idmapId. The response object for each of the following APIs includes this new property:
- GET /resource
- GET /resource/raw
Explore the new features introduced in October 2020. Here are the Prisma Cloud release notes for features introduced in 20.10.1.
Explore the new features introduced in October 2020. Here are the Prisma Cloud release notes for features introduced in 20.10.2.
Explore the new features introduced in November 2020. Here are the Prisma Cloud release notes for features introduced in 20.11.1.
Explore the new features introduced in December 2020. Here are the Prisma Cloud release notes for features introduced in 20.12.1.