Prisma Cloud Articles

Explore the new features introduced in December 2020. Here are the Prisma Cloud release notes for features introduced in 20.12.2.

Prisma Cloud Product and Customer Success: Webinar Recordings   Date Topic Details Tuesday, Jan.19th @ 10am PT / 1pm ET Office Hours With Prisma Cloud Product Management: 2021 Release Overview of Prisma Cloud Compute and Enterprise (Cloud Workload Protection Platform & Cloud Security Posture Management) - REGISTER HERE   Join us this month to get insight into the latest release of Prisma Cloud Enterprise including our Cloud Security Posture Management, and Cloud Workload Protection Platforms. The Prisma Cloud Product Management team will present a overviews and hands-on demos of the new features we’ve added in the latest major release, such as Web-Application and API Security (WAAS) updates, host security, container security, and shift-left enhancements in Prisma Cloud Compute (CWPP), as well as Alarm Center updates in Prisma Cloud Enterprise (CSPM). Dec. 2020   The new Prisma Cloud IAM Security module is an industry-leading CIEM solution. it automatically calculates effective permissions across cloud service providers, detects overly permissive access and suggests corrections to reach least privilege entitlements. Join the IAM PM team (Bar Schwartz, Shaked Zin) as they present a hands-on demo of the new module. Nov. 2020   New Prisma Cloud DevOps Inventory UI is coming in 20.11.2! Join us to learn to configure this UI as well as brand new "build" alert rules. In addition, we will talk about drift detection, and sign up interested customers for the upcoming design partner program. The microsegmentation private beta is released on Prisma Cloud! Join us for a walk thru of the product and how it will fit into the Cloud Network Security module. Learn how you can visualize and secure communications in kubernetes, between VMs and/or containers, using identity. We will also talk about how to identify customers that would be a good fit for the private beta. Oct. 2020   I ntroducing Prisma Cloud Compute 20.09, the latest update to our Cloud Workload Protection Platform. Join the Compute PM team (Aqsa Taylor, Avi Shulman, Hari Srinivasan, Tomer Spivak, and Pradnesh Patil) as they present a hands-on demo of the new features we’ve added in the latest major release, such as cluster aware radar, git repo scanning, enhanced host security, and Compute SaaS integration in Prisma Cloud Enterprise Edition. Sep. 2020 Learn about what is new in the upcoming Prisma Cloud Compute Release - Enhanced cluster awareness across the product, more integrated Cloud Account onboarding process between Compute and the Prisma Cloud platform, our first step in securing packages prior to build time with GIT repository scanning, an enhanced look to our Host security and our new and improved application firewall capability, transitioning CNAF into WAAS (Web Application and API Security). Aug. 2020  Learn about the recent releases and the product roadmap July 2020  Autofocus Integration (Network Security) & Micro-secementation Jun. 2020 Brief  preview of upcoming  Data Security module and Q&A about Data security May  2020 Learn about the recent releases and the roadmap Apr. 2020 For developers & DevOps: tools to use natively in their IDE, Git and CICD environments; and Prisma Cloud - Compute integration features Mar. 2020 Malware — Investigate and Remediate Feb. 2020 Malware — Incident and Impact Jan. 2020 Upcoming New Features in Prisma Cloud Dec. 2019 Prisma Cloud + TwistLock Integration Nov. 2019 Learning to manage alerts Oct. 2019 Learning to use RQL  

Features Introduced in 20.10.1   New Features New Policy and Policy Updates REST API Updates New Features                           FEATURE DESCRIPTION Role-Based Authentication on Amazon SQS Integration When   integrating   Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.     Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, requirements and sections are updated on GCP to add support for BigQuery, IAM, and AWS adds IAM, SNS, S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update.     Trusted Source Exclusion for UEBA Anomaly Policies To exclude internal or external IP addresses, such as addresses that belong to system administrators or those you use for testing access to new instances or services, you can now add in a CIDR format on   Settings Anomaly Settings Anomaly Trusted List . Any addresses included in this list will not generate alerts against the specified Prisma Cloud Anomaly Policies.     If you had previously specified these IP addresses on   Settings Trusted IP Addresses Trusted Alert IP Addresses , use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add the   CIDR block   to the   Anomaly Trusted List   you can specify a specific cloud account or VPC with which the addresses are associated. API Ingestion AWS Glue aws-glue-connection Additional permissions required: Permission: glue:GetConnection Azure Virtual Network is updated to include information on   loadBalancerBackendAddressPools   for: azure-network-lb-list azure-network-nic-list Azure Event Hub azure-event-hub Additional permissions required: "Microsoft.EventHub/namespaces/eventhubs/read" "Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read" If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Google Cloud Spanner gcloud-cloud-spanner-instance Additional permissions required: spanner.instances.list These permissions are included in the predefined Project Viewer role. Update   Risk Rating is Removed Prisma Cloud has removed Risk rating from the following places:   On   Dashboard SecOps , the   Risk Rating By Scanned Accounts   widget.   On the   Cloud Security Assessment   report, the Scanned Resources by Risk Rating chart.   On   Alerts Overview , the filter for Risk Grade.   In the   Rating   column on the Alerts details page.   Rating   column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.   The deprecation notice was published starting 20.8.2. New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                     POLICY NAME DESCRIPTION New Policies GCP SQL database is assigned with public IP —Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks. GCP VM instance with the external IP address —Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have public/external IP address and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet. GCP VM instance with Shielded VM features disabled —Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. GCP SQL database instance is not configured with automated backups —Identifies the GCP SQL database instances that are not configured with automated backups to protect against loss or damage. AWS Network ACLs allow ingress traffic to server administration ports —Identifies AWS Network Access Control List (NACL) that include rules to allow ingress traffic on server administration ports. Policy Updates—RQL and Metadata The following policies are updated: Azure disk is unattached and not encrypted Policy Name Updated— Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].   Azure Data disk is not encrypted Policy Name Updated— Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].   Azure disk for VM operating system is not encrypted at rest using ADE Policy Name Updated— Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].   SQL Instances do not have SSL configured Updated RQL—The RQL has been updated to config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)" With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled. REST API Updates                   CHANGE DESCRIPTION Update   Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed The following APIs have been removed:   GET /whitelist/network   POST /whitelist/network   GET /whitelist/network/{uuid}   PUT /whitelist/network/{uuid}   POST /whitelist/network/{uuid}/cidr   PUT /whitelist/network/{uuid}/cidr/{cidrUuid}   DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}   GET /ip_whitelist_login   POST /ip_whitelist_login   GET /ip_whitelist_login/{id}   PUT /ip_whitelist_login/{id}   DELETE /ip_whitelist_login/{id}   GET /ip_whitelist_login/status   PATCH /ip_whitelist_login/status   GET /ip_whitelist_login/tab   Update   Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed The enterprise settings model fields   anomalyTrainingModelThreshold   and   anomalyAlertDisposition   have been removed. These fields are no longer in:   The response object for   GET /settings/enterprise   The request body parameters for   POST /settings/enterprise   Amazon SQS integration The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:   integrationConfig.roleArn   integrationConfig.externalId   The APIs that include these new request body parameters are:   POST /integration/test   POST /integration   PUT /integration/{id}   Resource RRN The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property   idmapId . The response object for each of the following APIs includes this new property:   GET /resource   GET /resource/raw  

  Features Introduced in 20.9.2       New Features New Policy and Policy Updates REST API Updates New Features                                             FEATURE DESCRIPTION License Credits Used for Non-Onboarded Cloud Accounts If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting—such as private cloud or on-premises environments, or public cloud providers that are not supported on Prisma Cloud, or on accounts that you have not added to Prisma Cloud— you can now view the credits used to protect the associated resources on the   Licensing page.     GCP Cloud Account Onboarding Status Updates When you add your GCP account on Prisma Cloud, the status message is improved to inform you of missing permissions. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.     Nested Rules in Config RQL to Query Data Within JSON Arrays Nested rules extend the use of logical expressions for metadata contained within a JSON array so that you can use more than primitive operators for comparisons and a richer query format. With this enhancement, the auto completion for   json.rule =   also becomes available when you construct RQL. The enhancement allows you to rewrite RQL that was config where api.name= 'a' and json.rule = “$.path[?(@.x == true || @.y == 'str' ..)].val is false ” as config where api.name= 'a' and json.rule= "$.path[?any[<logical expression>]] exists | does not exist" As an example, if you used: config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0" you can now rewrite it as: config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty )] exists And some more examples: config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists , where you can check when   toPort   and   cidrIp   are included within the same array element. Policy Descriptor A human readable unique policy identifier is added to Prisma Cloud Default policies of type Config, Audit event and Network. See the new   Policy Descriptor   column on the   Policies   page. This unique descriptor is an additional field, and it does not replace the existing Policy ID that is available when you use the REST API.     Support for Audit Event Logs on AWS China and Azure China Prisma Cloud tenants deployed on AWS China and Azure China regions, can now ingest events recorded in audit logs from your cloud environments. With this data, you can use   event where   RQL queries and see alerts for policies that match on audit events to identify compliance, and operational risks across your infrastructure. API Ingestion AWS Transit Gateway — aws-vpc-transit-gateway Additional permissions required: ec2:DescribeTransitGateways The permission is included with the SecurityAudit predefined role. AWS Database Migration Service — aws-dms-endpoint Additional permissions required: dms:DescribeEndpoints dms:ListTagsForResource The permissions are included with the SecurityAudit predefined role. Updated   AWS Elasticbeanstalk — aws-elasticbeanstalk-configuration-settings Additional permissions required:   s3:GetObject   for the resources on:   AWS commercial arn:aws:s3:::elasticbeanstalk-*/*"   AWS GovCloud and Fedramp arn:aws-us-gov:s3:::elasticbeanstalk-*/*   AWS China arn:aws-cn:s3:::elasticbeanstalk-*/*   The CFTs are updated to include a new policy for   PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk Azure Compute — azure-disk-list Azure Logic Apps — azure-logic-app-custom-connector Additional permissions required: Microsoft.Web/customApis/read If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Azure Resource Manager — azure-role-assignment Azure Virtual Network — azure-network-public-ip-address Additional permissions required: Microsoft.Network/publicIPAddresses/read If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Google Cloud Bigtable — gcloud-bigtable-table Additional permissions required: bigtable.tables.list bigtable.tables.getIamPolicy These permissions are included in the predefined Project Viewer role. Google Access Context Manager — gcloud-access-policy Additional permissions required: accesscontextmanager.accessPolicies.list accesscontextmanager.accessLevels.list accesscontextmanager.servicePerimeters.list These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined role   Access Context Manager Reader . Google Compute Engine — gcloud-compute-route Additional permissions required: compute.routes.list These permissions are included in the predefined Project Viewer role. Terraform Script Updates If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not included in the predefined Viewer role. Permissions added: storage.buckets.getIamPolicy pubsub.topics.getIamPolicy pubsub.subscriptions.getIamPolicy pubsub.snapshots.getIamPolicy bigquery.tables.get bigquery.tables.list GCP APIs additionally enabled by default: accesscontextmanager.googleapis.com pubsub.googleapis.com run.googleapis.com appengine.googleapis.com serviceusage.googleapis.com bigtableadmin.googleapis.com dataproc.googleapis.com recommender.googleapis.com cloudfunctions.googleapis.com redis.googleapis.com Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads The AWS CFTs now have additional permissions added to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud. PrismaCloud-ReadOnly-Policy-Compute   role—CFT used for Monitor mode, includes additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute. PrismaCloud-Remediation-Policy-Compute   role—CFT used for Monitor & Protect mode, includes additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.   If you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute, for AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.   Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the AWS cloud accounts that are onboarded. And the cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for monitor, or monitor and protect modes.   New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                             POLICY NAME DESCRIPTION New Policies AWS S3 Buckets Block public access setting disabled —Identifies AWS S3 buckets with the   Block public access   setting disabled. Enabling   Block public access   on publicly accessible S3 buckets enables you to ensure that data is never accidentally or maliciously exposed publicly. This policy includes the CLI for automated remediation, when you provide the permissions required. Saved Search Additions The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:   AWS IAM user/role/policy has unused permissions in the last 90 days_RL   AWS S3 bucket having policy overly permissive to VPC endpoints   AWS IAM role with cross-account access_RL   Policy Updates—RQL and Metadata The RQL in the following policies are updated: Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol Policy Name Updated— Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol Updated RQL—The RQL has been updated to handle the traffic on protocol 'tcp' and 'any'(*) properly. With this change this policy will alert on inbound traffic using TCP. config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"   Azure Network Security Group allows SQL Server (UDP Port 1434) Policy Name Updated— Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"   Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 Policy Name Updated— Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22 Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"   Azure Network Security Group allows ICMP (Ping) Updated RQL—The RQL has been updated to handle ICMP pings from both Source 'Any' and 'Internet' service tag. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = " securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * "   AWS Default Security Group does not restrict all traffic Updated RQL and the Recommendation instructions—The RQL is now modified to handle all the default Security groups having inbound/outbound rules irrespective of public/private IPrange attached to it. This change affects the number of alerts generated against this policy. config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'   AWS S3 buckets are accessible to public Updated Remediation: The remediation has been removed because the RQL update requires pipelined multiline execution of CLI command, which is currently not supported on Prisma Cloud. With this change, this policy no longer   Remediable   from Prisma Cloud. Updated RQL—The RQL has been updated to check for S3 account level block access ( aws-s3control-public-access-block ) setting and to verify when the account level block access setting is not modified. With this change, any inaccurately generated alerts will get resolved. "config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = \"((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist\"" Policy Deletions The following policies are being removed from Prisma Cloud: AWS SQS does not have a dead letter queue configured Any open alerts generated against this policy will be resolved and marked   Policy Deleted . REST API Updates                 CHANGE DESCRIPTION Infrastructure-As-Code (IaC) Scan Service A new set of APIs enables you to interact with the Prisma Cloud IaC scan service to scan templates to check against policies asynchronously. The new APIs are:   POST /scans   POST /scans/{scanId}   GET /scans/{scanId}/status   GET /scans/{scanId}/results   User Role The response object for the following APIs include a new property   additionalAttributes.hasDefenderPermissions :   GET /user/role   GET /user/role/{id}   The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:   POST /user/role   PUT /user/role/{id}   Policy The response object for GET /filter/policy/suggest includes a new filter suggestion   policy.class .

  Features Introduced in 20.9.1       New Features New Policy and Policy Updates REST API Updates New Features                       FEATURE DESCRIPTION Support for AWS Organizations on Prisma Cloud If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you   add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.     Consolidation of Unusual User Activity / UEBA Anomaly Settings The   Unusual User Activity / UEBA settings   are now on   Settings Anomaly Settings   along with the Anomaly settings for policies that alert you to network-related incidents.     You can now set the thresholds for machine learning—number of days and events—and alert disposition—what vectors to use for identifying unusual —for the policies that detect usual user activity and the account hijacking attempts. Expanded Support for Roles with Just-in-Time (JIT) Provisioning If you use JIT provisioning to   create administrative users   on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud. The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP. Rich Text Editor in Email Notification Template Use the rich text editor to customize the message body in your   email notification   template on   Alerts Notification Templates . And as you craft it, you can preview how the content will look on the right-hand pane.     Limited GA   Prisma Cloud Data Security Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.     API Ingestion AWS AWS Elastic Map Reduce— aws-emr-public-access-block Additional permissions required: elasticmapreduce:GetBlockPublicAccessConfiguration Azure   Azure Event Hubs— azure-event-hubs-namespace   Azure Logic Apps— azure-logic-apps-workflow   GCP   Google Compute—   gcloud-compute-image Additional permissions required: compute.images.list compute.images.getIamPolicy   Google PubSub—   gcloud-pubsub-topic Additional permissions required: pubsub.topics.getIamPolicy pubsub.topics.list   gcloud-pubsub-subscription Additional permissions required: pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list   gcloud-pubsub-snapshot Additional permissions required: pubsub.snapshots.getIamPolicy pubsub.snapshots.list     New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                                               POLICY NAME DESCRIPTION Saved Search Additions The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:   GCP IAM user with overly permissive privileges   GCP IAM user not used for the last 90 days   AWS IAM policy not configured with fine-grained access control, such as such as IP address, Time Of Day, and MFA restrictions   Policy Updates- Metadata Policy Name Update Current Name— Azure Security Center 'Also send email notification to subscription owners' value is not set New Name— Azure Security Center email notification for subscription owner is not set Policy Updates—RQL The RQL in the following policies are updated: AWS Security Groups allow internet traffic to SSH port (22) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to Windows RPC port (135) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to NetBIOS port (138) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to MSQL port (4333) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to RDP port (3389) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to Telnet port (23) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to SQLServer port (1434) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to CIFS port (445) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic to ports which are not commonly used Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = \"(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)\"   AWS Security Groups allow internet traffic from internet to SQLServer port (1433) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to NetBIOS port (137) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS IAM policy allows full administrative privileges Updated RQL—The RQL has been updated toexclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = \"document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy\/AdministratorAccess\"   AWS EKS cluster security group overly permissive to all traffic Updated RQL—The RQL has been updated to exclude security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;   AWS RDS instance with copy tags to snapshots disabled Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'   Azure SQL Database with Auditing Retention less than 90 days Updated the description, recommendation, and RQL. Updated RQL— config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X; REST API Updates               CHANGE DESCRIPTION Cloud Accounts The REST API now support AWS organizations. The following have new request body parameters for this support:   POST /cloud/{cloud_type}   PUT /cloud/{cloud_type}   POST /cloud/status/{cloud_type}   Policies The response object for the REST API request   GET /v2/policy   had included an unused field   openAlertsCount . The response object for   GET /v2/policy   no longer includes this field. The issue ID is RLP-23362.

Office Hours with Product: New Features in Prisma Cloud — host, containers & serverless security   Recording available from the Dec. 2019 customer webinar. Click here to view the recording.

New Features Introduced in 20.11.2 New Features Policy and Policy Updates REST API Updates New Features   FEATURE DESCRIPTION Additional Billable Resources The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits:   Azure—Azure PostgreSQL Database   Azure—SQL Managed Instance   GCP—GCP Load Balancing   GCP—Cloud NAT   With this update, the current list of resources counted towards Prisma Cloud credits are the following:   AWS EC2   RDS   Redshift   ELB   NAT gateway     Azure Virtual Machines   SQL DB   PostgreSQL   SQL Managed Instance   Load Balancer     GCP GCE   CloudSQL   Cloud Load Balancing   Cloud NAT     Alibaba Cloud ECS     RQL Syntax Updates for Extensibility The Prisma Cloud   RQL   syntax is updated to enable better visibility and support ingestion of new data sources to monitor your resources deployed across different cloud platforms. All the existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches and recent searches of the Investigate page on Prisma Cloud will be automatically updated to this new syntax, and do not need any action from you. For any out-of-band policies or automation scripts using Prisma Cloud search API: https://api.<your Prisma Cloud tenant URL>/search/ , make sure to update the syntax as follows:   config where <rest of the query> to   config from cloud.resource where <rest of the query>   event where <rest of the query>   to   event from cloud.audit_logs where <rest of the query>   network where <rest of the query>   to   network from vpc.flow_records where <rest of the query>   The config where, event where and network where query format is being deprecated. To give you time to get used to the language changes, RQL statements will work with the older syntax. When creating new queries or saved searches, please use the new query format, because the older syntax will be removed in a future release. New Look   Policies Table The   Policies   page is updated with a new layout that supports a quicker page load time, better visual appeal, and it includes a new   Group By   option so you can aggregate policies using criteria that is important to you.   Jenkins Plugin for Scanning IaC Templates Try the new   Jenkins plugin   to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. This functionality allows you to define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production. The failure criteria you defined is compared against the number of actual issues found to conclude a pass or fail result. The Jenkins plugin enable you to scan Terraform v.11 through v.13, AWS CFT, and Kubernetes manifests. The file extensions supported are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform. Plugins Updates to support IaC Scan API v2 The currently available Prisma Cloud plugins or extensions for   Visual Studio Code,   Azure DevOps,   GitLab—SCM and CI/CD, and   GitHub   are updated to use the IaC Scan API v2, and the installation and set up workflows are simplified. Build Alert Rules and Resource List for IaC Scan Resource Lists   on Prisma Cloud enable visibility and the permissions to view IaC scan results on the Prisma Cloud administrative console. You can specify any tags or labels to identify cloud resources, in a   Resource List   on Prisma Cloud and define role-based access control to specific administrative users only. These users can then view the scan results, on the   DevOps Inventory , for the IaC templates that match the specified tags. For build-time checks of IaC templates, you can also now define   Build alert rules, where you choose the policies to detect security issues or misconfiguration and associate a resource list to match for specific tags.     Build alert rules do not create new alerts or notifications for policy violations, but they help you ensure all IaC template that include specific tags are consistently scanned against the same set of policies.     You can then view the scan results on the DevOps Inventory. DevOps Inventory Use   Inventory DevOps   to review the IaC scan results. The   DevOps Inventory   provides a bird’s eye view of the total number of IaC scans performed across all the Prisma Cloud IaC Scan plugins including twistcli and directly accessing the IaC Scan APIs. It also displays the results on how many scans passed or failed policy checks, and how they sort by severity for your enforcement standards. The visual dashboard provides scan trends and results grouped by the repository that hosts your source code or templates.     The tabular view includes the details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and resource list. When a template fails the scan, the scan results displays the count of the security issues detected— sorted by severity—and the list of policies that caused the failure.         API Ingestion AWS Directory Service — aws-ds-directory Additional permissions required: ds:DescribeDirectories ds:ListTagsForResource AWS Web Application Firewall (v2) — aws-waf-v2-global-web-acl-resource Additional permissions required: wafv2:GetWebACL wafv2:GetLoggingConfiguration   Azure SQL Database — azure-sql-server-list The API is updated to retrieve the API lock and tag information in the JSON response.   Azure Monitor   — azure-monitor-log-profiles-list Additional permissions required: microsoft.insights/diagnosticSettings/read The azure_prisma_cloud_read_only_role.json will be updated to include this permission.   Azure Storage — azure-storage-account-list Updated the API to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.     Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.   NEW POLICIES AND POLICY UPDATES New Policies The following new policies are being added: Azure Active Directory Guest users found Identifies guest user accounts added on your Azure Active Directory instance to give you visibility so that you can review these accounts and reduce risk.Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.   Azure Cosmos DB IP range filter not configured Identifies Azure Cosmos databases where the IP range filter is empty and it does not restrict access to a defined set of IP addresses or IP range.   AWS SageMaker notebook instance is not placed in VPC Identifies SageMaker notebook instances that are not placed inside a VPC to ensure that it cannot be accessed outside a VPC network.   AWS SageMaker notebook instance not encrypted using Customer Managed Key Identifies SageMaker notebook instances that are not encrypted using Customer Managed Key to have more granular control over the data-at-rest encryption/decryption process and meet compliance requirements.   AWS SageMaker notebook instance IAM policy overly permissive to all traffic Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic, and does not restrict access to authorized users and applications only.   GCP Kubernetes cluster node auto-upgrade configuration disabled Identifies GCP Kubernetes cluster nodes where the auto-repair configuration disabled, and therefore the nodes in your cluster are not up-to-date with the cluster master version when your master is updated.   GCP Kubernetes cluster node auto-repair configuration disabled Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled and prevents periodic checks on the health state of each node in your cluster.   GCP Kubernetes Cluster Shielded GKE Nodes feature disabled Identifies Kubernetes clusters for which Shielded GKE nodes is not enabled to harden the underlying node and protect against a host of attacks against boot and root-kits. Policy Updates—Recommendation AWS Default Security Group does not restrict all traffic Updated Recommendation—The recommendation is updated to meet the revised CIS guideline for the policy. Policy Updates—RQL and Metadata AWS Elasticsearch IAM policy allows internet traffic Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists With this change, the policy is enhanced to check for the IPv6 default route ::/0.. Azure Security Center email notification for subscription owner is not set Updated Metadata—Displays the timestamp for the   lastModifiedOn   attribute to indicate when the last change was made in Azure Security Center. Azure Monitor log profile does not capture all activities Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved. Azure log profile not capturing activity logs for all regions Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved. Activity Log Retention should not be set to less than 365 days Updated RQL—The RQL has been updated to config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))' With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved. Azure SQL Database with Auditing Retention less than 90 days Updated RQL—The RQL has been updated to config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y; With this change, the policy checks the audit policy configured for the SQL server. Some alerts may be reopened due this additional check.       REST API Updates   CHANGE DESCRIPTION Resource List APIs A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud. Update   Deprecated Prisma Cloud Licensing APIs have been removed The following deprected APIs have been removed:   POST /usage/{cloud_type}   POST /timeline/usage   POST /v2/usage