Prisma Cloud Products and Customer Success Webinar Recordings   Office Hours with Prisma Cloud Product Management: MITRE Att&ck Capabilities - Prisma Cloud Enteprise - REGISTER HERE   June 15th, 2021 at 10am PT / 1pm ET   The MITRE ATT&CK® knowledge base is the most widely adopted framework for security teams across the industry. Prisma Cloud now supports MITRE ATT&CK® framework for various use cases. In this webinar, Prisma Cloud Product Management team will present an overview and hands-on demo to show how to leverage the updated ATT&CK frameworks to enhance your Cloud Security Posture Management and Cloud Workload Protection.     Office Hours with Prisma Cloud Product Management: New Threat Detection capabilities in Prisma Cloud  May 2021     In addition to providing cloud visibility, compliance and governance, Prisma Cloud has been providing Machine Learning and Threat Intelligence based threat detection for years. We recently released a new threat detection capability - anomalous compute provisioning - that can detect threats such as cryptojacking. Come and learn about this new capability as well as other existing threat detection capabilities that can detect issues such as account hijack, excessive login failures, port scan, port sweep and others. We will also discuss where we are going with our threat detection roadmap.     Office Hours with Prisma Cloud Product Management: Compute & Microsegmentation Release Update April 2021     Learn about what is new in the upcoming Prisma Cloud with respect to the Compute & Microsegmentation capabilities.      Office Hours with Prisma Cloud Product Management: Oracle Cloud (OCI) Overview March 2021     Prisma Cloud has extended its cloud security posture management to Oracle Cloud Infrastructure (OCI). The Prisma Cloud Product Management team will present an overview and hands-on demo on how cloud and security teams using Prisma Cloud on OCI can quickly get onboarded and gain comprehensive visibility for all multi- and hybrid-cloud assets in a single console to help understand their cloud attack surface. Join us to enhance the security of your cloud workloads on OCI!   Prisma Cloud Data Security Feb. 2021 Prisma Cloud Data Security is a new Prisma Cloud Module in the Cloud Security Posture Management (CSPM) pillar. Our PM team reviews the customer challenges this new module solves in addition to all of the capabilities currently available within the Data Security Module (currently AWS S3 only).   Prisma Cloud January Updates Jan. 2021 Join us this month to get insight into the latest release of Prisma Cloud Enterprise including our Cloud Security Posture Management, and Cloud Workload Protection Platforms. The Prisma Cloud Product Management team will present a overviews and hands-on demos of the new features we’ve added in the latest major release, such as Web-Application and API Security (WAAS) updates, host security, container security, and shift-left enhancements in Prisma Cloud Compute (CWPP), as well as Alarm Center updates in Prisma Cloud Enterprise (CSPM).   IAM Security Roadmap Dec. 2020 The new Prisma Cloud IAM Security module is an industry-leading CIEM solution. it automatically calculates effective permissions across cloud service providers, detects overly permissive access and suggests corrections to reach least privilege entitlements. Join the IAM PM team (Bar Schwartz, Shaked Zin) as they present a hands-on demo of the new module.   Prisma Cloud - Shift Left + CNSP Nov. 2020 New Prisma Cloud DevOps Inventory UI is coming in 20.11.2! Join us to learn to configure this UI as well as brand new "build" alert rules. In addition, we will talk about drift detection, and sign up interested customers for the upcoming design partner program. The microsegmentation private beta is released on Prisma Cloud! Join us for a walk thru of the product and how it will fit into the Cloud Network Security module. Learn how you can visualize and secure communications in kubernetes, between VMs and/or containers, using identity. We will also talk about how to identify customers that would be a good fit for the private beta.   Prisma Cloud - Compute Workload Protection (CWP) Oct. 2020 Introducing Prisma Cloud Compute 20.09, the latest update to our Cloud Workload Protection Platform. Join the Compute PM team (Aqsa Taylor, Avi Shulman, Hari Srinivasan, Tomer Spivak, and Pradnesh Patil) as they present a hands-on demo of the new features we’ve added in the latest major release, such as cluster aware radar, git repo scanning, enhanced host security, and Compute SaaS integration in Prisma Cloud Enterprise Edition.   Roadmap Session - Prisma Cloud Compute Sept. 2020 Learn about what is new in the upcoming Prisma Cloud Compute Release - Enhanced cluster awareness across the product, more integrated Cloud Account onboarding process between Compute and the Prisma Cloud platform, our first step in securing packages prior to build time with GIT repository scanning, an enhanced look to our Host security and our new and improved application firewall capability, transitioning CNAF into WAAS (Web Application and API Security).   Product Update Aug. 2020 Learn about the recent releases and the product roadmap.   Network Security and Micro-segmentation July 2020 Autofocus Integration (Network Security) & Micro-segmentation   Sneak Preview of Prisma Cloud Data Security (DLP) June 2020 Brief preview of upcoming  Data Security module and Q&A about Data security   Prisma Cloud Product Update May 2020 Learn about the recent releases and the roadmap.   Shift Left + Prisma Cloud Compute SaaS Integration Phase 2 Apr. 2020 For developers & DevOps: tools to use natively in their IDE, Git and CICD environments; and Prisma Cloud - Compute integration features.   Office Hours with Customer Success - Incident Response Case Study (Part 2) Mar. 2020 Malware — Investigate and Remediate.   Office Hours with Customer Success - Incident Response Case Study (Part 1) Feb. 2020 Malware — Incident and Impact.   Prisma Cloud Product Roadmap Jan. 2020 Upcoming New Features in Prisma Cloud.   Prisma Cloud - TwistLock/PureSec Integration Dec. 2019  Prisma Cloud + TwistLock Integration   Alert Burndown Nov. 2019 Learning to manage alerts.   RQL Deep Dive Oct. 2019 Learning to use RQL.    

The Prisma Certified Cloud Security Engineer (PCCSE) certification validates the knowledge, skills and abilities required to onboard, deploy and administer all aspects of Prisma Cloud.

Explore the new features introduced in December 2020. Here are the Prisma Cloud release notes for features introduced in 20.12.1.

Explore the new features introduced in November 2020. Here are the Prisma Cloud release notes for features introduced in 20.11.2.

Explore the new features introduced in November 2020. Here are the Prisma Cloud release notes for features introduced in 20.11.1.

Explore the new features introduced in October 2020. Here are the Prisma Cloud release notes for features introduced in 20.10.2.

Explore the new features introduced in October 2020. Here are the Prisma Cloud release notes for features introduced in 20.10.1.

Prisma Cloud provides comprehensive visibility and threat detection for cloud workload in Google Cloud. Prisma Cloud software consists of two components: Console and Defender. Console is Prisma Cloud’s management interface. It lets you define policy and monitor your environment. For the Prisma Cloud SaaS edition, the Console is hosted by Palo Alto Networks. Defender is deployed to Google Cloud environment to secure  the cloud workload. Defender protects your environment according to the policies set in Console. There are a number of Defender types , Host Defender utilizes Prisma Cloud’s model-based approach for protecting hosts that do not run containers.   Please visit Host Defender Auto Deployment from SaaS based Prisma Cloud User Guide here.

Explore the new features introduced in December 2020. Here are the Prisma Cloud release notes for features introduced in 20.12.2.

Features Introduced in 20.10.1   New Features New Policy and Policy Updates REST API Updates New Features                           FEATURE DESCRIPTION Role-Based Authentication on Amazon SQS Integration When   integrating   Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.     Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, requirements and sections are updated on GCP to add support for BigQuery, IAM, and AWS adds IAM, SNS, S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update.     Trusted Source Exclusion for UEBA Anomaly Policies To exclude internal or external IP addresses, such as addresses that belong to system administrators or those you use for testing access to new instances or services, you can now add in a CIDR format on   Settings Anomaly Settings Anomaly Trusted List . Any addresses included in this list will not generate alerts against the specified Prisma Cloud Anomaly Policies.     If you had previously specified these IP addresses on   Settings Trusted IP Addresses Trusted Alert IP Addresses , use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add the   CIDR block   to the   Anomaly Trusted List   you can specify a specific cloud account or VPC with which the addresses are associated. API Ingestion AWS Glue aws-glue-connection Additional permissions required: Permission: glue:GetConnection Azure Virtual Network is updated to include information on   loadBalancerBackendAddressPools   for: azure-network-lb-list azure-network-nic-list Azure Event Hub azure-event-hub Additional permissions required: "Microsoft.EventHub/namespaces/eventhubs/read" "Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read" If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Google Cloud Spanner gcloud-cloud-spanner-instance Additional permissions required: spanner.instances.list These permissions are included in the predefined Project Viewer role. Update   Risk Rating is Removed Prisma Cloud has removed Risk rating from the following places:   On   Dashboard SecOps , the   Risk Rating By Scanned Accounts   widget.   On the   Cloud Security Assessment   report, the Scanned Resources by Risk Rating chart.   On   Alerts Overview , the filter for Risk Grade.   In the   Rating   column on the Alerts details page.   Rating   column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.   The deprecation notice was published starting 20.8.2. New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                     POLICY NAME DESCRIPTION New Policies GCP SQL database is assigned with public IP —Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks. GCP VM instance with the external IP address —Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have public/external IP address and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet. GCP VM instance with Shielded VM features disabled —Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. GCP SQL database instance is not configured with automated backups —Identifies the GCP SQL database instances that are not configured with automated backups to protect against loss or damage. AWS Network ACLs allow ingress traffic to server administration ports —Identifies AWS Network Access Control List (NACL) that include rules to allow ingress traffic on server administration ports. Policy Updates—RQL and Metadata The following policies are updated: Azure disk is unattached and not encrypted Policy Name Updated— Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].   Azure Data disk is not encrypted Policy Name Updated— Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].   Azure disk for VM operating system is not encrypted at rest using ADE Policy Name Updated— Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK . Updated RQL—The RQL has been updated to config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey' With this change this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].   SQL Instances do not have SSL configured Updated RQL—The RQL has been updated to config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)" With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled. REST API Updates                   CHANGE DESCRIPTION Update   Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed The following APIs have been removed:   GET /whitelist/network   POST /whitelist/network   GET /whitelist/network/{uuid}   PUT /whitelist/network/{uuid}   POST /whitelist/network/{uuid}/cidr   PUT /whitelist/network/{uuid}/cidr/{cidrUuid}   DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}   GET /ip_whitelist_login   POST /ip_whitelist_login   GET /ip_whitelist_login/{id}   PUT /ip_whitelist_login/{id}   DELETE /ip_whitelist_login/{id}   GET /ip_whitelist_login/status   PATCH /ip_whitelist_login/status   GET /ip_whitelist_login/tab   Update   Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed The enterprise settings model fields   anomalyTrainingModelThreshold   and   anomalyAlertDisposition   have been removed. These fields are no longer in:   The response object for   GET /settings/enterprise   The request body parameters for   POST /settings/enterprise   Amazon SQS integration The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:   integrationConfig.roleArn   integrationConfig.externalId   The APIs that include these new request body parameters are:   POST /integration/test   POST /integration   PUT /integration/{id}   Resource RRN The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property   idmapId . The response object for each of the following APIs includes this new property:   GET /resource   GET /resource/raw  

  Features Introduced in 20.9.2       New Features New Policy and Policy Updates REST API Updates New Features                                             FEATURE DESCRIPTION License Credits Used for Non-Onboarded Cloud Accounts If you have deployed Prisma Cloud Defenders on environments that Prisma Cloud is not monitoring or protecting—such as private cloud or on-premises environments, or public cloud providers that are not supported on Prisma Cloud, or on accounts that you have not added to Prisma Cloud— you can now view the credits used to protect the associated resources on the   Licensing page.     GCP Cloud Account Onboarding Status Updates When you add your GCP account on Prisma Cloud, the status message is improved to inform you of missing permissions. The details in the message help you identify the additional permissions you need to grant to the GCP IAM service account for Prisma Cloud.     Nested Rules in Config RQL to Query Data Within JSON Arrays Nested rules extend the use of logical expressions for metadata contained within a JSON array so that you can use more than primitive operators for comparisons and a richer query format. With this enhancement, the auto completion for   json.rule =   also becomes available when you construct RQL. The enhancement allows you to rewrite RQL that was config where api.name= 'a' and json.rule = “$.path[?(@.x == true || @.y == 'str' ..)].val is false ” as config where api.name= 'a' and json.rule= "$.path[?any[<logical expression>]] exists | does not exist" As an example, if you used: config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0" you can now rewrite it as: config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = acl.grants[?any(grantee.typeIdentifier equals id and grantee.identifier is not empty )] exists And some more examples: config where api.name = 'aws-ec2-describe-network-acls' AND json.rule = entries[?any(egress is true and ruleAction contains deny)] exists or tags[?any(value contains production)] exists or tags[*] is empty config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = ipPermissionsEgress[?any( toPort greater than 22 and ipv4Ranges[?any( cidrIp does not contain "0.0" )] exists )] exists , where you can check when   toPort   and   cidrIp   are included within the same array element. Policy Descriptor A human readable unique policy identifier is added to Prisma Cloud Default policies of type Config, Audit event and Network. See the new   Policy Descriptor   column on the   Policies   page. This unique descriptor is an additional field, and it does not replace the existing Policy ID that is available when you use the REST API.     Support for Audit Event Logs on AWS China and Azure China Prisma Cloud tenants deployed on AWS China and Azure China regions, can now ingest events recorded in audit logs from your cloud environments. With this data, you can use   event where   RQL queries and see alerts for policies that match on audit events to identify compliance, and operational risks across your infrastructure. API Ingestion AWS Transit Gateway — aws-vpc-transit-gateway Additional permissions required: ec2:DescribeTransitGateways The permission is included with the SecurityAudit predefined role. AWS Database Migration Service — aws-dms-endpoint Additional permissions required: dms:DescribeEndpoints dms:ListTagsForResource The permissions are included with the SecurityAudit predefined role. Updated   AWS Elasticbeanstalk — aws-elasticbeanstalk-configuration-settings Additional permissions required:   s3:GetObject   for the resources on:   AWS commercial arn:aws:s3:::elasticbeanstalk-*/*"   AWS GovCloud and Fedramp arn:aws-us-gov:s3:::elasticbeanstalk-*/*   AWS China arn:aws-cn:s3:::elasticbeanstalk-*/*   The CFTs are updated to include a new policy for   PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk Azure Compute — azure-disk-list Azure Logic Apps — azure-logic-app-custom-connector Additional permissions required: Microsoft.Web/customApis/read If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Azure Resource Manager — azure-role-assignment Azure Virtual Network — azure-network-public-ip-address Additional permissions required: Microsoft.Network/publicIPAddresses/read If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json. Google Cloud Bigtable — gcloud-bigtable-table Additional permissions required: bigtable.tables.list bigtable.tables.getIamPolicy These permissions are included in the predefined Project Viewer role. Google Access Context Manager — gcloud-access-policy Additional permissions required: accesscontextmanager.accessPolicies.list accesscontextmanager.accessLevels.list accesscontextmanager.servicePerimeters.list These permissions are already part of the Project Viewer role. Alternatively, you can use the predefined role   Access Context Manager Reader . Google Compute Engine — gcloud-compute-route Additional permissions required: compute.routes.list These permissions are included in the predefined Project Viewer role. Terraform Script Updates If you are using the Terraform scripts that Prisma Cloud provides for onboarding a new GCP account on Prisma Cloud, the scripts are updated to enable additional GCP APIs and to include new permissions that are not included in the predefined Viewer role. Permissions added: storage.buckets.getIamPolicy pubsub.topics.getIamPolicy pubsub.subscriptions.getIamPolicy pubsub.snapshots.getIamPolicy bigquery.tables.get bigquery.tables.list GCP APIs additionally enabled by default: accesscontextmanager.googleapis.com pubsub.googleapis.com run.googleapis.com appengine.googleapis.com serviceusage.googleapis.com bigtableadmin.googleapis.com dataproc.googleapis.com recommender.googleapis.com cloudfunctions.googleapis.com redis.googleapis.com Permission Updates on AWS CloudFormation Templates for Prisma Cloud Compute Workloads The AWS CFTs now have additional permissions added to ingest data on Compute workloads deployed within AWS cloud accounts that are onboarded to Prisma Cloud. PrismaCloud-ReadOnly-Policy-Compute   role—CFT used for Monitor mode, includes additional permissions associated with this new role to enable monitoring of resources that are onboarded for Prisma Cloud Compute. PrismaCloud-Remediation-Policy-Compute   role—CFT used for Monitor & Protect mode, includes additional permissions associated with this new role to enable read-write access for monitoring and remediating resources that are onboarded for Prisma Cloud Compute.   If you do not use the host, serverless functions, and container capabilities enabled with Prisma Cloud Compute, for AWS accounts onboarded to Prisma Cloud, you can remove these roles from the CFT.   Prisma Cloud checks whether Compute permissions are enabled only if you have one or more compute workloads deployed on the AWS cloud accounts that are onboarded. And the cloud status transitions from green to amber only when you have compute workloads deployed and the additional permissions are not enabled for monitor, or monitor and protect modes.   New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                             POLICY NAME DESCRIPTION New Policies AWS S3 Buckets Block public access setting disabled —Identifies AWS S3 buckets with the   Block public access   setting disabled. Enabling   Block public access   on publicly accessible S3 buckets enables you to ensure that data is never accidentally or maliciously exposed publicly. This policy includes the CLI for automated remediation, when you provide the permissions required. Saved Search Additions The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:   AWS IAM user/role/policy has unused permissions in the last 90 days_RL   AWS S3 bucket having policy overly permissive to VPC endpoints   AWS IAM role with cross-account access_RL   Policy Updates—RQL and Metadata The RQL in the following policies are updated: Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on TCP protocol Policy Name Updated— Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol Updated RQL—The RQL has been updated to handle the traffic on protocol 'tcp' and 'any'(*) properly. With this change this policy will alert on inbound traffic using TCP. config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule="securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='Tcp' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound OR securityRules[?(@.sourceAddressPrefix=='Internet' && @.protocol=='*' && @.access=='Allow' && @.destinationAddressPrefix=='*' && @.destinationPortRange=='*')].direction contains Inbound"   Azure Network Security Group allows SQL Server (UDP Port 1434) Policy Name Updated— Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Udp' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(1434,1434)"   Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 Policy Name Updated— Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22 Updated RQL—The RQL has been updated. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = "securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == 'Tcp' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRange contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == '*' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22) or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.sourceAddressPrefix == 'Internet' && @.protocol == '*' )].destinationPortRanges[*] contains _Port.inRange(22,22)"   Azure Network Security Group allows ICMP (Ping) Updated RQL—The RQL has been updated to handle ICMP pings from both Source 'Any' and 'Internet' service tag. This change affects the number of alerts generated against this policy. config where api.name= 'azure-network-nsg-list' AND json.rule = " securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == '*' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == '*' )].destinationPortRange contains * or securityRules[?(@.access == 'Allow' && @.direction == 'Inbound' && @.protocol == 'Icmp' && @.sourceAddressPrefix == 'Internet' )].destinationPortRange contains * "   AWS Default Security Group does not restrict all traffic Updated RQL and the Recommendation instructions—The RQL is now modified to handle all the default Security groups having inbound/outbound rules irrespective of public/private IPrange attached to it. This change affects the number of alerts generated against this policy. config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((groupName == default) and (ipPermissions[*] is not empty or ipPermissionsEgress[*] is not empty))'   AWS S3 buckets are accessible to public Updated Remediation: The remediation has been removed because the RQL update requires pipelined multiline execution of CLI command, which is currently not supported on Prisma Cloud. With this change, this policy no longer   Remediable   from Prisma Cloud. Updated RQL—The RQL has been updated to check for S3 account level block access ( aws-s3control-public-access-block ) setting and to verify when the account level block access setting is not modified. With this change, any inaccurately generated alerts will get resolved. "config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = \"((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist\"" Policy Deletions The following policies are being removed from Prisma Cloud: AWS SQS does not have a dead letter queue configured Any open alerts generated against this policy will be resolved and marked   Policy Deleted . REST API Updates                 CHANGE DESCRIPTION Infrastructure-As-Code (IaC) Scan Service A new set of APIs enables you to interact with the Prisma Cloud IaC scan service to scan templates to check against policies asynchronously. The new APIs are:   POST /scans   POST /scans/{scanId}   GET /scans/{scanId}/status   GET /scans/{scanId}/results   User Role The response object for the following APIs include a new property   additionalAttributes.hasDefenderPermissions :   GET /user/role   GET /user/role/{id}   The request body parameters for the following APIs also include additionalAttributes.hasDefenderPermissions as a new parameter:   POST /user/role   PUT /user/role/{id}   Policy The response object for GET /filter/policy/suggest includes a new filter suggestion   policy.class .

  Features Introduced in 20.9.1       New Features New Policy and Policy Updates REST API Updates New Features                       FEATURE DESCRIPTION Support for AWS Organizations on Prisma Cloud If you use AWS Organizations to centrally govern and manage access to services and resources on AWS, you can now add the AWS Organization to Prisma Cloud. When you   add the AWS Organization, all the member accounts included within the hierarchy will be onboarded to Prisma Cloud in one streamlined workflow.     Consolidation of Unusual User Activity / UEBA Anomaly Settings The   Unusual User Activity / UEBA settings   are now on   Settings Anomaly Settings   along with the Anomaly settings for policies that alert you to network-related incidents.     You can now set the thresholds for machine learning—number of days and events—and alert disposition—what vectors to use for identifying unusual —for the policies that detect usual user activity and the account hijacking attempts. Expanded Support for Roles with Just-in-Time (JIT) Provisioning If you use JIT provisioning to   create administrative users   on Prisma Cloud, when a user whose profile is mapped with multiple roles on the IdP logs in for the first time on Prisma Cloud, that user is provisioned with multiple roles on Prisma Cloud. The number of roles supported with JIT provisioning has increased from one to five, and the first one is assigned as the default role on Prisma Cloud. On each subsequent log in, the roles are evaluated again and the access permissions are adjusted locally according to the roles assigned to the user on the IdP. Rich Text Editor in Email Notification Template Use the rich text editor to customize the message body in your   email notification   template on   Alerts Notification Templates . And as you craft it, you can preview how the content will look on the right-hand pane.     Limited GA   Prisma Cloud Data Security Prisma Cloud introduces the Prisma Cloud Data Security capabilities as a Limited GA for selected Prisma Cloud Enterprise Edition customers. With Prisma Cloud Data Security, you can protect data stored on AWS S3 buckets and gain visibility on the scan results directly in the Prisma Cloud dashboard. The data security capabilities include predefined data policies and associated data classification profiles such as PII, Financial, or Healthcare & Intellectual Property that scan your objects stored in the S3 bucket to identify exposure—how sensitive information is kept private, or exposed or shared externally, or allows unauthorized access. It also uses the WildFire service to detect known and unknown malware in these objects.     API Ingestion AWS AWS Elastic Map Reduce— aws-emr-public-access-block Additional permissions required: elasticmapreduce:GetBlockPublicAccessConfiguration Azure   Azure Event Hubs— azure-event-hubs-namespace   Azure Logic Apps— azure-logic-apps-workflow   GCP   Google Compute—   gcloud-compute-image Additional permissions required: compute.images.list compute.images.getIamPolicy   Google PubSub—   gcloud-pubsub-topic Additional permissions required: pubsub.topics.getIamPolicy pubsub.topics.list   gcloud-pubsub-subscription Additional permissions required: pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list   gcloud-pubsub-snapshot Additional permissions required: pubsub.snapshots.getIamPolicy pubsub.snapshots.list     New Policy and Policy Updates See   Look Ahead—Planned Updates on Prisma Cloud   to learn what’s coming soon.                                               POLICY NAME DESCRIPTION Saved Search Additions The following Saved Searches enable you to easily create a policy and generate an alert if you want to check for:   GCP IAM user with overly permissive privileges   GCP IAM user not used for the last 90 days   AWS IAM policy not configured with fine-grained access control, such as such as IP address, Time Of Day, and MFA restrictions   Policy Updates- Metadata Policy Name Update Current Name— Azure Security Center 'Also send email notification to subscription owners' value is not set New Name— Azure Security Center email notification for subscription owner is not set Policy Updates—RQL The RQL in the following policies are updated: AWS Security Groups allow internet traffic to SSH port (22) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 22 && @.fromPort < 22)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 22 || @.fromPort == 22)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to Windows RPC port (135) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 135 && @.fromPort < 135)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 135 || @.fromPort == 135)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to NetBIOS port (138) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 138 && @.fromPort < 138)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 138 || @.fromPort == 138)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to MSQL port (4333) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 4333 && @.fromPort < 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 4333 || @.fromPort == 4333)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to RDP port (3389) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 3389 && @.fromPort < 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 3389 || @.fromPort == 3389)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to Telnet port (23) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 23 && @.fromPort < 23)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 23 || @.fromPort == 23)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 5500 && @.fromPort < 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 5500 || @.fromPort == 5500)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to SQLServer port (1434) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1434 && @.fromPort < 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1434 || @.fromPort == 1434)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to CIFS port (445) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 445 && @.fromPort < 445)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 445 || @.fromPort == 445)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic to ports which are not commonly used Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = \"(isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipv6Ranges[*].cidrIpv6 contains ::/0) or (isShared is false and ipPermissions[?(@.toPort != 80 && @.toPort != 443 && @.toPort != 22 && @.toPort != 23 && @.toPort != 3389 && @.toPort != 20 && @.toPort != 21 && @.toPort != 25 && @.toPort != 53 && @.toPort != 135 && @.toPort != 137 && @.toPort != 138 && @.toPort != 139 && @.toPort != 445 && @.toPort !=3306 && @.toPort != 1433 && @.toPort != 1434 && @.toPort != 4333 && @.toPort != 5432 && @.fromPort != 80 && @.fromPort != 443 && @.fromPort != 22 && @.fromPort != 23 && @.fromPort != 3389 && @.fromPort != 20 && @.fromPort != 21 && @.fromPort != 25 && @.fromPort != 53 && @.fromPort != 135 && @.fromPort != 137 && @.fromPort != 138 && @.fromPort != 139 && @.fromPort != 445 && @.fromPort !=3306 && @.fromPort != 1433 && @.fromPort != 1434 && @.fromPort != 4333 && @.fromPort != 5432 && @.ipProtocol=='tcp' || @.ipProtocol=='icmp' || @.ipProtocol=='icmpv6' || @.ipProtocol=='udp')].ipRanges[*] contains 0.0.0.0/0)\"   AWS Security Groups allow internet traffic from internet to SQLServer port (1433) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 1433 && @.fromPort < 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 1433 || @.fromPort == 1433)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS Security Groups allow internet traffic from internet to NetBIOS port (137) Updated RQL—The RQL has been updated to exclude shared security groups across accounts. With this change, duplicate alerts for shared security groups will be resolved. config where cloud.type = 'aws' AND api.name='aws-ec2-describe-security-groups' AND json.rule = (((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipRanges[*] contains 0.0.0.0/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipRanges[*] contains 0.0.0.0/0)) or ((ipPermissions[?(@.toPort > 137 && @.fromPort < 137)].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissions[?(@.toPort == 137 || @.fromPort == 137)].ipv6Ranges[*].cidrIpv6 contains ::/0))) and isShared is false   AWS IAM policy allows full administrative privileges Updated RQL—The RQL has been updated toexclude AdministratorAccess policies in AWS GovCloud accounts. With this change, open alerts for AWS GovCloud resources that were incorrectly identified will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = \"document.Statement[?(@.Resource=='*' )].Action equals * and document.Statement[*].Effect equals Allow and policyArn exists and policyArn does not contain iam::aws:policy\/AdministratorAccess\"   AWS EKS cluster security group overly permissive to all traffic Updated RQL—The RQL has been updated to exclude security groups across accounts. With this change, duplicate alerts for shared security groups on EKS clusters will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId and ($.Y.ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*] contains ::/0) and $.Y.isShared is false'; show Y;   AWS RDS instance with copy tags to snapshots disabled Updated RQL—The RQL has been updated to exclude the Aurora database. With this change, any open alerts for the Aurora database will be resolved. config where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = '(copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'   Azure SQL Database with Auditing Retention less than 90 days Updated the description, recommendation, and RQL. Updated RQL— config where api.name = 'azure-sql-db-list' as X; config where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X; REST API Updates               CHANGE DESCRIPTION Cloud Accounts The REST API now support AWS organizations. The following have new request body parameters for this support:   POST /cloud/{cloud_type}   PUT /cloud/{cloud_type}   POST /cloud/status/{cloud_type}   Policies The response object for the REST API request   GET /v2/policy   had included an unused field   openAlertsCount . The response object for   GET /v2/policy   no longer includes this field. The issue ID is RLP-23362.

Office Hours with Product: New Features in Prisma Cloud — host, containers & serverless security   Recording available from the Dec. 2019 customer webinar. Click here to view the recording.