Prisma™ Cloud Release Notes

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2023-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
August 18, 2023

Prisma™ Cloud Release Notes 2 ©2023 Palo Alto Networks, Inc.


Table of Contents
Prisma™ Cloud Release Information............................................................. 7
Features Introduced in 2023.................................................................................................... 8
Features Introduced in August 2023.......................................................................... 8
Features Introduced in July 2023............................................................................. 33
Features Introduced in June 2023............................................................................ 56
Features Introduced in May 2023.............................................................................76
Features Introduced in April 2023............................................................................ 94
Features Introduced in March 2023...................................................................... 115
Features Introduced in February 2023..................................................................143
Features Introduced in January 2023.................................................................... 167
Features Introduced in 2022............................................................................................... 216
Features Introduced in December 2022............................................................... 216
Features Introduced in November 2022...............................................................240
Features Introduced in October 2022................................................................... 257
Features Introduced in September 2022.............................................................. 273
Features Introduced in August 2022..................................................................... 309
Features Introduced in July 2022........................................................................... 328
Features Introduced in June 2022..........................................................................365
Features Introduced in May 2022.......................................................................... 413
Features Introduced in April 2022..........................................................................434
Features Introduced in March 2022...................................................................... 458
Features Introduced in February 2022..................................................................477
Features Introduced in January 2022.................................................................... 496
Limited GA Features on Prisma Cloud.............................................................................. 536
LGA Features................................................................................................................536
Look Ahead—Planned Updates on Prisma Cloud........................................................... 537
New Policies................................................................................................................. 537
Policy Updates............................................................................................................. 538
IAM Policy Updates.................................................................................................... 540
API Ingestions...............................................................................................................542
Deprecation Notices...................................................................................................543
Prisma Cloud Known Issues.................................................................................................546

Prisma Cloud Compute Release Information......................................... 551


Features Introduced in August 2023.................................................................................553
Defender Upgrade...................................................................................................... 553
New Features in Prisma Cloud Compute.............................................................. 553
Deprecation Notice.....................................................................................................554


API Changes..................................................................................................................556
Features Introduced in July 2023...................................................................................... 557
New Features in Prisma Cloud Compute.............................................................. 557
API Changes..................................................................................................................560
Features Introduced in June 2023..................................................................................... 562
New Features in Prisma Cloud Compute.............................................................. 562
API Changes..................................................................................................................564
Breaking Changes in API........................................................................................... 564
Deprecation Notice.....................................................................................................566
Features Introduced in May 2023......................................................................................568
New Features in Prisma Cloud Compute.............................................................. 568
API Changes..................................................................................................................569
End of Support Notifications....................................................................................570
Features Introduced in April 2023..................................................................................... 571
New Features in Prisma Cloud Compute.............................................................. 571
API Changes..................................................................................................................576
Breaking Changes in API........................................................................................... 576
DISA STIG Scan Findings and Justifications......................................................... 577
Backward Compatibility for New Features...........................................................577
End of Support Notifications....................................................................................577
Changes in Existing Behavior................................................................................... 577
Features Introduced in March 2023..................................................................................579
New Features in Prisma Cloud Compute.............................................................. 579
Features Introduced in February 2023............................................................................. 581
New Features in Prisma Cloud Compute.............................................................. 581
Features Introduced in January 2023............................................................................... 585
New Features in Prisma Cloud Compute.............................................................. 585
API Changes..................................................................................................................601
Addressed Issues......................................................................................................... 606
Backward Compatibility for New Features...........................................................608
Features Introduced in December 2022...........................................................................611
Addressed Issues......................................................................................................... 611
Features Introduced in November 2022.......................................................................... 612
Addressed Issues......................................................................................................... 612
Features Introduced in September 2022..........................................................................614
New Features in Prisma Cloud Compute.............................................................. 614
Addressed Issues......................................................................................................... 615
Supported Host Operating Systems and Orchestrators.................................... 616
End of Support Notifications....................................................................................616
Breaking Change Notification.................................................................................. 617
Features Introduced in July 2022...................................................................................... 618


New Features in Prisma Cloud Compute.............................................................. 618


DISA STIG Scan Findings and Justifications......................................................... 634
API Changes..................................................................................................................634
Addressed Issues......................................................................................................... 636
Supported Host Operating Systems and Orchestrators.................................... 638
Changes in Existing Behavior................................................................................... 639
End of Support and Deprecation Notifications....................................................641
Backward Compatibility for New Features...........................................................642
Features Introduced in June 2022..................................................................................... 645
Features Introduced in March 2022..................................................................................646
New Features in Prisma Cloud Compute.............................................................. 646
Features Introduced in February 2022............................................................................. 647
New Features in Prisma Cloud Compute.............................................................. 647
Look Ahead — Planned Updates on Prisma Cloud Compute....................................... 659
Prisma Cloud Compute Known Issues...............................................................................660

Prisma Cloud Code Security Release Information................................ 665


Features Introduced in 2023—Code Security..................................................................666
Features Introduced in August 2023..................................................................... 666
Features Introduced in July 2023........................................................................... 667
Features Introduced in June 2023..........................................................................670
Features Introduced in May 2023.......................................................................... 671
Features Introduced in April 2023..........................................................................674
Features Introduced in March 2023...................................................................... 677
Features Introduced in February 2023..................................................................681
Features Introduced in January 2023.................................................................... 688
Features Introduced in 2022—Code Security..................................................................694
Features Introduced in December 2022............................................................... 694
Features Introduced in September 2022.............................................................. 694
Features Introduced in August 2022..................................................................... 700
Features Introduced in July 2022........................................................................... 702
Features Introduced in June 2022..........................................................................707
Features Introduced in May 2022.......................................................................... 712
Features Introduced in April 2022..........................................................................713
Features Introduced in March 2022...................................................................... 714
Features Introduced in January 2022.................................................................... 716
Look Ahead—Planned Updates on Prisma Cloud Code Security.................................718
Changes in Existing Behavior................................................................................... 718
Policy Updates............................................................................................................. 719
Deprecation Notices...................................................................................................720


Get Help...........................................................................................................723
Related Documentation.........................................................................................................724
Request Support......................................................................................................................725
Contact Information....................................................................................................725



Prisma™ Cloud Release Information
Review the Prisma Cloud release notes to learn about all the exciting new features and known issues.
Prisma™ Cloud is an API-based integration that provides security at all stages of the software delivery process. It provides visibility into your resources deployed across different environments, and it checks your adherence to compliance standards and security best practices for your assets at runtime, and for IaC templates and images even before the resources are deployed.
Prisma Cloud monitors your resources deployed on the public cloud environments—AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Alibaba Cloud—for cloud security and compliance risks. As the service automatically discovers new resources deployed in your cloud environment, it enables you to implement policy guardrails that ensure resource configurations adhere to industry standards, and to integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. This streamlines identifying issues and detecting and responding to a prioritized list of risks, so you can maintain an agile development process and operational efficiency.
To view the current operational status of Palo Alto Networks cloud services, see https://status.paloaltonetworks.com/.
Before you begin using Prisma Cloud, make sure you review the following information:
• Features Introduced in 2023
• Features Introduced in 2022
• Limited GA Features on Prisma Cloud
• Look Ahead—Planned Updates on Prisma Cloud
• Prisma Cloud Known Issues


Features Introduced in 2023


Stay informed on the new capabilities and policies added to Prisma Cloud in 2023.
The following topics provide a snapshot of new features introduced for Prisma™ Cloud in 2023.
Refer to the Prisma™ Cloud Administrator’s Guide for more information on how to use the
service.
• Features Introduced in August 2023
• Features Introduced in July 2023
• Features Introduced in June 2023
• Features Introduced in May 2023
• Features Introduced in April 2023
• Features Introduced in March 2023
• Features Introduced in February 2023
• Features Introduced in January 2023
Refer to the Limited GA Features on Prisma Cloud for features that have limited general
availability (LGA).

Features Introduced in August 2023


Learn what’s new on Prisma™ Cloud in August 2023.
• New Features Introduced in 23.8.2
• New Features Introduced in 23.8.1

New Features Introduced in 23.8.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

Feature: Updates to Workload Defense Metrics on Adoption Advisor
Description: The Adoption Advisor dashboard and report now provide valuable insights on your workload defense coverage through both agentless scanning and Defenders. In addition to the information on how many hosts and cloud accounts are protected with Defenders, you can now review how many hosts are scanned using agentless security. This gives you a comprehensive picture of the total number of hosts that Prisma Cloud protects and scans.

Prisma™ Cloud Release Notes 9 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

API Ingestions

Service: Amazon VPC
API: aws-ec2-traffic-mirroring
Details: Additional permission required:
  • ec2:DescribeTrafficMirrorSessions
  The Security Audit role includes the permission.

Service: Amazon VPC
API: aws-ec2-customer-gateway
Details: Additional permission required:
  • ec2:DescribeCustomerGateways
  The Security Audit role includes the permission.

Service: AWS Support
API: aws-support-case
Details: Additional permission required:
  • support:DescribeCases
  You must manually add the permission or update the CFT template to enable it.

Service: Azure Log Analytics
API: azure-log-analytics-linked-storage-accounts
Details: Additional permissions required:
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.OperationalInsights/workspaces/storageinsightconfigs/read
  The Reader role includes the permissions.

Service: Azure SQL Database
API: azure-sql-db-long-term-retention-policies
Details: Additional permissions required:
  • Microsoft.Sql/servers/read
  • Microsoft.Sql/servers/databases/read
  • Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/read
  The Reader role includes the permissions.

Service: Azure Synapse Analytics
API: azure-synapse-workspace-managed-sql-server-vulnerability-assessments
Details: Additional permissions required:
  • Microsoft.Synapse/workspaces/read
  • Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/read
  The Reader role includes the permissions.

Service: Google Cloud Billing
API: gcloud-billing-project-billing-info
Details: Additional permission required:
  • resourcemanager.projects.get
  The Viewer role includes the permission.

Service: Google Cloud Identity Platform
API: gcloud-identity-platform-tenant-idp-configuration
Details: Additional permissions required:
  • firebaseauth.configs.get
  • identitytoolkit.tenants.list
  • identitytoolkit.tenants.get
  The Viewer role includes the permissions.

Service: Google Cloud Identity Platform
API: gcloud-identity-platform-project-idp-configuration
Details: Additional permission required:
  • firebaseauth.configs.get
  The Viewer role includes the permission.

Service: Google Stackdriver Logging
API: gcloud-logging-project-setting
Details: Additional permission required:
  • logging.cmekSettings.get
  You must manually add the permission or update the Terraform template to enable it.

Prisma™ Cloud Release Notes 12 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

New Policies

Policy: AWS Lambda function URL having overly permissive cross-origin resource sharing permissions
Description: Identifies AWS Lambda functions which have overly permissive cross-origin resource sharing (CORS) permissions. Overly permissive CORS settings (allowing wildcards) can potentially expose the Lambda function to unwarranted requests and cross-site scripting attacks. It is highly recommended to specify the exact domains (in 'allowOrigins') and HTTP methods (in 'allowMethods') that should be allowed to interact with your function to ensure a secure setup.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-lambda-list-functions'
  AND json.rule = cors exists and cors.allowOrigins[*] contains "*" and cors.allowMethods[*] contains "*"

Policy: AWS Auto Scaling group launch configuration has public IP address assignment enabled
Description: Identifies the autoscaling group launch configuration that is configured to assign a public IP address. Auto Scaling groups assign a public IP address to the group’s EC2 instances if the associated launch configuration is configured to assign a public IP address. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet. It is recommended that the Amazon EC2 instances in an autoscaling group launch configuration do not have an associated public IP address except for limited edge cases.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration'
  AND json.rule = associatePublicIpAddress exists and associatePublicIpAddress is true

Policy: AWS Auto Scaling group launch configuration configured with Instance Metadata Service hop count greater than 1
Description: Identifies the autoscaling group launch configuration where the Instance Metadata Service network hop count is set to greater than 1. A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. With the metadata response hop limit count for the IMDS greater than 1, the PUT response that contains the secret token can travel outside the EC2 instance. Only metadata with a limited hop count for all your EC2 instances is recommended.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration'
  AND json.rule = metadataOptions.httpEndpoint exists and metadataOptions.httpEndpoint equals "enabled"
  and metadataOptions.httpPutResponseHopLimit greater than 1 as X;
  config from cloud.resource where api.name = 'aws-describe-auto-scaling-groups' as Y;
  filter '$.X.launchConfigurationName equal ignore case $.Y.launchConfigurationName'; show X;

Policy: AWS Auto Scaling group launch configuration not configured with Instance Metadata Service v2 (IMDSv2)
Description: Identifies the autoscaling group launch configuration where IMDSv2 is set to optional. A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. With IMDSv2, every request is protected by session authentication. Version 2 of the IMDS adds new protections that weren’t available in IMDSv1 to further safeguard your EC2 instances created by the autoscaling group. It is recommended to use only IMDSv2 for all your EC2 instances.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where api.name = 'aws-ec2-autoscaling-launch-configuration'
  AND json.rule = (metadataOptions.httpEndpoint does not exist)
  or (metadataOptions.httpEndpoint equals "enabled" and metadataOptions.httpTokens equals "optional") as X;
  config from cloud.resource where api.name = 'aws-describe-auto-scaling-groups' as Y;
  filter '$.X.launchConfigurationName equal ignore case $.Y.launchConfigurationName'; show X;

Policy: Azure Database for MySQL server not configured private endpoint
Description: Identifies Azure MySQL database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-server'
  AND json.rule = properties.userVisibleState equal ignore case Ready
  and properties.privateEndpointConnections[*] is empty

Policy: Azure Cache for Redis not configured with data in-transit encryption
Description: Identifies Azure Cache for Redis instances which are not configured with data encryption in transit. Enforcing an SSL connection helps prevent unauthorized users from reading sensitive data that is intercepted as it travels through the network, between clients/applications and cache servers, known as data in transit.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cache-redis'
  AND json.rule = properties.provisioningState equal ignore case Succeeded
  and properties.enableNonSslPort is true

Policy: Azure PostgreSQL servers not configured private endpoint
Description: Identifies Azure PostgreSQL database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses, which includes IP addresses within Azure. It is recommended to create a private endpoint for secure communication for your Azure PostgreSQL database.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server'
  AND json.rule = properties.userVisibleState equal ignore case Ready
  and properties.privateEndpointConnections[*] is empty

Policy: Azure SQL Database server not configured private endpoint
Description: Identifies Azure SQL database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for SQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses, which includes IP addresses within Azure. It is recommended to create a private endpoint for secure communication for your Azure SQL database.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list'
  AND json.rule = properties.userVisibleState equal ignore case Ready
  and properties.privateEndpointConnections[*] is empty

Policy: Azure Database for MariaDB not configured private endpoint
Description: Identifies Azure MariaDB database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses, which includes IP addresses within Azure. It is recommended to create a private endpoint for secure communication for your Azure MariaDB database.
Policy Severity— Medium
Policy Type— Config
RQL:
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server'
  AND json.rule = properties.userVisibleState equal ignore case Ready
  and properties.privateEndpointConnections[*] is empty
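
The four new AWS policies above, re-expressed as a local Python checker over constructed resource JSON (an added example, not Prisma Cloud's own code or its RQL engine). Key names follow the RQL; the case-insensitive launchConfigurationName join against Auto Scaling groups mirrors the "as Y; filter" clause, and every sample record is constructed.

```python
# Added example (not Prisma Cloud code): the four new AWS Config policies as plain
# Python checks over JSON shaped like the 'aws-lambda-list-functions' and
# 'aws-ec2-autoscaling-launch-configuration' API responses the RQL queries.
from typing import Any, Dict, List, Tuple

Resource = Dict[str, Any]


def lambda_cors_is_wildcard(fn: Resource) -> bool:
    """cors exists and cors.allowOrigins[*] contains "*" and cors.allowMethods[*] contains "*"."""
    cors = fn.get("cors")
    if not cors:  # no function URL CORS block at all: nothing to flag
        return False
    return "*" in cors.get("allowOrigins", []) and "*" in cors.get("allowMethods", [])


def lc_assigns_public_ip(lc: Resource) -> bool:
    """associatePublicIpAddress exists and associatePublicIpAddress is true."""
    return lc.get("associatePublicIpAddress") is True


def lc_imds_hop_limit_too_high(lc: Resource) -> bool:
    """httpEndpoint equals "enabled" and httpPutResponseHopLimit greater than 1."""
    md = lc.get("metadataOptions") or {}
    return md.get("httpEndpoint") == "enabled" and md.get("httpPutResponseHopLimit", 1) > 1


def lc_imdsv2_optional(lc: Resource) -> bool:
    """(httpEndpoint does not exist) or (httpEndpoint equals "enabled" and httpTokens equals "optional")."""
    md = lc.get("metadataOptions") or {}
    if "httpEndpoint" not in md:
        return True  # no explicit metadata options: IMDSv1 stays usable by default
    return md.get("httpEndpoint") == "enabled" and md.get("httpTokens") == "optional"


def launch_config_findings(launch_configs: List[Resource], asgs: List[Resource]) -> List[Tuple[str, str]]:
    """Apply the public-IP policy and the two IMDS policies.

    The IMDS policies join against 'aws-describe-auto-scaling-groups' (the "as Y; filter"
    clause, compared ignoring case), so they only report launch configurations that some
    Auto Scaling group actually references. The public-IP policy has no join.
    """
    in_use = {a["launchConfigurationName"].lower() for a in asgs if a.get("launchConfigurationName")}
    findings: List[Tuple[str, str]] = []
    for lc in launch_configs:
        name = lc["launchConfigurationName"]
        if lc_assigns_public_ip(lc):
            findings.append(("public-ip-enabled", name))
        if name.lower() in in_use:
            if lc_imds_hop_limit_too_high(lc):
                findings.append(("imds-hop-limit-gt-1", name))
            if lc_imdsv2_optional(lc):
                findings.append(("imdsv2-not-required", name))
    return findings


# Constructed sample data (not real account output).
SAMPLE_FUNCTIONS = [
    {"functionName": "api-open", "cors": {"allowOrigins": ["*"], "allowMethods": ["*"]}},
    {"functionName": "api-scoped", "cors": {"allowOrigins": ["https://app.example.com"], "allowMethods": ["GET"]}},
    {"functionName": "no-url"},  # no function URL, so no cors block
]
SAMPLE_LAUNCH_CONFIGS = [
    {"launchConfigurationName": "web-lc", "associatePublicIpAddress": True,
     "metadataOptions": {"httpEndpoint": "enabled", "httpTokens": "optional", "httpPutResponseHopLimit": 2}},
    {"launchConfigurationName": "worker-lc", "associatePublicIpAddress": False,
     "metadataOptions": {"httpEndpoint": "enabled", "httpTokens": "required", "httpPutResponseHopLimit": 1}},
    {"launchConfigurationName": "legacy-lc"},  # no metadataOptions at all
]
SAMPLE_ASGS = [
    {"autoScalingGroupName": "web", "launchConfigurationName": "WEB-LC"},  # case-insensitive join
    {"autoScalingGroupName": "worker", "launchConfigurationName": "worker-lc"},
    # legacy-lc is referenced by no group, so the joined IMDS policies skip it
]

if __name__ == "__main__":
    for fn in SAMPLE_FUNCTIONS:
        print(fn["functionName"], "wildcard CORS:", lambda_cors_is_wildcard(fn))
    for policy, name in launch_config_findings(SAMPLE_LAUNCH_CONFIGS, SAMPLE_ASGS):
        print(f"{policy}: {name}")
```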

Policy Updates

Policy Updates—RQL

Policy: AWS CloudTrail is not enabled with multi trail and not capturing all management events
Changes— The policy RQL is updated to check whether logging of all management events has been enabled via basic or advanced event selectors.
Severity— Informational
Policy Type— Config
Current RQL—
  config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails'
  AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X;
  config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status'
  AND json.rule = 'status.isLogging equals true' as Y;
  config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors'
  AND json.rule = 'eventSelectors[*].readWriteType contains All' as Z;
  filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1
Updated RQL—
  config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails'
  AND json.rule = 'isMultiRegionTrail is true and includeGlobalServiceEvents is true' as X;
  config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status'
  AND json.rule = 'status.isLogging equals true' as Y;
  config from cloud.resource where api.name= 'aws-cloudtrail-get-event-selectors'
  AND json.rule = '(eventSelectors[].readWriteType contains All
  and eventSelectors[].includeManagementEvents equal ignore case true)
  or (advancedEventSelectors[].fieldSelectors[] contains "Management"
  and advancedEventSelectors[].fieldSelectors[]. does not contain "readOnly"
  and advancedEventSelectors[].fieldSelectors[]. does not contain "eventSource")' as Z;
  filter '($.X.trailARN equals $.Z.trailARN) and ($.X.name equals $.Y.trail)'; show X; count(X) less than 1
Impact— Medium. Alerts will be generated when logging of all management events is not enabled by default through advanced selectors. Existing alerts where logging of all management events was enabled via advanced selectors will be resolved.
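
The Z clause of the updated RQL above, as a local Python check over constructed 'aws-cloudtrail-get-event-selectors' data (an added example, not Prisma Cloud code). Key names follow the RQL's camelCase; because the RQL matches substrings of the flattened fieldSelectors, the check reads "contains Management but not readOnly or eventSource" as: some selector targets eventCategory Management, and no readOnly or eventSource field selector appears anywhere on the trail (an interpretation, not the vendor's implementation).

```python
# Added example (not Prisma Cloud code): does a trail's selector set capture ALL
# management events, per the updated RQL? Both selector styles are handled.
from typing import Any, Dict, List

Selectors = Dict[str, Any]


def basic_selectors_log_all_management(event_selectors: List[Dict[str, Any]]) -> bool:
    """eventSelectors[].readWriteType contains All and includeManagementEvents equal ignore case true."""
    return any(
        s.get("readWriteType") == "All"
        and str(s.get("includeManagementEvents", "")).lower() == "true"
        for s in event_selectors
    )


def advanced_selectors_log_all_management(advanced: List[Dict[str, Any]]) -> bool:
    """fieldSelectors contain "Management" but neither "readOnly" nor "eventSource"."""
    # Flatten across all advanced selectors, as the RQL's fieldSelectors[] does.
    fields = [f for sel in advanced for f in sel.get("fieldSelectors", [])]
    selects_management = any(
        f.get("field") == "eventCategory" and "Management" in f.get("equals", []) for f in fields
    )
    # readOnly narrows to read-only or write-only events; eventSource narrows to some
    # services. Either means the trail is not capturing all management events.
    narrowed = any(f.get("field") in ("readOnly", "eventSource") for f in fields)
    return selects_management and not narrowed


def trail_logs_all_management_events(resp: Selectors) -> bool:
    """True if either the basic or the advanced selectors cover all management events."""
    return basic_selectors_log_all_management(resp.get("eventSelectors", [])) or \
        advanced_selectors_log_all_management(resp.get("advancedEventSelectors", []))


# Constructed samples (not real account output).
BASIC_ALL = {"eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True}]}
BASIC_WRITE_ONLY = {"eventSelectors": [{"readWriteType": "WriteOnly", "includeManagementEvents": True}]}
ADVANCED_ALL = {"advancedEventSelectors": [
    {"name": "mgmt", "fieldSelectors": [{"field": "eventCategory", "equals": ["Management"]}]}]}
ADVANCED_READ_ONLY = {"advancedEventSelectors": [
    {"name": "mgmt-ro", "fieldSelectors": [
        {"field": "eventCategory", "equals": ["Management"]},
        {"field": "readOnly", "equals": ["true"]}]}]}
ADVANCED_DATA_ONLY = {"advancedEventSelectors": [
    {"name": "s3-data", "fieldSelectors": [
        {"field": "eventCategory", "equals": ["Data"]},
        {"field": "resources.type", "equals": ["AWS::S3::Object"]}]}]}

if __name__ == "__main__":
    cases = [("basic/all", BASIC_ALL), ("basic/write-only", BASIC_WRITE_ONLY),
             ("advanced/all", ADVANCED_ALL), ("advanced/read-only", ADVANCED_READ_ONLY),
             ("advanced/data-only", ADVANCED_DATA_ONLY)]
    for label, resp in cases:
        print(f"{label}: logs all management events = {trail_logs_all_management_events(resp)}")
```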

GCP VM instances have block project-wide SSH keys feature disabled
Changes— The policy RQL is updated to check for enabling OS Login for the GCP VM instances.
Severity— Low
Policy Type— Config
Current RQL—

config from cloud.resource where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist as X;
config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and (metadata.items[?any(key exists and key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and name does not start with "gke-") as Y;
filter '$.Y.zone contains $.X.name'; show Y;

Updated RQL—

config from cloud.resource where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and commonInstanceMetadata.items[?any(key contains "ssh-keys")] exists as X;
config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and ( metadata.items[?any(key exists and key contains "block-project-ssh-keys" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and metadata.items[?any(key exists and key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] does not exist and name does not start with "gke-") as Y;
filter '$.Y.zone contains $.X.name'; show Y;

Impact— Low. Alerts will be generated where OS Login is not enabled for the GCP VM instances. Existing alerts where block-project-ssh-keys is disabled at the project level are resolved as Policy_Updated.

Policy Updates—Metadata

Updates to Azure Policy Names
Changes— The policy names are revised as follows:
Current Policy Name— Azure storage account logging for tables is disabled
Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for tables is disabled
Current Policy Name— Azure storage account logging for blobs is disabled
Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for blobs is disabled
Current Policy Name— Azure storage account logging for queues is disabled
Updated Policy Name— Azure storage account logging (Classic Diagnostic Setting) for queues is disabled
Severity— Informational
Policy Type— Config
Impact— No impact since only the policy names are updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for CIS AWS Foundations Benchmark v2.0.0
Prisma Cloud now supports the CIS AWS Foundations Benchmark v2.0.0 compliance standard. This benchmark specifies industry best practices for configuring AWS services. With this support, you can view this built-in standard and the associated policies on the Compliance > Standard page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time.

Changes in Existing Behavior

FEATURE DESCRIPTION

Code Security has a New Name
Cloud Application Security is the new name for the combination of the Cloud Code Security capabilities and the newly introduced CI/CD Security module. CI/CD Security is available as a standard a-la-carte option or as an add-on with the Prisma Cloud Runtime Security Foundations or Advanced bundles.

Update Amazon Inspector API
Prisma Cloud will no longer ingest metadata for the aws-inspector-v2-finding API. Due to this change, you will no longer be able to view the list of assets on the Investigate page or perform an RQL search query for this API.
Impact—All the resources that were ingested as part of the aws-inspector-v2-finding API will be removed, and all existing alerts associated with the API will be resolved as Resource_Deleted.

REST API Updates


No REST API updates for 23.8.2.

New Features Introduced in 23.8.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• IAM Policy Updates
• Changes in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION

Attack Path Analysis and Visualization
Prisma Cloud now includes attack path analysis and visualization that identifies attack paths and presents them in a graph view, offering valuable security context to protect against high-risk threats. It is an automated process that identifies exposed vulnerable assets and indicates the likelihood of a breach, which often requires immediate action. Whenever there is a policy violation, the attack path policy generates an alert as long as there is a matching alert rule. You can see additional information in the graph view by clicking on a node. Additionally, the asset detail view displays the finding types and vulnerabilities. To review these policies, select Policies and filter by Policy Type Attack Path. Attack Path policies are not available in the China and Government regions.

Credit Requirements Updates
Starting August 1, 2023, Prisma Cloud Enterprise Edition will reduce the number of credits required.
Visibility, Compliance, and Governance (for CSPM use cases) will only require 1 credit per virtual machine (AWS EC2s, Azure Virtual Machines and Virtual Machine Scale Sets, Google Cloud Google Compute Engine (GCE), Oracle Cloud (OCI) Compute, Alibaba Cloud ECS). Load Balancers, NAT gateways, Databases and Data Warehouse cloud resources will no longer require credits.
IAM Security (for CIEM use cases) will only require 0.25 credit per virtual machine. Load Balancers, NAT gateways, Databases and Data Warehouse cloud resources will no longer require credits.
Host Security credit requirements reduce from 1 to 0.5 credit per Host Defender.
Container Security credit requirements reduce from 7 to 5 credits per Container Defender.
Web Application and API Security credit requirements reduce from 30 to 2 credits per Defender performing inline protection.
The Prisma Cloud Enterprise Edition Licensing Guide will reflect these changes on August 1, 2023.

Support for New Region on AWS
Prisma Cloud now ingests data for resources deployed in the Spain region on AWS. To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

Enhancement Tenant-Level Opt-Out for Prisma Cloud Chronicles
For greater control and flexibility for system administrators within your organization, you can now opt out all your administrators from receiving the Prisma Cloud Chronicles at the tenant level under Settings > Enterprise Settings > Unsubscribe from Prisma Cloud Chronicles. An email is sent to all administrators notifying them that a System Administrator has opted them out. Each administrator who wants to receive the latest weekly updates can edit their preference on their Prisma Cloud user profile to opt in to the newsletter.

API Ingestions

SERVICE API DETAILS

AWS Cost Explorer: aws-costexplorer-cost-and-usage
Additional permission required:
• ce:GetCostAndUsage
You must manually add the permission or update the CFT template to enable the permission.

Amazon ElastiCache: aws-elasticache-user
Additional permission required:
• elasticache:DescribeUsers
The Security Audit role includes the permission.

Amazon Macie: aws-macie2-administrator-account
Additional permission required:
• macie2:ListOrganizationAdminAccounts
You must manually add the permission or update the CFT template to enable the permission.

Update Amazon Simple Email Service: aws-ses-identities
Additional permission required:
• ses:GetIdentityVerificationAttributes

Update Amazon VPC: aws-ec2-describe-flow-logs
The resource JSON for this API will be updated to include the DeliverLogStatus field.

Azure Data Lake Store Gen1: azure-data-lake-store-gen1-diagnostic-settings
Additional permissions required:
• Microsoft.DataLakeStore/accounts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure IoT Hub: azure-devices-iot-hub-resource-diagnostic-settings
Additional permissions required:
• Microsoft.Devices/iotHubs/Read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Key Vault: azure-key-vault-managed-hsms-diagnostic-settings
Additional permissions required:
• Microsoft.KeyVault/managedHSMs/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Key Vault: azure-key-vault-managed-hsms
Additional permission required:
• Microsoft.KeyVault/managedHSMs/read
The Reader role includes the permission.

Google Firebase App Distribution: gcloud-firebase-app-distribution-tester
Additional permissions required:
• resourcemanager.projects.get
• firebaseappdistro.testers.list
The Viewer role includes the permissions.

Google Cloud Identity Platform: gcloud-identity-platform-tenant-configuration
Additional permissions required:
• identitytoolkit.tenants.list
• identitytoolkit.tenants.getIamPolicy
The Viewer role includes the permissions.

Google Cloud Identity Platform: gcloud-identity-platform-project-user-account
Additional permission required:
• firebaseauth.users.get
The Viewer role includes the permission.

Google Cloud Identity Platform: gcloud-identity-platform-tenant-user-account
Additional permissions required:
• identitytoolkit.tenants.list
• firebaseauth.users.get
The Viewer role includes the permissions.

Google Cloud Identity Platform: gcloud-identity-platform-project-configuration
Additional permission required:
• firebaseauth.configs.get
The Viewer role includes the permission.

OCI Block Storage: oci-block-storage-boot-volume
Additional permissions required:
• COMPARTMENT_INSPECT
• VOLUME_INSPECT
You must download and execute the Terraform template from the console to enable the permissions.

OCI Block Storage: oci-block-storage-boot-volume-attachment
Additional permissions required:
• COMPARTMENT_INSPECT
• VOLUME_ATTACHMENT_INSPECT
• VOLUME_ATTACHMENT_READ
You must download and execute the Terraform template from the console to enable the permissions.

OCI Networking: oci-networking-private-ip
Additional permissions required:
• SUBNET_READ
• PRIVATE_IP_READ
You must download and execute the Terraform template from the console to enable the permissions.

OCI Networking: oci-networking-public-ip
Additional permission required:
• PUBLIC_IP_READ
You must download and execute the Terraform template from the console to enable the permission.

Update OCI Database: oci-oracledatabase-databases
The resource JSON for this API has been updated to include new fields:
• nsgIds
• psubnetId
• backupNetworkNsgIds
• backupSubnetId

New Policies

NEW POLICIES DESCRIPTION

Unusual Usage of Workload Credentials Anomaly Policies
Two new anomaly policies are now available on the Policies page in Prisma Cloud.
• Unusual usage of Workload Credentials from outside the Cloud
• Unusual usage of Workload Credentials from inside the Cloud
The policies detect the use of a credential assigned to a compute resource from a different resource, which could be outside or inside the cloud service provider. This is typically a sign of an attack or a very unusual use of resource credentials. The policies are triggered based on whether the anomalous IP address is outside or inside the cloud provider's IP address range.
In addition to these policies, this release includes a new Identity section in the anomaly settings to configure the Unusual usage of Workload Credentials from inside the Cloud policy.
Severity—Medium.

AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS Elastic Beanstalk Instance
Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing Elastic Beanstalk (EBS) environment is at risk of these dangling domain entries being taken over by an attacker who creates a similarly named Elastic Beanstalk (EBS) environment in any AWS account which the attacker owns or controls. Attackers can use this domain for phishing attacks, spreading malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS record entries from your AWS Route 53 hosted zones.

config from cloud.resource where api.name = 'aws-route53-list-hosted-zones' AND json.rule = hostedZone.config.privateZone is false and resourceRecordSet[?any( type equals CNAME and resourceRecords[*].value contains elasticbeanstalk.com)] exists as X;
config from cloud.resource where api.name = 'aws-elasticbeanstalk-environment' as Y;
filter 'not (X.resourceRecordSet[*].resourceRecords[*] intersects $.Y.cname)'; show X;

Policy Type— Config
Severity— High

Azure App Service web apps with public network access
Identifies Azure App Service web apps that are publicly accessible. Publicly accessible web apps could allow malicious actors to remotely exploit any vulnerabilities they have. It is recommended to configure the App Service web apps with private endpoints so that the web apps hosted are accessible only to restricted entities.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.state equal ignore case running and properties.publicNetworkAccess exists and properties.publicNetworkAccess equal ignore case Enabled and config.ipSecurityRestrictions[?any(action equals Allow and ipAddress equals Any)] exists'

Policy Type— Config
Severity— Medium

Azure Function app configured with public network access
Identifies Azure Function apps that are configured with public network access. Publicly accessible web apps could allow malicious actors to remotely exploit any vulnerabilities they have. It is recommended to configure the App Service web apps with private endpoints so that the functions hosted are accessible only to restricted entities.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with functionapp and properties.state equal ignore case running and properties.publicNetworkAccess exists and properties.publicNetworkAccess equal ignore case ENABLED

Policy Type— Config
Severity— Medium

Azure Data Explorer cluster double encryption is disabled
Identifies Azure Data Explorer clusters in which double encryption is disabled. Double encryption adds a second layer of encryption using service-managed keys. It is recommended to enable infrastructure double encryption on Data Explorer clusters so that encryption can be implemented at the layer closest to the storage device or network wires.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kusto-clusters' AND json.rule = properties.state equal ignore case Running and properties.enableDoubleEncryption is false

Policy Type— Config
Severity— Informational

Azure Data Explorer cluster disk encryption is disabled
Identifies Azure Data Explorer clusters in which disk encryption is disabled. Enabling encryption at rest on your cluster provides data protection for stored data. It is recommended to enable disk encryption on Data Explorer clusters.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kusto-clusters' AND json.rule = properties.state equal ignore case Running and properties.enableDiskEncryption is false

Policy Type— Config
Severity— Medium

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

Prisma™ Cloud Release Notes 31 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

GCP VPC Flow logs for the subnet is set to Off
Changes— The policy RQL has been updated to exclude proxy-only subnets from the check, as VPC flow logs are not supported for proxy-only subnets.
Severity— Informational
Policy Type— Config
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = purpose does not contain INTERNAL_HTTPS_LOAD_BALANCER and (enableFlowLogs is false or enableFlowLogs does not exist)

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = purpose does not contain INTERNAL_HTTPS_LOAD_BALANCER and purpose does not contain "REGIONAL_MANAGED_PROXY" and (enableFlowLogs is false or enableFlowLogs does not exist)

Impact— Low. Alerts generated for proxy-only subnets will be resolved as Policy_updated.

IAM Policy Updates


Prisma Cloud has updated the IAM policy as follows:

Current Policy Name— EC2 with IAM role attached has s3:GetObject permission
Updated Policy Name— EC2 with IAM role attached has s3:GetObject and s3:ListBucket permissions
Current RQL—

config from iam where dest.cloud.type = 'AWS' AND action.name IN ('s3:ListBucket') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'

Updated RQL—

config from iam where dest.cloud.type = 'AWS' AND action.name CONTAINS ALL ('s3:ListBucket', 's3:GetObject') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'

Changes in Existing Behavior

FEATURE DESCRIPTION

Microsegmentation EoS
With the 23.8.1 release, the credit usage for Microsegmentation is no longer displayed on Settings > Licensing. This change follows the announcement of the Microsegmentation capabilities as End-of-Sale effective August 31, 2022. To retrieve your credit consumption for Microsegmentation, you can use the POST /license/api/v1/usage API.

REST API Updates


No REST API updates for 23.8.1.

Features Introduced in July 2023


Learn what’s new on Prisma™ Cloud in July 2023.
• New Features Introduced in 23.7.2
• New Features Introduced in 23.7.1

New Features Introduced in 23.7.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• IAM Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION

Prisma™ Cloud Release Notes 33 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

Integrated View of Run and Build details for Alerts
To help you as a Cloud Security Engineer investigate issues from code to cloud, the alert details now include information to trace and attribute which build-time resource has caused a policy violation for a runtime resource deployed in your cloud account. The alert details overview includes the IaC resource details and information on the build-time resource. The new Traceability information helps you connect an alert from the production environment back to the origin templates in your upstream development environment.
To view the build-time details in an alert:
• You must enable a Configuration policy with the subtype Run, Build and attach it to an alert rule on Prisma Cloud.
• Your IaC templates must be onboarded through a VCS integration.
• Terraform resources must include the yor_trace tag so that your IaC resources are tagged with a unique UUID for tracing the relationship between the code resource and the runtime resource that is deployed from it. This is not necessary for CloudFormation.

Prisma Cloud Data Security - Asset Level Scan
Your organization's S3 buckets usually hold several TB or PB of data. To reduce the cost of scanning such a large volume of data and to provide you with more value, Prisma Cloud Data Security now offers the option of an Asset Level Scan. When you select this option (the default) while configuring a scan, Prisma Cloud randomly scans 10% of objects or a maximum of 1TB (whichever is lower) and sends the data for analysis. It stops the scan as soon as it detects an object with sensitive data and triggers the 'Storage Asset with sensitive data found' policy.
Asset Level Scan only applies when you select the Backward Scan mode; it performs exposure analysis and data classification but not malware scanning. It is only available when you're configuring a data security scan for your AWS cloud accounts.

Prisma™ Cloud Release Notes 35 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

API Ingestions

SERVICE API DETAILS

Amazon Inspector: aws-inspector-v2-coverage
Additional permission required:
• inspector2:ListCoverage
The Security Audit role includes the permission.

Amazon Inspector: aws-inspector-v2-finding
Additional permission required:
• inspector2:ListFindings
The Security Audit role includes the permission.

Amazon Inspector: aws-inspector-v2-filter
Additional permission required:
• inspector2:ListFilters
The Security Audit role includes the permission.

Amazon Inspector: aws-inspector-v2-permission
Additional permission required:
• inspector2:ListAccountPermissions
The Security Audit role includes the permission.

Azure Virtual Network: azure-bastion-diagnostic-settings
Additional permissions required:
• Microsoft.Network/bastionHosts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Google Deployment Manager: gcloud-deployment-manager-deployment
Additional permissions required:
• deploymentmanager.deployments.list
• deploymentmanager.deployments.getIamPolicy
The Viewer role only includes the permission deploymentmanager.deployments.list. You must manually add the permission or update the Terraform template to enable deploymentmanager.deployments.getIamPolicy.

Google Deployment Manager: gcloud-deployment-manager-deployment-manifest
Additional permissions required:
• deploymentmanager.deployments.list
• deploymentmanager.manifests.list
The Viewer role includes the permissions.

Google Stackdriver Monitoring: gcloud-monitoring-group
Additional permission required:
• monitoring.groups.list
The Viewer role includes the permission.

Google Stackdriver Monitoring: gcloud-monitoring-snooze
Additional permission required:
• monitoring.snoozes.list
The Viewer role includes the permission.

Google Cloud Translation: gcloud-translation-model
Additional permissions required:
• cloudtranslate.locations.list
• cloudtranslate.customModels.list
The Viewer role includes the permissions.

Google Cloud Translation: gcloud-translation-native-dataset
Additional permissions required:
• cloudtranslate.locations.list
• cloudtranslate.datasets.list
The Viewer role includes the permissions.
Legacy Datasets are not ingested as part of this API.

New Policies
No new policies for 23.7.2.

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

AWS Secret Manager Automatic Key Rotation is not enabled
Changes— The policy description and RQL are updated. The policy RQL is updated to exclude the secrets managed by owning services.
Updated Description— Identifies AWS Secrets Manager secrets that are not enabled with key rotation. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.
This policy does not include secrets which are managed by some of the AWS services that store AWS Secrets Manager secrets on your behalf.
Policy Severity— Low
Policy Type— Config
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false and owningService is not member of (appflow, databrew, datasync, directconnect, events, opsworks-cm, rds, sqlworkbench)

Impact— Low. Existing alerts are resolved as Policy_Updated for secrets managed by owning services such as appflow, databrew, datasync, directconnect, events, opsworks-cm, rds, and sqlworkbench.

AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured
Changes— The policy RQL is updated to exclude NLBs that forward to an ALB using a TCP listener, as per the AWS limitation.
Policy Severity— Low
Policy Type— Config
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'state.code contains active and ((listeners[*].protocol equals HTTPS or listeners[*].protocol equals TLS) and listeners[*].certificates[*].certificateAr does not exist) or listeners[*].protocol equals HTTP or listeners[*].protocol equals TCP or listeners[*].protocol equals UDP or listeners[*].protocol equals TCP_UDP'

Updated RQL—

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any( protocol equals HTTP or protocol equals TCP or protocol equals UDP or protocol equals TCP_UDP )] exists as X;
config from cloud.resource where api.name = 'aws-elbv2-target-group' AND json.rule = targetType does not equal alb and protocol exists and protocol is not member of ('TLS', 'HTTPS') as Y;
filter '$.X.listeners[?any( protocol equals HTTP or protocol equals UDP or protocol equals TCP_UDP )] exists or ( $.X.listeners[*].protocol equals TCP and $.X.listeners[*].defaultActions[*].targetG contains $.Y.targetGroupArn)'; show X;

Impact— Low. Alerts that are generated for NLBs which forward to an ALB via a TCP listener will be resolved as Policy_Updated.
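
The following is an added example, not Prisma Cloud code: an offline Python check that mirrors the updated ELBv2 RQL above, showing the NLB-to-ALB exclusion in action. Load balancer records are assumed to carry their listeners nested under a "Listeners" key with "DefaultActions[].TargetGroupArn" (the RQL's listeners[*].defaultActions[*] path), and the TCP condition is evaluated per listener rather than across all listeners of the load balancer; all sample data is constructed.

```python
"""Offline check mirroring the updated ELBv2 'listener TLS/SSL is not configured' RQL.

Added example, not Prisma Cloud code. Shapes follow DescribeLoadBalancers,
DescribeListeners and DescribeTargetGroups, with listeners nested under each
load balancer; sample data below is constructed.
"""
from typing import Any, Dict, List, Set

Json = Dict[str, Any]
PLAIN_PROTOCOLS = {"HTTP", "UDP", "TCP_UDP"}   # always flagged by the RQL filter


def unencrypted_target_group_arns(target_groups: List[Json]) -> Set[str]:
    """Y: target groups that are not ALB-type and do not speak TLS/HTTPS."""
    return {
        tg["TargetGroupArn"]
        for tg in target_groups
        if tg.get("TargetType") != "alb"
        and tg.get("Protocol") is not None
        and tg["Protocol"] not in ("TLS", "HTTPS")
    }


def listener_is_flagged(listener: Json, plain_tg_arns: Set[str]) -> bool:
    """A listener violates the policy when it is HTTP/UDP/TCP_UDP, or when it is
    TCP and forwards to a non-ALB, non-TLS target group. A TCP listener in front
    of an ALB-type target group (the NLB -> ALB pattern) is excluded, because
    TLS is terminated on the ALB behind it."""
    proto = listener.get("Protocol")
    if proto in PLAIN_PROTOCOLS:
        return True
    if proto == "TCP":
        return any(a.get("TargetGroupArn") in plain_tg_arns
                   for a in listener.get("DefaultActions", []))
    return False


def load_balancers_without_tls(load_balancers: List[Json], target_groups: List[Json]) -> List[str]:
    """X joined with Y: ARNs of active load balancers with at least one flagged listener."""
    plain = unencrypted_target_group_arns(target_groups)
    return [
        lb["LoadBalancerArn"]
        for lb in load_balancers
        if "active" in lb.get("State", {}).get("Code", "")
        and any(listener_is_flagged(l, plain) for l in lb.get("Listeners", []))
    ]


# Constructed sample resources (not real account data).
_TG = "arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/"
_LB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/"
ALB_TG, INST_TG, TLS_TG = _TG + "alb-tg/1", _TG + "inst-tg/2", _TG + "tls-tg/3"
NLB_TO_ALB, NLB_PLAIN, NLB_TLS_BACKEND = _LB + "net/nlb-front/a", _LB + "net/nlb-plain/b", _LB + "net/nlb-tls/c"
ALB_HTTP, ALB_HTTPS, NLB_PROVISIONING = _LB + "app/alb-http/d", _LB + "app/alb-https/e", _LB + "net/nlb-new/f"

SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": ALB_TG, "TargetType": "alb", "Protocol": "TCP"},
    {"TargetGroupArn": INST_TG, "TargetType": "instance", "Protocol": "TCP"},
    {"TargetGroupArn": TLS_TG, "TargetType": "instance", "Protocol": "TLS"},
]


def _lb(arn: str, state: str, protocol: str, tg_arn: str) -> Json:
    return {"LoadBalancerArn": arn, "State": {"Code": state},
            "Listeners": [{"Protocol": protocol,
                           "DefaultActions": [{"Type": "forward", "TargetGroupArn": tg_arn}]}]}


SAMPLE_LOAD_BALANCERS = [
    _lb(NLB_TO_ALB, "active", "TCP", ALB_TG),           # NLB -> ALB: excluded by the update
    _lb(NLB_PLAIN, "active", "TCP", INST_TG),           # TCP to instances: flagged
    _lb(NLB_TLS_BACKEND, "active", "TCP", TLS_TG),      # TCP to a TLS target group: not in Y
    _lb(ALB_HTTP, "active", "HTTP", INST_TG),           # plaintext listener: flagged
    _lb(ALB_HTTPS, "active", "HTTPS", INST_TG),         # encrypted listener: not flagged
    _lb(NLB_PROVISIONING, "provisioning", "HTTP", INST_TG),  # not active: out of scope
]

if __name__ == "__main__":
    for arn in load_balancers_without_tls(SAMPLE_LOAD_BALANCERS, SAMPLE_TARGET_GROUPS):
        print("no TLS on listener:", arn)
```
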

OCI Block Storage Block Volume does not have backup enabled
Changes— The policy description and RQL are updated. The RQL is updated to exclude block volumes which are attached to volume groups.
Updated Description— Identifies the OCI Block Storage Volumes that do not have backup enabled. It is recommended to have block volume backup policies on each block volume so that the block volume can be restored during data loss events.
Note: This policy is not applicable for block volumes that are added to volume groups.
Policy Severity— Low
Policy Type— Config
Current RQL—

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-block-storage-volume' AND json.rule = volumeBackupPolicyAssignment[*] size equals 0

Updated RQL—

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-block-storage-volume' AND json.rule = volumeBackupPolicyAssignment[*] size equals 0 and volumeGroupId equal ignore case "null"

Impact— Low. Alerts that are generated for block volumes added to volume groups will be resolved as Policy_Updated.

Policy Updates—Metadata

AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk
Changes— The policy name and description are updated to reflect the association of this risk with S3 Buckets, providing a more accurate representation of the associated service.
Current Policy Name— AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk
Updated Policy Name— AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS S3 Bucket
Updated Description— Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk associated with AWS S3 Bucket. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing S3 bucket is at risk of these dangling domain entries being taken over by an attacker who creates a similarly named S3 bucket in any AWS account which the attacker owns or controls. Attackers can use this domain for phishing attacks, spreading malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS record entries from your AWS Route 53 hosted zones.
Policy Severity— High
Policy Type— Config
Impact— None.
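
The following is an added example, not Prisma Cloud code, that serves both the Elastic Beanstalk dangling-record policy (and its RQL) in the 23.8.1 New Policies section and the S3 Bucket policy renamed above: an offline Python check that lists CNAMEs in a public hosted zone pointing at a provider suffix for which no endpoint the account still owns exists. Record shapes follow the Route 53 ListResourceRecordSets response; the "s3-website" marker and the two S3 website endpoint naming forms are assumptions of this example (the page shows no S3 RQL), and all sample data is constructed.

```python
"""Dangling-CNAME check for Route 53 public hosted zones.

Added example, not Prisma Cloud code. Mirrors the Elastic Beanstalk policy RQL
(privateZone is false, CNAME value contains elasticbeanstalk.com, not
intersecting any environment cname) and generalises it to S3 website
endpoints. All sample data below is constructed.
"""
from typing import Any, Dict, Iterable, List, Tuple

Json = Dict[str, Any]

EB_MARKER = "elasticbeanstalk.com"   # from the policy RQL on this page
S3_WEBSITE_MARKER = "s3-website"     # assumption: S3 static website endpoint naming


def _norm(host: str) -> str:
    """Compare hostnames case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()


def provider_cnames(zone: Json, marker: str) -> List[Tuple[str, str]]:
    """X: CNAME records of a public zone whose target contains `marker`.
    Returns (record name, target) pairs; private zones yield nothing."""
    if zone.get("Config", {}).get("PrivateZone", False):
        return []
    found = []
    for rrset in zone.get("ResourceRecordSets", []):
        if rrset.get("Type") != "CNAME":
            continue
        for rec in rrset.get("ResourceRecords", []):
            target = _norm(rec["Value"])
            if marker in target:
                found.append((_norm(rrset["Name"]), target))
    return found


def dangling_cnames(zone: Json, marker: str, owned_endpoints: Iterable[str]) -> List[Tuple[str, str]]:
    """RQL filter 'not (... intersects $.Y.cname)': keep CNAMEs whose target is
    not an endpoint present in the account (the Y resources)."""
    owned = {_norm(e) for e in owned_endpoints}
    return [(name, target) for name, target in provider_cnames(zone, marker) if target not in owned]


def s3_website_endpoints(buckets: Iterable[Tuple[str, str]]) -> List[str]:
    """Website endpoints for (bucket, region) pairs in both AWS naming forms
    (assumption of this example; the page gives no S3 RQL)."""
    out = []
    for bucket, region in buckets:
        out.append(f"{bucket}.s3-website-{region}.amazonaws.com")
        out.append(f"{bucket}.s3-website.{region}.amazonaws.com")
    return out


# Constructed sample data (not a real zone or account).
SAMPLE_ZONE = {
    "Id": "/hostedzone/EXAMPLEZONEID",
    "Config": {"PrivateZone": False},
    "ResourceRecordSets": [
        {"Name": "app.example.com.", "Type": "CNAME",
         "ResourceRecords": [{"Value": "live-env.eba-abc123.us-east-1.elasticbeanstalk.com"}]},
        {"Name": "old.example.com.", "Type": "CNAME",
         "ResourceRecords": [{"Value": "retired-env.eba-zzz999.us-east-1.elasticbeanstalk.com"}]},
        {"Name": "www.example.com.", "Type": "CNAME",
         "ResourceRecords": [{"Value": "www.example.com.s3-website-us-east-1.amazonaws.com"}]},
        {"Name": "assets.example.com.", "Type": "CNAME",
         "ResourceRecords": [{"Value": "assets-old.s3-website-us-east-1.amazonaws.com"}]},
        {"Name": "example.com.", "Type": "A", "ResourceRecords": [{"Value": "192.0.2.10"}]},
    ],
}
# Y for the Elastic Beanstalk policy: cname values of environments still in the account.
SAMPLE_EB_ENV_CNAMES = ["live-env.eba-abc123.us-east-1.elasticbeanstalk.com"]
# Buckets still in the account, for the S3 variant.
SAMPLE_BUCKETS = [("www.example.com", "us-east-1")]

if __name__ == "__main__":
    print("EB:", dangling_cnames(SAMPLE_ZONE, EB_MARKER, SAMPLE_EB_ENV_CNAMES))
    print("S3:", dangling_cnames(SAMPLE_ZONE, S3_WEBSITE_MARKER, s3_website_endpoints(SAMPLE_BUCKETS)))
```
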

IAM Policy Updates


Prisma Cloud has updated the following AWS IAM out-of-the-box (OOTB) policies as follows:

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & CloudFormation stack permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'cloudformation:CreateStack', 'cloudformation:DescribeStacks') AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'cloudformation:CreateStack', 'cloudformation:DescribeStacks') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & Lambda create Function & Event source mapping permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction') AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & SageMaker create training job permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateTrainingJob' ) AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateTrainingJob' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & CodeStar project permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codestar:CreateProject' ) AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codestar:CreateProject' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & Lambda create Function & add permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:AddPermission', 'lambda:CreateFunction') AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:AddPermission', 'lambda:CreateFunction') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

Policy Name— AWS IAM policy allows Privilege escalation via PassRole & CodeBuild permissions
Current RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codebuild:CreateProject', 'codebuild:StartBuild', 'codebuild:StartBuildBatch') AND dest.cloud.resource.name ENDS WITH '*' and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Updated RQL—

config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codebuild:CreateProject', 'codebuild:StartBuild', 'codebuild:StartBuildBatch') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist

Current Severity— High
Updated Severity— Medium

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & CONTAINS ALL CONTAINS ALL
SageMaker ( 'iam:PassRole', ( 'iam:PassRole',
create notebook 'sagemaker:CreateNotebookInstance',
'sagemaker:CreateNotebookInstance',
permissions 'sagemaker:CreatePresignedNotebookInstanceUrl'
'sagemaker:CreatePresignedNotebookInstanceUrl'
)
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & CONTAINS ALL CONTAINS ALL
SageMaker ( 'iam:PassRole', ( 'iam:PassRole',
create 'sagemaker:CreateProcessingJob'
'sagemaker:CreateProcessingJob'
) )
processing job AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
permissions
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
exist

Prisma™ Cloud Release Notes 44 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

does not
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
EC2 Instance CONTAINS ALL CONTAINS ALL
Connect ( 'ec2:DescribeInstances',
( 'ec2:DescribeInstances',
permissions 'ec2- 'ec2-
instance- instance-
connect:SendSSHPublicKey',
connect:SendSSHPublicKey',
'ec2- 'ec2-
instance- instance-
connect:SendSerialConsoleSSHPublicKey'
connect:SendSerialConsoleSSHPublicKey'
) )
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH '*’ = true

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & EC2 CONTAINS ALL CONTAINS ALL
permissions ( 'iam:PassRole', ( 'iam:PassRole',
'ec2:RunInstances''ec2:RunInstances'
) )
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & CONTAINS ALL CONTAINS ALL
Data Pipeline ( 'iam:PassRole', ( 'iam:PassRole',
permissions 'datapipeline:ActivatePipeline',
'datapipeline:ActivatePipeline',
'datapipeline:CreatePipeline',
'datapipeline:CreatePipeline',
'datapipeline:PutPipelineDefinition')
'datapipeline:PutPipelineDefinition')
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where

Prisma™ Cloud Release Notes 45 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

escalation via action.name action.name


PassRole & Glue CONTAINS ALL CONTAINS ALL
development ( 'iam:PassRole', ( 'iam:PassRole',
'glue:CreateDevEndpoint',
'glue:CreateDevEndpoint',
endpoint
'glue:GetDevEndpoint')
'glue:GetDevEndpoint')
permissions AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & CONTAINS ALL CONTAINS ALL
Glue create job ( 'iam:PassRole', ( 'iam:PassRole',
permissions 'glue:CreateJob' )'glue:CreateJob' )
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
PassRole & CONTAINS ALL CONTAINS ALL
Glue update job ( 'iam:PassRole', ( 'iam:PassRole',
permissions 'glue:UpdateJob' )'glue:UpdateJob' )
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')
('iam:PassedToService')
does not
does not exist
exist

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation action.name action.name
via Glue Dev CONTAINS ALL CONTAINS ALL
Endpoint ( 'glue:UpdateDevEndpoint',
( 'glue:UpdateDevEndpoint',
permissions 'glue:GetDevEndpoint'
'glue:GetDevEndpoint'
) )
AND AND

Prisma™ Cloud Release Notes 46 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH '*’ = true

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation action.name action.name
via Codestar CONTAINS ALL CONTAINS ALL
create project ( 'codestar:CreateProject',
( 'codestar:CreateProject',
and associate 'codestar:AssociateTeamMember'
'codestar:AssociateTeamMember'
) )
team member AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
permissions
ENDS WITH '*’ = true

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
EC2 describe CONTAINS ALL CONTAINS ALL
and SSM list and ( 'ec2:DescribeInstances',
( 'ec2:DescribeInstances',
send command 'ssm:listCommands',
'ssm:listCommands',
permissions 'ssm:listCommandInvocations',
'ssm:listCommandInvocations',
'ssm:sendCommand')'ssm:sendCommand')
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH '*’ = true

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation via action.name action.name
EC2 describe CONTAINS ALL CONTAINS ALL
and SSM session ( 'ec2:DescribeInstances',
( 'ec2:DescribeInstances',
permissions 'ssm:StartSession',
'ssm:StartSession',
'ssm:DescribeSessions',
'ssm:DescribeSessions',
'ssm:GetConnectionStatus',
'ssm:GetConnectionStatus',
'ssm:DescribeInstanceProperties',
'ssm:DescribeInstanceProperties',
'ssm:TerminateSession',
'ssm:TerminateSession',
'ssm:ResumeSession'
'ssm:ResumeSession'
) )
AND AND
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH '*’ = true

AWS IAM policy config from config from High Medium


allows Privilege iam where iam where
escalation action.name action.name
via PassRole CONTAINS ALL CONTAINS ALL
& Lambda ( 'iam:PassRole', ( 'iam:PassRole',
create & invoke 'lambda:InvokeFunction',
'lambda:InvokeFunction',
Function 'lambda:CreateFunction')
'lambda:CreateFunction')
AND AND
permissions
dest.cloud.resource.name
dest.cloud.wildcardscope
ENDS WITH = true and
'*’ and grantedby.cloud.policy.condition
grantedby.cloud.policy.condition
('iam:PassedToService')

Prisma™ Cloud Release Notes 47 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

('iam:PassedToService')
does not
does not exist
exist
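The RQL clauses above can be reproduced against a raw IAM policy document. The following is an added example, not Prisma Cloud code: it checks a policy for three of the PassRole combinations in the table, treats the old rule as "Resource ends with '*'" and the new dest.cloud.wildcardscope rule as "Resource is exactly '*'" (an assumed reading of that attribute), and skips PassRole grants that carry an iam:PassedToService condition. The pattern names, sample policies and account number are constructed.

```python
"""Added example (not Prisma Cloud code): evaluate an IAM policy document for
PassRole-based privilege-escalation combinations from the table above.
RQL clause                                         -> Python check
  action.name CONTAINS ALL (...)                   -> every action granted
  dest.cloud.resource.name ENDS WITH '*' (old)     -> Resource ends with '*'
  dest.cloud.wildcardscope = true (new, assumed)   -> Resource is exactly '*'
  grantedby.cloud.policy.condition
      ('iam:PassedToService') does not exist       -> no such condition key
"""
import fnmatch

# Constructed subset of the action combinations listed in the table.
ESCALATION_PATTERNS = {
    "PassRole & CloudFormation stack permissions": (
        "iam:PassRole", "cloudformation:CreateStack",
        "cloudformation:DescribeStacks"),
    "PassRole & Lambda create & invoke Function permissions": (
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    "PassRole & EC2 permissions": ("iam:PassRole", "ec2:RunInstances"),
}


def _as_list(value):
    """IAM allows a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowing_statements(policy, action):
    """Allow statements whose Action matches `action`, honouring IAM wildcards.
    NotAction statements are ignored here, which under-reports rather than
    over-reports."""
    matches = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matches.append(stmt)
                break
    return matches


def wildcard_scope(stmt, strict):
    """strict=True: Resource is exactly '*' (new rule); False: ends with '*'."""
    for res in _as_list(stmt.get("Resource")):
        if res == "*" or (not strict and res.endswith("*")):
            return True
    return False


def has_passed_to_service_condition(stmt):
    """True when any condition operator block keys on iam:PassedToService."""
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() == "iam:passedtoservice" for k in keys):
            return True
    return False


def find_escalation_paths(policy, strict=True):
    """Names of the patterns this policy satisfies under the chosen rule."""
    hits = []
    for name, actions in ESCALATION_PATTERNS.items():
        grants = {a: allowing_statements(policy, a) for a in actions}
        if not all(grants.values()):
            continue  # CONTAINS ALL is not satisfied
        risky_passrole = [s for s in grants["iam:PassRole"]
                          if wildcard_scope(s, strict)
                          and not has_passed_to_service_condition(s)]
        if risky_passrole:
            hits.append(name)
    return hits


# Constructed sample: PassRole limited to one account's roles, no condition.
ACCOUNT_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:CreateStack",
                    "cloudformation:DescribeStacks"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"]},
    ],
}

# Constructed sample: PassRole on '*' but bounded by iam:PassedToService.
SERVICE_BOUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "cloudformation.amazonaws.com"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:CreateStack",
                    "cloudformation:DescribeStacks"]},
    ],
}

if __name__ == "__main__":
    print("old rule :", find_escalation_paths(ACCOUNT_SCOPED_POLICY, strict=False))
    print("new rule :", find_escalation_paths(ACCOUNT_SCOPED_POLICY, strict=True))
    print("bounded  :", find_escalation_paths(SERVICE_BOUND_POLICY))
```

The account-scoped policy is flagged twice under the old "ends with '*'" reading and not at all under the strict reading, which is the kind of difference behind the High to Medium change.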

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

MLPS Level 3 Controls
Prisma Cloud now supports Multi-Level Protection Scheme (MLPS) Level 3 controls. Access control, data encryption, network segmentation, intrusion detection, and incident response are among the security measures outlined in the MLPS framework. Based on the MLPS classifications, you can assess the security risks associated with your information systems and implement the appropriate controls.
You can review this compliance standard and its associated policies on the Compliance > Standard page.

Changes in Existing Behavior


No changes in existing behavior for 23.7.2.

REST API Updates

CHANGE DESCRIPTION

New API to Get Resource Snapshot
The following new endpoint is added to get the latest resource snapshot by using the Restricted Resource Name (rrn).
• Get Resource Snapshot - GET /das/api/v1/resource

New Features Introduced in 23.7.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates


New Features

FEATURE DESCRIPTION

Support for New Regions on AWS
Prisma Cloud now ingests data for resources deployed in the Zurich and Melbourne regions on AWS. To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

Prisma Cloud Data Security Support for Singapore
Prisma Cloud Data Security is now available on the app.sg stack for all Prisma Cloud customers in Singapore. The data scans and data will remain within Singapore.

Least Privilege Access Enforcement
Streamline access management and promote secure and efficient permissions configuration with the least privilege access suggestions. Resolve over-privileged access issues that arise when you manage identity access through Groups and/or Roles rather than individual identities. You can now remediate over-permissive permissions effectively at the Group/Role level by creating new policies containing only the permissions applicable to all members. Alternatively, you can leverage existing policies by retaining only the permissions applicable to the entire Group/Role and removing any excessive permissions.

API Ingestions

SERVICE API DETAILS

AWS CloudHSM aws-cloudhsm-cluster
Additional permission required:
• cloudhsm:DescribeClusters
You must manually add the permission or update the CFT template to enable it.

Amazon VPC aws-ec2-vpc-endpoint-service-permission
Additional permission required:
• ec2:DescribeVpcEndpointServicePermissions
The Security Audit role includes the permission.

Google Cloud Translation gcloud-translation-glossary
Additional permissions required:
• cloudtranslate.locations.list
• cloudtranslate.glossaries.list
The Viewer role includes the permissions.

OCI Compute oci-compute-image
Additional permissions required:
• INSTANCE_IMAGE_INSPECT
• INSTANCE_IMAGE_READ
You must update the Terraform template to enable the permissions.

Update OCI Compute Instance oci-compute-instance
The resource JSON for this API has been updated to include a new field vnicIds.
Additional permission required:
• VNIC_ATTACHMENT_READ
You must update the Terraform template to enable the permission.

New Policies

NEW POLICIES DESCRIPTION

Azure SQL on Virtual Machine (Linux) with basic authentication
Identifies Azure Virtual Machines that host SQL and use basic authentication. Azure Virtual Machines with basic authentication could allow attackers to brute force and gain access to the SQL database hosted on them, which might lead to sensitive information leakage. It is recommended to use SSH keys for authentication to avoid brute force attacks on virtual machines that host a SQL database.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.storageProfile'].['imageReference'].['publisher'] equal ignore case microsoftsqlserver and (['properties.osProfile'].['linuxConfiguration'] exists and ['properties.osProfile'].['linuxConfiguration'].['disablePasswordAuthentication'] is false)

Policy Type— Config
Severity— Low

AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk
Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing S3 bucket will have a risk of these dangling domain entries being taken over by an attacker by creating a similarly named S3 bucket in any AWS account which the attacker owns or controls. Attackers can use this domain for phishing attacks, spreading malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS record entries from your AWS Route 53 hosted zones.

config from cloud.resource where api.name = 'aws-route53-list-hosted-zones' AND json.rule = hostedZone.config.privateZone is false and resourceRecordSet[?any( type equals CNAME and resourceRecords[*].value contains s3-website )] exists as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' as Y; filter 'not ($.X.resourceRecordSet[*].name intersects $.Y.bucketName)'; show X;

Policy Type— Config
Severity— High
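The Route53 policy above joins record names against bucket names at the zone level. As an added example (not Prisma Cloud code), the following checks the same condition per record against data shaped like the aws-route53-list-hosted-zones and aws-s3api-get-bucket-acl resource JSON, derives the bucket a CNAME depends on (the record name itself for a bare s3-website endpoint, or the bucket label embedded in the target), and strips the trailing dot that Route53 puts on record names so the comparison with bucket names works. The zone, records and bucket list are constructed.

```python
"""Added example (not Prisma Cloud code): flag Route53 CNAMEs that point at an
S3 website endpoint whose bucket does not exist in the account, i.e. the RQL
  resourceRecordSet[?any(type equals CNAME and resourceRecords[*].value
  contains s3-website)] ... filter 'not ($.X.resourceRecordSet[*].name
  intersects $.Y.bucketName)'
evaluated per record instead of per zone."""
import re

# S3 static-website endpoint, optionally prefixed with a bucket label, e.g.
#   s3-website-us-east-1.amazonaws.com
#   assets.example.com.s3-website.eu-west-2.amazonaws.com
S3_WEBSITE_RE = re.compile(
    r"^(?:(?P<bucket>.+)\.)?s3-website[.-](?P<region>[a-z0-9-]+)"
    r"\.amazonaws\.com$")


def normalize_name(name):
    """Route53 returns FQDNs with a trailing dot; bucket names never have one."""
    return name.rstrip(".").lower()


def expected_bucket(record_name, target):
    """Bucket that must exist for this CNAME to serve content, or None when
    the target is not an S3 website endpoint."""
    m = S3_WEBSITE_RE.match(normalize_name(target))
    if not m:
        return None
    # A bucket label inside the target wins; otherwise S3 resolves the bucket
    # from the Host header, which is the record name itself.
    return m.group("bucket") or normalize_name(record_name)


def dangling_s3_website_records(hosted_zone, bucket_names):
    """(record name, expected bucket) pairs whose bucket is not in the account."""
    if hosted_zone.get("config", {}).get("privateZone"):
        return []  # the policy only examines public zones
    owned = {normalize_name(b) for b in bucket_names}
    findings = []
    for rrset in hosted_zone.get("resourceRecordSet", []):
        if rrset.get("type") != "CNAME":
            continue
        for rr in rrset.get("resourceRecords", []):
            bucket = expected_bucket(rrset["name"], rr["value"])
            if bucket is not None and bucket not in owned:
                findings.append((normalize_name(rrset["name"]), bucket))
    return findings


# Constructed sample in the shape of aws-route53-list-hosted-zones.
SAMPLE_ZONE = {
    "config": {"privateZone": False},
    "resourceRecordSet": [
        {"name": "www.example.com.", "type": "CNAME",
         "resourceRecords": [{"value": "s3-website-us-east-1.amazonaws.com"}]},
        {"name": "old.example.com.", "type": "CNAME",
         "resourceRecords": [{"value": "s3-website-us-east-1.amazonaws.com"}]},
        {"name": "cdn.example.com.", "type": "CNAME",
         "resourceRecords": [
             {"value": "legacy-assets.s3-website.eu-west-2.amazonaws.com"}]},
        {"name": "mail.example.com.", "type": "CNAME",
         "resourceRecords": [{"value": "mail.provider.example.net"}]},
        {"name": "example.com.", "type": "A",
         "resourceRecords": [{"value": "192.0.2.10"}]},
    ],
}
# Constructed bucketName values as returned by aws-s3api-get-bucket-acl.
SAMPLE_BUCKETS = ["www.example.com", "logs-example"]

if __name__ == "__main__":
    for record, bucket in dangling_s3_website_records(SAMPLE_ZONE, SAMPLE_BUCKETS):
        print(f"{record}: expects bucket {bucket!r}, not present in account")
```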

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

AWS Application Load Balancer (ALB) is not using the latest predefined security policy
Changes— The policy description and recommendation steps have been updated. The policy RQL has been updated to check for the latest security policy ELBSecurityPolicy-TLS13-1-2-2021-06.
Updated Description— Identifies Application Load Balancers (ALBs) that are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is therefore recommended to use the latest predefined security policy, which uses only secure protocols and ciphers. We recommend using the ELBSecurityPolicy-TLS13-1-2-2021-06 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers.
Severity— Low
Policy Type— Config
Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals application and listeners[?any(protocol equals HTTPS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists
Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals application and listeners[?any(protocol equals HTTPS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06))] exists
Impact— Medium. New alerts will be generated in case an ALB is not configured to use the latest security policy. Existing alerts for resources that are already using the latest security policy are resolved as Policy_updated.

AWS EC2 instance that is reachable from untrust internet source to ports with high risk
Changes— The policy RQL is updated to check and report only EC2 instances that are in the active state.
Severity— High
Policy Type— Config
Current RQL— config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )
Updated RQL— config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )
Impact— Low. Alerts will be resolved for EC2 instances that are in an inactive state.

Azure SQL Server ADS Vulnerability Assessment is disabled
Changes— The policy description and recommendation steps have been updated. The policy RQL has been updated according to the new express configuration to check if ADS vulnerability assessment is disabled.
Updated Description— Identifies Azure SQL Servers that have the ADS Vulnerability Assessment setting disabled. The Advanced Data Security - Vulnerability Assessment service scans SQL databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. It is recommended to enable the ADS - VA service.
Severity— Medium
Policy Type— Config
Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[*].properties.sto does not exist
Updated RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[*].type does not exist
Impact— Medium. New alerts will be generated if vulnerability assessment is disabled. Existing alerts are resolved as Policy_updated when vulnerabilityAssessments[*].properties.stora does not exist.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Otoritas Jasa Keuangan (OJK) 38/POJK.03/2016
Prisma Cloud now supports Otoritas Jasa Keuangan (OJK) 38/POJK.03/20 regulations. The regulation provides specific guidance on the contents of the outsourcing agreement, due diligence, monitoring performance, contingency planning, audit, and information access rights.
You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page.

Changes in Existing Behavior

FEATURE DESCRIPTION

Access to Alerts for Deleted Assets
This change was first announced in the Look Ahead that was published with the 23.5.2 release.
The ability to view resolved alerts for assets that have been deleted in cloud accounts onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. After 90 days, these alerts will be permanently deleted from Prisma Cloud.
This change will be in effect starting July 1, 2023. Before July 1, if you want to export all resolved alerts older than 90 days for assets that have been deleted on the cloud account, use this API endpoint: https://pan.dev/prisma-cloud/api/cspm/get-alerts-v-2/

REST API Updates


No REST API updates for 23.7.1.

Features Introduced in June 2023


Learn what’s new on Prisma™ Cloud in June 2023.
• New Features Introduced in 23.6.2
• New Features Introduced in 23.6.1

New Features Introduced in 23.6.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION

IAM Security metrics included in Cloud Security Report powered by Adoption Advisor Enhancement
Implement least-privileged access by quantifying and sharing key IAM security metrics, such as unused over-privileged permissions, now available in Prisma Cloud's Cloud Security report powered by Adoption Advisor. These newly surfaced KPIs allow you to minimize the attack surface by restricting excessive permissions that may pose a significant security risk.
Navigate to Adoption Advisor > Create Report from the Prisma Cloud administrative console to explore the latest available IAM security metrics.


API Ingestions

SERVICE API DETAILS

Amazon API Gateway aws-apigatewayv2-route
Additional permission required:
• apigateway:GET
The Security Audit role includes the permission.

Amazon Route53 Update aws-route53-list-hosted-zones
The resource JSON for this API will be updated to remove the “.” (dot) at the end of the field resourceRecordSet[*].name.

AWS WAF aws-waf-v2-rule-group
Additional permission required:
• wafv2:ListRuleGroups
The Security Audit role includes the permission.

OCI Block Storage oci-block-storage-volume-group
Additional permission required:
• VOLUME_GROUP_INSPECT
You must update the Terraform template to enable the permission.

OCI Database oci-database-keystore
Additional permission required:
• KEY_STORE_INSPECT
You must update the Terraform template to enable the permission.


New Policies

NEW POLICIES DESCRIPTION

GCP VM instance that is reachable from untrust internet source to ports with high risk
Identifies GCP VM instances that are reachable from untrusted internet sources on high-risk ports. VM instances with unrestricted access to the internet on high-risk ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )

Policy Type— Network
Severity— High

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates-Metadata

AWS S3 bucket policy overly permissive to any principal
Changes— Updating Policy Name and Description
Policy Type— Config
Severity— Medium
Policy Name— AWS S3 buckets are accessible to public
Updated Policy Name— AWS S3 buckets are accessible to public via ACL
Description— The policy name, description, and recommendation steps are updated to be specific about the criteria through which the S3 bucket is made public. Amazon S3 often stores highly sensitive enterprise data; allowing public access to S3 buckets through ACLs results in sensitive data being compromised. It is highly recommended to disable ACL configuration for all S3 buckets and use resource-based policies to allow access to S3 buckets.
Impact— No impact, as this is a metadata change.

New Compliance Benchmarks and Updates


No new compliance benchmarks and updates for 23.6.2.

Changes in Existing Behavior

FEATURE DESCRIPTION

Rate Limit on POST /login Endpoint
The POST /login endpoint will enforce rate limiting (HTTP Response Code 429). This change was first announced in the look ahead that was published with the 23.5.1 release.

REST API Updates


No REST API updates for 23.6.2.

New Features Introduced in 23.6.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates


New Features

FEATURE DESCRIPTION

Trendline for Critical Severity in Adoption Advisor Widgets
The Assets With Urgent Alerts, Incident Burndown, and Risk Burndown widgets have a trendline for critical severity alerts and assets to help you quickly review the trends for the most critical issues. For Assets With Urgent Alerts, you can see the critical and high severity asset data points in all the 30, 60, and 90 day time series starting June 2023.

API Ingestions

SERVICE API DETAILS

Amazon DAX aws-dax-parameter-group
Additional permissions required:
• dax:DescribeParameterGroups
• dax:DescribeParameters
The Security Audit role includes the permissions.

AWS Shield aws-shield-drt-access
Additional permission required:
• shield:DescribeDRTAccess
The Security Audit role includes the permission.

Amazon API Gateway aws-apigatewayv2-stage
Additional permission required:
• apigateway:GET
The Security Audit role includes the permission.

Google Cloud DNS gcloud-dns-resource-record-set
Additional permissions required:
• dns.managedZones.list
• dns.resourceRecordSets.list
The Viewer role includes the permissions.

Google Vertex AI gcloud-vertex-ai-notebook-instance-schedule
Additional permissions required:
• notebooks.locations.list
• notebooks.schedules.list
The Viewer role includes the permissions.

Google Dataplex gcloud-dataplex-lake-zone-action
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.zones.list
• dataplex.zoneActions.list
The Viewer role includes the permissions.

Google Dataplex gcloud-dataplex-lake-action
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.lakeActions.list
The Viewer role includes the permissions.

OCI Service Mesh oci-service-mesh-ingressgateway-routetable
Additional permissions required:
• MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST
• MESH_INGRESS_GATEWAY_ROUTE_TABLE_READ
You must update the Terraform template to enable the permissions.

OCI Service Mesh oci-service-mesh-ingressgateway
Additional permissions required:
• MESH_INGRESS_GATEWAY_LIST
• MESH_INGRESS_GATEWAY_READ
You must update the Terraform template to enable the permissions.

OCI Database oci-database-db-node
Additional permissions required:
• DB_SYSTEM_INSPECT
• DB_NODE_INSPECT
• DB_NODE_QUERY
You must update the Terraform template to enable the permissions.

New Policies

NEW POLICIES DESCRIPTION

AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0) to Admin ports (22 / 3389). EC2 instances with unrestricted access to the internet for admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )

Policy Type— Network
Severity— High.

AWS EC2 instance that is reachable from untrust internet source to ports with high risk
Identifies AWS EC2 instances that are reachable from untrusted internet sources on high-risk ports. EC2 instances with unrestricted access to the internet on high-risk ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )

Policy Type— Network
Severity— High.

Azure Virtual Machine that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies Azure Virtual Machines that are internet reachable with unrestricted access (0.0.0.0/0) to admin ports. Azure VMs with unrestricted internet access to admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'Azure' and protocol.ports in ('tcp/22','tcp/3389' ) and dest.resource.state = 'Active'

Policy Type— Network
Severity— High.

GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies GCP VM instances that are internet reachable with unrestricted access (0.0.0.0/0) to Admin ports (22 / 3389). VM instances with unrestricted internet access to admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )

Policy Type— Network
Severity— High.

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

AWS S3 bucket policy overly permissive to any principal
  Changes— The policy description and RQL are updated. The RQL now considers the Block Public
  Access settings configuration at account and bucket level.
  Updated Description— Identifies the S3 buckets that have a bucket policy overly permissive to
  any principal and don’t have Block public and cross-account access to buckets and objects
  through any public bucket or access point policies enabled. It is recommended to follow the
  principle of least privilege, ensuring that only restricted entities have permission on S3
  operations instead of any anonymous principal.
  Policy Type— Config
  Severity— Medium.
  Current RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl'
    AND json.rule = policy.Statement[?any(Effect equals Allow and Action anyStartWith s3: and
    (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists

  Updated RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl'
    AND json.rule = ( ( publicAccessBlockConfiguration.restric is false and
    accountLevelPublicAccessBlockConfiguration does not exist ) or
    ( publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration is false ) or
    ( publicAccessBlockConfiguration.restrictP is false and
    accountLevelPublicAccessBlockConfiguration is false ) or
    ( publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration does not exist ) ) AND
    policy.Statement[?any(Effect equals Allow and Action anyStartWith s3: and
    (Principal.AWS contains * or Principal equals *) and (Condition does not exist or
    Condition[*] is empty) )] exists

  Impact— Medium. Based on the Block Public Access settings at account and bucket level, some
  alerts might get resolved.

AWS S3 bucket publicly writable
  Changes— The policy remediation steps and RQL are updated. The policy RQL now checks for
  Authenticated Users access.
  Policy Type— Config
  Severity— High.
  Current RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl'
    AND json.rule = ((((publicAccessBlockConfiguration.ignoreP is false and
    accountLevelPublicAccessBlockConfiguration does not exist) or
    (publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration is false) or
    (publicAccessBlockConfiguration.ignorePubl is false and
    accountLevelPublicAccessBlockConfiguration is false)) and
    acl.grantsAsList[?any(grantee equals AllUsers and permission is member of
    (WriteAcp,Write,FullControl))] exists) or ((policyStatus.isPublic is true and
    ((publicAccessBlockConfiguration.restrictP is false and
    accountLevelPublicAccessBlockConfiguration does not exist) or
    (publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration is false) or
    (publicAccessBlockConfiguration.restrictPu is false and
    accountLevelPublicAccessBlockConfiguration is false))) and
    (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS
    equals *) and (Action contains s3:* or Action contains s3:Put or Action contains
    s3:Create or Action contains s3:Replicate or Action contains s3:Update or Action contains
    s3:Delete) and (Condition does not exist))] exists))) and websiteConfiguration does not
    exist

  Updated RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl'
    AND json.rule = ((((publicAccessBlockConfiguration.ignoreP is false and
    accountLevelPublicAccessBlockConfiguration does not exist) or
    (publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration is false) or
    (publicAccessBlockConfiguration.ignorePubl is false and
    accountLevelPublicAccessBlockConfiguration is false)) and
    (acl.grantsAsList[?any(grantee equals AllUsers and permission is member of
    (WriteAcp,Write,FullControl))] exists or acl.grantsAsList[?any(grantee equals
    AuthenticatedUsers and permission is member of (WriteAcp,Write,FullControl))] exists)) or
    ((policyStatus.isPublic is true and
    ((publicAccessBlockConfiguration.restrictP is false and
    accountLevelPublicAccessBlockConfiguration does not exist) or
    (publicAccessBlockConfiguration does not exist and
    accountLevelPublicAccessBlockConfiguration is false) or
    (publicAccessBlockConfiguration.restrictPu is false and
    accountLevelPublicAccessBlockConfiguration is false))) and
    (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS
    equals *) and (Action contains s3:* or Action contains s3:Put or Action contains
    s3:Create or Action contains s3:Replicate or Action contains s3:Update or Action contains
    s3:Delete) and (Condition does not exist))] exists))) and websiteConfiguration does not
    exist

  Impact— Low. New alerts may be generated if Authenticated Users have Write permissions.
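As an added example (not Prisma Cloud's own code), the following Python models the "publicly writable" logic above over constructed bucket snapshots, so the AuthenticatedUsers change and the Block Public Access combinations can be checked locally. The snapshot layout, the AWS flag names IgnorePublicAcls / RestrictPublicBuckets, and the assumption that the account-level clause tests the same flag as the bucket-level one (the RQL lines on the page are clipped at the column edge) are all assumptions of this example.

```python
"""Added example, not Prisma Cloud code: a local re-implementation of the
'AWS S3 bucket publicly writable' policy logic over constructed snapshots.
Assumptions: snapshots are plain dicts; Block Public Access flags use the AWS
API names IgnorePublicAcls / RestrictPublicBuckets; the account-level clause
(clipped on the page) is taken to test the same flag as the bucket-level one."""

WRITE_PERMISSIONS = {"WriteAcp", "Write", "FullControl"}
# Substrings the RQL looks for in a statement's Action list.
WRITE_ACTIONS = ("s3:*", "s3:Put", "s3:Create", "s3:Replicate", "s3:Update", "s3:Delete")


def not_blocked(bucket_pab, account_pab, flag):
    """The three combinations the RQL enumerates: the flag is false at one level
    and the other level has no configuration, or it is false at both levels.
    'No configuration at either level' is not among them, so that case is not
    matched by this policy's RQL as written."""
    bucket_false = bucket_pab is not None and bucket_pab.get(flag) is False
    account_false = account_pab is not None and account_pab.get(flag) is False
    return ((bucket_false and account_pab is None)
            or (bucket_pab is None and account_false)
            or (bucket_false and account_false))


def public_write_acl(grants, include_authenticated):
    """Current RQL checks grantee AllUsers only; the update adds AuthenticatedUsers."""
    grantees = {"AllUsers", "AuthenticatedUsers"} if include_authenticated else {"AllUsers"}
    return any(g["grantee"] in grantees and g["permission"] in WRITE_PERMISSIONS
               for g in grants)


def public_write_policy(statements):
    """Allow statement for Principal * (or Principal.AWS *) with a write-class
    action and no Condition block, as in the policy.Statement clause."""
    for s in statements:
        principal = s.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and principal.get("AWS") == "*")
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (s.get("Effect") == "Allow" and wildcard and "Condition" not in s
                and any(w in a for a in actions for w in WRITE_ACTIONS)):
            return True
    return False


def is_publicly_writable(bucket, account_pab, updated=True):
    """updated=False evaluates the current RQL, updated=True the updated RQL."""
    if "websiteConfiguration" in bucket:      # static-website buckets are excluded
        return False
    bucket_pab = bucket.get("publicAccessBlock")
    acl_path = (not_blocked(bucket_pab, account_pab, "IgnorePublicAcls")
                and public_write_acl(bucket.get("aclGrants", []), updated))
    policy_path = (bucket.get("policyIsPublic", False)
                   and not_blocked(bucket_pab, account_pab, "RestrictPublicBuckets")
                   and public_write_policy(bucket.get("policyStatements", [])))
    return acl_path or policy_path


# Constructed snapshots (not real buckets); no account-level Block Public Access.
ACCOUNT_PAB = None
BUCKET_AUTH_USERS_WRITE = {
    "name": "example-authenticated-write",
    "publicAccessBlock": {"IgnorePublicAcls": False, "RestrictPublicBuckets": False},
    "aclGrants": [{"grantee": "AuthenticatedUsers", "permission": "Write"}],
    "policyIsPublic": False,
    "policyStatements": [],
}
BUCKET_PUBLIC_PUT_POLICY = {
    "name": "example-public-put-policy",
    "publicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": False},
    "aclGrants": [],
    "policyIsPublic": True,
    "policyStatements": [{"Effect": "Allow", "Principal": "*",
                          "Action": ["s3:PutObject"]}],
}
BUCKET_STATIC_SITE = dict(BUCKET_PUBLIC_PUT_POLICY, name="example-static-site",
                          websiteConfiguration={"IndexDocument": "index.html"})
BUCKET_NO_BLOCK_SETTINGS = {   # public ACL, but no Block Public Access at either level
    "name": "example-no-block-settings",
    "aclGrants": [{"grantee": "AllUsers", "permission": "FullControl"}],
}
SAMPLES = [BUCKET_AUTH_USERS_WRITE, BUCKET_PUBLIC_PUT_POLICY,
           BUCKET_STATIC_SITE, BUCKET_NO_BLOCK_SETTINGS]


def evaluate(buckets, account_pab=ACCOUNT_PAB):
    """Return {bucket name: (current RQL result, updated RQL result)}."""
    return {b["name"]: (is_publicly_writable(b, account_pab, updated=False),
                        is_publicly_writable(b, account_pab, updated=True))
            for b in buckets}
```

Running evaluate(SAMPLES) shows the first bucket flagged only by the updated rule, which is the "new alerts" impact described above; the last bucket is matched by neither, since no-configuration-at-both-levels is not one of the three combinations the RQL lists.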

GCP Log metric filter and alert does not exist for VPC network route delete and insert
  Changes— The policy RQL is updated to verify that the resource type is present in the log
  metric filter.
  Policy Type— Config
  Severity— Informational.
  Current RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not
    contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and
    ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain
    "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains
    "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" ) and
    ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain
    "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and
    $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1

  Updated RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains
    "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not
    contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and
    $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName:" or
    $.X.filter contains "protoPayload.methodName :" ) and ( $.X.filter does not contain
    "protoPayload.methodName!:" and $.X.filter does not contain
    "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and
    $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1

  Impact— Low. New alerts will be generated against the policy violations.

GCP Log metric filter and alert does not exist for VPC network route changes
  Changes— The policy RQL is updated to verify that the resource type is present in the log
  metric filter.
  Policy Type— Config
  Severity— Informational.
  Current RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not
    contain "resource.type =" or $.X.filter does not contain "resource.type=") and
    ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain
    "resource.type!=") and $.X.filter contains "gce_route" and ($.X.filter contains
    "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and
    ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not
    contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete"
    and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1

  Updated RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains
    "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not
    contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and
    $.X.filter contains "gce_route" and ($.X.filter contains "jsonPayload.event_subtype=" or
    $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain
    "jsonPayload.event_subtype!=" and $.X.filter does not contain
    "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete" and
    $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1

  Impact— Low. New alerts will be generated against the policy violations.

GCP Log metric filter and alert does not exist for VPC network route patch and insert
  Changes— The policy RQL is updated to verify that the resource type is present in the log
  metric filter.
  Policy Type— Config
  Severity— Informational.
  Current RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not
    contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and
    ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain
    "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains
    "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" ) and
    ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain
    "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and
    $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1

  Updated RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains
    "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not
    contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and
    $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName=" or
    $.X.filter contains "protoPayload.methodName =" ) and ( $.X.filter does not contain
    "protoPayload.methodName!=" and $.X.filter does not contain
    "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and
    $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1

  Impact— Low. New alerts will be generated against the policy violations.

GCP Log metric filter and alert does not exist for VPC network changes
  Changes— The policy RQL is updated to verify that the resource type is present in the log
  metric filter.
  Policy Type— Config
  Severity— Informational.
  Current RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not
    contain "resource.type =" or $.X.filter does not contain "resource.type=") and
    ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain
    "resource.type!=") and $.X.filter contains "gce_network" and ($.X.filter contains
    "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and
    ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not
    contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert"
    and $.X.filter contains "compute.networks.patch" and $.X.filter contains
    "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and
    $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1

  Updated RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains
    "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not
    contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and
    $.X.filter contains "gce_network" and ($.X.filter contains "jsonPayload.event_subtype="
    or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain
    "jsonPayload.event_subtype!=" and $.X.filter does not contain
    "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert" and
    $.X.filter contains "compute.networks.patch" and $.X.filter contains
    "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and
    $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1

  Impact— Low. New alerts will be generated against the policy violations.

GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
  Changes— The policy RQL is updated to verify that the resource type is present in the log
  metric filter.
  Policy Type— Config
  Severity— Informational.
  Current RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not
    contain "resource.type =" or $.X.filter does not contain "resource.type=") and
    ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain
    "resource.type!=") and $.X.filter contains "gcs_bucket" and ($.X.filter contains
    "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =") and
    ($.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain
    "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show
    X; count(X) less than 1

  Updated RQL—

    config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from
    cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter
    '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains
    "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not
    contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and
    $.X.filter contains "gcs_bucket" and ($.X.filter contains "protoPayload.methodName=" or
    $.X.filter contains "protoPayload.methodName =") and ($.X.filter does not contain
    "protoPayload.methodName!=" and $.X.filter does not contain
    "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show
    X; count(X) less than 1

  Impact— Low. New alerts will be generated against the policy violations.
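As an added example (not Prisma Cloud's own code), the following Python transcribes the filter conditions of the five log-metric policy updates above into one checker and runs it over constructed Cloud Logging metrics and Cloud Monitoring alert policies, including the case that separates the current RQL from the updated one. The dict layout of metrics and alert policies is an assumption of this example.

```python
"""Added example, not Prisma Cloud code: a local version of the check behind the
five 'GCP Log metric filter and alert does not exist ...' policy updates.
Assumptions: a metric is a dict with "name" and "filter"; an alert policy is a
dict whose "conditions" carry a "metricThresholdFilter" string, the fields the
page's RQL joins on."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MetricCheck:
    resource_type: str  # value that must appear in the filter, e.g. gce_route
    field: str          # log field the filter has to match on
    op: str             # ":" or "=", as written in the policy's RQL
    terms: tuple        # method names / event subtypes that must all appear


# One entry per policy updated on the page, transcribed from its RQL.
CHECKS = {
    "VPC network route delete and insert": MetricCheck(
        "gce_route", "protoPayload.methodName", ":",
        ("compute.routes.delete", "compute.routes.insert")),
    "VPC network route changes": MetricCheck(
        "gce_route", "jsonPayload.event_subtype", "=",
        ("compute.routes.delete", "compute.routes.insert")),
    "VPC network route patch and insert": MetricCheck(
        "gce_route", "protoPayload.methodName", "=",
        ("beta.compute.routes.patch", "beta.compute.routes.insert")),
    "VPC network changes": MetricCheck(
        "gce_network", "jsonPayload.event_subtype", "=",
        ("compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
         "compute.networks.removePeering", "compute.networks.addPeering")),
    "Cloud Storage IAM permission changes": MetricCheck(
        "gcs_bucket", "protoPayload.methodName", "=", ("storage.setIamPermissions",)),
}


def resource_type_clause(filter_text, updated):
    """Current RQL: 'does not contain A or does not contain B', which holds for
    any filter that lacks at least one spelling. Updated RQL: the filter must
    contain one of the two spellings of resource.type =."""
    spellings = ("resource.type =", "resource.type=")
    if updated:
        return any(s in filter_text for s in spellings)
    return any(s not in filter_text for s in spellings)


def metric_filter_satisfies(filter_text, check, updated=True):
    """Substring tests in the same order as the RQL's $.X.filter clauses."""
    f = filter_text
    if any(neg in f for neg in ("resource.type !=", "resource.type!=")):
        return False
    if not resource_type_clause(f, updated) or check.resource_type not in f:
        return False
    if any(neg in f for neg in (f"{check.field}!{check.op}", f"{check.field} !{check.op}")):
        return False
    if not any(pos in f for pos in (f"{check.field}{check.op}", f"{check.field} {check.op}")):
        return False
    return all(term in f for term in check.terms)


def alert_exists(metrics, alert_policies, check, updated=True):
    """Mirror of the RQL join: some metric X satisfies the filter check and its
    name appears in an alert policy condition's metricThresholdFilter. The
    policy raises an alert when this returns False (count(X) less than 1)."""
    for metric in metrics:
        if not metric_filter_satisfies(metric["filter"], check, updated):
            continue
        for policy in alert_policies:
            for condition in policy.get("conditions", []):
                if metric["name"] in condition.get("metricThresholdFilter", ""):
                    return True
    return False


# Constructed inventory (not real project data).
METRIC_WITH_EQUALS = {
    "name": "vpc-route-changes",
    "filter": 'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete"'
              ' OR protoPayload.methodName:"compute.routes.insert")',
}
# Same intent written with the ':' operator: the current RQL accepts it, the updated
# RQL does not, because it looks for the 'resource.type=' spelling.
METRIC_WITH_HAS = dict(METRIC_WITH_EQUALS, filter=METRIC_WITH_EQUALS["filter"].replace(
    'resource.type="gce_route"', 'resource.type:gce_route'))
METRIC_STORAGE_IAM = {
    "name": "bucket-iam-changes",
    "filter": 'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"',
}
ALERT_POLICIES = [{
    "displayName": "vpc-route-changes-alert",
    "conditions": [{"metricThresholdFilter":
                    'metric.type="logging.googleapis.com/user/vpc-route-changes"'}],
}]
```

Evaluating alert_exists for METRIC_WITH_HAS with updated=True returns False, which is the "new alerts" impact described above, even though the filter does name the resource type.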

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2)
  The Center for Internet Security (CIS) releases benchmarks for best practice security
  recommendations. CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2) is a set
  of recommendations for configuring Kubernetes to support a strong security posture.
  Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written
  for the open-source Kubernetes distribution and is intended to be universally applicable.
  Based on the existing CIS Benchmark, this standard adds additional Google Cloud-specific
  controls.
  You can review this compliance standard and its associated policies on Prisma Cloud’s
  Compliance > Standard page.

Changes in Existing Behavior

FEATURE DESCRIPTION

S3 Flow Logs with Hourly Partition
  This change was first announced in the look ahead that was published with the 23.1.1 release.
  If you currently ingest AWS flow logs using S3 with the 24-hour partition, you need to change
  it to the hourly partition.
  To make this change, Configure Flow Logs to use the hourly partition and enable the required
  additional fields.
  Impact— VPC Flow logs with partitions set to Every 24 hours (default) will be disabled. As a
  result, you will no longer be able to monitor or receive alerts for these logs.

REST API Updates


No REST API updates for 23.6.1.

Features Introduced in May 2023


Learn what’s new on Prisma™ Cloud in May 2023.
• New Features Introduced in 23.5.2
• New Features Introduced in 23.5.1

New Features Introduced in 23.5.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior
• REST API Updates
• Deprecation Notice

New Features

FEATURE DESCRIPTION

Release Notes Look Ahead Displayed on Home Page
  The New in Prisma Cloud section on the Home page now includes information from the Look Ahead
  section of the release notes. Use this information to access the release notes and stay
  informed on deprecation notices and changes in behavior.

Adoption Advisor Furthers Your Code & Build Hygiene
  The Adoption Advisor now includes two additional checks for enforcing hygiene in the Code &
  Build phase.
  You can Create Custom Secret Signature in the Code Policy Management category. This enables
  you to prevent developers from committing hard-coded secrets based on custom signatures.
  You can Add Drift Alert Rule in the Notifications category. This enables you to trace and get
  notified regarding the configuration changes between the deployed cloud resources and your
  IaC templates in order to quickly remediate drifts.

Attack Path Policies Displayed on Home Page, Command Center, and Alerts
  Prisma Cloud Attack Path policies identify the confluence of issues that increase the
  likelihood of a security breach.
  You can now view the Attack Path policies on the Homepage, Command Center dashboard, and the
  Alerts page as a specific Saved View.

API Ingestions

SERVICE API DETAILS

Update Amazon Translate
  API: aws-translate-terminology
  This API is updated to remove the CreatedAt field in the resource JSON.

AWS Serverless Application Repository
  API: aws-serverlessrepo-application
  Additional permissions required:
  • serverlessrepo:GetApplicationPolicy
  • serverlessrepo:ListApplications
  The Security Audit role includes the permissions.

AWS Transfer Family
  API: aws-transfer-family-user
  Additional permissions required:
  • transfer:ListUsers
  • transfer:DescribeUser
  The Security Audit role includes the permissions.

Amazon API Gateway
  API: aws-apigatewayv2-api
  Additional permission required:
  • apigateway:GET
  The Security Audit role includes the permission.

Google Traffic Director Network Service
  API: gcloud-traffic-director-network-service-tls-route
  Additional permission required:
  • networkservices.tlsRoutes.list
  The Viewer role includes the permission.
  This API will list only Global resources.

Google Traffic Director Network Service
  API: gcloud-traffic-director-network-service-tcp-route
  Additional permission required:
  • networkservices.tcpRoutes.list
  The Viewer role includes the permission.
  This API will list only Global resources.

Google Traffic Director Network Service
  API: gcloud-traffic-director-network-service-grpc-route
  Additional permission required:
  • networkservices.grpcRoutes.list
  The Viewer role includes the permission.
  This API will list only Global resources.

Google Traffic Director Network Service
  API: gcloud-traffic-director-network-service-http-route
  Additional permission required:
  • networkservices.httpRoutes.list
  The Viewer role includes the permission.
  This API will list only Global resources.

New Policies

NEW POLICIES DESCRIPTION

Azure Virtual Machine that is reachable from any untrust internet source to ports with high risk
  Identifies Azure Virtual machines that are reachable from any untrust internet source to
  ports with high risk. Azure VMs with untrusted access to high-risk ports may enable bad
  actors to use brute force on a system to gain unauthorized access to the entire network. As
  a best practice, restrict traffic from unknown IP addresses and limit the access to known
  hosts, services, or specific entities.
  Severity— High
  RQL—

    config from network where source.network = UNTRUST_INTERNET and dest.resource.type =
    'Instance' and dest.cloud.type = 'Azure' and protocol.ports in ( 'tcp/20', 'tcp/21',
    'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434',
    'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601',
    'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' ) and dest.resource.state =
    'Active'

Azure SQL Server (PaaS) reachable from any untrust internet source
  Identifies Azure SQL Servers (PaaS) that are reachable from any untrust internet source on
  TCP port. SQL Server instances with untrusted access to the internet may enable bad actors
  to use brute force on a system to gain unauthorised access to the entire network. As a best
  practice, restrict traffic from untrusted IP addresses and limit the access to known hosts,
  services, or specific entities.
  Severity— High
  RQL—

    config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS'
    and dest.cloud.type = 'AZURE' and dest.paas.service.type in ( 'MicrosoftSQLServers' )

GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0)
  Identifies GCP VM instances that are internet reachable with unrestricted access (0.0.0.0/0).
  VM instances with unrestricted access to the internet may enable bad actors to use brute
  force on a system to gain unauthorised access to the entire network. As a best practice,
  restrict traffic from unknown IP addresses and limit the access to known hosts, services, or
  specific entities.
  Severity— High
  RQL—

    config from network where source.network = '0.0.0.0/0' and address.match.criteria =
    'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and
    dest.resource.state = 'Active'

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

AWS S3 bucket is not configured with MFA Delete
  Changes— The policy RQL has been updated to exclude S3 buckets which are configured with
  bucketLifecycleConfiguration rules because MFA Delete can’t be enabled for those buckets.
  Severity— Low
  Current RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl'
    AND json.rule = '(versioningConfiguration.status equals Enabled and
    (versioningConfiguration.mfaDeleteEnabled does not exist or
    versioningConfiguration.mfaDeleteEnabled equals false))'

  Updated RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl'
    AND json.rule = versioningConfiguration.status equals Enabled and
    (versioningConfiguration.mfaDeleteEnabled does not exist or
    versioningConfiguration.mfaDeleteEnabled is false) AND (bucketLifecycleConfiguration does
    not exist or bucketLifecycleConfiguration.rules[*].stat equals Disabled)

  Impact— Medium. Existing alerts for AWS S3 buckets that have bucketlifecycle configuration
  enabled will be resolved as Policy_Updated.

Changes in Existing Behavior

FEATURE DESCRIPTION

Disabled Policy cannot be Re-enabled within 4 Hours
  When you disable a policy, a message is displayed to inform you: Disabling this policy will
  automatically mark any open alerts as resolved. You won’t be able to enable the policy back
  for 4 hours. Are you sure you want to continue? After you confirm, the policy will be
  disabled, and that marks the start of a 4-hour window during which you cannot re-enable the
  policy. During this period, the button to enable the policy will be greyed out in the UI,
  and if you use the API to change the policy status the HTTP response will display an error.
  Impact— The restriction will apply to all policy types and all policy severities.

UEBA Anomaly Policy Attribution Extended to Support Compute Instances
  Alerts from UEBA anomaly policies were attributed to compute instances using their cloud IDs
  and not names. For example, an alert was attributed to an AWS EC2 instance by its ID
  i-019b8f824f4f77001 and not by its name demo-host. When such an alert was generated, you
  would not be able to click on the resource to see the Unified Asset Inventory (UAI) details,
  and the Command Center also reported the instance by its ID instead of its name.
  Prisma Cloud has now added additional checks to UEBA anomaly policies to make sure alerts are
  attributed to a resource by its name. Now, when you click on a resource on the Alerts page,
  the UAI details will be displayed.

REST API Updates


No REST API updates for 23.5.2.

Deprecation Notice

FEATURE DESCRIPTION


Azure Defender for Cloud Secure Score API Ingestion
  Prisma Cloud no longer ingests metadata for the azure-defender-for-cloud-secure-score API.
  In RQL, the key is not available in the api.name attribute auto completion.
  Impact— If you have a saved search or custom policies based on this API, you must delete them
  manually. The policy alerts will be resolved as Policy_deleted.

New Features Introduced in 23.5.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION

Recurring Reports for Cloud Security Assessment
  To make sure that you are not missing anything important, you can now schedule a recurring
  Cloud Security Assessment Report and keep track of the risks from open alerts in your
  monitored cloud accounts.
  You can customize it to run on a daily, weekly, or monthly basis and pick an email template.
  Once you set it up, you can access all scheduled reports on Alerts > Reports.

Credit Allocation for Usage
  You can now distribute the credits you have purchased for the security features on Prisma
  Cloud amongst your teams. When you add a credit allocation rule (Settings > Licensing >
  Credit Allocation), you can provide the total number of credits for an account group, and
  define a usage threshold % at which you want to be notified. For example, if you set the
  threshold to 80% for 1000 credits, an alarm is generated when the usage is at 800 credits.
  You can also monitor the credit usage on Settings > Licensing > Credit Allocation for a
  specified time range.

Cloud Network Analyzer Support for GCP
  Prisma Cloud now supports network exposure queries on GCP cloud environments. In addition to
  AWS and Azure, you can now also calculate the net effective reachability of your GCP cloud
  resources.

Additional Alert Details in Asset Detail View
  In Asset Inventory, to better understand the risks posed by policy violations, the alert
  details now also display Policy Name and Alert Time in addition to Alert ID and Severity in
  the asset detail view.

Home Page Access for all
  All Prisma Cloud users who log in to the administrative console can now view the Home page.
  Based on your permissions, you can use this page to see the urgent alerts, recommended
  workflows, and as a launch point for onboarding assets that you want to monitor. Release
  Notes and industry research from our Unit 42 team are also at your fingertips.

Broadened Access for Adoption Advisor
  The Adoption Advisor is now accessible to all Prisma Cloud users. Based on your role and
  access privileges, you can view a list of items and widgets that provide visibility into
  your operationalization journey and guidance on the next steps and remediation actions to
  secure your cloud infrastructure from code to cloud.

Enhancement IAM Asset Details
  Enhancements to the IAM details view provide you with greater visibility into the
  permissions associated with your assets. Currently, additional information is available for
  AWS:
  • groups
  • roles
  • policies

API Ingestions

SERVICE API DETAILS

AWS IoT Analytics aws-iot-analytics-channel


Additional permissions required:
• iotanalytics:ListChannels

• iotanalytics:ListTagsForResou
rce

You must manually add the permissions or


update the CFT template to enable them.

Not supported in AWS Gov.

AWS Security Hub aws-securityhub-enabled-standards


Additional permission required:

Prisma™ Cloud Release Notes 86 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

• securityhub:GetEnabledStandar
ds

The Security Audit role includes the


permission.

Azure Compute azure-compute-gallery


Additional permission required:
• Microsoft.Compute/galleries/r
ead

The Reader role includes the permission.

Azure Compute azure-compute-gallery-image


Additional permissions required:
• Microsoft.Compute/galleries/r
ead

• Microsoft.Compute/galleries/i
mages/read

The Reader role includes the permissions.

Azure Managed Identity azure-managed-identity-user-assigned-


identities
Additional permission required:
• Microsoft.ManagedIdentity/use
rAssignedIdentities/read

The Reader role includes the permission.

Update Azure Key Vault azure-key-vault-list


The resource JSON for this API now includes
the following new fields under the key[*]
subfield.
For RSA Key:
• e

• n

• kty

• size

Prisma™ Cloud Release Notes 87 ©2023 Palo Alto Networks, Inc.


Prisma™ Cloud Release Information

• key_ops

For Elliptic Curve Key:


• x

• y

• crv

• kty

• key_ops

Update Azure Service Fabric azure-service-fabric-cluster


The resource JSON for this API no longer
includes the properties.clusterState
field.

Service: Google Hybrid Connectivity
API: gcloud-hybrid-connectivity-global-hub
Details: Additional permissions required:
• networkconnectivity.hubs.list
• networkconnectivity.hubs.getIamPolicy
The Viewer role includes the permissions.

Service: Google Hybrid Connectivity
API: gcloud-hybrid-connectivity-spoke
Details: Additional permissions required:
• networkconnectivity.locations.list
• networkconnectivity.spokes.list
• networkconnectivity.spokes.getIamPolicy
The Viewer role includes the permissions.

Service: Google Serverless VPC Access
API: gcloud-serverless-vpc-access-connector
Details: Additional permissions required:
• vpcaccess.locations.list
• vpcaccess.connectors.list
The Viewer role includes the permissions.

Service: Google Stackdriver Logging
API: gcloud-logging-default-sink-exclusion
Details: Additional permission required:
• logging.exclusions.list
The Viewer role includes the permission.

Service: OCI Service Mesh
API: oci-service-mesh-virtualservice-routetable
Details: Additional permissions required:
• MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST
• MESH_VIRTUAL_SERVICE_ROUTE_TABLE_READ
You must update the Terraform template to enable the permissions.

Service: OCI Service Mesh
API: oci-service-mesh-virtualservice
Details: Additional permissions required:
• MESH_VIRTUAL_SERVICE_LIST
• MESH_VIRTUAL_SERVICE_READ
You must update the Terraform template to enable the permissions.

New Policies

Policy: AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and port scan activity
Description: Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for port scan activities. Port scans are a type of discovery attack where a source host is probing a target host across multiple ports, to find out what services are running and to uncover vulnerabilities associated with those services. The network connectivity with remote systems known for port scan activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

Policy: AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and ransomware activity
Description: Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for ransomware activities. Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The network connectivity with remote systems known for ransomware activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

Policy Updates

Policy Updates-RQL

Policy: Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Description:
Changes— The policy name and the RQL are updated so that instances exposed on the HTTP (80) and HTTPS (443) ports are also reported, and only instances in the active state are reported.
Current Name— Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Updated Name— Azure Virtual Machine in running state that is internet reachable with unrestricted access (0.0.0.0/0)
Updated Description— Identifies Azure VM instances in running state that are internet reachable with unrestricted access (0.0.0.0/0). VM instances with unrestricted access to the internet may enable bad actors to use brute force on a system to gain unauthorised access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
Severity— High
Current RQL—

    config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AZURE' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' ) and dest.resource.state = 'Active'

Updated RQL—

    config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AZURE' and dest.resource.state = 'Active'

Impact— Medium. New alerts will be generated for instances that are exposed to the internet on the HTTP/HTTPS ports.
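To make the effect of dropping the protocol.ports clause concrete, the following added example (not Prisma Cloud code) evaluates both versions of the RQL above against constructed network records. The flat record layout, the reading of "protocol.ports in (...)" as a port-range overlap test against the listed ranges, and the sample records are assumptions made for this illustration.

```python
"""Compare the current and updated RQL of the Azure VM exposure policy.

Added example, not Prisma Cloud code. Each record is a flat dict keyed by the
RQL attribute names; the range-overlap interpretation of 'protocol.ports in'
and all sample records are assumptions.
"""

# Port ranges from the current RQL: everything except tcp/80 and tcp/443.
CURRENT_PORT_SET = ("tcp/0:79", "tcp/81:442", "tcp/444:65535")


def parse_port_spec(spec):
    """'tcp/81:442' -> ('tcp', 81, 442); 'tcp/22' -> ('tcp', 22, 22)."""
    proto, _, ports = spec.partition("/")
    low, _, high = ports.partition(":")
    return proto, int(low), int(high or low)


def ports_overlap(spec_a, spec_b):
    """True when two protocol/port-range specs share at least one port."""
    proto_a, a_low, a_high = parse_port_spec(spec_a)
    proto_b, b_low, b_high = parse_port_spec(spec_b)
    return proto_a == proto_b and a_low <= b_high and b_low <= a_high


def common_clauses(rec):
    """Clauses shared by both versions of the RQL."""
    return (rec["source.network"] == "0.0.0.0/0"
            and rec["address.match.criteria"] == "full_match"
            and rec["dest.resource.type"] == "Instance"
            and rec["dest.cloud.type"] == "AZURE"
            and rec["dest.resource.state"] == "Active")


def current_rql_matches(rec):
    """Current RQL: alert only if the exposed range touches a non-80/443 port."""
    return common_clauses(rec) and any(
        ports_overlap(rec["protocol.ports"], s) for s in CURRENT_PORT_SET)


def updated_rql_matches(rec):
    """Updated RQL: any unrestricted inbound exposure of an active instance alerts."""
    return common_clauses(rec)


def make_record(ports, source="0.0.0.0/0", state="Active"):
    return {"source.network": source, "address.match.criteria": "full_match",
            "dest.resource.type": "Instance", "dest.cloud.type": "AZURE",
            "protocol.ports": ports, "dest.resource.state": state}


# Constructed sample records.
SAMPLES = {
    "https_only": make_record("tcp/443"),
    "ssh": make_record("tcp/22"),
    "wide_range": make_record("tcp/80:8080"),
    "private_source": make_record("tcp/22", source="10.0.0.0/8"),
    "stopped": make_record("tcp/22", state="Stopped"),
}


def compare(samples=SAMPLES):
    """Return {name: (current_matches, updated_matches)} for each sample record."""
    return {name: (current_rql_matches(r), updated_rql_matches(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (current, updated) in compare().items():
        print(f"{name:15} current={current!s:5} updated={updated}")
```

Only the https_only record changes outcome: it passed the current RQL because 443 falls in the gap between the listed ranges, and it fails the updated one. That is exactly the population the impact note above says will generate new alerts; the private-source and stopped records are excluded by both versions.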

Policy: GCP Kubernetes Engine Clusters have Master authorized networks disabled
Description:
Changes— The policy RQL is updated to reflect the latest CSP behavior.
Severity— Low
Current RQL—

    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals "false")

Updated RQL—

    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and masterAuthorizedNetworksConfig.enabled does not equal "true"

Impact— Medium. New alerts are generated for the failing resources. This includes resources where Master authorized networks were previously enabled but are now configured as disabled.
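The following added example (not Prisma Cloud code) applies the current and updated json.rule to constructed cluster documents, including the case where masterAuthorizedNetworksConfig is present but carries no enabled key. How RQL's "is empty", "equals" and "does not equal" treat JSON booleans and missing fields is approximated as stated in the docstring; those approximations and the sample clusters are assumptions.

```python
"""Apply both versions of the GKE master-authorized-networks rule to samples.

Added example, not Prisma Cloud code. Assumed operator semantics:
  - 'is empty' is true for a missing field or an empty object/array;
  - 'equals' / 'does not equal' compare the JSON value's string form,
    case-insensitively, so booleans compare like "true" / "false";
  - a missing field never 'equals' anything, so it 'does not equal' "true".
"""
import json


def get_path(doc, path):
    """Resolve a dotted path; return None when any segment is missing."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_empty(value):
    return value is None or value == {} or value == []


def rql_equals(value, literal):
    return value is not None and str(value).lower() == literal.lower()


def current_rule(cluster):
    """status equals RUNNING and (config is empty or config.enabled equals "false")."""
    config = get_path(cluster, "masterAuthorizedNetworksConfig")
    enabled = get_path(cluster, "masterAuthorizedNetworksConfig.enabled")
    return (rql_equals(cluster.get("status"), "RUNNING")
            and (is_empty(config) or rql_equals(enabled, "false")))


def updated_rule(cluster):
    """status equals RUNNING and config.enabled does not equal "true"."""
    enabled = get_path(cluster, "masterAuthorizedNetworksConfig.enabled")
    return rql_equals(cluster.get("status"), "RUNNING") and not rql_equals(enabled, "true")


# Constructed sample cluster documents in the shape of the relevant fields.
CLUSTERS = json.loads("""[
 {"name": "enabled", "status": "RUNNING",
  "masterAuthorizedNetworksConfig": {"enabled": true,
                                     "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]}},
 {"name": "explicitly-disabled", "status": "RUNNING",
  "masterAuthorizedNetworksConfig": {"enabled": false}},
 {"name": "config-absent", "status": "RUNNING"},
 {"name": "enabled-key-omitted", "status": "RUNNING",
  "masterAuthorizedNetworksConfig": {"cidrBlocks": []}},
 {"name": "stopped", "status": "STOPPED",
  "masterAuthorizedNetworksConfig": {"enabled": false}}
]""")


def evaluate(clusters=CLUSTERS):
    """Return {cluster name: (current_rule result, updated_rule result)}."""
    return {c["name"]: (current_rule(c), updated_rule(c)) for c in clusters}


if __name__ == "__main__":
    for name, (current, updated) in evaluate().items():
        print(f"{name:20} current={current!s:5} updated={updated}")
```

The two rules diverge only on the enabled-key-omitted cluster: the current rule does not report it, because the config object is neither empty nor explicitly false, while the updated rule does. Treating "anything other than an explicit true" as failing is the safer reading for a control that is off unless enabled, and it matches the impact note above about new alerts for resources that previously passed.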

Policy Deletions

Policy: GCP Policies
Description: The following policies are deleted because GCP has deprecated basic authentication, the Kubernetes dashboard, and Istio for GKE.
• GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled
• GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled
• GCP Kubernetes cluster istioConfig not enabled
Impact— Low. Previously generated alerts are resolved as Policy_Deleted. The out-of-the-box compliance mappings for the above policies are removed and can affect the compliance score.

New Compliance Benchmarks and Updates

Compliance Benchmark: Support for Mitre Att&ck v12
Description: Prisma Cloud now supports the Mitre Att&ck v12 compliance standard. The MITRE ATT&CK Framework is a curated knowledge base that tracks threat actors' cyber adversary tactics and techniques throughout the attack lifecycle. The framework is intended to be used as a tool to improve your organization’s security posture.
You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time.

Compliance Benchmark: Support for CRI Profile v.1.2.1
Description: Prisma Cloud now supports the CRI Profile v.1.2.1 compliance standard. This version includes a reference to cybersecurity time synchronization controls based on best practices as requested by the U.S. Department of the Treasury.
You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time.

Compliance Benchmark: Support for CIS Microsoft Azure Foundations Benchmark v2.0.0
Description: Prisma Cloud now supports the CIS Microsoft Azure Foundations Benchmark v2.0.0 compliance standard. This benchmark specifies best practices for configuring Azure services in accordance with industry best practices.
You can now view this built-in standard and the associated policies on Prisma Cloud’s Compliance > Standard page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time.

Changes in Existing Behavior

Feature: Critical Severity Policies Included in Auto-Enable Default Policies in Enterprise Settings
Description: Prisma Cloud now includes Critical severity policies in the list of policies that are enabled out-of-the-box in Enterprise Settings > Auto-Enable Default Policies. With this change, both critical and high severity policies (current behavior) will be enabled out-of-the-box.
Impact—
• If you had previously selected Medium severity, it will now also include Critical.
• If you had previously selected High and Medium severities, it will now also include Critical.
• If you had previously selected Critical severity, it will be retained.
• If you had not selected any severity, none will be added.

Feature: Support for Permissions for Code Security
Description: Prisma Cloud now includes additional read permissions for Code Security in the Terraform template that you use for onboarding GCP organizations and projects.
Impact— None. The additional read permissions are included by default in the Terraform template.

REST API Updates


No REST API updates for 23.5.1.

Features Introduced in April 2023


Learn what’s new on Prisma™ Cloud in April 2023.
• New Features Introduced in 23.4.2
• New Features Introduced in 23.4.1

New Features Introduced in 23.4.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior
• REST API Updates
• Deprecation Notice

New Features

Feature: Simplified Onboarding of AWS, Azure, and GCP Cloud Accounts
Description: Prisma Cloud now provides a simplified onboarding experience that adapts to your security priorities, with support for CSPM, CWPP, Data Security, and Identity Security grouped as Foundational and/or Advanced capabilities (a few of which are enabled by default). The updated onboarding workflow provides a Faster First Time to Value (FTTV) by letting you onboard your AWS, Azure, or GCP cloud accounts and select the security capabilities in fewer clicks.

Feature: Support for New Regions on GCP
Description: Prisma Cloud now ingests data for resources deployed in the Doha and Turin cloud regions on GCP.
To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

Feature: Addition of New IP Addresses
Description: Prisma Cloud has added new NAT IP addresses to the existing list. Make sure to review the list and update the IP addresses in your allow lists.

Feature: Enhancement Intelligent Network Graph Provides Contextual View
Description: Enhancements to Prisma Cloud’s Investigate Graph provide you with a comprehensive understanding of where your assets are deployed, potential environmental vulnerabilities and their risk level, to help you determine if further investigation is warranted.
The new Intelligent Network Graph now provides a contextual view of cloud traffic patterns by automatically grouping assets based on parent relationships and creating a top-down hierarchy for every IP address associated with Prisma Cloud monitored assets.
Expand the graph to the level of the asset you’re investigating and select the View Details link in the sidecar to analyze specific network traffic flows.
You can also download a CSV report of the traffic flow of your entire network, a node, an instance, or a specific connection between a source and a destination node.
You can save Searches under My Saved Searches. Use Saved Searches to create custom policies to generate alerts when a specific pattern of network flow is detected.

Feature: Enhancement Adoption Advisor Thresholds
Description: The thresholds on the Adoption Advisor are updated to give you a more accurate progress indicator for the following checks:
• Onboard and Configure Cloud Accounts
• Enable Audit Logs
• Enable Flow Logs
• Define Alert Rules
• Policies— Create Config Policies, Create Network Policies, and Create Audit Policies
With this enhancement, your adoption progress should better reflect the checks you’re enforcing for your business needs, making it easier for you to see how well you’re doing.

Feature: Enhancement IsSubset method for RQL _Set function
Description: The _Set function is enhanced to add support for the _Set.isSubset method, which enables you to identify whether a specific value or comma-separated list of values returned by the JSON path of the resource is fully contained within the target list.
The syntax is:

    _Set.isSubset(<path>, <target_list>) is [ true | false ]

where
<path> = JSON path
<target_list> = a set of strings without any whitespace.
Example:

    config from cloud.resource where api.name= 'aws-ec2-describe-security-groups' AND json.rule = groupName contains rql and _Set.isSubset(tags[*].key, (Name,"no_value",rql***auto)) is true
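As an added example (not Prisma Cloud's own implementation of _Set.isSubset), the block below models the example RQL above against constructed security-group documents. Assumptions: a JSON path such as tags[*].key is resolved by collecting that field from every array element; target-list entries are compared as literal strings (the page does not say what an entry such as rql***auto matches, so no wildcard is modelled); and "groupName contains rql" is a case-sensitive substring test.

```python
"""Model _Set.isSubset(<path>, <target_list>) on security-group documents.

Added example, not Prisma Cloud code. Path expansion, literal matching of
target entries, and the sample groups are assumptions for this illustration.
"""


def resolve_path(doc, path):
    """Resolve a dotted path, expanding '[*]' over arrays; returns a list of values."""
    nodes = [doc]
    for part in path.split("."):
        name, star = (part[:-3], True) if part.endswith("[*]") else (part, False)
        next_nodes = []
        for node in nodes:
            if not isinstance(node, dict) or name not in node:
                continue
            value = node[name]
            if star:
                next_nodes.extend(value if isinstance(value, list) else [value])
            else:
                next_nodes.append(value)
        nodes = next_nodes
    return nodes


def set_is_subset(doc, path, target_list):
    """True when every value found at path is a member of target_list."""
    return set(resolve_path(doc, path)).issubset(set(target_list))


# Target list from the page's example RQL, with entries taken literally.
TARGET = ("Name", "no_value", "rql***auto")


def rule_matches(security_group, target=TARGET):
    """groupName contains rql and _Set.isSubset(tags[*].key, target) is true"""
    return ("rql" in security_group.get("groupName", "")
            and set_is_subset(security_group, "tags[*].key", target))


# Constructed sample security groups.
SECURITY_GROUPS = [
    {"groupName": "rql-web", "tags": [{"key": "Name", "value": "web"}]},
    {"groupName": "rql-db", "tags": [{"key": "Name", "value": "db"},
                                      {"key": "Owner", "value": "team-a"}]},
    {"groupName": "prod-app", "tags": [{"key": "Name", "value": "app"}]},
    {"groupName": "rql-untagged", "tags": []},
]


def matching_groups(groups=SECURITY_GROUPS):
    """Names of the groups for which the modelled rule evaluates to true."""
    return [g["groupName"] for g in groups if rule_matches(g)]


if __name__ == "__main__":
    print(matching_groups())
```

Note the edge case the last sample exposes: a resource whose path resolves to no values (a group with no tags) yields the empty set, which is a subset of every target list, so isSubset reports true. If that is not the intent of a policy, pair the isSubset condition with a clause requiring the path to return at least one value.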

API Ingestions

Service: Amazon Firewall Manager
API: aws-fms-admin-account
Details: Additional permission required:
• fms:GetAdminAccount
You must manually add the permission or update the CFT template to enable it.

Service: Amazon Firewall Manager
API: aws-fms-compliance-status
Details: Additional permissions required:
• fms:ListPolicies
• fms:ListComplianceStatus
The Security Audit role includes the permissions.

Service: Amazon Firewall Manager
API: aws-fms-policy
Details: Additional permissions required:
• fms:GetAdminAccount
• fms:ListPolicies
• fms:GetPolicy
The Security Audit role only includes the permission fms:ListPolicies. You must manually add the permissions or update the CFT template to enable fms:GetPolicy and fms:GetAdminAccount.
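Several rows in these tables name permissions that the managed role does not cover: here the Security Audit role includes only fms:ListPolicies of the three aws-fms-policy permissions, and the aws-iot-analytics-channel row earlier carries the same instruction to add permissions manually or through the CFT template. The following added example (not Prisma Cloud code) takes an IAM policy document and the permission lists from these rows and reports which required actions the policy does not allow, honouring IAM's wildcard actions and explicit Deny. The sample policy document is constructed; Resource, Condition and NotAction elements are deliberately not evaluated.

```python
"""Report required IAM actions that a policy document does not grant.

Added example, not Prisma Cloud code. SAMPLE_POLICY is a constructed document
in the shape of an AWS managed policy, trimmed to a few statements.
"""
import fnmatch
import json

# Permissions named in the release-notes rows for each API (from the page).
REQUIRED = {
    "aws-fms-policy": ["fms:GetAdminAccount", "fms:ListPolicies", "fms:GetPolicy"],
    "aws-iot-analytics-channel": ["iotanalytics:ListChannels",
                                  "iotanalytics:ListTagsForResource"],
}

# Constructed sample: grants the FMS list actions and an iotanalytics wildcard,
# with an explicit Deny on one of the wildcard-covered actions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["fms:ListPolicies", "fms:ListComplianceStatus"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iotanalytics:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iotanalytics:ListTagsForResource",
         "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required):
    """Return the required actions the policy does not allow, in input order.

    An action counts as granted only if an Allow statement matches it and no
    Deny statement matches it (explicit Deny wins in IAM evaluation). Resource,
    Condition and NotAction are ignored in this simplified check.
    """
    statements = _as_list(json.loads(policy_json)["Statement"])
    allowed, denied = [], []
    for statement in statements:
        bucket = allowed if statement.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(statement.get("Action", [])))
    missing = []
    for action in required:
        granted = any(_matches(p, action) for p in allowed)
        blocked = any(_matches(p, action) for p in denied)
        if not granted or blocked:
            missing.append(action)
    return missing


def permission_gaps(policy_json, required_by_api=REQUIRED):
    """Map each API name to the list of required actions the policy lacks."""
    return {api: missing_actions(policy_json, actions)
            for api, actions in required_by_api.items()}


if __name__ == "__main__":
    for api, gaps in permission_gaps(SAMPLE_POLICY).items():
        print(f"{api}: missing {gaps or 'none'}")
```

Run against the real policy attached to the Prisma Cloud role, the output is the list of actions to add to the CFT template before the new ingestions will succeed. The explicit-Deny handling is what makes the check trustworthy: a wildcard Allow alone would report iotanalytics:ListTagsForResource as covered.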

Service: Update Amazon RDS
API: aws-rds-db-cluster
Details: This API is updated to include a new field dBclusterParameterGroupArn in the resource JSON.

Service: Azure CDN
API: azure-frontdoor-standardpremium-origin-groups
Details: Additional permissions required:
• Microsoft.Cdn/profiles/read
• Microsoft.Cdn/profiles/origingroups/read
The Reader role includes the permissions.

Service: Azure CDN
API: azure-frontdoor-standardpremium-security-policies
Details: Additional permissions required:
• Microsoft.Cdn/profiles/read
• Microsoft.Cdn/profiles/securitypolicies/read
The Reader role includes the permissions.

Service: Update Azure Event Hubs
API: azure-event-hub-namespace
Details: This API is updated to include the following new fields in the resource JSON:
• MinimumTlsVersion
• disableLocalAuth

Service: Update Azure Service Bus
API: azure-service-bus-namespace
Details: This API is updated to include a new field MinimumTlsVersion in the resource JSON.

Service: Google Cloud Function
API: gcloud-cloud-function-v2
Details: Additional permissions required:
• cloudfunctions.locations.list
• cloudfunctions.functions.list
• cloudfunctions.functions.getIamPolicy
The Viewer role includes the permissions.

Service: Google Cloud Memorystore for Memcached
API: gcloud-memorystore-memcached-instance
Details: Additional permissions required:
• memcache.locations.list
• memcache.instances.list
The Viewer role includes the permissions.

Service: OCI Database
API: oci-database-autonomous-database
Details: Additional permission required:
• AUTONOMOUS_DATABASE_INSPECT
You must download and execute the Terraform template from the console to enable the permission.

Service: OCI Database
API: oci-database-db-home
Details: Additional permission required:
• DB_HOME_INSPECT
You must download and execute the Terraform template from the console to enable the permission.

Service: OCI Database
API: oci-database-db-home-patch
Details: Additional permission required:
• DB_HOME_INSPECT
You must download and execute the Terraform template from the console to enable the permission.

Service: OCI Database
API: oci-database-db-system-patch
Details: Additional permission required:
• DB_SYSTEM_INSPECT
You must download and execute the Terraform template from the console to enable the permission.

Service: OCI DataLabeling
API: oci-datalabeling-dataset
Details: Additional permissions required:
• DATA_LABELING_DATASET_INSPECT
• DATA_LABELING_DATASET_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI File Storage
API: oci-file-storage-mount-target
Details: Additional permissions required:
• COMPARTMENT_INSPECT
• MOUNT_TARGET_INSPECT
• MOUNT_TARGET_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI JMS
API: oci-jms-fleet
Details: Additional permissions required:
• FLEET_INSPECT
• FLEET_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Service Mesh
API: oci-service-mesh-access-policy
Details: Additional permissions required:
• MESH_ACCESS_POLICY_LIST
• MESH_ACCESS_POLICY_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Service Mesh
API: oci-service-mesh-virtual-deployment
Details: Additional permissions required:
• MESH_VIRTUAL_DEPLOYMENT_LIST
• MESH_VIRTUAL_DEPLOYMENT_READ
• MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ
• MESH_PROXY_DETAILS_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Service Mesh
API: oci-service-mesh-meshes
Details: Additional permissions required:
• SERVICE_MESH_LIST
• SERVICE_MESH_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Speech
API: oci-speech-transcription-job
Details: Additional permissions required:
• AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT
• AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Vision
API: oci-vision-model
Details: Additional permissions required:
• AI_SERVICE_VISION_MODEL_INSPECT
• AI_SERVICE_VISION_MODEL_READ
You must download and execute the Terraform template from the console to enable the permissions.

Service: OCI Vision
API: oci-vision-project
Details: Additional permissions required:
• AI_SERVICE_VISION_PROJECT_INSPECT
• AI_SERVICE_VISION_PROJECT_READ
You must download and execute the Terraform template from the console to enable the permissions.

New Policies

Policy: Workload Protection Policies
Description: For protecting hosts and containers from runtime incidents and detecting vulnerabilities on these workloads, you have 3 new out-of-the-box policies:
• Serverless Functions detected with known Vulnerabilities (Workload Vulnerability)
• Host VM Images detected with known Vulnerabilities (Workload Vulnerability)
• Apps Embedded detected with Runtime Incidents (Workload Incident)
To find these policies, select Policies and filter on the Policy Type Workload Incident and Workload Vulnerability.
The Apps Embedded detected with Runtime Incidents policy will only work for GCP GCR and AWS Fargate, not AWS EKS and Azure ACI.

Policy: AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and unusual high volume data transfer activity
Description: Identifies AWS EC2 instances which are publicly exposed, have critical or high vulnerabilities and high volume data transfer activity. The high volume data transfer could be a data exfiltration attempt. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Attackers can exploit vulnerabilities on the EC2 instance to compromise the confidentiality, integrity and availability of the affected EC2 instance and perform malicious actions. If network connectivity with remote systems known for high volume data transfer activity is observed on a publicly exposed and exploitable EC2 instance, it could indicate that the instance is already under attack or has been compromised. Immediate attention is required to investigate the high volume data transfer activity, remediate the critical or high vulnerabilities and restrict the public exposure reported for the EC2 instance as soon as possible.
Policy Severity— Critical.

Policy: AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptomining domain request activity
Description: Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for cryptomining domain request activities. Cryptomining domain request initiates suspicious DNS queries to domain names that are associated with known crypto-mining pools to generate new coins in cryptocurrencies such as Bitcoin and Monero. The network connectivity with remote systems known for cryptomining domain request on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

Policy: AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and DGA domain request activity
Description: Identifies AWS EC2 instances which are publicly exposed and have exploitable vulnerabilities that are connected with remote systems known for DGA domain request activities. Domain generation algorithms (DGAs) are used to generate pseudo-random domain names, typically in large numbers within the context of establishing a malicious command-and-control (C2) communications channel. The network connectivity with remote systems known for DGA domain request activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

Policy Updates
No Policy Updates for 23.4.2.

Changes in Existing Behavior

Feature: Rate Limit Exception for GCP APIs
Description: The API calls from Prisma Cloud now use quota from the onboarded GCP Projects instead of the GCP Project where the service account is created. This change enables Prisma Cloud to ingest resource metadata across multiple projects without exceeding the GCP API rate limits.
To ensure continuous insights into all of your GCP resources and to prevent rate limit exception errors, follow the steps listed in the prerequisites to onboard GCP and make sure to complete them.
If you use the Terraform template provided by Prisma Cloud, the required permissions for the GCP service account are automatically enabled.
Impact— Not completing the tasks may result in rate limit exception errors for Prisma Cloud’s authorized API calls to GCP.

Feature: Update for Google Compute APIs
Description: Prisma Cloud now provides global region support, as well as a backend update to the resource ID for the gcloud-compute-internal-lb-backend-service API. As a result, all resources for these APIs will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations, if any.
Impact— You may notice a reduced alert count. However, once the resources for gcloud-compute-internal-lb-backend-service resume ingesting data, the alert count will return to the original numbers.

REST API Updates

Change: Cloud Accounts Endpoints
Description: The following new endpoints are now available for the Cloud Accounts API:
• Save Account Config With Given Attributes - POST /config/v3/account
• Fetch Aws Org Master Account Details - GET /config/v3/account/awsorg/:id
• Performs a Permissions Check for the Given PCDS Account (AWS Org) - GET /config/v3/account/awsorg/:id/status

Change: Data Security Settings Endpoints
Description: The following new endpoints are now available for the Data Security Settings API:
• Clone Data Pattern - POST /config/v3/dss-api/data-pattern/clone/dssTenantId/:dssTenantId
• List Data Patterns - GET /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId
• Add Data Pattern - POST /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId
• Update Data Pattern - PUT /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId/pattern-id/:patternId
• Delete Data Pattern - DELETE /config/v3/dss-api/data-pattern/dssTenantId/:dssTenantId/pattern-id/:patternId
• Get Data Pattern by Name - GET /config/v3/dss-api/data-pattern/name/dssTenantId/:dssTenantId
• List Data Profiles - GET /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId
• Update Data Profile Status - PUT /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId
• Add Data Profile - POST /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId
• Get Data Profile Details - GET /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId
• Update Data Profile - PUT /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId
• Clone Data Profile - POST /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId
• Delete Data Profile - DELETE /config/v3/dss-api/data-profile/dssTenantId/:dssTenantId/id/:profileId
• Get Snippet Configuration - GET /config/v3/dss-api/snippets/dssTenantId/:dssTenantId
• Update Snippet Configuration - POST /config/v3/dss-api/snippets/dssTenantId/:dssTenantId
• Perform a Credit Estimation - POST /config/v3/estimated-credits
• Update the Resources Scan Config - PUT /config/v3/resource/configure
• Fetch All Resources for the PCDS Tenant - GET /config/v3/resources
• Generate an Azure Terraform Script for all Azure accounts under a PCDS Tenant - GET /config/v3/tenant/acl-script
• Fetch the Tenant Config for a PCDS Tenant - GET /config/v3/tenant/config
• Update the PCDS Tenant Resource Report Frequency - PUT /config/v3/tenant/resource/sizing/configure

Change: New APIs for Onboarding GCP Cloud Accounts
Description: The following new endpoints are now available for the Cloud Accounts API.
• Add GCP Cloud Account - POST /cas/v1/gcp_account
• Update GCP Cloud Account - PUT /cas/v1/gcp_account/:id
• Get GCP Cloud Account Status - POST /cas/v1/cloud_account/status/gcp
• Generate and Download the GCP Terraform Template - POST /cas/v1/gcp_template

Change: New API to Get Cloud Account Deployment Types
Description: The following new endpoint is added to get the deployment types of a cloud account. This endpoint is supported only for Alibaba accounts.
• Get Cloud Account Deployment Type - GET /cas/v1/cloud/:cloudType/deployment-type

Change: New Parameter Added for Alibaba Account
Description: A new parameter, deployment type, is added to the request or response body of the following endpoints. This parameter is supported only for Alibaba accounts.
• Add Cloud Account - POST /cloud/:cloud_type
• Update Cloud Account - PUT /cloud/:cloud_type/:id
• List Cloud Accounts - GET /cloud
• List Cloud Org Accounts - GET /cloud/:cloud_type/:id/project

Deprecation Notice

Feature: End of Support for AWS Classic EC2 Service
Description: The aws-ec2-classic-instance API is planned for deprecation at the end of April 2023. As AWS has announced the deprecation of the resource type, Prisma Cloud will no longer ingest the aws-ec2-classic-instance API. For more information, see Retiring EC2-Classic Networking.

Feature: Prisma Cloud Data Security v1, v2 APIs
Description: The following Prisma Cloud Data Security APIs (v1, v2) for AWS cloud account onboarding, data settings, data profiles, snippets, and data patterns are deprecated:
Cloud Accounts Endpoints
• Add Data Security Config (AWS Org) - POST /dlp/api/config/v2
• Update Data Security Config (AWS Org) - PUT /dlp/api/config/v2
• Check Data Security Preconditions (AWS Org) - POST /dlp/api/v1/config/awsorg/status
• Get Data Security Config (AWS Org) - GET /dlp/api/config/v2/:accountId
Data Security Settings Endpoints
• List Data Resources - GET /dlp/api/v1/resource-inventory/resources
• Update Data Scan Config - PUT /dlp/api/config/v2/resource
• List Data Patterns - PUT /dlp/api/v1/dss-api/data-pattern
• Add Data Pattern - POST /dlp/api/v1/dss-api/data-pattern
• Clone Data Pattern - POST /dlp/api/v1/dss-api/data-pattern/clone
• Get Data Pattern Details - GET /dlp/api/v1/dss-api/data-pattern/id/:patternId
• Get Data Pattern By Name - GET /dlp/api/v1/dss-api/data-pattern/name
• Update Data Pattern - PUT /dlp/api/v1/dss-api/data-pattern/:patternId
• Delete Data Pattern - DELETE /dlp/api/v1/dss-api/data-pattern/:patternId
• List Data Profiles - GET /dlp/api/v1/dss-api/data-profile
• Add Data Profile - POST /dlp/api/v1/dss-api/data-profile
• Update Data Profile Status - PUT /dlp/api/v1/dss-api/data-profile
• Get Data Profile Details - GET /dlp/api/v1/dss-api/data-profile/id/:profileId
• Update Data Profile - PUT /dlp/api/v1/dss-api/data-profile/id/:profileId
• Clone Data Profile - POST /dlp/api/v1/dss-api/data-profile/id/:profileId
• Delete Data Profile - DELETE /dlp/api/v1/dss-api/data-profile/id/:profileId
• Get Snippet Configuration - GET /dlp/api/v1/dss-api/snippets
• Update Snippet Configuration - POST /dlp/api/v1/dss-api/snippets

New Features Introduced in 23.4.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

Feature: Support for New Region on AWS
Description: Prisma Cloud now ingests data for resources deployed in the Hyderabad cloud region on AWS.
To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

Feature: Enhancement OCI Terraform File Update
Description: Prisma Cloud now supports over 100 IAM policy statements without requiring a service limit increase from OCI. With this change, you must update your existing Terraform file to enable read permissions for all the supported services necessary for an OCI tenant on Prisma Cloud.

API Ingestions

Service: Azure Virtual WAN
API: azure-vpn-server-configurations
Details: Additional permission required:
• Microsoft.Network/vpnServerConfigurations/read
The Reader role includes the permission.

Service: Azure Virtual WAN
API: azure-p2s-vpn-gateway
Details: Additional permission required:
• Microsoft.Network/p2sVpnGateways/read
The Reader role includes the permission.

Service: Google Certificate Authority Service
API: gcloud-certificate-authority-certificate-template
Details: Additional permissions required:
• privateca.locations.list
• privateca.certificateTemplates.list
• privateca.certificateTemplates.getIamPolicy
The Viewer role includes the permissions.

Service: Google Traffic Director Network Service
API: gcloud-traffic-director-network-service-gateway
Details: Additional permissions required:
• networkservices.locations.list
• networkservices.gateways.list
The Viewer role includes the permissions.

Service: Google Traffic Director Network Service
API: gcloud-traffic-director-network-service-mesh
Details: Additional permissions required:
• networkservices.locations.list
• networkservices.meshes.list
• networkservices.meshes.getIamPolicy
The Viewer role includes the permissions.

New Policies

AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and malware activity
Identifies AWS EC2 instances which are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for malware activities. Malware includes viruses, trojans, worms and other types of malicious software that affect popular open-source operating systems. Network connectivity with remote systems known for malware activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and botnet activity
Identifies AWS EC2 instances which are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for botnet activities. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. Network connectivity with remote systems known for botnet activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and cryptominer activity
Identifies AWS EC2 instances which are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for cryptominer activities. A cryptominer hides on computers or mobile devices to surreptitiously use the machine's resources to mine cryptocurrencies. Network connectivity with remote systems known for cryptominer activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

AWS EC2 instance publicly exposed with critical/high exploitable vulnerabilities and backdoor activity
Identifies AWS EC2 instances which are publicly exposed, have exploitable vulnerabilities, and are connected with remote systems known for backdoor activities. A backdoor allows unauthorized remote access to the instances where the malware is installed while bypassing the authentication mechanisms in place. Network connectivity with remote systems known for backdoor activity on a publicly exposed and exploitable instance indicates that the instance could be under attack or already have been compromised.
Policy Severity— Critical.

Policy Updates
No Policy Updates for 23.4.1.

New Compliance Benchmarks and Updates

Support for ISO/IEC 27001:2022
Prisma Cloud now supports the ISO/IEC 27001:2022 compliance standard. ISO/IEC 27001:2022 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls while taking the organization's information security risk environment into account.
With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

Changes in Existing Behavior

Changes to Policy Severity Level (first announced in 23.2.1)
Prisma Cloud updated the system default policies to help you identify critical alerts and address them effectively. The policy severity levels for some system default policies are re-aligned to use the newly introduced Critical and Informational severities. With this change, policies have five levels of severity: Critical, High, Medium, Low, and Informational. You can prioritize critical alerts first and then move on to the other levels. For more information, see the updated list of policies.
Impact—
• Your existing open alerts associated with updated policies will have a change in their severity levels.
• If you have alert rules set up based on the Policy Severity filter, there may be a decrease or increase in the number of alerts.
• The overall Compliance posture may change due to possible changes in alert numbers.
• If you have alert rules configured for external integrations such as ServiceNow, this shift in the number of alerts may result in notifications being sent for Resolved or Open alerts.
• If you change a custom severity of a policy back to the default severity, the new severity update will apply.
This update will not affect the severities of your custom policies or the system default policies for which you have manually changed the severities (custom severity). Also, if you have included a policy in at least one other alert rule (not based on the severity filter), there will be no change in the alert numbers.
If you have any questions, contact your Prisma Cloud Customer Success Representative.

Update for Google Compute APIs
Prisma Cloud now provides global region support, as well as a backend update to the resource ID, for the gcloud-compute-url-maps, gcloud-compute-target-http-proxies, and gcloud-compute-target-https-proxies APIs. As a result, all resources for these APIs will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations, if any.
Impact—You may notice a reduced alert count. However, once the resources for gcloud-compute-url-maps, gcloud-compute-target-http-proxies, and gcloud-compute-target-https-proxies resume ingesting data, the alert count will return to the original numbers.

REST API Updates

New APIs for Onboarding Azure Cloud Accounts
The following new endpoints are now available for the Cloud Accounts API.
• Add Azure Cloud Account: POST /cas/v1/azure_account
• Update Azure Cloud Account: PUT /cas/v1/azure_account/:account_id
• Generate and Download the Azure Terraform Template: POST /cas/v1/azure_template

New APIs for Data Security Onboarding
The following new endpoints are now available for the Data Security Onboarding API.
• Fetch Account Config By Storage UUID: GET /config/v3/account/storageUUID/:id
• Fetch Account Config By PCDS Account ID: GET /config/v3/account/:id
• Update the account config for the specified PCDS Account ID: PUT /config/v3/account/:id
• Perform a Permissions Check for the Given PCDS Account: GET /config/v3/account/:id/status
• Generate an Azure Terraform Script: GET /config/v3/account/:subscriptionId/acl-script
• Generate an Azure Terraform Script: GET /config/v3/tenant/:tenantId/:subscriptionId/terraform-script

Features Introduced in March 2023

Learn what's new on Prisma™ Cloud in March 2023.
• New Features Introduced in 23.3.2
• New Features Introduced in 23.3.1

New Features Introduced in 23.3.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

Support for New Regions on GCP
Prisma Cloud now ingests data for resources deployed in the Madrid, Milan, Paris, Tel Aviv, Toronto, Santiago, Columbus, and Dallas cloud regions on GCP.
To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

API Ingestions

Update AWS Config: aws-configservice-describe-configuration-recorders
This API is updated with an additional field, region, in the resource JSON.

AWS Network Firewall: aws-network-firewall-firewall-policy
Additional permissions required:
• network-firewall:ListFirewallPolicies
• network-firewall:DescribeFirewallPolicy
• network-firewall:DescribeResourcePolicy
You must manually add the permissions or update the CFT template to enable them.
Not supported in AWS China.

AWS Network Firewall: aws-network-firewall-firewall
Additional permissions required:
• network-firewall:ListFirewalls
• network-firewall:DescribeFirewall
The Security Audit role only includes the network-firewall:ListFirewalls permission. You must manually add the network-firewall:DescribeFirewall permission or update the CFT template to enable it.
Not supported in AWS China.

AWS Systems Manager: aws-ssm-resource-compliance-summary
Additional permission required:
• ssm:ListResourceComplianceSummaries
The Security Audit role includes the permission.

Google Cloud Firestore: gcloud-cloud-firestore-native-database
Additional permission required:
• datastore.databases.list
The Viewer role includes the permission.

Google Anthos GKE Fleet Management: gcloud-anthos-gke-fleet-membership
Additional permissions required:
• gkehub.locations.list
• gkehub.memberships.list
• gkehub.memberships.getIamPolicy
The Viewer role includes the permissions.

Google Anthos GKE Fleet Management: gcloud-anthos-gke-fleet-feature
Additional permissions required:
• gkehub.locations.list
• gkehub.features.list
• gkehub.features.getIamPolicy
The Viewer role includes the permissions.

Update Google Certificate Authority Service
The additional permission privateca.locations.list is required for the following APIs:
• gcloud-certificate-authority-ca
• gcloud-certificate-authority-certificate
• gcloud-certificate-authority-pool
• gcloud-certificate-authority-revocation-lists
The Viewer role includes the permission.

Update Google Dataplex: gcloud-dataplex-lake-zone-asset-action
Additional permission required:
• dataplex.locations.list
The Viewer role includes the permission.

Update API Gateway: gcloud-apigateway-gateway
Additional permission required:
• apigateway.locations.list
The Viewer role includes the permission.

New Policies
No New Policies for 23.3.2.

Policy Updates

Policy Updates-RQL

AWS Cloudfront Distribution with S3 have Origin Access set to disabled
Changes— The policy RQL is updated to include the new AWS feature Origin Access Control.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = 'origins.items[*].s3OriginConfig exists and origins.items[*].s3OriginConfig.originAcce is empty'
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = 'origins.items[*].s3OriginConfig exists and origins.items[*].s3OriginConfig.originAcce is empty and origins.items[*].originAccessControlId is empty'
Impact— Medium. Existing open alerts related to the AWS feature Origin Access Control will be resolved with resolution as Policy_Updated.


AWS access keys not used for more than 90 days
Changes— The policy name, description, and RQL are updated to meet the compliance standard of 45 days.
Updated Policy name— AWS Access key not used for more than 45 days
Updated Description— This policy identifies IAM users for which access keys are not used for more than 45 days. Access keys allow users programmatic access to resources. However, if any access key has not been used in the past 45 days, then that access key needs to be deleted (even though the access key is inactive).
Current RQL—
config from cloud.resource where cloud.type ='aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and ((access_key_1_last_used_date != N/A and _DateTime.ageInDays(access_key_1_last_used_date) > 90) or (access_key_1_last_used_date == N/A and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated) > 90))) or (access_key_2_active is true and ((access_key_2_last_used_date != N/A and _DateTime.ageInDays(access_key_2_last_used_date) > 90) or (access_key_2_last_used_date == N/A and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated) > 90)))'
Updated RQL—
config from cloud.resource where cloud.type ='aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1_active is true and ((access_key_1_last_used_date != N/A and _DateTime.ageInDays(access_key_1_last_used_date) > 45) or (access_key_1_last_used_date == N/A and access_key_1_last_rotated != N/A and _DateTime.ageInDays(access_key_1_last_rotated) > 45))) or (access_key_2_active is true and ((access_key_2_last_used_date != N/A and _DateTime.ageInDays(access_key_2_last_used_date) > 45) or (access_key_2_last_used_date == N/A and access_key_2_last_rotated != N/A and _DateTime.ageInDays(access_key_2_last_rotated) > 45)))'
Impact— High. The alert count will increase for access keys that have not been used in more than 45 days.
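The 45-day rule above, applied to the IAM credential report directly, as an added example that is not from the original release notes or from Prisma Cloud's own code. It reads the same columns the RQL references and keeps the RQL's edge case: an active key that has never been used (last-used date N/A) is judged by its last-rotated date instead, so a freshly created but idle key does not escape the check. The CSV rows and the fixed clock are constructed for the example; a real report (from `aws iam get-credential-report`, base64-decoded) carries more columns, which the reader ignores.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of the IAM credential report CSV. Only the
# columns this check reads are included; real reports carry more.
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2023-01-01T10:00:00+00:00,2023-03-10T08:00:00+00:00,false,N/A,N/A
bob,true,2023-01-05T10:00:00+00:00,N/A,false,N/A,N/A
carol,true,2023-03-01T10:00:00+00:00,2023-03-12T08:00:00+00:00,true,2022-10-01T10:00:00+00:00,2022-12-01T08:00:00+00:00
dave,false,2022-01-01T10:00:00+00:00,2022-02-01T08:00:00+00:00,false,N/A,N/A
"""

# Fixed clock so the example is deterministic (assumption for the example)
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)


def age_in_days(timestamp, now=NOW):
    """Whole days between an ISO-8601 timestamp from the report and `now`."""
    return (now - datetime.fromisoformat(timestamp)).days


def stale_keys(report_csv, max_age_days=45, now=NOW):
    """Return [(user, key_slot)] for active keys unused for more than max_age_days.

    Mirrors the RQL: an active key is stale when its last-used date is older
    than the threshold, or, when it has never been used (N/A), when its
    last-rotated date is older than the threshold. Inactive keys are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            last_used = row[f"access_key_{slot}_last_used_date"]
            last_rotated = row[f"access_key_{slot}_last_rotated"]
            if last_used != "N/A":
                stale = age_in_days(last_used, now) > max_age_days
            elif last_rotated != "N/A":
                stale = age_in_days(last_rotated, now) > max_age_days
            else:
                stale = False
            if stale:
                findings.append((row["user"], slot))
    return findings


if __name__ == "__main__":
    # bob's never-used key trips the 45-day rule but not the old 90-day one
    print("45-day rule:", stale_keys(SAMPLE_REPORT))
    print("90-day rule:", stale_keys(SAMPLE_REPORT, max_age_days=90))
```

Running it against the sample shows the impact the notes describe: bob's key, created 68 days earlier and never used, is reported only under the 45-day threshold, while carol's second key is reported under both.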

GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
Changes— The policy RQL is updated to check for GCP compute disks that are not encrypted with CSEK.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcp-compute-disk-list' AND json.rule = diskEncryptionKey does not exist and name does not start with "gke-" and status equals READY
Updated RQL—
config from cloud.resource where api.name = 'gcp-compute-disk-list' AND json.rule = status equals READY and name does not start with "gke-" and diskEncryptionKey.sha256 does not exist
Impact— Low. New alerts may be generated when the VM disks are not encrypted with CSEK. No impact on existing alerts.
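Why the move from `diskEncryptionKey does not exist` to `diskEncryptionKey.sha256 does not exist` can produce new alerts, as an added example written for this page (not the original notes' or Prisma Cloud's code). In the Compute API a disk protected by a customer-managed key (CMEK) carries a diskEncryptionKey object with only kmsKeyName, whereas the sha256 field is set only for a customer-supplied key; the old rule therefore treated CMEK disks as CSEK-protected, and the new rule flags them. The disk records below are constructed to resemble compute.disks.list items.

```python
# Constructed records in the shape of compute.disks.list items (values invented)
SAMPLE_DISKS = [
    {"name": "web-1", "status": "READY",
     "diskEncryptionKey": {"sha256": "QmFzZTY0IFNIQS0yNTYgb2YgYSBDU0VL"}},   # CSEK
    {"name": "db-1", "status": "READY",
     "diskEncryptionKey": {"kmsKeyName": "projects/demo/locations/us/keyRings/r/cryptoKeys/k"}},  # CMEK
    {"name": "gke-cluster-1-pool-abc", "status": "READY"},                  # GKE-managed, excluded by name
    {"name": "scratch-1", "status": "CREATING"},                            # not READY, out of scope
    {"name": "legacy-1", "status": "READY"},                                # Google-managed key only
]


def in_scope(disk):
    """Both rule versions only look at READY disks that are not GKE-managed."""
    return disk.get("status") == "READY" and not disk.get("name", "").startswith("gke-")


def old_rule(disk):
    """Former RQL: violation only when diskEncryptionKey is absent entirely."""
    return in_scope(disk) and "diskEncryptionKey" not in disk


def new_rule(disk):
    """Updated RQL: violation unless a CSEK fingerprint (diskEncryptionKey.sha256) is present."""
    return in_scope(disk) and "sha256" not in disk.get("diskEncryptionKey", {})


def violations(disks, rule):
    """Sorted names of disks that violate `rule`."""
    return sorted(d["name"] for d in disks if rule(d))


if __name__ == "__main__":
    print("old rule:", violations(SAMPLE_DISKS, old_rule))
    print("new rule:", violations(SAMPLE_DISKS, new_rule))
```

The CMEK disk db-1 is the one that appears only under the new rule, which is the "new alerts may be generated" case the impact statement refers to.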


New Compliance Benchmarks and Updates

Support for ISO/IEC 27002:2022
Prisma Cloud now supports the ISO/IEC 27002:2022 compliance standard. ISO/IEC 27002:2022 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls while taking the organization's information security risk environment into account.
With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

Changes in Existing Behavior

Global Region Support for Target SSL proxy
Prisma Cloud now provides global region support for the gcloud-compute-target-ssl-proxy API. Due to this, all the resources will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-target-ssl-proxy start ingesting data again.

Update Prisma Cloud Data Security IP Addresses
The list of source IP addresses for data security in the US and EU regions is updated. Make sure you review the list, add the new IP addresses to your allow lists, and remove the old ones.
US New IPs (to add)
• 3.128.230.117
• 3.14.212.156
• 3.22.23.119
• 20.9.80.30
• 20.9.81.254
• 20.228.128.132
• 20.228.250.145
• 20.253.198.116
• 20.253.198.147
US Old IPs (to remove)
• 20.121.153.41
• 20.121.153.87
• 20.121.153.100
• 52.226.252.199
• 20.121.153.105
• 52.226.252.38
• 20.119.0.19
• 20.12.129.169
• 20.221.94.213
• 20.12.129.184
• 20.12.129.193
• 20.12.129.195
• 20.12.129.196
• 20.118.48.12
• 40.118.253.86
• 138.91.88.27
• 138.91.228.231
• 104.42.8.63
• 104.42.4.238
• 40.118.249.60
• 40.112.243.64
EU New IPs (to add)
• 3.64.66.135
• 18.198.52.216
• 3.127.191.112
• 20.223.237.240
• 20.238.97.44
• 20.26.194.122
• 51.142.252.210
• 51.124.198.75
• 51.124.199.134
EU Old IPs (to remove)
• 20.113.10.157
• 20.113.11.130
• 20.113.12.29
• 20.113.12.30
• 20.79.228.76
• 20.113.9.21
• 20.79.107.0
• 20.223.28.120
• 20.223.28.149
• 20.223.28.176
• 20.223.28.189
• 20.223.28.207
• 20.223.28.226
• 20.107.224.16
• 20.90.227.199
• 20.90.227.255
• 20.90.228.8
• 20.90.228.71
• 20.90.228.129
• 20.90.228.194
• 20.90.134.24
• 20.103.147.247
• 20.103.148.141
• 20.103.149.167
• 20.103.149.216
• 20.103.149.237
• 20.103.150.28
• 20.105.232.10

REST API Updates


No REST API Updates for 23.3.2.

New Features Introduced in 23.3.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates

New Features

GRBAC now available for Data Security
Granular Role Based Access Control (GRBAC) is now available for Data Security functionality in Prisma Cloud. You can now create Custom Roles with the option to View, Create, Update or Delete Data Security functions. GRBAC allows you to enforce least-privileged access, giving you the option to create roles with the minimum amount of access to Data Security required for a user's job function. Custom Role creation is limited to users with a current System Administrator role.

Task Delegation on Adoption Advisor
To operationalize the security capabilities available on Prisma Cloud, you can now assign tasks to specific members of your team so that the right person is assigned and accountable for completing the task and making progress.
The Assignee receives an email with a link to the appropriate page on the administrative console, where the Adoption Advisor side panel provides guidance on the high-level steps to complete the task and a documentation link for more details.

Vulnerabilities displayed in Command Center
The Command Center dashboard on the Prisma Cloud console now includes a snapshot view of Urgent Vulnerabilities, Top 5 Vulnerable Images, and Top 5 Vulnerable Hosts. Vulnerabilities triggering Critical and High alerts are grouped into these actionable views, giving you insight into the impacted resources in your environment and providing you with remediation options. You can view data for the past 30 days and also filter results by:
• Time Range: viewable for the last day, week, month, or a customized time frame
• Account Groups
• Cloud Accounts
Currently, only System Administrators can view the Vulnerabilities widget. The Vulnerability dashboard is also currently not available for Government and China based deployments.

Prisma Cloud Chronicles
The Chronicles is a weekly email update that summarizes your team's usage of Prisma Cloud, suggests product adoption improvements, links to the Release Notes to show what's new, and provides actionable opportunities to secure your cloud environment.

Support for Finance Regions on Alibaba Cloud
Prisma Cloud now ingests data for resources deployed in Alibaba Finance Cloud for the Hangzhou, Shanghai, and Shenzhen regions.
To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.

Enhancement: Separate Text Boxes for Key and Value Entries
If you are using tags, you no longer need to use a colon (:) to separate key and value entries in a single text box while assigning resource tags on Alert Overview and Asset Inventory. You can now enter Key and Value in separate text boxes.

Enhancement: Asset Inventory
The text strings displayed in Asset Inventory are improved for better readability and accuracy.
• The Asset Inventory displays "Data as of:", similar to Asset Explorer, to indicate the freshness of the snapshot of the data.
• The Date filter in Asset Explorer now displays "Most recent" instead of the absolute date-time.
• The Asset Detail View displays "You are viewing the most recent data about this asset" to indicate that it is the most recent data for the asset regardless of the data roll-up time, and that it may be more up to date than the latest snapshot.
• The Asset Detail View also displays "You are viewing data about a deleted asset" to indicate that you are viewing an asset which has been deleted from your cloud environment.


API Ingestions

Azure Defender for Cloud: azure-defender-for-cloud-workspace-setting
Additional permission required:
• Microsoft.Security/workspaceSettings/read
The Reader role includes the permission.

Azure Defender for Cloud: azure-defender-for-cloud-setting
Additional permission required:
• Microsoft.Security/settings/read
The Reader role includes the permission.

Azure Defender for Cloud: azure-defender-for-cloud-security-contact
Additional permission required:
• Microsoft.Security/securityContacts/read
The Reader role includes the permission.

Azure Defender for Cloud: azure-defender-for-cloud-secure-score
Additional permission required:
• Microsoft.Security/secureScores/read
The Reader role includes the permission.

Azure Batch Account: azure-batch-account-pool
Additional permissions required:
• Microsoft.Batch/batchAccounts/read
• Microsoft.Batch/batchAccounts/pools/read
The Reader role includes the permissions.

Google Cloud Deploy: gcloud-cloud-deploy-configuration
Additional permissions required:
• clouddeploy.config.get
• clouddeploy.locations.list
The Viewer role includes the permissions.

Google Cloud Deploy: gcloud-cloud-deploy-delivery-pipeline
Additional permissions required:
• clouddeploy.locations.list
• clouddeploy.deliveryPipelines.list
• clouddeploy.deliveryPipelines.getIamPolicy
The Viewer role includes the permissions.

Google Cloud Deploy: gcloud-cloud-deploy-target
Additional permissions required:
• clouddeploy.locations.list
• clouddeploy.targets.list
• clouddeploy.targets.getIamPolicy
The Viewer role includes the permissions.

New Policies

Attack Path Policies
To help prioritize alerts and mitigate security issues, Prisma Cloud provides 5 new out-of-the-box Attack Path policies that are of critical severity and enabled by default.
The Attack Path policies are:
• AWS EC2 instance with s3:GetObject permission is publicly exposed and not configured with Instance Metadata Service v2 (IMDSv2)
This policy identifies AWS EC2 instances with s3:GetObject permission which are publicly exposed and not configured with Instance Metadata Service v2 (IMDSv2). With IMDSv2, every request is protected by session authentication. IMDSv2 protects against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched SSRF vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation. As a best practice, use only IMDSv2 for all your EC2 instances.
• AWS EC2 instance with iam:PassRole and ec2:RunInstances permissions is publicly exposed
This policy identifies AWS EC2 instances with risky permissions that are publicly exposed. EC2 instances associated with the 'iam:PassRole' and 'ec2:RunInstances' permissions can be used to escalate privileges by passing an existing IAM role to a new EC2 instance and moving laterally. It is highly recommended that you remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.
• AWS EC2 instance with ORG level WRITE permissions is publicly exposed
This policy identifies AWS EC2 instances which have risky ORG level WRITE permissions and are publicly exposed. EC2 instances having org level write permissions can be used to escalate privileges at the ORG level and move laterally between accounts. It is highly recommended to remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.
• AWS EC2 instance with Critical/High exploitable vulnerability is publicly exposed
This policy identifies AWS EC2 instances which have known exploitable vulnerabilities and are publicly exposed. An attacker can exploit the vulnerability to compromise the confidentiality, integrity, or availability of the affected EC2 instance and perform malicious actions. As a best practice, remediate the Critical/High exploitable vulnerabilities reported for EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.
• AWS EC2 instance with iam:PassRole and lambda:InvokeFunction permissions is publicly exposed
This policy identifies AWS EC2 instances which are attached to an IAM role with risky permissions and are publicly exposed. EC2 instances having the 'iam:PassRole', 'lambda:CreateFunction' and 'lambda:InvokeFunction' permissions can be used to escalate privileges by passing an existing IAM role to a new Lambda function and moving laterally. As a best practice, remove the risky permissions from the IAM role attached to EC2 instances. Additionally, review and restrict the public exposure based on the business requirements.
Attack Path policies are not available in China and Government regions.
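How the IMDSv2 and the two iam:PassRole conditions above can be evaluated from an instance's metadata options and the policy document of its instance-profile role, as an added example written for this page and not Prisma Cloud's own implementation. The instance and policy documents are constructed; is_public() is simplified to "has a public IP address", and allows() models only Effect and Action with IAM's case-insensitive glob matching (ec2:Run*, iam:*), not NotAction, resource scoping or conditions. It also shows why a literal string match is not enough: ec2:RunInstances is granted here through the wildcard ec2:Run*, and the Lambda path is closed by an explicit Deny.

```python
import fnmatch

# Constructed sample: an EC2 instance as describe-instances reports it, and the
# policy document of the role in its instance profile. Field names follow the
# AWS API; the values are invented for this example.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "PublicIpAddress": "203.0.113.10",
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
}
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Run*", "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:*", "Resource": "*"},
    ],
}

# Permission sets the Attack Path policies call out as privilege-escalation paths
RISKY_COMBINATIONS = {
    "iam:PassRole + ec2:RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    "iam:PassRole + lambda:InvokeFunction": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action):
    """True when some Allow statement matches `action` and no Deny statement does.

    IAM action patterns are case-insensitive globs, so both sides are
    lower-cased before fnmatch. Resource scoping, conditions and NotAction are
    deliberately not modelled here (assumption for the example).
    """
    allowed = denied = False
    for statement in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if statement["Effect"] == "Allow":
                allowed = True
            else:
                denied = True
    return allowed and not denied


def requires_imdsv2(instance):
    """HttpTokens=required is what 'configured with IMDSv2' means at the API level."""
    return instance.get("MetadataOptions", {}).get("HttpTokens") == "required"


def is_public(instance):
    """Simplification: a public IP stands in for the product's exposure analysis."""
    return bool(instance.get("PublicIpAddress"))


def attack_path_findings(instance, role_policy):
    """Return the Attack Path conditions (IMDSv2 and the two PassRole pairs) the instance meets."""
    findings = []
    if not is_public(instance):
        return findings
    if allows(role_policy, "s3:GetObject") and not requires_imdsv2(instance):
        findings.append("s3:GetObject without IMDSv2")
    for label, actions in RISKY_COMBINATIONS.items():
        if all(allows(role_policy, a) for a in actions):
            findings.append(label)
    return findings


if __name__ == "__main__":
    for finding in attack_path_findings(SAMPLE_INSTANCE, SAMPLE_ROLE_POLICY):
        print(SAMPLE_INSTANCE["InstanceId"], "->", finding)
```

Setting HttpTokens to required (the remediation the first policy recommends) clears the IMDSv2 finding on its own; the PassRole finding only goes away when the wildcard ec2:Run* grant is removed from the role.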

Azure Anomaly Policies
Prisma Cloud provides the following new policies that detect anomalies using the information in audit logs for your Azure cloud accounts:
• Azure Compute workload assigning roles to resources—Detects when an Azure Compute workload assigns a role to a resource, resource group, or subscription.
• Azure Compute workload modifying Key Vault configurations—Detects when an Azure Compute workload modifies the configuration of a key vault.
• Azure Compute workload deleting network security groups—Detects when an Azure Compute workload deletes network security groups.
• Azure Compute workload disabling Azure alerts—Detects when an Azure Compute workload deletes Azure Monitor alert rules.
• Azure Compute workload creating or modifying route tables—Detects when an Azure Compute workload creates or modifies Azure route tables.
• Azure Compute workload disabling anti-malware extensions—Detects when an Azure Compute workload disables anti-malware extensions.
• Azure user reading database master keys—Detects when an Azure user reads master keys from a Cosmos DB.
• Azure user executing remote commands on virtual machines—Detects when an Azure user runs commands remotely on a virtual machine.
These anomaly policies:
• Identify when an Azure Compute workload uses potential Privilege Escalation or Defense Evasion tactics
• Detect when an Azure user is using Credential Access or Lateral Movement tactics
Prisma Cloud triggers alerts for these anomaly policies after ingesting the audit logs from Azure cloud accounts and once the anomaly policies are added to an alert rule.
You can also specify a role in the anomaly trusted list to suppress the alerts. The specified anomaly policy will not generate alerts for the matching role names added to this trusted list.

Policy Updates

Changes to Network Anomaly Policies
The names of the network anomaly policies are modified to be self-explanatory and to make it easier to identify the cloud resources involved in the alerts reported by these policies. Additionally, the Resource Name column in the alert details for external network anomaly policies (excluding Port Sweep activity) now displays the internal resource (cloud instance) targeted or generating traffic instead of the public IP address of the source host participating in the suspicious activity.
• The Port Sweep activity (External) network anomaly policy involves multiple internal resources, and selecting only one of them could create confusion. To avoid this, the Port Sweep activity (External) policy continues to display the public IP address in the Resource Name.
• The severity of the Network data exfiltration activity anomaly policy is changed from high to medium.
For more information, see the list of policies that are affected.
Impact— Applies only to new alerts generated by an anomaly policy. No impact on existing alerts.

Policy Updates-RQL

GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
Changes— The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.
Current RQL—
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)"; show Y;
Updated RQL—
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' AND json.rule = (profile equals MODERN or profile equals CUSTOM) and minTlsVersion does not equal "TLS_1_2" as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' AND json.rule = sslPolicy exists as Y; filter "$.X.selfLink contains $.Y.sslPolicy"; show Y;
Impact— High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations.

GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites
Changes— The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.
Current RQL—
config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "$.X.sslPolicy does not exist or ($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
Updated RQL—
config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "$.X.sslPolicy does not exist or ($.Y.profile equals COMPATIBLE and $.Y.selfLink contains $.X.sslPolicy) or ( ($.Y.profile equals MODERN or $.Y.profile equals CUSTOM) and $.Y.minTlsVersion does not equal TLS_1_2 and $.Y.selfLink contains $.X.sslPolicy ) or ( $.Y.profile equals CUSTOM and ( $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_128_GCM_SHA256 or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_256_GCM_SHA384 or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_128_CBC_SHA or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_256_CBC_SHA or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_3DES_EDE_CBC_SHA ) and $.Y.selfLink contains $.X.sslPolicy ) "; show X;
Impact— High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations.

GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites
Changes— The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.
Current RQL—

    config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X;
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y;
    filter "($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy)
      or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy
      or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
      or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
      or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
      or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
      or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))";
    show X;

Updated RQL—

    config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X;
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y;
    filter " $.X.sslPolicy does not exist
      or ($.Y.profile equals COMPATIBLE and $.Y.selfLink contains $.X.sslPolicy)
      or ( ($.Y.profile equals MODERN or $.Y.profile equals CUSTOM) and $.Y.minTlsVersion does not equal TLS_1_2 and $.Y.selfLink contains $.X.sslPolicy )
      or ( $.Y.profile equals CUSTOM and ( $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_128_GCM_SHA256 or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_256_GCM_SHA384 or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_128_CBC_SHA or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_AES_256_CBC_SHA or $.Y.enabledFeatures[*] contains TLS_RSA_WITH_3DES_EDE_CBC_SHA ) and $.Y.selfLink contains $.X.sslPolicy ) ";
    show X;

Impact— High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations.

GCP HTTPS Load balancer SSL Policy not using restrictive profile
Changes— The policy RQL is updated to match changes introduced in the gcloud-compute-ssl-policies API.
Current RQL—

    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X;
    config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y;
    filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.profile!='RESTRICTED' && @.profile!='CUSTOM')].selfLink contains $.Y.sslPolicy)";
    show Y;

Updated RQL—

    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' AND json.rule = profile does not equal RESTRICTED and profile does not equal CUSTOM as X;
    config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' AND json.rule = sslPolicy exists as Y;
    filter " $.X.selfLink contains $.Y.sslPolicy ";
    show Y;

Impact— High. Existing alerts will be resolved as Resource_Updated. New alerts will be generated against the policy violations.
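The four GCP SSL-policy checks above share one join (a policy selfLink that contains the proxy's sslPolicy reference) and differ only in the predicate applied to the policy. The Python below is an added example, not Prisma Cloud code: it implements the three distinct predicates over the flat gcloud-compute-ssl-policies shape the updated RQL assumes, joins them to target proxies the way the RQL filters do, and shows why only the weak-cipher checks report a proxy with no SSL policy attached. The sample policies, proxies and project URL are constructed.

```python
"""Local evaluation of the four GCP SSL-policy checks from the updated RQL.

Added example, not Prisma Cloud code. Models the flat gcloud-compute-ssl-policies
resource shape the updated RQL reads (one resource per policy, with profile,
minTlsVersion, enabledFeatures and selfLink). Sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# The five suites the weak-cipher policies name: static RSA key transport
# (no forward secrecy), CBC-mode and 3DES suites.
WEAK_CIPHER_SUITES = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})

@dataclass(frozen=True)
class SslPolicy:
    """One gcloud-compute-ssl-policies resource (updated, flat shape)."""
    self_link: str
    profile: str                  # COMPATIBLE | MODERN | RESTRICTED | CUSTOM
    min_tls_version: str          # TLS_1_0 | TLS_1_1 | TLS_1_2
    enabled_features: tuple = ()  # cipher suites; only set for CUSTOM

@dataclass(frozen=True)
class TargetProxy:
    """A target HTTPS or SSL proxy; ssl_policy is the attached policy URL, or None."""
    name: str
    ssl_policy: Optional[str]

def tls_version_too_low(p: SslPolicy) -> bool:
    """'... configured with SSL policy having TLS version 1.1 or lower'."""
    return p.profile in ("MODERN", "CUSTOM") and p.min_tls_version != "TLS_1_2"

def profile_not_restrictive(p: SslPolicy) -> bool:
    """'... SSL Policy not using restrictive profile'."""
    return p.profile not in ("RESTRICTED", "CUSTOM")

def permits_weak_ciphers(p: SslPolicy) -> bool:
    """'... permits SSL policies with weak cipher suites' (SSL- and HTTPS-proxy variants)."""
    if p.profile == "COMPATIBLE" or tls_version_too_low(p):
        return True
    return p.profile == "CUSTOM" and bool(WEAK_CIPHER_SUITES & set(p.enabled_features))

def attached_policy(proxy: TargetProxy, policies: List[SslPolicy]) -> Optional[SslPolicy]:
    """Mirror the RQL join: the policy whose selfLink contains the proxy's sslPolicy."""
    if proxy.ssl_policy is None:
        return None
    return next((p for p in policies if proxy.ssl_policy in p.self_link), None)

def violating_proxies(proxies, policies, check, flag_unattached: bool) -> List[str]:
    """Names of proxies whose attached policy fails `check`.

    flag_unattached=True reproduces the weak-cipher RQL's leading
    `$.X.sslPolicy does not exist or ...` clause (an unattached proxy gets GCP's
    default SSL policy: COMPATIBLE profile, TLS 1.0 minimum). The TLS-version and
    restrictive-profile RQL require `sslPolicy exists`, so they pass False.
    A dangling reference matches no policy resource and is not reported.
    """
    hits = []
    for proxy in proxies:
        policy = attached_policy(proxy, policies)
        if policy is None:
            if flag_unattached and proxy.ssl_policy is None:
                hits.append(proxy.name)
        elif check(policy):
            hits.append(proxy.name)
    return hits

BASE = "https://www.googleapis.com/compute/v1/projects/demo-project/global/sslPolicies/"

SAMPLE_POLICIES = [  # constructed
    SslPolicy(BASE + "modern-tls10", "MODERN", "TLS_1_0"),
    SslPolicy(BASE + "compat", "COMPATIBLE", "TLS_1_2"),
    SslPolicy(BASE + "custom-rsa", "CUSTOM", "TLS_1_2",
              ("TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")),
    SslPolicy(BASE + "restricted", "RESTRICTED", "TLS_1_2"),
    SslPolicy(BASE + "custom-ecdhe", "CUSTOM", "TLS_1_2",
              ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",)),
]

SAMPLE_PROXIES = [  # constructed; lb-e has no SSL policy attached
    TargetProxy("lb-a", BASE + "modern-tls10"),
    TargetProxy("lb-b", BASE + "compat"),
    TargetProxy("lb-c", BASE + "custom-rsa"),
    TargetProxy("lb-d", BASE + "restricted"),
    TargetProxy("lb-e", None),
    TargetProxy("lb-f", BASE + "custom-ecdhe"),
]

def evaluate_sample() -> dict:
    """Run the three distinct predicates over the constructed inventory."""
    return {
        "tls_1_1_or_lower": violating_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES, tls_version_too_low, False),
        "not_restrictive": violating_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES, profile_not_restrictive, False),
        "weak_ciphers": violating_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES, permits_weak_ciphers, True),
    }
```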

New Compliance Benchmarks and Updates

CSA Cloud Controls Matrix (CCM) v4.0.6
Prisma Cloud now supports the CSA Cloud Controls Matrix (CCM) v4.0.6 compliance standard.
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is a spreadsheet that contains a list of common frameworks and regulations that your organization must follow. Each control maps to a number of industry-accepted security standards, regulations, and frameworks, which means that completing the CCM controls also completes the accompanying standards and regulations. It reduces the need to use multiple frameworks and simplifies cloud security by displaying all common cloud standards in one place.
With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

Changes in Existing Behavior

Google Compute SSL Policies Update
Prisma Cloud now includes a JSON update to increase the visibility and monitoring of gcloud-compute-ssl-policies API resources. Due to this, all the resources will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact— You may notice an increased count for the number of alerts for the following OOTB policies:
• GCP HTTPS Load balancer SSL Policy not using restrictive profile
• GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites
• GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites
• GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
However, the alert count will return to the original numbers once the resources for gcloud-compute-ssl-policies start ingesting data again.

REST API Updates

Command Center APIs
The following new endpoints are available for the Command Center API:
• List Top Vulnerabilities - POST /commandcenter/v1/top-vulnerabilities
• List Total Vulnerable Images and Hosts - POST /commandcenter/v1/vulnerabilities/summary

New APIs for Onboarding AWS Cloud Accounts
The following new endpoints are now available for the Cloud Accounts API. These endpoints include the updates to generate External ID in the IAM Role and to enable selection of Security Capabilities and Permissions.
This change was first announced in the Look Ahead that was published with the 22.4.1 release.
• Add AWS Cloud Account - POST /cas/v1/aws_account
• Update AWS Cloud Account - PUT /cas/v1/aws_account/:id
• Get AWS Cloud Account Status - POST /cas/v1/cloud_account/status/aws
• List Children of Parent (AWS) - POST /cas/v1/aws_account/:parent_id/children
• List Ancestors (AWS) - POST /cas/v1/aws_account/:account_id/ancestors
• Fetch Supported Features For Cloud Type - POST /cas/v1/features/cloud/:cloud_type
• Generate and Download the AWS CFT Template - POST /cas/v1/aws_template
• Generate the AWS CFT Template Link - POST /cas/v1/aws_template/presigned_url

Cloud Ingested Logs API
The following new endpoints are available for the Cloud Ingested Logs API:
• Get Eventbridge configuration details - GET /audit_logs/v2/tenant/:tenantId/aws_accounts/:accountId/eventbridge_config
• Update Eventbridge configuration - PUT /audit_logs/v2/tenant/:tenantId/aws_accounts/:accountId/eventbridge_config
• Get AWS eventbridge config status - GET /audit_logs/v2/tenant/:tenantId/aws_accounts/:accountId/eventbridge_config/status
• Generate Eventbridge CFT - GET /audit_logs/v2/tenant/:tenantId/aws_accounts/:accountId/eventbridge_config/cft_download

Features Introduced in February 2023

Learn what’s new on Prisma™ Cloud in February 2023.
• New Features Introduced in 23.2.2
• New Features Introduced in 23.2.1

New Features Introduced in 23.2.2

• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• Deprecation Notices

New Features

Enhancement Role Assignment Modification for SSO Sign-In
If you have enabled access to users on Prisma Cloud using SSO with JIT provisioning, you can no longer modify their roles in the Prisma Cloud administrative console, unless they have previously been added to an SSO bypass list. The role management for these users needs to be completed from the Identity Provider (IdP) for the change to take effect.
Users on the SSO bypass list can modify their roles and log in directly to the Prisma Cloud console using credentials. However, once you opt to sign in using SSO, your role will get reset to the IdP provisioned role.

API Ingestions

Amazon ECR (aws-ecr-registry)
Additional permissions required:
• ecr:GetRegistryPolicy
• ecr:DescribeRegistry
• ecr:DescribePullThroughCacheRules
You must manually add the permissions or update the CFT template to enable them.

Amazon Chime (aws-chime-voice-connector)
Additional permissions required:
• chime:ListVoiceConnectors
• chime:GetVoiceConnectorLoggingConfiguration
The Security Audit role only includes the chime:ListVoiceConnectors permission. You must manually add the permission or update the CFT template to enable chime:GetVoiceConnectorLoggingConfiguration.

Google Analytics Hub (gcloud-analytics-hub-data-exchange-listing)
Additional permissions required:
• analyticshub.dataExchanges.list
• analyticshub.listings.list
• analyticshub.dataExchanges.getIamPolicy
The Viewer role includes the permissions.

Google Compute Engine (gcloud-compute-external-vpn-gateway)
Additional permission required:
• compute.externalVpnGateways.list
The Viewer role includes the permission.

Google Dataproc Metastore (gcloud-dataproc-metastore-federation)
Additional permissions required:
• metastore.locations.list
• metastore.federations.list
• metastore.federations.getIamPolicy
The Viewer role includes the permissions.

New Policies

DNS Rebinding Activity Anomaly Policy
A new DNS rebinding activity anomaly policy is now available on the Policies page in Prisma Cloud. It detects when computing resources perform domain requests for rebinding domains by inspecting every DNS request performed by all monitored compute resources and looking for consecutive anomalous requests.
By default, the alert disposition of the policy is set to conservative.

Azure AKS cluster is not configured with disk encryption set
Identifies AKS clusters that are not configured with disk encryption set. Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure key vault as a secrets store with an Azure Kubernetes Service (AKS) cluster via a CSI volume. It is recommended to enable secret store CSI driver for your Kubernetes clusters.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule = properties.powerState.code equal ignore case Running and properties.addonProfiles.azureKeyvaultSecr is false

Azure Service Fabric cluster not configured with cluster protection level security
Identifies Service Fabric clusters that are not configured with cluster protection level security. Service Fabric provides levels of protection for node-to-node communication using a primary cluster certificate. It is recommended to set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-fabric-cluster' AND json.rule = properties.provisioningState equal ignore case Succeeded and ((properties.fabricSettings[*].name does not equal ignore case "Security" and properties.fabricSettings[*].parameters[*] does not equal ignore case "ClusterProtectionLevel") or (properties.fabricSettings[?any(name equal ignore case "Security" and parameters[?any(name equal ignore case "ClusterProtectionLevel" and value equal ignore case "None")] exists )] exists))

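The Service Fabric RQL reports a provisioned cluster in two cases: the Security fabric setting carries no ClusterProtectionLevel parameter, or the parameter is present with the value None. The Python below is an added example, not Prisma Cloud code; it evaluates both reported cases and the two non-reported ones (a protected cluster and one still provisioning) over constructed cluster documents that follow the property paths the RQL reads.

```python
"""Evaluate the Azure Service Fabric 'cluster protection level' check locally.

Added example, not Prisma Cloud code. Cluster documents follow the paths the
RQL reads (properties.provisioningState, properties.fabricSettings[].name,
properties.fabricSettings[].parameters[].name/value); samples are constructed.
"""
from typing import Optional


def cluster_protection_level(cluster: dict) -> Optional[str]:
    """Return the ClusterProtectionLevel value from the Security fabric setting.

    None means the Security section or the parameter is absent. Names are
    compared case-insensitively, like the RQL's `equal ignore case`.
    """
    for section in cluster.get("properties", {}).get("fabricSettings", []):
        if section.get("name", "").lower() != "security":
            continue
        for param in section.get("parameters", []):
            if param.get("name", "").lower() == "clusterprotectionlevel":
                return param.get("value")
    return None


def lacks_protection_level(cluster: dict) -> bool:
    """True when the policy would report this cluster.

    Only clusters whose provisioningState is Succeeded are evaluated. A missing
    parameter and an explicit value of None are both reported, matching the
    two clauses of the RQL.
    """
    state = cluster.get("properties", {}).get("provisioningState", "")
    if state.lower() != "succeeded":
        return False
    level = cluster_protection_level(cluster)
    return level is None or level.lower() == "none"


def _cluster(state: str, fabric_settings: list) -> dict:
    return {"properties": {"provisioningState": state, "fabricSettings": fabric_settings}}


# Constructed sample clusters covering the reported and non-reported cases.
SAMPLE_CLUSTERS = {
    "no-security-section": _cluster("Succeeded", [
        {"name": "Diagnostics", "parameters": [{"name": "MaxDiskQuotaInMB", "value": "65536"}]},
    ]),
    "level-none": _cluster("Succeeded", [
        {"name": "Security", "parameters": [{"name": "ClusterProtectionLevel", "value": "None"}]},
    ]),
    "encrypt-and-sign": _cluster("Succeeded", [
        {"name": "Security", "parameters": [{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]},
    ]),
    "still-provisioning": _cluster("Updating", [
        {"name": "Security", "parameters": [{"name": "ClusterProtectionLevel", "value": "None"}]},
    ]),
}


def flagged_clusters(clusters: dict = SAMPLE_CLUSTERS) -> list:
    """Names of the clusters the policy would alert on, in input order."""
    return [name for name, doc in clusters.items() if lacks_protection_level(doc)]


if __name__ == "__main__":
    print("Reported clusters:", flagged_clusters())
```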
Policy Updates

Policy Updates-RQL

AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Changes— The policy name and description are updated. The policy RQL is updated to report instances configured with HTTP (80) and HTTPS (443) ports, which are in active state only.
Current Name— AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Updated Name— AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)
Updated Description— Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0). EC2 instances with unrestricted access to the internet may enable bad actors to use brute force on a system to gain unauthorised access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
Current RQL—

    config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' )

Updated RQL—

    config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'

Impact— Medium. Existing alerts will be resolved as Policy_Updated for instances that are no longer active. New alerts are generated when the instance is connected to the internet and configured with an HTTP / HTTPS port.

AWS Glue connection do not have SSL configured
Changes— The policy RQL has been updated to exclude AWS Glue connections with connection type Network from reporting, because they cannot be configured for SSL.
Current RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-glue-connection' AND json.rule = (connectionType equals KAFKA and connectionProperties.KAFKA_SSL_ENABLED is false) or (connectionType does not equal KAFKA and connectionProperties.JDBC_ENFORCE_SSL is false)

Updated RQL—

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-glue-connection' AND json.rule = ((connectionType equals KAFKA and connectionProperties.KAFKA_SSL_ENABLED is false) or (connectionType does not equal KAFKA and connectionProperties.JDBC_ENFORCE_SSL is false)) and connectionType does not equal "NETWORK"

Impact— Low. Existing alerts will be resolved as Policy_Updated.

Azure Virtual Network subnet is not configured with a Network Security Group
Changes— The policy RQL is updated to exclude the private endpoint and private link associated subnets.
Current RQL—

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicie equals Enabled and ['properties.privateLinkServiceNetworkPoli equals Enabled

Updated RQL—

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "RouteServerSubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes"

Impact— Medium. Existing alerts will be resolved as Policy_Updated for which private endpoint is in disabled state. New alerts are generated for private endpoints in disabled state with no network security group.

Policy Updates-Metadata

GCP VPC Network subnets have Private Google access disabled
Changes— The policy remediation CLI command description is updated to define the granular permissions required for running the remediation CLI command.
Updated Remediation CLI Description— This CLI command requires 'compute.subnetworks.setPrivateIpGoogleAccess', 'compute.subnetworks.setPrivateIpGoogleAccess' and 'compute.subnetworks.update' permissions. Successful execution will enable GCP VPC Network subnets 'Private Google access'.
Impact— No impact on alerts.

GCP Storage buckets are publicly accessible to all authenticated users
Changes— The policy remediation CLI command description is updated to define the granular permissions required for running the remediation CLI command.
Updated Remediation CLI Description— This CLI command requires 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allAuthenticatedUsers' permission access in GCP Storage buckets.
Impact— No impact on alerts.

GCP Storage log buckets have object versioning disabled
Changes— The policy remediation CLI command description is updated to define the granular permissions required for running the remediation CLI command.
Updated Remediation CLI Description— This CLI command requires 'storage.buckets.update' permission. Successful execution will enable GCP Storage log buckets 'versioning'.
Impact— No impact on alerts.

GCP Storage buckets are publicly accessible to all users
Changes— The policy remediation CLI command description is updated to define the granular permissions required for running the remediation CLI command.
Updated Remediation CLI Description— This CLI command requires 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allUsers' permission access in GCP Storage buckets.
Impact— No impact on alerts.

New Compliance Benchmarks and Updates

Update AWS Foundational Security Best Practices Standard
The AWS Foundational Security Best Practices standard has been updated to map default policies to the relevant sections.
Impact— No impact on alerts. The compliance report score will be impacted because of the new mapping.

Changes in Existing Behavior

Google Cloud Task Update
Prisma Cloud will no longer ingest gcloud-cloud-task API related resources because these are ephemeral. As a result, all gcloud-cloud-task resources will be deleted from your tenant.
Impact— No impact on alerts.

Deprecation Notices

Legacy IaC Scan on app.govcloud.io is End of Support
Prisma Cloud no longer supports legacy IaC scanning on GovCloud. The IaC Scan plugins and the DevOps dashboard have been removed from the platform.

New Features Introduced in 23.2.1

• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior
• REST API Updates

New Features

Asset Class Filter
An Asset Class is an asset attribute that aligns with the generally intended application of a given asset type. The new Asset Class filter is available on the Asset Inventory and Alerts Overview pages and allows you to filter assets based on the following asset classes:
• Code
• Compute
• Database
• Identity and Security
• Network
• Other
• Storage
When you use this filter, the results on the Prisma Cloud console are narrowed to display the list of assets that match your criterion.

Performance Improvements for Investigate RQL Queries
The config and event query results on the Investigate page are optimized to load the initial set of results significantly faster. To enable faster load times, the backend automatically uses a heuristic search to retrieve search results for your query. When you enter the query and click Search, the interface loads the first 100 search results, and you can use the Load More button to fetch more results. The Get Total Count button enables you to get a full count of all pertinent results, and is available only for eligible queries that include attributes that support the heuristic search.
All config attributes except cloud.accountgroup, azure.resource.group, limit search records, aggregate functions (count and group by), and all finding type attributes such as finding.type and finding.severity are currently optimized for faster search results. For event queries, the attribute cloud type supports heuristic search.

API Access Key Expiration Notifications
Prisma Cloud allows you to create and manage API keys to facilitate programmatic access to our features and functionality. To ensure uninterrupted access to Prisma Cloud APIs, you can now set up the following Access Key Expiration Notifications:
• Email notifications for named user Access Keys
• Alarm Center notifications for Service Account Access Keys
Navigate to Enterprise Settings > Access Key Expiration Notifications to set a notification threshold prior to access key expiration.
Updates to Access Key Expiration Notifications settings may take up to 24 hours to take effect.

Support for AWS Tags on Prisma Cloud IAM
Prisma Cloud IAM now supports AWS tags. Leverage tags to create RQL queries and dynamic custom policies, by using specific tags to group your cloud resources, roles, groups, policies, etc. when defining your alert rules.

Send Audit Logs to External Integrations
Forward audit logs from Prisma Cloud to an external integration that you have configured to integrate with your existing security workflows.
• Select Settings > Enterprise Settings.
• Enable Send Audit Logs to integration.
• Select the AWS SQS or Webhooks notification channel to send the audit logs.
All new audit logs that are generated after you enable the integration will be sent to this channel. You can view the audit logs on Settings > Audit Logs on Prisma Cloud.
Prisma Cloud does not forward Successful Login type audit log messages to external integrations to minimize noise and log flooding. However, all other audit log types can be forwarded to any supported external integration such as Webhook or SQS. For example, Prisma Cloud does not forward the following audit log message.

    'xxx@paloaltonetworks.com'(with role 'System Admin':'System Admin') logged in via password

Support for Azure Permission Levels on Prisma Cloud IAM
Prisma Cloud IAM now leverages Azure Permission levels for better visibility into your Azure identity permissions, providing you with a more granular view of granted permissions. In addition, you can use these new attributes to create custom policies to more closely monitor your cloud resources.

Update IAM Query Attributes
The new CONTAINS ALL operator is now supported for the action.name attribute. With this operator, you can run queries with AND logic in between values. For example, if you want to get only roles that contain all actions: X, Y, and Z:

    config from iam where action.name CONTAINS ALL ( 'Microsoft.AgFoodPlatform/farmBeats/seasons/write', 'Microsoft.AgFoodPlatform/fields/delete' )

Use this operator to more granularly query groups, roles, and policies.

API Ingestions

Amazon CloudWatch (aws-cloudwatch-insight-rule)
Additional permissions required:
• cloudwatch:DescribeInsightRules
• cloudwatch:ListTagsForResource
The Security Audit role includes the permissions.

Amazon Kinesis Video (aws-kinesis-video-stream)
Additional permissions required:
• kinesisvideo:ListTagsForStream
• kinesisvideo:ListStreams
• kinesisvideo:DescribeNotificationConfiguration
You must add the permissions manually or use the CFT template to update the permissions.

Google Analytics Hub (gcloud-analytics-hub-data-exchange)
Additional permission required:
• analyticshub.dataExchanges.list
The Viewer role includes the permission.

Google Compute Engine (gcloud-compute-vpn-gateway)
Additional permission required:
• compute.vpnGateways.list
The Viewer role includes the permission.

Google Compute Engine (gcloud-compute-target-vpn-gateway)
Additional permission required:
• compute.targetVpnGateways.list
The Viewer role includes the permission.

OCI Certificate (oci-certificate-certificates)
Additional permissions required:
• inspect leaf-certificates
• read leaf-certificates
You must manually add these permissions.

OCI Cloud Guard (oci-cloudguard-security-zone)
Additional permissions required:
• inspect security-zone
• read security-zone
You must manually add these permissions.

OCI Cloud Guard (oci-cloudguard-security-recipe)
Additional permissions required:
• inspect security-recipe
• read security-recipe
You must manually add these permissions.

OCI Data Safe (oci-data-safe-private-endpoint)
Additional permissions required:
• inspect data-safe-private-endpoints
• read data-safe-private-endpoints
You must manually add these permissions.

OCI Data Safe (oci-data-safe-target-database)
Additional permissions required:
• inspect target-databases
• read target-databases
You must manually add these permissions.

OCI IAM (oci-iam-dynamic-group)
Additional permission required:
• inspect dynamic-groups
You must manually add the permission.

OCI NoSQL Database (oci-nosql-database-table)
Additional permissions required:
• inspect nosql-tables
• read nosql-tables
You must manually add these permissions.

OCI Scanning (oci-scanning-host-scantarget)
Additional permissions required:
• inspect host-scan-targets
• read host-scan-targets
You must manually add these permissions.

OCI Scanning (oci-scanning-host-scanrecipe)
Additional permissions required:
• inspect host-scan-recipes
• read host-scan-recipes
You must manually add these permissions.

OCI Vaults (oci-vault-keyvault)
Additional permissions required:
• inspect vaults
• read vaults
You must manually add these permissions.

New Policies

AWS SSM documents are public
Identifies SSM documents that are public and might allow unintended access. A public SSM document can expose valuable information about your account, resources, and internal processes. It is recommended to share SSM documents only with the few private AWS accounts that require them.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ssm-document' AND json.rule = accountSharingInfoList[*].accountId equal ignore case "all"

AWS CloudFront distributions does not have a default root object configured
Identifies CloudFront distributions that do not have a default root object configured. If a CloudFront distribution does not have a default root object configured, requests for the root of your distribution pass to your origin server, which might return a list of the private contents of your origin. To avoid exposing the contents of your distribution or returning an error, it is recommended to specify a default root object.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = defaultRootObject is empty

Azure Storage account is not configured with private endpoint connection
Identifies Storage accounts that are not configured with a private endpoint connection. Azure Storage account private endpoints can be configured using Azure Private Link. Private Link allows users to access an Azure Storage account from within the virtual network or from any peered virtual network. When Private Link is combined with restricted NSG policies, it helps reduce the risk of data exfiltration. It is recommended to configure a Private Endpoint Connection for the Storage account.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.provisioningState equals Succeeded and networkRuleSet.defaultAction equal ignore case Allow and networkRuleSet.virtualNetworkRules is empty and networkRuleSet.ipRules[*] is empty and properties.privateEndpointConnections[*] is empty

Azure Microsoft Defender for Cloud set to Off for Resource Manager
Identifies Azure Microsoft Defender for Cloud configurations in which the Defender setting for Resource Manager (ARM) is set to Off. Enabling Azure Defender for ARM provides protection against issues such as suspicious resource management operations, use of exploitation toolkits, and lateral movement from the Azure management layer to the Azure resources data plane. It is highly recommended to enable Azure Defender for ARM.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equal ignore case Arm and properties.pricingTier does not equal ignore case Standard)] exists

GCP SQL server instance database flag 3625 (trace flag) is not set to on
Identifies GCP SQL Server instances for which the database flag 3625 (trace flag) is not set to on. The trace flag can help prevent the disclosure of sensitive information by masking the parameters of some error messages using '*' for users who are not members of the sysadmin fixed server role. It is recommended to set the 3625 (trace flag) database flag for SQL Server instances to on.

    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "databaseVersion contains SQLSERVER and state equals RUNNABLE and (settings.databaseFlags[*].name does not contain 3625 or settings.databaseFlags[?any(name contains 3625 and value contains off)] exists)"

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates-RQL

Activity Log Retention should not be set to less than 365 days
Changes— The policy name, description, and recommendations are updated according to the latest vendor UI settings. The policy RQL is updated to check the log profile status, so that disabled log profiles are also reported.
Current Name— Activity Log Retention should not be set to less than 365 days
Updated Name— Azure Activity Log retention should not be set to less than 365 days
Updated Description— Identifies Log profiles which have log retention set to less than 365 days. A Log profile controls how your Activity Log is exported and retained. Since the average time to detect a breach is over 200 days, it is recommended to retain your activity log for 365 days or more in order to have time to respond to any incidents.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = isLegacy is true and (properties.retentionPolicy does not exist or properties.retentionPolicy.enabled is false or (properties.retentionPolicy.enabled is true and (properties.retentionPolicy.days does not equal 0 and properties.retentionPolicy.days < 365)))

Impact— Low. New alerts will be generated for disabled log profiles.
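To see exactly which profiles the RQL change adds, here is an added Python example (not Prisma Cloud code) that evaluates the current and the updated json.rule over constructed log-profile JSON. Only the fields named in the RQL are used, and the profiles are made up:

```python
from __future__ import annotations

from typing import Any

MIN_DAYS = 365


def current_rql_matches(profile: dict[str, Any]) -> bool:
    """Old RQL: isLegacy and (retentionPolicy missing, or days != 0 and days < 365).

    A retention policy that exists but is disabled is not reported.
    """
    if profile.get("isLegacy") is not True:
        return False
    policy = profile.get("properties", {}).get("retentionPolicy")
    if policy is None:
        return True
    days = policy.get("days", 0)
    return days != 0 and days < MIN_DAYS


def updated_rql_matches(profile: dict[str, Any]) -> bool:
    """Updated RQL: additionally reports a retention policy whose enabled flag is false.

    days == 0 still means 'retain indefinitely' and stays compliant.
    """
    if profile.get("isLegacy") is not True:
        return False
    policy = profile.get("properties", {}).get("retentionPolicy")
    if policy is None or policy.get("enabled") is False:
        return True
    days = policy.get("days", 0)
    return policy.get("enabled") is True and days != 0 and days < MIN_DAYS


def compare(profiles: list[dict[str, Any]]) -> tuple[list[str], list[str]]:
    """Names reported by the old RQL and by the updated RQL, in input order."""
    before = [p["name"] for p in profiles if current_rql_matches(p)]
    after = [p["name"] for p in profiles if updated_rql_matches(p)]
    return before, after


def _profile(name: str, legacy: bool = True, policy: dict[str, Any] | None = None) -> dict[str, Any]:
    props = {} if policy is None else {"retentionPolicy": policy}
    return {"name": name, "isLegacy": legacy, "properties": props}


# Constructed log profiles (not exported from a real subscription).
SAMPLE_PROFILES = [
    _profile("default-90", policy={"enabled": True, "days": 90}),      # too short: both versions
    _profile("forever", policy={"enabled": True, "days": 0}),          # 0 = keep forever: neither
    _profile("disabled-400", policy={"enabled": False, "days": 400}),  # disabled: only the update
    _profile("no-policy"),                                            # no retentionPolicy: both
    _profile("diagnostic", legacy=False, policy={"enabled": False, "days": 0}),  # not legacy: neither
]

if __name__ == "__main__":
    before, after = compare(SAMPLE_PROFILES)
    print("newly reported:", sorted(set(after) - set(before)))
```

The profile with days set to 0 stays compliant under both versions, because 0 means the Activity Log is retained indefinitely. The only new alert comes from the profile whose retention policy exists but is disabled, which is what the impact statement above describes.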

Policy Updates-Metadata

AWS Certificate Manager (ACM) has invalid or failed certificate
Changes— The policy description is updated.
Updated Description— Identifies certificates in ACM which are either in Invalid or Failed state. If the ACM certificate is not validated within 72 hours, it becomes Invalid. An ACM certificate fails when:
• the certificate is requested for invalid public domains
• the certificate is requested for domains which are not allowed
• contact information is missing
• there are typographical errors
In such cases (Invalid or Failed certificate), you will have to request a new certificate. It is strongly recommended to delete certificates which are in failed or invalid state.
Impact— No impact on alerts.

AWS ECS/ Fargate task definition root user found
Changes— The policy name and description are updated.
Current Name— AWS ECS/ Fargate task definition root user found
Updated Name— AWS ECS Fargate task definition root user found
Updated Description— Identifies AWS ECS Fargate task definitions which have the user name set to root. As a best practice, the user name to use inside the container should not be root. Note: This parameter is not supported for Windows containers.
Impact— No impact on alerts.

CloudTrail trail is not integrated with CloudWatch Log
Changes— The policy name and description are updated.
Current Name— CloudTrail trail is not integrated with CloudWatch Log
Updated Name— AWS CloudTrail trail logs is not integrated with CloudWatch Log
Updated Description— Identifies AWS CloudTrail trails whose logs are not integrated with CloudWatch Logs. Integrating CloudTrail trail logs with CloudWatch Logs enables real-time as well as historic activity logging, which further improves monitoring and alarm capability.
Impact— No impact on alerts.

S3 buckets with configurations set to host websites
Changes— The policy name and description are updated.
Current Name— S3 buckets with configurations set to host websites
Updated Name— AWS S3 buckets with configurations set to host websites
Updated Description— Identifies AWS S3 buckets that are configured to host websites. To host a website on AWS S3 you must configure a bucket as a website. By frequently surveying these S3 buckets, you can ensure that only authorized buckets are enabled to host websites. Make sure to disable static website hosting for unauthorized S3 buckets.
Impact— No impact on alerts.

Azure Storage account container storing activity logs is publicly accessible
Changes— The policy recommendation steps are updated to reflect CSP UI changes.
Impact— No impact on alerts.

Azure Container Registry does not use a dedicated resource group
Changes— The policy description and recommendation steps are updated according to the new URL provided by the CSP.
Impact— No impact on alerts.

SQL Instances do not have SSL configured
Changes— The policy name, description, and recommendation steps are updated.
Current Name— SQL Instances do not have SSL configured
Updated Name— GCP SQL Instances do not have valid SSL configuration
Updated Description— Identifies GCP SQL instances that do not have a valid SSL configuration with an unexpired SSL certificate. Cloud SQL supports connecting to an instance using the Secure Socket Layer (SSL) protocol. If the Cloud SQL Auth proxy is not used for authentication, it is recommended to use SSL for connections to the SQL instance, ensuring the security of data in transit.
Impact— No impact on alerts.

SQL DB Instance backup Binary logs configuration is not enabled
Changes— The policy name, description, and recommendation steps are updated.
Current Name— SQL DB Instance backup Binary logs configuration is not enabled
Updated Name— GCP SQL MySQL DB instance point-in-time recovery backup (Binary logs) is not enabled
Updated Description— Identifies Cloud SQL MySQL DB instances whose point-in-time recovery backup is not enabled. In case of an error, point-in-time recovery helps you recover an instance to a specific point in time. It is recommended to enable automated backups with point-in-time recovery to prevent data loss in case of an unwanted scenario.
Impact— No impact on alerts.

Changes in Existing Behavior

FEATURE DESCRIPTION


Global Region Support for Google VPC Firewall Rule
Prisma Cloud now provides global region support for gcloud-compute-firewall-rules-list. Due to this, all the resources will be deleted and then regenerated on the management console. Existing alerts corresponding to this resource are resolved as Resource_Deleted, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-firewall-rules-list start ingesting data again.

Google VPC Network API Update
Prisma Cloud now provides global region support, as well as a backend update to the resource ID for the gcloud-compute-networks-list API. As a result, all resources for this API will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations, if any.
Impact—You may notice a reduced alert count. However, once the resources for gcloud-compute-networks-list resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE DESCRIPTION

Update Enterprise Settings API
The response object for the GET /settings/enterprise endpoint now includes the following additional properties:
• auditLogSiemIntgrIds
• auditLogsEnabled
The request body and response object for the POST /settings/enterprise endpoint now include the following additional properties:
• auditLogSiemIntgrIds
• auditLogsEnabled

Features Introduced in January 2023


Learn what’s new on Prisma™ Cloud in January 2023.
• New Features Introduced in 23.1.2
• New Features Introduced in 23.1.1

New Features Introduced in 23.1.2


• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

FEATURE DESCRIPTION

Cloud Account Onboarding for more Security Coverage
Prisma Cloud provides an improved and simplified onboarding experience, by providing you with the option to select which security capabilities you want and by creating the role with the permissions required for those capabilities.
You can now enable Agentless Workload Scanning, Serverless Function Scanning, Agent Based Workload Protection, Data Security, and Remediation capabilities as part of the new onboarding workflow for your AWS, Azure, and GCP cloud accounts using minimal steps.
• After you successfully onboard your cloud account on Prisma Cloud, by default, the account is automatically available in Compute and enabled for Workload Discovery and Serverless function scans.
• The option to enable Data Security is now part of the onboarding workflow and is only available for AWS and Azure cloud accounts.
• For previously onboarded cloud accounts, when you Edit the account and enable or disable the additional security capabilities, the permissions for the Prisma Cloud role are updated. You must download the CFT again and apply it on the Cloud Service Provider (AWS, Azure, or GCP) to apply the latest changes.
Depending on the capabilities you have enabled, make sure to follow the steps to configure Agentless Workload Scanning, Serverless Function Scanning, and Agent Based Workload Protection.

Ingest Audit Logs using Amazon EventBridge
By default, Prisma Cloud uses the Amazon CloudTrail service to ingest audit logs. Event assisted ingestion is an enhancement that makes the API call only if the resource configuration has changed. After onboarding your AWS account, you can now configure Amazon EventBridge on Prisma Cloud to support event assisted ingestion in near real time, which allows Prisma Cloud to reduce the total number of API calls and the total time to alert.

Support for AWS GuardDuty and Inspector Malware Findings
After onboarding your AWS account on Prisma Cloud and configuring EventBridge, you can now Configure Findings to view vulnerability and malware findings generated by AWS GuardDuty, or vulnerabilities generated by AWS Inspector, on the Prisma Cloud Resource page. Once enabled, if GuardDuty detects suspicious activity on a workload, it initiates a malware scan on the associated EC2 instance. If malware is detected during the scan, GuardDuty generates an additional finding. The findings provide context and can identify the malicious software that is the source of the suspicious behavior, so that you can take appropriate response actions.

GA Recurring Reports for Adoption Advisor
You can now schedule a recurring Adoption Advisor Report to receive a summary of your adoption and the improvements in your cloud security posture at a regular cadence. You can schedule the report to run at daily, weekly, or monthly intervals, and view a list of all scheduled reports under Adoption Advisor > Reports.

Support for AWS IAM Identity Center
Prisma Cloud now integrates with AWS IAM Identity Center, providing you complete visibility into the access privileges of users currently using AWS IAM Identity Center to log into AWS; this includes users and groups created in or imported into Identity Center. You can also create access policies and user alerts, and remediate risky permissions for AWS IAM Identity Center users. Prisma Cloud does require additional permissions to support the AWS IAM Identity Center integration. If you are using a CloudFormation template for AWS account onboarding, no additional action is required: the required permissions are part of the CloudFormation onboarding template. You can also manually add the permissions to take advantage of AWS IAM Identity Center.

Retrieval of Data Storage Size Estimates for Azure Blob Storage
Prisma Cloud now retrieves the approximate storage size of your Azure blob storage for sensitive data scanning and provides an estimate of the credit consumption required to scan your Azure blob storage. The size of scannable data is based on file size and file type. The estimates in Azure leverage Azure Storage inventory policies, which create inventory files on a daily or weekly basis. You can choose to follow a few recommendations to lower your cost.

API Ingestions

SERVICE API DETAILS

Access Analyzer: aws-access-analyzer
Additional permission required:
• access-analyzer:GetAnalyzer
The Security Audit role includes the permission.

Amazon CloudFront: aws-cloudfront-origin-access-control
Additional permission required:
• cloudfront:ListOriginAccessControls
The Security Audit role includes the permission.

Amazon Prometheus: aws-prometheus-workspace
Additional permissions required:
• aps:DescribeLoggingConfiguration
• aps:ListWorkspaces
No default role includes the permissions.

Azure Stream Analytics: azure-streamanalytics-streamingjobs
Additional permission required:
• Microsoft.StreamAnalytics/streamingjobs/Read
The Reader role includes the permission.

Azure Event Grid: azure-event-grid-topic-privatelinkresource
Additional permissions required:
• Microsoft.EventGrid/topics/read
• Microsoft.EventGrid/topics/privateLinkResources/read
The Reader role includes the permissions.

Azure IoT Hub: azure-devices-iot-hub-privatelinkresource
Additional permissions required:
• Microsoft.Devices/iotHubs/Read
• Microsoft.Devices/iotHubs/privateLinkResources/Read
The Reader role includes the permissions.

Azure Event Grid: azure-event-grid-domains-privatelinkresource
Additional permissions required:
• Microsoft.EventGrid/domains/read
• Microsoft.EventGrid/domains/privateLinkResources/read
The Reader role includes the permissions.

Azure Storage Sync Services: azure-storage-sync-service-privatelinkresource
Additional permissions required:
• Microsoft.StorageSync/storageSyncServices/read
• Microsoft.StorageSync/storageSyncServices/privateLinkResources/read
The Reader role includes the permissions.

Azure Stream Analytics: azure-streamanalytics-streamingjobs-diagnostic-settings
Additional permissions required:
• Microsoft.StreamAnalytics/streamingjobs/Read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Google Dataplex: gcloud-dataplex-lake-task
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.tasks.list
• dataplex.tasks.getIamPolicy
The Viewer role includes the permissions.

Google Dataplex: gcloud-dataplex-lake-contentitem
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.content.list
• dataplex.tasks.getIamPolicy
The Viewer role includes the permissions.

Google Dataplex: gcloud-dataplex-lake-zone-entity
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.zones.list
• dataplex.entities.list
The Viewer role includes the permissions.

New Policies
No new policies for 23.1.2.

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates-RQL

AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes— The policy RQL is updated to stop alerting on resources whose Firewall Manager ACL rules are configured with AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
Current RQL—

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;

Updated RQL—

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGrou does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroup does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes— The policy RQL is updated to stop alerting on resources whose Firewall Manager ACL rules are configured with AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
Current RQL—

config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;

Updated RQL—

config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGrou does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroup does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes— The policy RQL is updated to stop alerting on resources whose Firewall Manager ACL rules are configured with AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
Current RQL—

config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;

Updated RQL—

config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGrou does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroup does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Changes— The policy RQL is updated to stop alerting on resources whose Firewall Manager ACL rules are configured with AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
Current RQL—

config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;

Updated RQL—

config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = (webACL.postProcessFirewallManagerRuleGro does not contain AWSManagedRulesAnonymousIpList or webACL.postProcessFirewallManagerRuleGroup does not contain AWSManagedRulesKnownBadInputsRuleSet) and NOT ( webACL.rules[*].statement.managedRuleGro contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroup contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.
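The four Log4j WAF policy updates above (ALB, API Gateway, AppSync, CloudFront) share one change: a Web ACL whose protection arrives through Firewall Manager post-process rule groups is no longer flagged. The following Python is added here as an example and is not Prisma Cloud or AWS code; it evaluates both versions of the json.rule over constructed Web ACLs. The attribute paths in the RQL are truncated in the source, so the field names used below (rules[].statement.managedRuleGroupStatement.name and postProcessFirewallManagerRuleGroups[].firewallManagerStatement.managedRuleGroupStatement.name) are an assumption modelled on the camel-cased shape of the AWS WAFv2 GetWebACL response:

```python
from __future__ import annotations

from typing import Any

# The two managed rule groups the policies look for.
REQUIRED = {"AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesAnonymousIpList"}


def _managed_group_names(entries: list[dict[str, Any]], statement_key: str) -> set[str]:
    """Collect managedRuleGroupStatement names from a list of rule entries (assumed field shape)."""
    names: set[str] = set()
    for entry in entries:
        stmt = entry.get(statement_key, {}).get("managedRuleGroupStatement")
        if stmt and stmt.get("name"):
            names.add(stmt["name"])
    return names


def own_rule_groups(web_acl: dict[str, Any]) -> set[str]:
    """AMRs referenced directly by the Web ACL's own rules."""
    return _managed_group_names(web_acl.get("rules", []), "statement")


def fms_rule_groups(web_acl: dict[str, Any]) -> set[str]:
    """AMRs pushed in by Firewall Manager as post-process rule groups."""
    return _managed_group_names(
        web_acl.get("postProcessFirewallManagerRuleGroups", []), "firewallManagerStatement"
    )


def current_rql_flags(web_acl: dict[str, Any]) -> bool:
    """Old check: NOT (own rules contain both AMRs)."""
    return not REQUIRED <= own_rule_groups(web_acl)


def updated_rql_flags(web_acl: dict[str, Any]) -> bool:
    """Updated check: (FMS groups lack at least one AMR) AND NOT (own rules contain both).

    Equivalently: flag unless the own rules, or the FMS groups, carry both AMRs.
    """
    fms_lacks_one = not REQUIRED <= fms_rule_groups(web_acl)
    own_has_both = REQUIRED <= own_rule_groups(web_acl)
    return fms_lacks_one and not own_has_both


def compare(web_acls: list[dict[str, Any]]) -> tuple[list[str], list[str]]:
    """Names flagged by the old and by the updated RQL, in input order."""
    before = [w["name"] for w in web_acls if current_rql_flags(w)]
    after = [w["name"] for w in web_acls if updated_rql_flags(w)]
    return before, after


def _amr(name: str) -> dict[str, Any]:
    return {"managedRuleGroupStatement": {"vendorName": "AWS", "name": name}}


# Constructed Web ACLs (not real resources).
SAMPLE_WEB_ACLS = [
    {   # both AMRs in the ACL's own rules: compliant before and after
        "name": "acl-own-both",
        "rules": [{"name": "r1", "statement": _amr("AWSManagedRulesKnownBadInputsRuleSet")},
                  {"name": "r2", "statement": _amr("AWSManagedRulesAnonymousIpList")}],
    },
    {   # both AMRs arrive via Firewall Manager: flagged before, compliant after
        "name": "acl-fms-both",
        "rules": [{"name": "r1", "statement": _amr("AWSManagedRulesCommonRuleSet")}],
        "postProcessFirewallManagerRuleGroups": [
            {"name": "fms1", "firewallManagerStatement": _amr("AWSManagedRulesKnownBadInputsRuleSet")},
            {"name": "fms2", "firewallManagerStatement": _amr("AWSManagedRulesAnonymousIpList")},
        ],
    },
    {   # one AMR in own rules, the other via Firewall Manager: still flagged by the
        # updated RQL, because each source must carry both groups on its own
        "name": "acl-split",
        "rules": [{"name": "r1", "statement": _amr("AWSManagedRulesKnownBadInputsRuleSet")}],
        "postProcessFirewallManagerRuleGroups": [
            {"name": "fms1", "firewallManagerStatement": _amr("AWSManagedRulesAnonymousIpList")},
        ],
    },
    {   # neither AMR anywhere: flagged before and after
        "name": "acl-none",
        "rules": [{"name": "r1", "statement": _amr("AWSManagedRulesCommonRuleSet")}],
    },
]

if __name__ == "__main__":
    print(compare(SAMPLE_WEB_ACLS))
```

The split case is the one to keep in mind when triaging alerts: the updated RQL accepts both rule groups from the ACL's own rules or both from the Firewall Manager post-process groups, but not one from each, and it does not inspect pre-process Firewall Manager rule groups at all.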

AWS CloudFront viewer protocol policy is not configured with HTTPS
Changes— The policy RQL is updated to check the cacheBehavior viewer protocol policy along with the defaultCacheBehavior viewer protocol policy for HTTPS configuration.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = defaultCacheBehavior.viewerProtocolPolicy contains "allow-all"

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = defaultCacheBehavior.viewerProtocolPolicy contains "allow-all" or cacheBehaviors.items[?any( viewerProtocolPolicy contains "allow-all" )] exists

Impact— Medium. New alerts will be generated for resources which have a cacheBehavior viewer protocol policy that is not configured for HTTPS.

Azure Storage accounts soft delete is disabled
Changes— The policy RQL has been updated to exclude FileStorage accounts, which do not support blobs. The recommendation steps have been updated to reflect the changes in the CSP.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = deleteRetentionPolicy.blob.enabled is false

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = deleteRetentionPolicy.blob.enabled is false and (kind does not equal ignore case FileStorage)

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Delete SQL server firewall rule does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/delete" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Create or update SQL server firewall rule does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Sql/servers/firewallRules/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Delete network security group does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/delete" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/delete" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Create or update network security group does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Delete network security group rule does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/delete" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Create or update network security group rule does not exist
Changes— The policy RQL is updated to exclude alerts scoped to a resource group, so that only subscription-scoped alerts are counted. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Network/networkSecurityGroups/securityRules/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Create policy assignment does not exist
Changes— The policy RQL is updated to exclude resource-group-scoped alerts and report only subscription-scoped ones. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Authorization/policyAssignments/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Create or update security solution does not exist
Changes— The policy RQL is updated to exclude resource-group-scoped alerts and report only subscription-scoped ones. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Update security policy does not exist
Changes— The policy RQL is updated to exclude resource-group-scoped alerts and report only subscription-scoped ones. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/policies/write" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure Activity log alert for Delete security policy does not exist
Changes— The policy RQL is updated to exclude resource-group-scoped alerts and report only subscription-scoped ones. The recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-activity-log-alerts' AND json.rule = "location equals Global and properties.enabled equals true and properties.scopes[*] does not contain resourceGroups and properties.condition.allOf[?(@.field=='operationName')].equals equals Microsoft.Security/securitySolutions/delete" as X; count(X) less than 1

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.
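As an added illustration (not Prisma Cloud code and not an RQL engine), the Python below evaluates constructed Azure activityLogAlerts-shaped records against the logic of the current and updated rules for all six "Azure Activity log alert ... does not exist" policies above, so the effect of the new properties.scopes[*] does not contain resourceGroups clause can be checked: a resource-group-scoped alert no longer counts as covering an operation. Field names come from the RQL on this page; the sample records and the subscription ID are constructed placeholders.

```python
from typing import Iterable, List, Set

# Operation names checked by the six policies above (taken from the page).
WATCHED_OPERATIONS = [
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Security/securitySolutions/write",
    "Microsoft.Security/policies/write",
    "Microsoft.Security/securitySolutions/delete",
]


def operation_names(alert: dict) -> Set[str]:
    """Values of properties.condition.allOf[?(@.field=='operationName')].equals."""
    condition = alert.get("properties", {}).get("condition", {})
    return {c.get("equals") for c in condition.get("allOf", [])
            if c.get("field") == "operationName"}


def alert_covers(alert: dict, operation: str, exclude_resource_groups: bool) -> bool:
    """True when this alert satisfies the json.rule for one operation.

    exclude_resource_groups=False mirrors the current RQL; True mirrors the
    updated RQL, which adds: properties.scopes[*] does not contain resourceGroups.
    """
    props = alert.get("properties", {})
    if alert.get("location") != "Global" or props.get("enabled") is not True:
        return False
    if exclude_resource_groups and any("resourceGroups" in scope
                                       for scope in props.get("scopes", [])):
        return False
    return operation in operation_names(alert)


def uncovered_operations(alerts: Iterable[dict], exclude_resource_groups: bool) -> List[str]:
    """Operations where count(X) less than 1, i.e. where the policy raises a finding."""
    alerts = list(alerts)
    return [op for op in WATCHED_OPERATIONS
            if not any(alert_covers(a, op, exclude_resource_groups) for a in alerts)]


# Constructed sample subscription: a subscription-scoped alert, an alert scoped
# to a resource group (the case the updated rules stop counting), and a disabled one.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
SAMPLE_ALERTS = [
    {"name": "policy-write-alert", "location": "Global",
     "properties": {"enabled": True, "scopes": [SUBSCRIPTION],
                    "condition": {"allOf": [
                        {"field": "category", "equals": "Administrative"},
                        {"field": "operationName",
                         "equals": "Microsoft.Security/policies/write"}]}}},
    {"name": "nsg-rule-delete-alert-rg", "location": "Global",
     "properties": {"enabled": True, "scopes": [SUBSCRIPTION + "/resourceGroups/rg-demo"],
                    "condition": {"allOf": [
                        {"field": "operationName",
                         "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]}}},
    {"name": "disabled-alert", "location": "Global",
     "properties": {"enabled": False, "scopes": [SUBSCRIPTION],
                    "condition": {"allOf": [
                        {"field": "operationName",
                         "equals": "Microsoft.Authorization/policyAssignments/write"}]}}},
]

if __name__ == "__main__":
    for label, exclude in (("current", False), ("updated", True)):
        print(f"{label} rule raises findings for:")
        for op in uncovered_operations(SAMPLE_ALERTS, exclude):
            print("  ", op)
```

Under the current rule the resource-group-scoped NSG alert counts, so only four findings are raised; under the updated rule it is ignored and the securityRules/delete policy also fires.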

OCI MFA is disabled for IAM users
Changes— The policy RQL has been updated to exclude alerting for Inactive and Programmatic users, because programmatic users will not have MFA.
Current RQL—

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = 'isMfaActivated is false'

Updated RQL—

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-user' AND json.rule = lifecycleState equal ignore case ACTIVE and capabilities.canUseConsolePassword is true and isMfaActivated is false

Impact— Low. Alerts generated for programmatic users will be resolved as Policy_Updated.

Policy Updates-Metadata

Azure Activity log alert for delete policy assignment does not exist
Changes— The recommendation steps have been updated according to the CSP changes.
Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

Azure SQL Server allow access to any Azure internal resources
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Azure log profile not capturing activity logs for all regions
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Azure subscriptions with custom roles are overly permissive
Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes.
Updated Policy Description— Identifies Azure subscriptions with custom roles that are overly permissive. The least privilege access rule should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Impact— No impact on alerts.

Azure storage account has a blob container with public access
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Azure Storage Account 'Trusted Microsoft Services' access not enabled
Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes.
Updated Policy Description— Identifies Storage Accounts which do not have 'Trusted Microsoft Services' access enabled. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). It is recommended to enable Trusted Microsoft Services on the storage account instead of leveraging network rules.
Impact— No impact on alerts.

Azure storage account logging for queues is disabled
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Storage Accounts without Secure transfer enabled
Changes— The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.
Current Policy Name— Storage Accounts without Secure transfer enabled
Updated Policy Name— Azure Storage Account without Secure transfer enabled
Updated Policy Description— Identifies Storage accounts which have the Secure transfer feature disabled. The secure transfer option enhances the security of your storage account by only allowing requests to the storage account over a secure connection. When 'secure transfer required' is enabled, REST APIs to access your storage accounts connect using HTTPS; any requests using HTTP will be rejected. When you are using the Azure Files service, connections without encryption will fail. It is highly recommended to enable the secure transfer feature on your storage account.

Azure storage does not support HTTPS for custom domain names, so this option is not applied when using a custom domain name.

Impact— No impact on alerts.

Azure Storage accounts soft delete is disabled
Changes— The policy name, description, and remediation CLI descriptions have been updated.
Current Policy Name— Azure Storage accounts soft delete is disabled
Updated Policy Name— Azure Storage account soft delete is disabled
Updated Policy Description— Identifies Azure Storage accounts which have soft delete disabled. Azure Storage contains important access logs, financial data, personal and other secret information; if it is accidentally deleted by a user or application, this could cause data loss or data unavailability. It is recommended to enable the soft delete setting in Azure Storage accounts.
Updated Remediation CLI Description— This CLI command requires 'Microsoft.Storage/storageAccounts/blobServices/write' permission. Successful execution will enable soft delete for blobs on Azure Storage accounts. NOTE: As best practice we are setting delete retention days to 30 days; it can be changed based on customer requirement by cloning the policy.
Impact— No impact on alerts.

Azure Microsoft Defender for Cloud automatic provisioning of log Analytics agent for Azure VMs is set to Off
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Changes in Existing Behavior

FEATURE DESCRIPTION

‘Monitor and Protect’ renamed Remediation
With the Cloud Account Onboarding changes for more Security Coverage, the Monitor and Monitor & Protect modes are revised. For an existing account that was onboarded with Monitor & Protect mode, the Remediation security capability represents the mode.
These modes are no longer available when onboarding new cloud accounts. For the new workflow, see Cloud Account Onboarding for more Security Coverage.

Update AWS Account Onboarding
During onboarding of your AWS cloud account on Prisma Cloud, if you are already logged in to your AWS management console, you can either Download IAM Role CFT or Create IAM Role on the fly.
When you click Create IAM Role, Prisma Cloud creates a dynamic link that takes you directly to the Quick create stack page in the AWS management console.
You do not need to enter the template details manually in order to create the stack; it is auto-populated based on the Security Capabilities and Permissions you have selected.

Google Kubernetes Engine Container ClusterID Update
The resource ID for the gcloud-container-describe-clusters API in Prisma Cloud is updated in the backend. As a result, all resources for these APIs will be deleted and then regenerated on the management console.
Existing alerts for these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact— You may notice a reduced alert count. However, once the resources for the gcloud-container-describe-clusters APIs resume ingesting data, the alert count will return to the original numbers.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Sarbanes-Oxley Act (SOX)
Prisma Cloud now supports the Sarbanes-Oxley Act (SOX) compliance standard. In addition to improving the accuracy of corporate disclosures, SOX protects shareholders and the general public from accounting errors and fraudulent business practices. Corporations must save all business records, including electronic records and electronic messages, for "not less than five years" to comply with SOX. Non-compliance can result in fines, imprisonment, or both. With this support, you can now view this built-in standard and the related policies on Prisma Cloud’s Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance standard over time.

CIS Google Cloud Platform Foundation Benchmark v2.0.0 (Level 1 and Level 2)
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Cloud Platform Foundation Benchmark v2.0.0 is based on the CIS Google Cloud Computing Platform Foundations Benchmark v1.0.0 published by the Center for Internet Security (CIS). The CIS benchmark provides guidance on securing the GCP environment, covering everything from network to servers to operating systems. The important sections covered in the benchmark include IAM, Logging and monitoring configuration, Virtual Network Security settings, and Kubernetes Engine configuration.
You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page.

CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2)
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Kubernetes Engine (GKE) v1.3.0 - (Level 1 and Level 2) is a set of recommendations for configuring Kubernetes to support a strong security posture. Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and is intended to be universally applicable. Based on the existing CIS Benchmark, this standard adds additional controls that are Google Cloud-specific.
You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page.

REST API Updates

CHANGE DESCRIPTION

Update Critical and Informational Severity Alerts Updates
The following new properties are added to the response objects of both:
• GET /compliance/posture
• POST /compliance/posture
The summary object has two additional properties:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources
The complianceDetails array has two additional properties:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources

The following new properties are added to the response objects of both:
• GET /compliance/posture/trend
• POST /compliance/posture/trend
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources

The following new properties are added to the response objects of both:
• GET /v2/inventory
• POST /v2/inventory
The summary object has two additional properties:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources
The groupedAggregates array has two additional properties:
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources

The following new properties are added to the response objects of both:
• GET /v2/inventory
• POST /v2/inventory
  • informationalSeverityFailedResources
  • criticalSeverityFailedResources

The following new properties are added to the response objects of both:
• GET /resource/scan_info
• POST /resource/scan_info
The alertStatus object within the resources array has two additional properties:
  • informational
  • critical

Update Adoption Advisor API
The following new endpoints are available for the Adoption Advisor API:
• GET /adoptionadvisor/report
• POST /adoptionadvisor/report
• PUT /adoptionadvisor/report/{reportId}
• DELETE /adoptionadvisor/report/{reportId}
• DELETE /adoptionadvisor/report/{reportId}/download
• GET /adoptionadvisor/report/{reportId}/{createdOn}/download
• GET /adoptionadvisor/report/generate

New Features Introduced in 23.1.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION


Adoption Advisor for Code to Cloud
To assist you in the process of monitoring and securing your cloud resources, the Adoption Advisor has been updated to provide guidance on foundational, intermediate, and advanced tasks throughout the application lifecycle. The Adoption Advisor includes three stages of the code to cloud application lifecycle: Code & Build, Deploy, and Runtime. You can follow these stages at your own pace, using the "walk, crawl, run" principles to gradually adopt various security capabilities.

Centralized Product Resources in Knowledge Center
The Knowledge Center integrates the resources that were in the Resource Center. You can now access all the product resources directly from the left navigation on Prisma Cloud.

Critical and Informational Severity Policies
To help you categorize and distinguish the varying degrees of severity of Prisma Cloud policies and associated alerts, two new levels of severity are being added. There are no changes to the severity of any system default policies. However, you can now modify policy severity to Critical and Informational as needed.


New Look for PDF Reports
The Compliance reports and the Cloud Security Assessment report for Alerts are updated with a new look and better visualization.

Update Prisma Cloud Data Security-Scan .zip Files up to 2.5GB
Prisma Cloud can now scan your storage resources with .zip file extensions of up to 2.5GB for data classification and malware. The size of the uncompressed files must be:
• less than 20MB to be supported by DSS for scanning and
• less than 100MB to be supported by Wildfire for scanning.

Update Change in Terraform file name for Azure and GCP accounts
The terraform files you download during onboarding Azure and GCP accounts on Prisma Cloud have new names.
• Old Azure Terraform File Name— azure_template API
• New Azure Terraform File Name— prisma-cloud-azure-terraform-<ts>.tf.json
• Old GCP Terraform File Name— gcp_template API
• New GCP Terraform File Name— prisma-cloud-gcp-terraform-<ts>.tf.json

API Ingestions

SERVICE API DETAILS

Amazon Kendra
aws-kendra-index
Additional permissions required:
• kendra:DescribeIndex
• kendra:ListIndices
• kendra:ListTagsForResource
The Security Audit role only includes the permission kendra:ListIndices. You must manually add the permissions or update the CFT template to enable kendra:DescribeIndex and kendra:ListTagsForResource.

Amazon EventBridge
aws-events-eventbus
Additional permissions required:
• events:ListTagsForResource
• events:ListEventBuses
The Security Audit role includes these permissions.

Azure Automation Accounts
azure-automation-account-diagnostic-settings
Additional permissions required:
• Microsoft.Automation/automationAccounts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Batch Account
azure-batch-account-diagnostic-settings
Additional permissions required:
• Microsoft.Batch/batchAccounts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Cognitive Services
azure-cognitive-search-service-diagnostic-settings
Additional permissions required:
• Microsoft.Search/searchServices/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Cosmos DB
azure-documentdb-cassandra-clusters-diagnostic-settings
Additional permissions required:
• Microsoft.DocumentDB/cassandraClusters/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Cosmos DB
azure-cosmos-db-diagnostic-settings
Additional permissions required:
• Microsoft.DocumentDB/databaseAccounts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Database for MariaDB Server
azure-database-maria-db-server-diagnostic-settings
Additional permissions required:
• Microsoft.DBforMariaDB/servers/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Database for MySQL
azure-mysql-flexible-server-diagnostic-settings
Additional permissions required:
• Microsoft.DBforMySQL/flexibleServers/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Database for PostgreSQL
azure-postgresql-flexible-server-diagnostic-settings
Additional permissions required:
• Microsoft.DBforPostgreSQL/flexibleServers/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Event Hubs
azure-event-hub-namespace-diagnostic-settings
Additional permissions required:
• Microsoft.EventHub/namespaces/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure Kubernetes Service
azure-kubernetes-cluster-diagnostic-settings
Additional permissions required:
• Microsoft.ContainerService/managedClusters/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure SQL Database
azure-sql-db-diagnostic-settings
Additional permissions required:
• Microsoft.Sql/servers/read
• Microsoft.Sql/servers/databases/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Azure SQL Database
azure-sql-managed-instance-diagnostic-settings
Additional permissions required:
• Microsoft.Sql/managedInstances/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-analytics-datastore
Additional permissions required:
• apigee.organizations.list
• apigee.datastores.list
The Viewer role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-api-product
Additional permissions required:
• apigee.organizations.list
• apigee.apiproducts.get
• apigee.apiproducts.list
The Viewer role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-api-proxy
Additional permissions required:
• apigee.organizations.list
• apigee.proxies.get
• apigee.proxies.list
• apigee.deployments.list
The Viewer role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-report
Additional permissions required:
• apigee.organizations.list
• apigee.reports.list
The Viewer role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-host-security-report
Additional permissions required:
• apigee.organizations.list
• apigee.envgroups.list
• apigee.hostsecurityreports.list
The Viewer role includes these permissions.

Google Apigee X
gcloud-apigee-x-organization-security-profile
Additional permissions required:
• apigee.organizations.list
• apigee.securityProfiles.list
The Viewer role includes these permissions.

Update Google BigQuery API
gcloud-bigquery-table
Additional permission required:
• bigquery.tables.get
You must update the Terraform template to enable this permission.

Google Cloud KMS
gcloud-kms-keyring-list
Additional permissions required:
• cloudkms.keyRings.get
• cloudkms.keyRings.getIamPolicy
The Viewer role includes these permissions.

Google Cloud KMS
gcloud-kms-crypto-keys-list
Additional permissions required:
• cloudkms.cryptoKeys.get
• cloudkms.cryptoKeys.getIamPolicy
The Viewer role includes these permissions.

Google Dataproc Metastore
gcloud-dataproc-metastore-service
Additional permissions required:
• metastore.locations.list
• metastore.services.getIamPolicy
• metastore.services.list
The Viewer role includes these permissions.

Google Dataplex
gcloud-dataplex-lake-zone-asset-action
Additional permissions required:
• dataplex.lakes.list
• dataplex.zones.list
• dataplex.assets.list
• dataplex.assetActions.list
The Viewer role includes these permissions.

Google Vertex AI
gcloud-vertex-ai-notebook-runtime
Additional permission required:
• notebooks.runtimes.list
The Viewer role includes this permission.

OCI Analytics
oci-analytics-instance
Additional permissions required:
• inspect analytics-instances
• read analytics-instances
You must manually add these permissions.

OCI API Management
oci-apimanagement-apigateway-deployment
Additional permissions required:
• inspect api-gateways
• read api-gateways
• inspect api-deployments
• read api-deployments
You must manually add these permissions.

OCI Budgets
oci-budgets-budget
Additional permissions required:
• inspect usage-budgets
• read usage-budgets
You must manually add these permissions.

OCI Networking
oci-networking-ipsec-connection
Additional permission required:
• inspect ipsec-connections
You must manually add the permission.

OCI Networking
oci-networking-networkloadbalancer
Additional permissions required:
• inspect network-load-balancers
• read network-load-balancers
You must manually add the permissions.

New Policies
No new policies for 23.1.1.

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates-RQL

Azure AD Users can consent to apps accessing company data on their behalf is enabled
Changes— The policy RQL and recommendation steps have been updated according to the CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = permissionGrantPolicyIdsAssignedToDefaultU contains microsoft-user-default-legacy

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.permissionGrant contains microsoft-user-default-legacy

Impact— Low. Previously generated alerts will be resolved as Policy_Updated.

SQL servers which do not have Azure Active Directory admin configured
Changes— The policy Name, Description, and Recommendation steps have been updated to maintain consistency across policies. The RQL has been updated with a new RQL grammar that will improve the accuracy of the results.
Current Policy Name— SQL servers which do not have Azure Active Directory admin configured
Updated Policy Name— Azure SQL server not configured with Active Directory admin authentication
Updated Policy Description— Identifies Azure SQL servers that are not configured with Active Directory admin authentication. Azure Active Directory authentication is a mechanism for connecting to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. As a best practice, configure SQL servers with Active Directory admin authentication.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = '$.serverAdmins !exists or $.serverAdmins[] size equals 0 or ($.serverAdmins[].properties.administrator exists and $.serverAdmins[].properties.administratorT does not equal ActiveDirectory and $.serverAdmins[].properties.login is not empty)'

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = serverAdmins does not exist or serverAdmins[*] size equals 0 or (serverAdmins[*].properties.administratorT exists and serverAdmins[*].properties.administratorTy does not equal ActiveDirectory and serverAdmins[*].properties.login is not empty)

Impact— No impact on alerts.

Azure Virtual Network subnet is not configured with a Network Security Group
Changes— The policy RQL has been updated to ignore the case of the parameter value.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name is not member of ("GatewaySubnet", "AzureFirewallSubnet") and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicie equals Enabled and ['properties.privateLinkServiceNetworkPoli equals Enabled

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicie equals Enabled and ['properties.privateLinkServiceNetworkPoli equals Enabled

Impact— Low. Previously generated alerts for gateway subnets whose name is not exactly GatewaySubnet will be resolved as Policy_Updated.
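Added example (not Prisma Cloud code): a Python re-implementation of the current and updated rule logic for the subnet policy above, run over constructed subnet records, which reproduces the impact note: a subnet named gatewaysubnet (lowercase) was flagged by the case-sensitive "is not member of" check but is exempt under "does not equal ignore case". The two property names truncated on the page are assumed to be privateEndpointNetworkPolicies and privateLinkServiceNetworkPolicies; the sample subnets and the NSG ID are constructed.

```python
from typing import Callable, List, Optional

# Subnet names the policy exempts (from the RQL above).
EXEMPT_SUBNET_NAMES = ("GatewaySubnet", "AzureFirewallSubnet")


def _shared_conditions(subnet: dict) -> bool:
    """Clauses that are identical in both rule versions."""
    props = subnet.get("properties", {})
    delegated_to_netapp = any(
        d.get("properties", {}).get("serviceName") == "Microsoft.Netapp/volumes"
        for d in props.get("delegations", []))
    # The two *NetworkPolicies keys are assumed expansions of the names truncated on the page.
    return (subnet.get("networkSecurityGroupId") is None          # "does not exist"
            and not delegated_to_netapp
            and props.get("privateEndpointNetworkPolicies") == "Enabled"
            and props.get("privateLinkServiceNetworkPolicies") == "Enabled")


def violates_current(subnet: dict) -> bool:
    """Current RQL: name is not member of (...) compares names exactly."""
    return _shared_conditions(subnet) and subnet.get("name") not in EXEMPT_SUBNET_NAMES


def violates_updated(subnet: dict) -> bool:
    """Updated RQL: name does not equal ignore case "GatewaySubnet" and ... "AzureFirewallSubnet"."""
    name = str(subnet.get("name", "")).casefold()
    return (_shared_conditions(subnet)
            and all(name != exempt.casefold() for exempt in EXEMPT_SUBNET_NAMES))


def make_subnet(name: str, nsg_id: Optional[str] = None,
                delegation: Optional[str] = None) -> dict:
    """Build a constructed subnet record in the shape the rule reads."""
    delegations = [{"properties": {"serviceName": delegation}}] if delegation else []
    return {"name": name,
            "networkSecurityGroupId": nsg_id,
            "properties": {"privateEndpointNetworkPolicies": "Enabled",
                           "privateLinkServiceNetworkPolicies": "Enabled",
                           "delegations": delegations}}


# Constructed sample inventory.
SAMPLE_SUBNETS = [
    make_subnet("web-subnet"),                                  # no NSG: flagged by both
    make_subnet("gatewaysubnet"),                               # flagged by current only
    make_subnet("GatewaySubnet"),                               # exempt in both
    make_subnet("AZUREFIREWALLSUBNET"),                         # flagged by current only
    make_subnet("app-subnet", nsg_id="nsg-placeholder-id"),    # has an NSG: compliant
    make_subnet("netapp-subnet", delegation="Microsoft.Netapp/volumes"),  # delegated: excluded
]


def flagged_names(rule: Callable[[dict], bool],
                  subnets: Optional[List[dict]] = None) -> List[str]:
    """Names of subnets a rule version would raise an alert on."""
    subnets = SAMPLE_SUBNETS if subnets is None else subnets
    return [s["name"] for s in subnets if rule(s)]


if __name__ == "__main__":
    print("current rule flags:", flagged_names(violates_current))
    print("updated rule flags:", flagged_names(violates_updated))
```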

Policy Updates-Metadata


Azure Storage Account default network access is set to 'Allow'
Changes— The policy description and recommendation steps have been updated to reflect the latest CSP changes.
Updated Policy Description— Identifies Storage accounts whose default network access is set to 'Allow'. Restricting default network access helps to provide a new layer of security, since storage accounts otherwise accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
Impact— No impact on alerts.

GCP Kubernetes Engine Clusters have Changes— The policy name, description, and
Stackdriver Logging disabled recommendation steps have been updated to
reflect the latest CSP changes.
Current Policy Name— GCP Kubernetes
Engine Clusters have Stackdriver Logging
disabled Updated Policy Name— GCP
Kubernetes Engine Clusters have Cloud
Logging disabled
Updated Policy Description— Identifies
Kubernetes Engine Clusters which have
disabled Cloud Logging. Enabling Cloud
Logging will let the Kubernetes Engine to
collect, process, and store your container and
system logs in a dedicated persistent data
store.
Impact— No impact on alerts.

GCP User managed service accounts have user managed service account keys
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

GCP Kubernetes Engine Clusters have Legacy Authorization enabled
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes. The remediation CLI has been removed because there is no single CLI command that can update both zonal and regional GKE clusters.
Impact— Changes to the recommendation steps have no impact on existing alerts. Remediation support is no longer available for this policy.


GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
Changes— The policy description has been updated to reflect the latest CSP changes.
Updated Policy Description— Identifies Kubernetes Engine Clusters that have Cloud Monitoring disabled. Enabling Cloud Monitoring lets Kubernetes Engine monitor signals and build operations in the clusters.
Impact— No impact on alerts.

GCP Kubernetes Engine Clusters not configured with network traffic egress metering
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

GCP Log metric filter and alert does not exist for Project Ownership assignments/changes
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on alerts.

Logging on the Stackdriver exported Bucket is disabled
Changes— The policy name, description, and recommendation steps have been updated to reflect the latest CSP changes.
Current Policy Name— Logging on the Stackdriver exported Bucket is disabled
Updated Policy Name— GCP Bucket containing Operations Suite Logs have bucket logging disabled
Updated Policy Description— Identifies buckets containing Operations Suite logs for which bucket logging is disabled. Enabling bucket logging records every request made on the bucket, which can be used for debugging and forensics. It is recommended to enable logging on buckets containing Operations Suite logs.
Impact— No impact on alerts.

Policy Deletions

AWS Policies
Changes— The following policies are deleted because the API they use does not ingest the required fields. These policies validate the availability limit for subnets and security groups, which is not a security misconfiguration:
• AWS VPC Subnets nearing availability limit
• AWS VPC Security group nearing availability limit
Impact— No impact on alerts. The compliance mapping for the above policies is removed, which can affect the compliance score. The affected compliance standards are:
NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019

AWS EC2 instance is not configured with VPC
Changes— AWS has deprecated the EC2-Classic network service. As a result, this policy is now obsolete and is deleted.
Impact— No impact on alerts. The compliance mapping for the above policy is removed, which can affect the compliance score. The affected compliance standards are:
NIST SP 800-171 Revision 2, PCI DSS v3.2.1, Copy of APRA (CPS 234) Information Security, NIST SP 800-172, Copy of 1Copy of Brazilian Data Protection Law (LGPD), HITRUST v.9.4.2, ACSC Information Security Manual (ISM), NIST CSF, TestCompliance, Copy of Brazilian Data Protection Law (LGPD), MAS TRM 2021, ISO/IEC 27002:2013, ISO/IEC 27017:2015, MLPS 2.0 (Level 2), CIS Controls v8, CIS Controls v7.1, HITRUST CSF v.9.6.0, Secure Controls Framework (SCF) - 2022.2.1, APRA (CPS 234) Information Security, Cybersecurity Maturity Model Certification (CMMC) v.1.02, Brazilian Data Protection Law (LGPD), CSA CCM v.4.0.1, ISO/IEC 27018:2019

Changes in Existing Behavior

FEATURE DESCRIPTION

Monitor and Protect renamed Remediation
With the Cloud Account Onboarding changes for more Security Coverage, the Monitor and Monitor & Protect modes are revised. For an existing account that was onboarded with Monitor & Protect mode, the Remediation security capability now represents that mode. These modes are no longer available when onboarding new cloud accounts. For the new workflow, see Cloud Account Onboarding for More Security Coverage.

Update AWS Account Onboarding
While onboarding your AWS cloud account on Prisma Cloud, if you are already logged in to your AWS management console, you can either Download IAM Role CFT or Create IAM Role on the fly. When you click Create IAM Role, Prisma Cloud creates a dynamic link that takes you directly to the Quick create stack page in the AWS management console. You do not need to enter the template details manually to create the stack; they are auto-populated based on the Security Capabilities and Permissions you have selected.

Google BigQuery API Resource ID Update
The resource ID for the gcloud-bigquery-dataset-list API in Prisma Cloud is updated in the backend. As a result, all resources for the gcloud-bigquery-dataset-list API will be deleted and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact—You may notice a reduced alert count. Once the resources for the gcloud-bigquery-dataset-list API resume ingesting data, the alert count will return to its original level.

Near Zero Rate Limit Exception for GCP APIs
You must enable the following GCP APIs in each project that the Prisma Cloud service account accesses to monitor and protect your GCP resources. If you have onboarded your GCP account at the Organization level, this configuration ensures that the API rate limit quota is consumed per GCP project in the onboarded GCP Organization, rather than counted entirely against the project in which the service account is created.
• bigtableadmin.googleapis.com
• container.googleapis.com
• logging.googleapis.com
• monitoring.googleapis.com
• pubsub.googleapis.com
• serviceusage.googleapis.com
• firebaserules.googleapis.com
Impact—No impact on alerts.

REST API Updates

CHANGE DESCRIPTION

Update Asset Explorer API
The following new query parameters are added to the existing GET /resource/scan_info endpoint:
• asset.severity
• vulnerability.severity
• includeEventForeignEntities
This API has been updated to show the following new fields in the JSON response body of the GET /resource/scan_info and POST /resource/scan_info endpoints:
• resourceConfigJsonAvailable
• resourceDetailsAvailable
• unifiedAssetId
• vulnerabilityStatus
• assetType

Update Asset Inventory API
The following new query parameters are added to the existing GET /v2/inventory endpoint:
• asset.severity
• vulnerability.severity

Changes to the Get Asset Endpoint Response Object
The structure of the Get Asset (POST /uai/v1/asset) response object has been modified. The properties that were previously directly under the data object are now included under a new asset object, which is itself nested inside the data object. Automation that reads the asset properties from data must be updated to read them from data.asset.


Features Introduced in 2022


Stay informed on the new capabilities and policies added to Prisma Cloud in 2022.
The following topic provides a snapshot of new features introduced for Prisma™ Cloud in 2022.
Refer to the Prisma™ Cloud Administrator’s Guide for more information on how to use the
service.
• Features Introduced in December 2022
• Features Introduced in November 2022
• Features Introduced in October 2022
• Features Introduced in September 2022
• Features Introduced in August 2022
• Features Introduced in July 2022
• Features Introduced in June 2022
• Features Introduced in May 2022
• Features Introduced in April 2022
• Features Introduced in March 2022
• Features Introduced in February 2022
• Features Introduced in January 2022
Refer to the Limited GA Features on Prisma Cloud for features that have limited general
availability (LGA).

Features Introduced in December 2022


Learn what’s new on Prisma™ Cloud in December 2022.

New Features Introduced in 22.12.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Changes in Existing Behavior
• REST API Updates


New Features

FEATURE DESCRIPTION

Update Asset Inventory
An enhanced Asset Inventory provides a consolidated view of the assets discovered by Prisma Cloud. You can review all your assets on Prisma Cloud across multi-cloud deployments, covering both public and private cloud environments. The enhanced Asset Inventory provides new capabilities to identify and prioritize remediation of security issues detected within your monitored environments.
In addition to the assets currently available in Prisma Cloud, the enhanced Asset Inventory also includes new asset types from Prisma Cloud Compute, including hosts, containers, and container images. You can view this data in a tabular format and search and filter down to specific resources or sets of resources based on your selected filters.

Improvement to Flow Logs Ingestion Time
Prisma Cloud now supports hourly partitions for your AWS S3 Flow Logs. By switching to hourly partitions, Prisma Cloud makes fewer calls to your S3 bucket, which reduces cost, removes ingestion lag, and improves ingestion performance compared with the existing 24-hour partition.
Create a new flow log setting with the hourly partition and enable the additional fields required on the AWS console. Additional fields such as tcp-flags and flow-direction configured on the AWS console are used to ensure the accuracy of the internet exposure calculation in network policies.

External ID update for AWS Cloud Account Onboarding
While onboarding AWS standalone or organization accounts in the Prisma Cloud Console, you can no longer provide your own External ID. Instead, Prisma Cloud generates an External ID and includes it in the IAM Role CFT. You can use this External ID to complete the onboarding process within 30 days. If you do not complete the onboarding within this 30-day period, you must restart the onboarding workflow. This change was first announced in the look ahead published with the 22.4.1 release.
This change is currently limited to the Prisma Cloud Console and does not impact AWS accounts that are already onboarded.
You can continue to use the existing cloud account onboarding APIs until the new APIs that use the External ID generated by Prisma Cloud are available (expected in February 2023). After the new APIs are available, you have 90 days to update your automation scripts for onboarding new cloud accounts. Similarly, the CFTs in the S3 bucket that allow custom External IDs will continue to be available until the end of March 2023 for backward compatibility.

API Ingestions

SERVICE API DETAILS

Amazon CodePipeline: aws-code-pipeline-pipeline
Additional permissions required:
• codepipeline:ListPipelines
• codepipeline:GetPipeline
• codepipeline:ListTagsForResource
The Security Audit role includes these permissions except codepipeline:ListTagsForResource. You must add the codepipeline:ListTagsForResource permission manually or use the CFT template to update the permissions.

Amazon Forecast: aws-forecast-predictor
Additional permissions required:
• forecast:DescribePredictor
• forecast:DescribeAutoPredictor
• forecast:ListTagsForResource
• forecast:ListPredictors
You must add the permissions manually or use the CFT template to update the permissions.

Amazon Forecast: aws-forecast-dataset
Additional permissions required:
• forecast:ListDatasets
• forecast:DescribeDataset
• forecast:ListTagsForResource
The Security Audit role includes only the forecast:ListDatasets permission. You must add the forecast:DescribeDataset and forecast:ListTagsForResource permissions manually or use the CFT template to update the permissions.

AWS Glue DataBrew: aws-glue-data-brew-job
Additional permissions required:
• databrew:DescribeJob
• databrew:ListJobs
You must add the permissions manually or use the CFT template to update the permissions.

Azure App Service: azure-app-service-diagnostic-settings
Additional permissions required:
• Microsoft.Web/sites/Read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Compute: azure-cloudservices-roleinstance-publicip
Additional permissions required:
• Microsoft.Compute/cloudServices/read
• Microsoft.Compute/cloudServices/roleInstances/read
• Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
The Reader role includes the permissions.

Azure Data Lake Analytics: azure-data-lake-analytics-diagnostic-settings
Additional permissions required:
• Microsoft.DataLakeAnalytics/accounts/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Key Vault: azure-key-vault-diagnostic-settings
Additional permissions required:
• Microsoft.KeyVault/vaults/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Key Vault: azure-key-vault-privatelinkresource
Additional permissions required:
• Microsoft.KeyVault/vaults/read
• Microsoft.KeyVault/vaults/privateLinkResources/read
The Reader role includes the permissions.

Azure Logic Apps: azure-logic-app-workflow-diagnostic-settings
Additional permissions required:
• Microsoft.Logic/workflows/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Recovery Services: azure-recovery-service-vault-diagnostic-settings
Additional permissions required:
• Microsoft.RecoveryServices/Vaults/read
• Microsoft.Insights/DiagnosticSettings/Read
The Reader role includes the permissions.

Azure Subscriptions: azure-subscription-list
Additional permission required:
• Microsoft.Resources/subscriptions/read
The Reader role includes the permission.

Azure Virtual Network: azure-network-private-endpoint
Additional permission required:
• Microsoft.Network/privateEndpoints/read
The Reader role includes the permission.

Google Apigee X: gcloud-apigee-x-organization-shared-flow
Additional permissions required:
• apigee.organizations.list
• apigee.sharedflows.list
• apigee.sharedflows.get
• apigee.deployments.list
The Viewer role includes the permissions.

Google Apigee X: gcloud-apigee-x-organization-data-collector
Additional permissions required:
• apigee.organizations.list
• apigee.datacollectors.list
The Viewer role includes the permissions.

Google Apigee X: gcloud-apigee-x-organization-instance
Additional permissions required:
• apigee.instances.list
• apigee.instanceattachments.list
• apigee.organizations.list
The Viewer role includes the permissions.

Google Apigee X: gcloud-apigee-x-organization-environment
Additional permissions required:
• apigee.organizations.list
• apigee.environments.get
• apigee.environments.getIamPolicy
• apigee.organizations.get
The Viewer role includes the permissions.

Google Apigee X: gcloud-apigee-x-organization
Additional permissions required:
• apigee.organizations.list
• apigee.organizations.get
The Viewer role includes the permissions.

Google Dataplex: gcloud-dataplex-lake-zone-asset
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.zones.list
• dataplex.assets.list
• dataplex.assets.getIamPolicy
The Viewer role includes the permissions.

Google Healthcare: gcloud-healthcare-dataset
Additional permission required:
• healthcare.datasets.get
The Viewer role includes the permission.

Google Identity and Access Management: gcloud-iam-service-accounts-keys-list
Additional permission required:
• iam.serviceAccountKeys.get
The Viewer role includes the permission.

Google Identity and Access Management: gcloud-iam-service-accounts-list
Additional permission required:
• iam.serviceAccounts.get
The Viewer role includes the permission.

Google Stackdriver Monitoring: gcloud-monitoring-policies-list
Additional permission required:
• monitoring.alertPolicies.get
The Monitoring Viewer role includes the permission.

Google Compute Engine: gcloud-ssl-certificate
Additional permission required:
• compute.sslCertificates.get
The Viewer role includes the permission.

Google Compute Engine: gcloud-compute-instance-template
Additional permission required:
• compute.instanceTemplates.get
The Viewer role includes the permission.

Google AI Platform: gcloud-ai-platform-job
Additional permission required:
• ml.jobs.get
The Viewer role includes the permission.

Google API Keys: gcloud-api-key
Additional permission required:
• apikeys.keys.get
The API Keys Viewer role includes the permission.

Google API Gateway: gcloud-apigateway-gateway
Additional permission required:
• apigateway.gateways.get
The API Gateway Viewer role includes the permission.

Google Cloud Armor: gcloud-armor-security-policy
Additional permission required:
• compute.securityPolicies.get
The Viewer role includes the permission.

Google Cloud Composer: gcloud-composer-environment
Additional permission required:
• composer.environments.get
The Viewer role includes the permission.

Update Google VPC: gcloud-compute-project-firewall-policy
Additional permission required:
• compute.regionfirewallPolicies.list
The Viewer role includes the permission.


New Policies

NEW POLICIES DESCRIPTION

Azure Cosmos DB (PaaS) instance reachable from untrust internet source
Identifies Azure Cosmos DB (PaaS) instances that are reachable from an untrusted internet source. Cosmos DB (PaaS) instances reachable from untrusted internet sources may enable bad actors to brute-force their way into a system and gain unauthorised access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.

config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'PaaS'
and dest.cloud.type = 'AZURE' and dest.paas.service.type in ('MicrosoftDocumentDBDatabaseAccount')

Instance affected by Spring Cloud Function SpringShell vulnerability is exposed to network traffic from the internet (CVE-2022-22963)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with a Spring Cloud Function version that is vulnerable to arbitrary code execution (CVE-2022-22963) and exposed to network traffic from the internet. As a best practice, upgrade to the latest Spring Cloud Function version and limit internet exposure.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-22963'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by OpenSSL X.509 email address 4-Byte BOF (Spooky SSL) vulnerability is exposed to network traffic from the internet (CVE-2022-3602)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an OpenSSL version vulnerable to the X.509 email address 4-byte buffer overflow (Spooky SSL, CVE-2022-3602) and exposed to network traffic from the internet. As a best practice, upgrade OpenSSL to the latest version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-3602'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Text4shell RCE vulnerability is exposed to network traffic from the internet (CVE-2022-42889)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an Apache Commons Text version vulnerable to CVE-2022-42889 (Text4shell) and exposed to network traffic from the internet. As a best practice, upgrade Apache Commons Text to the latest version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Apache Log4j JDBC Appender remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-44832)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an Apache Log4j version whose JDBC Appender is vulnerable to CVE-2021-44832 and exposed to network traffic from the internet. As a best practice, upgrade Apache Log4j to the latest version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-44832'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Apache Log4j Thread Context Map remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-45046)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an Apache Log4j version whose Thread Context Map handling is vulnerable to CVE-2021-45046 and exposed to network traffic from the internet. As a best practice, upgrade Apache Log4j to the latest version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-45046'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Apache Log4j denial of service vulnerability is exposed to network traffic from the internet (CVE-2021-45105)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an Apache Log4j version vulnerable to CVE-2021-45105 and exposed to network traffic from the internet. As a best practice, update Apache Log4j to the latest version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-45105'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Argo CD vulnerability is exposed to network traffic from the internet (CVE-2022-24348)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with an Argo CD version vulnerable to CVE-2022-24348 and exposed to network traffic from the internet. As a best practice, upgrade to the latest version of Argo CD and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-24348'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Linux kernel Dirty Pipe vulnerability is exposed to network traffic from the internet (CVE-2022-0847)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Linux kernel version vulnerable to Dirty Pipe (CVE-2022-0847) and exposed to network traffic from the internet. As a best practice, upgrade to a Linux kernel version that fixes CVE-2022-0847 and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-0847'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Java Psychic Signatures vulnerability is exposed to network traffic from the internet (CVE-2022-21449)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances installed with Oracle Java SE versions vulnerable to CVE-2022-21449 (Psychic Signatures) and exposed to network traffic from the internet. As a best practice, upgrade to the latest Oracle Java SE version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-21449'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Linux kernel container escape vulnerability is exposed to network traffic from the internet (CVE-2022-0185)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a Linux kernel version vulnerable to the container escape vulnerability CVE-2022-0185 and exposed to network traffic from the internet. As a best practice, upgrade to a Linux kernel version that fixes CVE-2022-0185 and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-0185'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by DCE/RPC remote code execution vulnerability is exposed to network traffic from the internet (CVE-2022-26809)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies instances running a version vulnerable to the DCE/RPC over SMB remote code execution vulnerability CVE-2022-26809 and exposed to network traffic from the internet. As a best practice, apply the vendor patch for CVE-2022-26809 and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-26809'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Instance affected by Samba vfs_fruit module remote code execution vulnerability is exposed to network traffic from the internet (CVE-2021-44142)
Requires the Compute subscription to generate alerts on Prisma Cloud.
Identifies network-facing instances running a Samba version whose vfs_fruit module is vulnerable to remote code execution (CVE-2021-44142) and exposed to network traffic from the internet. As a best practice, upgrade Samba to a fixed version and limit exposure to the internet.

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-44142'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-
Features Introduced in December 2022 for details on new Configuration Build policies.

Policy Updates
See Prisma Cloud Known Issues for a policy status change issue that may affect you.

POLICY UPDATES DESCRIPTION

Policy Updates-RQL

Instance affected by Apache Log4j vulnerability is exposed to network traffic from the internet (CVE-2021-44228)
Changes— The policy RQL has been updated so that it matches traffic arriving at the vulnerable instance from the internet (dest.resource with source.publicnetwork) instead of traffic leaving the vulnerable instance for the internet (source.resource with destination.publicnetwork).
Current RQL—

network from vpc.flow_record where bytes > 0 AND source.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-44228'))
AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Updated RQL—

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-44228'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Impact— Low. New alerts will be generated if there are any vulnerable resources.
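The following is an added example, written for this page and not Prisma Cloud code: it emulates the updated network query over a few constructed VPC flow log lines, using the flow-direction and tcp-flags fields that the hourly-partition flow log setting under New Features asks you to enable. It shows why the direction flip matters: the previous form flagged a vulnerable host that merely talked out to the internet, while the updated form flags the host that the internet reached. The flow log field order, the IP-to-resource table, the findings dictionary and the SYN-based "internet-initiated" test are all assumptions of the example, not Prisma Cloud's ingestion or matching logic.

```python
"""Added example, not Prisma Cloud code: emulate the 'vulnerable instance exposed to
the internet' network query over constructed VPC flow log lines.

Assumptions made for the example:
  * the flow log uses a custom format: the default v2 fields followed by the v5
    fields flow-direction and tcp-flags, as enabled for the hourly-partition setting;
  * IP_TO_RESOURCE and HOST_FINDINGS stand in for Prisma Cloud's resource and
    finding data and are constructed;
  * 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges) stand in for public
    internet addresses.
"""
from ipaddress import ip_address, ip_network

FLOW_LOG_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol "
    "packets bytes start end action log-status flow-direction tcp-flags"
).split()

# Constructed sample lines, one per flow record.
SAMPLE_FLOW_LOG = """\
5 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51234 443 6 12 4096 1700000000 1700000060 ACCEPT OK ingress 2
5 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 33002 8080 6 3 512 1700000000 1700000060 ACCEPT OK egress 2
5 123456789012 eni-0e5f6a7b 10.0.3.30 198.51.100.9 44010 443 6 9 2048 1700000000 1700000060 ACCEPT OK egress 2
5 123456789012 eni-0c9d8e7f 203.0.113.8 10.0.2.20 51240 80 6 4 1024 1700000000 1700000060 ACCEPT OK ingress 2
5 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51250 22 6 0 0 1700000000 1700000060 REJECT OK ingress 2
"""

# Constructed stand-ins for the resource table and the host-vulnerability findings.
IP_TO_RESOURCE = {"10.0.1.10": "i-vuln-a", "10.0.3.30": "i-vuln-b", "10.0.2.20": "i-patched"}
HOST_FINDINGS = {"i-vuln-a": {"CVE-2021-44228"}, "i-vuln-b": {"CVE-2021-44228"}, "i-patched": set()}

PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TCP_SYN = 0x02  # SYN bit of the tcp-flags bitmask


def parse_flow_log(text):
    """Parse lines in the assumed custom format; lines with a different field count are skipped."""
    records = []
    for line in text.splitlines():
        values = line.split()
        if len(values) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, values))
        for key in ("packets", "bytes", "tcp-flags"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internet_ip(ip):
    """Anything outside the private, loopback and link-local ranges counts as internet."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def exposed_resources(records, cve, direction):
    """Resources carrying `cve` that exchanged bytes with an internet address.

    direction='outbound' mirrors the previous RQL: source.resource is vulnerable and
    destination.publicnetwork is the internet, i.e. the host talked out.
    direction='inbound' mirrors the updated RQL: dest.resource is vulnerable and
    source.publicnetwork is the internet, i.e. the internet reached the host. The
    inbound form is tightened with the v5 fields so that only records where the
    internet side opened the connection (ingress record with SYN set) count.
    """
    hits = set()
    for rec in records:
        if rec["bytes"] <= 0:  # 'bytes > 0' in both RQL forms
            continue
        if direction == "outbound":
            resource, remote = IP_TO_RESOURCE.get(rec["srcaddr"]), rec["dstaddr"]
        elif direction == "inbound":
            if rec["flow-direction"] != "ingress" or not rec["tcp-flags"] & TCP_SYN:
                continue
            resource, remote = IP_TO_RESOURCE.get(rec["dstaddr"]), rec["srcaddr"]
        else:
            raise ValueError(f"unknown direction: {direction}")
        if resource and cve in HOST_FINDINGS.get(resource, ()) and is_internet_ip(remote):
            hits.add(resource)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("previous RQL (outbound):", exposed_resources(recs, "CVE-2021-44228", "outbound"))
    print("updated RQL (inbound):  ", exposed_resources(recs, "CVE-2021-44228", "inbound"))
```

On the sample data the previous form reports i-vuln-b, which only made an outbound connection to an internet address, while the updated form reports i-vuln-a, the host that accepted a connection opened from the internet; the rejected zero-byte probe against i-vuln-a is ignored by both forms because of the bytes > 0 condition. The same flip applies to the OMIGOD and SpringShell RQL updates that follow.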

Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Changes— The policy name and RQL have been updated so that the query matches traffic arriving at the vulnerable instance from the internet rather than traffic leaving it.
Current Policy Name— Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Updated Policy Name— Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet [CVE-2021-38647]
Current RQL—

network from vpc.flow_record where bytes > 0 AND source.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-38647'))
AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Updated RQL—

network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN
('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2021-38647'))
AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Impact— Low. New alerts will be generated if there are any vulnerable resources.

Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Requires the Compute subscription to generate alerts on Prisma Cloud.
Changes— The policy name, description, and RQL have been updated to enhance the scope of the network traffic direction. The query now matches inbound flows from Internet IPs or Suspicious IPs to the vulnerable instance (dest.resource), instead of outbound flows from the vulnerable instance (source.resource).
Current Policy Name— Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Updated Policy Name— Instance affected by Spring Framework SpringShell vulnerability is exposed to network traffic from the internet [CVE-2022-22965]
Updated Policy Description— Identifies instances installed with a Java Spring Framework version vulnerable to arbitrary code execution (CVE-2022-22965) and exposed to network traffic from the internet. As a best practice, upgrade the Java Spring Framework to the latest version and limit exposure to the internet.
Current RQL—
  network from vpc.flow_record where bytes > 0
    AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' )
      AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965'))
    AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Updated RQL—
  network from vpc.flow_record where bytes > 0
    AND dest.resource IN (resource where finding.type IN ('Host Vulnerability')
      AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965'))
    AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Impact— Low. New alerts will be generated if there are any vulnerable resources.

AWS Customer Master Key (CMK) rotation is not enabled
Changes— The policy RQL has been updated to report only customer-managed symmetric keys whose key material was generated by KMS (keyMetadata.origin equals AWS_KMS), which are the keys that support the automatic key rotation feature. Keys with imported or externally stored key material do not support automatic rotation and are no longer reported.
Current RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status'
    AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER
      and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null")
      and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
Updated RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status'
    AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER
      and keyMetadata.origin equals AWS_KMS
      and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null")
      and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
Impact— Medium. Existing alerts for KMS keys whose key material was not generated by KMS (keyMetadata.origin other than AWS_KMS) will be resolved as Policy_Updated. The customerMasterKeySpec equals SYMMETRIC_DEFAULT clause is unchanged, so asymmetric keys were already excluded before this update.

Azure App Service Web app doesn't use latest Java version
Changes— The policy RQL has been updated to check the updated Java versions supported by the vendor; Java 17 is now treated as a supported version alongside 8 and 11.
Current RQL—
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
    AND json.rule = 'properties.state equals Running and
      ((config.isJava11VersionLatest exists and config.isJava11VersionLatest equals false)
      or (config.javaVersion exists and (config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11))
      or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and config.linuxFxVersion contains 8
          and config.linuxFxVersion does not contain 8-jre8)
      or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP
          and config.linuxFxVersion does not contain 7-java8)
      or (config.linuxFxVersion is not empty and config.linuxFxVersion contains TOMCAT
          and config.linuxFxVersion does not contain -jre8))'
Updated RQL—
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
    AND json.rule = 'properties.state equals Running and
      ((config.javaVersion exists and config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11
          and config.javaVersion does not equal 17)
      or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA
          and (config.linuxFxVersion contains 8 or config.linuxFxVersion contains 11 or config.linuxFxVersion contains 17)
          and config.linuxFxVersion does not contain 8-jre8 and config.linuxFxVersion does not contain 11-java11
          and config.linuxFxVersion does not contain 17-java17)
      or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP
          and config.linuxFxVersion does not contain 7-java8 and config.linuxFxVersion does not contain 7-java11
          and config.linuxFxVersion does not contain 7-java17)
      or (config.linuxFxVersion contains TOMCAT
          and config.linuxFxVersion does not end with 10.0-jre8 and config.linuxFxVersion does not end with 9.0-jre8
          and config.linuxFxVersion does not end with 8.5-jre8 and config.linuxFxVersion does not end with 10.0-java11
          and config.linuxFxVersion does not end with 9.0-java11 and config.linuxFxVersion does not end with 8.5-java11
          and config.linuxFxVersion does not end with 10.0-java17 and config.linuxFxVersion does not end with 9.0-java17
          and config.linuxFxVersion does not end with 8.5-java17))'
Impact— Low. Alerts generated for Java version 17 will be resolved as Policy_Updated.

Policy Updates—Metadata

The recommendation steps of the following policies have been updated to reflect the CSP changes. Impact— No impact on alerts.
• GCP Log metric filter and alert does not exist for VPC network changes
• GCP Log metric filter and alert does not exist for IAM custom role changes
• GCP Log metric filter and alert does not exist for VPC network route changes
• GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
• GCP Log metric filter and alert does not exist for Audit Configuration changes
• GCP Log metric filter and alert does not exist for SQL instance configuration changes
• GCP Log metric filter and alert does not exist for VPC Network Firewall rule changes

Changes in Existing Behavior

Global Region Support for Google Compute Engine
Prisma Cloud now provides global region support for the gcloud-compute-instance-template API. Due to this, all the resources will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against the policy violations.
Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-instance-template start ingesting data again.

Region Support for Google Cloud Load Balancing APIs
Prisma Cloud can now store regional resources as well as global resources for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs. Due to this, new alerts will be generated against policy violations.
Impact— You may notice an increased count in the number of alerts for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs.

Alerts for Audit Events
To make your experience with audit event alerts consistent with configuration alerts for custom policies, the policy evaluation for audit events is updated to use the alert rule configuration. The target cloud accounts and cloud regions for which you want to trigger alerts are now inherited only from the alert rule.
Previously, when you ran an audit event query on the Investigate page, saved the query as a saved search, and then used that saved search as the match criteria in a policy, the matched issues that triggered alerts used inputs from both the alert rule configuration and the saved search.
As an example, if you had created a saved search whose RQL includes cloud.account, cloud.accountgroup, or cloud.region, such as
  event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
the cloud.account and cloud.region attributes will now be ignored for custom and existing policies and their associated alerts. Only the target cloud accounts and cloud regions that you specify in the alert rule configuration are used to scope when alerts are generated for the custom Audit Event policy. If the alert rule targets more accounts or regions than the saved search did, alerts are now generated for all of them.
Impact— The change in how the targets for generating alerts are scoped may result in a larger number of alerts than before. This change will be rolled out gradually over multiple phases.

New Compliance Benchmarks and Updates

Multi-Level Protection Scheme 2.0 (Level 2)
Prisma Cloud now supports the Multi-Level Protection Scheme 2.0 (Level 2) compliance standard. This level of information security is based on the compliance standard that nearly all domestic and foreign companies operating in China must follow. With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance over time.

Secure Controls Framework (SCF) - 2022.2.1 standards
Prisma Cloud now supports the Secure Controls Framework (SCF) - 2022.2.1 standards. The Secure Controls Framework (SCF) is a meta-framework that corresponds to more than 100 industry frameworks and laws related to cybersecurity and privacy. The SCF is concerned with internal controls: the cybersecurity and privacy policies, standards, procedures, and other processes designed to provide assurance that business objectives will be met and that unwanted events will be prevented, detected, and corrected. With this support, you can now view this built-in standard and the related policies on Prisma Cloud's Compliance > Standard page. Additionally, you can generate reports for immediate viewing or download, or you can schedule recurring reports to keep track of this compliance over time.

REST API Updates

Asset Explorer API
The following new endpoint returns detailed information for the asset with the given id:
• POST /uai/v1/asset

Features Introduced in November 2022


Learn what’s new on Prisma™ Cloud in November 2022.

New Features Introduced in 22.11.1


• New Features
• API Ingestions
• New Policies
• Policy Updates
• Changes in Existing Behavior

New Features

Prisma Cloud launches new Home Page
As a system administrator, you have a new Home page when you log in to Prisma Cloud. This page provides instant access to the critical issues, latest information, and recommendations for next steps. Use this page as a launch pad to:
• See the latest summary of what happened in the last 24 hours.
• Identify where to resume on your operationalization journey. You have a central context to:
  • Review the recommended workflows.
  • Get started with connecting the providers (repositories, registries and cloud accounts) to scan artifacts and secure resources that are used and deployed through your code-to-cloud journey.
  • Take the next steps in adopting the suite of security capabilities from the Adoption Advisor.
• Stay informed on what's new on Prisma Cloud with easy access to the release information and cloud security blogs from Unit 42.

Anomaly Policies for AWS DNS Activity
On Policies and Alerts > Overview, a new Policy Subtype for DNS displays. The two new policies that use information in DNS logs for your AWS cloud accounts to detect anomalies are:
• Cryptomining domain request activity— detects when monitored resources attempt to contact a known cryptomining pool, using DNS to retrieve the IP address of the mining pool.
• DGA domain request activity— detects when monitored resources attempt to resolve domain names that look like they were generated by a domain generation algorithm.
When you enable DNS log ingestion and add the DNS anomaly policies to an alert rule, alerts for the DNS anomaly policies are triggered. These new anomaly policies generate alerts when they detect suspicious domains in DNS queries. With the addition of these policies, you can also specify a Domain Name in an anomaly trusted list to suppress alerts: for the domain names added to this trusted list, the DNS anomaly policies will not generate alerts.

Ingestion of AWS DNS Logs from Amazon Kinesis Data Firehose
DNS logs provide critical data for detecting threats such as cryptomining pools, domain generation algorithms (DGAs), and DNS rebinding. Prisma Cloud fetches DNS logs for accounts that are streamed to Amazon Kinesis Data Firehose in a logging account on AWS.
After you enable DNS log ingestion on Prisma Cloud, all requests made to the AWS default DNS resolvers are logged; DNS queries made to external servers or to DNS servers not managed by AWS are not logged. Logging is enabled per VPC. Keep this blind spot in mind: a workload that bypasses the VPC resolver, for example by using a hard-coded public resolver, will not appear in these logs.
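The two DNS anomaly checks described above, as an added example that is not part of the original release notes or of Prisma Cloud's detection engine: a small Python evaluator that scores Route 53 Resolver-style query log records against a known mining-pool list and a DGA heuristic, and applies a trusted list the way the anomaly trusted list suppresses alerts. The log records, the pool list, the scoring thresholds and the field names (query_name, srcaddr, rcode, vpc_id) are all constructed for this example.

```python
"""Added example (not Prisma Cloud's own code): apply the two DNS anomaly
checks, cryptomining-pool lookups and DGA-looking names, to Route 53
Resolver-style query log records, with a trusted list that suppresses alerts.
Log records, pool list, thresholds and field names are constructed assumptions."""
import json
import math

# Constructed stand-in for a threat-intelligence feed of mining pool domains.
KNOWN_MINING_POOLS = frozenset({"pool.example-xmr.net", "stratum.example-mine.org"})

# Constructed query log records, one JSON object per line as Firehose would deliver them.
SAMPLE_DNS_LOGS = [
    '{"vpc_id":"vpc-0a1b2c3d","srcaddr":"10.0.1.25","rcode":"NOERROR","query_name":"docs.paloaltonetworks.com."}',
    '{"vpc_id":"vpc-0a1b2c3d","srcaddr":"10.0.1.25","rcode":"NOERROR","query_name":"pool.example-xmr.net."}',
    '{"vpc_id":"vpc-0a1b2c3d","srcaddr":"10.0.2.40","rcode":"NXDOMAIN","query_name":"kq3xz9vbwl2tm7pd.net."}',
    '{"vpc_id":"vpc-0a1b2c3d","srcaddr":"10.0.2.40","rcode":"NOERROR","query_name":"zq8v3kxw7m2tlpbd.example."}',
    '{"vpc_id":"vpc-0a1b2c3d","srcaddr":"10.0.3.7","rcode":"NOERROR","query_name":"amazonaws.com."}',
]


def normalize(qname: str) -> str:
    """Strip the trailing dot and lower-case, so 'Example.COM.' compares equal to 'example.com'."""
    return qname.rstrip(".").lower()


def matches_suffix(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; a label of all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def looks_generated(host: str, min_len: int = 10, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic DGA test on the label left of the TLD: long, high-entropy and
    vowel-poor labels are flagged. Thresholds are constructed, not tuned on data."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def evaluate_dns_logs(lines, trusted_domains=frozenset()):
    """Return one alert dict per suspicious query; trusted domains never alert."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        host = normalize(record["query_name"])
        if matches_suffix(host, trusted_domains):
            continue  # anomaly trusted list: suppress regardless of the checks below
        if matches_suffix(host, KNOWN_MINING_POOLS):
            policy = "Cryptomining domain request activity"
        elif looks_generated(host):
            policy = "DGA domain request activity"
        else:
            continue
        alerts.append({"policy": policy, "query_name": host, "srcaddr": record["srcaddr"],
                       "vpc_id": record["vpc_id"], "rcode": record["rcode"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_dns_logs(SAMPLE_DNS_LOGS, trusted_domains={"zq8v3kxw7m2tlpbd.example"}):
        print(alert)
```

Run with the trusted list shown, the block reports two alerts: the mining-pool lookup from 10.0.1.25 and the NXDOMAIN lookup of the random label from 10.0.2.40; the equally random-looking name on the trusted list is suppressed. The entropy and vowel-ratio thresholds are deliberately crude; a production detector would also use per-source NXDOMAIN rates and a public-suffix list so that names under multi-label suffixes are split correctly.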

IAM Access Control for Service Principals (Update)
Ensure that applications, hosted services, and automated tools securely access your Azure cloud resources with IAM access control for service principals. Assign permissions to the external service or service principal and enforce the appropriate level of access control. As with access control for individual users, service principals can be queried and alerts can be created for application registration and remediation.
Use the App Registration value for source.cloud.resource.type and Service Principal for grantedby.cloud.entity.type in your IAM queries to query service principals.

Support for Azure Tenant (Prisma Cloud Data Security)
You can now enable Data Security on your Azure tenant and configure data security for all the subscriptions under that tenant. You can set up Forward and Backward scans to scan your Azure resources for data security issues, and choose either a custom scan or scanning all objects in your tenant.

Timestamp based on Resource Ingestion for Time Range Filters (Update)
On the Data Dashboard and Inventory pages, when you used the Time Range filter, the timestamp displayed was based on when the resource was created in the cloud account. For improved accuracy, the timestamp displayed is now based on when the resource was ingested.

API Ingestions

AWS Cloud9 (aws-cloud9-environment)
Additional permissions required:
• cloud9:ListEnvironments
• cloud9:ListTagsForResource
• cloud9:DescribeEnvironments
• cloud9:DescribeEnvironmentMemberships
The Security Audit role includes these permissions except cloud9:ListTagsForResource. You must add that permission manually or update the CFT template to include it.

AWS WorkSpaces Bundle (aws-workspace-bundle)
Additional permissions required:
• workspaces:DescribeTags
• workspaces:DescribeWorkspaceBundles
The Security Audit role includes the permissions.
This API will not ingest public bundles. You can only retrieve bundles that belong to your account.

AWS WorkSpaces (aws-workspace-ip-group)
Additional permissions required:
• workspaces:DescribeTags
• workspaces:DescribeIpGroups
The Security Audit role includes the permissions.

Azure Attestation (azure-attestation-providers)
Additional permission required: Microsoft.Attestation/attestationProviders/read
The Reader role includes the permission.

Azure Blueprint (azure-blueprints-list)
Additional permission required: Microsoft.Blueprint/blueprints/read
The Reader role includes the permission.

Azure Confluent (azure-confluent-organizations)
Additional permission required: Microsoft.Confluent/organizations/Read
The Reader role includes the permission.

Azure Datadog (azure-datadog-monitors)
Additional permission required: Microsoft.Datadog/monitors/read
The Reader role includes the permission.

Azure Dev Center (azure-dev-centers)
Additional permission required: Microsoft.DevCenter/devcenters/read
The Reader role includes the permission.

Azure Elastic (azure-elastic-monitors)
Additional permission required: Microsoft.Elastic/monitors/read
The Reader role includes the permission.

Azure Event Grid (azure-event-grid-topic)
Additional permission required: Microsoft.EventGrid/topics/read
The Reader role includes the permission.

Azure Managed Services (azure-managedservices-registration-assignments)
Additional permission required: Microsoft.ManagedServices/registrationAssignments/read
The Reader role includes the permission.

Azure Storage (azure-storage-file-shares)
Additional permission required: Microsoft.Storage/storageAccounts/fileServices/shares/read
The Reader role includes the permission.

Azure Storage Mover (azure-storage-movers)
Additional permission required: Microsoft.StorageMover/storageMovers/read
The Reader role includes the permission.

Azure Workloads (azure-workloads-monitors)
Additional permission required: Microsoft.Workloads/monitors/read
The Reader role includes the permission.

Azure Virtual Network (azure-network-service-endpoint-policy)
Additional permissions required:
• Microsoft.Network/serviceEndpointPolicies/read
• Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read
• Microsoft.Network/privateEndpoints/read
The Reader role includes the permissions.

Google Datastream (gcloud-datastream-connection-profile)
Additional permissions required:
• datastream.locations.list
• datastream.connectionProfiles.list
The Viewer role includes the permissions.

Google Datastream (gcloud-datastream-private-connection)
Additional permissions required:
• datastream.locations.list
• datastream.privateConnections.list
The Viewer role includes the permissions.

Google Datastream (gcloud-datastream-stream)
Additional permissions required:
• datastream.locations.list
• datastream.streams.list
The Viewer role includes the permissions.

Google VPC (gcloud-compute-project-firewall-policy)
Additional permission required: compute.firewallPolicies.list
The Viewer role includes the permission.
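To verify that the role Prisma Cloud uses actually grants the AWS permissions listed above, here is an added example (not Prisma Cloud's code) that compares the required actions against an IAM policy document using IAM's case-insensitive action wildcards and explicit-Deny precedence. The policy document in the block is a constructed excerpt for illustration, not the real SecurityAudit managed policy; NotAction and resource-level restrictions are not modelled.

```python
"""Added example (not Prisma Cloud's own code): report which of the actions the
new AWS ingestions require are not granted by a policy document. The policy
below is a constructed audit-style excerpt, not the SecurityAudit managed policy."""
import fnmatch

# Permissions the release notes list for each newly ingested API.
REQUIRED_PERMISSIONS = {
    "aws-cloud9-environment": [
        "cloud9:ListEnvironments", "cloud9:ListTagsForResource",
        "cloud9:DescribeEnvironments", "cloud9:DescribeEnvironmentMemberships",
    ],
    "aws-workspace-bundle": ["workspaces:DescribeTags", "workspaces:DescribeWorkspaceBundles"],
    "aws-workspace-ip-group": ["workspaces:DescribeTags", "workspaces:DescribeIpGroups"],
}

# Constructed audit-style policy: Describe* wildcards plus one explicit List action.
SAMPLE_AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloud9:Describe*", "cloud9:ListEnvironments", "workspaces:Describe*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _patterns(policy, effect):
    """Collect the Action patterns of every statement with the given Effect."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            out.extend(_as_list(stmt.get("Action")))
    return out


def action_matches(action: str, pattern: str) -> bool:
    """IAM matches action names case-insensitively, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action: str) -> bool:
    """An explicit Deny always wins over any Allow, as in IAM evaluation."""
    if any(action_matches(action, p) for p in _patterns(policy, "Deny")):
        return False
    return any(action_matches(action, p) for p in _patterns(policy, "Allow"))


def missing_permissions(policy, required=REQUIRED_PERMISSIONS):
    """Map each API name to the required actions the policy does not grant."""
    gaps = {}
    for api_name, actions in required.items():
        missing = [a for a in actions if not action_allowed(policy, a)]
        if missing:
            gaps[api_name] = missing
    return gaps


if __name__ == "__main__":
    for api_name, actions in missing_permissions(SAMPLE_AUDIT_POLICY).items():
        print(f"{api_name}: add {', '.join(actions)}")
```

With the constructed policy, the only gap reported is cloud9:ListTagsForResource, the permission the table says must be added by hand or through the CFT template. Run the same function over the real policy documents attached to your role (for example the output of aws iam get-policy-version) before enabling the new ingestions, since a Deny in a customer-managed policy silently overrides the audit role's Allow.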

New Policies

GCP Identity-Aware Proxy (IAP) not enabled for External HTTP(s) Load Balancer
Identifies GCP External HTTP(s) Load Balancers for which Identity-Aware Proxy (IAP) is disabled. IAP is used to enforce access control policies for applications and resources. It works with signed headers or the App Engine standard environment Users API to secure connections to External HTTP(s) Load Balancers. Enabling Identity-Aware Proxy to secure External HTTP(s) Load Balancers is recommended.
  config from cloud.resource where api.name = 'gcloud-compute-external-backend-service'
    AND json.rule = iap does not exist or iap.enabled equals "false"

GCP API key is created for a project
Identifies GCP projects where API keys are created. API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. To avoid this API-related security risk, we recommend using the standard authentication flow.
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' as X; count(X) greater than 0

Policy Updates

Policy Updates—RQL

AWS VPC endpoint policy is overly permissive
Changes— The policy RQL has been updated to check only VPC Gateway Endpoints. The policy name, description, and recommendation steps have also been updated.
Current Name— AWS VPC endpoint policy is overly permissive
Updated Name— AWS VPC gateway endpoint policy is overly permissive
Updated Description— Identifies VPC gateway endpoints that have a VPC endpoint (VPCE) policy that is overly permissive. When the Principal element value is set to '*' within the access policy, the VPC gateway endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS account. It is highly recommended to use a least-privilege VPCE policy to protect against data leakage and unauthorized access.
Current RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints'
    AND json.rule = policyDocument.Statement[?any(Effect equals Allow
      and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
Updated RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints'
    AND json.rule = vpcEndpointType equals Gateway and policyDocument.Statement[?any(Effect equals Allow
      and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
Impact— Medium. Existing open alerts related to VPC endpoints other than Gateway will be resolved and the resolution status will be updated as Policy_Updated.
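As an added example (not Prisma Cloud's code and not the RQL engine), the check the updated RQL performs, written in Python over two constructed VPC endpoint policy documents: the wildcard policy that the policy flags, and a scoped alternative that limits the endpoint to one bucket and to principals in one AWS Organization through the aws:PrincipalOrgID condition key. The bucket name and organization id are placeholders.

```python
"""Added example (not Prisma Cloud's own code): evaluate a VPC endpoint policy
for the predicate the updated RQL describes (an Allow statement whose Principal
is '*' or {"AWS": "*"}, whose Action contains a wildcard and that has no
Condition) and contrast it with a least-privilege policy. Both documents,
the bucket name and the organization id are constructed."""
import json

# Constructed: the default-style document that the RQL flags on a Gateway endpoint.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})

# Constructed: same endpoint, restricted to one bucket and to principals in one organization.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """Mirror 'Principal equals *' or 'Principal.AWS equals *' from the RQL."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def overly_permissive_statements(policy_document):
    """Return the statements matching every clause of the RQL predicate.
    Accepts the document as a JSON string or as an already parsed dict."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal")):
            continue
        if not any("*" in action for action in _as_list(stmt.get("Action"))):
            continue
        if "Condition" in stmt:
            continue  # any Condition, such as aws:PrincipalOrgID, takes the statement out of scope
        hits.append(stmt)
    return hits


def is_overly_permissive(policy_document, endpoint_type: str = "Gateway") -> bool:
    """The updated policy evaluates Gateway endpoints only; Interface endpoints are out of scope."""
    if endpoint_type != "Gateway":
        return False
    return bool(overly_permissive_statements(policy_document))


if __name__ == "__main__":
    print("wildcard policy flagged:", is_overly_permissive(OVERLY_PERMISSIVE_POLICY))
    print("scoped policy flagged:", is_overly_permissive(LEAST_PRIVILEGE_POLICY))
```

Note what the predicate does and does not cover: any Condition element takes a statement out of scope, so a Condition that is itself permissive is not flagged, and after this update Interface endpoints are not evaluated at all. Review those cases separately rather than relying on this policy alone.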

AWS RDS minor upgrades not enabled
Changes— The policy RQL has been updated to check whether the RDS DB instances are in the "available" state.
Current RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances'
    AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune
Updated RQL—
  config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances'
    AND json.rule = dbinstanceStatus equals available and autoMinorVersionUpgrade is false
      and engine does not contain docdb and engine does not contain neptune
Impact— Medium. Existing open alerts related to RDS instances that are not in the available state will be resolved and the resolution status will be updated as Policy_Updated.

Azure AKS cluster pool profile count contains less than 3 nodes
Changes— The policy RQL has been updated with new syntax to increase accuracy, and the remediation details are updated to reflect the CSP UI changes.
Updated Description— Identifies AKS clusters that are configured with a node pool profile of fewer than 3 nodes. It is recommended to have at least 3 nodes in a node pool for a more resilient cluster. (Clusters smaller than 3 nodes may experience downtime during upgrades.)
Current RQL—
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster'
    AND json.rule = "properties.agentPoolProfiles[?(@.type == 'AvailabilitySet')].count < 3"
Updated RQL—
  config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster'
    AND json.rule = 'properties.powerState.code equal ignore case Running
      and properties.agentPoolProfiles[?any(type equal ignore case AvailabilitySet and count less than 3)] exists'
Impact— Low. The alerts generated for stopped resources are resolved with the resolution status Policy_Updated.

Azure Front Door does not have the Azure Web application firewall (WAF) enabled
Changes— The policy RQL has been updated to provide more accuracy in alert results; the WAF policy is now matched by its resource id ($.Y.id) instead of by name.
Current RQL—
  config from cloud.resource where api.name = 'azure-frontdoor'
    AND json.rule = properties.provisioningState equals Succeeded as X;
  config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y;
  filter '$.X.properties.frontendEndpoints[*].prope does not exist
    or ($.X.properties.frontendEndpoints[*].prope contains $.Y.name
    and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
Updated RQL—
  config from cloud.resource where api.name = 'azure-frontdoor'
    AND json.rule = properties.provisioningState equals Succeeded as X;
  config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y;
  filter '$.X.properties.frontendEndpoints[*].prope does not exist
    or ($.X.properties.frontendEndpoints[*].prope equal ignore case $.Y.id
    and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
Impact— Low. The alerts are resolved with the resolution status Policy_Updated.

Azure SQL Database with Auditing Retention less than 90 days
Changes— The policy RQL and recommendation steps have been updated to exclude Log Analytics and Event Hubs auditing targets, as their retention periods are not configurable.
Current RQL—
  config from cloud.resource where api.name = 'azure-sql-server-list'
    AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty
      or serverBlobAuditingPolicy.properties.state equals Disabled
      or serverBlobAuditingPolicy.properties.retent does not exist
      or (serverBlobAuditingPolicy.properties.state equals Enabled
          and serverBlobAuditingPolicy.properties.retent does not equal 0
          and serverBlobAuditingPolicy.properties.retent less than 90))' as X;
  config from cloud.resource where api.name = 'azure-sql-db-list'
    AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty
      or blobAuditPolicy.properties.retentionDays does not exist
      or (blobAuditPolicy.properties.state equals Enabled
          and blobAuditPolicy.properties.retentionDays does not equal 0
          and blobAuditPolicy.properties.retentionDays less than 90)' as Y;
  filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
Updated RQL—
  config from cloud.resource where api.name = 'azure-sql-server-list'
    AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty
      or serverBlobAuditingPolicy.properties.state equals Disabled
      or serverBlobAuditingPolicy.properties.retent does not exist
      or (serverBlobAuditingPolicy.properties.stora is not empty
          and serverBlobAuditingPolicy.properties.state equals Enabled
          and serverBlobAuditingPolicy.properties.retent does not equal 0
          and serverBlobAuditingPolicy.properties.retent less than 90))' as X;
  config from cloud.resource where api.name = 'azure-sql-db-list'
    AND json.rule = '(blobAuditPolicy does not exist or blobAuditPolicy is empty
      or blobAuditPolicy.properties.retentionDays does not exist
      or (blobAuditPolicy.properties.storageEndpoin is not empty
          and blobAuditPolicy.properties.state equals Enabled
          and blobAuditPolicy.properties.retentionDays does not equal 0
          and blobAuditPolicy.properties.retentionDays less than 90))' as Y;
  filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
Impact— Low. Previously generated alerts for SQL databases configured with Log Analytics and Event Hubs auditing will be resolved as Policy_Updated.

GCP PostgreSQL instance database flag log_statement is not set appropriately
Changes— The policy RQL has been enhanced to resolve false alerts by changing the contains operator to equals, so that similarly named flags such as log_statement_stats no longer match.
Current RQL—
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
    AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES
      and (settings.databaseFlags[*].name does not contain log_statement
      or settings.databaseFlags[?any(name contains log_statement and value contains all or value contains none )] exists)"
Updated RQL—
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list'
    AND json.rule = state equals RUNNABLE and databaseVersion contains POSTGRES
      and ( settings.databaseFlags[?any( name equals "log_statement" )] does not exist
      or settings.databaseFlags[?any( name equals "log_statement" and value equals "all" or value equals "none" )] exists)
Impact— Low. Previously generated alerts due to collision with similar flag names will be resolved as Policy_Updated.

GCP Kubernetes Engine Clusters have binary authorization disabled
Changes— The policy RQL has been updated to match CSP data. The datapoint binaryAuthorization.enabled is deprecated and replaced by binaryAuthorization.evaluationMode, and the remediation CLI is removed since no single CLI command is available to update both Zonal and Regional GKE clusters.
Current RQL—
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters'
    AND json.rule = 'binaryAuthorization does not exist or binaryAuthorization.enabled is false'
Updated RQL—
  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters'
    AND json.rule = binaryAuthorization.evaluationMode does not exist
      or binaryAuthorization.evaluationMode equal ignore case EVALUATION_MODE_UNSPECIFIED
      or binaryAuthorization.evaluationMode equal ignore case DISABLED
Impact— High. Previously generated alerts will be resolved as Policy_Updated and new alerts will be generated for existing resources. Also, no remediation support will be available for this policy.

Policy Updates—Metadata

AWS S3 bucket accessible to unmonitored cloud accounts
Changes— The policy recommendation steps have been updated to specify that cloud accounts monitored by Prisma Cloud should be added to the S3 bucket ACL.
Impact— No impact on alerts.

Azure AKS cluster Azure CNI networking not enabled
Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts.

Azure AKS cluster monitoring not enabled
Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts.

Azure AKS cluster HTTP application routing enabled
Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts.

Azure AKS enable role-based access control (RBAC) not enforced
Changes— The policy recommendation steps have been updated.
Impact— No impact on alerts.

GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
Changes— The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name— GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
Updated Name— GCP Kubernetes Engine Clusters have Cloud Monitoring disabled
Impact— No impact on alerts.

GCP Storage log buckets have object versioning disabled
Changes— The policy recommendation steps have been updated to reflect the CSP changes.
Impact— No impact on alerts.

Storage Buckets with publicly accessible Stackdriver logs
Changes— The policy name and recommendation steps have been updated to reflect the CSP changes.
Current Name— Storage Buckets with publicly accessible Stackdriver logs
Updated Name— GCP Storage Buckets with publicly accessible GCP logs
Impact— No impact on alerts.

Changes in Existing Behavior

Global Region Support for Google Compute Engine
Prisma Cloud now provides global region support for the gcloud-compute-instance-template API. Because of this, all resources for this API will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated for policy violations.
Impact— You may notice a reduced alert count. The count will return to the original numbers once the resources for gcloud-compute-instance-template start ingesting data again.

Region Support for Google Cloud Load Balancing APIs
Prisma Cloud can now store regional resources as well as global resources for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs. Because of this, new alerts will be generated for policy violations.
Impact— You may notice an increased alert count for the gcloud-compute-target-http-proxies and gcloud-compute-target-https-proxies APIs.

Alerts for Audit Events
To make audit event alerts consistent with configuration alerts for custom policies, policy evaluation for audit events now uses the alert rule configuration. The target cloud accounts and cloud regions for which you want to trigger alerts are now inherited only from the alert rule.
Earlier, when you ran an audit event query on the Investigate page, saved it as a saved search, and then used that saved search as the match criteria in a policy, the matched issues that triggered alerts took inputs from both the alert rule configuration and the saved search.
For example, if you created a saved search whose RQL includes cloud.account, cloud.accountgroup, or cloud.region, such as
event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ('DeleteAccessKey')
the cloud.account and cloud.region attributes are now ignored for custom and existing policies and their associated alerts. Only the target cloud accounts and cloud regions that you specify in the alert rule configuration are used to scope when alerts are generated for the custom Audit Event policy. A saved search that was narrowed to one account or region can therefore start matching events from every account and region the alert rule targets, so review the alert rule targets of existing audit event policies rather than relying on the filters in the saved search.
Impact— The change in how alert targets are scoped may result in a larger number of alerts than before. This change will be rolled out gradually over multiple phases.

Features Introduced in October 2022

Learn what’s new on Prisma™ Cloud in October 2022.
• New Features Introduced in 22.10.2
• New Features Introduced in 22.10.1

New Features Introduced in 22.10.2

• New Features
• API Ingestions
• New Policies
• Policy Updates
• Change in Existing Behavior
• REST API Updates

New Features

Unified Policy and Alerts for Compute Workloads on the Platform
Incident policies and alerts for hosts and containers are now accessible from the Policies and Alerts pages on the Prisma Cloud console. This provides a single pane for configuring alert rules and viewing compute workload alerts, so that you can contextualize and prioritize remediation.
The Host and Container policies for detecting vulnerabilities and runtime incidents are visible on the Policies page. As a start, there are 4 new policies categorized under the policy subtypes Workload Vulnerability and Workload Incident.
Alert rules support the use of these policies along with Compute Access Groups, a resource list in which you specify the scope of compute workloads that you want to scan against these policies. On Alerts > Overview, the alert details surface vulnerabilities detected on both hosts and containers that violate these policies and link directly to the Vulnerability Explorer on Compute. The alerts are generated for Agentless scanning or scanning with Defenders.

Enable Resolved Alert State in Jira Notification Template
In addition to the Open alert state notifications configured in the notification template, the Prisma Cloud integration with Jira now allows you to configure and send notifications for Resolved alert states through Jira tickets.
For more details, refer to Integrate Prisma Cloud with Jira.

Granular Role Based Access Control
Enhancements to Prisma Cloud roles now allow you to create custom roles using Granular Role Based Access Control (GRBAC). Create, edit, or update existing roles to enforce least-privilege access to Prisma Cloud features, limiting access to only those functions that align with a user’s job responsibilities.
GRBAC creates a dynamic experience for Prisma Cloud users, with a customizable console that displays only the features assigned to a given user, providing an additional layer of security.

CWP Widgets in Adoption Advisor
The Adoption Advisor includes two new widgets for Cloud Workload Protection (CWP).
• Discovered Vs Secured Resources— With this widget you can gain visibility into the protection coverage of your cloud environment. You can review the resources discovered through Cloud Discovery and compare them with the Defenders that have been deployed.
• Vulnerability Trends— With this widget you can track the impacted resources for vulnerabilities discovered and resolved over time across images, hosts, containers, and functions.

API Ingestions

Amazon DevOps Guru (aws-devops-guru-service-integration)
Additional permission required: devops-guru:DescribeServiceIntegration

Amazon Kinesis Data Analytics (aws-kinesisanalyticsv2-application)
Additional permissions required:
• kinesisanalytics:ListTagsForResource
• kinesisanalytics:ListApplications
• kinesisanalytics:DescribeApplication
The Security Audit role includes only the kinesisanalytics:ListApplications permission. You must add the permissions manually or use the CFT template to update the following permissions:
• kinesisanalytics:ListApplications
• kinesisanalytics:DescribeApplication

AWS Account Management (aws-account-management-alternate-contact)
Additional permission required: account:GetAlternateContact

Azure App Service (azure-app-service-deployment-slots)
Additional permissions required:
• Microsoft.Web/sites/slots/read
• Microsoft.Web/serverfarms/sites/read
The Reader role includes the permissions.

Azure App Service (azure-visual-studio-accounts)
Additional permission required: Microsoft.VisualStudio/Account/Read
The Reader role includes the permission.

Azure Bot Service (azure-botservice-bots)
Additional permission required: Microsoft.BotService/botServices/read
The Reader role includes the permission.

Azure Chaos Studio (azure-chaos-experiments)
Additional permission required: Microsoft.Chaos/experiments/read
The Reader role includes the permission.

Azure Confidential Ledger (azure-confidential-ledgers)
Additional permission required: Microsoft.ConfidentialLedger/ledgers/read
The Reader role includes the permission.

Azure Defender for Cloud (azure-iot-security-solutions)
Additional permission required: Microsoft.Security/iotSecuritySolutions/read
The Reader role includes the permission.

Azure Kusto (azure-kusto-clusters)
Additional permission required: Microsoft.Kusto/Clusters/read
The Reader role includes the permission.

Azure Lab Services (azure-labservices-labs)
Additional permission required: Microsoft.LabServices/labs/read
The Reader role includes the permission.

Azure Logic Apps (azure-logic-app-integration-account)
Additional permission required: Microsoft.Logic/integrationAccounts/read
The Reader role includes the permission.

Azure Storage (azure-storage-account-keys)
Additional permissions required:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/listKeys/action
The Reader role includes Microsoft.Storage/storageAccounts/read. The built-in Reader role grants only */read actions, so Microsoft.Storage/storageAccounts/listKeys/action has to be granted separately (for example through a custom role). Listing account keys discloses full-access credentials for the storage account, so scope that grant as narrowly as possible.

Azure Synapse Analytics (azure-synapse-workspace)
Additional permission required: Microsoft.Synapse/workspaces/read
The Reader role includes the permission.

Azure Virtual WAN (azure-virtual-wan-list)
Additional permission required: Microsoft.Network/virtualWans/read
The Reader role includes the permission.

Azure Video Indexer (azure-video-indexer-accounts)
Additional permission required: Microsoft.VideoIndexer/accounts/read
The Reader role includes the permission.

Azure Visual Studio (azure-web-static-sites)
Additional permission required: Microsoft.Web/staticSites/Read
The Reader role includes the permission.

Google Vertex AI (gcloud-vertex-ai-notebook-instance)
Additional permissions required:
• notebooks.locations.list
• notebooks.instances.list
• notebooks.instances.checkUpgradability
• notebooks.instances.getHealth
• notebooks.instances.getIamPolicy
The Viewer role includes the permissions.

Google Workflows (gcloud-workflows-workflow)
Additional permissions required:
• workflows.locations.list
• workflows.workflows.list
The Viewer role includes the permissions.
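
Each new ingestion above adds actions to the read-only role that Prisma Cloud assumes, and only some of them are covered by the AWS SecurityAudit managed policy. The following Python snippet, an added example that is not Prisma Cloud code, takes an IAM policy document and the required actions listed for the AWS rows of this table and reports which actions the policy does not effectively grant. The policy document is constructed for illustration; the action-matching rules (case-insensitive, * and ? wildcards, explicit Deny wins) are standard IAM behaviour, while resource ARNs and Condition blocks are deliberately ignored.

```python
"""Find the actions a new ingestion needs that an IAM policy does not grant.

Added example, not Prisma Cloud code. The policy document is constructed
for illustration; the required actions are copied from the
aws-devops-guru-service-integration, aws-kinesisanalyticsv2-application and
aws-account-management-alternate-contact rows of the API Ingestions table.
"""
import fnmatch

# Actions listed in the API Ingestions table for 22.10.2 (AWS rows only).
REQUIRED_ACTIONS = [
    "devops-guru:DescribeServiceIntegration",
    "kinesisanalytics:ListTagsForResource",
    "kinesisanalytics:ListApplications",
    "kinesisanalytics:DescribeApplication",
    "account:GetAlternateContact",
]

# Constructed read-only policy: partial wildcard coverage, one explicit Deny.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kinesisanalytics:ListApplications", "devops-guru:Describe*", "account:*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": "account:GetAlternateContact"},
    ],
}


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards.
    fnmatch also treats [...] specially, which IAM action names never contain."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _split_actions(policy):
    """Return (allow_patterns, deny_patterns) from a policy document.
    Action may be a string or a list; NotAction statements are not handled."""
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(actions)
    return allow, deny


def is_granted(policy, action):
    """True if some Allow pattern matches and no Deny pattern matches.
    Resource ARNs and Condition blocks are ignored, so True is an upper
    bound: the real evaluation can still deny on resource or condition."""
    allow, deny = _split_actions(policy)
    return (any(_action_matches(p, action) for p in allow)
            and not any(_action_matches(p, action) for p in deny))


def missing_actions(policy, required):
    """Required actions the policy does not effectively grant, sorted."""
    return sorted(a for a in required if not is_granted(policy, a))


def allow_statement_for(missing):
    """Minimal Allow statement to append for the missing actions. An action
    blocked by an explicit Deny is not fixed this way; the Deny must go."""
    return {"Effect": "Allow", "Action": sorted(missing), "Resource": "*"}


if __name__ == "__main__":
    gap = missing_actions(CONSTRUCTED_POLICY, REQUIRED_ACTIONS)
    print("missing:", gap)
    print("suggested statement:", allow_statement_for(gap))
```

Against a real account, replace CONSTRUCTED_POLICY with the Document field returned by aws iam get-policy-version for the policy attached to the Prisma Cloud role, and extend REQUIRED_ACTIONS with the rows of later releases; the Deny case matters because an SCP or an explicit Deny in a permission boundary cannot be repaired by adding another Allow.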

New Policies
No new policies in 22.10.2.

Policy Updates
See Prisma Cloud Known Issues for a policy status change issue that may affect you.

Anomaly Policy Update
The Port scan activity (External) anomaly policy is modified to make it easier to identify cloud resources that are being actively scanned by suspicious actors on the internet. In the alert details, the Resource Name now displays your internal resource (the target host) that is being scanned instead of the public IP address of the source host (the suspicious actor) performing the scan.
The change also affects the number of port scan alerts generated on Prisma Cloud. Earlier, multiple hosts scanning the same internal resource (target host) triggered many alerts. Now, multiple hosts scanning the same instance trigger a single alert that records the IP address of the external host from the most recent scan. Because only the most recent source address is kept on the alert, earlier scanner addresses have to be recovered from the underlying network data rather than from the alert itself.
The change only applies to new alerts generated for the Port scan activity (External) policy. For existing alerts, the public IP address of the source host performing the scan remains in the Resource Name field.

Change in Existing Behavior

Resource ID Update for Google Cloud Armor
The resource ID for the gcloud-armor-security-policy API is updated in the Prisma Cloud backend. Because of this, all resources for gcloud-armor-security-policy will be deleted once and then regenerated on the management console.
Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated for policy violations.
Impact— You may notice a reduced alert count. The count will return to the original numbers once the resources for gcloud-armor-security-policy start ingesting data again.

REST API Updates

Permission Group APIs
The following new endpoints are available for Permission Group APIs (see https://prisma.pan.dev/api/cloud/cspm/permission-groups):
• Get an existing Permission Group by ID - GET /authz/v1/permission_group/{id}
• Update an existing Permission Group - PUT /authz/v1/permission_group/{id}
• Delete an existing Permission Group by ID - DELETE /authz/v1/permission_group/{id}
• Get all existing Permission Groups - GET /authz/v1/permission_group
• Add a new Custom Permission Group - POST /authz/v1/permission_group
• Get a list of active features - GET /authz/v1/feature

New Features Introduced in 22.10.1

• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Change in Existing Behavior
• REST API Updates

New Features

Prisma Cloud Service in France
The Prisma Cloud tenant app.fr.prismacloud.io is available for the France region starting October 10, 2022.

Update Default Alert Rule
To reduce alert fatigue, the default alert rule now includes only the Prisma Cloud Recommended OOTB policies for Prisma Cloud tenants created after the 22.10.1 release. You can filter these policies using the Prisma_Cloud label.

API Ingestions

Amazon Macie (aws-macie2-session)
Additional permissions required:
• macie2:GetClassificationExportConfiguration
• macie2:GetMacieSession
• macie2:GetRevealConfiguration
• macie2:GetFindingsPublicationConfiguration

Amazon MemoryDB (aws-memorydb-parameter-group)
Additional permissions required:
• memorydb:DescribeParameters
• memorydb:DescribeParameterGroups
• memorydb:ListTags

Amazon MemoryDB (aws-memorydb-cluster)
Additional permissions required:
• memorydb:DescribeClusters
• memorydb:ListTags

Update Amazon Glue (aws-glue-datacatalog)
Two new fields added:
• CatalogId
• RegionId

Azure Cosmos DB (azure-documentdb-cassandra-clusters)
Additional permission required: Microsoft.DocumentDB/cassandraClusters/read
The Reader role includes the permission.

Azure Dev Test Labs (azure-devtestlab-global-schedules)
Additional permission required: Microsoft.DevTestLab/schedules/read
The Reader role includes the permission.

Azure Digital Twins (azure-digital-twins)
Additional permission required: Microsoft.DigitalTwins/digitalTwinsInstances/read
The Reader role includes the permission.

Azure Event Grid (azure-event-grid-domains)
Additional permission required: Microsoft.EventGrid/domains/read
The Reader role includes the permission.

Azure Healthcare Apis (azure-healthcare-apis-workspaces)
Additional permission required: Microsoft.HealthcareApis/workspaces/read
The Reader role includes the permission.

Azure Health Bot (azure-healthbot-bots)
Additional permission required: Microsoft.HealthBot/healthBots/Read
The Reader role includes the permission.

Azure IoT Central (azure-iot-central-apps)
Additional permission required: Microsoft.IoTCentral/IoTApps/read
The Reader role includes the permission.

Azure IoT Hub (azure-devices-iot-hub-resource)
Additional permission required: Microsoft.Devices/iotHubs/Read
The Reader role includes the permission.

Azure Load Testing (azure-loadtest-service-load-tests)
Additional permission required: Microsoft.LoadTestService/loadTests/read
The Reader role includes the permission.

Azure Managed Applications (azure-solutions-applications)
Additional permission required: Microsoft.Solutions/applications/read
The Reader role includes the permission.

Azure Maps Management (azure-maps-accounts)
Additional permission required: Microsoft.Maps/accounts/read
The Reader role includes the permission.

Azure Mixed Reality (azure-mixed-reality-object-anchors-accounts)
Additional permission required: Microsoft.MixedReality/ObjectAnchorsAccounts/read
The Reader role includes the permission.

Azure Network Function (azure-network-function-traffic-collectors)
Additional permission required: Microsoft.NetworkFunction/azureTrafficCollectors/read
The Reader role includes the permission.

Azure Orbital (azure-orbital-spacecrafts)
Additional permission required: Microsoft.Orbital/spacecrafts/read
The Reader role includes the permission.

Azure Resource Mover (azure-migrate-move-collections)
Additional permission required: Microsoft.Migrate/moveCollections/read
The Reader role includes the permission.

Azure StorSimple (azure-storsimple-managers)
Additional permission required: Microsoft.StorSimple/managers/read
The Reader role includes the permission.

Azure Stream Analytics (azure-streamanalytics-clusters)
Additional permission required: Microsoft.StreamAnalytics/clusters/Read
The Reader role includes the permission.

Azure Test Base (azure-test-base-accounts)
Additional permission required: Microsoft.TestBase/testBaseAccounts/read
The Reader role includes the permission.

Azure Time Series Insights (azure-timeseriesinsights-environments)
Additional permission required: Microsoft.TimeSeriesInsights/environments/read
The Reader role includes the permission.

Azure Web PubSub Service (azure-signalrservice-web-pub-sub)
Additional permission required: Microsoft.SignalRService/WebPubSub/read
The Reader role includes the permission.

Google Compute Engine (gcloud-compute-autoscaler)
Additional permission required: compute.autoscalers.list
The Viewer role includes the permission.

Google Dataplex (gcloud-dataplex-lake-environment)
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.environments.list
• dataplex.environments.getIamPolicy
The Viewer role includes the permissions.

Google Dataplex (gcloud-dataplex-lake-zone)
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.zones.list
• dataplex.zones.getIamPolicy
The Viewer role includes the permissions.

New Policies
No new policies for 22.10.1.

Policy Updates
No policy updates for 22.10.1.

New Compliance Benchmarks and Updates

Support for CIS Microsoft Azure Foundations Benchmark v1.5.0 - Level 1 and Level 2
Support is now available for the CIS Microsoft Azure Foundations Benchmark version 1.5.0, a compliance standard for securing Microsoft Azure resources. This benchmark provides prescriptive guidelines for configuring Azure services in accordance with industry best practices.

Support for CIS Amazon Web Services Foundations Benchmark v1.5.0 - Level 1 and Level 2
Support is now available for the CIS Amazon Web Services Foundations Benchmark version 1.5.0. This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services, covering foundational, testable, and architecture-agnostic settings.

Support for FedRAMP Moderate and Low Control Standards
Support is now available for the Federal Risk and Authorization Management Program (FedRAMP) Moderate and Low control standards. The security controls outlined in FedRAMP are based on NIST Special Publication 800-53, which provides the standards and security requirements for federal government information systems.

Change in Existing Behavior

Global Region Support for Google API Keys
Prisma Cloud now provides global region support for gcloud-api-key. Because of this, all resources will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated for policy violations.
Impact— You may notice a reduced alert count. The count will return to the original numbers once the resources for gcloud-api-key start ingesting data again.

REST API Updates
No REST API updates for 22.10.1.

Features Introduced in September 2022

Learn what’s new on Prisma™ Cloud in September 2022.
• New Features Introduced in 22.9.2
• New Features Introduced in 22.9.1

New Features Introduced in 22.9.2

• New Features
• API Ingestions
• New Policies
• Policy Updates
• New Compliance Benchmarks and Updates
• Change in Existing Behavior
• REST API Updates

New Features

GA Prisma Cloud Data Security—Support for Azure Subscription
Prisma Cloud now supports data security for your Azure Subscription accounts. After configuring Prisma Cloud Data Security for Azure, you can discover and classify data stored in Azure Blob Storage and protect against accidental exposure, misuse, or sharing of sensitive data.
You can set up Forward and Backward scans to scan your Azure resources for data security issues. You can also set up a custom scan or choose to scan all objects.
Prisma Cloud supports the following file types and sizes for Azure:
• For data classification scanning, the file size must be less than 20MB.
• For malware scanning, the file size must be less than 20MB.
• Exposure evaluation for all file types.
Prisma Cloud provides out-of-the-box policies to detect sensitive blobs exposed in public storage accounts and malware blobs in Azure Blob Storage accounts. You can also create your own customized data security policy.
API support is not currently provided for Prisma Cloud Data Security for Azure.

Update Prisma Cloud Data Security for AWS—New File Extension Supported for Data Classification Scanning
Prisma Cloud can now scan files with the .tsv extension in your storage buckets for data classification.

Update Prisma Cloud Data Security for AWS—New Missing Permission
Prisma Cloud displays s3:GetObject as a missing permission on the Data Security Settings page when your AWS bucket has KMS encryption enabled and Prisma Cloud does not have access to the bucket. You can resolve the issue and then configure data security for that bucket. For buckets that use SSE-KMS, reading objects also requires kms:Decrypt on the bucket's key, so check the key policy as well as the bucket and role permissions when this message appears.

API Ingestions

AWS DataSync (aws-datasync-location)
Additional permissions required:
• datasync:DescribeLocationEfs
• datasync:ListLocations
• datasync:DescribeLocationSmb
• datasync:DescribeLocationFsxOpenZfs
• datasync:DescribeLocationFsxWindows
• datasync:DescribeLocationS3
• datasync:DescribeLocationObjectStorage
• datasync:DescribeLocationFsxOntap
• datasync:ListTagsForResource
• datasync:ListTasks
• datasync:DescribeLocationHdfs
• datasync:DescribeLocationFsxLustre
• datasync:DescribeLocationNfs
This API only ingests locations that a DataSync task uses.
The Security Audit role includes these permissions.

Amazon QLDB (aws-qldb-ledger)
Additional permissions required:
• qldb:ListLedgers
• qldb:DescribeLedger
• qldb:ListTagsForResource

Amazon Translate (aws-translate-terminology)
Additional permissions required:
• translate:ListTerminologies
• translate:GetTerminology
The Security Audit role includes the translate:ListTerminologies permission.

Azure Advisor (azure-advisor-configurations)
Additional permission required: Microsoft.Advisor/configurations/read
The Reader role includes the permission.

Azure Analysis Services (azure-analysisservices-servers)
Additional permission required: Microsoft.AnalysisServices/servers/read
The Reader role includes the permission.

Azure App Configuration (azure-appconfiguration-configuration-stores)
Additional permission required: Microsoft.AppConfiguration/configurationStores/read
The Reader role includes the permission.

Azure Automanage (azure-automanage-configuration-profiles)
Additional permission required: Microsoft.Automanage/configurationProfiles/Read
The Reader role includes the permission.

Azure Container Apps (azure-app-container-apps)
Additional permission required: microsoft.app/containerapps/read
The Reader role includes the permission.

Azure Communication (azure-communication-services)
Additional permission required: Microsoft.Communication/CommunicationServices/Read
The Reader role includes the permission.

Azure Compute (azure-cloudservices-list)
Additional permission required: Microsoft.Compute/cloudServices/read
The Reader role includes the permission.

Azure Compute (azure-cloudservices-roleinstance-publicip)
Additional permissions required:
• Microsoft.Compute/cloudServices/read
• Microsoft.Compute/cloudServices/roleInstances/read
• Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
The Reader role includes the permissions.

Azure Compute (azure-compute-dedicated-host-groups)
Additional permission required: Microsoft.Compute/hostGroups/read
The Reader role includes the permission.

Azure Hybrid Compute (azure-hybridcompute-machines)
Additional permission required: Microsoft.HybridCompute/machines/read
The Reader role includes the permission.

Azure Managed Grafana (azure-dashboard-grafana)
Additional permission required: Microsoft.Dashboard/grafana/read
The Reader role includes the permission.

Azure Stack HCI (azure-azurestackhci-clusters)
Additional permission required: Microsoft.AzureStackHCI/Clusters/Read
The Reader role includes the permission.

Azure Virtual Network (azure-network-public-ip-prefixes)
Additional permission required: Microsoft.Network/publicIPPrefixes/read
The Reader role includes the permission.

Google Dataproc Clusters (gcloud-dataproc-autoscaling-policy)
Additional permissions required:
• dataproc.autoscalingPolicies.list
• dataproc.autoscalingPolicies.getIamPolicy
The Viewer role includes these permissions.

Google Dataplex (gcloud-dataplex-lake)
Additional permissions required:
• dataplex.locations.list
• dataplex.lakes.list
• dataplex.lakes.getIamPolicy
The Viewer role includes these permissions.

Google Recommendation (gcloud-recommender-organization-iam-policy-lateral-movement-insight)
Additional permission required: recommender.iamPolicyLateralMovementInsights.list
The Viewer role includes this permission.

New Policies
See the look ahead updates for planned features and policy updates for 22.10.1.

AWS ElastiCache Memcached cluster with in-transit encryption disabled
Identifies AWS ElastiCache Memcached clusters that have in-transit encryption disabled. It is highly recommended to enable in-transit encryption to protect data from unauthorized access as it travels over the network between clients and cache servers. Encrypting data in transit helps prevent unauthorized users from reading sensitive data exchanged between your Memcached clients and the cache nodes.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = engine equals memcached and transitEncryptionEnabled is false

Azure SQL server Transparent Data Encryption (TDE) encryption disabled
Identifies SQL servers in which Transparent Data Encryption (TDE) is disabled. TDE performs real-time encryption and decryption of the database, its associated backups, and its transaction log files without requiring any changes to the application. It is recommended to enable TDE on your SQL servers to protect data at rest from malicious activity.
config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.state'] equal ignore case Ready and sqlEncryptionProtectors[*].kind does not exist

Azure VM OS disk is not configured with any encryption
Identifies VM OS disks that are not configured with any encryption. Azure offers Server-Side Encryption (SSE) with platform-managed keys (SSE with PMK) by default for managed disks. It is recommended to enable the default encryption, or optionally to use a customer-managed key, to protect against malicious activity.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = osType exists and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type is not member of
("EncryptionAtRestWithCustomerKey","Encryp

Azure data disk is not configured with any encryption
Identifies VM data disks that are not configured with any encryption. Azure offers Server-Side Encryption (SSE) with platform-managed keys (SSE with PMK) by default for managed disks. It is recommended to enable the default encryption, or optionally to use a customer-managed key, to protect against malicious activity.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type is not member of
("EncryptionAtRestWithCustomerKey",
"EncryptionAtRestWithPlatformAndCustomerKe

GCP KMS crypto key is anonymously accessible
  Identifies GCP KMS crypto keys that are anonymously accessible. Granting permissions to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the KMS key. As a security best practice, it is recommended not to bind such members to the KMS IAM policy.

  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-kms-crypto-keys-list'
    AND json.rule = ((purpose does not equal ENCRYPT_DECRYPT)
      or (purpose equals ENCRYPT_DECRYPT and primary.state equals ENABLED))
    and iamPolicy.bindings[*].members contains allUsers
    or iamPolicy.bindings[*].members contains allAuthenticatedUsers

GCP Cloud Run service is publicly accessible
  Identifies GCP Cloud Run services that are publicly accessible. Granting Cloud Run Invoker permission to 'allUsers' or 'allAuthenticatedUsers' allows anyone to access the Cloud Run service over the internet. Such access might not be desirable if sensitive data is stored at the location. As a security best practice, it is recommended to remove public access and assign the least privileges to the GCP Cloud Run service according to requirements.

  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-run-services-list'
    AND json.rule = status.conditions[?any(type equals Ready and status equals True)] exists
    and status.conditions[?any(type equals RoutesReady and status equals True)] exists
    and iamPolicy.bindings[?any(role equals roles/run.invoker
      and members is member of (allUsers, allAuthenticatedUsers))] exists

GCP Log metric filter and alert does not exist for VPC network route patch and insert
  Identifies GCP accounts which do not have a log metric filter and alert for VPC network route patch and insert events. Monitoring network route patching and insertion activities helps verify that VPC traffic flows through the expected path. It is recommended to create a metric filter and alarm to detect activities related to the patching and insertion of VPC network routes.

  config from cloud.resource where api.name = 'gcloud-logging-metric' as X;
  config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y;
  filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name
    and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" )
    and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" )
    and $.X.filter contains "gce_route"
    and ( $.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" )
    and ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=" )
    and $.X.filter contains "beta.compute.routes.patch"
    and $.X.filter contains "beta.compute.routes.insert"';
  show X; count(X) less than 1

GCP Log metric filter and alert does not exist for VPC network route delete and insert
  Identifies GCP accounts which do not have a log metric filter and alert for VPC network route delete and insert events. Monitoring network route deletion and insertion activities helps verify that VPC traffic flows through the expected path. It is recommended to create a metric filter and alarm to detect activities related to the deletion and insertion of VPC network routes.

  config from cloud.resource where api.name = 'gcloud-logging-metric' as X;
  config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y;
  filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name
    and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" )
    and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" )
    and $.X.filter contains "gce_route"
    and ( $.X.filter contains "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" )
    and ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain "protoPayload.methodName !:" )
    and $.X.filter contains "compute.routes.delete"
    and $.X.filter contains "compute.routes.insert"';
  show X; count(X) less than 1

Policy Updates

POLICY NAME DESCRIPTION

Policy Updates—RQL

Azure Function App doesn’t redirect HTTP to HTTPS
  Changes— The policy RQL is enhanced to check for apps that are in the Running state and to increase the accuracy of alerts.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp and properties.httpsOnly is false
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure Function App doesn’t use HTTP 2.0
  Changes— The policy RQL is enhanced to check for apps that are in the Running state and to increase the accuracy of alerts.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp and config.http20Enabled is false
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure Function App authentication is off
  Changes— The RQL has been updated to check apps with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp and config.siteAuthEnabled is false
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure Function App client certificate is disabled
  Changes— The RQL has been updated to check apps with status 'RUNNING'.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp and properties.clientCertEnabled is false
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure Function App doesn’t use latest TLS version
  Changes— The RQL has been updated to check apps with status 'RUNNING'.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and config.minTlsVersion does not equal 1.2'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp and config.minTlsVersion does not equal "1.2"
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure Function App doesn’t have a Managed Service Identity
  Changes— The RQL has been updated to check apps with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = 'kind contains functionapp and (identity.type does not exist
      or identity.type does not equal SystemAssigned or identity.principalId is empty)'
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service'
      AND json.rule = properties.state equal ignore case Running
      and kind contains functionapp
      and (identity.type does not exist or identity.principalId is empty)
  Impact— Low. Previously generated alerts for apps in the Stopped state will be resolved as Policy_Updated.

Azure SQL Server audit log retention is less than 91 days
  Changes— The policy RQL and recommendation steps have been updated to check only storage account log retention, because log retention cannot be set for other log destinations.
  Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list'
      AND json.rule = "$.serverBlobAuditingPolicy.properties.sta == Enabled
      and ($.serverBlobAuditingPolicy.properties.ret = 0
      and $.serverBlobAuditingPolicy.properties.rete < 91)"
  Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list'
      AND json.rule = serverBlobAuditingPolicy.properties.state equal ignore case Enabled
      and serverBlobAuditingPolicy.properties.storag is not empty
      and (serverBlobAuditingPolicy.properties.reten does not equal 0
      and serverBlobAuditingPolicy.properties.retent < 91)
  Impact— The alerts generated for log destinations other than storage account log destinations are resolved as Policy_Updated.

Policy Updates—Metadata

Azure App Service Web app client certificate is disabled
  Changes— The policy recommendation steps have been updated to include precise steps.
  Impact— No impact on alerts.

Azure SQL server TDE protector is not encrypted with BYOK (Use your own key)
  Changes— The policy recommendation steps have been updated.
  Impact— No impact on alerts.

Azure App Service Web app doesn’t use latest Python version
  Changes— The policy description and recommendation steps have been updated to reflect the CSP UI changes.
  Updated Description— Identifies App Service Web apps that are not configured with the latest Python version. Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. It is recommended to use the latest Python version for web apps in order to take advantage of security fixes, if any.
  Impact— No impact on alerts.

Azure App Service Web app doesn’t use latest PHP version
  Changes— The policy description and recommendation steps have been updated to reflect the CSP UI changes.
  Updated Description— Identifies App Service Web apps that are not configured with the latest PHP version. Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. It is recommended to use the latest PHP version for web apps in order to take advantage of security fixes, if any.
  Impact— No impact on alerts.

Azure App Service Web app doesn’t use latest .Net Core version
  Changes— The policy description and recommendation steps have been updated to reflect the CSP UI changes.
  Updated Description— Identifies App Service Web apps that are not configured with the latest .Net Core version. Periodically, newer versions are released for .Net Core software either due to security flaws or to include additional functionality. It is recommended to use the latest .Net version for web apps in order to take advantage of security fixes, if any.
  Impact— No impact on alerts.

Azure Resource Group does not have a resource lock
  Changes— The policy recommendation steps have been updated.
  Impact— No impact on alerts.

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security -
Features Introduced in September 2022 for details on new Configuration Build policies and
updates to add build rules for existing Configuration Run policies.


New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for Korea-Information Security Management System (K-ISMS)
  Support is now available for Korea Information Security Management System (K-ISMS). This benchmark is a certification system to assess if an enterprise’s or organization’s information security management system is properly established, managed, and operated.

Change in Existing Behavior

FEATURE DESCRIPTION

Access to Data for Deleted Assets
First announced in 22.4.1 and updated in 22.8.1 to list the new API.
  The ability to view and investigate data for assets that have been deleted in cloud accounts which are onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. This is a change from the current behavior, where you had access to the historical data for deleted assets starting from the time you onboarded the account on Prisma Cloud.
  To align with this change, Prisma Cloud will limit the time range filters to 90 days of history. To support use cases where further retention is required, a new API endpoint is available to Prisma Cloud users with the System Admin role to retrieve deleted asset records. For API details, see GET /config/api/v1/tenant/{prisma_id}/archiveList.

REST API Updates


No REST API updates for 22.9.2.

New Features Introduced in 22.9.1

• New Features
• API Ingestions
• New Policies
• Policy Updates
• Change in Existing Behavior
• REST API Updates

New Features

FEATURE DESCRIPTION

Top Priority Security Risks View with Command Center
  The Command Center Dashboard provides you with a unified view of the top cloud security incidents and risks discovered across all the assets monitored by Prisma Cloud, grouped by the following threat vectors:
  • Incidents
  • Misconfigurations
  • Exposures
  • Identity Risks
  • Data Risks
  Customizable filters allow you to isolate threat activity by time range, asset and account groups for further investigation. Now your security team has the actionable insight it needs to resolve the highest priority incidents and risks across all your cloud resources.

IAM Security Supports AWS Permission Boundaries
  Prisma Cloud’s IAM security module algorithm now supports AWS Permission Boundaries in the Net Effective Permissions calculations, to help you better identify when a permission was last used.

Cloud Network Analyzer Support for Azure
  Prisma Cloud now supports network exposure queries on Azure cloud environments. You can now calculate the net effective reachability for virtual machines or PaaS services in Azure.

Update Azure Onboarding Permission
  If you are using a Custom role while onboarding your Azure account, as per Microsoft’s recommendation, you need to add Microsoft.Network/networkWatchers/queryFlowLogStatus/* in order to provide read-only permission to query flow log status in Network Watcher.

API Ingestions

SERVICE API DETAILS

AWS Amplify
  aws-amplify-app
  Additional permission required:
    amplify:ListApps

AWS Global Accelerator
  aws-global-accelerator-accelerator
  Additional permissions required:
    • globalaccelerator:ListTagsForResource
    • globalaccelerator:ListAccelerators
    • globalaccelerator:DescribeAcceleratorAttributes
  The Security Audit role includes these permissions.

Amazon Route53
  aws-route53-query-logging-config
  Additional permission required:
    route53:ListQueryLoggingConfigs
  The Security Audit role includes this permission.

Azure HDInsight
  azure-hdinsight-applications
  Additional permissions required:
    • Microsoft.HDInsight/clusters/read
    • Microsoft.HDInsight/clusters/applications/read
  The Reader role includes these permissions.

Azure Subscriptions
  azure-subscription-tenantpolicy
  Additional permission required:
    Microsoft.Subscription/Policies/default/read
  The Reader role includes this permission.

Google Cloud Data Loss Prevention
  gcloud-dlp-project-stored-infotype
  Additional permission required:
    dlp.storedInfoTypes.list
  The Viewer role includes this permission.

Google Recommendation
  gcloud-recommender-project-iam-policy-lateral-movement-insight
  Additional permission required:
    recommender.iamPolicyLateralMovementInsights.list
  The Viewer role includes this permission.

Google Dataproc Clusters
  gcloud-dataproc-workflow-template
  Additional permissions required:
    • dataproc.workflowTemplates.list
    • dataproc.workflowTemplates.getIamPolicy
  The Viewer role includes these permissions.

OCI MySQL
  oci-mysql-dbsystems
  Additional permissions required:
    • read mysql-insta
    • inspect mysql-instances
  You must add these permissions manually.

New Policies
See the look ahead updates for planned features and policy updates for 22.9.2.

POLICY NAME DESCRIPTION

AWS SQS Queue not configured with server side encryption
  Identifies AWS SQS queues which are not configured with server side encryption. Enabling server side encryption would encrypt all messages that are sent to the queue, and the messages are stored in encrypted form. Amazon SQS decrypts a message only when it is sent to an authorized consumer. It is recommended to enable server side encryption for AWS SQS queues in order to protect sensitive data in the event of a data breach or malicious users gaining access to the data.

  config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes'
    AND json.rule = attributes.KmsMasterKeyId does not exist
    and attributes.SqsManagedSseEnabled is false

Azure PostgreSQL (PaaS) instance reachable from untrust internet source on TCP port 5432
  Identifies Azure PostgreSQL (PaaS) instances that are internet reachable from an untrust internet source on TCP port 5432. PostgreSQL (PaaS) instances with untrusted access to the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.

  config from network where source.network = UNTRUST_INTERNET
    and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE'
    and dest.paas.service.type in ( 'MicrosoftDBforPostgreSQLFlexibleServers
    'MicrosoftDBforPostgreSQLServers' )
    and protocol.ports = 'tcp/5432'

Azure MySQL (PaaS) instance reachable from untrust internet source on TCP port 3306
  Identifies Azure MySQL (PaaS) instances that are internet reachable from an untrust internet source on TCP port 3306. MySQL (PaaS) instances with untrusted access to the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from untrusted IP addresses and limit access to known hosts, services, or specific entities.

  config from network where source.network = UNTRUST_INTERNET
    and dest.resource.type = 'PaaS' and dest.cloud.type = 'AZURE'
    and dest.paas.service.type in ( 'MicrosoftDBforMySQLFlexibleServers',
    'MicrosoftDBforMySQLServers' )
    and protocol.ports = 'tcp/3306'

Azure VM instance in running state that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
  Identifies Azure VM instances in running state that are internet reachable with unrestricted access (0.0.0.0/0) on ports other than HTTP/HTTPS. VM instances with unrestricted access to the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.

  The HTTP-80 and HTTPS-443 web ports are excluded as these are internet-facing ports with legitimate traffic.

  config from network where source.network = '0.0.0.0/0'
    and address.match.criteria = 'full_match'
    and dest.resource.type = 'Instance' and dest.cloud.type = 'AZURE'
    and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' )
    and dest.resource.state = 'Active'

GCP BigQuery Dataset not configured with default CMEK
  Identifies BigQuery Datasets that are not configured with a default CMEK. Setting a Default Customer-Managed Encryption Key (CMEK) for a dataset ensures any tables created in the future will use the specified CMEK if none other is provided. It is recommended to configure all BigQuery Datasets with a default CMEK.

  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list'
    AND json.rule = defaultEncryptionConfiguration.kmsKeyName does not exist

GCP Cloud Function is publicly accessible
  Identifies GCP Cloud Functions that are publicly accessible. Allowing 'allUsers' / 'allAuthenticatedUsers' on cloud functions can lead to unauthorized invocation of the functions or unwanted access to sensitive information. It is recommended to follow the least privileged access policy and grant access restrictively.

  config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function'
    AND json.rule = status equals ACTIVE
    and iamPolicy.bindings[?any(members[*] is member of ("allAuthenticatedUsers","allUsers"))] exists

IAM Security New Policies
  Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Owner
    Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Owner with managed identities provides broad permission sets for a non-human identity that can lead to privilege escalation. A few examples are: virtual machine lateral movement (like running commands on other VMs), storage account access, and configuration access.

    config from iam where source.cloud.type = 'Azure'
      AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' )
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Owner'

  Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Contributor
    Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Contributor with managed identities provides broad permission sets for a non-human identity that can lead to privilege escalation. A few examples are: virtual machine lateral movement (like running commands on other VMs), storage account access, and configuration access.

    config from iam where source.cloud.type = 'Azure'
      AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' )
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Contributor'

  Azure Managed Identity (user assigned or system assigned) with the Azure built-in roles of Reader
    Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Using the Azure built-in role of Reader with managed identities provides broad permission sets for a non-human identity that can lead to several scenarios of subscription information enumeration.

    config from iam where source.cloud.type = 'Azure'
      AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' )
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Reader'

  Azure Managed Identity (user assigned or system assigned) with Key Vault access
    Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Providing Key Vault access lets non-human identities query key vaults for credential and secret data.

    config from iam where source.cloud.type = 'Azure'
      AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' )
      AND dest.cloud.service.name = 'Microsoft.KeyVault'

  Azure Managed Identity with permissions to manage Azure permissions broadly that was unused in the last 90 days
    Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. A managed identity with the ability to change Azure permissions through role assignments holds a risky permission that can lead to privilege escalation.

    config from iam where source.cloud.type = 'Azure'
      AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' )
      AND dest.cloud.resource.name = '*'
      AND action.name STARTS WITH 'Microsoft.Authorization/roleAssignments/'
      AND action.lastaccess.days > 90

  Azure Managed Identity with permissions to other subscriptions
    Identifies the Azure resources which can be accessed from another subscription (cross-account) through IAM policies.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.account != dest.cloud.account
      AND source.cloud.resource.type != 'user'

  Azure AD user with the Azure built-in roles of Owner
    Using the Azure built-in role of Owner with Azure AD users provides broad permission sets that can lead to privilege escalation. A few examples are virtual machine lateral movement (like running commands on other VMs), storage account access and configuration access.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.resource.type = 'user'
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Owner'

  Azure AD user with the Azure built-in roles of Contributor
    Using the Azure built-in role of Contributor with Azure AD users provides broad permission sets that can lead to privilege escalation. A few examples are virtual machine lateral movement (like running commands on other VMs), storage account access and configuration access.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.resource.type = 'user'
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Contributor'

  Azure AD user with the Azure built-in roles of Reader
    Using the Azure built-in role of Reader with Azure AD users provides broad permission sets that can lead to several scenarios of subscription information enumeration.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.resource.type = 'user'
      AND grantedby.cloud.policy.type = 'Built-in Role'
      AND grantedby.cloud.policy.name = 'Reader'

  Azure AD users with Key Vault access
    Providing Key Vault access lets users query key vaults for credential and secret data. The least privilege model should be enforced and unused sensitive permissions should be revoked.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.resource.type = 'user'
      AND dest.cloud.service.name = 'Microsoft.KeyVault'

  Azure AD user with permissions to manage Azure permissions broadly that was not used in the last 90 days
    Azure AD users with the ability to change Azure permissions through role assignments hold a risky permission that can lead to privilege escalation.

    config from iam where source.cloud.type = 'Azure'
      AND source.cloud.resource.type = 'user'
      AND dest.cloud.resource.name = '*'
      AND action.name STARTS WITH 'Microsoft.Authorization/roleAssignments/'
      AND action.lastaccess.days > 90

Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates—RQL

AWS ElastiCache Redis with in-transit encryption disabled (Non-replication group)
  Changes— The policy RQL has been updated to report only AWS Redis resources. Due to the ingestion of Memcached clusters, the policy was listing Memcached resources along with AWS ElastiCache Redis, which did not have in-transit encryption enabled and resulted in false positive alerts.
  Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters'
      AND json.rule = transitEncryptionEnabled is false and replicationGroupId does not exist
  Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters'
      AND json.rule = engine equals redis and transitEncryptionEnabled is false
      and replicationGroupId does not exist
  Impact— Low. The existing alerts that were reporting for Memcached clusters are resolved with resolution status as Policy_Updated.

AWS RDS minor upgrades not enabled
  Changes— The policy RQL has been updated to ignore false positive alerts for AWS DocumentDB and NeptuneDB.
  Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances'
      AND json.rule = autoMinorVersionUpgrade is false
  Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances'
      AND json.rule = autoMinorVersionUpgrade is false
      and engine does not contain docdb and engine does not contain neptune
  Impact— Low. The existing alerts for AWS DocumentDB and NeptuneDB resources are resolved with resolution status as Policy_Updated.

AWS SNS topic policy overly permissive for publishing
  Changes— The policy RQL has been updated to ignore the condition statement check in the RQL.
  Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes'
      AND json.rule = Policy.Statement[?any(Effect equals Allow
      and (Principal.AWS equals * or Principal equals *)
      and (Action contains SNS:Publish or Action contains sns:Publish)
      and Condition does not exist)] exists
  Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes'
      AND json.rule = Policy.Statement[?any(Effect equals Allow
      and (Principal.AWS equals * or Principal equals *)
      and (Action contains SNS:Publish or Action contains sns:Publish)
      and (Condition does not exist or Condition all empty))] exists
  Impact— Medium. New alerts are generated for AWS SNS topics with condition statements and Policy actions with SNS:Publish permissions.
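The current and updated SNS rules above, as an added Python example that is not Prisma Cloud code: it evaluates both variants over constructed topic policies so the new alert case (a Condition block that is present but empty) is visible. The policy documents, account id and topic names are constructed for this example.

```python
"""Added example (not Prisma Cloud code): the 'AWS SNS topic policy overly
permissive for publishing' check, current and updated variants, evaluated
over constructed topic policy documents."""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """Mirrors 'Principal equals * or Principal.AWS equals *'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def _allows_publish(action: Any) -> bool:
    """Mirrors 'Action contains SNS:Publish or Action contains sns:Publish'.
    Like the RQL this is a substring test, so an action of 'sns:*' is not
    matched by either variant."""
    return any("SNS:Publish" in str(a) or "sns:Publish" in str(a)
               for a in _as_list(action))


def _condition_all_empty(condition: Dict[str, Any]) -> bool:
    """Mirrors 'Condition all empty': no operator carries any key/value."""
    return all(not values for values in condition.values())


def overly_permissive(policy_json: str, updated_rule: bool) -> bool:
    """True when some Allow statement lets principal '*' publish to the topic.

    updated_rule=False applies the current RQL (Condition must be absent);
    updated_rule=True also counts a Condition that is present but empty."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if not _allows_publish(stmt.get("Action")):
            continue
        if "Condition" not in stmt:
            return True
        if updated_rule and _condition_all_empty(stmt["Condition"]):
            return True
    return False


def _policy(statement: Dict[str, Any]) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed sample topic policies (account id and topic are not real).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
SAMPLES = {
    "no_condition": _policy({
        "Effect": "Allow", "Principal": "*", "Action": "SNS:Publish",
        "Resource": TOPIC_ARN}),
    "empty_condition": _policy({
        "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["sns:Publish", "sns:Subscribe"],
        "Resource": TOPIC_ARN, "Condition": {}}),
    "source_arn_condition": _policy({
        "Effect": "Allow", "Principal": "*", "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}}}),
    "scoped_principal": _policy({
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "SNS:Publish", "Resource": TOPIC_ARN}),
}


def alerts(updated_rule: bool) -> List[str]:
    """Names of the sample topics the chosen rule variant would alert on."""
    return [name for name, doc in SAMPLES.items()
            if overly_permissive(doc, updated_rule)]


if __name__ == "__main__":
    # Expected: current -> ['no_condition'];
    #           updated -> ['no_condition', 'empty_condition']
    print("current:", alerts(False))
    print("updated:", alerts(True))
```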

AWS CloudFront web distribution that allow TLS versions 1.0 or lower
Changes— The policy name, description, and RQL are updated to match the latest recommended TLS version.
Current Policy Name— AWS CloudFront web distribution that allow TLS versions 1.0 or lower
Updated Policy Name— AWS CloudFront web distribution using insecure TLS version
Updated Description— Identifies AWS CloudFront web distributions which are configured with TLS versions for HTTPS communication between viewers and CloudFront. As a best practice, use recommended TLSv1.2_2021 as the minimum protocol version in your CloudFront distribution security policies.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = 'viewerCertificate.certificateSource does not contain cloudfront and (viewerCertificate.minimumProtocolVersion equals TLSv1 or viewerCertificate.minimumProtocolVersion equals TLSv1_2016)'

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = viewerCertificate.certificateSource does not contain cloudfront and viewerCertificate.minimumProtocolVersion does not equal TLSv1.2_2021

Impact— Medium. New alerts are generated for AWS CloudFront distributions where the new recommended TLS version policy is not met.
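An added Python example (not Prisma Cloud or AWS code) that applies both rule versions to constructed distribution records and reports which distributions become new alerts after the update; the distribution ids and certificate sources are placeholders:

```python
"""Emulation of the previous and updated CloudFront minimum TLS version rules
(added example, not Prisma Cloud or AWS code)."""

RECOMMENDED_MINIMUM = "TLSv1.2_2021"
PREVIOUSLY_FLAGGED = {"TLSv1", "TLSv1_2016"}

# Constructed aws-cloudfront-list-distributions style records; the ids and
# certificate sources are placeholders, not real distributions.
DISTRIBUTIONS = [
    {"id": "EXAMPLE1", "viewerCertificate": {
        "certificateSource": "cloudfront", "minimumProtocolVersion": "TLSv1"}},
    {"id": "EXAMPLE2", "viewerCertificate": {
        "certificateSource": "acm", "minimumProtocolVersion": "TLSv1"}},
    {"id": "EXAMPLE3", "viewerCertificate": {
        "certificateSource": "acm", "minimumProtocolVersion": "TLSv1_2016"}},
    {"id": "EXAMPLE4", "viewerCertificate": {
        "certificateSource": "acm", "minimumProtocolVersion": "TLSv1.1_2016"}},
    {"id": "EXAMPLE5", "viewerCertificate": {
        "certificateSource": "iam", "minimumProtocolVersion": "TLSv1.2_2019"}},
    {"id": "EXAMPLE6", "viewerCertificate": {
        "certificateSource": "acm", "minimumProtocolVersion": "TLSv1.2_2021"}},
]


def _uses_custom_certificate(dist):
    """viewerCertificate.certificateSource does not contain cloudfront: both
    rule versions skip distributions on the default CloudFront certificate."""
    source = dist.get("viewerCertificate", {}).get("certificateSource", "")
    return "cloudfront" not in source


def _minimum_version(dist):
    return dist.get("viewerCertificate", {}).get("minimumProtocolVersion")


def previous_rule(dist):
    """minimumProtocolVersion equals TLSv1 or equals TLSv1_2016."""
    return _uses_custom_certificate(dist) and _minimum_version(dist) in PREVIOUSLY_FLAGGED


def updated_rule(dist):
    """minimumProtocolVersion does not equal TLSv1.2_2021. This is stricter
    than a 'TLS 1.0 or lower' check: TLSv1.1_2016 and the older TLS 1.2
    security policies now match too, which is where the new alerts come from."""
    return _uses_custom_certificate(dist) and _minimum_version(dist) != RECOMMENDED_MINIMUM


def compare_rules(dists):
    """Return the ids flagged by each rule version and the ids that only the
    updated rule flags (the new alerts the release note describes)."""
    previous = [d["id"] for d in dists if previous_rule(d)]
    updated = [d["id"] for d in dists if updated_rule(d)]
    return {"previous": previous, "updated": updated,
            "new_alerts": [i for i in updated if i not in previous]}


if __name__ == "__main__":
    for label, ids in compare_rules(DISTRIBUTIONS).items():
        print(f"{label:11} {ids}")
```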

AWS ElastiCache Redis with in-transit encryption disabled (Non-replication group)
Changes— The policy RQL has been updated to report only AWS Redis resources. Due to the ingestion of Memcached clusters, the policy was listing Memcached resources along with the AWS ElastiCache Redis clusters that did not have in-transit encryption enabled, which resulted in false positive alerts.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = transitEncryptionEnabled is false and replicationGroupId does not exist

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elasticache-cache-clusters' AND json.rule = engine equals redis and transitEncryptionEnabled is false and replicationGroupId does not exist

Impact— Low. The existing alerts that were reporting for Memcached clusters are resolved with resolution status as Policy_Updated.

AWS RDS minor upgrades not enabled
Changes— The policy RQL has been updated to ignore false positive alerts for AWS DocumentDB and NeptuneDB.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = autoMinorVersionUpgrade is false and engine does not contain docdb and engine does not contain neptune

Impact— Low. The existing alerts for AWS DocumentDB and NeptuneDB resources are resolved with resolution status as Policy_Updated.


Policy Updates—Metadata

GCP PostgreSQL instance database flag log_connections is disabled
Changes— The policy recommendation steps have been updated to reflect the latest CSP changes.
Impact— No impact on existing alerts.

GCP Kubernetes Engine Clusters have Binary authorization disabled
Changes— Updated policy recommendation steps to reflect the latest CSP changes.
Impact— No impact on existing alerts.

GCP Log bucket retention policy is not configured using bucket lock
Changes— Updated policy recommendation steps to reflect the latest CSP changes.
Impact— No impact on existing alerts.

Change in Existing Behavior

FEATURE DESCRIPTION

Region Support for Google Compute Engine
Region support for the gcp-compute-disk-list API is enabled on Prisma Cloud. Due to this, all the resources for gcp-compute-disk-list are deleted once and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts are generated against policy violations.
Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcp-compute-disk-list start ingesting data again.

REST API Updates

CHANGE DESCRIPTION

Licensing APIs
The following new endpoints are available for Licensing APIs:
• Usage Count By Cloud Type V2 - POST /license/api/v2/usage - This is a new Licensing API that allows you to get paginated usage data in the response object for the selected cloud types.
• Resource Usage Over Time V2 - POST /license/api/v2/time_series - This is a new Licensing API that allows you to get a breakdown of resource usage over time.

Alert Rules APIs
The following Alert Rules APIs are updated with a new filter called Alert Rule Policy Filter, which allows you to filter alerts based on policy severity, policy label, cloud type, and compliance standard:
• List Alert Rules V2 - GET /v2/alert/rule
• Add an Alert Rule - POST /alert/rule
• Get Alert Rule by ID - GET /alert/rule/{id}
• Update Alert Rule - PUT /alert/rule/{id}

Features Introduced in August 2022

Learn what’s new on Prisma™ Cloud in August 2022.
• New Features Introduced in 22.8.2
• New Features Introduced in 22.8.1

New Features Introduced in 22.8.2


• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates


New Features

FEATURE DESCRIPTION

Customized Views for Alert Prioritization
Saved Views on Prisma Cloud simplify the challenge of prioritizing alerts. With Saved Views, alerts are organized into appropriate threat vector categories so that your teams can focus on what matters the most. The 8 default views are Overview, Incidents, Exposure, Vulnerabilities, Misconfigurations, CIEM, Malware, and Data, and you can choose to enable or disable these. Each view includes preset filters that display the most relevant alerts for the category. As an example, the Exposure saved view provides a look at all of the internet exposure alerts. In addition, you can filter on the most important alert criteria to create your own Saved Views, and choose the visualizations and the default sort order of the tabular data.

Adoption Advisor Enhancement
To help you gauge progress on adoption of the Cloud Workload Protection and Cloud Code Security capabilities on Prisma Cloud, the Adoption Advisor now gives you visibility and guidance on your operationalization journey so you know where you are, what to do, and why.

Alert Rules Policies Filter
The new Add Filter option helps you select policies easily based on Policy Severity, Cloud Type, Compliance Standard, and Policy Label while creating or editing alert rules. Once you select all policies based on the filtered results, you can enable Include new policies matching filter criteria and Prisma Cloud will automatically scan any such policies added in future.

Prisma Cloud Service in Japan
Prisma Cloud tenant (app.jp.prismacloud.io) is now available for the Japan region.

Update Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning
Prisma Cloud can now scan the following types of file extensions on your storage buckets for malware:
• .rar
• .zip
• .7z

API Ingestions
Amazon App Mesh
aws-appmesh-mesh
Additional permissions required:
• appmesh:ListMeshes
• appmesh:DescribeMesh
• appmesh:ListTagsForResource
The Security Audit role includes the permissions.

Amazon App Mesh
aws-appmesh-virtual-gateway
Additional permissions required:
• appmesh:ListVirtualGateways
• appmesh:DescribeVirtualGateway
• appmesh:ListMeshes
• appmesh:ListTagsForResource
The Security Audit role includes the permissions.
This API only ingests virtual gateway resources owned by the same account. It does not ingest when the virtual gateway is a shared resource in another account.

AWS Step Functions
aws-step-functions-statemachine
Additional permissions required:
• states:ListStateMachines
• states:DescribeStateMachine
• states:ListTagsForResource

Azure HDInsight
azure-hdinsight-cluster
Additional permission required:
Microsoft.HDInsight/clusters/read
The Reader role includes the permission.

API Ingestions
Azure Management Group
azure-management-group-entities-list
Additional permissions required:
• Microsoft.Resources/subscriptions/read (Scope: Per subscription level)
• Microsoft.Management/managementGroups/descendants/read (Scope: Tenancy / Root Management level)
The Reader role includes the permission.
Ensure that you use the right scope for the respective permission. Inherited permissions will not work for the permission "Microsoft.Resources/subscriptions/read". Assign this permission directly to the subscription resource.

Azure Power BI Embedded
azure-powerbi-dedicated-capacities
Additional permissions required:
• Microsoft.PowerBIDedicated/servers/read
• Microsoft.PowerBIDedicated/capacities/read
The Reader role includes the permissions.

Azure Synapse Analytics
azure-synapse-spark-configuration
Additional permissions required:
• Microsoft.Synapse/workspaces/read
• Microsoft.Synapse/workspaces/sparkConfigurations/read
The Reader role includes the permissions.

Google Cloud Data Loss Prevention
gcloud-dlp-project-inspect-template
Additional permission required:
dlp.inspectTemplates.list
The Viewer role includes this permission.

Google Cloud Data Loss Prevention
gcloud-dlp-project-deidentify-template
Additional permission required:
dlp.deidentifyTemplates.list
The Viewer role includes this permission.

Google Cloud Data Loss Prevention
gcloud-dlp-project-job-trigger
Additional permission required:
dlp.jobTriggers.list
The Viewer role includes this permission.

Update Google Cloud Storage
Google Cloud Storage
gcloud-storage-buckets-list
The JSON metadata for this API now includes a new field called serviceAccount that retrieves the name of the service account linked to each bucket. You can view this metadata on the page when you use a Config or IAM query where api.name = gcloud-storage-buckets-list

New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

Policy Updates-RQL
AWS EKS cluster security group overly permissive to all traffic
Changes— The policy RQL has been updated to check the default cluster Security Group along with the custom Security Groups attached to the EKS cluster.
Current RQL—

config from cloud.resource where api.name = 'aws-eks-describe-cluster' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*] contains ::/0) as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId'; show Y;

Updated RQL—

config from cloud.resource where api.name = 'aws-eks-describe-cluster' as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*] contains 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*] contains ::/0) as Y; filter '$.X.resourcesVpcConfig.securityGroupIds contains $.Y.groupId or $.X.resourcesVpcConfig.clusterSecurityGrou contains $.Y.groupId'; show Y;

Impact— Low. New alerts will be triggered for AWS EKS clusters whose default cluster security group is overly permissive to all traffic.

Policy Updates-Metadata
AWS Lambda function managed ENI reachable from untrust internet source
Changes— The policy subtype has been updated from Network Event to Network Config.
Impact— No impact on existing alerts.

Policy Deletion
GCP Kubernetes Engine Clusters have pod security policy disabled
Deleted this policy and Out of the Box (OOB) compliance mappings since pod security status information is no longer available.
Impact— Low. Previously generated alerts are resolved as Policy_Deleted.

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security—Features Introduced in August 2022 for details on new Configuration Build policies.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for CIS GKE version 1.2.0
Support is now available for the Center for Internet Security (CIS) benchmark for Google Kubernetes Engine (GKE) version 1.2.0. This benchmark includes a set of recommendations for configuring GKE version 1.2 to support a strong security posture.

REST API Updates

CHANGE DESCRIPTION

Add Entries to Anomaly Trusted List
A new Anomaly Trusted List API endpoint is now available. It enables you to add one or more entries to the Anomaly Trusted List.
POST /anomalies/trusted_list

New Features Introduced in 22.8.1

• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

FEATURE DESCRIPTION

Adoption Advisor PDF Report
Reports in PDF format can now be downloaded directly from your Adoption Advisor dashboard. Adoption summary details such as Adoption Progress and checks can be generated as a PDF report in real time. Additionally, you can choose whether to include widget data from the last 30, 60, or 90 days in the PDF report.

API Ingestions
Amazon AppFlow
aws-appflow-flow
Additional permissions required:
• appflow:DescribeFlow
• appflow:ListFlows

Amazon Grafana
aws-grafana-workspace
Additional permissions required:
• grafana:DescribeWorkspace
• grafana:DescribeWorkspaceAuthentication
• grafana:ListWorkspaces

Amazon Transcribe
aws-transcribe-language-model
Additional permissions required:
• transcribe:ListLanguageModels
• transcribe:ListTagsForResource

Azure Active Directory Enterprise Applications
azure-active-directory-enterprise-applications
Additional permission required:
Application.Read.All

Google Cloud Data Loss Prevention
gcloud-dlp-organization-inspect-template
Additional permission required:
dlp.inspectTemplates.list
The Viewer role includes this permission.

Google Cloud Data Loss Prevention
gcloud-dlp-organization-deidentify-template
Additional permission required:
dlp.deidentifyTemplates.list
The Viewer role includes this permission.

Google Firebase Remote Config
gcloud-firebase-remote-config-template
Additional permission required:
cloudconfig.configs.get
The Viewer role includes this permission.

Update API Ingestion—Amazon Connect
Amazon Connect
aws-connect-instance
This API is updated with an additional field attributes in the resource JSON.

Update API Ingestion—Azure Media Service
Azure Media Service
azure-media-service-account
This API is updated to include the following new fields in the resource JSON:
• systemData{}
• identity{}

Update API Ingestion—Azure Kubernetes Service
Azure Kubernetes Service
azure-kubernetes-cluster
Since the API version is upgraded from 2019-04-01 to 2022-04-01, Prisma Cloud now supports the ingestion of the newly added fields from the resource JSON.

Change in Existing Behaviour—Support for SES Identities Attached with a Single Identity Policy
If you have custom policies on Prisma Cloud using the aws-ses-identities API where policies is used in its RQL, new alerts are generated for the SES identity resources that have only a single identity policy attached.
Impact— Medium. New alerts are generated based on the resource configuration.

Change in Existing Behavior—Region Names on Investigate Page
You can now see the correct Region Names for gcloud-container-describe-clusters and gcloud-redis-instances-list resources on the Investigate page.
Impact— The existing alerts for these policies are resolved as Resource_Updated and new alerts will be generated based on the resource configuration.

Change in Existing Behavior—Region Support for Google BigQuery
Region support for the gcloud-bigquery-dataset-list and gcloud-bigquery-table APIs has been enabled on Prisma Cloud. Due to this, all the resources for the gcloud-bigquery-dataset-list and gcloud-bigquery-table APIs display Region Name on the Investigate page.
Impact— If there are any existing custom policies containing Region Name in their RQL, then new alerts are generated against policy violations.

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.8.2

Policy Updates Description

New Policy

AWS Lambda function URL AuthType set to NONE
Identifies AWS Lambda functions whose function URL AuthType is set to NONE. AuthType determines how Lambda authenticates or authorizes requests to your function URL. When AuthType is set to NONE, Lambda doesn’t perform any authentication before invoking your function. It is highly recommended to set AuthType to AWS_IAM for Lambda function URLs to authenticate via AWS IAM.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-lambda-list-functions' AND json.rule = authType equal ignore case NONE

AWS DocumentDB cluster deletion protection is disabled
Identifies AWS DocumentDB clusters for which deletion protection is disabled. Enabling deletion protection for DocumentDB clusters prevents irreversible data loss resulting from accidental or malicious operations.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-docdb-db-cluster' AND json.rule = Status contains available and DeletionProtection is false

AWS Neptune Cluster not configured with IAM authentication
Identifies AWS Neptune clusters that are not configured with IAM authentication. If you enable IAM authentication, you don’t need to store user credentials in the database because authentication is managed externally using IAM. IAM database authentication ensures the network traffic to and from database clusters is encrypted using Secure Sockets Layer (SSL), provides central access management to your database resources, and enforces the use of profile credentials instead of a password for greater security.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-neptune-db-cluster' AND json.rule = Status contains available and IAMDatabaseAuthenticationEnabled is false

AWS Neptune cluster deletion protection is disabled
Identifies AWS Neptune clusters for which deletion protection is disabled. Enabling deletion protection for Neptune clusters prevents irreversible data loss resulting from accidental or malicious operations.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-neptune-db-cluster' AND json.rule = Status contains available and DeletionProtection is false

AWS Web Application Firewall v2 (AWS WAFv2) logging is disabled
Identifies Web Application Firewall v2s (AWS WAFv2) for which logging is disabled. Enabling WAFv2 logging logs all web requests inspected by the service, which can be used for debugging and additional forensics. The logs will help to understand why certain rules are triggered and why certain web requests are blocked. You can also integrate the logs with any SIEM and log analysis tools for further analysis. It is recommended to enable logging on your Web Application Firewall v2s (WAFv2).

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = '(resources.applicationLoadBalancer[*] exists or resources.apiGateway[*] exists or resources.other[*] exists) and loggingConfiguration.resourceArn does not exist'

AWS Web Application Firewall (AWS WAF) Classic logging is disabled
Identifies Classic Web Application Firewalls (AWS WAFs) for which logging is disabled. Enabling WAF logging logs all web requests inspected by the service, which can be used for debugging and additional forensics. The logs will help to understand why certain rules are triggered and why certain web requests are blocked. You can also integrate the logs with any SIEM and log analysis tools for further analysis. It is recommended to enable logging on your Classic Web Application Firewalls (WAFs).

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-waf-classic-web-acl-resource' AND json.rule = '(resources.applicationLoadBalancer[*] exists or resources.apiGateway[*] exists or resources.other[*] exists) and loggingConfiguration.resourceArn does not exist'

Azure Service bus namespace not configured with Azure Active Directory (Azure AD) authentication
Identifies Service bus namespaces that are not configured with Azure Active Directory (Azure AD) authentication and are enabled with local authentication. Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities. It is recommended to configure the Service bus namespaces with Azure AD authentication so that all actions are strongly authenticated.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = properties.status equals "Active" and (properties.disableLocalAuth does not exist or properties.disableLocalAuth is false)

Azure Virtual Machine vTPM feature is disabled
Identifies Virtual Machines that have the Virtual Trusted Platform Module (vTPM) feature disabled. A Virtual Trusted Platform Module (vTPM) provides enhanced security to the guest operating system. It is recommended to enable the virtual TPM device on supported virtual machines to facilitate measured Boot and other OS security features that require a TPM.

This assessment only applies to trusted launch enabled virtual machines. You can’t enable trusted launch on existing virtual machines that were initially created without it.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.securityProfile'].['securityType'] equal ignore case "TrustedLaunch" and ['properties.securityProfile'].['uefiSettings'].['vTpmEnabled'] is false

Azure Virtual Machine (Windows) secure boot feature is disabled
Identifies Virtual Machines (Windows) that have the secure boot feature disabled. Enabling Secure Boot on supported Windows virtual machines provides mitigation against malicious and unauthorized changes to the boot chain. Secure boot helps protect your VMs against boot kits, rootkits, and kernel-level malware. So it is recommended to enable Secure boot for Azure Windows virtual machines.

This assessment only applies to trusted launch-enabled Windows virtual machines. You can’t enable trusted launch on existing virtual machines that were initially created without it.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.storageProfile'].['osDisk'].['osType'] contains "Windows" and ['properties.securityProfile'].['securityType'] equal ignore case "TrustedLaunch" and ['properties.securityProfile'].['uefiSettings'].['secureBootEnabled'] is false
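An added Python example (not Prisma Cloud code) that applies both trusted launch policies above (vTPM disabled and Windows secure boot disabled) to constructed azure-vm-list records, and also lists the VMs neither policy assesses, which is the caveat the two notes above make; the VM names are placeholders and reading "is false" as a literal boolean false is an assumption:

```python
"""Emulation of the two Azure trusted launch policies, vTPM disabled and
Windows Secure Boot disabled (added example, not Prisma Cloud code)."""

# Constructed azure-vm-list style records limited to the fields the RQL
# references; VM names are placeholders.
VMS = [
    {"name": "vm-win-protected", "powerState": "PowerState/running",
     "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}},
                    "securityProfile": {"securityType": "TrustedLaunch",
                                        "uefiSettings": {"vTpmEnabled": True,
                                                         "secureBootEnabled": True}}}},
    {"name": "vm-win-weak", "powerState": "PowerState/running",
     "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}},
                    "securityProfile": {"securityType": "TrustedLaunch",
                                        "uefiSettings": {"vTpmEnabled": False,
                                                         "secureBootEnabled": False}}}},
    # Linux with Secure Boot off: the Secure Boot policy is Windows-only,
    # so this VM produces no alert even though the flag is false.
    {"name": "vm-linux-nosb", "powerState": "PowerState/running",
     "properties": {"storageProfile": {"osDisk": {"osType": "Linux"}},
                    "securityProfile": {"securityType": "TrustedLaunch",
                                        "uefiSettings": {"vTpmEnabled": True,
                                                         "secureBootEnabled": False}}}},
    # Deallocated: out of scope for both policies while stopped.
    {"name": "vm-win-stopped", "powerState": "PowerState/deallocated",
     "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}},
                    "securityProfile": {"securityType": "TrustedLaunch",
                                        "uefiSettings": {"vTpmEnabled": False,
                                                         "secureBootEnabled": False}}}},
    # Standard (non trusted launch) VM: no securityProfile, never assessed.
    {"name": "vm-win-standard", "powerState": "PowerState/running",
     "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}}}},
]


def _get(record, *path):
    """Walk nested dicts; None when any key on the path is absent."""
    node = record
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def in_scope(vm):
    """powerState equal ignore case "PowerState/running" and
    securityProfile.securityType equal ignore case "TrustedLaunch"."""
    running = (vm.get("powerState") or "").lower() == "powerstate/running"
    security_type = _get(vm, "properties", "securityProfile", "securityType") or ""
    return running and security_type.lower() == "trustedlaunch"


def vtpm_disabled(vm):
    """securityProfile.uefiSettings.vTpmEnabled is false ('is false' read as a
    literal boolean false, so a missing flag does not match; an assumption)."""
    flag = _get(vm, "properties", "securityProfile", "uefiSettings", "vTpmEnabled")
    return in_scope(vm) and flag is False


def secure_boot_disabled(vm):
    """storageProfile.osDisk.osType contains "Windows" and
    securityProfile.uefiSettings.secureBootEnabled is false."""
    os_type = _get(vm, "properties", "storageProfile", "osDisk", "osType") or ""
    flag = _get(vm, "properties", "securityProfile", "uefiSettings", "secureBootEnabled")
    return in_scope(vm) and "Windows" in os_type and flag is False


def assess(vms):
    """Alerts per policy, plus the VMs neither policy looks at: for those the
    absence of an alert says nothing about their boot protection."""
    return {
        "vtpm_alerts": [v["name"] for v in vms if vtpm_disabled(v)],
        "secure_boot_alerts": [v["name"] for v in vms if secure_boot_disabled(v)],
        "not_assessed": [v["name"] for v in vms if not in_scope(v)],
    }


if __name__ == "__main__":
    for label, names in assess(VMS).items():
        print(f"{label:19} {names}")
```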

Azure Batch account is not configured with managed identity
Identifies Batch accounts that are not configured with managed identity. Managed identity can be used to authenticate any service that supports Azure AD authentication without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities also eliminate the need for developers to manage credentials. So as a security best practice, it is recommended to assign a managed identity to your Batch account.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-batch-account' AND json.rule = properties.provisioningState equal ignore case Succeeded and identity does not exist or identity.type equal ignore case "None"

OCI Kubernetes Engine Cluster endpoint is not configured with Network Security Groups
Identifies Kubernetes Engine Cluster endpoints that are not configured with Network Security Groups. Network security groups give fine-grained control of resources and help in restricting network access to your cluster node pools. It is recommended to restrict access to the Cluster node pools by configuring network security groups.

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster' AND json.rule = lifecycleState equal ignore case ACTIVE and endpointConfig exists and (endpointConfig.nsgIds does not exist or endpointConfig.nsgIds equal ignore case "null" or endpointConfig.nsgIds is empty)

OCI Kubernetes Engine Cluster boot volume is not configured with in-transit data encryption
Identifies Kubernetes Engine Clusters that are not configured with in-transit data encryption. Configuring in-transit encryption on cluster boot volumes encrypts data in transit between the instance, the boot volume, and the block volumes. All the data moving between the instance and the block volume is transferred over an internal and highly secure network. It is recommended that cluster boot volumes be configured with in-transit data encryption to minimize the risk of sensitive data being leaked.

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster-nodepool' AND json.rule = lifecycleState equal ignore case ACTIVE and (nodeConfigDetails.isPvEncryptionInTransitEnabled equal ignore case "null" or nodeConfigDetails.isPvEncryptionInTransitEnabled does not exist)

OCI Kubernetes Engine Cluster pod security policy not enforced
Identifies Kubernetes Engine Clusters that do not enforce a pod security policy. The Pod Security Policy defines a set of conditions that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet the conditions in the pod security policy, that request is rejected and an error is returned.

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-containers-artifacts-kubernetes-cluster' AND json.rule = lifecycleState equal ignore case ACTIVE and options.admissionControllerOptions.isPodSecurityPolicyEnabled is false

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for HITRUST CSF v9.6.0
HITRUST CSF is a framework designed and built to streamline regulatory compliance through a common set of security controls mapped to various standards such as HIPAA, NIST, HITECH, and others, to enable organizations, particularly healthcare, to achieve and maintain full compliance. The CSF contains 14 control categories that comprise 49 control objectives and 156 control specifications.

Support for Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a comprehensive framework that builds on the initial CMMC framework. The CMMC is a security assessment and verification standard for defense contractors serving the Department of Defense (DoD). The framework helps to assess the security levels of companies in the Defense Industrial Base (DIB) to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) against frequent and complex cyberattacks, including Advanced Persistent Threats.

Support for DFS 23 NYCRR 500
The New York DFS Cybersecurity Regulations (23 NYCRR 500) are a new set of regulations by the New York Department of Financial Services (NYDFS) that impose new cybersecurity requirements on all covered financial institutions. These regulations are designed to ensure your organization can effectively protect your customers' confidential information from cyberattacks. These include conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan. Violation of these regulations can result in fines of up to US$250,000 or one percent of total bank assets.

REST API Updates

Alert Response Count Updates
The alert count limit (maximum number of items that will be returned) in one response is 10,000 for the following Alerts APIs:
• POST - /v2/alert
• GET - /v2/alert
• POST - /alert
• GET - /alert
If you enter a value >10,000 for the limit, an HTTP 400 response is returned. The supported values are between 1 and 10,000; the default is 10,000.

Bulk Export Resource Archives
The new Data Service API endpoint is now available. It allows you to retrieve resource archives from AWS S3 for the required time period.

    GET /config/api/v1/tenant/{prisma_id}/archiveList

Features Introduced in July 2022

Learn what’s new on Prisma™ Cloud in July 2022.
• New Features Introduced in 22.7.2
• New Features Introduced in 22.7.1

New Features Introduced in 22.7.2

• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

Runtime Security Plans
Prisma Cloud Enterprise Edition now offers two new Runtime Security plans: Runtime Security Foundations and Runtime Security Advanced. These plans offer select Prisma Cloud modules and capabilities, and are metered by virtual machines (VMs). You can add other modules, not included in these plans, using Prisma Cloud credits.
Refer to the Enterprise Edition Pricing Guide or contact your Palo Alto Networks Account Manager or Sales Representative for more information on the Runtime Security plans.

Licensing Updates
The Licensing page is updated for a better view of your license information and credit usage.
The License Consumption details table has a new tabular format that displays the average credit usage for run-time assets and build-time assets that you are monitoring with Prisma Cloud. The build-time view displays usage information only if you have activated the Code Security subscription.
The License Information section now displays two new fields, Active Plan and Active Plan Start Date, to reflect the availability of the new Runtime Security plans within Prisma Cloud Enterprise Edition. As an existing Enterprise Edition customer, your default Active Plan is the Standard plan.

IAM Graph View
(Applies only if you have activated the IAM Security subscription on Prisma Cloud.)
The IAM graph view helps you visualize the relationships between the source, granter, and destination so that you can answer questions such as who has access to your resource and how the access was granted. This view enables you to review the permissions and fix any excessive access privileges. The interactive graph view also enables you to update the relationships using the visualization, and the corresponding RQL is updated automatically.

Support for GCP on IAM Security
(Applies only if you have activated the IAM Security subscription on Prisma Cloud.)
IAM Security on Prisma Cloud now supports enhanced capabilities to calculate effective permissions, detect overly permissive access, and suggest corrections to reach the least privilege entitlements in your GCP environments. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment in GCP.
After you use the cloud account onboarding Terraform template to onboard your GCP cloud account on Prisma Cloud and activate the IAM Security subscription, complete the instructions in Grant permissions for Ingesting Google Workspace Groups.

Top Alerts View by MITRE ATT&CK Tactics
You can now quickly identify the most critical issues that you need to address by leveraging the MITRE ATT&CK framework in the Top Incidents and Risks widget on the Alerts Overview. Prisma Cloud detects cloud risks (a misconfiguration with potential future impact) and incidents (an undesirable event which has happened) in real time and automatically maps every alert to the appropriate MITRE ATT&CK Tactic. Toggle View by MITRE ATT&CK to prioritize your incident response based on tactics instead of the default view of alerts listed with policy names.

Cloud Account Onboarding Templates: Permission Updates
To enable additional capabilities for the Features Introduced in Compute - July 2022, the following additional permissions are added to the onboarding templates on Prisma Cloud.

AWS
The following actions are added to the PrismaCloud-IAM-ReadOnly-Policy:
• "apprunner:DescribeAutoScalingConfiguration"
• "apprunner:ListAutoScalingConfigurations"
• "apprunner:ListTagsForResource"
• "apprunner:ListServices"
• "apprunner:DescribeCustomDomains"
• "apprunner:DescribeService"
To the PrismaCloud-Remediation-Compute-Policy-AgentlessScanning, the following statement is added:

    {
      "Sid": "PCCAgentlessServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
      "Condition": {"StringLike": {"iam:AWSServiceName": "spot.amazonaws.com"}}
    }

For AWS GovCloud, the FedRamp templates do not include these additional permissions.

Azure
Monitor and Protect mode Terraform template:
• "Microsoft.ContainerRegistry/registries/listCredentials/action"
Monitor mode Terraform templates:
• "Microsoft.ContainerRegistry/registries/listCredentials/action"
• "Microsoft.Web/sites/functions/action"
• "Microsoft.ContainerInstance/containerGroups/containers/exec/action"

GCP
Artifact Registry Scanning permissions are added to both the Monitor mode and the Monitor and Protect mode Terraform templates. The compute_role_permissions_org also has these additional actions:
• "iam.serviceAccounts.list"
• "compute.instances.setLabels"
• "compute.snapshots.create"
• "compute.snapshots.delete"
• "compute.snapshots.setLabels"

Change in Existing Behavior: Last Access Results
(IAM Security)
The number of results for last access destinations, which show when a permission was actually used, is limited to 100 when you use the RQL

    config from iam where action.lastaccess.days

Due to the high volume of data associated with this query, only the latest 100 results for a permission will be displayed on the Investigate page.

Change in Existing Behavior: Multi-region Support for CryptoKeys, KMS, and Storage Collector
Prisma Cloud enables multi-region support for the CryptoKeys asset, KMS asset, and Storage Collector on GCP. Also, the resources for gcloud-kms-keyring-list are ingested according to actual values instead of hexadecimal values. For example, if gcloud-kms-keyring-list has a resource 6da26df4be06b9c68fea2f2ff83c9cb5, it is ingested as projects/ingestion-qa-manual-2/locations/us-central1/keyRings/bhb-key-2.
Due to this, all the resources for gcloud-kms-keyring-list are deleted once, and then regenerated on the management console. The existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact: You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-kms-keyring-list start ingesting data again.

Change in Existing Behavior: Region Support for Google App Engine
Prisma Cloud enables region support for gcloud-app-engine-application.
Due to this, all the resources for gcloud-app-engine-application are deleted once, and then regenerated on the management console. Existing alerts corresponding to these resources are resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact: You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-app-engine-application start ingesting data again.

Change in Existing Behavior: Update Custom Policies RQL to Include Crypto Keys Metadata from the New API
(This change was part of the 22.7.1 Hotfix release.)
If you have created custom policies that use the gcloud-kms-keyring-list API in RQL to include Crypto Keys metadata, you must perform the following steps to ensure the accuracy of alerts:
• Clone the affected custom policy to create a new custom policy.
• Update the RQL of the cloned custom policy to use the new gcloud-kms-crypto-keys-list API by replacing the existing gcloud-kms-keyring-list API.
• Add the new custom policy with the updated RQL to the alert rule.
• Delete the original custom policy that was affected by the change. If you had mapped the custom policy to any compliance standards on Prisma Cloud, this workflow ensures that the new policy is automatically mapped.
Impact: No impact on alerts.

If you need assistance with this workflow, contact your Palo Alto Networks Account Manager or Support Representative.

API Ingestions

Amazon AppRunner
aws-apprunner-auto-scaling-configuration
Additional permissions required:
• apprunner:DescribeAutoScalingConfiguration
• apprunner:ListAutoScalingConfigurations
• appstream:ListTagsForResource

Amazon AppRunner
aws-apprunner-service
Additional permissions required:
• apprunner:ListServices
• apprunner:DescribeCustomDomains
• apprunner:DescribeService
• apprunner:ListTagsForResource

Amazon IoT
aws-iot-account-audit-configuration
Additional permission required:
• iot:DescribeAccountAuditConfiguration
The Security Audit role includes this permission.

Amazon IoT
aws-iot-domain-configuration
Additional permissions required:
• iot:DescribeDomainConfiguration
• iot:ListDomainConfigurations
• iot:ListTagsForResource
The Security Audit role includes these permissions.

Azure Purview
azure-purview-default-account
Additional permissions required:
• Microsoft.Purview/accounts/read
• Microsoft.Purview/getDefaultAccount/read
• Microsoft.Resources/subscriptions/read
The Reader role includes these permissions.

Azure Storage
azure-storage-account-blob-diagnostic-settings
Additional permissions required:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/blobServices/read
• Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.

Azure Storage
azure-storage-account-file-diagnostic-settings
Additional permissions required:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/fileServices/read
• Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.

Azure Storage
azure-storage-account-queue-diagnostic-settings
Additional permissions required:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/queueServices/read
• Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.

Azure Storage
azure-storage-account-table-diagnostic-settings
Additional permissions required:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/tableServices/read
• Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
The Reader role includes these permissions.

Google Traffic Director
gcloud-traffic-director-authorization-policy
Additional permissions required:
• networksecurity.authorizationPolicies.list
• networksecurity.authorizationPolicies.getIamPolicy
The Viewer role includes these permissions.

Google Traffic Director
gcloud-traffic-director-server-tls-policy
Additional permissions required:
• networksecurity.serverTlsPolicies.list
• networksecurity.serverTlsPolicies.getIamPolicy
The Viewer role includes these permissions.

Google Traffic Director
gcloud-traffic-director-client-tls-policy
Additional permissions required:
• networksecurity.clientTlsPolicies.list
• networksecurity.clientTlsPolicies.getIamPolicy
The Viewer role includes these permissions.

New Policies and Policy Updates

See the look-ahead updates for planned features and policy updates in 22.8.1.

New Policy

AWS Secret Manager Automatic Key Rotation is not enabled
Identifies AWS Secret Manager secrets that are not enabled with key rotation. As a security best practice, it is important to rotate the keys periodically, so that if the keys are compromised, the data in the underlying service is still secure with the new keys.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false

AWS Classic Load Balancer not configured to span multiple Availability Zones
Identifies AWS Classic Load Balancers that are not configured to span multiple Availability Zones. A Classic Load Balancer would not be able to redirect traffic to targets in another Availability Zone if the sole configured Availability Zone becomes unavailable. As a best practice, it is recommended to configure the Classic Load Balancer to span multiple Availability Zones.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elb-describe-load-balancers' AND json.rule = description.availabilityZones[*] size less than 2

AWS ECR Repository not configured with a lifecycle policy
Identifies AWS ECR Repositories that are not configured with a lifecycle policy. Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. This helps to automate the cleanup of unused images and the expiration of images based on age or count. As a best practice, it is recommended to configure the ECR repository with a lifecycle policy, which helps to avoid unintentionally using outdated images in your repository.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecr-get-repository-policy' AND json.rule = lifecyclePolicy does not exist

AWS Kinesis Firehose with Direct PUT as source has SSE encryption disabled
Identifies Amazon Kinesis Firehose delivery streams with Direct PUT as source that have server-side encryption (SSE) disabled. Enabling server-side encryption allows you to meet strict regulatory requirements and enhance the security of your data at rest. As a best practice, enable SSE for the Amazon Kinesis Firehose.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-kinesis-firehose-delivery-stream' AND json.rule = deliveryStreamEncryptionConfiguration exists and deliveryStreamEncryptionConfiguration.status equals DISABLED

AWS OpenSearch attached security group overly permissive to all traffic
Identifies AWS OpenSearch attached security groups that are overly permissive to all traffic. The security group enforces IP-based access policies to OpenSearch. As a best practice, restrict traffic solely from known static IP addresses or CIDR ranges.

    config from cloud.resource where api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = vpcoptions.securityGroupIds[*] exists as X; config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipv4Ranges[*].cidrIp equals 0.0.0.0/0 or ipPermissions[*].ipv6Ranges[*].cidrIpv6 equals ::/0) as Y; filter '$.X.vpcoptions.securityGroupIds[*] contains $.Y.groupId'; show Y;
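Added example (not from the release notes or Prisma Cloud's own code): a plain-Python rendering of the two-step RQL above, with the X selection, the Y predicate, and the filter/show stages written out as functions over constructed sample records whose field names follow the JSON paths the RQL reads. It also shows the `show X` side of the same join, which lists the exposed domains rather than the offending groups; the single-API json.rule policies in this list amount to the Y-style predicate alone.

```python
# Added example, not Prisma Cloud code: plain-Python equivalent of the
# two-step RQL for "AWS OpenSearch attached security group overly
# permissive to all traffic". Record shapes follow the JSON paths the RQL
# reads; the sample records below are constructed, not real API output.

OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"

# Constructed OpenSearch domains (aws-es-describe-elasticsearch-domain shape).
DOMAINS = [
    {"domainName": "search-prod",
     "vpcoptions": {"securityGroupIds": ["sg-aaa", "sg-bbb"]}},
    {"domainName": "search-dev",
     "vpcoptions": {"securityGroupIds": ["sg-ccc"]}},
    {"domainName": "search-public"},  # no VPC options: not part of X
]

# Constructed security groups (aws-ec2-describe-security-groups shape).
SECURITY_GROUPS = [
    {"groupId": "sg-aaa", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": OPEN_IPV4}], "ipv6Ranges": []}]},
    {"groupId": "sg-bbb", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]},
    {"groupId": "sg-ccc", "isShared": False,
     "ipPermissions": [{"ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": OPEN_IPV6}]}]},
    {"groupId": "sg-ddd", "isShared": True,   # shared groups are excluded by the rule
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": OPEN_IPV4}], "ipv6Ranges": []}]},
    {"groupId": "sg-eee", "isShared": False,  # open, but attached to no domain
     "ipPermissions": [{"ipv4Ranges": [{"cidrIp": OPEN_IPV4}], "ipv6Ranges": []}]},
]


def select_x(domains):
    """X: domains where vpcoptions.securityGroupIds[*] exists (non-empty list)."""
    return [d for d in domains if d.get("vpcoptions", {}).get("securityGroupIds")]


def is_open_to_world(sg):
    """Y predicate: isShared is false and some rule allows 0.0.0.0/0 or ::/0.

    RQL's `ipPermissions[*].ipv4Ranges[*].cidrIp equals 0.0.0.0/0` matches when
    any element along the path equals the value, which is what the loops do.
    """
    if sg.get("isShared", False):
        return False
    for perm in sg.get("ipPermissions", []):
        if any(r.get("cidrIp") == OPEN_IPV4 for r in perm.get("ipv4Ranges", [])):
            return True
        if any(r.get("cidrIpv6") == OPEN_IPV6 for r in perm.get("ipv6Ranges", [])):
            return True
    return False


def select_y(security_groups):
    """Y: non-shared security groups with a world-open ingress rule."""
    return [sg for sg in security_groups if is_open_to_world(sg)]


def show_y(domains, security_groups):
    """filter '$.X.vpcoptions.securityGroupIds[*] contains $.Y.groupId'; show Y

    Returns the IDs of groups that pass the Y predicate and are attached to at
    least one X domain, in security-group order.
    """
    attached = {gid for d in select_x(domains)
                for gid in d["vpcoptions"]["securityGroupIds"]}
    return [sg["groupId"] for sg in select_y(security_groups)
            if sg["groupId"] in attached]


def show_x(domains, security_groups):
    """The same join with `show X`: domains exposed through an offending group.

    Handy for triage, since the alert names the group rather than the domain.
    """
    offending = {sg["groupId"] for sg in select_y(security_groups)}
    return [d["domainName"] for d in select_x(domains)
            if offending.intersection(d["vpcoptions"]["securityGroupIds"])]


if __name__ == "__main__":
    print("offending groups:", show_y(DOMAINS, SECURITY_GROUPS))
    print("exposed domains:", show_x(DOMAINS, SECURITY_GROUPS))
```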

AWS EKS cluster public endpoint access overly permissive to all traffic
Identifies EKS clusters that have an overly permissive public endpoint accessible to all traffic. When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as kubectl). By default, this API server endpoint accepts all connections from the public internet, and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).
Allowing all traffic to the EKS cluster may cause a bad actor to brute force their way into the system and potentially get access to the entire network. As a best practice, restrict traffic solely from known static IP addresses. Limit the access list to include known hosts, services, or specific employees only.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-eks-describe-cluster' AND json.rule = resourcesVpcConfig.endpointPublicAccess is true and resourcesVpcConfig.publicAccessCidrs contains "0.0.0.0/0"

AWS OpenSearch node-to-node encryption is disabled
Identifies AWS OpenSearch domains for which node-to-node encryption is disabled. Each OpenSearch domain resides within a dedicated VPC. By default, traffic within the VPC is unencrypted. Enabling node-to-node encryption provides an additional security layer by using TLS encryption for all communications between Amazon OpenSearch Service instances in a cluster.

    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = processing is false and (nodeToNodeEncryptionOptions.enabled is false or nodeToNodeEncryptionOptions.enabled does not exist)

Azure Automation account variables are not encrypted
Identifies Automation account variables that are not encrypted. Variable assets are values that are available to all runbooks and DSC configurations in your Automation account. When a variable is created, you can specify that it be stored encrypted. Azure Automation stores each encrypted variable securely. It is recommended to enable encryption of Automation account variable assets when storing sensitive data.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = variable[?any(properties.isEncrypted is false)] exists

Azure Data Factory (V2) is not configured with managed identity
Identifies Data Factories (V2) that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to configure a managed identity for your Data Factory.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-data-factory-v2' AND json.rule = properties.provisioningState equal ignore case Succeeded and identity does not exist or identity.type equal ignore case "None"

Azure Data Factory (V2) configured with overly permissive network access
Identifies Data Factories (V2) configured with overly permissive network access. A Data Factory managed virtual network along with managed private endpoints protects against data exfiltration. It is recommended to configure the Data Factory with a private endpoint, so that the Data Factory is accessible only to restricted entities.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-data-factory-v2' AND json.rule = properties.provisioningState equal ignore case Succeeded and properties.publicNetworkAccess equal ignore case Enabled

Azure PostgreSQL database flexible server configured with overly permissive network access
Identifies Azure PostgreSQL database flexible servers that are configured with overly permissive network access. It is highly recommended to create the PostgreSQL database flexible server with private access, to secure access to the server via VNet integration; with a firewall rule, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-flexible-server' AND json.rule = properties.state equal ignore case Ready and properties.network.publicNetworkAccess equal ignore case Enabled and firewallRules[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists

Azure Automation account is not configured with managed identity
Identifies Automation accounts that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to configure a managed identity for your Automation account.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = identity does not exist or identity.type equal ignore case "None"

Azure Automation account configured with overly permissive network access
Identifies Automation accounts configured with overly permissive network access. It is recommended to configure the Automation account with private endpoints so that the Automation account is accessible only to restricted entities.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-automation-account' AND json.rule = properties.publicNetworkAccess does not exist or properties.publicNetworkAccess is true

Azure Virtual network not protected by DDoS Protection Standard
Identifies Virtual networks not protected by DDoS Protection Standard. Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns, exhausting an application’s resources and making the application unavailable to legitimate users. Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-vnet-list' AND json.rule = ['properties.provisioningState'] equals Succeeded and (['properties.ddosProtectionPlan'].['id'] does not exist or ['properties.enableDdosProtection'] is false)

Azure PostgreSQL database server deny public network access setting is not set
Identifies Azure PostgreSQL database servers for which the Deny public network access setting is not set. When 'Deny public network access' is set to Yes, only private endpoint connections will be allowed to access this resource. It is highly recommended to set the Deny public network access setting to Yes, which allows the PostgreSQL database server to be accessed only through private endpoints.

This feature is available in all Azure regions where Azure Database for PostgreSQL - Single Server supports the General Purpose and Memory Optimized pricing tiers.

    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.userVisibleState equal ignore case Ready and sku.tier does not equal ignore case Basic and properties.publicNetworkAccess equal ignore case Enabled

GCP KMS Symmetric key not rotating in every 90 days
(This change was part of the 22.7.1 Hotfix release.)
Identifies GCP KMS Symmetric keys that are not rotating every 90 days. A key is used to protect some corpus of data. A collection of files could be encrypted with the same key, and people with decrypt permissions on that key would be able to decrypt those files. It is recommended to make sure the 'rotation period' is set to a specific time to ensure data cannot be accessed through the old key.

    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-kms-crypto-keys-list' AND json.rule = purpose equal ignore case "ENCRYPT_DECRYPT" and primary.state equals "ENABLED" and (rotationPeriod does not exist or rotationPeriod greater than 7776000)

See also New Policies and Policy Updates to learn about the old policy. If you have custom policies that include Crypto Keys metadata in the RQL, see New Features.

Policy Deletion

GCP KMS encryption key not rotating in every 90 days
(This change was part of the 22.7.1 Hotfix release.)
This policy is being replaced with the new policy GCP KMS Symmetric key not rotating in every 90 days, because the gcloud-kms-keyring-list API in its RQL is no longer able to assess the Crypto Keys metadata. The gcloud-kms-crypto-keys-list API in the replacement policy is able to assess the Crypto Keys metadata, which improves the accuracy of alerts.
Impact: Previously generated alerts for GCP KMS encryption key not rotating in every 90 days will be resolved as Policy_Deleted.

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security Features Introduced in July 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

New Compliance Benchmarks and Updates

Support for CIS Google Cloud Platform Foundation Benchmark v1.3.0
The CIS Benchmarks provide a foundation for establishing a strong security posture. The CIS Benchmarks are a set of recommendations and best practices to provide your organization with a baseline of configurations and policies to protect your applications, infrastructure, and data.
The Center for Internet Security (CIS) has released version 1.3.0 of the Google Cloud Platform Foundation Benchmarks. The update adds 21 new benchmarks covering best practices for securing Google Cloud environments. The updates are broad in scope, with recommendations covering configurations and policies ranging from resource segregation to Compute and Storage.

Support for CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0
The Center for Internet Security (CIS) has released version 1.2.0 of the Oracle Cloud Infrastructure Foundation Benchmarks. The CIS Oracle Cloud Infrastructure Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for the Oracle Cloud Infrastructure environment. The scope of this benchmark is to establish a base level of security for anyone utilizing the Oracle Cloud Infrastructure services.

REST API Updates

No REST API updates for 22.7.2.

New Features Introduced in 22.7.1

• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

GA Cloud Asset Inventory (CAI) Support
Prisma Cloud has adopted Google’s Cloud Asset Inventory (CAI) service for a few GCP services. The CAI service reduces the number of API calls to GCP and helps speed up the time to report on assets on Prisma Cloud. CAI is enabled by default on Prisma Cloud.
The following GCP services/APIs have CAI support on Prisma Cloud:
• KMS (Get IAM policy, List Keyrings & Cryptokeys)
• Pub-Sub (Get IAM policy)
• Dataproc (Get IAM policy)
• Cloud Function (Get IAM policy)
• Cloud Run (Get IAM policy)
• BigQuery (Get IAM policy, List BigQuery Datasets & Tables)
• Compute Instance (Get IAM policy)

Change in Crypto Key Ingestions when CAI is Enabled
There is a change with the ingestion of Crypto Keys metadata in Google Cloud KMS when CAI is enabled.
The gcloud-kms-keyring-list API no longer includes the Crypto Keys metadata. This metadata is now available as a part of the gcloud-kms-crypto-keys-list API.
Impact: All the resources that were ingested as a part of the gcloud-kms-keyring-list API will no longer include the Crypto Keys metadata, and all existing alerts associated with this API are resolved as Resource_Updated.

IAM Security Checks in Adoption Advisor The Adoption Advisor is enhanced to


include Identity and Access Management
(IAM) checks. After you activate the IAM
Security subscription, these checks provide
governance and visibility into the entitlements
—various permissions and policies— across
your cloud resources.

Anomaly Trusted List Support for IP-based When creating a trusted list for anomaly
Protocols policies, you can now suppress anomaly alerts
depending on IP-based protocols.
From the Settings > Anomalies > Anomaly
Settings, you can create a trusted list where
you can add one or more IP-based protocol
entries. You can choose the following
anomaly policy types to apply to the trusted
list:

Prisma™ Cloud Release Notes 348 ©2023 Palo Alto Networks, Inc.
Prisma™ Cloud Release Information

• unusual protocol activity (Internal)


• unusual protocol activity (External)
After adding a protocol to this trusted list,
subsequent anomalous activity detected on
the protocol will no longer trigger an unusual
protocol activity alert.

Update in JSON Metadata for Google Cloud Resource Manager
Earlier, all the project resources for the gcloud-organization-project-info API were stored under a single JSON resource.
Now, all the project resources for the gcloud-organization-project-info API are stored as separate JSON resources. For example, if your organization has ten GCP projects, those projects are stored as ten different resources in JSON instead of a single resource.
There are no changes to the permissions of this API.
Impact— The existing alerts for these resources are resolved as Resource_Deleted.

Prisma Cloud Data Security—Support for Large File Size
Prisma Cloud now supports data classification scanning of .csv, .json, and .txt files of up to 2.5GB file size.

API Ingestions
Amazon AppStream 2.0
aws-app-stream-fleet
Additional permissions required:
• appstream:DescribeImages
• appstream:DescribeFleets
• appstream:ListTagsForResource

Amazon AppStream 2.0
aws-app-stream-stack
Additional permissions required:
• appstream:DescribeStacks
• appstream:ListTagsForResource

Amazon AppStream 2.0
aws-app-stream-usage-report-subscription
Additional permission required:
• appstream:DescribeUsageReportSubscriptions

Azure Purview
azure-purview-account
Additional permissions required:
• Microsoft.Purview/accounts/read
• Microsoft.Purview/getDefaultAccount/read
• Microsoft.Purview/accounts/privateEndpointConnections/read
The Reader role includes these permissions.

Azure Purview
azure-purview-privatelinkresource
Additional permission required:
• Microsoft.Purview/accounts/privatelinkresources/read
The Reader role includes the permission.

Google Artifact Registry
gcloud-artifact-registry-repository
Additional permissions required:
• artifactregistry.locations.list
• artifactregistry.repositories.list
• artifactregistry.repositories.getIamPolicy
The Viewer role includes these permissions.

Google Compute Engine
gcloud-compute-instances-list
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Cloud Function
gcloud-cloud-function
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Cloud Run
gcloud-cloud-run-services-list
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Datastore
gcloud-datastore-index
Additional permission required:
• datastore.indexes.list
The Viewer role includes the permission.

Google Dataproc Clusters
gcloud-dataproc-clusters-list
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Pubsub
gcloud-pubsub-subscription
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Pubsub
gcloud-pubsub-topic
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Pubsub
gcloud-pubsub-snapshot
Additional permission required:
• cloudasset.assets.searchAllIamPolicies
The Viewer role includes this permission.

Google Vertex AI
gcloud-vertex-ai-notebook-environment
Additional permissions required:
• notebooks.locations.list
• notebooks.environments.list
The Viewer role includes these permissions.
Only Zonal Resources are supported.

OCI Containers And Artifacts
oci-containers-artifacts-containerimages
Additional permissions required:
• inspect repos
• read repos
You must add the permissions manually.

OCI Certificate
oci-certificate-certificateauthorities
Additional permissions required:
• inspect certificate-authorities
• read certificate-authorities
You must add the permissions manually.

OCI Functions
oci-functions
Additional permissions required:
• inspect fn-function
• read fn-function
You must add the permissions manually.

OCI Web Application Firewall
oci-waf-waasaddresslist
Additional permissions required:
• inspect waas-address-list
• read waas-address-list
You must add the permissions manually.

Update API Ingestion—Amazon Route53
The following API is updated with additional attributes: domain details and domain tags.
Amazon Route53
aws-route53-domain
Additional permissions required:
• route53domains:ListDomains
• route53domains:ListTagsForDomain
• route53domains:GetDomainDetail
The Security Audit role includes these permissions.
Impact— No impact on alerts.

Update API Ingestion—Google BigQuery
Google BigQuery
All the existing permissions are replaced with the following new permissions to ingest the gcloud-bigquery-dataset-list and gcloud-bigquery-table APIs:
• cloudasset.assets.searchAllResources
• cloudasset.assets.searchAllIamPolicies
The Cloud Asset Viewer role includes these permissions.
Impact— Without these permissions, the datasets and tables will not be ingested and all existing alerts associated with this API will be resolved as Resource_Updated.

Update API Ingestion—Google Cloud KMS
Google Cloud KMS
All the existing permissions are replaced with the following new permissions to ingest the gcloud-kms-keyring-list and gcloud-kms-crypto-keys-list APIs:
• cloudasset.assets.searchAllResources
• cloudasset.assets.searchAllIamPolicies
The Cloud Asset Viewer role includes these permissions.
Impact— Without these permissions, the Key rings and Crypto keys will not be ingested and all existing alerts associated with this API will be resolved as Resource_Updated.

Update API Ingestion—Google Data Catalog
• The gcloud-data-catalog-entry-group API now includes support for Multi-Region Resources in Asia, EU, and US.
• The gcloud-data-catalog-taxonomy API now includes support for Multi-Region Resources in EU and US.

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.7.2

Policy Updates Description

New Policy
AWS S3 bucket policy does not enforce HTTPS request only
Identifies the AWS S3 bucket having a policy that does not enforce only HTTPS requests. Enforcing the S3 bucket to accept only HTTPS requests would prevent potential attackers from eavesdropping on data in-transit or manipulating network traffic using man-in-the-middle or similar attacks. It is highly recommended to explicitly deny access to HTTP requests in the S3 bucket policy.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = policy.Statement[?any(Effect equals Deny and Action equals s3:* and (Principal.AWS equals * or Principal equals *) and Condition.Bool.aws:SecureTransport contains false )] does not exist
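As an added example (not Prisma Cloud code), the following Python mirrors this RQL over bucket policy documents held locally, so you can see which statement shapes satisfy the check and which common near-misses still get flagged; the bucket names, ARNs and account ID are constructed placeholders.

```python
"""Added example, not Prisma Cloud code: a local check mirroring the RQL above.
A bucket is flagged unless its policy carries an explicit Deny for s3:* from
any principal when aws:SecureTransport is false. All names are constructed."""
import json


def _as_list(value):
    # Action, Principal.AWS and condition values may be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Matches the RQL's 'Principal.AWS equals * or Principal equals *'.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _secure_transport_false(condition):
    # Matches 'Condition.Bool.aws:SecureTransport contains false'; the value
    # may be the string "false" or a JSON boolean depending on who wrote it.
    bool_block = (condition or {}).get("Bool") or {}
    values = _as_list(bool_block.get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def statement_denies_plain_http(stmt):
    """One statement satisfies all four conditions of the RQL."""
    return (stmt.get("Effect") == "Deny"
            and "s3:*" in _as_list(stmt.get("Action"))
            and _principal_is_everyone(stmt.get("Principal"))
            and _secure_transport_false(stmt.get("Condition")))


def bucket_policy_enforces_https(policy):
    """True when at least one statement denies non-TLS access to s3:*."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(statement_denies_plain_http(s) for s in _as_list(policy.get("Statement")))


def buckets_to_flag(buckets):
    """buckets maps bucket name -> policy document, or None when the bucket has
    no policy; a missing policy means the Deny 'does not exist' and is flagged."""
    return sorted(name for name, policy in buckets.items()
                  if policy is None or not bucket_policy_enforces_https(policy))


# Constructed sample policies.
ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
# A TLS condition on an Allow does not deny plain HTTP, so this is still flagged.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}
# A Deny scoped to one principal is not 'Principal equals *', so still flagged.
SCOPED_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
        "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    inventory = {"enforcing": ENFORCING_POLICY, "allow-only": ALLOW_ONLY_POLICY,
                 "scoped-deny": SCOPED_DENY_POLICY, "no-policy": None}
    print("flagged:", buckets_to_flag(inventory))
```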

AWS S3 bucket access control lists (ACLs) in use
Identifies AWS S3 buckets which are using access control lists (ACLs). ACLs are a legacy way to control access to S3 buckets. It is recommended to disable bucket ACLs and instead use IAM policies or S3 bucket policies to manage access to your S3 buckets.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ownershipControls.rules[*] does not contain BucketOwnerEnforced

AWS Lambda function managed ENI reachable from any untrust internet source
Identifies network interfaces attached to a Lambda function that are exposed to inbound traffic from any untrust internet source. Lambda functions exposed to the internet are prone to external security threats. It is highly recommended to restrict network interfaces that are attached to the Lambda function to known hosts or services only.

config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.type = 'Lambda'

Policy Updates-Metadata
Nepture logging is not enabled
Changes— The policy name has been updated to correct the typo error.
Current Name— Nepture logging is not enabled
Updated Name— Neptune logging is not enabled
Impact— No impact on alerts.

Policy Updates-RQL
SQL Server Firewall rules allow access to any Azure internal resources
Changes— The policy name, description, and recommendations have been updated according to the latest vendor UI settings. The policy RQL has been updated to include an extra check to verify whether PublicNetwork is enabled or not, which increases the accuracy of results.
Current Name— SQL Server Firewall rules allow access to any Azure internal resources
Updated Name— Azure SQL Server allow access to any Azure internal resources
Updated Description— Identifies SQL Servers that are configured to allow access to any Azure internal resources. Firewall settings with start IP and end IP both set to '0.0.0.0' represent access to the entire Azure internal network. When this setting is enabled, the SQL server will accept connections from all Azure resources, including resources in other subscriptions. It is recommended to use firewall rules or VNET rules to allow access from specific network ranges or virtual networks.
Current RQL—
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = "$.firewallRules.[*] size > 0 and $.firewallRules.[*].endIpAddress contains 0.0.0.0 and $.firewallRules.[*].startIpAddress contains 0.0.0.0"
Updated RQL—
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.publicNetworkAccess'] equal ignore case Enabled and firewallRules[?any(startIpAddress equals "0.0.0.0" and endIpAddress equals "0.0.0.0")] exists
Impact— Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.

Azure PostgreSQL Database Server 'Allow access to Azure services' enabled
Changes— The policy RQL has been updated to include an extra check to verify whether PublicNetwork is enabled or not, which increases the accuracy of results.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[*].properties.startIpAddress equals 0.0.0.0 and firewallRules.value[].properties.endIpAddress equals 0.0.0.0
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.publicNetworkAccess equal ignore case Enabled and firewallRules.value[*].properties.startIpAddress equals "0.0.0.0" and firewallRules.value[*].properties.endIpAddress equals "0.0.0.0"
Impact— Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.

Azure SQL Servers Firewall rule allow access to all IPV4 address
Changes— The policy recommendation has been updated as per the latest vendor UI settings. The policy RQL has been updated to include an extra check to verify whether PublicNetwork is enabled or not, which increases the accuracy of results.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = firewallRules[?any(startIpAddress equals 0.0.0.0 and endIpAddress equals 255.255.255.255)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = ['sqlServer'].['properties.publicNetworkAccess'] equal ignore case Enabled and firewallRules[?any(startIpAddress equals "0.0.0.0" and endIpAddress equals "255.255.255.255")] exists
Impact— Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.

Azure Cosmos DB allows traffic from public Azure datacenters
Changes— The policy RQL has been updated to enhance its accuracy.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter contains 0.0.0.0
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.provisioningState equals Succeeded and properties.ipRangeFilter is not empty and properties.ipRangeFilter startsWith 0.0.0.0 or properties.ipRangeFilter endsWith 0.0.0.0
Impact— Low. Previously generated alerts that were based on a partial match of 0.0.0.0 will be resolved as 'Policy_Updated'.

Azure Microsoft Defender for Cloud security contact additional email is not set
Changes— The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.email is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact— Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.

Azure Microsoft Defender for Cloud security alert email notifications is not set
Changes— The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertNotifications equals Off'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.email is empty and alertNotifications equal ignore case Off)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
Impact— Low. Previously generated alerts for subscriptions where Defender is not enabled will be resolved as 'Policy_Updated'.

Azure PostgreSQL Database Server Firewall rule allow access to all IPV4 address
Changes— The policy RQL has been updated to include an extra check to verify whether PublicNetwork is enabled or not, which increases the accuracy of results.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = firewallRules.value[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-postgresql-server' AND json.rule = properties.publicNetworkAccess equal ignore case Enabled and firewallRules.value[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists
Impact— Low. Previously generated alerts for resources with public network access disabled will be resolved as 'Policy_Updated'.

AWS IAM Groups with administrator access permissions
Changes— The policy RQL has been updated to fix false positive alerts that occurred when the contains operator was used for matching policy ARNs; the attached-policy check now uses intersects against a pre-filtered set of administrator policies.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-groups' as X; config from cloud.resource where api.name = 'aws-iam-get-policy-version' as Y; filter "($.X.inlinePolicies[*].policyDocument.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal *) or ($.X.attachedPolicies[*].policyArn contains $.Y.policyArn and $.Y.document.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal *)"; show X;
Updated RQL—
config from cloud.resource where api.name = 'aws-iam-list-groups' as X; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any(Effect equals Allow and Action equals * and Resource equals * )] exists as Y; filter "($.X.inlinePolicies[*].policyDocument.Statement[?(@.Effect=='Allow' && @.Resource=='*')].Action any equal * ) or ($.X.attachedPolicies[*].policyArn intersects $.Y.policyArn)"; show X;
Impact— Low. Previously generated false positive alerts for AWS IAM group resources will be resolved as 'Policy_Updated'.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for PCI DSS v4.0
Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies, and enable innovative methods to combat new threats.
Support for PCI DSS v4.0 is available on Alibaba, AWS, Azure, GCP, and OCI.

Support for Federal Financial Institutions Examination Council (FFIEC)
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the U.S. government made up of several financial regulatory agencies that is responsible for establishing consistent guidelines, uniform practices, and principles for financial institutions.
The FFIEC publishes guidelines for IT management, cybersecurity, and protection of consumer financial data.
Failure to comply with FFIEC guidelines can result in fines and penalties for federally-supervised financial institutions.
Support for FFIEC is available on Alibaba, AWS, Azure, GCP, and OCI.

Support for CIS CSC v7.1
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help your organization better defend against known attacks by refining key security concepts into actionable controls to achieve significant overall cybersecurity defense.
There are 20 CIS controls in v7.1. CIS separates these controls into three categories as follows:
• basic controls
• foundational controls
• organizational controls
You can use the CIS Controls to quickly establish the protections through cybersecurity actions where you can eliminate the most common attacks.
Support for CIS CSC v7.1 is available on Alibaba, AWS, Azure, GCP, and OCI.

Support for CIS CSC v8
In version 8, CIS redesigned the controls to define them better and simplify the guidelines. There are 18 CIS controls in v8. The new v8 guidelines are reordered and grouped by different cyber security activities from the v7 CIS Controls.
You can now use these controls to help your organization better apply the principles of the security controls or to transition any tools or processes that were built around version 7.1.
Support for CIS CSC v8 is available on Alibaba, AWS, Azure, GCP, and OCI.


REST API Updates

CHANGE DESCRIPTION

New API Endpoints for AWS S3 Flow Logs
New API endpoints are available for AWS S3 Flow Logs onboarding for organization and standalone accounts on all supported stacks as follows:
• GET /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3
  Fetches AWS S3 Flow Log feature details of the monitored account.
• PATCH /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3
  Saves AWS S3 Flow Log feature details of the monitored account.
• POST /cloud-accounts-manager/v1/cloud-accounts/aws/{accountId}/features/aws-flow-logs/s3/status
  Checks AWS S3 Flow Log status of the monitored account.

Features Introduced in June 2022

Learn what’s new on Prisma™ Cloud in June 2022.
• New Features Introduced in 22.6.3
• New Features Introduced in 22.6.2
• New Features Introduced in 22.6.1

New Features Introduced in 22.6.3


• New Features
• New Policies and Policy Updates
• REST API Updates

New Features

Feature Description

API Ingestions
Amazon Connect
aws-connect-instance
Additional permissions required:
• connect:ListInstances
• connect:ListInstanceStorageConfigs

Amazon EventBridge
aws-events-rule
Additional permissions required:
• events:ListRules
• events:ListTargetsByRule
• events:ListTagsForResource
The Security Audit role includes these permissions.

Amazon Pinpoint
aws-pinpoint-email-channel
Additional permissions required:
• mobiletargeting:GetEmailChannel
• mobiletargeting:GetApps

Amazon Pinpoint
aws-pinpoint-sms-channel
Additional permissions required:
• mobiletargeting:GetSmsChannel
• mobiletargeting:GetApps

Azure Synapse Analytics
azure-synapse-privatelinkhub-privatelinkresource
Additional permission required:
• Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
The Reader role includes this permission.

Azure Synapse Analytics
azure-synapse-privatelinkhub
Additional permission required:
• Microsoft.Synapse/privateLinkHubs/read
The Reader role includes this permission.

Azure Synapse Analytics
azure-synapse-privatelinkresource
Additional permissions required:
• Microsoft.Synapse/workspaces/read
• Microsoft.Synapse/workspaces/privateLinkResources/read
The Reader role includes these permissions.

Google Cloud IAM
gcloud-iam-organization-deny-policy
Additional permissions required:
• iam.denypolicies.get
• iam.denypolicies.list
The Viewer role includes these permissions.

Google Cloud IAM
gcloud-iam-project-deny-policy
Additional permissions required:
• iam.denypolicies.get
• iam.denypolicies.list
The Viewer role includes these permissions.

Google Security Command Center
gcloud-security-command-center-organization-setting
Additional permission required:
• securitycenter.organizationsettings.get
The Viewer role includes this permission.

Google Security Command Center
gcloud-security-command-center-organization-notification-config
Additional permission required:
• securitycenter.notificationconfig.list
The Viewer role includes this permission.

Google Security Command Center
gcloud-security-command-center-organization-mute-config
Additional permission required:
• securitycenter.muteconfigs.list
The Viewer role includes this permission.

OCI Web Application Firewall
oci-waf-networkaddresslist
Additional permissions required:
• inspect waf-network-address-list
• read waf-network-address-list
You must add the permissions manually.

OCI Web Application Firewall
oci-waf-waaspolicy
Additional permissions required:
• inspect waas-policy
• read waas-policy
You must add the permissions manually.

Update Google Compute Engine API
Google Compute Engine
gcloud-ssl-certificate
This API will be updated to remove the following fields in the resource JSON:
• certificate
• selfManaged.certificate

Decommission of redlock.io Domain
This change was first announced in the look ahead that was published with the 22.5.2 release.
The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July 2019. Due to this, the redirect from redlock.io to prismacloud.io is removed and no longer supported. The redlock.io domain is decommissioned.

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.7.1

Policy Updates Description

New Policy
AWS Lambda execution role having overly permissive inline policy
Identifies AWS Lambda Function execution roles that have an overly permissive inline policy embedded. Lambda functions with an overly permissive policy could lead to lateral movement in the account or to privilege escalation when compromised. It is highly recommended to apply a least-privilege access policy to protect the Lambda Functions from unauthorized access.

config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*"))] exists as Y; filter '$.X.role equals $.Y.role.arn'; show Y;

AWS IAM policy attached to AWS Lambda execution role is overly permissive
Identifies Lambda Function execution roles that have an overly permissive IAM policy attached. Lambda functions with an overly permissive policy could lead to lateral movement in the account or to privilege escalation when compromised. It is highly recommended to apply a least-privilege access policy to protect the Lambda Functions from unauthorized access.

config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' as Y; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*") and Condition does not exist)] exists as Z; filter '$.X.role equals $.Y.role.arn and $.Y.attachedPolicies[*].policyName equals $.Z.policyName'; show Z;
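The two Lambda execution-role policies above share one statement test and differ only in the join and in the Condition clause. As an added example (not Prisma Cloud code), the following Python reproduces both over constructed inventory records shaped like the aws-lambda-list-functions, aws-iam-list-roles and aws-iam-get-policy-version resources the RQL joins; the names, ARNs and account ID are made up.

```python
"""Added example, not Prisma Cloud code: local reproduction of the two Lambda
execution-role policies over constructed inventory data. The record shapes
are simplified stand-ins for the resources the RQL joins; names are made up."""


def _as_list(value):
    # Action / Resource may be a string or a list in an IAM policy document.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_overly_permissive(stmt, require_no_condition=False):
    """Effect Allow with a wildcard action ("*" or "<service>:*") and a
    wildcard resource ("*" or anything starting with "*"). The attached-policy
    rule additionally requires that no Condition block narrows the grant."""
    if stmt.get("Effect") != "Allow":
        return False
    if require_no_condition and stmt.get("Condition"):
        return False
    wide_action = any(a == "*" or ":*" in a for a in _as_list(stmt.get("Action")))
    wide_resource = any(r.startswith("*") for r in _as_list(stmt.get("Resource")))
    return wide_action and wide_resource


def document_is_overly_permissive(doc, require_no_condition=False):
    return any(statement_is_overly_permissive(s, require_no_condition)
               for s in _as_list(doc.get("Statement")))


def execution_roles(functions, roles):
    """The join '$.X.role equals $.Y.role.arn': only roles some function uses."""
    used = {f["role"] for f in functions}
    return [r for r in roles if r["role"]["arn"] in used]


def roles_with_permissive_inline_policy(functions, roles):
    """First policy ('show Y'): names of execution roles with a wide inline policy."""
    return sorted(r["role"]["name"] for r in execution_roles(functions, roles)
                  if any(document_is_overly_permissive(p["policyDocument"])
                         for p in r.get("inlinePolicies", [])))


def permissive_attached_policies(functions, roles, policy_versions):
    """Second policy ('show Z'): attached managed policies that are wide,
    unconditional, and attached to a role some function uses."""
    names = {p["policyName"] for r in execution_roles(functions, roles)
             for p in r.get("attachedPolicies", [])}
    return sorted(pv["policyName"] for pv in policy_versions
                  if pv.get("isAttached") and pv["policyName"] in names
                  and document_is_overly_permissive(pv["document"], True))


# Constructed inventory (account ID and names are placeholders).
ACCT = "111111111111"
FUNCTIONS = [
    {"functionName": "img-resize", "role": f"arn:aws:iam::{ACCT}:role/img-resize-role"},
    {"functionName": "nightly-report", "role": f"arn:aws:iam::{ACCT}:role/report-role"},
]
ROLES = [
    {"role": {"name": "img-resize-role", "arn": f"arn:aws:iam::{ACCT}:role/img-resize-role"},
     # "s3:*" on "*" satisfies 'Action contains :*' and 'Resource equals "*"'.
     "inlinePolicies": [{"policyName": "inline-s3-all", "policyDocument": {
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}],
     "attachedPolicies": [{"policyName": "ThumbnailRead"}]},
    {"role": {"name": "report-role", "arn": f"arn:aws:iam::{ACCT}:role/report-role"},
     "inlinePolicies": [],
     "attachedPolicies": [{"policyName": "AdminLike"}, {"policyName": "RegionScopedEc2"}]},
    # Not referenced by any function: the join drops it even though it is wide open.
    {"role": {"name": "unused-admin-role", "arn": f"arn:aws:iam::{ACCT}:role/unused-admin-role"},
     "inlinePolicies": [{"policyName": "all", "policyDocument": {
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
     "attachedPolicies": []},
]
POLICY_VERSIONS = [
    {"policyName": "ThumbnailRead", "isAttached": True, "document": {
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::thumbs/*"}]}},
    {"policyName": "AdminLike", "isAttached": True, "document": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    # Wildcard grant but with a Condition: excluded by 'Condition does not exist'.
    {"policyName": "RegionScopedEc2", "isAttached": True, "document": {
        "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
                       "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}},
]

if __name__ == "__main__":
    print(roles_with_permissive_inline_policy(FUNCTIONS, ROLES))
    print(permissive_attached_policies(FUNCTIONS, ROLES, POLICY_VERSIONS))
```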

Azure Microsoft Defender for Cloud set to Off for DNS
Identifies Azure Microsoft Defender for Cloud subscriptions in which the Defender setting for DNS is set to Off. Enabling Azure Defender provides advanced security capabilities such as threat intelligence, anomaly detection, and behavior analytics in Azure Microsoft Defender for Cloud. Defender for DNS monitors the queries and detects suspicious activities without the need for any additional agents on your resources. It is highly recommended to enable Azure Defender for DNS.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Dns and properties.pricingTier does not equal Standard)] exists

AWS DocumentDB Cluster is not enabled with data encryption in transit
Identifies Amazon DocumentDB Clusters for which data encryption in transit is disabled. Each DocumentDB Cluster is associated with a Cluster Parameter Group. It is highly recommended to implement in-transit encryption in order to protect data from unauthorized access as it travels through the network, between clients and the cluster.

config from cloud.resource where api.name = 'aws-docdb-db-cluster-parameter-group' AND json.rule = parameters.tls.ParameterValue equals "disabled" as X; config from cloud.resource where api.name = 'aws-docdb-db-cluster' AND json.rule = Status equals available as Y; filter '$.X.DBClusterParameterGroupName equals $.Y.DBClusterParameterGroup'; show Y;

GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites
Identifies GCP SSL Load Balancers that permit SSL policies with weak cipher suites. The GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA

config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X;
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y;
filter "$.X.sslPolicy does not exist
  or ($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy)
  or ($.Y.sslPolicies[?((@.profile=='MODERN'|| @.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy
  or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
  or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
  or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
  or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
  or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))";
show X;

GCP Load Balancer HTTPS proxy permits SSL


policies with weak cipher suites
Identifies GCP HTTPS Load Balancers that
permit SSL policies with weak cipher suites.
GCP default SSL policy uses a minimum TLS
version of 1.0 and a Compatible profile, which
allows the widest range of insecure cipher
suites.
To prevent usage of insecure features, SSL
policies should use at least TLS 1.2 with the
MODERN profile; or the RESTRICTED profile,
because it effectively requires clients to use
TLS 1.2 regardless of the chosen minimum
TLS version; or a CUSTOM profile that does
not support any of the following features:
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA

config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X;
config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y;
filter "($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy)
or ($.Y.sslPolicies[?((@.profile=='MODERN'|| @.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy
or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy
or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))";
show X;
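The three branches of that RQL filter (COMPATIBLE profile, MODERN/CUSTOM below TLS 1.2, CUSTOM with an RSA key-exchange suite enabled), worked through in plain Python over constructed SSL-policy and HTTPS-proxy records. This is an added example, not Prisma Cloud code; the selfLink and proxy names are placeholders, and the treatment of a proxy with no sslPolicy attribute is my reading of the RQL's "contains $.X.sslPolicy" clause.

```python
# Added example (not Prisma Cloud code): evaluates the logic of the weak-cipher-suite
# RQL above over constructed SSL-policy and HTTPS-proxy records.

WEAK_FEATURES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def policy_is_weak(policy):
    """Mirror the three branches of the RQL filter for one sslPolicies record."""
    profile = policy.get("profile")
    if profile == "COMPATIBLE":
        return True                      # widest range of insecure suites
    if profile in ("MODERN", "CUSTOM") and policy.get("minTlsVersion") != "TLS_1_2":
        return True                      # minimum TLS version below 1.2
    if profile == "CUSTOM" and WEAK_FEATURES & set(policy.get("enabledFeatures", [])):
        return True                      # RSA key-exchange suite enabled
    return False                         # RESTRICTED, or MODERN/CUSTOM at TLS 1.2


def weak_proxies(proxies, ssl_policies):
    """Names of HTTPS proxies whose sslPolicy selfLink points at a weak policy.

    As in the RQL's 'contains $.X.sslPolicy' test, a proxy with no sslPolicy
    attribute is not flagged here (my reading of that clause)."""
    weak_links = {p["selfLink"] for p in ssl_policies if policy_is_weak(p)}
    return sorted(p["name"] for p in proxies if p.get("sslPolicy") in weak_links)


# Constructed sample records (selfLink values and names are placeholders).
SSL_POLICIES = [
    {"name": "compat", "selfLink": "link/compat", "profile": "COMPATIBLE",
     "minTlsVersion": "TLS_1_0"},
    {"name": "modern-old", "selfLink": "link/modern-old", "profile": "MODERN",
     "minTlsVersion": "TLS_1_1"},
    {"name": "custom-weak", "selfLink": "link/custom-weak", "profile": "CUSTOM",
     "minTlsVersion": "TLS_1_2",
     "enabledFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_RSA_WITH_AES_128_GCM_SHA256"]},
    {"name": "custom-ok", "selfLink": "link/custom-ok", "profile": "CUSTOM",
     "minTlsVersion": "TLS_1_2",
     "enabledFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
    {"name": "restricted", "selfLink": "link/restricted", "profile": "RESTRICTED",
     "minTlsVersion": "TLS_1_0"},
]
HTTPS_PROXIES = [
    {"name": "api-proxy", "sslPolicy": "link/compat"},
    {"name": "web-proxy", "sslPolicy": "link/custom-ok"},
    {"name": "legacy-proxy", "sslPolicy": "link/modern-old"},
    {"name": "shop-proxy", "sslPolicy": "link/custom-weak"},
    {"name": "edge-proxy", "sslPolicy": "link/restricted"},
    {"name": "no-policy-proxy"},
]

if __name__ == "__main__":
    print(weak_proxies(HTTPS_PROXIES, SSL_POLICIES))
```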

Policy Updates-Metadata
Azure Security Center system updates monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center system updates monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that's configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
Impact— No impact on alerts.

Azure Security Center disk encryption monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center disk encryption monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy.
Impact— No impact on alerts.

Azure Security Center adaptive application controls monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center adaptive application controls monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs.
Impact— No impact on alerts.

Azure Security Center endpoint protection monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center endpoint protection monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
Impact— No impact on alerts.

Azure Security Center security configurations monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center security configurations monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system like firewall rules, password and audit policies are reviewed. Recommendations are made for setting the right level of security controls.
Impact— No impact on alerts.

Azure Security Center JIT network access monitoring is set to disabled
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
Current Name— Azure Security Center JIT network access monitoring is set to disabled
Updated Name— Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
Updated Description— Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access will enhance the protection of VMs by creating a Just in Time VM. The JIT VM with NSG rule will restrict the availability of access to the ports to connect to the VM for a pre-set time and only after checking the Role Based Access Control permissions of the user. This feature will control the brute force attacks on the VMs.
Impact— No impact on alerts.

Policy Updates-RQL
Azure Microsoft Defender for Cloud email notification for subscription owner is not set
Changes— The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check for email setting.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdm equals Off'

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdm equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists

Impact— Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.

Azure Security Center contact phone number not set
Changes— The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only Defender-enabled subscriptions.
Current Name— Azure Security Center contact phone number not set
Updated Name— Azure Microsoft Defender for Cloud security contact phone number is not set
Updated Description— Identifies Subscriptions that are not set with security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists

Impact— Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.

GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
Changes— The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policy with profile type 'RESTRICTED'.
Current RQL—

config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;

Updated RQL—

config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'|| @.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;

Impact— Low. The alerts associated with the profile type RESTRICTED will be resolved as 'Policy_Updated'.

REST API Updates

CHANGE: Removal of Update Access Key API Endpoint
DESCRIPTION: The following endpoint has been removed:
PUT /access_keys/{id}

New Features Introduced in 22.6.2


• New Features
• New Policies and Policy Updates
• REST API Updates

New Features

Feature Description

Change in Existing Behavior Alert Count on Policy Violations
This change was first announced in the look ahead that was published with the 22.5.2 release.
Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was only counted in the high category although it was also violating medium and low severity policies. In this method of counting alerts, when you view the total count of failed checks it adds up to the sum of all low, medium, and high severity failures.
The above method of counting alerts is modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert will now be counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed in several places on the Prisma Cloud management console, such as on Compliance > Overview, Asset Inventory (Inventory > Assets), and Alerts > Overview.
This change in how Prisma Cloud counts assets that failed policy checks will not be updated for any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on Compliance > Reports is a snapshot of the previous counting method for reports generated earlier. The count for failed checks in these reports will not match the data on the Compliance > Overview page when you filter for the time period for which the report was generated.
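The two counting methods described above, worked through over a constructed set of assets so the per-severity totals can be reconciled with older reports. This is an added example, not Prisma Cloud code; the asset names and severities are made up.

```python
# Added example (not Prisma Cloud code): the previous and current ways of counting
# assets that fail policy checks, over constructed asset data.
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def count_by_highest_severity(asset_violations):
    """Previous behaviour: each failing asset is counted once, under its most
    severe violation, so the per-severity counts add up to the failed total."""
    counts = Counter()
    for severities in asset_violations.values():
        if severities:
            counts[max(severities, key=SEVERITY_RANK.__getitem__)] += 1
    return dict(counts)


def count_per_severity(asset_violations):
    """Current behaviour: each failing asset is counted in every severity it
    violates, so the per-severity counts can add up to more than the total."""
    counts = Counter()
    for severities in asset_violations.values():
        for sev in set(severities):
            counts[sev] += 1
    return dict(counts)


def failed_asset_total(asset_violations):
    """Number of distinct assets failing at least one check (same under both methods)."""
    return sum(1 for severities in asset_violations.values() if severities)


# Constructed sample: asset id -> severities of the policies it violates.
SAMPLE = {
    "vm-1": ["low", "medium", "high"],
    "vm-2": ["high"],
    "bucket-1": ["low", "low"],
    "db-1": ["medium", "low"],
    "vm-3": [],
}

if __name__ == "__main__":
    print("previous:", count_by_highest_severity(SAMPLE))
    print("current: ", count_per_severity(SAMPLE))
    print("failed assets:", failed_asset_total(SAMPLE))
```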

Skips API Ingestion when Cloud Billing on GCP is Disabled
When the Cloud Asset Inventory (CAI) service is enabled and if Cloud Billing is disabled for a project by default, Prisma Cloud skips the ingestion of GCP APIs. This is true when the project is onboarded as a standalone or a child project of an organization, but not for a master service account (MSA).
Impact— If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.

Change in Existing Behavior Resolution of Undeletes for Google Cloud Resources
This change was announced in the look ahead that was published with the 22.6.1 release.
All the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations.
Impact— You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-networks-subnets-list and gcloud-compute-networks-list start ingesting data again.

Prisma Cloud Data Security Download and Scan Files up to 100MB for Malware
The file size for malware scanning is now increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.

Prisma Cloud Data Security Support for Big Data File Types
Prisma Cloud supports the following file types for data profile and data patterns:
• .avro
• .ORC
• .parquet
The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.

API Ingestions
Amazon Managed Workflows for Apache Airflow
aws-mwaa-environment
Additional permissions required:
• airflow:GetEnvironment
• airflow:ListEnvironments

AWS Systems Manager
aws-ssm-association
Additional permissions required:
• ssm:ListAssociations
• ssm:DescribeAssociation
The Security Audit role includes the permissions.

Azure Batch Account
azure-batch-account
Additional permission required:
Microsoft.Batch/batchAccounts/read
The Reader role includes the permission.

Azure Data Shares
azure-data-shares-account
Additional permission required:
Microsoft.DataShare/accounts/read
The Reader role includes the permission.

Azure Red Hat OpenShift
azure-redhat-openshift-cluster
Additional permission required:
Microsoft.RedHatOpenShift/openShiftClusters/read
The Reader role includes the permission.

Google Cloud Run Revision
gcloud-cloud-run-revisions-list
No new permissions; the Project Viewer role includes the required permissions.

Google Data Catalog
gcloud-data-catalog-taxonomy
Additional permissions required:
• datacatalog.taxonomies.list
• datacatalog.taxonomies.getIamPolicy
• datacatalog.taxonomies.get
The Viewer role includes the permissions.
Multi-region resources are not supported for Asia, EU, and US.

Google Data Catalog
gcloud-data-catalog-entry-group
Additional permissions required:
• datacatalog.entryGroups.list
• datacatalog.entryGroups.getIamPolicy
• datacatalog.entryGroups.get
The Viewer role includes the permissions.
Multi-region resources are not supported for Asia, EU, and US.

Google Security Command Center
gcloud-security-command-center-organization-source
Additional permissions required:
• securitycenter.sources.list
• securitycenter.sources.getIamPolicy
The Viewer role includes the permissions.

OCI Compute
oci-compute-vnics
Additional permissions required:
• inspect vnic-attachments
• inspect vnics
You must add the permissions manually.

OCI Compute
oci-compute-vnicattachments
Additional permission required:
inspect vnic-attachments
You must add the permission manually.

OCI Networking
oci-networking-dns-tsigkeys
Additional permissions required:
• inspect dns-tsig-keys
• read dns-tsig-keys
You must add the permissions manually.

Update API Ingestion—Amazon VPC Attribute
The following API is updated with a new attribute authorizationRules which contains the authorization rules for Client VPN endpoint.
aws-ec2-client-vpn-endpoint
Additional permissions required:
• ec2:DescribeClientVpnEndpoints
• ec2:DescribeClientVpnAuthorizationRules
The Security Audit role includes the permissions.
Impact— No impact on alerts.

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.6.3.

Policy Updates Description

New Policy
AWS Lambda Function resource-based policy is overly permissive
Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access.

config from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "*" and Condition does not exist and (Action equals "*" or Action equals lambda:*))] exists
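The condition in that RQL (Allow, anonymous principal, no Condition, wildcard action) applied to constructed Lambda resource-based policy documents. This is an added example, not Prisma Cloud or AWS code; the function names and ARNs are placeholders, and it goes one step beyond the RQL by also treating the {"AWS": "*"} principal form as anonymous, which is how AWS evaluates it.

```python
# Added example (not Prisma Cloud or AWS code): applies the new policy's
# condition to constructed Lambda resource-based policy documents.
import json

WILDCARD_ACTIONS = {"*", "lambda:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """The RQL tests Principal equals "*"; AWS also treats {"AWS": "*"} as
    everyone, so this example (going beyond the RQL) accepts both forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_is_overly_permissive(stmt):
    return (stmt.get("Effect") == "Allow"
            and _is_anonymous(stmt.get("Principal"))
            and "Condition" not in stmt
            and any(a in WILDCARD_ACTIONS for a in _as_list(stmt.get("Action", []))))


def overly_permissive_functions(functions):
    """Return the names of functions matching the policy; 'policy' is the JSON
    string returned by the Lambda GetPolicy API (or an already-parsed dict)."""
    flagged = []
    for fn in functions:
        policy = fn.get("policy")
        if policy is None:
            continue                     # no resource-based policy at all
        if isinstance(policy, str):
            policy = json.loads(policy)
        statements = _as_list(policy.get("Statement", []))
        if any(statement_is_overly_permissive(s) for s in statements):
            flagged.append(fn["FunctionName"])
    return flagged


def _doc(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


ARN = "arn:aws:lambda:us-east-1:111122223333:function:"   # placeholder account

# Constructed sample functions.
SAMPLE_FUNCTIONS = [
    # Public invoke only: not matched, because the Action is not a wildcard.
    {"FunctionName": "public-invoker", "policy": _doc(
        {"Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction",
         "Resource": ARN + "public-invoker"})},
    {"FunctionName": "wide-open", "policy": _doc(
        {"Effect": "Allow", "Principal": "*", "Action": "lambda:*",
         "Resource": ARN + "wide-open"})},
    # Wildcard action but scoped by a Condition: not matched.
    {"FunctionName": "scoped", "policy": _doc(
        {"Effect": "Allow", "Principal": "*", "Action": "*",
         "Resource": ARN + "scoped",
         "Condition": {"ArnLike": {"AWS:SourceArn":
                                   "arn:aws:sns:us-east-1:111122223333:topic"}}})},
    {"FunctionName": "service-only", "policy": _doc(
        {"Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": ARN + "service-only"})},
    {"FunctionName": "aws-star", "policy": _doc(
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["lambda:*"],
         "Resource": ARN + "aws-star"})},
    {"FunctionName": "no-policy"},
]

if __name__ == "__main__":
    print(overly_permissive_functions(SAMPLE_FUNCTIONS))
```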

Azure MySQL database flexible server SSL enforcement is disabled
Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"

Azure MySQL database flexible server using insecure TLS version
Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")

Policy Updates-Metadata
AWS Lambda function communicating with ports known to mine Monero
Changes— The policy description is updated for typos and the cloud is changed from ANY to AWS.
Updated Description— This policy identifies AWS Lambda function which is communicating with ports known to mine Monero. AWS Lambda functions when infected with Denonia malware install the XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only.
Impact— No impact on alerts.

Policy Updates—RQL
AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled
Changes— The policy RQL has been updated to check for valid ACM certificate and added remediation support.
Additional permission required to remediate the alert:

acm:UpdateCertificateOptions

Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPre equals DISABLED or options.certificateTransparencyLoggingPref does not exist)'

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPre equals DISABLED or options.certificateTransparencyLoggingPref does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1'

Remediation CLI—

aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=E

Impact— Low. Alerts will get resolved for expired ACM certificates or ACM certificates which do not have status as ISSUED.

AWS Customer Master Key (CMK) rotation is not enabled
Changes— The policy RQL has been updated to check only for KMS symmetric keys.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)'

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT

Impact— Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.

AWS Network Load Balancer (NLB) is not using the latest predefined security policy
Changes— The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”.
Updated Description— This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists

Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.

AWS RDS Instance with copy tags to snapshots disabled
Changes— The policy RQL has been updated to ignore RDS Instance with Neptune Engine.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune

Impact— Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.

Azure Application Gateway allows TLSv1.1 or lower
Changes— The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated.
Current RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersio = TLSv1_2)"

Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1))

Impact— Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.

GCP Firewall rule allows all traffic on Microsoft-DS port (445)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on MongoDB port (27017)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on Oracle DB port (1521)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on MySQL DB port (3306)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on SMTP port (25)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on PostgreSQL port (5432)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.


GCP Firewall rule allows all traffic on NetBIOS-SSN port (139)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on DNS port (53)
Changes— The RQL for the policy is modified to include IPv6 checks.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on FTP port (21)
Changes— The RQL for the policy is modified to include IPv6 checks.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on SSH port (22)
Changes— The RQL for the policy is modified to include IPv6 checks.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on RDP port (3389)
Changes— The RQL for the policy is modified to include IPv6 checks.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on POP3 port (110)
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall with Inbound rule overly permissive to All Traffic
Changes— The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[*].IPProtocol equals all'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(IPProtocol equals "all")] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on existing alerts.

GCP Firewall rule allows inbound traffic from anywhere with no specific target set
Changes— The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'

Impact— Low impact on existing alerts.

If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

REST API Updates


No REST API updates for 22.6.2.

New Features Introduced in 22.6.1


• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

FEATURE DESCRIPTION

API Ingestions

AWS IAM
aws-iam-oidc-provider
Additional permissions required:
• iam:ListOpenIDConnectProviders
• iam:GetOpenIDConnectProvider

AWS Lambda
aws-lambda-code-signing-config
Additional permission required:
lambda:ListCodeSigningConfigs

AWS Lambda
aws-lambda-list-functions
Additional permission required:
lambda:GetFunctionUrlConfig

AWS Route53 Resolver
aws-route53resolver-query-logging-config-association
Additional permission required:
route53resolver:ListResolverQueryLogConfigAssociations

AWS Route53 Resolver
aws-route53resolver-query-logging-config
Additional permissions required:
• route53resolver:ListResolverQueryLogConfigs
• route53resolver:ListTagsForResource

Azure HPC Cache
azure-hpc-cache
Additional permissions required:
• Microsoft.StorageCache/caches/read
• Microsoft.StorageCache/Subscription/caches/read


Azure Media Service
azure-media-service-account
Additional permission required:
Microsoft.Media/mediaservices/read

Azure Service Fabric
azure-service-fabric-cluster
Additional permission required:
Microsoft.ServiceFabric/clusters/read

Azure Virtual Network
azure-network-effective-nsg
Additional permission required:
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
The Network Contributor role includes this permission, and it does not need to be explicitly granted if you have provided this role to Prisma Cloud.

Azure Virtual Network
azure-network-effective-route-table
Additional permission required:
Microsoft.Network/networkInterfaces/effectiveRouteTable/action
The Network Contributor role includes this permission, and it does not need to be explicitly granted if you have provided this role to Prisma Cloud.

Google Certificate Authority Service
gcloud-certificate-authority-revocation-lists


Additional permissions required:
• privateca.certificateRevocationLists.list
• privateca.certificateRevocationLists.getIamPolicy

Google Compute Engine
gcloud-compute-backend-bucket
Additional permission required:
compute.backendBuckets.list

Google Compute Engine
gcloud-compute-external-backend-service
Additional permission required:
compute.backendServices.list

OCI Big Data Service
oci-bigdataservice-instances
Additional permissions required:
• inspect bds-instances
• read bds-instances

OCI Data Integration
oci-dataintegration-workspaces
Additional permissions required:
• inspect dis-workspaces
• read dis-workspaces

OCI Data Science
oci-datascience-projects
Additional permissions required:


• inspect data-science-projects

• read data-science-projects

Update Support for Azure Virtual Network API Ingestions

To support ingestion for these Azure Virtual Network APIs:
azure-network-effective-nsg
azure-network-effective-route-table
the Azure onboarding Terraform templates now include granular permissions for:
• Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
• Microsoft.Network/networkInterfaces/effectiveRouteTable/action
The Network Contributor role in Azure includes these two permissions, and they do not need to be explicitly granted if you have provided this role to Prisma Cloud.

Permissions in the Azure Terraform Template

The Azure Terraform template in Monitor and Monitor & Protect modes, used for onboarding Azure Subscriptions and Azure Tenants with Management Groups on Prisma Cloud, includes the following permission:
Microsoft.ContainerRegistry/registries/listCredentials/action
This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities on Code Security.

Change in Existing Behavior: Support for Google Cloud API Ingestions

When you onboard using granular permissions, you must provide additional permissions for the following GCP APIs:
• Google PubSub
gcloud-pubsub-subscription
Additional permission required: pubsub.subscriptions.get
gcloud-pubsub-topic
Additional permission required: pubsub.topics.get
• Google Dataproc Clusters
gcloud-dataproc-clusters-list
Additional permission required: dataproc.clusters.get
These permissions are part of the predefined Viewer role and are automatically included if you are using that primitive role.

New Policies and Policy Updates


No new policies or policy updates for 22.6.1.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for Australian Energy Sector Cyber Security Framework (AESCSF)
The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian Energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture.
The framework involves the analysis of two aspects:
• Criticality assessment
• Cyber security capability and maturity self-assessment


Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The ISM outlines a cyber security framework that you can apply, using a risk management framework, to protect information and systems from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.

Support for Australian Cyber Security Centre (ACSC) Essential Eight
The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the ACSC’s recommended Strategies to Mitigate Cyber Security Incidents. The essential eight security controls are:
• Application Control — to control the execution of unauthorized software
• Configure Macros — to block untrusted macros
• Patch Application — to remediate known security vulnerabilities
• Application Hardening — to protect against vulnerable functionality
• Restrict Admin Permissions — to limit powerful access to systems
• Patch Operating Systems — to remediate known security vulnerabilities
• Multi-Factor Authentication — to protect against risky activities
• Daily Backups — to maintain the availability of critical data

Update New Zealand Information Security Manual (NZISM v3.4)
Prisma Cloud has extended the compliance support to other cloud accounts, including Azure, Alibaba, GCP, and OCI, along with AWS.

REST API Updates


No REST API updates for 22.6.1.


Features Introduced in May 2022


Learn what’s new on Prisma™ Cloud in May 2022.
• New Features Introduced in 22.5.2
• New Features Introduced in 22.5.1

New Features Introduced in 22.5.2


• New Features
• New Policies and Policy Updates
• REST API Updates

New Features

FEATURE DESCRIPTION

Burndown Widgets in Adoption Advisor
The Adoption Advisor now includes two new widgets for risk and incident burndown. These widgets show you the number of high severity misconfigurations or risks and incidents detected in your cloud environment, and your team’s progress on remediating these issues. The count of remediated risks and incidents includes alerts that are in the resolved, dismissed, or snoozed states.

API Ingestions

Amazon EKS
aws-eks-node-group
Additional permissions required:
• eks:ListClusters
• eks:DescribeNodegroup
• eks:ListNodegroups


Amazon Batch
aws-batch-compute-environment
Additional permission required:
batch:DescribeComputeEnvironments

Amazon Lake Formation
aws-lake-formation-setting
Additional permission required:
lakeformation:GetDataLakeSettings

Azure App Service
azure-app-service-domain
Additional permission required:
Microsoft.DomainRegistration/domains/Read

Azure App Service
azure-app-service-environment
Additional permission required:
Microsoft.Web/hostingEnvironments/Read

Azure App Service
azure-app-service-plan
Additional permission required:
Microsoft.Web/serverfarms/Read

Azure Compute
azure-vm-start-time
No new permissions; the Reader role includes the required permissions.


Google Stackdriver Logging
gcloud-logging-bucket
Additional permission required:
logging.buckets.list

Google Network Intelligence Center
gcloud-network-intelligence-center-firewall-insight
Additional permission required:
recommender.computeFirewallInsights.list

Google Managed Microsoft AD
gcloud-managed-microsoft-ad-domain
Additional permissions required:
• managedidentities.domains.list
• managedidentities.domains.get
• managedidentities.domains.getIamPolicy
• managedidentities.sqlintegrations.list

OCI Data Flow
oci-dataflow-applications
Additional permissions required:
• inspect dataflow-application
• read dataflow-application
This API is not supported in the ap-hyderabad-1 region.

OCI Streaming
oci-streaming-streampools
Additional permissions required:
• inspect stream-pools
• read stream-pools

OCI Streaming
oci-streaming-streams
Additional permissions required:
• inspect streams
• read streams

Update

Azure Storage
azure-storage-account-list
This API has been updated to show the following new field in the resource JSON:
advancedThreatProtectionSettings
Azure Advanced Threat Protection settings are not supported in Azure China.

Update gcloud-storage-buckets-list API
For new ingestions of this API, the metadata ingestion will no longer include the timeCreated attribute for the bucket. In RQL, the key will not be available in the json.rule attribute for auto completion, and you cannot define custom policies based on this key. If you have any saved searches that include the timeCreated attribute, they will no longer return resources.

New Policies and Policy Updates


See the look ahead updates for planned changes and policy updates in 22.6.1.

POLICY UPDATES DESCRIPTION


New Policies

Azure Virtual Desktop session host is not configured with managed identity
Identifies Virtual Desktop session hosts that are not configured with managed identity. Managed identity can be used to authenticate to any service that supports Azure AD authentication, without having credentials in your code. Storing credentials in code increases the threat surface in case of exploitation, and managed identities eliminate the need for developers to manage credentials. As a security best practice, it is recommended to assign a managed identity to your Virtual Desktop session hosts.

config from cloud.resource where api.name = 'azure-virtual-desktop-session-host' AND json.rule = session-hosts[*] is not empty and session-hosts[*].properties.resourceId exists as X; config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" as Y; filter '$.X.session-hosts[*].properties.resourceId equal ignore case $.Y.id and ($.Y.identity does not exist or $.Y.identity.type equal ignore case None)'; show Y;

AWS IAM Policy permission may cause privilege escalation
Identifies AWS IAM policies that have permissions that may cause privilege escalation. An AWS IAM policy with overly permissive IAM actions could be exploited by an attacker to elevate privileges. It is recommended to follow the principle of least privilege, ensuring that AWS IAM policies do not have these sensitive permissions.

config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action contains iam:CreatePolicyVersion or Action contains iam:SetDefaultPolicyVersion or Action contains iam:PassRole or Action contains iam:CreateAccessKey or Action contains iam:CreateLoginProfile or Action contains iam:UpdateLoginProfile or Action contains iam:AttachUserPolicy or Action contains iam:AttachGroupPolicy or Action contains iam:AttachRolePolicy or Action contains iam:PutUserPolicy or Action contains iam:PutGroupPolicy or Action contains iam:PutRolePolicy or Action contains iam:AddUserToGroup or Action contains iam:UpdateAssumeRolePolicy or Action contains iam:*))] exists
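As an added example (not Prisma Cloud's code) of the check this policy's RQL performs, the following Python flags policy-version records the way the RQL would: attached policies whose Allow statements grant one of the listed IAM actions. The policyName labels and the sample policy documents are constructed assumptions; action matching here is exact rather than the RQL's "contains".

```python
"""Added example (not Prisma Cloud's code): local mirror of the
"AWS IAM Policy permission may cause privilege escalation" RQL above,
run over records shaped like the aws-iam-get-policy-version ingestion
(isAttached plus the policy document). Sample records are constructed."""
from __future__ import annotations

# The IAM actions the RQL tests with "Action contains ...".
ESCALATION_ACTIONS = frozenset({
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:PassRole",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:*",
})


def _as_list(value) -> list:
    """IAM lets Statement and Action be either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def escalation_actions(document: dict) -> list[str]:
    """Sorted escalation-capable actions granted by Allow statements.
    Deny statements are ignored, as in the RQL (Effect equals Allow).
    Matching is exact and case-sensitive in this example."""
    found = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        found.update(a for a in _as_list(stmt.get("Action"))
                     if a in ESCALATION_ACTIONS)
    return sorted(found)


def violates_policy(policy_version: dict) -> bool:
    """Mirror of the RQL: isAttached is true AND an Allow statement grants
    one of the actions. An unattached policy is not flagged, as in the RQL."""
    if policy_version.get("isAttached") is not True:
        return False
    return bool(escalation_actions(policy_version.get("document", {})))


def flagged_policy_names(policy_versions: list[dict]) -> list[str]:
    """Names (constructed labels) of the records the policy would alert on."""
    return [p["policyName"] for p in policy_versions if violates_policy(p)]


# Constructed sample records (policyName is a label for this example only).
SAMPLE_POLICY_VERSIONS = [
    {"policyName": "deploy-helper", "isAttached": True, "document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["lambda:UpdateFunctionCode", "iam:PassRole"]}]}},
    {"policyName": "read-only-audit", "isAttached": True, "document": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"}}},
    {"policyName": "legacy-admin", "isAttached": False, "document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
    {"policyName": "explicit-deny", "isAttached": True, "document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]}},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICY_VERSIONS:
        verdict = "FLAGGED" if violates_policy(p) else "ok"
        print(f"{p['policyName']:16} {verdict:8} {escalation_actions(p['document'])}")
```

Note that legacy-admin grants iam:* but is not attached, so the RQL (and this mirror) does not alert on it until it is attached.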

Azure Spring Cloud service is not configured with virtual network
Identifies Azure Spring Cloud services that are not configured with a virtual network. Spring Cloud configured with a virtual network isolates apps and service runtime from the internet on your corporate network and provides control over inbound and outbound network communications for Azure Spring Cloud. As a security best practice, it is recommended to deploy the Spring Cloud service in a virtual network.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic and properties.networkProfile.serviceRuntimeSu does not exist

Policy Updates—RQL

GCP Firewall rule allows all traffic on HTTP port (80)
Changes— The RQL is modified to check if the firewall rule is disabled and includes an IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(80,80) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low.

Prisma™ Cloud Release Notes 419 ©2023 Palo Alto Networks, Inc.
Prisma™ Cloud Release Information

GCP Firewall rule allows all traffic on Telnet port (23)
Changes— The RQL is modified to check if the firewall rule is disabled and includes an IPv6 check. The remediation CLI is modified to disable the vulnerable firewall rule instead of deleting it.
Additional permissions required:
• compute.firewalls.update
• compute.networks.updatePolicy

Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(23,23) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(23,23) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists

Updated CLI—

gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled

Impact— Low impact on new alerts that were generated based on IP checks included in the updated RQL.
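As an added example (not Prisma Cloud's code) covering the GCP firewall policy updates in 22.6.2 above and the HTTP and Telnet updates here, the following Python evaluates firewall rule records, in the JSON shape of `gcloud compute firewall-rules list --format=json`, against both the previous and the updated RQL logic, so the alert differences (IPv6-only sources, bare 0.0.0.0, disabled rules) are visible. The sample rules, rule names and project name are constructed assumptions.

```python
"""Added example (not Prisma Cloud's code): local evaluator for the GCP
firewall policy updates. It mirrors the updated per-port RQL (rule enabled,
direction INGRESS, any all-hosts IPv4 or IPv6 source, a matching allowed
port or a port-less tcp/udp allow), the "All Traffic" RQL, and the previous
RQL that only matched 0.0.0.0/0. Sample rules below are constructed."""
from __future__ import annotations

# Source ranges the updated RQL treats as "anywhere" (IPv4 and IPv6 forms).
ANY_SOURCE = frozenset({"0.0.0.0", "0.0.0.0/0", "::", "::0", "::/0"})
# What the previous RQL matched with 'sourceRanges[*] contains 0.0.0.0/0'.
OLD_ANY_SOURCE = frozenset({"0.0.0.0/0"})


def port_in_ranges(port: int, ports: list[str]) -> bool:
    """Mirror _Port.inRange(p,p): entries look like "22" or "1000-2000"."""
    for entry in ports:
        lo, _, hi = entry.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if low <= port <= high:
            return True
    return False


def allows_port(rule: dict, port: int) -> bool:
    """allowed[?any(ports contains _Port.inRange(p,p) or (ports does not exist
    and (IPProtocol contains tcp or IPProtocol contains udp)))] exists"""
    for entry in rule.get("allowed", []):
        if "ports" in entry:
            if port_in_ranges(port, entry["ports"]):
                return True
        elif entry.get("IPProtocol") in ("tcp", "udp"):
            return True  # protocol-wide allow with no port list
    return False


def allows_all_traffic(rule: dict) -> bool:
    """'overly permissive to All Traffic': allowed[?any(IPProtocol equals "all")] exists"""
    return any(e.get("IPProtocol") == "all" for e in rule.get("allowed", []))


def open_to_anywhere(rule: dict) -> bool:
    """Shared prefix of every updated RQL: enabled, INGRESS, an all-hosts source."""
    if rule.get("disabled") is not False or rule.get("direction") != "INGRESS":
        return False
    return any(src in ANY_SOURCE for src in rule.get("sourceRanges", []))


def matches_updated_rql(rule: dict, port: int | None) -> bool:
    """port=None evaluates the All Traffic policy, otherwise the per-port policy."""
    if not open_to_anywhere(rule):
        return False
    return allows_all_traffic(rule) if port is None else allows_port(rule, port)


def matches_current_rql(rule: dict, port: int) -> bool:
    """Previous per-port RQL: 0.0.0.0/0 only, no disabled or direction check."""
    if not any(src in OLD_ANY_SOURCE for src in rule.get("sourceRanges", [])):
        return False
    return allows_port(rule, port)


def remediation_command(project: str, rule_name: str) -> str:
    """The updated remediation CLI: disable the rule instead of deleting it."""
    return f"gcloud compute --project={project} firewall-rules update {rule_name} --disabled"


def evaluate(rules: list[dict], port: int) -> dict[str, dict[str, bool]]:
    """Per rule name: did the previous RQL alert, does the updated RQL alert."""
    return {r["name"]: {"current": matches_current_rql(r, port),
                        "updated": matches_updated_rql(r, port)} for r in rules}


# Constructed sample rules; MySQL port 3306 is the port under test.
_MYSQL = [{"IPProtocol": "tcp", "ports": ["3306"]}]
SAMPLE_RULES = [
    {"name": "mysql-v4-open", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": _MYSQL},
    {"name": "mysql-v6-open", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": _MYSQL},
    {"name": "mysql-disabled", "disabled": True, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": _MYSQL},
    {"name": "db-port-range", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "tcp-no-ports", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "all-protocols", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["::0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "internal-only", "disabled": False, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": _MYSQL},
]

if __name__ == "__main__":
    for name, v in evaluate(SAMPLE_RULES, 3306).items():
        print(f"{name:15} previous={v['current']!s:5} updated={v['updated']}")
    print(remediation_command("example-project", "mysql-v6-open"))
```

The all-protocols rule is caught by the All Traffic policy rather than the per-port one, because its allow entry has no port list and its IPProtocol is "all", not tcp or udp.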

REST API Updates

CHANGE DESCRIPTION

Last Updated Timestamps for List Alert V2 API
The lastUpdated attribute is now added to the List Alerts V2 response for the POST /v2/alert endpoint. This attribute contains a timestamp to indicate when an alert was last updated. It also includes a timestamp for resource updates, policy updates, alert rule updates, alert status changes, and so on.

New Features Introduced in 22.5.1


• New Features
• New Policies and Policy Updates
New Features

FEATURE DESCRIPTION

Update Onboarding Cloud Accounts UI
The cloud accounts onboarding has an updated UI, and Prisma Cloud displays the onboarding information in a new and improved way.


resource.state RQL Attribute
You can now use the optional source/dest.resource.state RQL attribute to find resources that are active (for example, an EC2 instance whose state is running) or inactive (for example, an EC2 instance whose state is stopped) on Prisma Cloud. The available values are Active or Inactive.
For example:

config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'

When source/dest.resource.state is not specified in the query, the RQL query displays both Active and Inactive resources in the result.

Change in Existing Behavior: Resolve Undeletes for Google Cloud Resources
All the resources for gcloud-container-describe-clusters, gcloud-compute-nat, and gcloud-iam-service-accounts-list will be deleted once and then regenerated on the management console. Existing alerts corresponding to these resources will be resolved as Resource_Updated and new alerts will be generated against policy violations.

API Ingestions

Amazon ECR
aws-ecr-registry-scanning-configuration
Additional permission required:
ecr:GetRegistryScanningConfiguration

AWS ACM Private Certificate Authority
aws-acm-pca-certificate-authority
Additional permissions required:
• acm-pca:ListTags
• acm-pca:GetPolicy
• acm-pca:ListCertificateAuthorities

Azure Data Box Gateway


azure-databox-gateway
Additional permission required:

Microsoft.DataBoxEdge/dataBoxEdg
eDevices/read

Azure Availability Sets


azure-vm-availability-set
Additional permission required:

Microsoft.Compute/availabilitySe
ts/read

Azure Notification Hubs


azure-notification-hub-namespace
Additional permission required:

Microsoft.NotificationHubs/Names
paces/read

Azure Notification Hubs


azure-notification-hub
Additional permission required:

Microsoft.NotificationHubs/Names
paces/NotificationHubs/read

Azure Local Network Gateways


azure-local-network-gateways
Additional permission required:

Microsoft.Network/localnetworkga
teways/read

Prisma™ Cloud Release Notes 423 ©2023 Palo Alto Networks, Inc.
Prisma™ Cloud Release Information

Azure NetApp Files


azure-netappfiles-account
Additional permission required:

Microsoft.NetApp/netAppAccounts/
read

Azure Database for PostgreSQL


azure-postgresql-flexible-server
Additional permissions required:
• Microsoft.DBforPostgreSQL/fle
xibleServers/read

• Microsoft.DBforPostgreSQL/fle
xibleServers/firewallRules/re
ad

• Microsoft.DBforPostgreSQL/fle
xibleServers/configurations/r
ead

Azure Database for MySQL


azure-mysql-flexible-server
Additional permissions required:
• Microsoft.DBforMySQL/flexible
Servers/read

• Microsoft.DBforMySQL/flexible
Servers/firewallRules/read

• Microsoft.DBforMySQL/flexible
Servers/configurations/read

OCI IAM
oci-iam-identityproviders
Additional permission required:

inspect identity-providers

Prisma™ Cloud Release Notes 424 ©2023 Palo Alto Networks, Inc.
Prisma™ Cloud Release Information

Google Essential Contacts


gcloud-essential-contacts-project-contact
Additional permission required:

essentialcontacts.contacts.list

Google Service Directory


gcloud-service-directory-namespace
Additional permissions required:
• servicedirectory.namespaces.l
ist

• servicedirectory.namespaces.g
etIamPolicy

Google Organization Policy


gcloud-organization-policy-project-constraint
Additional permissions required:
• orgpolicy.constraints.list

• orgpolicy.policy.get

Google Access Approval


gcloud-access-approval-org-approval-setting
Additional permission required:

accessapproval.settings.get

Change in Existing Behavior gcloud-compute- Prisma Cloud displays the gcloud-compute-


internal-lb-backend-service API Ingestion internal-lb-backend-service region on the
Investigate page.
This change will cause a one-time delete of
resources and alerts, which will be re-opened.


New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies
AWS IAM policy overly permissive to Lambda service
Identifies IAM policies that are overly permissive to the Lambda service. AWS provides serverless compute through its Lambda service; serverless functions let organizations run code for applications or backend services without provisioning virtual machines or managing servers. It is recommended to follow the principle of least privilege, granting only the specific Lambda actions that are required and only on the specific resources that need them.

config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals lambda:* or Action[*] equals lambda:*) and (Resource equals * or Resource[*] equals *) and Condition does not exist)] exists

AWS Lambda IAM policy overly permissive to all traffic
Identifies AWS Lambda IAM policies that are overly permissive to all traffic. It is recommended that access to Lambda be restricted so that only authorized users and applications can reach the service.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any((Condition.ForAnyValue:IpAddress.aws:So contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0 or Condition.ForAnyValue:IpAddress.aws:Source contains ::/0) and Effect equals Allow and Action anyStartWith lambda:)] exists

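The two RQL rules above normalise IAM's string-or-list fields (Action, Resource, aws:SourceIp) before matching. The following Python is an added example, not Prisma Cloud's own code, that re-implements both checks against a policy document such as the Document returned by aws iam get-policy-version, so the logic can be tried against an exported policy offline. The policy documents in it are constructed, and it treats any aws:SourceIp entry with a /0 prefix as "all traffic", which is slightly stricter than the RQL's substring contains.

```python
"""Flag IAM policy statements that are overly permissive to Lambda.

Added example, not Prisma Cloud's own code: a Python re-implementation of
the two RQL checks above for an exported policy document (for example the
Document field returned by `aws iam get-policy-version`). The policy
documents below are constructed.
"""
import ipaddress


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and
    condition values; normalise both to a list, as the RQL does with
    `Action equals ... or Action[*] equals ...`."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lambda_wildcard_statements(policy):
    """Statements that Allow lambda:* on Resource * with no Condition at all."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "lambda:*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt)
    return hits


def _is_any_network(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def lambda_open_source_ip_statements(policy):
    """Statements that Allow any lambda: action while the only network
    restriction is an aws:SourceIp condition covering the whole internet."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.startswith("lambda:") for a in _as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {})
        ranges = []
        for operator in ("IpAddress", "ForAnyValue:IpAddress"):
            ranges += _as_list(cond.get(operator, {}).get("aws:SourceIp"))
        if any(_is_any_network(r) for r in ranges):
            hits.append(stmt)
    return hits


# Constructed policy documents: a lambda:* wildcard without a Condition, and a
# policy whose aws:SourceIp "restriction" includes 0.0.0.0/0.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:billing"},
    ],
}
OPEN_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
        "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/8", "0.0.0.0/0"]}},
    },
}
```

Note that a Statement can itself be a single object rather than a list, which is why the same normalisation is applied at the top level; the second policy is deliberately only caught by the source-IP check, because the presence of a Condition block excludes it from the wildcard check, exactly as in the RQL.
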
AWS Lambda function communicating with ports known to mine Monero
Identifies AWS Lambda functions that are communicating with ports known to be used for mining Monero. Lambda functions infected with the Denonia malware install the XMRig mining software, which is used to mine Monero. It is highly recommended to restrict Lambda function traffic to known hosts or services only.

network from vpc.flow_record where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' , 'AWS IPs', 'Azure IPs', 'GCP IPs' ) and protocol IN ( 'TCP' ) and dest.port = 3333 and dest.resource IN ( resource where role IN ( 'AWS Lambda' ) ) and bytes > 0

AWS RDS PostgreSQL exposed to local file read vulnerability
Identifies AWS RDS PostgreSQL instances that are exposed to a local file read vulnerability. AWS RDS PostgreSQL versions shipped with the vulnerable 'log_fdw' extension are exposed to a local file read vulnerability, due to which an attacker could gain access to local system files of the database instance within their account, including a file that contained credentials specific to PostgreSQL. It is highly recommended to upgrade AWS RDS PostgreSQL to the latest version.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals postgres and engineVersion is member of ('13.2','13.1','12.6','12.5','12.4','12.3'

AWS Aurora PostgreSQL exposed to local file read vulnerability
Identifies AWS Aurora PostgreSQL instances that are exposed to a local file read vulnerability. AWS Aurora PostgreSQL versions shipped with the vulnerable 'log_fdw' extension are exposed to a local file read vulnerability, due to which an attacker could gain access to local system files of the database instance within their account, including a file that contained credentials specific to Aurora PostgreSQL. It is highly recommended to upgrade AWS Aurora PostgreSQL to the latest version.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and engine equals aurora-postgresql and engineVersion is member of ('10.11','10.12','10.13','11.6','11.7','11

Azure Recovery Services vault is not configured with managed identity
Identifies Recovery Services vaults that are not configured with a managed identity. A managed identity can be used to authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Storing credentials in code increases the attack surface if the code is exposed, and managed identities remove the need for developers to manage those credentials. As a security best practice, it is recommended to assign a managed identity to your Recovery Services vault.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-recovery-service-vault' AND json.rule = properties.provisioningState equals Succeeded and (identity does not exist or identity.type equal ignore case "None")

GCP Firewall rule exposes GKE clusters by allowing all traffic on port 10250
Identifies GCP firewall rules that allow all traffic on port 10250, which gives full access to GKE nodes. Port 10250 is the kubelet API port; the kube-apiserver (running on the control plane hosts) uses it for exec and logs. As a security best practice, port 10250 should not be exposed to the public.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10250,10250) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X;

Permissions required to run the CLI:
• compute.firewalls.update
• compute.networks.updatePolicy

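The RQL above combines three conditions, an enabled INGRESS rule, an any-source range, and either an explicit port range covering 10250 or no port list at all (which in Compute Engine means every port of that protocol), and then joins to RUNNING clusters on the same network. The Python below is an added example, not Prisma Cloud's own code, that implements the same evaluation for an arbitrary port, so it covers both this policy (10250) and the companion policy for the kubelet read-only port 10255 in the 22.4.1 notes. The firewall rules and clusters are constructed in the shape of the Compute Engine firewalls.list and GKE cluster JSON, and the network join uses a path-suffix match rather than the RQL's substring contains.

```python
"""Does a GCP VPC firewall rule expose a given port to the whole internet?

Added example, not Prisma Cloud's own code. It re-implements the RQL logic
above in Python for a single port (10250 for the kubelet API, 10255 for the
kubelet read-only port) against firewall rule JSON in the shape returned by
the Compute Engine firewalls.list API. The rules and clusters are constructed.
"""

# The literal source ranges the RQL treats as "any source".
ANY_SOURCE = {"0.0.0.0/0", "0.0.0.0", "::/0", "::", "::0"}


def _port_in_spec(port, spec):
    """Compute Engine port specs are "N" or "N-M" (inclusive)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return lo_i <= port <= hi_i


def rule_exposes_port(rule, port):
    """True when an enabled INGRESS rule from an any-source range allows `port`."""
    if rule.get("disabled", False) or rule.get("direction") != "INGRESS":
        return False
    if not (set(rule.get("sourceRanges", [])) & ANY_SOURCE):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        ports = allowed.get("ports")
        if ports is None:
            # No port list means every port of that protocol; icmp etc. carry no ports.
            if proto in ("tcp", "udp", "all"):
                return True
        elif any(_port_in_spec(port, p) for p in ports):
            return True
    return False


def exposed_cluster_rules(rules, clusters, port):
    """Names of rules exposing `port` on a network that hosts a RUNNING GKE cluster.

    Firewall rules carry the network as a full URL while GKE reports
    projects/<p>/global/networks/<name>, so match on the path suffix.
    """
    running_networks = {
        c["networkConfig"]["network"] for c in clusters if c.get("status") == "RUNNING"
    }
    return [
        r["name"] for r in rules
        if rule_exposes_port(r, port)
        and any(r.get("network", "").endswith(n) for n in running_networks)
    ]


# Constructed inventory: one rule that exposes the kubelet ports, one internal-only
# rule, one icmp-only rule, and one disabled allow-all rule.
NET = "https://www.googleapis.com/compute/v1/projects/demo/global/networks/"
SAMPLE_RULES = [
    {"name": "allow-kubelet-any", "direction": "INGRESS", "disabled": False,
     "network": NET + "prod-vpc", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "10000-10300"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "disabled": False,
     "network": NET + "prod-vpc", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-icmp-any", "direction": "INGRESS", "disabled": False,
     "network": NET + "prod-vpc", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "allow-everything-disabled", "direction": "INGRESS", "disabled": True,
     "network": NET + "dev-vpc", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp"}]},
]
SAMPLE_CLUSTERS = [
    {"name": "prod-gke", "status": "RUNNING",
     "networkConfig": {"network": "projects/demo/global/networks/prod-vpc"}},
    {"name": "dev-gke", "status": "STOPPING",
     "networkConfig": {"network": "projects/demo/global/networks/dev-vpc"}},
]
```

The disabled rule is the case to keep in mind when reviewing firewall exports: it would expose everything on every port if re-enabled, but neither the RQL nor this check flags it until it is.
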
Policy Updates—RQL
AWS Network Load Balancer (NLB) is not using the latest predefined security policy
Changes— AWS updated the recommended security policy for Network Load Balancers configured with TLS. Due to this change, the policy RQL, description, and recommendation steps have been updated accordingly.
Updated Description— Identifies Network Load Balancers (NLBs) that are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. It is recommended to use the latest predefined security policy, which uses only secure protocols and ciphers.
It is recommended to use the ELBSecurityPolicy-TLS13-1-0-2021-06 policy if you require Forward Secrecy (FS), and the ELBSecurityPolicy-2016-08 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'type equals network and listeners[?any(protocol equals TLS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists'

Updated RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists

Impact— Medium. Alerts for resources that had the older security policies will be resolved as 'Policy_Updated', and new alerts will be created if the security policy of a Network Load Balancer configured with TLS is not one of the policies recommended by AWS.

GCP User managed service accounts have user managed service account keys
Changes— The policy RQL is updated to exclude the Prisma Cloud specific service account, and the description is modified based on the updated RQL.
Updated Description— Identifies user-managed service accounts that use user-managed service account keys instead of Google-managed keys. For user-managed keys, the user has to take ownership of key management activities. Even with owner precautions, keys can easily be leaked through common development malpractices such as checking keys into source code, leaving them in a downloads directory, or accidentally posting them on support blogs or channels. It is recommended to limit the use of user-managed service account keys and instead use Google-managed keys, which cannot be downloaded.

This policy might alert on service accounts that were not created using Terraform for cloud account onboarding. These alerts are valid because no user-managed service account should be used for cloud account onboarding.

Current RQL—

config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X;

Updated RQL—

config from cloud.resource where api.name = 'gcloud-iam-service-accounts-keys-list' as X; config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' as Y; filter '($.X.name does not contain prisma-cloud and $.X.name contains iam.gserviceaccount.com and $.X.name contains $.Y.email and $.X.keyType contains USER_MANAGED)' ; show X;

Impact— Medium. The RQL modification will resolve alerts associated with the Prisma Cloud specific service accounts.

Policy Updates—Metadata
AWS EMR cluster is not enabled with local disk encryption using CMK
Changes— The policy name and description are updated.
Current Name— AWS EMR cluster is not enabled with local disk encryption using CMK
Updated Name— AWS EMR cluster is not enabled with local disk encryption using Custom key provider
Updated Description— Identifies AWS EMR clusters that are not enabled with local disk encryption using a custom key provider. Applications use the local file system on each cluster instance for intermediate data throughout workloads, and data can be spilled to disk when it overflows memory. With local disk encryption in place, that data at rest is protected.
Impact— No impact on existing alerts.

Azure Policies
Changes— The recommendation steps for the following policies are updated to match the Azure UI changes:
• Azure SQL databases Defender setting is set to Off
• Azure SQL server Defender setting is set to Off
• Azure SQL Databases with disabled Email service and co-administrators for Threat Detection
• Azure SQL Server ADS Vulnerability Assessment 'Also send email notifications to admins and subscription owners' is disabled
• Azure SQL Server ADS Vulnerability Assessment is disabled
• Azure SQL Server ADS Vulnerability Assessment 'Send scan reports to' is not configured
• Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled
Impact— No impact on existing alerts.

Policy Deletions
Azure Policies
Changes— The following policies are deleted because the Setting feature is no longer available in the Azure UI:
• Azure SQL Server threat logs retention is less than 91 days
• Azure SQL Database with Threat Retention less than or equals to 90 days
• Azure SQL Server threat detection alerts not enabled for all threat types
• Send alerts on field value on SQL Databases is misconfigured
• Threat Detection types on SQL databases is misconfigured
Impact— Previously generated alerts will be resolved as Policy_Deleted.
The compliance mapping for the policies listed above is removed, which can affect the compliance score. The affected compliance standards are: APRA, CMMC_1_02, CSA_CCM_V4, HITRUST942, ISO_27002_2013, ISO_27017_2015, LGPD, NIST_800_171R2, NIST_800_172, NIST_800_53_R4_AZU_LEG, NIST_800_53_R5_AZURE, NIST_CSF_V_1_1, PCIDSS_321, AZURE_CCPA, AZURE_PIPEDA, MLPS20_AZURE, AZURE_CSA_CCM_V301, AZURE_HITRUST_V93, AZURE_NIST_CSF, AZURE_SOC2, CIS_AZURE_120, CIS_AZURE_V1.1, ISO_27018_2019
Impact— Low impact on existing alerts.

Features Introduced in April 2022


Learn what’s new on Prisma™ Cloud in April 2022.
• New Features Introduced in 22.4.2
• New Features Introduced in 22.4.1

New Features Introduced in 22.4.2


• New Features
• New Policies and Policy Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

Prisma Cloud Data Security—Scan Resources By True File Type
When scanning files for data security, files are now identified by their True File Type, as determined from file metadata, regardless of the file extension, for all supported file types. Alerts are generated whenever a file that is scanned based on its True File Type violates a Prisma Cloud Data Security policy.
Previously, the Data Security Settings page displayed the aggregate file size of all files supported for Sensitive Data Scan and Malware Scan based on their file extensions, under their respective columns. With True File Type, the page now displays the aggregate file size of all eligible files based on their True File Type, regardless of their file extensions. Prisma Cloud Data Security still only supports files up to 20MB.

When adding a data policy, if you select the File Extension checkbox, Prisma Cloud Data Security will still scan files based only on their True File Type, regardless of their file extensions.


Auto Completion Updates for Amazon VPC API RQL Query
On the Investigate page, the RQL config query for the aws-describe-vpc-endpoints API displays the appropriate fields under policyDocument.Statement[] during auto-completion. For example, if you want to construct the RQL query config from cloud.resource where api.name = 'aws-describe-vpc-endpoints' AND json.rule = serviceName ends with ".s3" and policyDocument.Statement[].Condition.StringEquals.aws:Princi is not member of (o-0hc9vcq8o1, o-slnhz39n91), you can see policyDocument.Statement[].Condition.StringEquals.aws:Pr appear in the list automatically.

Change in Existing Behavior: Prisma Cloud Data Security—Object Scan for Glacier Deep Archive and Glacier Flexible Retrieval Storage Classes
The feature that showed objects belonging to the Glacier Deep Archive and Glacier Flexible Retrieval (formerly Glacier) storage classes as Unsupported storage class in Inventory is disabled, and objects that belong to these two storage classes now display as Not Supported.

Update Permissions in the GCP Terraform Template
The GCP Terraform template in Monitor & Protect mode, used for onboarding GCP accounts on Prisma Cloud, now includes the following permissions to support VM image scanning:
• compute.disks.create
• compute.images.get
• compute.images.list
• compute.images.useReadOnly
• compute.instances
• compute.instances.delete
• compute.instances.get
• compute.instances.list
• compute.instances.setTags
• compute.networks.g
• compute.networks.use
• compute.networks.useExternalIp
• compute.subnetworks.use
• compute.subnetworks.useExternalIp

Update AWS CFT Permissions and API Token Duration
If you are using the Code Security module on Prisma Cloud, the AWS CFTs for onboarding commercial, Gov, and China accounts have been updated to include permissions for detecting when resources that are managed using IaC templates, such as Terraform or CloudFormation, are modified manually using the CLI or Console.
The permission updates include the addition of:
• lambda:GetLayerVersion
• lambda:GetEventSourceMapping
• lambda:GetFunction
• s3:ListBucket
• sns:GetSubscriptionAttributes
The AWSCloudFormationReadOnlyAccess managed policy is also added.
The API token duration key MaxSessionDuration : 43200 is also added to the CFT; previously the default of 3600 seconds applied and the key was not included in the CFT.

API Ingestions
Amazon Lex
aws-lexv2-bot
Additional permissions required:
• lex:ListTagsForResource
• lex:ListBotVersions
• lex:ListBots
• lex:DescribeBotVersion
• lex:DescribeBot

Amazon Lex
aws-lex-bot
Additional permissions required:
• lex:GetBot
• lex:GetBots
• lex:GetBotVersions
• lex:ListTagsForResource

Amazon DocumentDB
aws-docdb-db-cluster
Additional permissions required:
• rds:DescribeDBClusters
• rds:ListTagsForResource

Azure App Service
azure-app-service
Additional permission required: Microsoft.Web/sites/config/list/action

Azure Virtual Network
azure-vmss-instance-public-ips
Additional permissions required:
• Microsoft.Compute/virtualMachineScaleSets/read
• Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read

Azure Virtual Network
azure-vmss-network-interface
Additional permissions required:
• Microsoft.Compute/virtualMachineScaleSets/read
• Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read

Azure Virtual Desktop
azure-virtual-desktop-workspace
Additional permissions required:
• Microsoft.DesktopVirtualization/workspaces/read
• Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read

Azure Virtual Desktop
azure-virtual-desktop-session-host
Additional permissions required:
• Microsoft.DesktopVirtualization/hostpools/read
• Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
• Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read

Google Cloud Recommendation
gcloud-recommender-iam-service-account-insight
Additional permission required: recommender.iamPolicyInsights.list

Google Organization Policy
gcloud-organization-policy-organization-constraint
Additional permissions required:
• orgpolicy.constraints.list
• orgpolicy.policy.get

Google Certificate Authority Service
gcloud-certificate-authority-certificate
Additional permissions required:
• privateca.caPools.list
• privateca.certificates.list

OCI Data Catalog
oci-datacatalog-catalogs
Additional permissions required:
• inspect data-catalogs
• read data-catalogs

OCI Containers And Artifacts
oci-containers-artifacts-containerrepo
Additional permissions required:
• inspect repos
• read repos

OCI has a limit of 50 policy statements. With the addition of the following new APIs, Prisma Cloud will have 56 policy statements in the Terraform file. To successfully ingest these new OCI APIs, you will have to request a service limit increase on the policy statements.

OCI Functions
oci-functions-applications
Additional permissions required:
• inspect fn-app
• read fn-app

OCI Service Connector Hub
oci-serviceconnectorhub-serviceconnectors
Additional permissions required:
• inspect serviceconnectors
• read serviceconnectors

OCI Database
oci-oracledatabase-databases
Additional permissions required:
• inspect db-systems
• inspect db-homes
• inspect databases

Update API Ingestion—Amazon EC2
Amazon EC2
aws-ec2-describe-instances
This API is updated to include the following new fields in the resource JSON when ingestPublicOwnedAMIs is set to false for a tenant:
• platformDetails
• imageName

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.5.1.

POLICY UPDATES DESCRIPTION

New Policies
Instance affected by OMIGOD vulnerability is exposed to network traffic from the internet
Identifies VM instances running an Open Management Infrastructure (OMI) version vulnerable to remote code execution (CVE-2021-38647), also known as the OMIGOD vulnerability, that are exposed to network traffic from the Internet. It is recommended to upgrade OMI to the latest version and limit exposure to the Internet.

network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-38647')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Azure Service bus namespace configured with overly permissive network access
Identifies Azure Service Bus namespaces (Premium tier) configured with overly permissive network access. By default, Service Bus namespaces are accessible from the Internet as long as the request carries valid authentication and authorization. With an IP firewall, you can restrict access further to a set of IPv4 addresses or IPv4 address ranges. With virtual networks, the network traffic path is secured on both ends. It is recommended to configure the Service Bus namespace with an IP firewall or a virtual network so that the namespace is accessible only to restricted entities.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = sku.tier equals "Premium" and properties.status equals "Active" and networkRuleSets[*].properties.defaultActio equals "Allow" and networkRuleSets[*].properties.publicNetwor equals Enabled

GCP VPC network not configured with DNS policy with logging enabled
Identifies GCP VPC networks that are not configured with a DNS policy that has logging enabled. Monitoring Cloud DNS logs provides visibility into the DNS names requested by clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence. It is recommended to enable DNS logging for all VPC networks.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-list' as X; config from cloud.resource where api.name = 'gcloud-dns-policy' as Y; filter 'not($.Y.networks[*].networkUrl contains $.X.name and $.Y.enableLogging is true)'; show X;

Policy Updates—Metadata
AWS API gateway request parameter is not validated
Changes— The policy description has been improved to be more precise.
Current Description— This policy identifies the AWS API gateways for with the request parameters are not validated. It is recommended to validate the request parameters in the URI, query string, and headers of an incoming request to focus on the validation efforts specific to your application.
Updated Description— This policy identifies the AWS API gateways for which the request parameters are not validated. When the validation fails, API Gateway fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs. It is recommended to perform basic validation of an API request before proceeding with the integration request to block unvalidated calls to the backend.
Impact— No impact on policy behavior or existing alerts.

GCP Kubernetes engine clusters have client certificate disabled
Changes— The cloud type for this policy was incorrect after converting the policy from run-build to build. It is now updated to GCP, which is the correct cloud type.
Impact— No impact on policy behavior or existing alerts.

Policy Updates—RQL
GCP Kubernetes Engine Clusters have Master authorized networks disabled
Changes— Auto-remediation CLI has been added to the policy. The RQL has been updated to check only clusters with status 'RUNNING'. The recommendation steps have also been updated to match the latest UI changes.
Permission required for CLI execution: container.clusters.update
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals false'

Updated RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuthorizedNetworksConfig.[*] is empty or masterAuthorizedNetworksConfig.enabled equals "false")

Impact— If auto-remediation is enabled for the policy, the alerts will be resolved as 'REMEDIATED' or 'Resource_Updated'. Previously generated alerts for clusters whose state is not 'RUNNING' will be resolved automatically.


REST API Updates

CHANGE DESCRIPTION

List User Role Types API for Permission Groups Assignments
To view the list of roles associated with administrators/users who have access to Prisma Cloud, the following new API endpoint is available:

GET /user/role/type

When called, it returns an array of all roles that administrators/users can belong to. It includes the following role types:

[ "SYSTEM_ADMIN", "ACCOUNT_ADMIN", "ACCOUNT_READ_ONLY", "SSO_ADMIN", "CLOUD_PROVISIONING_ADMIN", "TENANT_PROVISIONING_ADMIN", "PRISMA_SERVICE_USER", "ACCOUNT_AND_CLOUD_PROVISIONING_ADMIN", "BUILD_AND_DEPLOY_SECURITY", "BUILD_AND_DEPLOY_SECURITY_CI", "COMPUTE_ADMIN", "NETWORK_SECURITY_OPERATOR", "NETWORK_SECURITY_OPERATOR_READ_ONLY", "COMPUTE_ACCOUNT_ADMIN", "DEVELOPER", "COMPUTE_ACCOUNT_READ_ONLY" ]

New Features Introduced in 22.4.1


• New Features
• New Policies and Policy Updates
New Features

FEATURE DESCRIPTION

API Ingestions
Amazon Neptune
aws-neptune-db-instance
Additional permissions required:
• rds:DescribeDBInstances
• rds:ListTagsForResource

Amazon Neptune
aws-neptune-db-cluster
Additional permissions required:
• rds:DescribeDBClusters
• rds:ListTagsForResource

AWS MediaStore
aws-mediastore-container
Additional permissions required:
• mediastore:ListTagsForResource
• mediastore:ListContainers
• mediastore:GetCorsPolicy
• mediastore:GetContainerPolicy

Google Access Approval
gcloud-access-approval-project-approval-setting
Additional permission required: accessapproval.settings.get

Google Essential Contacts
gcloud-essential-contacts-organization-contact
Additional permission required: essentialcontacts.contacts.list

Google Service Directory
gcloud-service-directory-namespace-service
Additional permissions required:
• servicedirectory.endpoints.list
• servicedirectory.namespaces.list
• servicedirectory.services.getIamPolicy
• servicedirectory.services.list

OCI Bastion
oci-bastion
Additional permissions required:
• inspect bastion-family
• read bastion-family

Azure App Service
azure-app-service
Additional permission required: Microsoft.Web/sites/config/list/action

New Policies and Policy Updates


See the look ahead updates for planned features and policy updates for 22.4.2.

POLICY UPDATES DESCRIPTION

New Policies
Azure Microsoft Defender for Cloud set to Off for Containers
Identifies Azure Microsoft Defender for Cloud configurations that have the Defender setting for Containers set to Off. As a best practice, enable Azure Defender for Containers.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Containers and properties.pricingTier does not equal Standard)] exists

Instance affected by SpringShell vulnerability is exposed to network traffic from the internet
Identifies instances running a Spring version vulnerable to arbitrary code execution (CVE-2022-22963 in Spring Cloud Function or CVE-2022-22965 in Spring Framework) that are exposed to network traffic from the Internet. As a best practice, upgrade the affected Spring components to the latest version and limit exposure to the Internet.

network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965')) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

This policy is effective only when Prisma Compute is enabled in your environment.

GCP Firewall rule exposes GKE clusters by allowing all traffic on read-only port (10255)
Identifies GCP Firewall rules that allow all traffic on the read-only port (10255), which exposes GKE clusters. In GKE, the Kubelet exposes a read-only port 10255 that shows the configuration of all pods on the cluster at the /pods API endpoint. GKE itself does not expose this port to the Internet because the default project firewall configuration blocks external access. However, it is possible to inadvertently expose this port publicly on GKE clusters by creating a Google Compute Engine VPC firewall rule for GKE nodes that allows traffic from all source ranges on all ports. This configuration publicly exposes all pod configurations, which might contain sensitive information.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(10255,10255) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp or IPProtocol contains "all")))] exists as X; config from cloud.resource where api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING as Y; filter '$.X.network contains $.Y.networkConfig.network' ; show X;
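The RQL above joins two resource types: firewall rules that are open to the world on port 10255, and the RUNNING clusters whose VPC network those rules apply to. The following is an added example (not Prisma Cloud code) that mirrors that logic in Python so the two halves of the check can be tested against resource JSON offline. Field names follow the Compute Engine firewall and GKE cluster resources; the project name, rule names and cluster names in the sample data are constructed.

```python
"""Detect GCP VPC firewall rules that expose the kubelet read-only port (10255) to
the internet and the RUNNING GKE clusters that sit on the same network.

Added example mirroring the policy logic above; not Prisma Cloud code.
All resource data below is constructed sample input.
"""
from __future__ import annotations

# Source ranges the policy treats as "everyone" (IPv4 and IPv6 forms)
OPEN_SOURCE_RANGES = {"0.0.0.0", "0.0.0.0/0", "::", "::0", "::/0"}
KUBELET_READ_ONLY_PORT = 10255


def port_spec_covers(spec: str, port: int) -> bool:
    """True if a GCP port spec ("10255" or "10250-10260") includes `port`."""
    if "-" in spec:
        low, high = (int(part) for part in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def rule_exposes_port(rule: dict, port: int = KUBELET_READ_ONLY_PORT) -> bool:
    """Enabled INGRESS rule, open to the world, that allows traffic to `port`."""
    if rule.get("disabled", False) or rule.get("direction") != "INGRESS":
        return False
    if not any(src in OPEN_SOURCE_RANGES for src in rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        protocol = str(allowed.get("IPProtocol", "")).lower()
        ports = allowed.get("ports")
        if ports is None:
            # No port list means every port of that protocol is allowed
            if protocol in ("tcp", "udp", "all"):
                return True
        elif any(port_spec_covers(spec, port) for spec in ports):
            return True
    return False


def exposed_clusters(rules: list[dict], clusters: list[dict]) -> list[str]:
    """Join exposing rules to RUNNING clusters on the same VPC network, like the
    filter '$.X.network contains $.Y.networkConfig.network' step in the RQL."""
    open_networks = [r["network"] for r in rules if rule_exposes_port(r)]
    return [
        cluster["name"]
        for cluster in clusters
        if cluster.get("status") == "RUNNING"
        and any(cluster["networkConfig"]["network"] in net for net in open_networks)
    ]


# Constructed sample data (project, rule and cluster names are placeholders)
SAMPLE_RULES = [
    {   # exposing: world-open TCP range that includes 10255
        "name": "allow-kubelet-range", "direction": "INGRESS", "disabled": False,
        "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["10250-10260"]}],
    },
    {   # not exposing: all TCP, but only from a private range
        "name": "allow-internal", "direction": "INGRESS", "disabled": False,
        "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-net",
        "sourceRanges": ["10.0.0.0/8"],
        "allowed": [{"IPProtocol": "tcp"}],
    },
    {   # not exposing: world-open on every protocol, but the rule is disabled
        "name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
        "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-net",
        "sourceRanges": ["::/0"],
        "allowed": [{"IPProtocol": "all"}],
    },
]
SAMPLE_CLUSTERS = [
    {"name": "dev-cluster", "status": "RUNNING",
     "networkConfig": {"network": "projects/example-project/global/networks/default"}},
    {"name": "prod-cluster", "status": "RUNNING",
     "networkConfig": {"network": "projects/example-project/global/networks/prod-net"}},
    {"name": "old-cluster", "status": "STOPPING",
     "networkConfig": {"network": "projects/example-project/global/networks/default"}},
]

if __name__ == "__main__":
    print(exposed_clusters(SAMPLE_RULES, SAMPLE_CLUSTERS))  # ['dev-cluster']
```

Only the first rule trips the check: the second is open on every TCP port but only to RFC 1918 space, and the third is world-open but disabled, which is exactly why the RQL starts with `disabled is false`.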

New Configuration Policies for Build-Time Checks
The following new policies are now available to scan the environments monitored by the Code Security module on Prisma Cloud:
• Deletion protection disabled for load
balancer
• Deletion protection disabled for load
balancer
• RDS instances do not have Multi-AZ
enabled
• AWS QLDB ledger has deletion protection
is disabled
• AWS WAF does not have associated rules
• AWS WAF Web Access Control Lists
logging is disabled
• AWS Kinesis Video Stream not encrypted
using Customer Managed Key
• AWS FSX Windows filesystem not encrypted using Customer Managed Key
• AWS Image Builder component not
encrypted using Customer Managed Key
• AWS S3 Object Copy not encrypted using
Customer Managed Key
• AWS Doc DB not encrypted using
Customer Managed Key
• AWS EBS Snapshot Copy not encrypted
using Customer Managed Key
• AWS S3 bucket Object not encrypted
using Customer Managed Key
• AWS Sagemaker domain not encrypted
using Customer Managed Key
• AWS EBS Volume not encrypted using
Customer Managed Key
• AWS Lustre file system not configured
with CMK key
• AWS Elasticache replication group not
configured with CMK key
• WAF enables message lookup in Log4j2
• AWS EBS volumes are not encrypted
• EBS volumes do not have encrypted
launch configurations
• Not all data stored in Aurora is securely
encrypted at rest
• AWS resources that support tags do not
have Tags
• Not all data stored in the EBS snapshot is
securely encrypted
• Active Directory is not used for
authentication for Service Fabric
• Secure transfer required is not enabled
• Azure Key Vault Keys does not have
expiration date
• Azure Key Vault secrets does not have
expiration date
• Azure resources that support tags do not
have tags
• RSASHA1 is used for Zone-Signing and
Key-Signing Keys in Cloud DNS DNSSEC
• Boot disks for instances do not use CSEKs
• Default Service Account is used at project level
• Google storage buckets are not encrypted
• GCP resources that support labels do not
have labels
• GitHub organization security settings do
not include 2FA capability
• GitHub organization security settings do
not include SSO
• GitHub organization security settings do
not have IP allow list enabled
• GitHub branch protection rules do not
include signed commits
• Github merge requests should require at
least 2 approvals
• Gitlab branch protection rules allows force
pushes
• Gitlab organization has groups with no
two factor authentication configured
• NGINX Ingress annotation snippets
contains LUA code execution
• NGINX Ingress has annotation snippets
• NGINX Ingress has annotation snippets
which contain alias statements
• AWS Postgres RDS have Query Logging
disabled
• AWS WAF2 does not have a Logging
Configuration
• Storage Account name does not follow
naming rules
• AWS IAM policies that allow full
administrative privileges are created
• AWS Elasticsearch is not configured inside
a VPC
• AWS S3 bucket ACL grants READ
permission to everyone
• AWS IAM policy documents do not allow *
(asterisk) as a statement’s action
• AWS S3 Buckets has block public access
setting disabled
• AWS S3 Bucket BlockPublicPolicy is set to
True
• AWS S3 bucket IgnorePublicAcls is set to True
• AWS S3 bucket RestrictPublicBucket is set
to True
• AWS S3 Bucket has an ACL defined which
allows public WRITE access
• AWS API gateway methods are publicly
accessible
• AWS IAM role allows all services or
principals to be assumed
• Azure Network Security Group allows all
traffic on SSH (port 22)
• Azure SQL Servers Firewall rule allow
ingress access from 0.0.0.0/0
• Azure application gateway does not have
WAF enabled
• Azure storage account has a blob
container that is publicly accessible
• Azure storage account does allow public
access
• Azure AKS cluster network policies are not
enforced
• Azure App Service Web app does not have
a Managed Service Identity
• Azure App Service Web app doesn’t use
latest .Net framework version
• Azure App Service Web app does not use
latest PHP version
• Azure App Service Web app does not use
latest Python version
• Azure App Service Web app does not use
latest Java version
• Azure RDP Internet access is not
restricted
• GCP SQL database is publicly accessible
• GCP SQL database instance does not have
backup configuration enabled
• GCP IAM user are assigned Service
Account User or Service Account Token
creator roles at project level
• GCP IAM Service account does have
admin privileges
• GCP SQL Instances do not have SSL configured for incoming connections
• GCP Cloud SQL database instances have
public IPs
• Azure Storage account Encryption CMKs
Disabled
• Azure SQL Server ADS Vulnerability
Assessment (VA) 'Send scan reports to' is
not configured
• Azure SQL Server ADS Vulnerability
Assessment (VA) 'Also send email
notifications to admins and subscription
owners' is disabled
• Azure SQL servers which doesn’t have
Azure Active Directory admin configured
• Azure Virtual Machines does not utilise
Managed Disks
• AWS CloudWatch Log groups encrypted
using default encryption key instead of
KMS CMK
• AWS CloudWatch Log groups not
configured with definite retention days
• AWS EC2 instance detailed monitoring
disabled
• AWS Amazon RDS instances Enhanced
Monitoring is disabled
• AWS Secrets Manager secret is not
encrypted using KMS CMK
• Azure Application Gateway Web
application firewall (WAF) policy rule for
Remote Command Execution is disabled

New Configuration Policies for Run-Time and Build-Time Checks
• Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
• Ensure cosmosdb does not allow
privileged escalation by restricting
management plane changes
• Ensure Front Door WAF prevents message
lookup in Log4j2
• Ensure Application Gateway WAF
prevents message lookup in Log4j2
• Ensure that 'Send email notification for
high severity alerts' is set to 'On'
• Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
• Ensure that IP forwarding is not enabled
on Instances
• Ensure Compute instances are launched
with Shielded VM enabled
• Ensure Cloud Armor prevents message
lookup in Log4j2

Policy Updates—RQL
The following policies have been deleted:
• Azure Microsoft Defender for Cloud is set to Off for Kubernetes
• Azure Microsoft Defender for Cloud is set to Off for Container Registries
Changes— The two services Microsoft Defender for Kubernetes and Microsoft Defender for container registries have been replaced with Microsoft Defender for Containers. The corresponding policies and compliance references have been deleted.
Impact— Previously generated alerts will be resolved as Policy_Deleted.

Azure Security Center Defender plans is set to Off
Changes— The policy RQL has been updated to account for deprecated features in the query. The policy recommendation has also been updated.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(properties.pricingTier does not equal Standard and (properties.deprecated does not exist or properties.deprecated is false))] exists

Impact— Previously generated alerts will be resolved as Policy_Updated.

GCP VM instance with the external IP address
Changes— The RQL has been updated.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = 'status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contains default-pool)'

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contain default-pool)

Impact— No impact on existing alerts.

GCP GCR Container Vulnerability Scanning is disabled
Changes— The RQL, recommendation steps, and API have been modified. The RQL has been updated to match the updated JSON response of the gcloud-services-list API, and the recommendation steps have been updated to reflect the latest UI. Because the gcloud-services-list API ingestion has changed, the policy is updated to match the API change.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any( config.name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-services-list' AND json.rule = services[?any(name contains containerscanning.googleapis.com and state contains ENABLED)] does not exist

Impact— Previously generated alerts will be resolved as Policy_Updated. This has a low impact on alerts.

GCP BigQuery dataset is publicly accessible
Changes— The gcloud-bigquery-dataset-list API has moved to Cloud Asset Inventory, which changes the access control list in the JSON response to IAM bindings. As a result of the ingestion change, the policy is modified to match the updated API response. The recommendation steps have also been updated to reflect the latest UI.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = "acl[?(@.entity.iamMember=='allUsers' || @.entity.identifier=='allAuthenticatedUser exists"

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-bigquery-dataset-list' AND json.rule = iamPolicy.bindings[?any(members[*] equals "allUsers" or members[*] equals "allAuthenticatedUsers")] exists

Impact— No impact on existing alerts.

16 New Anomaly Policies that Map to MITRE ATT&CK v10.0
There are 16 new UEBA Anomaly policies to detect user activity from the TOR anonymity network. Each policy corresponds to one of the service groups available in AWS, Azure, and GCP, for example analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify the defense evasion and impact tactics listed in the MITRE ATT&CK framework. The policies are disabled by default; you can enable them manually according to your security needs and the cloud services used in your environment.
Here's the list of UEBA policies:
• Suspicious activity in Security services
• Suspicious activity in Networking services
• Suspicious activity in Analytics services
• Suspicious activity in Monitoring /
Management services
• Suspicious activity in Database services
• Suspicious activity in Compute services
• Suspicious activity in Storage services
• Suspicious activity in Application
Integration services
• Suspicious activity in Containers services
• Suspicious activity in AI / ML services
• Suspicious activity in Migration services
• Suspicious activity in Dev Tools services
• Suspicious activity in Web services
• Suspicious activity in IoT services
• Suspicious activity in Media services
• Suspicious login activity

Features Introduced in March 2022


Learn what’s new on Prisma™ Cloud in March 2022.
• New Features Introduced in 22.3.2
• New Features Introduced in 22.3.1


New Features Introduced in 22.3.2


• New Features
• Changes in Existing Behavior
• New Policies and Policy Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

Azure Custom Roles
Prisma Cloud now gives you the ability to create custom roles, which enable you to onboard your cloud accounts with a granular set of permissions and enforce the principle of least privilege.
When you view the status of Cloud Accounts, you can now review the details of missing permissions.

Access Control Settings
Prisma Cloud now includes a new navigation menu in Settings called Access Control. The Roles, Users, Access Keys, and SSO pages have all been consolidated under this location and are accessible as tabs in the header.
In addition, an Add button is now included that handles unified actions across these tabs, enabling you to perform operations such as creating a role or an access key from a single location.

Automatically Receive Detailed Reports With Email Alerts
When you configure your alert rules to instantly send emails, a detailed report is automatically included as an attachment.

API Ingestions

AWS Storage Gateway
aws-storage-gateway-cached-volume
Additional permissions required:
• storagegateway:ListVolumes
• storagegateway:DescribeCachediSCSIVolumes


AWS Storage Gateway


aws-storage-gateway-tape
Additional permissions required:
• storagegateway:ListTapes

• storagegateway:DescribeTapes

AWS XRAY
aws-xray-encryption-config
Additional permission required:

xray:GetEncryptionConfig

Azure Virtual Network
azure-network-natgateway
Additional permission required:
Microsoft.Network/natGateways/read

Azure Data Catalog
azure-datacatalog-catalog
Additional permission required:
Microsoft.DataCatalog/catalogs/read

Google Cloud Bigtable


gcloud-bigtable-instance-cluster-backup-list
Additional permissions required:
• bigtable.backups.list

• bigtable.backups.getIamPolicy

Google Cloud Spanner backups
gcloud-cloud-spanner-instance-backup
Additional permission required: None

Google Secrets Manager


gcloud-secretsmanager-secrets-version
Additional permission required:

secretmanager.versions.list

Google VPC
gcloud-compute-org-firewall-policy
Additional permission required:

compute.firewallPolicies.list

Google Certificate Authority Service
gcloud-certificate-authority-ca
Additional permissions required:
• privateca.caPools.list
• privateca.certificateAuthorities.list

OCI API Management


oci-apimanagement-apigateway
Additional permissions required:
• inspect api-gateways

• read api-gateways

New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies

AWS IAM Access analyzer is not configured
Identifies AWS regions that do not have IAM Access Analyzer configured. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as IAM roles, that are shared with an external entity, so that you can identify unintended access to your resources and data. As a best practice, configure Access Analyzer in all regions of your account.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-access-analyzer' AND json.rule = status equals ACTIVE as X; config from cloud.resource where api.name = 'aws-region' AND json.rule = optInStatus does not equal not-opted-in as Y; filter '$.X.arn contains $.Y.regionName'; show X; count(X) less than 1

Azure Spring Cloud app end-to-end TLS is disabled
Identifies Azure Spring Cloud apps that have end-to-end TLS disabled. Enabling end-to-end TLS/SSL secures traffic from the ingress controller to the apps. After you enable end-to-end TLS and load a certificate from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a best practice, use end-to-end TLS to secure the traffic to Spring Cloud apps.

config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running and sku.tier does not equal Basic as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and properties.enableEndToEndTLS is false as Y; filter '$.X.name equals $.Y.serviceName'; show Y;

Azure Spring Cloud app system-assigned managed identity is disabled
Identifies Azure Spring Cloud apps that have the system-assigned managed identity disabled. A system-assigned managed identity can be used to authenticate to any service that supports Azure AD authentication without keeping credentials in your code. Storing credentials in code increases the attack surface if the code is exploited; managed identities remove that need. As a best practice, assign a system-assigned managed identity to your Spring Cloud apps.

config from cloud.resource where api.name = 'azure-spring-cloud-service' AND json.rule = properties.powerState equals Running as X; config from cloud.resource where api.name = 'azure-spring-cloud-app' AND json.rule = properties.provisioningState equals Succeeded and identity does not exist as Y; filter '$.X.name equals $.Y.serviceName'; show Y;

GCP API key not restricted to use by specified Hosts and Apps
Identifies GCP API keys that are not restricted to any specific hosts or apps. Unrestricted keys are insecure because they can be viewed publicly, such as within a browser, or accessed on a device where the key resides. As a best practice, restrict API key usage to trusted hosts, HTTP referrers, and apps.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = (restrictions.browserKeyRestrictions does not exist and restrictions.serverKeyRestrictions does not exist and restrictions.androidKeyRestrictions does not exist and restrictions.iosKeyRestrictions does not exist) or (restrictions.browserKeyRestrictions exists and (restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]")] exists or restrictions.browserKeyRestrictions[?any(allowedReferrers[*] equals "*.[TLD]/*")] exists)) or (restrictions.serverKeyRestrictions exists and (restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals 0.0.0.0/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::/0)] exists or restrictions.serverKeyRestrictions[?any(allowedIps[*] equals ::0)] exists))
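The RQL above encodes three ways a key ends up effectively unrestricted: no application restriction at all, a browser restriction whose referrer list is a wildcard, or a server restriction whose IP list is the whole address space. The following is an added example (not Prisma Cloud code) that evaluates API key resource JSON with the same three rules and reports which one fired. The `restrictions` field shape follows the Google API Keys resource; the key names, referrers and fingerprint in the sample data are constructed.

```python
"""Flag GCP API keys whose application restrictions do not pin them to specific
hosts, referrers, IPs or apps, following the policy logic above.

Added example, not Prisma Cloud code. All keys below are constructed sample data.
"""
from __future__ import annotations

RESTRICTION_KINDS = (
    "browserKeyRestrictions", "serverKeyRestrictions",
    "androidKeyRestrictions", "iosKeyRestrictions",
)
# Referrer and IP values the policy treats as no restriction at all
WILDCARD_REFERRERS = {"*", "*.[TLD]", "*.[TLD]/*"}
WILDCARD_IPS = {"0.0.0.0", "0.0.0.0/0", "::/0", "::0"}


def api_key_exposure(key: dict) -> str | None:
    """Return why the key counts as unrestricted, or None if it is restricted."""
    restrictions = key.get("restrictions") or {}
    if not any(kind in restrictions for kind in RESTRICTION_KINDS):
        return "no application restriction"
    browser = restrictions.get("browserKeyRestrictions")
    if browser is not None:
        for referrer in browser.get("allowedReferrers", []):
            if referrer in WILDCARD_REFERRERS:
                return f"wildcard HTTP referrer {referrer}"
    server = restrictions.get("serverKeyRestrictions")
    if server is not None:
        for ip in server.get("allowedIps", []):
            if ip in WILDCARD_IPS:
                return f"wildcard IP range {ip}"
    return None


def unrestricted_keys(keys: list[dict]) -> list[tuple[str, str]]:
    """(displayName, reason) for every key the policy would alert on."""
    findings = []
    for key in keys:
        reason = api_key_exposure(key)
        if reason is not None:
            findings.append((key["displayName"], reason))
    return findings


SAMPLE_KEYS = [   # constructed sample data
    {"displayName": "legacy-key", "restrictions": {}},
    {"displayName": "web-key-any-site",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}}},
    {"displayName": "backend-key-open",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["0.0.0.0/0"]}}},
    {"displayName": "web-key-pinned",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"displayName": "android-key",
     "restrictions": {"androidKeyRestrictions": {"allowedApplications": [
         {"packageName": "com.example.app", "sha1Fingerprint": "<placeholder>"}]}}},
]

if __name__ == "__main__":
    for name, reason in unrestricted_keys(SAMPLE_KEYS):
        print(f"{name}: {reason}")
```

A key restricted to a concrete referrer or to an Android package passes; note that the check only looks at the restriction types the policy names, so a key with an empty `allowedReferrers` list is treated as restricted, exactly as the RQL does.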

Policy Updates—Metadata

Azure Network Watcher Network Security Group (NSG) flow logs are disabled
Changes— The policy recommendation has been updated to include end-to-end configuration information. The policy RQL has also been updated to remove $ for consistency across all RQLs.
Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-nsg-list' AND json.rule = flowLogsSettings does not exist or flowLogsSettings.enabled is false

Impact— No impact on existing alerts.

Azure App Service Web app doesn't have a Managed Service Identity
Changes— The policy RQL has been updated to exclude App Services with user-assigned identities from reporting, because an App Service can be assigned user-assigned identities. The policy description and recommendation have also been updated to reflect the changes.
Updated RQL—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with app and (identity.type does not exist or (identity.type exists and identity.type does not contain SystemAssigned and identity.type does not contain UserAssigned))

Impact— Previously generated alerts for App Services using user-assigned identities will be resolved as Policy_Updated.

AWS RDS instance with copy tags to snapshots disabled
Changes— The policy was reporting false-positive alerts for AWS DocumentDB instances because the copyTagsToSnapshot feature is not supported for DocDB. The policy RQL has been updated to ignore docdb engine instances.
Current—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = 'dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora'

Updated to—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb

Impact— Alerts for resources that have a docdb engine instance will be resolved as Policy_Updated.

Changes in Existing Behavior

FEATURE CHANGE

CSPM Alert API Rate Limits
Prisma Cloud continues to enable rate limiting on API endpoints to ensure the availability and scalability of Prisma Cloud APIs. The following rate limits are implemented for the Alerts API endpoints starting in 22.3.2:
• GET /v2/alert: request rate limit 2/sec, burst limit 10/sec
• POST /v2/alert: request rate limit 2/sec, burst limit 10/sec
• GET /alert/count/{status}: request rate limit 2/sec, burst limit 10/sec
• GET /alert: request rate limit 2/sec, burst limit 10/sec
• POST /alert: request rate limit 2/sec, burst limit 10/sec
• GET /alert/policy: request rate limit 1/sec, burst limit 5/sec
• POST /alert/policy: request rate limit 1/sec, burst limit 5/sec
• GET /alert/{id}: request rate limit 5/sec, burst limit 10/sec
• POST /alert/jobs: request rate limit 2/sec, burst limit 10/sec
• POST /alert/policy/jobs: request rate limit 1/sec, burst limit 5/sec
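Integrations that page through alerts or fan out per-policy queries are the ones most likely to hit these limits. The following is an added example (not Prisma Cloud code) of a client-side throttle that keeps one token bucket per endpoint using the numbers from the list above. It assumes the burst limit is the bucket capacity and the request rate limit is the refill rate; that is an interpretation of the table, not a documented contract. The clock and sleep functions are injectable so the behaviour can be checked offline.

```python
"""Client-side token-bucket throttle for the Alerts API limits listed above.

Added example, not Prisma Cloud code. Assumes burst = bucket capacity and
request rate = refill rate per second; the endpoint table is copied from the
22.3.2 notes above.
"""
from __future__ import annotations

import time

# (requests per second, burst) per endpoint, from the 22.3.2 rate-limit list
ALERT_API_LIMITS = {
    ("GET", "/v2/alert"): (2, 10),
    ("POST", "/v2/alert"): (2, 10),
    ("GET", "/alert/count/{status}"): (2, 10),
    ("GET", "/alert"): (2, 10),
    ("POST", "/alert"): (2, 10),
    ("GET", "/alert/policy"): (1, 5),
    ("POST", "/alert/policy"): (1, 5),
    ("GET", "/alert/{id}"): (5, 10),
    ("POST", "/alert/jobs"): (2, 10),
    ("POST", "/alert/policy/jobs"): (1, 5),
}


class TokenBucket:
    """Allows `burst` requests at once, then refills at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self) -> bool:
        """Consume one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def wait_time(self) -> float:
        """Seconds until the next token is available (0 if one is ready now)."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.rate

    def acquire(self, sleep=time.sleep) -> None:
        """Block until a token is available, then consume it."""
        delay = self.wait_time()
        if delay > 0:
            sleep(delay)
        while not self.try_acquire():   # guard against coarse clock granularity
            sleep(1.0 / self.rate)


class AlertApiThrottle:
    """One bucket per (method, path) so one busy endpoint does not starve another."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets: dict[tuple[str, str], TokenBucket] = {}

    def bucket_for(self, method: str, path: str) -> TokenBucket:
        key = (method.upper(), path)
        if key not in self.buckets:
            rate, burst = ALERT_API_LIMITS[key]   # KeyError for an endpoint not in the list
            self.buckets[key] = TokenBucket(rate, burst, clock=self.clock)
        return self.buckets[key]

    def before_request(self, method: str, path: str, sleep=time.sleep) -> None:
        """Call immediately before issuing the HTTP request for (method, path)."""
        self.bucket_for(method, path).acquire(sleep=sleep)
```

With the GET /v2/alert limits, ten calls go out immediately and the eleventh waits half a second, which is the steady-state spacing for 2 requests per second. Keying the throttle on the path template (for example `/alert/{id}`) rather than the concrete URL is deliberate: the limit applies to the endpoint, not to each alert id.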

Update permission in the aws-s3api-get-bucket-acl API
The aws-s3api-get-bucket-acl API has been updated to include the following permission:

s3:GetBucketOwnershipControls

This enables you to get the default ownership settings for objects in your S3 buckets.

REST API Updates

CHANGE DESCRIPTION

CSPM Alert API Rate Limits
See Changes in Existing Behavior for a description of the new CSPM Alert API rate limits.

Removal of Deprecated IaC Scan API V2
The deprecated IaC Scan API V2 has been removed. A new Code Security API is available for Infrastructure-as-Code security checks.

New Features Introduced in 22.3.1


• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

License Support in Alarm Center
Prisma Cloud includes a new License Alarm Type, which raises an alarm in the following cases:
• License Usage— An alarm is raised on the last day of the month if your monthly usage is >80% (configurable limit) of the credits purchased.
• License Expiry— An alarm is raised 1 month before your license expires (for non-POC tenants).
• Module Activation Failure— An alarm is raised for any module provisioning failure.

Update Prisma Cloud Data Security—New File Extensions Supported for Malware Scanning
Prisma Cloud can now scan files with the following extensions in your storage buckets for malware:
• .pdf
• .doc
• .docx
• .xls
• .xlsx
• .ppt
• .pptx
• .docm
• .dotm
• .xlm
• .xlsm
• .xltm
• .pptm
• .potm
• .ppsm

Support for New Regions on OCI
Prisma Cloud now ingests data for resources deployed in the Jerusalem, Marseille, and Singapore cloud regions on OCI.
To review the list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.
Support for the Abu Dhabi, Milan, Stockholm, and Johannesburg regions is released as a beta.

API Ingestions

Amazon Neptune
aws-neptune-db-cluster-parameter-group
Additional permissions required:
• rds:DescribeDBClusterParameters
• rds:DescribeDBClusterParameterGroups
• rds:ListTagsForResource

Amazon QuickSight
aws-quicksight-account-setting
Additional permission required:
quicksight:DescribeAccountSettings

Amazon VPC
aws-ec2-client-vpn-endpoint
Additional permission required:

ec2:DescribeClientVpnEndpoints

Google Certificate Authority Service


gcloud-certificate-authority-pool
Additional permissions required:

privateca.caPools.getIamPolicy

privateca.caPools.list

Google Compute Engine


gcloud-compute-instances-list
Additional permission required:

compute.instances.getIamPolicy

Google Compute Engine


gcp-compute-disk-list
Additional permission required:

compute.disks.getIamPolicy

Google Cloud IAM
gcloud-iam-workload-identity-provider
Additional permission required:
iam.workloadIdentityPoolProviders.list

Google Cloud IAM
gcloud-iam-workload-identity-pool
Additional permission required:
iam.workloadIdentityPools.list

The IAM Workload Identity Prisma Cloud APIs provide only the workload identity pools and providers created under Workload Identity Federation as part of the IAM service. Refer to the gcloud-container-describe-clusters API for the Workload Identity Configuration details of GKE Clusters.

OCI Web Application Firewall
oci-waf-webappfirewallpolicy
Additional permissions required:
Allow group ${oci_identity_group.group.name} to inspect waf-policy in tenancy
Allow group ${oci_identity_group.group.name} to read waf-policy in tenancy

Update Azure Service Bus
azure-service-bus-namespace
This API has been updated to show the following new fields in the resource JSON:
publicNetworkAccess
disableLocalAuth


New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies

Azure MariaDB database server with SSL connection disabled
Identifies MariaDB database servers for which SSL enforcement is disabled. It is recommended to enforce SSL for access to your database server.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Disabled

Azure MariaDB database server not using latest TLS version
Identifies Azure MariaDB database servers that are not using the latest TLS version for SSL enforcement. As a best practice, use the newest TLS version as the minimum TLS version for the MariaDB database server. Currently, Azure MariaDB supports TLS 1.2, which resolves the security gaps of its preceding versions.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-database-maria-db-server' AND json.rule = properties.userVisibleState equals Ready and properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2

Azure Key vault Private Endpoint Connection is not configured
Identifies Key vaults that are not configured with a private endpoint connection. It is recommended to configure a Private Endpoint Connection for Key vaults.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.provisioningState equals Succeeded and properties.privateEndpointConnections[*] does not exist

Policy Updates—Metadata
The policy name and description have been updated to describe the policy better.
Current name— AWS RDS event subscription disabled for DB instance
Updated to— AWS RDS Event subscription All event categories and All instances disabled for DB instance
Updated description— Identifies AWS RDS event subscriptions for DB instance that have 'All event categories' and 'All instances' disabled. As a best practice, enable 'All event categories' for 'All instances' to get notified when an event occurs for a DB instance.
Impact— No impact on existing alerts.

Policy Updates—RQL

AWS SNS topic with cross-account access
Changes— The RQL has been updated to ignore resources where the SNS topic owner is the principal itself.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn))] exists

Updated to—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn and Principal.AWS does not contain $.Owner))] exists

Impact— Previously generated alerts for resources where the SNS topic owner was itself will be resolved as Policy_Updated.

AWS IAM policy allows full administrative privileges
Changes— The RQL has been updated to check only policies that are attached to a user, role, or group.
Current RQL—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = 'document.Statement[?any(Action equals * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)'

Updated to—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Action anyStartWith * and Resource equals * and Effect equals Allow)] exists and (policyArn exists and policyArn does not contain iam::aws:policy/AdministratorAccess)

Impact— Previously generated alerts for resources that are not attached to any user, role, or group will be resolved as Policy_Updated.
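The two RQL updates above (the owner exclusion for SNS topics and the isAttached / anyStartWith conditions for IAM policies) can be traced by hand on a resource's JSON. The following Python is an added illustration of that logic, not Prisma Cloud code and not how the platform evaluates RQL: the sample topic attributes and policy versions are constructed placeholders, and the treatment of list-valued fields and of "contains" as a substring test is an assumption noted in the comments.

```python
import json


def _as_list(value):
    """Policy fields such as Action, Resource or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def sns_cross_account_statements(topic_attributes, ignore_owner=True):
    """Return the Sids of Allow statements that grant access to a specific AWS ARN.

    ignore_owner=False reproduces the previous rule; ignore_owner=True adds the
    new 'Principal.AWS does not contain $.Owner' condition. The string checks
    mirror the RQL literally ("contains arn", "does not contain <owner>"), so a
    statement listing both the owner and a foreign ARN is not reported either.
    """
    owner = topic_attributes.get("Owner", "")
    policy = json.loads(topic_attributes["Policy"])
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "Principal": "*" (anonymous access) is covered by other policies
        aws = _as_list(principal.get("AWS"))
        if not aws or "*" in aws:
            continue
        if not any("arn" in p for p in aws):
            continue
        if ignore_owner and owner and any(owner in p for p in aws):
            continue
        flagged.append(stmt.get("Sid"))
    return flagged


def iam_policy_grants_full_admin(policy_version):
    """Updated rule: report only attached customer-managed policies with an Allow
    statement whose Action starts with '*' (anyStartWith *) on Resource '*'.
    The AWS-managed AdministratorAccess policy is excluded by ARN, as in the RQL.
    """
    if not policy_version.get("isAttached"):
        return False
    arn = policy_version.get("policyArn") or ""
    if not arn or "iam::aws:policy/AdministratorAccess" in arn:
        return False
    for stmt in _as_list(policy_version["document"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a.startswith("*") for a in actions) and "*" in resources:
            return True
    return False


# Constructed sample data (account IDs and ARNs are placeholders, not real resources).
SAMPLE_SNS_TOPIC = {
    "Owner": "111111111111",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerPublish", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
             "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-1:111111111111:alerts"},
            {"Sid": "PartnerSubscribe", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
             "Action": "SNS:Subscribe", "Resource": "arn:aws:sns:us-east-1:111111111111:alerts"},
            {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
             "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-1:111111111111:alerts"},
        ],
    }),
}

SAMPLE_IAM_POLICY_VERSIONS = [
    {"policyArn": "arn:aws:iam::111111111111:policy/dev-admin", "isAttached": True,
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"policyArn": "arn:aws:iam::111111111111:policy/unused-admin", "isAttached": False,
     "document": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}},
    {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", "isAttached": True,
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"policyArn": "arn:aws:iam::111111111111:policy/s3-only", "isAttached": True,
     "document": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
]


def flagged_admin_policy_arns(policy_versions=SAMPLE_IAM_POLICY_VERSIONS):
    """ARNs the updated IAM rule would report for the given policy versions."""
    return [p["policyArn"] for p in policy_versions if iam_policy_grants_full_admin(p)]


if __name__ == "__main__":
    print("SNS, previous rule:", sns_cross_account_statements(SAMPLE_SNS_TOPIC, ignore_owner=False))
    print("SNS, updated rule: ", sns_cross_account_statements(SAMPLE_SNS_TOPIC))
    print("IAM full-admin:    ", flagged_admin_policy_arns())
```

Run stand-alone, the previous SNS rule reports both the owner's own statement and the partner's, while the updated rule reports only the partner statement; for IAM, the unattached policy and the AWS-managed AdministratorAccess policy drop out and only the attached customer policy with a wildcard action remains. That is exactly the set of alerts the "Impact" lines say will be resolved as Policy_Updated.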

GCP Cloud Function HTTP trigger is not secured
Changes— The RQL has been modified to generate alerts only for HTTP triggers that are not secure.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger.securityLevel does not equal SECURE_ALWAYS

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger exists and httpsTrigger.securityLevel does not equal SECURE_ALWAYS

Impact— Previously generated alerts associated with non-HTTP triggers will be resolved as Policy_Updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Update AWS CIS v1.3.0 and v1.4.0
The AWS S3 CloudTrail buckets for which access logging is disabled policy has been mapped to AWS CIS v1.3.0 and v1.4.0, section 3.6.
Impact— The compliance report score will be impacted because a new mapping has been added.

REST API Updates

CHANGE DESCRIPTION

CSPM Policy API Endpoints
This change was first announced in the look ahead that was published with the 22.2.2 release.
If you specify an RQL statement rather than a search ID for the rule.criteria request body parameter, the value of the rule.criteria attribute in the resulting response object will be a UUID and not the RQL itself. This change affects the following API requests:
• POST /policy
• PUT /policy/{id}
You can use the UUID with the following requests to determine the corresponding RQL statement:
• GET /search/history, where the response object includes both the UUID and RQL
• GET /search/history/{UUID}

Features Introduced in February 2022


Learn what’s new on Prisma™ Cloud in February 2022.
• New Features Introduced in 22.2.2
• New Features Introduced in 22.2.1

New Features Introduced in 22.2.2


• New Features
• New Policies and Policy Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

Knowledge Center (GA)
Knowledge Center provides in-product and in-context guidance based on your current workflow without taking you away from the Prisma Cloud app.
Access the Knowledge Center on the lower left navigation to see content relevant to what you are trying to accomplish at that particular moment. The topics listed under the Knowledge Center get auto-refreshed when you move to a different page.

Improved Alert Rule Workflow
The improved and intuitive Add Alert Rule modal with a faster loading UI provides a better user experience. You can select the optional Alert Notifications, Auto-Remediation, or Auto-Actions (Limited GA) settings up front while creating an alert rule.
Alert Rules also include a summary page where you can review your selection.

API Ingestions
AWS Storage Gateway
aws-storage-gateway-fileshare
Additional permissions required:
• storagegateway:ListFileShares
• storagegateway:DescribeNFSFileShares
• storagegateway:DescribeSMBFileShares

AWS Storage Gateway
aws-storage-gateway-information
Additional permissions required:
• storagegateway:ListGateways
• storagegateway:DescribeGatewayInformation
• storagegateway:DescribeSMBSettings

Amazon Lightsail
aws-lightsail-instance
Additional permission required:

lightsail:GetInstances

On Prisma Cloud, the keyonlytags tag value is only displayed for the resources with key only tags that are present in AWS Lightsail instances.

Azure Log Analytics
azure-log-analytics-workspace
Additional permission required:

Microsoft.OperationalInsights/workspaces/read

Update AWS GuardDuty Detector API
The aws-guardduty-detector API is updated to include two new fields, accountId and relationshipStatus, in the JSON as shown below:

"master": {
  "accountId": "375187248419",
  "relationshipStatus": "Enabled"
}

Update Permission in the AWS CFT
The AWS CFT for Monitor now includes additional permissions for EKS Auditing for onboarded cloud accounts. The AWS CFT for Monitor and Protect includes additional permissions for Agentless scanning on EC2 for onboarded cloud accounts.

Removal of Support for Deprecated RQL Query Format
The config where, event where, and network where query formats are no longer supported.
• Replace config where <rest of the query> with config from cloud.resource where <rest of the query>
• Replace event where <rest of the query> with event from cloud.audit_logs where <rest of the query>
• Replace network where <rest of the query> with network from vpc.flow_records where <rest of the query>
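A small migration helper for the three replacements above, added here as an illustration and not part of Prisma Cloud or its tooling: it rewrites saved searches that still use the deprecated prefixes and leaves queries already in the supported form untouched, so it can be run over an export of saved searches before the old format stops working. The sample queries are constructed, and the assumption that quoted strings contain no semicolon is stated in the code.

```python
import re

# Replacement for each deprecated prefix, as listed in the release note above.
LEGACY_PREFIXES = {
    "config": "config from cloud.resource where",
    "event": "event from cloud.audit_logs where",
    "network": "network from vpc.flow_records where",
}

# A deprecated clause starts with "<type> where"; the supported form starts with
# "<type> from ... where", so it never matches this pattern.
_LEGACY_RE = re.compile(
    r"^\s*(config|event|network)\s+where\b\s*(.*)$", re.IGNORECASE | re.DOTALL
)


def _migrate_clause(clause: str) -> str:
    """Rewrite one ';'-delimited clause; returned unchanged if already supported."""
    match = _LEGACY_RE.match(clause)
    if not match:
        return clause.strip()
    kind, rest = match.group(1).lower(), match.group(2).strip()
    return f"{LEGACY_PREFIXES[kind]} {rest}"


def migrate_rql(query: str) -> str:
    """Rewrite every deprecated clause of a saved RQL query.

    Multi-clause queries ("... as X; ... as Y; filter ...; show X;") are split on
    ';' so each clause is migrated independently. Assumption: quoted strings in
    the query contain no ';' (true for the queries in these release notes).
    """
    return "; ".join(_migrate_clause(c) for c in query.split(";")).rstrip()


def needs_migration(query: str) -> bool:
    """True if any clause of the query still uses a deprecated prefix."""
    return any(_LEGACY_RE.match(c) for c in query.split(";"))


# Constructed sample of saved searches, not taken from any real tenant.
SAMPLE_SAVED_SEARCHES = [
    "config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'",
    "event where cloud.type = 'aws' AND operation IN ('ConsoleLogin')",
    "network where source.publicnetwork IN ('Internet IPs')",
    "config from cloud.resource where cloud.type = 'gcp'",
]

if __name__ == "__main__":
    for q in SAMPLE_SAVED_SEARCHES:
        status = "migrated " if needs_migration(q) else "unchanged"
        print(f"{status}: {migrate_rql(q)}")
```

The pattern anchors on "<type> where" at the start of each clause, so "config from cloud.resource where ..." is never touched and the helper is safe to run repeatedly over the same export.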

New Policies and Policy Updates

See the look ahead updates for planned features and policy updates for 22.3.1.

POLICY UPDATES DESCRIPTION

Policy Updates
Improved Anomalous Compute Provisioning Policy
To improve the detection capability and reduce the false negative rate of the Anomalous Compute Provisioning policy, it has been moved from subject-based modeling to cloud account-based modeling for volumetric detection. The activity from all subjects (for example, user accounts) belonging to the same account is now part of the model. Subjects with no or low activity during the training period qualify for anomaly detection, provided there are sufficient events at the account level.

REST API Updates

CHANGE DESCRIPTION

New Policy API Endpoint to Validate a Policy Rule
The following new Policy API endpoint is available. It enables you to validate a policy rule without creating a policy:
• POST /policy/rule/validate

Host Findings Count in Network Anomaly Alerts
The response object of the following API request no longer includes the host findings count:
• GET /alert/{id}
Specifically:
• For a network anomaly alert where the source host is the reported vulnerability, the response object no longer includes attribute metadata.anomalyDetail.srcHost.hostFindingCount.
• For a network anomaly alert where the target host is the reported vulnerability:
  • The response object no longer includes attribute targetHostFinding.
  • Response object attribute metadata.anomalyDetail.features[.targetHost.details[].h is null.
You can still access host findings data through:
• GET /resource/external_finding


New Features Introduced in 22.2.1


• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

Network Exposure of Cloud Resources
Prisma Cloud Network Security helps enhance your network security posture within public cloud environments. Its Network Analyzer engine automatically calculates net effective reachability of your cloud resources such as EC2, RDS, and Redshift ENIs. In addition, it helps detect unrestricted network access from the Internet or external network domains. Using the RQL query

config from network where

on the Investigate page, you can understand the reachability of your cloud assets and also validate if someone exploited the overly permissive network access.
Network exposure queries are currently supported only on AWS. Network exposure queries are currently not available in Government and China regions.

Adoption Advisor (GA)
Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier!
The Adoption Advisor is generally available to all and gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.

ServiceNow Test Incident Improvement
The Prisma Cloud integration with ServiceNow has been improved to generate only one test incident for the Open, Dismissed, or Resolved alert notification states configured within a notification template.
With this change, when you test a new integration, only a single incident is sent to your ServiceNow instance as it transitions through the different alert states.
This change is only applicable to the Incident and Security types in ServiceNow.

Change in Existing Behavior VM Count on Asset Inventory
The Asset Inventory page double counts the number of Azure VMs in your deployment. To address this issue, the 22.2.1 release includes a fix that will reduce the Azure VM count in half (drop of around 50%) in the Asset Inventory.
With this change, there is no impact on RQL or licensing.

API Ingestions
AWS CodeArtifact
aws-code-artifact-repository
Additional permissions required:
• codeartifact:ListRepositories
• codeartifact:DescribeRepository
• codeartifact:GetRepositoryPermissionsPolicy
• codeartifact:ListTagsForResource

AWS CodeArtifact
aws-code-artifact-domain
Additional permissions required:
• codeartifact:ListDomains
• codeartifact:DescribeDomain
• codeartifact:GetDomainPermissionsPolicy
• codeartifact:ListTagsForResource

Azure Traffic Manager
azure-traffic-manager-profile
Additional permission required:

Microsoft.Network/trafficManagerProfiles/read

Azure Quantum
azure-quantum-workspace
Additional permission required:

Microsoft.Quantum/Workspaces/Read

Google Identity Aware Proxy
gcloud-identity-aware-proxy-client
Additional permissions required:
• clientauthconfig.brands.list
• clientauthconfig.clients.listWithSecrets

OCI Networking
oci-networking-routetable
The permission required is:

inspect subnets

OCI Networking
oci-networking-internetgateway
The permission required is:

INTERNET_GATEWAY_READ

OCI Networking
oci-networking-drgattachment
The permission required is:

DRG_ATTACHMENT_READ

OCI Networking
oci-networking-drg
The permission required is:

DRG_READ

OCI Networking
oci-networking-localpeeringgateway
The permission required is:

LOCAL_PEERING_GATEWAY_READ

OCI Networking
oci-networking-natgateway
The permission required is:

NAT_GATEWAY_READ

OCI Networking
oci-networking-servicegateway
The permission required is:

SERVICE_GATEWAY_READ

OCI Networking
oci-networking-dns-zone
The permission required is:

DNS_ZONE_INSPECT

Update API Ingestion—SNS Subscription Attributes
The following API will no longer be ingested due to a high number of alerts generated:

aws-sns-get-subscription-attributes

Impact— Alerts will be resolved as Policy_Updated.

New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies
Azure MySQL Database Server using insecure TLS version
Identifies Azure MySQL Database Servers which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-server' AND json.rule = properties.sslEnforcement equals Enabled and properties.minimalTlsVersion does not equal TLS1_2

Azure Storage Account using insecure TLS version
Identifies Azure Storage Accounts which are using the insecure TLS version. As a best practice, use the newer TLS version as the minimum TLS version for Azure Storage Accounts.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.supportsHttpsTrafficOnly is true and properties.minimumTlsVersion does not equal TLS1_2

GCP VM instance OS login overrides Project metadata OS login configuration
Identifies GCP VM instances where the OS Login configuration is overriding the project OS Login configuration. Enabling OS Login ensures that the SSH keys used to connect to instances are mapped with IAM users. Revoking access to an IAM user will revoke all the SSH keys associated with that user—it facilitates centralized and automated SSH key pair management which is useful in handling cases like a response to compromised SSH key pairs.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.items[?any(key contains "enable-oslogin" and (value contains "Yes" or value contains "Y" or value contains "True" or value contains "true" or value contains "TRUE" or value contains "1"))] exists as X;
config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = (metadata.items[?any(key exists and key contains "enable-oslogin" and (value contains "False" or value contains "N" or value contains "No" or value contains "false" or value contains "FALSE" or value contains "0"))] exists and name does not start with "gke-" and status equals RUNNING) as Y;
filter '$.Y.zone contains $.X.name';
show Y;
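The OS Login policy above is a two-set join: set X is the projects whose common instance metadata enables OS Login, set Y is the running, non-GKE instances whose own metadata disables it, and the filter keeps the Y entries whose zone URL contains the name of an X project. The Python below is an added walk-through of that join on constructed project and instance records; it is not Prisma Cloud code and not the platform's RQL evaluator, and it compares normalised values exactly where the RQL uses substring matches (an assumption called out in the comments).

```python
# Values the policy treats as "OS Login enabled" / "disabled". The RQL matches
# them with substring "contains"; this example normalises and compares exactly,
# which is an assumption of the illustration, not the product's evaluation logic.
ENABLED_VALUES = {"yes", "y", "true", "1"}
DISABLED_VALUES = {"false", "n", "no", "0"}


def oslogin_setting(items):
    """Return True/False for an enable-oslogin metadata item, or None if absent."""
    for item in items or []:
        if "enable-oslogin" in item.get("key", ""):
            value = str(item.get("value", "")).strip().lower()
            if value in ENABLED_VALUES:
                return True
            if value in DISABLED_VALUES:
                return False
    return None


def projects_with_oslogin(projects):
    """Set X: names of projects whose common instance metadata enables OS Login."""
    return [
        p["name"]
        for p in projects
        if oslogin_setting(p.get("commonInstanceMetadata", {}).get("items")) is True
    ]


def instances_overriding_oslogin(instances):
    """Set Y: RUNNING, non-GKE instances whose own metadata disables OS Login."""
    return [
        i for i in instances
        if not i.get("name", "").startswith("gke-")
        and i.get("status") == "RUNNING"
        and oslogin_setting(i.get("metadata", {}).get("items")) is False
    ]


def find_oslogin_overrides(projects, instances):
    """Join X and Y on '$.Y.zone contains $.X.name' and return the instance names."""
    x_names = projects_with_oslogin(projects)
    return [
        i["name"]
        for i in instances_overriding_oslogin(instances)
        if any(name in i.get("zone", "") for name in x_names)
    ]


# Constructed sample resources (project and instance names are placeholders).
SAMPLE_PROJECTS = [
    {"name": "prod-project",
     "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "lab-project",
     "commonInstanceMetadata": {"items": []}},
]

# Zone URLs embed the project name, which is what the RQL filter relies on.
_ZONE = "https://www.googleapis.com/compute/v1/projects/{}/zones/us-central1-a"
SAMPLE_INSTANCES = [
    {"name": "web-1", "status": "RUNNING", "zone": _ZONE.format("prod-project"),
     "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
    {"name": "gke-pool-1", "status": "RUNNING", "zone": _ZONE.format("prod-project"),
     "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
    {"name": "batch-2", "status": "TERMINATED", "zone": _ZONE.format("prod-project"),
     "metadata": {"items": [{"key": "enable-oslogin", "value": "0"}]}},
    {"name": "db-1", "status": "RUNNING", "zone": _ZONE.format("prod-project"),
     "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}},
    {"name": "lab-vm", "status": "RUNNING", "zone": _ZONE.format("lab-project"),
     "metadata": {"items": [{"key": "enable-oslogin", "value": "No"}]}},
]

if __name__ == "__main__":
    print(find_oslogin_overrides(SAMPLE_PROJECTS, SAMPLE_INSTANCES))
```

Only web-1 is reported: gke-pool-1 is excluded by name, batch-2 by status, db-1 has OS Login enabled, and lab-vm disables it in a project that never enabled it at the project level, so there is no override to report.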

New Anomaly Policies
There are 16 new UEBA anomaly policies to detect user activity from the TOR anonymity network. TOR is often used by hackers to hide their identity so that their suspicious operations like creating copies of VM images won’t be traced back to them. Each policy corresponds to one of the different service groups available in AWS, Azure, and GCP—for example—analytics, containers, compute, security, storage, and web. All the policies are classified as high severity and identify defense evasion and impact attack tactics listed in the MITRE ATT&CK framework. The policies are disabled by default, but customers can manually enable them according to their security needs and the cloud services used in their environments. Here’s the list of UEBA policies:
• Suspicious activities in Security services
• Suspicious activities in Application Integration services
• Suspicious activities in Networking services
• Suspicious activities in Analytics services
• Suspicious activities in Monitoring / Management services
• Suspicious activities in Database services
• Suspicious activities in Compute services
• Suspicious activities in Storage services
• Suspicious activities in AI / ML services
• Suspicious activities in Containers services
• Suspicious activities in Migration services
• Suspicious activities in IoT services
• Suspicious activities in Dev Tools services
• Suspicious activities in Media services
• Suspicious login activity
• Suspicious activities in Web services

Reduction of Alerts for Anomaly Policies
The severity of the following anomaly policies is reduced from high to medium:
• Account hijacking attempts
• Excessive login failures
• Port scan activity (Internal)
• Port sweep activity (Internal)
• Spambot activity
• Unusual protocol activity (External)
• Unusual protocol activity (Internal)
• Unusual server port activity (External)
• Unusual server port activity (Internal)
• Unusual user activity
The severity of the following anomaly policies is reduced from high to low:
• Port scan activity (External)
• Port sweep activity (External)

New CNS Policies
AWS Redshift managed ENI reachable from any untrust internet source
Identifies Network interfaces attached to the Redshift cluster that are exposed to inbound traffic from any untrusted Internet source. Redshift clusters exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the Redshift cluster to known hosts or services only.

AWS RDS managed ENI reachable from any untrust internet source
Identifies Network interfaces attached to RDS instances that are exposed to inbound traffic from any untrusted Internet source. RDS instances exposed to the Internet are prone to external security threats. As a best practice, restrict network interfaces that are attached to the RDS instance to known hosts or services only.

AWS EC2 instance allows outbound unrestricted access (0.0.0.0/0) to the internet
Identifies EC2 instances that allow unrestricted outbound traffic to the Internet. As a best practice, restrict outbound traffic and limit the access to known hosts or services.

AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Identifies AWS EC2 instances that are reachable from the Internet with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port. EC2 instances with unrestricted access to the Internet enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.

Delete AWS Security Group Related Policies
Changes– The following config policies are deleted because Cloud Network Analyzer provides you alerts for resources which are truly exposed to the Internet. You can create custom policies to alert on specific ports:

• AWS Security Group overly permissive to all traffic
• AWS Security Group allows all traffic on
SMTP port (25)
• AWS Security Group allows all traffic on
ports which are not commonly used
• AWS Network ACLs with Outbound rule
to allow All Traffic
• AWS Network ACLs with Inbound rule to
allow All Traffic
• AWS Security Group allows all traffic on
ICMP (Ping) protocol
• AWS Security Group Inbound rule overly
permissive to all traffic on all protocols (-1)
• AWS EC2 instance associated with a
public IP subnet
• AWS Security Group allows all traffic on
CIFS port (445)
• AWS Security Group allows all traffic on
MYSQL port (4333)
• AWS Security Group allows all traffic on
MYSQL port (3306)
• AWS Security Group allows all traffic on
DNS port (53)
• AWS Security Group allows all traffic on
PostgreSQL port (5432)
• AWS Security Group allows all traffic on
NetBIOS port (138)
• AWS Security Group allows all traffic on
Windows RPC port (135)
• AWS Security Group allows all traffic on
SQL Server port (1433)
• AWS Security Group allows all traffic on
VNC Server port (5900)
• AWS Security Group allows all traffic on
SQL Server port (1434)
• AWS Security Group allows all traffic on
VNC Listener port (5500)
• AWS Security Group allows all traffic on
Telnet port (23)
• AWS Security Group allows all traffic on
FTP-Data port (20)

• AWS Security Group allows all traffic on FTP port (21)
• AWS Security Group allows all traffic on
NetBIOS port (137)
• AWS EC2 instances with Public IP and
associated with Security Groups have
Internet Access
• AWS Network ACLs allow ingress traffic
to server administration ports
• AWS Network ACLs with Inbound rule to
allow All ICMP IPv4
• AWS Network ACLs with Inbound rule to
allow All ICMP IPv6
• AWS Network ACLs with Outbound rule
to allow All ICMP IPv4
• AWS Network ACLs with Outbound rule
to allow All ICMP IPv6
• AWS Redshift clusters should not be
publicly accessible
Impact– Previously generated alerts will be
resolved as Policy_Deleted. The compliance
reports for the following are impacted:
APRA (CPS 234) Information Security, AWS
Foundational Security Best Practices standard,
CIS Amazon Web Services Foundations
Benchmark v 1.4.0, Cybersecurity Maturity
Model Certification (CMMC) v.1.02, Cloud
Security Alliance Cloud Controls Matrix (CCM)
Version 4.0.1, HITRUST v.9.4.2, ISO/IEC
27002:2013, ISO/IEC 27017:2015, ISO/IEC
27018:2019, Brazilian Data Protection Law
(LGPD), MAS TRM 2021, MLPS 2.0, MPAA
Content Protection Best Practices, NIST
SP 800-171 Revision 2, NIST SP 800-172,
NIST 800-53 Rev4, NIST 800-53 Rev 5,
NIST CSF, New Zealand Information Security
Manual (NZISM v3.4), PCI DSS v3.2.1, Risk
Management in Technology (RMiT), CCPA
2018, CSA CCM v3.0.1, GDPR, HITRUST CSF
v9.3, MITRE ATT

Delete Policies to Reduce Alert Fatigue The following policies are deleted to reduce
the number of alerts you receive:
• AWS EBS snapshot is not encrypted

• AWS SNS topic with server-side encryption disabled
• AWS CloudWatch Log groups encrypted
using default encryption key instead of
KMS CMK
• AWS entities with risky permissions
• AWS SNS topic not configured with
secure data transport policy
• AWS CloudFormation stack configured
without SNS topic
• GCP Storage bucket encrypted using
default KMS key instead of a customer-
managed key
• AWS Lambda functions with tracing not
enabled
• AWS CloudWatch Log groups not
configured with definite retention days
• AWS Lambda Function is not assigned to
access within VPC
• AWS Lambda Environment Variables not
encrypted at-rest using CMK
• AWS RDS DB snapshot is encrypted using
default KMS key instead of CMK
• GCP Firewall rule logging disabled
• AWS SQS server side encryption not
enabled
• GCP Pub/Sub topic is not encrypted using
a customer-managed encryption key
• GCP GCE Disk snapshot not encrypted
with CSEK
• AWS EBS Volume is unattached
• AWS EC2 instance detailed monitoring
disabled
• Azure Virtual Machine is not assigned to
an availability set
• AWS Certificate Manager (ACM) has
unused certificates
• GCP storage bucket is not configured with
default Event-Based Hold
• AWS CloudFront Distributions with Field-
Level Encryption not enabled

• AWS Elastic Load Balancer v2 (ELBv2) with deletion protection feature disabled
• GCP compute engine image not encrypted
using customer-managed key
• AWS ECS/Fargate task definition
execution IAM Role not found
• Azure Virtual Machine Boot Diagnostics
Disabled
• AWS Elastic Load Balancer (Classic) with
connection draining disabled
• GCP VM instances without metadata,
zone or label information
• AWS KMS Customer Managed Key not in
use
• AWS ECS fargate task definition logging is
disabled
• AWS SNS topic encrypted using default
KMS key instead of CMK
Impact– All open alerts will be resolved
as Policy_Deleted. In addition, the reports
for the following standards are impacted:
APRA (CPS 234) Information Security, AWS
Foundational Security Best Practices standard,
Cybersecurity Maturity Model Certification
(CMMC) v.1.02, Cloud Security Alliance
Cloud Controls Matrix (CCM) Version 4.0.1,
HITRUST v.9.4.2, ISO/IEC 27002:2013,
ISO/IEC 27017:2015, ISO/IEC 27018:2019,
Brazilian Data Protection Law (LGPD), MAS
TRM 2021, MLPS 2.0, NIST SP 800-171
Revision 2, NIST SP 800-172, NIST 800-53
Rev4, NIST 800-53 Rev 5, NIST CSF, New
Zealand Information Security Manual (NZISM
v3.4), PCI DSS v3.2.1, Risk Management in
Technology (RMiT), CCPA 2018, CSA CCM
v3.0.1, HITRUST CSF v9.3, MITRE ATT&CK
version 6.3, MITRE ATT&CK v8.2, PIPEDA,
SOC 2, and MITRE ATT&CK v10.0.

Policy Deletion
GCP sink not configured to export all log entries
This policy is deleted as GCP started supporting two cloud logging buckets named _Default and _Required. These two buckets can’t be modified and when combined, store all the logs specific to a GCP project.
Impact— Previously generated alerts will be resolved as Policy_Deleted.

Policy Updates—Metadata
Reduce Severity of CIS Policies
Changes— Cloud Network Analyzer replaces the following config policies to alert for resources that are truly exposed to the Internet; the severity of these policies is changed from high to low:
• AWS Security Group allows all traffic on
RDP port (3389)
• AWS Security Group allows all traffic on
SSH port (22)
• AWS Default Security Group does not
restrict all traffic
Impact– No impact on existing alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Update Azure CIS v1.4.0
The Azure Storage Account using insecure TLS version policy has been mapped to Azure CIS v1.4.0, section 3.12.
Impact— No impact on existing alerts. The compliance score may be impacted because a new mapping has been added.

Change Anomaly Policies No Longer Mapped to Compliance Standards
Anomaly policies are no longer mapped to any compliance standard supported on Prisma Cloud, except for the MITRE ATT&CK framework.

REST API Updates

CHANGE DESCRIPTION

CSPM API for Adoption Advisor
A new Adoption Advisor API enables you to explore data about the security capabilities you’ve adopted. It also uncovers unused capabilities that might optimize your security hygiene.

Features Introduced in January 2022


Learn what’s new on Prisma™ Cloud in January 2022.
• New Features Introduced in 22.1.2
• New Features Introduced in 22.1.1

New Features Introduced in 22.1.2


• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates
New Features

FEATURE DESCRIPTION

Alert Details Updates
The drill-downs for alerts have a new look and the navigation in the console is updated. You can easily edit the policy that triggered the alert, view the details on the resources and the policy recommendations in separate tabs, and when you select the Alert ID, the slide-out panel provides a better view of the alert details.
In addition, the page load time is much faster.

Length Limit for Field Names
The number of characters in user role name, access keys, and IP allow list names for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field.

Display Cloud Account Owner Details for AWS Organizations and Member Accounts
The account owner information of AWS Organization and member accounts is now fetched from the AWS account and displayed on Settings > Cloud Accounts.
Note: For AWS standalone accounts this is not supported.

API Ingestions
AWS Data Pipeline
aws-datapipeline-pipeline
Additional permissions required:
• datapipeline:DescribePipelines
• datapipeline:GetPipelineDefinition
• datapipeline:ListPipelines

Amazon S3
aws-s3api-get-bucket-acl
Additional permission required:

s3:GetBucketCORS

Azure Application Insights
azure-application-insights-component
Additional permission required:

Microsoft.Insights/Components/Read

Azure Storage Sync Services
azure-storage-sync-service
Additional permission required:

microsoft.storagesync/storageSyncServices/read

The following OCI APIs are ingested:
OCI Bare Metal and VM Databases
oci-oracledatabase-bmvm-dbsystem
Network Load Balancer
oci-networking-loadbalancer
With the ingestion of these APIs, Prisma Cloud now includes OCI Bare Metal and VM Databases and Network Load Balancer as licensable assets that use Prisma Cloud credits. These resources are added to the count of monitored resources on the Licensing page of the Prisma Cloud administrator console.

New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies
AWS RDS Cluster snapshot is accessible to public
Identifies AWS RDS Cluster snapshots which are publicly accessible. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If RDS Cluster snapshots are inadvertently publicly shared, any unauthorized user with AWS console access can gain access to the snapshots and access sensitive data.

config from cloud.resource where cloud.type = 'aws' and api.name= 'aws-rds-db-cluster-snapshots' AND json.rule = dbclusterSnapshotAttributes[?any( attributeName equals restore and attributeValues[*] contains "all" )] exists

Azure AD MFA is not enabled for the user
Identifies Azure users that do not have Active Directory Multi-Factor Authentication (AD MFA) enabled. Azure AD MFA is a best practice that adds an extra layer of protection on top of your username and password. MFA provides increased security for your Azure account settings and resources. As a best practice, enable AD MFA using Conditional Access policies to protect your users.

config from cloud.resource where api.name = 'azure-active-directory-credential-user-registration-details' AND json.rule = isMfaRegistered is false as X; config from cloud.resource where api.name = 'azure-active-directory-user' AND json.rule = accountEnabled is true as Y; filter '$.X.userDisplayName equals $.Y.displayName'; show X;

Azure Key Vault Key has no expiration date (Non-RBAC Key vault)
Identifies Azure Key Vault keys that do not have an expiration date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each key and rotate your keys regularly.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' and json.rule = keys[?any(attributes.exp equals -1 and attributes.enabled contains true)] exists and properties.enableRbacAuthorization is false

Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Identifies Azure Key Vault secrets that do not have an expiry date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each secret and rotate the secret regularly.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' and json.rule = secrets[?any(attributes.exp equals -1 and attributes.enabled contains true)] exists and properties.enableRbacAuthorization is false

Azure Service bus namespace configured with overly permissive authorization rules
Identifies Azure Service Bus namespaces configured with overly permissive authorization rules. Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace.
As a best practice, follow the least privileged security model to create access policies at the entity level for queues and topics to provide access to only the specific entity. All authorization rules except RootManageSharedAccessKey should be removed from the Service bus namespace.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = authorizationRules[*] size greater than 1 and authorizationRules[?any(name does not equal RootManageSharedAccessKey and properties.rights contains Manage)] exists

GCP API key not restricting any specific API Identifies GCP API keys that are not restricting any specific APIs. API keys that are insecure can be viewed publicly, such as from a browser, or accessed on a device where the key resides. As a best practice, restrict API keys to use only the APIs required by an application.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = restrictions.apiTargets does not exist

GCP API key not rotating in every 90 days Identifies GCP API keys that were created more than 90 days ago. Google recommends using the standard authentication flow instead of API keys, but there are limited scenarios where API keys are more appropriate. As a best practice, rotate your API keys every 90 days to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = "_DateTime.ageInDays(createTime) > 90"

Policy Updates—Metadata
GCP VPC Flow logs for the subnet is set to off
Changes— The CLI command now requires the following permission to enable GCP Flow logs, which capture information about the IP traffic going to and from networks in VPC subnets:

compute.subnetworks.update

Impact— If auto-remediation is enabled, alerts will be resolved as Remediated.

GCP Kubernetes Engine private cluster has private endpoint disabled
Changes— The RQL has been modified to comply with the latest CIS guidelines. The private cluster check has been changed to a private endpoint check, as the former is now deprecated, and the recommended steps have been updated to reflect the latest UI changes.
Current name— GCP Kubernetes Engine Clusters not configured with private cluster
Updated to— GCP Kubernetes Engine private cluster has private endpoint disabled
Current description— This policy identifies Kubernetes Engine Clusters which are not configured with the Private cluster. A private cluster makes your master inaccessible from the public internet, and nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet.
Updated to— This policy identifies GCP Kubernetes Engine private clusters with private endpoint disabled. A public endpoint might expose the current cluster and Kubernetes API version, and an attacker may be able to determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API. It is recommended to enable the private endpoint and disable public access on Kubernetes clusters.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'privateCluster does not exist or privateCluster is false'

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and privateClusterConfig exists and privateClusterConfig.enablePrivateEndpoint does not exist

Impact— Previously generated alerts will be resolved as Policy_Updated.

Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Changes— In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check.
Current name— Azure Key Vault secrets have no expiration date
Updated to— Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Impact— Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated.

Azure Key Vault Key has no expiration date (RBAC Key vault)
Changes— In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check.
Current name— Azure Key Vault Key have no expiration date
Updated to— Azure Key Vault Key has no expiration date (RBAC Key vault)
Impact— Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated.

AWS SQS queue access policy is overly permissive
The RQL has been updated to take the Condition statement into account when reporting AWS SQS resources.
Current—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Principal equals * and Effect equals Allow)] exists

Updated to—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Effect equals Allow and Action anyStartWith sqs: and (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists

Impact— Previously generated alerts for resources that have a Condition statement will be resolved as Policy_Updated.
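As an added illustration, not taken from the release notes or from Prisma Cloud itself, the following Python evaluates sample SQS queue policies against the logic of both the current and the updated RQL, so the effect of the Condition check and of the Principal.AWS form can be seen side by side. The queue names, ARNs and account id are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: the Attributes map that sqs:GetQueueAttributes returns for four
# queues. The "Policy" attribute is a JSON document serialised as a string, so it has to
# be parsed before the Statement list can be inspected. The account id is a placeholder.
ACCOUNT = "111122223333"
SAMPLE_QUEUES: Dict[str, Dict[str, str]] = {
    # Anonymous principal, no Condition: reported by both the current and the updated RQL.
    "orders-public": {
        "QueueArn": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-public",
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
            "Resource": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-public"}]}),
    },
    # Wildcard principal narrowed to one SNS topic by a Condition: only the current RQL
    # reports it; the updated RQL treats the Condition as a sufficient restriction.
    "orders-from-sns": {
        "QueueArn": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-from-sns",
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": ["sqs:SendMessage"],
            "Resource": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-from-sns",
            "Condition": {"ArnEquals": {
                "aws:SourceArn": f"arn:aws:sns:us-east-1:{ACCOUNT}:orders"}}}]}),
    },
    # Principal written as {"AWS": "*"}: equivalent to "*", but the current RQL
    # (Principal equals *) misses this form; the updated RQL (Principal.AWS contains *) catches it.
    "orders-aws-star": {
        "QueueArn": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-aws-star",
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-aws-star"}]}),
    },
    # Specific role principal: reported by neither rule.
    "orders-private": {
        "QueueArn": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-private",
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/order-worker"},
            "Action": "sqs:*", "Resource": f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-private"}]}),
    },
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(attributes: Dict[str, str]) -> List[Dict[str, Any]]:
    """Parse the serialised Policy attribute and return its Statement list (empty if none)."""
    policy = attributes.get("Policy")
    if not policy:
        return []
    return [s for s in _as_list(json.loads(policy).get("Statement")) if isinstance(s, dict)]


def _principal_is_wildcard(principal: Any) -> bool:
    """Both forms the updated RQL names: Principal equals * or Principal.AWS contains *."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def current_rql_matches(attributes: Dict[str, str]) -> bool:
    """Current RQL: Statement[?any(Principal equals * and Effect equals Allow)] exists."""
    return any(s.get("Effect") == "Allow" and s.get("Principal") == "*"
               for s in _statements(attributes))


def updated_rql_matches(attributes: Dict[str, str]) -> bool:
    """Updated RQL: Allow, an sqs: action, a wildcard principal, and no Condition block."""
    for stmt in _statements(attributes):
        if stmt.get("Effect") != "Allow":
            continue
        # Action anyStartWith sqs: (IAM action names are case-insensitive, so compare lowered)
        if not any(str(a).lower().startswith("sqs:") for a in _as_list(stmt.get("Action"))):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if "Condition" in stmt:  # Condition does not exist
            continue
        return True
    return False


def classify(queues: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, bool]]:
    """Map queue name -> (reported by current RQL, reported by updated RQL)."""
    return {name: (current_rql_matches(attrs), updated_rql_matches(attrs))
            for name, attrs in queues.items()}


if __name__ == "__main__":
    for name, (old, new) in classify(SAMPLE_QUEUES).items():
        print(f"{name:16} current={old!s:5} updated={new!s:5}")
```

The orders-from-sns queue is the case the Impact line describes: flagged under the current RQL, resolved as Policy_Updated under the new one.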

Policy Deletions The AWS entities with risky permissions policy is deleted to avoid duplicate alerts after the release of the new OOTB policies for AWS. It can be replaced by the following new AWS policies for specific entity types:
• AWS EC2 instance with IAM write access level
• AWS Lambda Function with IAM write access level
• Elasticbeanstalk Platform with IAM write access level
• ECS Task Definition with IAM write access level
• Okta User with IAM write access level
• IAM User with IAM write access level
• AWS EC2 instance with IAM permissions management access level
• AWS Lambda Function with IAM permissions management access level
• Elasticbeanstalk Platform with IAM permissions management access level
• ECS Task Definition with IAM permissions management access level
• Okta User with IAM permissions management access level
• IAM User with IAM permissions management access level
• AWS EC2 instance with org write access level
• AWS Lambda Function with org write access level
• Elasticbeanstalk Platform with org write access level
• ECS Task Definition with org write access level
• Okta User with org write access level
• IAM User with org write access level
Impact— Previously generated alerts will be resolved as Policy_Deleted.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK DESCRIPTION

Support for Azure Security Benchmark (V3) The Azure Security Benchmark (ASB) is a set of best practices for improving the security of workloads, data, and services on Azure. ASB is part of a set of holistic security guidelines that includes:
• Cloud Adoption Framework
• Azure Well-Architected Framework
• Microsoft Security Best Practices
• Microsoft Cybersecurity Reference Architectures (MCRA)

Updates for Azure Key Vault Policies The following Azure Key Vault related policies have been updated to include mappings for RBAC and Non-RBAC user roles:
• Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
• Azure Key Vault Key has no expiration date (Non-RBAC Key vault)
Impact— No impact on alerts.
The updated compliance benchmarks are: APRA, azure_pipeda, azure_mitre_attack_framework, CIS_Azure_130, cis_azure, NIST_800_172, CMMC_1_02, mlps20_azure, LGPD, CIS_Azure_120, NIST_800_53_R4_Azu_leg, NIST_CSF_v_1_1, CIS_Azure_131, CIS_Azure_140, NIST_800_171R2, CSA_CCM_v4, HITRUST942, NIST_800_53_R5_Azure, azure_mitre_attack_v8_framework, azure_ccpa, ISO_27017_2015, PCIDSS_321, and ISO_27002_2013.

REST API Updates

CHANGE DESCRIPTION

Removal of Deprecated Integration API Endpoints The following deprecated integration endpoints have been removed, except for integrations with Okta, Tenable, and Qualys:
• DELETE /integration/{id}
• POST /integration
• PUT /integration/{id}
• GET /integration
• GET /integration/{id}
• GET /integration/name
• POST /integration/test
A new Integration API is available to replace all the endpoints above except GET /integration/name.
Removal of Deprecated Notification Template API Endpoints The following deprecated notification template endpoints have been removed:
• DELETE /notification/template/{id}
• POST /notification/template
• PUT /notification/template/{id}
• GET /notification/template/{id}
• GET /notification/template
• POST /notification/template/clone/{id}
A new Notification Template API is available to replace the endpoints above.
The following deprecated endpoints have been removed with no replacement:
• GET /template/servicenow/{integrationId}/{incidentType}/fields
• GET /template/servicenow/{integrationId}/{incidentType}/fields/{objectName}/{referenceField}/suggestions
• GET /template/servicenow/{integrationId}/types
• GET /template/fields/jira/projects/{integrationId}/types
• GET /template/fields/jira/{integrationId}/{project}/{issueType}
• GET /template/fields/jira/issues/{integrationId}/{projectKey}
• GET /template/fields/jira/{integrationId}/{project}/{issueType}/users/{searchKey}
• GET /template/fields/jira/{integrationId}/{project}/{issueType}/{jiraEndpoint}/{fieldType}/{field}

Removal of Access Key API Ability to Update Expiration Timestamp The following endpoint no longer supports the ability to update the access key expiration timestamp:
• PUT /access_keys/{id}

Removal of Deprecated Alert Rules Endpoint to List Alert Rules The following deprecated alert rules API endpoint has been removed:
• GET /alert/rules
The following alert rules API endpoint provides similar functionality:
• GET /v2/alert/rule

Enterprise Settings API A new request body parameter accessKeyMaxValidity exists for the following enterprise settings endpoint:
• POST /settings/enterprise
You can use this parameter to set the maximum number of days an access key is valid. Further, accessKeyMaxValidity is available through the response object of the following endpoints:
• GET /settings/enterprise
• POST /settings/enterprise

Role Info in Login Refresh Session Endpoint Response The response object for the following endpoint now includes a roles attribute, which contains a list of permissions based on the user role type:
• GET /auth_token/extend

New Features Introduced in 22.1.1

• New Features
• New Policies and Policy Updates
• New Compliance Benchmarks and Updates
• REST API Updates

New Features

FEATURE DESCRIPTION

Limited GA Adoption Advisor Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier! The Adoption Advisor gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.

Code Security The all-new Code Security module is here for Prisma Cloud Enterprise Edition! To proactively improve the security posture of cloud infrastructure as you create, deploy, and maintain your business-impacting resources using IaC templates and automation pipelines, use the Code Security module to identify and protect against vulnerabilities, misconfigurations, and compliance violations in IaC templates such as Terraform, CloudFormation, and Helm. These capabilities let you embed tightly in DevOps workflows and tooling to provide fast feedback and enforce guardrails in code during the development lifecycle. Armed with a centralized view of all misconfigurations across scanned repositories on the Prisma Cloud administrative console, with filtering and searching to find code blocks and owners, you can review and address misconfigurations or violations very quickly. See Features Introduced in January 2022 for more.

Refreshed Enterprise Settings UI The Enterprise Settings page is refreshed to provide a better user experience.

Length Limit for User Profile Name Fields The number of characters in username, first name, and last name for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field.

New Operator for Wildcard Support in RQL Attributes The like operator is added to enable wildcard (*) support so that all available permissions in your cloud accounts are displayed. The following example uses the like operator:

config from iam where dest.cloud.account LIKE 'account-dev-3'

In this example, the results displayed will match all of the available permissions in account-dev-3. If you want to see the exact result for the search value, use the = operator.

Automatic Time Zone Detection— Change in Behavior The time zone is now set automatically for Prisma Cloud administrators. It is derived from the user's web browser and is based on the operating system that is used to access the Prisma Cloud administrative console. The Time Zone field that allowed you to select the time zone is removed from the User Profile, Settings > Users > Service Account, and Settings > SSO pages.

API Ingestions aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource for Log4j vulnerability
In addition to the existing APIs for aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource, the following API is now also ingested to protect from the Log4j vulnerability:

wafv2:ListResourcesForWebACL

AWS AppSync
aws-appsync-graphql-api
Additional permissions required:

appsync:ListGraphqlApis

Amazon DAX
aws-dax-cluster
Additional permissions required:
• dax:DescribeClusters
• dax:ListTags

Amazon DocumentDB
aws-docdb-db-cluster-parameter-group
Additional permissions required:
• rds:DescribeDBClusterParameters
• rds:DescribeDBClusterParameterGroups
• rds:ListTagsForResource

Amazon FSx
aws-fsx-file-system
Additional permissions required:

fsx:DescribeFileSystems

Amazon RDS
aws-rds-db-cluster-parameter-group
Additional permissions required:
• rds:DescribeDBClusterParameters
• rds:DescribeDBClusterParameterGroups
• rds:ListTagsForResource

Amazon QuickSight
aws-quicksight-dataset
Additional permissions required:
• quicksight:ListDataSets
• quicksight:ListTagsForResource

Amazon QuickSight
aws-quicksight-datasource
Additional permissions required:
• quicksight:ListDataSources
• quicksight:ListTagsForResource
Update AWS ECR Ingestion to ingest public repositories The API has been updated with the following information:
New API name:

aws-ecr-public-repositories

New permissions added to the CFT templates:
• ecr-public:DescribeRepositories
• ecr-public:GetRepositoryCatalogData
• ecr-public:GetRepositoryPolicy
• ecr-public:ListTagsForResource

Update Amazon Cognito The following new permission is required to ingest the aws-cognito-identity-pool API:

cognito-identity:DescribeIdentityPool

Without this permission, identity pool resources will not be ingested and all the existing resources will be marked as deleted.

Update Amazon EC2 The following new permission is required to ingest the disableApiTermination field in the aws-ec2-describe-instances API:

ec2:DescribeInstanceAttribute

Amazon Simple Email Service
aws-ses-identities
Additional permissions required:
• ses:GetIdentityDkimAttributes
• ses:GetIdentityPolicies
• ses:ListIdentityPolicies
• ses:ListIdentities

AWS Web Application Firewall (WAF) and WAFv2
aws-waf-classic-web-acl-resource
aws-waf-v2-web-acl-resource

Azure Cognitive Services
azure-cognitive-services-account
Additional permission required:

Microsoft.CognitiveServices/accounts/read

Azure Virtual Network Gateway
azure-virtual-network-gateway
Additional permission required:

Microsoft.Network/virtualNetworkGateways/read

Azure Virtual Network
azure-private-link-service
Additional permission required:

Microsoft.Network/privateLinkServices/read

Azure Virtual Network
azure-bastion-host
Additional permission required:

Microsoft.Network/bastionHosts/read

Azure Machine Learning
azure-machine-learning-workspace
Additional permission required:

Microsoft.MachineLearningServices/workspaces/read

Azure Recovery Services
azure-recovery-service-backup-protected-item
Additional permission required:

Microsoft.RecoveryServices/Vaults/backupProtectedItems/read

Azure Recovery Services
azure-recovery-service-vault
Additional permission required:

Microsoft.RecoveryServices/Vaults/read

Azure Web Application Firewall
azure-application-gateway-waf-policy
Additional permission required:

Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read

Google API Key
gcloud-api-key
Additional permission required:

apikeys.keys.list

Google Cloud Data Fusion
gcloud-datafusion-instance
Additional permissions required:
• datafusion.instances.list
• datafusion.instances.getIamPolicy

Google Container Analysis
gcloud-container-analysis-vulnerability-summary
Additional permission required:
• containeranalysis.occurrences.list

Google Cloud Memorystore
gcloud-redis-instances-list
Additional permission required:
• redis.instances.list

Google Compute Engine
gcloud-ssl-certificate
Additional permission required:

compute.sslCertificates.list

Google Cloud DNS
gcloud-dns-policy
Additional permission required:

dns.policies.list

Google Cloud Armor
gcloud-armor-security-policy
Additional permission required:

compute.securityPolicies.list

Google Cloud Resource Manager
gcloud-organization-project-info
Additional permission required:

resourcemanager.projects.list

Google Stackdriver Monitoring
gcloud-monitoring-notification-channel
Additional permission required:

monitoring.notificationChannels.list

Update Google Cloud Tasks and Google Cloud Run Permissions
The gcloud-cloud-task and gcloud-cloud-run-services-list APIs now require the cloudtasks.locations.list and run.locations.list permissions.

OCI Containers And Artifacts
oci-containers-artifacts-kubernetes-cluster-nodepool
Additional permission required:

inspect cluster-node-pools

OCI Networking
oci-networking-subnet
Additional permission required:

inspect subnets

New Policies and Policy Updates

POLICY UPDATES DESCRIPTION

New Policies AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability This policy identifies AppSync APIs attached with a WAFv2 Web Access Control List (ACL) that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the AppSync attached with WAFv2 Web ACL with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).

config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.n contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;

AWS AppSync not configured with AWS Web Application Firewall v2 (AWS WAFv2) This policy identifies AWS AppSync that is not configured with AWS Web Application Firewall (WAF). It is recommended to enable the AWS WAF service on API Gateway to protect against application layer attacks. To block malicious requests to your API Gateway, define the block criteria in the WAF Web Access Control List (ACL).

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn does not exist

AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability This policy identifies AWS API Gateway Rest APIs attached with an AWS Web Application Firewall v2 (WAFv2) Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the API Gateway Rest API attached with WAFv2 Web ACL with the AWS AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).

config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.n contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;

AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability This policy identifies AWS Application Load Balancers (ALB) attached with a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the ALB attached with WAFv2 WebACL with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.n contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;

AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability This policy identifies AWS CloudFront distributions attached with a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the CloudFront attached with WAFv2 Web ACL with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).

config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.n contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
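The four Log4j AMR policies above (AppSync, API Gateway, ALB, CloudFront) share one check on the attached Web ACL: both AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList must be present among its managed rule group statements. As an added example that is not Prisma Cloud's code, the Python below reproduces that check and the ARN join for the AppSync, API Gateway and CloudFront variants over constructed resource JSON in the shape the RQL walks; the ALB variant joins in the other direction, through the Web ACL's resources list, and is not shown. The ARNs and resource names are placeholders.

```python
from typing import Any, Dict, List, Set

# The two AWS Managed Rule groups that each of the four "not configured with AMR for
# Log4j Vulnerability" policies requires on the attached WAFv2 Web ACL.
REQUIRED_AMR_GROUPS: Set[str] = {
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
}

# Constructed samples shaped like the aws-waf-v2-web-acl-resource JSON the RQL walks
# (webACL.arn, webACL.rules[*].statement.managedRuleGroupStatement). Placeholder ARNs.
HARDENED_ARN = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/hardened/0001"
PARTIAL_ARN = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/partial/0002"
SAMPLE_WEB_ACLS: List[Dict[str, Any]] = [
    {"webACL": {"arn": HARDENED_ARN, "rules": [
        {"name": "bad-inputs", "statement": {"managedRuleGroupStatement": {
            "vendorName": "AWS", "name": "AWSManagedRulesKnownBadInputsRuleSet"}}},
        {"name": "anon-ip", "statement": {"managedRuleGroupStatement": {
            "vendorName": "AWS", "name": "AWSManagedRulesAnonymousIpList"}}},
    ]}},
    # Has the bad-inputs group but not the anonymous-IP list, plus an unrelated rate rule.
    {"webACL": {"arn": PARTIAL_ARN, "rules": [
        {"name": "bad-inputs", "statement": {"managedRuleGroupStatement": {
            "vendorName": "AWS", "name": "AWSManagedRulesKnownBadInputsRuleSet"}}},
        {"name": "rate-limit", "statement": {"rateBasedStatement": {
            "limit": 2000, "aggregateKeyType": "IP"}}},
    ]}},
]

# Constructed samples of the protected resources the policies join against, using the
# attribute each RQL names for the attached Web ACL (wafWebAclArn, webAclArn, webACLId).
ATTACHMENT_FIELD: Dict[str, str] = {
    "aws-appsync-graphql-api": "wafWebAclArn",
    "aws-apigateway-get-stages": "webAclArn",
    "aws-cloudfront-list-distributions": "webACLId",
}
SAMPLE_ATTACHED: List[Dict[str, Any]] = [
    {"api": "aws-appsync-graphql-api", "name": "orders-graphql", "wafWebAclArn": HARDENED_ARN},
    {"api": "aws-apigateway-get-stages", "name": "orders-rest/prod", "webAclArn": PARTIAL_ARN},
    {"api": "aws-cloudfront-list-distributions", "name": "EDIST0001", "webACLId": PARTIAL_ARN},
    {"api": "aws-cloudfront-list-distributions", "name": "EDIST0002", "webACLId": ""},
]


def managed_rule_groups(web_acl_resource: Dict[str, Any]) -> Set[str]:
    """Names of the managed rule groups referenced by the Web ACL's top-level rules."""
    groups: Set[str] = set()
    for rule in web_acl_resource.get("webACL", {}).get("rules", []):
        mrg = rule.get("statement", {}).get("managedRuleGroupStatement")
        if isinstance(mrg, dict) and mrg.get("name"):
            groups.add(mrg["name"])
    return groups


def missing_log4j_amr(web_acl_resource: Dict[str, Any]) -> Set[str]:
    """Required AMR groups the Web ACL lacks; an empty set means the RQL's NOT(...) is false."""
    return REQUIRED_AMR_GROUPS - managed_rule_groups(web_acl_resource)


def find_exposed_resources(attached: List[Dict[str, Any]],
                           web_acls: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Mirror the RQL join: report resource X when its attached Web ACL Y is missing a group."""
    by_arn = {acl["webACL"]["arn"]: acl for acl in web_acls}
    findings: Dict[str, List[str]] = {}
    for res in attached:
        arn = res.get(ATTACHMENT_FIELD[res["api"]])
        if not arn:
            continue  # "is not empty" fails: nothing attached, which the separate WAFv2 policy covers
        acl = by_arn.get(arn)
        if acl is None:
            continue  # the filter only matches a Web ACL that was ingested
        missing = missing_log4j_amr(acl)
        if missing:
            findings[res["name"]] = sorted(missing)
    return findings


if __name__ == "__main__":
    for name, missing in find_exposed_resources(SAMPLE_ATTACHED, SAMPLE_WEB_ACLS).items():
        print(f"{name}: missing {', '.join(missing)}")
```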

AWS WAF Classic (Regional) in use This policy identifies AWS WAF Classic that is in use. It is recommended to configure the AWS WAFv2 service to protect against application-layer attacks. To block malicious requests, define the block criteria in the WAFv2 Web ACL, which has more capability than WAF Classic.

config from cloud.resource where api.name = 'aws-waf-classic-web-acl-resource' AND json.rule = resources.apiGateway[*] exists or resources.applicationLoadBalancer[*] exists

AWS CloudFront not configured with AWS Web Application Firewall v2 (AWS WAFv2) This policy identifies AWS CloudFront distributions that are not configured with AWS WAFv2. It is recommended to configure the AWS WAFv2 service on CloudFront to protect against application-layer attacks. To block malicious requests to your CloudFront, define the block criteria in the WAFv2 Web ACL.

config from cloud.resource where api.name = 'aws-waf-classic-global-web-acl-resource' as X; config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as Y; filter '$.X.webACL.webACLId equals $.Y.webACLId'; show Y;

AWS API Gateway REST API not configured with AWS Web Application Firewall v2 (AWS WAFv2) This policy identifies AWS API Gateway REST APIs that are not configured with AWS WAF. It is recommended to enable the AWS WAF service on API Gateway REST API to protect against application layer attacks. To block malicious requests to your API Gateway REST API, define the block criteria in the WAF Web ACL.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn does not exist or webAclArn does not start with arn:aws:wafv2

Azure Application Gateway Web application firewall (WAF) policy rule disabled for Remote Command Execution This policy identifies Azure Application Gateway Web Application Firewall (WAF) policies that have the 'Remote Command Execution' rule disabled, which is known for the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the 'Remote Command Execution' rule under managed rules to help detect and mitigate the Log4j vulnerability.

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway-waf-policy' AND json.rule = properties.policySettings.state equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupO any(ruleId equals 944240 and state equals Disabled)] exists and properties.applicationGateways[*] is not empty

Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabled This policy identifies Azure Front Door WAF policies that have the 'Remote Command Execution' rule disabled, which is known for the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the 'Remote Command Execution' rule under managed rules to help detect and mitigate the Log4j vulnerability.

config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' AND json.rule = properties.policySettings.enabledState equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupO any(action equals Block and ruleId equals 944240 and enabledState equals Disabled)] exists as X; config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.frontendEndpoints[*].properties.webApplica exists and properties.provisioningState equals Succeeded as Y; filter '$.Y.properties.frontendEndpoints[*].properties.webAp contains $.X.name'; show X;

Azure Front Door does not have the Azure Web application firewall (WAF) enabled This policy identifies Azure Front Doors that do not have Azure WAF enabled. It is recommended to configure the Azure WAF service on the Front Doors to protect against application-layer attacks. To block malicious requests to your Front Doors, define the block criteria in the WAF rules.

config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webAp does not exist or ($.X.properties.frontendEndpoints[*].properties.webAp contains $.Y.name and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;

GCP Cloud Armor rule not configured with cve-canary This policy identifies GCP Cloud Armor rules where cve-canary is not enabled. The preconfigured cve-canary WAF rule can help detect and block exploit attempts of CVE-2021-44228 and CVE-2021-45046 to address the Apache Log4j vulnerability. It is recommended to create a Cloud Armor security policy with a rule blocking Apache Log4j exploit attempts.

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-armor-security-policy' AND json.rule = rules[*].match.expr.expression does not contain cve-canary or rules[?any(match.expr.expression contains cve-canary and action equals allow)] exists

OCI IAM policy with full administrative privileges across the tenancy to non Administrator This policy identifies IAM policies that grant full administrative privileges across the tenancy to non-Administrators. It is recommended to practice the principle of least privilege, which limits users' access rights strictly to what is required to do their jobs.

config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-policy' AND json.rule = lifecycleState equals ACTIVE and (statements[*] contains "to manage all-resources in tenancy" or statements[*] contains "to manage all-resources IN TENANCY") and name does not contain "Tenant Admin Policy"

Policy Updates—Metadata
AWS CloudFront origin protocol policy does not enforce HTTPS-only
Changes— The RQL has been updated to report only custom origins that support HTTPS communication; it ignores website endpoints from S3 buckets, EC2 instances, and custom websites. The policy description has been updated with newer standards.
Current—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = (origins.items[*] contains "customOriginConfig") and (origins.items[?(@.customOriginConfig.originProtocolPolicy)] does not contain "https-only")

Updated to—

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = enabled is true and origins.items[*] contains customOriginConfig and origins.items[?any(customOriginConfig.originProtocolPolicy does not contain https-only and ( domainName contains ".data.mediastore." or domainName contains ".mediapackage." or domainName contains ".elb." ))] exists

Impact— Low impact on existing alerts. Alerts with custom origins related to S3 buckets, EC2 instances, and custom websites will be resolved as Policy_Updated.

Azure Network Security Group allows all traffic on ports which are not commonly used
Changes— The RQL has been updated to include an existence check for the destinationPortRange parameter, which increases the accuracy of results.
Current—

config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and (destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, ) or destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *) ))] exists

Updated to—

config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and ((destinationPortRange exists and destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *)) or (destinationPortRanges is not empty and destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *))) )] exists

Impact— Previously reported alerts may be resolved as Policy_Updated.
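To make the effect of the new existence check concrete, the following is an added Python rendering of the updated NSG rule's conditions, run over a constructed NSG document. It is example code written for these notes, not Prisma Cloud's RQL engine or any code from Palo Alto Networks. It assumes the flat field names the RQL uses (access, direction, sourceAddressPrefix, protocol, destinationPortRange, destinationPortRanges), reads `destinationPortRanges[*] is not member of` as "any listed range is outside the allow-list", and models the previous query with a missing port field compared as a non-member, which is the over-reporting the `exists` / `is not empty` guards remove.

```python
"""Python rendering of the updated Azure NSG "ports which are not commonly
used" check (added example, not Prisma Cloud code), run over constructed
NSG JSON.

Assumptions: rule fields are the flat names used in the RQL; the
`destinationPortRanges[*] is not member of` clause is read as "any listed
range is outside the allow-list"; the previous query is modelled with a
missing port field treated as a non-member, which is the over-reporting the
new `exists` / `is not empty` guards remove.
"""

# Port list copied from the policy RQL above.
COMMON_PORTS = {
    "20", "21", "22", "23", "25", "53", "80", "135", "137", "138", "443", "445",
    "1433", "1434", "3306", "3389", "4333", "5432", "5500", "5900", "*",
}
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0", "::/0"}
PROTOCOLS = {"Tcp", "Udp", "Icmp", "*"}


def _inbound_allow_from_internet(rule: dict) -> bool:
    """The part of the any(...) clause shared by both versions of the RQL."""
    return (
        rule.get("access") == "Allow"
        and rule.get("direction") == "Inbound"
        and rule.get("sourceAddressPrefix") in INTERNET_SOURCES
        and rule.get("protocol") in PROTOCOLS
    )


def rule_matches_current(rule: dict) -> bool:
    """Previous RQL: no existence check, so a rule carrying neither port
    field still satisfies 'destinationPortRange is not member of (...)'."""
    if not _inbound_allow_from_internet(rule):
        return False
    single = rule.get("destinationPortRange")          # None when absent
    multi = rule.get("destinationPortRanges") or []
    return single not in COMMON_PORTS or any(p not in COMMON_PORTS for p in multi)


def rule_matches_updated(rule: dict) -> bool:
    """Updated RQL: a port field must exist (or be non-empty) before its
    value is compared against the common-port list."""
    if not _inbound_allow_from_internet(rule):
        return False
    single = rule.get("destinationPortRange")
    multi = rule.get("destinationPortRanges") or []
    single_hit = single is not None and single not in COMMON_PORTS
    multi_hit = bool(multi) and any(p not in COMMON_PORTS for p in multi)
    return single_hit or multi_hit


def flagged_rules(nsg: dict, check=rule_matches_updated) -> list:
    """Names of the securityRules in an NSG document that `check` flags."""
    return [r["name"] for r in nsg.get("securityRules", []) if check(r)]


# Constructed sample NSG (not real customer data).
SAMPLE_NSG = {
    "name": "example-nsg",
    "securityRules": [
        {"name": "allow-8080-from-internet", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "protocol": "Tcp", "destinationPortRange": "8080"},
        {"name": "allow-https-from-internet", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "Internet", "protocol": "Tcp", "destinationPortRange": "443"},
        {"name": "multi-range-from-anywhere", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "0.0.0.0/0", "protocol": "*",
         "destinationPortRanges": ["22", "9000-9100"]},
        {"name": "no-port-fields", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "::/0", "protocol": "Udp"},
        {"name": "deny-all", "access": "Deny", "direction": "Inbound",
         "sourceAddressPrefix": "*", "protocol": "*", "destinationPortRange": "*"},
    ],
}

if __name__ == "__main__":
    print("current RQL flags:", flagged_rules(SAMPLE_NSG, rule_matches_current))
    print("updated RQL flags:", flagged_rules(SAMPLE_NSG))
```

The rule named no-port-fields is the case the change targets: it is open to the Internet but carries no destination port information at all, so the older query reported it while the updated query, requiring a port field to exist before comparing it, does not.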

Azure App Service Web app doesn’t use latest Java version
Changes— The RQL has been updated to consider Java 8 and Windows web app service for Java. The policy description and recommendation steps have been updated accordingly.
Updated to—

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'properties.state equals Running and ((config.isJava11VersionLatest exists and config.isJava11VersionLatest equals false) or (config.javaVersion exists and (config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11)) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and config.linuxFxVersion contains 8 and config.linuxFxVersion does not contain 8-jre8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP and config.linuxFxVersion does not contain 7-java8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains TOMCAT and config.linuxFxVersion does not contain -jre8))'

Impact— New alerts might be triggered for Java 8 and Windows web app services that use Java.

Azure SQL Server ADS Vulnerability Assessment is disabled and SQL servers which do not have Azure Active Directory admin configured
The severity of the above policies has been changed from Medium to Low.
Impact— No impact on alerts.

SQL databases has encryption disabled
Changes— The policy name, description, and recommendation have been updated to maintain uniformity across all policies. The RQL syntax has also been updated.
Current name— SQL databases has encryption disabled
Updated to— Azure SQL database TDE encryption disabled

config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-db-list' AND json.rule = transparentDataEncryption is false

Impact— No impact on existing alerts.

Update policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Centre)
Changes— The policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Centre) have been updated for the following policies to reflect the recent changes of CIS v1.4.0:
• Azure Security Center Defender set to Off for Servers
• Azure Security Center Defender set to Off for App Service
• Azure Security Center Defender set to Off for Azure SQL database servers
• Azure Security Center Defender set to Off for SQL servers on machines
• Azure Security Center Defender set to Off for Storage
• Azure Security Center Defender set to Off for Kubernetes
• Azure Security Center Defender set to Off for Container Registries
• Azure Security Center Defender set to Off for Key Vault
• Azure Security Center WDATP integration Disabled
• Azure Security Center MCAS integration Disabled
• Azure Security Center automatic provisioning of monitoring agent is set to Off
• Azure Security Center contact email not set
• Azure Security Center send email notifications set to 'Off'
• Azure Security Center email notification for subscription owner is not set

GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Changes— The policy name and RQL are modified to support the latest CIS guideline to check if the clusters are configured with the old method of authentication. The policy metadata is updated as per the latest UI.
Current Policy Name— GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Updated Policy Name— GCP Kubernetes Engine Cluster Client Certificate is not disabled
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuth.clientKey does not exist or masterAuth.clientCertificate does not exist'

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuth.clientKey exists or masterAuth.clientCertificate exists)

Impact— Low impact on existing alerts.

Updates to the CLI for remediable GCP firewall policies
The CLI for the following policies is updated to disable the firewall rule instead of deleting the rule:
• GCP Firewall rule allows all traffic on SSH port (22)
• GCP Firewall rule allows all traffic on RDP port (3389)
• GCP Firewall rule allows inbound traffic from anywhere with no specific target set
• GCP Default Firewall rule is overly permissive (except http and https)

Additional permissions required:

compute.firewalls.update

compute.networks.updatePolicy

Impact— No direct impact on alerts. If you have enabled auto-remediation for the policy, alerts will be resolved as ‘Remediated’.

Updates to the RQL and CLI for GCP Firewall Policies

GCP Firewall rule allows all traffic on DNS port (53)
Change— The RQL is modified to check if the firewall rule is disabled and include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'

Impact— Low impact on existing alerts.

GCP Firewall rule allows all traffic on FTP port (21)
Change— The RQL is modified to check if the firewall rule is disabled and include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule.
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'

Updated to—

config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
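The DNS (53) and FTP (21) updates above share one shape: add a `disabled is false` guard and accept `::/0` as well as `0.0.0.0/0`. The following added Python example, written for these notes and not taken from Prisma Cloud, renders both the previous and the updated check for an arbitrary port over constructed firewall rule JSON in the gcloud firewall-rules list shape. It assumes `_Port.inRange(p,p)` can be modelled as "port p lies inside one of the rule's allowed port entries", where an entry is either a single port such as "53" or a range such as "20-21".

```python
"""Python rendering of the updated GCP firewall-rule port checks (added
example, not Prisma Cloud code), parameterised on the port so it covers the
DNS (53) and FTP (21) policies above. Runs over constructed rule JSON.

Assumption: `_Port.inRange(p,p)` is modelled as "p lies inside one of the
allowed port entries", an entry being "53" or a range like "20-21".
"""

WORLD_SOURCES = {"0.0.0.0/0", "::/0"}


def _port_in_entry(port: int, entry: str) -> bool:
    """True when `port` falls inside a gcloud port entry ("53" or "20-21")."""
    lo, _, hi = entry.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def _allows_port(allowed: dict, port: int) -> bool:
    """Mirror of the allowed[?any(...)] clause: an explicit port match, or a
    tcp/udp entry with no `ports` key at all, which permits every port."""
    proto = allowed.get("IPProtocol", "")
    if "ports" not in allowed:
        return "tcp" in proto or "udp" in proto
    return any(_port_in_entry(port, e) for e in allowed["ports"])


def rule_matches_current(rule: dict, port: int) -> bool:
    """Previous RQL: IPv4-only source check and no look at `disabled`."""
    return "0.0.0.0/0" in rule.get("sourceRanges", []) and any(
        _allows_port(a, port) for a in rule.get("allowed", [])
    )


def rule_matches_updated(rule: dict, port: int) -> bool:
    """Updated RQL: the rule must be enabled, and either 0.0.0.0/0 or ::/0
    in sourceRanges counts as open to the world."""
    if rule.get("disabled", False):
        return False
    if not (set(rule.get("sourceRanges", [])) & WORLD_SOURCES):
        return False
    return any(_allows_port(a, port) for a in rule.get("allowed", []))


def flagged(rules: list, port: int, check=rule_matches_updated) -> list:
    """Names of the rules that `check` reports for `port`."""
    return [r["name"] for r in rules if check(r, port)]


# Constructed sample rules (not real project data).
SAMPLE_RULES = [
    {"name": "dns-open-v4", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "dns-open-v6", "disabled": False, "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "ftp-open-but-disabled", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-21"]}]},
    {"name": "all-tcp-from-anywhere", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "ftp-from-corp", "disabled": False, "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["21"]}]},
    {"name": "icmp-from-anywhere", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
]

if __name__ == "__main__":
    for port in (53, 21):
        print(f"port {port} current:", flagged(SAMPLE_RULES, port, rule_matches_current))
        print(f"port {port} updated:", flagged(SAMPLE_RULES, port))
```

Two rules show the two halves of the change: dns-open-v6 is only reported by the updated check because its source range is `::/0`, and ftp-open-but-disabled is only reported by the previous check because the updated one skips disabled rules. The all-tcp-from-anywhere rule is reported for both ports by both versions, since an allowed entry without `ports` covers every port.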

GCP storage bucket is not configured with default Event-Based Hold
Changes— The recommendation steps are updated to be compliant with the latest UI updates on Google Cloud Platform.
Impact— No impact on alerts as the change includes only metadata modifications.

OCI IAM policy with full administrative privileges across the tenancy to non Administrator
Update— The policy is updated to map to OCI CIS v1.0.0 and v1.1.0 requirement 1.2.
Impact— The compliance score will change.

Policy Deletions

AWS entities with risky permissions
This policy is being deprecated and we are adding policies that identify write permissions for different services on AWS that are risky.
Impact— All existing alerts related to this policy will be removed. To activate all the new policies verify your global policy defaults for automatically enabling policies based on severity by selecting Settings > Enterprise Settings > Auto enable default policies of the type.

AWS SNS subscription is not configured with HTTPS
The policy has been deleted due to a high volume of SNS subscriptions and its impact on Time to Ingest (TTI). Support for aws-sns-get-subscription-attribute will be discontinued, and compliance standards referred to by this policy are also deleted.
Impact— Alerts generated for these policies will be resolved as Policy_Deleted.

New IAM Policies

Learn about the new IAM out-of-the-box (OOTB) policies.

AWS EC2 instance with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks in your AWS account by ensuring that the AWS EC2 instances provisioned in your account don’t have a risky set of write permissions.

AWS Lambda Function with IAM write access level
Identifies IAM write permissions that are defined as risky permissions in your AWS account. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions.

Elasticbeanstalk Platform with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

ECS Task Definition with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

Okta User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the Okta users in your AWS account don’t have a risky set of write permissions associated with them.

IAM User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions associated with them.

AWS EC2 instance with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

AWS Lambda Function with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

Elasticbeanstalk Platform with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

ECS Task Definition with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.

Okta User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the Okta Users in your AWS account don’t have a risky set of write permissions.

IAM User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions.

AWS EC2 instance with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions.

AWS Lambda Function with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions.

Elasticbeanstalk Platform with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions.

ECS Task Definition with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions.

Okta User with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the Okta Users in your AWS account don’t have a risky set of write permissions.

IAM User with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions.

AWS Lambda Layer Version that is publicly accessible through IAM policies
Identifies the AWS Lambda Layer Version resources which are publicly accessible through IAM policies. This policy prevents the exposure of sensitive data by ensuring that the AWS Lambda Layer Version resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS ECR Repository that is publicly accessible through IAM policies
Identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS Lambda Function that is publicly accessible through IAM policies
Identifies the AWS Lambda Function resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Lambda Function resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS S3 bucket that is publicly accessible through IAM policies
Identifies the AWS S3 bucket resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS S3 bucket resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS SQS Queue that is publicly accessible through IAM policies
Identifies the AWS SQS Queue resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SQS Queue resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS SNS Topic that is publicly accessible through IAM policies
Identifies the AWS SNS Topic resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SNS Topic resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS Secret Manager Secret that is publicly accessible through IAM policies
Identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS KMS Key that is publicly accessible through IAM policies
Identifies the AWS KMS Key resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS KMS Key resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS EC2 with IAM wildcard resource access
Identifies AWS EC2 instances with the AWS resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS resources provisioned in your AWS account are not publicly accessible from the Internet.

AWS Lambda Function with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy will identify those asterisks only in case using an asterisk is not mandatory; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement.

AWS Elasticbeanstalk Platform with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy will identify those asterisks only in case using an asterisk is not mandatory; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement.

AWS ECS Task Definition with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy will identify those asterisks only in case using an asterisk is not mandatory; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement.

Okta User with IAM wildcard resource access
Identifies Okta Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy will identify those apostrophes only in case using an apostrophe is not mandatory; this ensures that the AWS policies don’t have an apostrophe in the resource section of the policy statement.

IAM User with IAM wildcard resource access
Identifies IAM Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy will identify those apostrophes only in case using an apostrophe is not mandatory; this ensures that the AWS policies don’t have an apostrophe in the resource section of the policy statement.

Azure AD user with effective permissions to create AWS IAM users
Identifies Azure AD users that can create an AWS IAM user, as this can lead to a backdoor in the cloud environment. This policy ensures that Azure AD users have least privilege access by granting only the permissions required to perform a task, instead of providing excessive permissions.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK / DESCRIPTION

NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF
The AWS CloudFormation stack configured without SNS topic policy has been removed from NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF compliance benchmarks because it was incorrectly mapped.
Impact— The compliance score will change.

CIS Azure v1.4.0
Prisma Cloud provides compliance support for CIS Microsoft Azure Foundations Benchmark v1.4.0. The CIS Azure v1.4.0 has 9 sections with 115 requirements and Prisma Cloud supports 86 requirements across all sections.

REST API Updates

CHANGE / DESCRIPTION

Length Limit for Some User Profile API Request Body Parameters
A 300-character limit now applies to request parameters for user and account service names. This limit affects the request body parameters for the User Profile API endpoints shown below. The affected request body parameters are listed after each endpoint:
• PUT /user/me
  • firstName
  • lastName
• POST /v3/user
  • firstName
  • lastName
  • username
• PUT /v3/user
  • firstName
  • lastName
  • username
• POST /v2/user
  • firstName
  • lastName
• PUT /v2/user
  • firstName
  • lastName

New Integration and Notification Template API Endpoints
New Integration API endpoints are available to replace the endpoints that have been deprecated for all integrations except Okta, Qualys, and Tenable. New Notification Template API endpoints are also available to replace some of the deprecated Notification Template endpoints.

Response Property for Some Resource and Search API Endpoints Removed
The property ResourceMetaModel.hasAlert has been removed. This property no longer appears in the response objects for the following requests:
• POST /resource
• POST /search/config
• POST /search/config/page

Resource Discovery Timestamp Available Through Search API Endpoints
A new property ResourceMetaModel.createTs identifies the timestamp when Prisma Cloud first discovered a given resource. This property is available in the response objects for the following requests:
• POST /search/config
• POST /search/config/page

Limited GA Features on Prisma Cloud

Review the Prisma Cloud features that have limited general availability (LGA) on some stacks for select customers.

The LGA features are not available on all stacks and are subject to change by the general availability (GA) release.

LGA Features

FEATURE / DESCRIPTION

Support for Onboarding IBM Cloud
Prisma Cloud allows you to onboard and protect your resources deployed on the IBM cloud infrastructure from a single console. Gain complete visibility and control over potential risks within your IBM cloud infrastructure across all the Multi-Zone Regions (MZR). You can now manage vulnerabilities, ensure compliance, and provide runtime defense for your resources in the IBM cloud.

Resource Tag Filter in Asset Inventory
A new Resource Tag filter is now available in the Prisma Cloud Asset Inventory, which allows you to focus on assets based on the resource tags present. Once you filter based on the Resource Tag, the Asset Inventory will display only the assets that contain the Resource Tags you specified.

Resolved Alert Notification to External Integrations
The alert notification system is enhanced to send resolved notifications to external integrations such as ServiceNow or Jira (integrations that support the state change) when you delete a cloud account or update an alert rule on the Prisma Cloud administrative console. For example, when the cloud account or the alert rule associated with an open alert is deleted, the alert status is updated as resolved on Prisma Cloud and the corresponding resolved notification will be sent to the supported integration channels where the open alert notification was sent.

Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned in the 23.8.3 release. The Look Ahead announcements are for an upcoming or next release and it is not a cumulative list of all announcements.
Note that the details and functionality listed below are a preview and the actual release date is subject to change.
• New Policies
• Policy Updates
• IAM Policy Updates
• API Ingestions
• Deprecation Notices

New Policies
Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.

Access the Look Ahead for New Policies

To learn about the new policies that will be added in the next release:
1. Find the Prisma Cloud policies folder on GitHub.
The folder contains RQL based Config, Network, and Audit Event policies in JSON format. View the GitHub repo.
2. Select the branch for which you want to review policy updates.
The Master branch represents the current Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch, to review the policies that were published previously or are planned for the upcoming release.
Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-<year>.<month>.<release-chronology, 1 or 2>. For example, PCS-23.8.3.
3. Review the updates.
Use the changelog.md file for a cumulative list of all policies that are added to a specific release. The policies are grouped by new policies and updated policies.
Use the policies folder to review the JSON for each policy that is added or updated as listed in the changelog. The filename for each policy matches the policy name listed in the changelog.
Within each policy file, the JSON field names are described aptly to help you easily identify the characteristic it represents. The JSON field named searchModel.query provides the RQL for the policy.


Policy Updates

POLICY UPDATES / DESCRIPTION

Updates to Attack Path Policy Names
All Attack Path policy names are being revised to use a new format to help you identify the risks and impact better.
Impact— No impact since only the policy names will be updated.

Policy Updates—RQL

AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured
Changes— The policy RQL will be updated to not trigger an alert when the HTTP listener requests are redirected to an HTTPS URL.
Severity— Low
Policy Type— Config
Current RQL—

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any( protocol equals HTTP or protocol equals TCP or protocol equals UDP or protocol equals TCP_UDP )] exists as X; config from cloud.resource where api.name = 'aws-elbv2-target-group' AND json.rule = targetType does not equal alb and protocol exists and protocol is not member of ('TLS', 'HTTPS') as Y; filter '$.X.listeners[?any( protocol equals HTTP or protocol equals UDP or protocol equals TCP_UDP )] exists or ( $.X.listeners[*].protocol equals TCP and $.X.listeners[*].defaultActions[*].targetG contains $.Y.targetGroupArn)'; show X;

Updated RQL—

config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any( protocol is member of (HTTP,TCP,UDP,TCP_UDP) and defaultActions[?any( redirectConfig.protocol contains HTTPS)] does not exist )] exists as X; config from cloud.resource where api.name = 'aws-elbv2-target-group' AND json.rule = targetType does not equal alb and protocol exists and protocol is not member of ('TLS', 'HTTPS') as Y; filter '$.X.listeners[?any( protocol equals HTTP or protocol equals UDP or protocol equals TCP_UDP )] exists or ( $.X.listeners[].protocol equals TCP and $.X.listeners[].defaultActions[*].targetGr contains $.Y.targetGroupArn)'; show X;

Impact— Low. Existing alerts where the Listener requests are redirected to an HTTPS URL will be resolved.

GCP VM instance configured with default service account
Changes— The policy RQL will be updated to check for Default Service Accounts with editor role.
Severity— Informational
Policy Type— Config
Current RQL—

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = (status equals RUNNING and name does not start with "gke-") and serviceAccounts[?any( email contains "compute@developer.gserviceaccount.com")] exists

Updated RQL—

config from cloud.resource where api.name = 'gcloud-projects-get-iam-user' AND json.rule = user contains "compute@developer.gserviceaccount.com" and roles[*] contains "roles/editor" as X; config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = (status equals RUNNING and name does not start with "gke-") and serviceAccounts[?any( email contains "compute@developer.gserviceaccount.com")] exists as Y; filter '$.Y.serviceAccounts[*].email contains $.X.user'; show Y;

Impact— Low. Existing alerts where the default service account does not have the editor role attached will be resolved.

IAM Policy Updates

Prisma Cloud will update the following Azure IAM out-of-the-box (OOTB) policies. In each case the updated RQL adds the clause action.name DOES NOT END WITH 'read', so identities that hold only read permissions on Key Vault no longer match.

Policy Name— Azure VM instance associated managed identities with Key Vault management access (data access is not included)
Description— With access to the 'Microsoft.KeyVault' service, an adversary can elevate the access of the VM instance, expanding the attack surface and granting access to cloud resources with sensitive information.
Current RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.service.name = 'Microsoft.KeyVault' AND source.cloud.service.name = 'Microsoft.Compute'

Updated RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.service.name = 'Microsoft.KeyVault' AND source.cloud.service.name = 'Microsoft.Compute' AND action.name DOES NOT END WITH 'read'

Policy Name— Azure Managed Identity (user assigned or system assigned) with broad Key Vault management access
Description— Managed identities provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Providing Key Vault management access lets non-human identities manage key vaults. The least privilege model should be enforced and unused sensitive permissions should be revoked.
Current RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*'

Updated RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type IN ( 'System Assigned', 'User Assigned' ) AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*' AND action.name DOES NOT END WITH 'read'

Policy Name— Azure Service Principals with broad Key Vault management access
Description— Service principals provide an automatic way for applications to connect to resources that support Azure Active Directory (Azure AD) authentication. Providing Key Vault management access lets non-human identities manage key vaults. The least privilege model should be enforced and unused sensitive permissions should be revoked.
Current RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*'

Updated RQL—

config from iam where source.cloud.type = 'Azure' AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*' AND action.name DOES NOT END WITH 'read'

Policy Name— Azure AD users with broad Key Vault management access
Description— Providing Key Vault access lets users manage key vaults. The least privilege model should be enforced and unused sensitive permissions should be revoked.
Current RQL—

config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*'

Updated RQL—

config from iam where source.cloud.type = 'Azure' AND source.cloud.resource.type = 'user' AND dest.cloud.service.name = 'Microsoft.KeyVault' AND dest.cloud.resource.name = '*' AND action.name DOES NOT END WITH 'read'
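To see which findings the added action.name clause resolves, the following added example (not Prisma Cloud code or RQL) applies the conditions of the four policies to constructed permission records, once without and once with the new clause. Record keys mirror the RQL attribute names; the entity-type value "User" for AD users and the action names are constructed, and the suffix match is done case-insensitively, which is an assumption about how RQL compares strings.

```python
"""Apply the current and updated Azure Key Vault IAM policies to sample records.

Added example, not Prisma Cloud code. Each record is one permission grant
(a row of the IAM relationship data); keys mirror the RQL attribute names.
All values are constructed.
"""

RECORDS = [
    {"id": "mi-1", "grantedby.cloud.entity.type": "System Assigned",
     "source.cloud.service.name": "Microsoft.Compute", "source.cloud.resource.type": "vm",
     "dest.cloud.service.name": "Microsoft.KeyVault", "dest.cloud.resource.name": "*",
     "action.name": "Microsoft.KeyVault/vaults/read"},
    {"id": "mi-2", "grantedby.cloud.entity.type": "User Assigned",
     "source.cloud.service.name": "Microsoft.Compute", "source.cloud.resource.type": "vm",
     "dest.cloud.service.name": "Microsoft.KeyVault", "dest.cloud.resource.name": "*",
     "action.name": "Microsoft.KeyVault/vaults/accessPolicies/write"},
    {"id": "sp-1", "grantedby.cloud.entity.type": "Service Principal",
     "source.cloud.service.name": "Microsoft.Web", "source.cloud.resource.type": "serviceprincipal",
     "dest.cloud.service.name": "Microsoft.KeyVault", "dest.cloud.resource.name": "*",
     "action.name": "Microsoft.KeyVault/vaults/delete"},
    {"id": "user-1", "grantedby.cloud.entity.type": "User",
     "source.cloud.service.name": "Microsoft.AAD", "source.cloud.resource.type": "user",
     "dest.cloud.service.name": "Microsoft.KeyVault", "dest.cloud.resource.name": "*",
     "action.name": "Microsoft.KeyVault/vaults/read"},
    # Scoped to one vault, so it never matches the "broad" (resource name '*') policies.
    {"id": "user-2", "grantedby.cloud.entity.type": "User",
     "source.cloud.service.name": "Microsoft.AAD", "source.cloud.resource.type": "user",
     "dest.cloud.service.name": "Microsoft.KeyVault", "dest.cloud.resource.name": "prod-kv",
     "action.name": "Microsoft.KeyVault/vaults/write"},
]

MANAGED_IDENTITY = ("System Assigned", "User Assigned")

# Equality / IN conditions taken from each policy's current RQL.
POLICIES = {
    "VM managed identities with Key Vault management access": {
        "grantedby.cloud.entity.type": MANAGED_IDENTITY,
        "dest.cloud.service.name": ("Microsoft.KeyVault",),
        "source.cloud.service.name": ("Microsoft.Compute",),
    },
    "Managed Identity with broad Key Vault management access": {
        "grantedby.cloud.entity.type": MANAGED_IDENTITY,
        "dest.cloud.service.name": ("Microsoft.KeyVault",),
        "dest.cloud.resource.name": ("*",),
    },
    "Service Principals with broad Key Vault management access": {
        "grantedby.cloud.entity.type": ("Service Principal",),
        "dest.cloud.service.name": ("Microsoft.KeyVault",),
        "dest.cloud.resource.name": ("*",),
    },
    "AD users with broad Key Vault management access": {
        "source.cloud.resource.type": ("user",),
        "dest.cloud.service.name": ("Microsoft.KeyVault",),
        "dest.cloud.resource.name": ("*",),
    },
}


def matches(record, conditions, exclude_read=False):
    """True when every condition holds; with exclude_read also require that the
    action does not end with 'read' (the clause added in the updated RQL)."""
    if any(record.get(key) not in allowed for key, allowed in conditions.items()):
        return False
    return not (exclude_read and record["action.name"].lower().endswith("read"))


def findings(records, conditions, exclude_read=False):
    """IDs of records the policy flags (current RQL, or updated RQL if exclude_read)."""
    return [r["id"] for r in records if matches(r, conditions, exclude_read)]


def resolved_by_update(records, conditions):
    """Findings raised by the current RQL that the updated RQL no longer raises."""
    return sorted(set(findings(records, conditions)) - set(findings(records, conditions, True)))


if __name__ == "__main__":
    for name, conditions in POLICIES.items():
        print(f"{name}: current={findings(RECORDS, conditions)} "
              f"updated={findings(RECORDS, conditions, True)} "
              f"resolved={resolved_by_update(RECORDS, conditions)}")
```

With this data the read-only grants mi-1 and user-1 are the ones that stop alerting; the write and delete grants keep alerting, which is the intended effect of the update.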

API Ingestions

Amazon EFS
API— aws-efs-access-point
Additional permission required:
• elasticfilesystem:DescribeAccessPoints
You must manually add or update the CFT template to enable the above permission.

Amazon Inspector
API— aws-inspector-v2-account-status
Additional permission required:
• inspector2:BatchGetAccountStatus
The Security Audit role includes the permission.

AWS Systems Manager
API— aws-ssm-custom-inventory-entry
Additional permissions required:
• ssm:GetInventory
• ssm:GetInventorySchema
• ssm:ListInventoryEntries
The Security Audit role only includes ssm:ListInventoryEntries. You must manually add or update the CFT template to enable the following permissions:
• ssm:GetInventory
• ssm:GetInventorySchema

Google Binary Authorization
API— gcloud-binary-authorization-attestor
Additional permissions required:
• binaryauthorization.attestors.list
• binaryauthorization.attestors.getIamPolicy
The Viewer role includes the permissions.

Google Cloud Build
API— gcloud-cloud-build-github-enterprise-config-v1
Additional permission required:
• cloudbuild.integrations.list
The Viewer role includes the permission.

Google Cloud Build
API— gcloud-cloud-build-private-worker-pool
Additional permission required:
• cloudbuild.workerpools.list
The Viewer role includes the permission.

Google Stackdriver Monitoring
API— gcloud-monitoring-uptime-check-config
Additional permission required:
• monitoring.uptimeCheckConfigs.list
The Viewer role includes the permission.
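Before editing the CFT template, a practitioner would check which of the new AWS actions the role's policy document already grants, allowing for IAM wildcards. The following added example (not Prisma Cloud code) does that against a constructed policy document. It considers only Allow statements and ignores Resource and Condition restrictions, so a reported gap is reliable but a pass is not a full evaluation; use iam:SimulatePrincipalPolicy for that.

```python
"""Find required ingestion permissions missing from an IAM policy document.

Added example, not Prisma Cloud code. The required actions come from the
API Ingestions table; the policy document is a constructed stand-in for the
statements in a Prisma Cloud CFT template (ssm:* style wildcards are handled,
Deny statements and Resource/Condition restrictions are ignored).
"""
import fnmatch
import json
from typing import Dict, List

# Actions required by the new AWS ingestions.
REQUIRED_ACTIONS = {
    "aws-efs-access-point": ["elasticfilesystem:DescribeAccessPoints"],
    "aws-inspector-v2-account-status": ["inspector2:BatchGetAccountStatus"],
    "aws-ssm-custom-inventory-entry": [
        "ssm:GetInventory",
        "ssm:GetInventorySchema",
        "ssm:ListInventoryEntries",
    ],
}

# Constructed sample policy document; not a real Prisma Cloud template.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["elasticfilesystem:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ssm:ListInventoryEntries", "Resource": "*"},
        {"Effect": "Deny", "Action": "inspector2:*", "Resource": "*"},
    ],
})


def allowed_actions(policy_json: str) -> List[str]:
    """Collect Action patterns from Allow statements; Action may be a string or a list."""
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # NotAction-only and Deny statements are out of scope here
        action = stmt["Action"]
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def action_granted(action: str, patterns: List[str]) -> bool:
    """IAM action names match case-insensitively and support '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_permissions(policy_json: str, required=REQUIRED_ACTIONS) -> Dict[str, List[str]]:
    """Return, per API, the required actions the policy does not allow."""
    patterns = allowed_actions(policy_json)
    gaps = {}
    for api_name, actions in required.items():
        absent = [a for a in actions if not action_granted(a, patterns)]
        if absent:
            gaps[api_name] = absent
    return gaps


if __name__ == "__main__":
    for api_name, actions in missing_permissions(SAMPLE_POLICY).items():
        print(f"{api_name}: add {', '.join(actions)} to the CFT template")
```

Against the sample document, EFS is already covered by the Describe* wildcard, while Inspector and the two SSM Get actions are reported as gaps to add to the template.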

Deprecation Notices

Prisma Cloud CSPM REST API for Cloud Accounts
Deprecated Release— 23.6.1
Sunset Release— 23.9.1
The following endpoints are deprecated for the AWS, GCP, and Azure cloud types:
• POST /cloud/{cloud_type}
• PUT /cloud/{cloud_type}/{id}
• POST /cloud/status/{cloud_type}
You can continue to use the above endpoints for the Alibaba and OCI cloud accounts.
Replacement Endpoints—
• AWS
  • POST /cas/v1/aws_account
  • PUT /cas/v1/aws_account/{id}
  • POST /cas/v1/cloud_account/status/aws
• Azure
  • POST /cas/v1/azure_account
  • PUT /cas/v1/azure_account/{id}
  • POST /cas/v1/cloud_account/status/azure
• GCP
  • POST /cas/v1/gcp_account
  • PUT /cas/v1/gcp_account/{id}
  • POST /cas/v1/cloud_account/status/gcp

Prisma Cloud CSPM REST API for Alerts
Deprecated Release— -
Sunset Release— -
Replacement Endpoints— NA
Some Alert API request parameters and response object properties are now deprecated.
Query parameter risk.grade is deprecated for the following requests:
• GET /alert
• GET /v2/alert
• GET /alert/policy
Request body parameter risk.grade is deprecated for the following requests:
• POST /alert
• POST /v2/alert
• POST /alert/policy
Response object property riskDetail is deprecated for the following requests:
• GET /alert
• POST /alert
• GET /alert/policy
• POST /alert/policy
• GET /alert/{id}
• GET /v2/alert
• POST /v2/alert
Response object property risk.grade.options is deprecated for the following request:
• GET /filter/alert/suggest


Prisma Cloud Known Issues

Review the list of known issues and deprecation notice on Prisma Cloud.
The following table lists the known issues on Prisma Cloud for the CSPM capabilities. For
deprecation notices or upcoming changes, see Look Ahead - Planned Updates on Prisma Cloud.
If you have also adopted the Compute and Microsegmentation capabilities, review the respective
sections in the Release Notes.

ISSUE ID DESCRIPTION

RLP-104295 Prisma Cloud has fully adopted Microsoft Authentication Library (MSAL) for monitoring Azure instances. However, in very rare cases, you might come across log entries for calls from Prisma Cloud to Active Directory Authentication Library (ADAL) endpoints. These entries can be disregarded. A fix will be implemented to resolve these erroneous entries.

RLP-90184 The behavior of filters on the Alerts Overview page is slightly different
from that on the Asset Inventory and Asset Explorer pages. On the
Alerts Overview page when you select the Asset Class, Resource
Type, and Service Name filters, the alerts displayed are a combination
of those three selected filters. Whereas on the Asset Inventory and
Asset Explorer pages, the preference is given to Resource Type over
Service Name when both those filters are selected due to which the
assets for which alerts are displayed on the Asset Inventory and Asset
Explorer pages do not match those displayed on the Alerts Overview
page.

RLP-78777 The AWS Global Accelerator service returns an Access Denied error with the message assumed-role/PrismaCloudReadOnlyRole/redlock is not authorized to perform: iam:CreateServiceLinkedRole on resource. The issue occurs because the aws-global-accelerator-accelerator API requires you to enable the service-linked IAM role to ingest metadata. To resolve the error, update the role to include the required permissions.
Workaround: If you do not want to enable the service-linked role, create a support ticket with Palo Alto Networks Technical Support to disable the AWS Global Accelerator service API.

RLP-73807 In Unified Asset Inventory, Compute alerts are not displayed in the
Resource Explorer audit trail.

RLP-72605 The alert counts that correspond to a policy are inaccurate when you select more than one alert rule name. This issue is seen on:
• Alerts > Overview: when you select multiple Alert Rule Names in the filter, the number of alerts that correspond to a policy is not accurate. The Alert Rule filter works as expected when you select only one Alert Rule Name.
• The POST /alerts/policy API: make sure to include only one Alert Rule Name for the filters attribute in the request body schema.

RLP-75376 PCDS Azure only— If you have enabled public access from selected IP
addresses on storage account with Prisma Cloud NAT IPs and Azure
outbound IPs added to the allow list, ingestion fails with 403 error
(permission denied).

RLP-65612 PCDS Azure only— The Inventory page may display 400 error if data is
not available.

RLP-65602 PCDS Azure only— During onboarding when you enter the Client ID and
Secret, if the Secret exceeds the specified length, a bad request error
displays.

RLP-68751 In Unified Asset Inventory, only System Administrators can view the Compute assets and not other users. Compute alerts will not be accessible on Alerts pages for all users except System Administrators.

RLP-65286 When integrating Prisma Cloud with Jira, if the Jira issueType field
uses space as a separator between the words, such as Service
Request or New Feature , a 500 Internal Server error occurs
while configuring Typeahead fields such as Reporter or Assignee, in
a Notification Template. You will be unable to create a Notification
Template for Jira with the Typeahead fields.
Workaround: Rename the field to remove the space or add an
underscore. For example, ServiceRequest or New_Feature. You can
then add Typeahead fields in a Notification Template.

RLP-65216 If you have configured multiple flow logs for a VPC and if any of the flow
logs are incorrectly configured, the flow log status on Prisma Cloud is
reported as a warning (Amber). This status does not impact ingestion for
all the correctly configured flow logs.

RLP-62558 The resource name displayed on the Alerts L2 page does not match the
name displayed for the same resource on the Asset Explorer page.

RLP-60005 Prisma Cloud may not process some of the delete bucket events, due
to which the buckets that you have deleted in the AWS console will be
visible in the Prisma Cloud Inventory page.

RLP-55036 When changing the Maximum time before access keys expire value for
access keys, it may take up to 15 minutes for the updates to take effect.


RLP-40248 When you create an alert rule and specify target resource tags, Prisma
Cloud processes only a single resource tag key/value pair properly.
Proper processing of multiple resource tags or resource tags with
multiple values is not guaranteed. This behavior exists whether you
create the alert rule through the Prisma Cloud console or through the
CSPM API.

RLP-27427 Applies to Prisma Cloud Data Security only— Malware report is not available in PDF format.

RLP-25117 Applies to Prisma Cloud Data Security only— The Dashboard displays an error when you select an account group that does not contain any accounts.

RLP-19480 The Business Unit Report does not support multi-byte characters used in
languages such as Japanese.

RLP-19470 The Business Unit Report csv file lists all enabled policies even when
there are no open alerts, because there are no resources to scan.

RLP-14469 When you enable Dataflow compression for a cloud account, the
subnetwork creation status may display a failure message on the
onboarding status page. This error displays because the time threshold
to create the subnetwork and report completion exceeds the response
time threshold on Prisma Cloud.
Workaround— Click to the previous page and click next to load the
status page again.

RLP-13485 If you have the maximum number of VPCs (5) already created in the project and you then enable flow log compression, the onboarding fails because Prisma Cloud is unable to add the network needed to enable Dataflow compression. When this happens, the remediation steps in the message that displays are incorrect.

RLP-9723 The integration status check for Jira displays as yellow instead of red
even if the integration is misconfigured.

— Dashboard widgets don’t load for a large data set where the time
window is also large.

— The aws-ecs-describe-task-definition and aws-emr-describe-cluster APIs now run once every 24 hours to generate alerts. If you have cloud accounts with a significant amount of ECS/EMR resources, the resource status is updated once a day.

— The configuration build policies are displayed even if you have not
enabled Code Security module.


— Currently when you edit default policies in the Code Security module,
the policy is duplicated with the updated metadata. Both the unedited
policy and the edited policy are then visible on Projects when the
Status- Suppressed (for the original policy) and Errors (for the edited
policy) are enabled.

— AWS CloudTrail in the Osaka region (ap-northeast-3) does not display on the Prisma Cloud administrative console.
This issue requires a fix on AWS. When fixed on AWS, the issue will be automatically resolved on Prisma Cloud.

Prisma Cloud Compute Release Information

Review this section to learn about the new features in the Prisma Cloud Compute module.
Prisma™ Cloud is an API-based integration that provides security at all stages of the software delivery process. It provides visibility into your resources deployed across different environments, and checks your adherence to compliance standards and security best practices for your assets at runtime, and for IaC templates and images even before the resources are deployed.
On Prisma Cloud Enterprise Edition, the Compute tab comprises the Cloud Workload Protection (CWP) capabilities that help you secure your hosts, containers, and serverless deployments across public cloud, private cloud and on-premises environments, throughout the application lifecycle. It combines runtime protection with vulnerability management and compliance to secure cloud native workloads across the build, deploy and run stages of the lifecycle.
This release only includes fixes that are listed in Prisma Cloud Compute Known Issues. The current Compute version is 31.00.xxx.
To review the current operational status and stay informed of any maintenance notifications, see https://status.paloaltonetworks.com/.
To stay informed on the Compute capabilities added on Prisma Cloud Enterprise Edition, make sure you review the following information:
• Features Introduced in August 2023
• Features Introduced in July 2023
• Features Introduced in June 2023
• Features Introduced in May 2023
• Features Introduced in April 2023
• Features Introduced in March 2023
• Features Introduced in February 2023
• Features Introduced in January 2023
• Features Introduced in December 2022
• Features Introduced in November 2022
• Features Introduced in September 2022
• Features Introduced in July 2022
• Features Introduced in June 2022
• Features Introduced in March 2022
• Features Introduced in February 2022
• Look Ahead — Planned Updates on Prisma Cloud Compute
• Prisma Cloud Compute Known Issues

Features Introduced in August 2023

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in August 2023.
The host, container, and serverless capabilities on the Compute tab are being upgraded starting on August 20, 2023. When upgraded, the version will be 31.00.129.
• Defender Upgrade
• New Features in Prisma Cloud Compute
• API Changes
• Deprecation Notice
• See also Known Issues

Defender Upgrade

Plan to Upgrade Defender Versions 22.06 and Earlier
With the v31.00.129 (Newton) release, the supported Defender versions (n, n-1, and n-2) are v31.xx.xxx, v30.xx.xxx, and v22.12.xxx. To prepare for this update, you must upgrade your Defenders from version v22.06.xx.xxx (Kepler) or earlier to a later version. Failure to upgrade Defenders will result in disconnection of any Defender version below 22.12, such as 22.06.

New Features in Prisma Cloud Compute

Expanded Support for Red Hat’s Non-RPM Content
The Prisma Cloud Intelligence Stream now includes vulnerability data on non-RPM content from Red Hat, including binaries, Python scripts, JavaScript files, and Java JAR files within layered products like OpenShift. Rather than just flagging these as vulnerable, Prisma Cloud can now leverage Red Hat’s own detailed image analysis, enhancing precision in threat detection.

Support of Registry Tags directly in Compute Collections
Added support for registry labels under collections to enable role-based access control (RBAC). The scan results for deployed images are now segregated with a Custom label within collections. This enhancement facilitates the association between the registry and the scanned images pertaining to that registry, along with registry-based RBAC for improved security and management.

Support for Continuous Integration (CI) Scanning of Images on Linux Using Containerd
Added the ability for users to run CI scans on Linux using the containerd runtime. This change benefits customers using Kubernetes environments that no longer support Docker, as they need to perform CI scans without Docker.

GKE CIS Compliance Checks for Worker Nodes
CIS Benchmark for Google Kubernetes Engine (GKE) version 1.4.0 is now supported. This update includes compliance checks for worker nodes.

Deprecation Notice

End of Support for Docker Access Control
The Docker Access Control at Defend > Access > Docker and the Access User role at Manage > Authentication > Roles were planned for End of Support in Newton (v31.00.129), as announced in the 22.06 Release Notes. The deprecation is now extended until the next release, Newton Update 1 (v31.01.xxx), when the feature will no longer be supported.

Support for Cloud Native Network Segmentation (CNNS)
The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts was planned for End of Support in this release, v31.00.129. The deprecation notice is now extended until the next major release, code named O’Neal (v32.0.xxx). The configuration settings on the console (Compute > Defend > CNNS) and the corresponding APIs for CNNS will be dropped in v32.0.xxx.
Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively, and this will continue to be available.
List of API endpoints that are no longer supported:
• PUT, /api/v<VERSION>/policies/firewall/network/container
• GET, /api/v<VERSION>/policies/firewall/network
• GET, /api/v<VERSION>/audits/firewall/network/container/download
• GET, /api/v<VERSION>/audits/firewall/network/container
• GET, /api/v<VERSION>/audits/firewall/network/host/download
• GET, /api/v<VERSION>/audits/firewall/network/host

Support for Code Repo Scanning
Scanning your code repositories from the Prisma Cloud Compute Console at Compute > Monitor > Vulnerabilities > Code repositories and use of twistcli for code repo scanning was planned for End of Support in this release, v31.00.129. The deprecation notice is now extended until the next major release, code named O’Neal (v32.0.xxx), when the support will be dropped.
You must now use the Code Security capabilities on Prisma Cloud to scan IaC templates, code repositories, and CI pipelines for misconfigurations and vulnerabilities.

API Changes

Support and Identification of Registry Asset in Registry Scan
Starting with 31.00, the value of the field type for an object returned in the response of the API endpoint GET, api/vVERSION/registry is now registry instead of image.
31.00 and onwards: type shared.ScanType Possible values: [registry,ciImage,container,host,agentlessHost,registry,serve
30.03 and earlier: type shared.ScanType Possible values: [image,ciImage,container,host,agentlessHost,registry,serverl

Features Introduced in July 2023

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July 2023.
The host, container, and serverless capabilities on the Compute tab are being upgraded starting on July 16, 2023. When upgraded, the version will be 30.03.122.
• New Features in Prisma Cloud Compute
• API Changes
• See also Known Issues

New Features in Prisma Cloud Compute

Enhancements

Package URL (pURL) Format Support for Vulnerabilities
Prisma Cloud now adds package URLs (pURL) for packages and vulnerabilities while scanning images using twistcli. This helps to reliably reference the same software package using a simple and expressive syntax and conventions based on familiar URLs. As you scan images with twistcli, you can filter the CVEs based on the pURL format in the CVE viewer.

Registry Scan Scale Support Increased to 100k Images
Registry image scan limit has been increased to 1,000,000 from 100,000 for all image types.

Support for GitLab Container Registry
Added support for scanning GitLab Container Registry without using admin credentials to manage and get a full list of all container registries/images.

New Features in Agentless Security

Malware Support through WildFire Integration
Added enhanced malware agentless scanning through an integration with Palo Alto Networks Advanced WildFire, the industry’s leading malware scanning feed. Malware scanning is supported across all Cloud Service Providers for Linux and Windows hosts and Linux container images, covering files suspected as Malware or Grayware. Malware scanning supports ELF binaries in Linux and binaries and shared libraries in Windows, providing comprehensive protection.

Scan Errors Visibility Improvements in Agentless Scanning
To get the most out of agentless scanning, this update categorizes issues during the agentless scan process, provides detailed information on their nature, source, and troubleshooting steps, and offers a seamless user interface experience. Easily understand and resolve issues, improving scan coverage and streamlining your scanning process.
As a side effect, this update might display erroneous scan details, which will be auto-remediated within a maximum of 2 agentless scan cycles.

Added Support for Parallel Agentless Scans of Accounts/Regions
Added the ability for agentless scanning to scan accounts, and regions within those accounts, in parallel.
The changes include the following enhancements.
• The UI shows the status of an ongoing scan for specific accounts, for example scanning or completed.
• You can see the general progress of an ongoing scan on the Compute Cloud Accounts page instead of in the progress bar.
• Your hub account is treated as an account dedicated to agentless scanning, which is used only to scan other accounts, and no longer scans itself.
• You can manage the agentless scanning configuration centrally for all target accounts in the hub account configuration. You aren’t required to duplicate the configuration across all target accounts. For example, you can set custom networking configuration only on the hub account.

New Features in Host Security

Enhanced the Syslog to include the same fields as the API
Added fields to enhance the syslog output in alignment with the API call responses. Fields were added for container runtime audits, host runtime audits, container incidents, and host incidents.

API Changes

Registry Settings API supports GitLab Container Registry
Starting with 30.03, you no longer need to add GitLab Container Registry through the Docker V2 registry type, which required administrative permissions to scan all images.
You can now directly add GitLab Container Registry in the POST, settings/registry endpoint by using the new schema gitlabRegistrySpec in the request body.
To add, you must specify the following parameters:
• version: Specify the value gitlab for GitLab Container Registry.
• registry: Specify the GitLab registry URL address. For example, for native registries, you can specify the address as "https://registry.gitlab.com".
• credentialID: Specify the GitLab credential that you added in the credential store in Prisma Cloud Compute. For example, an API token that has at least the read_api scope.
• gitlabRegistrySpec: Specify at least one of the following fields:
  • userID: Specify your GitLab user ID to add all registries associated with it.
  • projectIDs: Specify the project IDs to add all registries associated with a GitLab project.
  • groupIDs: Specify the group IDs to add all registries associated with a GitLab group.
  • excludedGroupIDs: Specify the top-level group IDs that you don’t want to add.
Old (30.02 and earlier releases)
Example request body schema:

{
  "version": "2",
  "registry": "",
  "credentialID": "<GitLab Token>",
  "repository": "library/ubuntu",
  "tag": "16.04",
  "os": "linux",
  "cap": 5,
  "scanners": 2,
  "collections": ["All"]
}

New (in release 30.03)
Example request body schema showing gitlabRegistrySpec that contains the userID to add and scan all registries associated with it:

{
  "version": "gitlab",
  "registry": "https://registry.gitlab.com",
  "namespace": "",
  "repository": "",
  "tag": "",
  "credentialID": "<GitLab Token>",
  "os": "linux",
  "harborDeploymentSecurity": false,
  "collections": ["All"],
  "cap": 5,
  "scanners": 2,
  "versionPattern": "",
  "gitlabRegistrySpec": {"userID": "14631394"}
}
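The 30.03 request body above, assembled and validated in Python as an added example (this is not Prisma Cloud code): gitlab_registry_spec enforces the rule that at least one gitlabRegistrySpec field is set, gitlab_registry_body fills in the remaining fields with the values the notes show, and migrate_docker_v2_entry carries the credential, cap, scanners and collections over from an entry created the old way through the Docker V2 schema. Field names come from the notes; it is an assumption that projectIDs, groupIDs and excludedGroupIDs are lists of string IDs (the notes only show userID, as a string), and that an empty registry value in a legacy entry should become https://registry.gitlab.com.

```python
"""Build and validate a POST settings/registry body for GitLab Container Registry (30.03).

Added example, not Prisma Cloud code. Field names follow the release notes;
all values are placeholders. Assumptions: projectIDs, groupIDs and
excludedGroupIDs are lists of string IDs; a legacy entry with an empty
registry is taken to mean the hosted registry at https://registry.gitlab.com.
"""
import json
from typing import Iterable, Optional

SPEC_FIELDS = ("userID", "projectIDs", "groupIDs", "excludedGroupIDs")


def gitlab_registry_spec(user_id: Optional[str] = None,
                         project_ids: Iterable[str] = (),
                         group_ids: Iterable[str] = (),
                         excluded_group_ids: Iterable[str] = ()) -> dict:
    """Return a gitlabRegistrySpec object; the notes require at least one field."""
    spec = {}
    if user_id:
        spec["userID"] = str(user_id)
    if project_ids:
        spec["projectIDs"] = [str(p) for p in project_ids]
    if group_ids:
        spec["groupIDs"] = [str(g) for g in group_ids]
    if excluded_group_ids:
        spec["excludedGroupIDs"] = [str(g) for g in excluded_group_ids]
    if not spec:
        raise ValueError("gitlabRegistrySpec needs at least one of " + ", ".join(SPEC_FIELDS))
    return spec


def gitlab_registry_body(credential_id: str, spec: dict,
                         registry: str = "https://registry.gitlab.com",
                         collections: Iterable[str] = ("All",),
                         cap: int = 5, scanners: int = 2) -> dict:
    """Assemble the full request body in the 30.03 shape shown in the notes."""
    if not registry.startswith("https://"):
        raise ValueError("registry must be an https:// URL")
    return {
        "version": "gitlab",
        "registry": registry,
        "namespace": "",
        "repository": "",
        "tag": "",
        "credentialID": credential_id,
        "os": "linux",
        "harborDeploymentSecurity": False,
        "collections": list(collections),
        "cap": cap,
        "scanners": scanners,
        "versionPattern": "",
        "gitlabRegistrySpec": spec,
    }


def migrate_docker_v2_entry(old: dict, spec: dict) -> dict:
    """Convert a pre-30.03 entry (version "2", one repository:tag) into the new shape.

    The credential, cap, scanners and collections are kept; repository and tag
    are dropped because the GitLab spec enumerates registries itself. The caller
    supplies the spec, since the old entry carries no user/project/group IDs.
    """
    if old.get("version") != "2":
        raise ValueError("not a Docker V2 registry entry")
    return gitlab_registry_body(
        credential_id=old["credentialID"],
        spec=spec,
        registry=old.get("registry") or "https://registry.gitlab.com",  # assumption
        collections=old.get("collections", ["All"]),
        cap=old.get("cap", 5),
        scanners=old.get("scanners", 2),
    )


# Constructed legacy entry, in the shape of the notes' old example.
OLD_ENTRY = {"version": "2", "registry": "", "credentialID": "<GitLab Token>",
             "repository": "library/ubuntu", "tag": "16.04", "os": "linux",
             "cap": 5, "scanners": 2, "collections": ["All"]}

if __name__ == "__main__":
    spec = gitlab_registry_spec(group_ids=["42"], excluded_group_ids=["7"])
    print(json.dumps(migrate_docker_v2_entry(OLD_ENTRY, spec), indent=2))
```

The credential referenced by credentialID should be an API token with no more than the read_api scope, as the notes state; the body never carries the token itself.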

Features Introduced in June 2023


Edit on GitHub
Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June
2023.
The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on June 25, 2023. When upgraded, the version will be 30.02.123.
• New Features in Prisma Cloud Compute
• API Changes
• Breaking Changes in API
• Deprecation Notice
• See also Known Issues

New Features in Prisma Cloud Compute

Feature Description

CVE Coverage Update

As part of the 30.00 release, Prisma Cloud has


rolled out updates to its vulnerability data for
Common Vulnerabilities and Exposures (CVEs)
in the Intelligence Stream. The new additions
are as follows:
• Fixed CVE-2023-2253 (Severity: high) -
Package: github.com/docker/distribution*
Upgrade to at least the 2.8.2-beta.1 version
of the package if you are running v2.8.x
release. If you use the code from the main
branch, update at least to the commit after
f55a6552b006a381d9167e328808565dd2bf77dc.

Enhancements

Container Runtime Types in Defender The Defender deployment workflows now


Deployment Workflow support Docker, CRI-O, and Containerd
container runtime types.
When installing a Defender using twistcli, pass
the --container-runtime flag with the selecttion
for the runtime that you use - docker, cri-o, or
containerd.

Prisma™ Cloud Release Notes 562 ©2023 Palo Alto Networks, Inc.
Prisma Cloud Compute Release Information

Support custom compliance checks Added support for custom compliance checks
on clusters running containerd runtime.

Added Support for Managed Identities in Added support for Azure Managed Identities
Azure to authenticate any Azure resources
that support AD authentication without
adding keys in Prisma Console. To use
this authentication method, add an Azure
role with required permissions to scan the
resources under Manage > Cloud accounts.

Support for New Operating Systems

Windows Server 2016 Reinstating the support for Defenders on


Windows 2016. For details on the extended
support from Microsoft, see the Microsoft
documentation.

Added new NAT gateway IP addresses Prisma Cloud is adding new NAT IP addresses
for the Compute SaaS Console Region in
GCP. The egress IPs for connections from The
Compute SaaS Console to the internet in us-
east 1 (South Carolina) are: 34.139.64.150
and 34.139.249.192.
Make sure to add these IP addresses to your
allow list. These IP addresses will be added to
the documentation.

New Features in Agentless Security

Encrypted volumes support in GCP with hub This feature adds the capability to scan
mode encrypted volumes in GCP with agentless
scanning when using hub mode.

New Features in Host Security

Prisma™ Cloud Release Notes 563 ©2023 Palo Alto Networks, Inc.
Prisma Cloud Compute Release Information

Change in the format of runtime events Replaced the aggregated and rest macros with
information used in notification webhooks the following macros:
• aggregatedAlerts: Returns the aggregated
audit events in JSON format. It represents
the same data as the old aggregated macro
but in JSON format instead of text.
• dropped: Returns the number of alerts that
were dropped after the aggregation buffer
has reached its limit.
This change fixes an issue where some of
the aggregated alerts were missing fields like
ContainerID, Namespace, and User.
The aggregated and rest macros are still
available but are being deprecated after
the two upcoming releases following our
deprecation notice policy. For existing
settings of alert providers, you must edit the
alert structure and use the new macros.

API Changes

CHANGE DESCRIPTION

Add Backward Compatibility to api/v1/ The api/vVERSION/cloud/discovery/entities


cloud/discovery/entities API endpoint is now available as a supported
and backward-compatible route to view the
cloud discovered entities.

Monitor the status of an OnDemand and The new API endpoint api/vVERSION/
Regular registry scan registry/progress is available to view the
progress of onDemand and regular ongoing
registry scans. Set the request parameter
onDemand to true to view progress of
an ongoing on-demand scan. By default,
onDemand is set to false and shows the
progress of a regular scan.

Breaking Changes in API

Defender APIs modified to support the containerd runtime
  The following APIs have been enhanced to include support for the containerd runtime in addition to the existing Docker and CRI-O runtimes:
  • POST, /api/vVERSION/defenders/daemonset.yaml
  • POST, /api/vVERSION/defenders/helm/twistlock-defender-helm.tar.gz
  The cri boolean parameter (in the common.DaemonSetOptions schema) of the above endpoints has been replaced by the common.ContainerRuntime schema in the 30.02 release, as shown below.

  Old (30.01 and earlier releases)
  Example request schema showing cri, a boolean that could only select between Docker and CRI-O, set to true:

    {
      "consoleAddr": "171.23.0.1",
      "namespace": "twistlock",
      "orchestration": "kubernetes",
      "selinux": false,
      "cri": true,
      "privileged": false,
      "serviceAccounts": true,
      "istio": false,
      "collectPodLabels": false,
      "proxy": null,
      "taskName": null,
      "gkeAutopilot": false
    }

  New (in release 30.02)
  From 30.02, you can set the following values for containerRuntime:
  • containerd
  • crio
  • docker
  Example request schema showing cri replaced with containerRuntime:

    {
      "consoleAddr": "171.23.0.1",
      "namespace": "twistlock",
      "orchestration": "kubernetes",
      "selinux": false,
      "containerRuntime": "containerd",
      "privileged": false,
      "serviceAccounts": true,
      "istio": false,
      "collectPodLabels": false,
      "proxy": null,
      "taskName": null,
      "gkeAutopilot": false
    }

  You must update existing scripts that use either of the two endpoints when you upgrade to 30.02 or a future release.
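The schema change above is the kind of thing a deployment script gets wrong silently: a body that still carries the boolean cri no longer says which runtime is meant. The following added example (written for these notes, not Prisma Cloud's own code) rewrites a pre-30.02 request body into the 30.02 shape and refuses to proceed when the old boolean and the runtime you name disagree. The reading that cri=false meant Docker and cri=true meant a CRI runtime is our assumption; the function names and the version comparison helper are illustrative, and the sample body is the one shown on this page.

```python
import json

# Values accepted by the common.ContainerRuntime schema from release 30.02 on.
VALID_RUNTIMES = ("containerd", "crio", "docker")

# The request body from the release note's "Old" example (pre-30.02 schema).
OLD_OPTIONS = {
    "consoleAddr": "171.23.0.1",
    "namespace": "twistlock",
    "orchestration": "kubernetes",
    "selinux": False,
    "cri": True,
    "privileged": False,
    "serviceAccounts": True,
    "istio": False,
    "collectPodLabels": False,
    "proxy": None,
    "taskName": None,
    "gkeAutopilot": False,
}


def version_tuple(version: str) -> tuple:
    """'30.02' -> (30, 2); a build suffix such as '30.02.123' is ignored."""
    major, minor = version.split(".")[:2]
    return (int(major), int(minor))


def migrate_daemonset_options(options: dict, runtime: str) -> dict:
    """Rewrite a pre-30.02 body (boolean cri) into the 30.02 shape (containerRuntime).

    Assumption (not spelled out on the page): the old boolean distinguished only
    Docker (cri=false) from a CRI runtime (cri=true), so the caller must name the
    actual runtime; crio and containerd were indistinguishable before 30.02.
    """
    if runtime not in VALID_RUNTIMES:
        raise ValueError(f"containerRuntime must be one of {VALID_RUNTIMES}, got {runtime!r}")
    new = dict(options)
    cri = new.pop("cri", None)
    if cri is not None and bool(cri) != (runtime != "docker"):
        # Refuse to silently change the runtime the old script was deploying for.
        raise ValueError(f"cri={cri} conflicts with containerRuntime={runtime!r}")
    new["containerRuntime"] = runtime
    return new


def daemonset_request_body(console_version: str, options: dict, runtime: str) -> dict:
    """Body for POST /api/vVERSION/defenders/daemonset.yaml (and the Helm tarball
    endpoint), shaped for the Console version the script talks to."""
    if version_tuple(console_version) >= (30, 2):
        return migrate_daemonset_options(options, runtime)
    body = dict(options)
    body.pop("containerRuntime", None)
    body["cri"] = runtime != "docker"  # the old schema cannot express containerd vs crio
    return body


if __name__ == "__main__":
    print(json.dumps(daemonset_request_body("30.02", OLD_OPTIONS, "containerd"), indent=2))
```

Because backward compatibility keeps the 30.01 and earlier API paths alive, a script can keep targeting an old path with the old body; the conversion only matters when the script moves to the 30.02 path, which is what daemonset_request_body switches on.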

Deprecation Notice

Cloud Native Network Segmentation (CNNS) Deprecation
  The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts is being deprecated. The configuration settings in the Console (Compute > Defend > CNNS) and the corresponding CNNS APIs will be removed in the next major release. Radar has a container view and a host view, where you can see the network topology of your containerized apps and hosts respectively; these remain available.
  List of deprecated API endpoints:
  • PUT, /api/v<VERSION>/policies/firewall/network/container
  • GET, /api/v<VERSION>/policies/firewall/network
  • GET, /api/v<VERSION>/audits/firewall/network/container/download
  • GET, /api/v<VERSION>/audits/firewall/network/container
  • GET, /api/v<VERSION>/audits/firewall/network/host/download
  • GET, /api/v<VERSION>/audits/firewall/network/host

Macros for Runtime Events Webhooks
  The aggregated and rest macros will be deprecated. For existing webhook alerts, edit the custom JSON body and replace the #aggregated macro with #aggregatedAlerts and the #rest macro with #dropped.
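Both the format change described under New Features in Host Security and this deprecation notice ask you to edit saved webhook bodies by hand. The added example below (ours, not a Prisma Cloud tool) audits a saved custom body for the deprecated macros and renames them, matching each macro as a whole token so that a body which has already been migrated is not rewritten to #aggregatedAlertsAlerts on a second run. The sample body is constructed; "#level" stands in for any macro that did not change. After migrating, check that the expanded body is still valid JSON, because #aggregatedAlerts expands to JSON rather than to a text string and #dropped expands to a number.

```python
import re

# Macro renames for runtime-event webhook bodies (from the release notes):
# the text macro #aggregated becomes the JSON macro #aggregatedAlerts, and
# #rest (alerts beyond the aggregation buffer) becomes #dropped.
MACRO_RENAMES = {
    "aggregated": "aggregatedAlerts",
    "rest": "dropped",
}

# A '#' followed by a whole identifier, so that #aggregatedAlerts is one token
# and is never partially matched as #aggregated.
MACRO_RE = re.compile(r"#([A-Za-z_][A-Za-z0-9_]*)")


def deprecated_macros(body: str) -> list:
    """Deprecated macro names still present in a webhook body (pre-upgrade audit)."""
    return sorted({m.group(1) for m in MACRO_RE.finditer(body) if m.group(1) in MACRO_RENAMES})


def migrate_webhook_body(body: str) -> str:
    """Return the body with deprecated macros renamed. Safe to run repeatedly:
    names that are not deprecated (including the new ones) pass through."""
    def rename(match):
        name = match.group(1)
        return "#" + MACRO_RENAMES.get(name, name)
    return MACRO_RE.sub(rename, body)


# Constructed example of a custom body as it might have been saved for a
# webhook alert profile; "#level" stands in for any macro that did not change.
OLD_BODY = (
    '{"text": "#aggregated", '
    '"overflow": "#rest more alerts were not delivered", '
    '"severity": "#level"}'
)

if __name__ == "__main__":
    print("deprecated:", deprecated_macros(OLD_BODY))
    print(migrate_webhook_body(OLD_BODY))
```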


Features Introduced in May 2023


Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in May
2023.
The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on May 23, 2023. When upgraded, the version will be 30.01.152.
• New Features in Prisma Cloud Compute
• API Changes
• End of Support Notifications
• See also Known Issues

New Features in Prisma Cloud Compute


Enhancements

Support for New Operating Systems
  • Support for TAS 4.0
  • Support for Amazon Linux 2023
  • Extended support for Talos Linux with runtime defense for containers; available on Container Orchestrator Defenders.

New Features in Agentless Security

Support for Third-Party Packages on Windows
  Adds support for scanning vulnerabilities in third-party packages on Windows machines: Node.js, Python, Ruby Gems, Java JAR, and NuGet.

Selective Scanning of Hosts with Include Tags
  The new Include hosts by tag option allows you to select a subset of your hosts for scanning based on their tags. The tags interface is enhanced to help you view and manage your tags more easily. Additionally, you can now use wildcards to exclude or include hosts that match a certain tag pattern. For example, you can use web-* to include all hosts that have a tag starting with web-.
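To make the include/exclude semantics concrete before trusting them on a production account, here is an added example (ours, not product code) that applies include and exclude tag patterns with wildcards to a constructed host inventory. Two points are assumptions rather than statements from the page: matching is case-sensitive, so web-* does not pick up a host tagged Web-legacy, and an exclude pattern wins over an include pattern when both match.

```python
from fnmatch import fnmatchcase

# Constructed inventory: host name -> tags as the scanner sees them.
HOSTS = {
    "ip-10-0-1-10": ["web-frontend", "env:prod"],
    "ip-10-0-1-11": ["web-api", "env:staging"],
    "ip-10-0-2-20": ["db-primary", "env:prod"],
    "ip-10-0-3-30": ["Web-legacy", "env:prod"],
}


def tag_matches(pattern: str, tag: str) -> bool:
    """Glob match with * and ?; case-sensitive, so web-* does not match Web-legacy.
    Assumption: the product matches case-sensitively; adjust if your tags differ."""
    return fnmatchcase(tag, pattern)


def select_hosts(hosts: dict, include: list, exclude: list) -> list:
    """Hosts picked for agentless scanning.

    A host is selected when any of its tags matches an include pattern (an
    empty include list means all hosts) and none of its tags matches an
    exclude pattern. Assumption: exclude takes precedence when both match,
    so an exclude rule can never be undone by a broader include.
    """
    chosen = []
    for name, tags in hosts.items():
        included = not include or any(tag_matches(p, t) for p in include for t in tags)
        excluded = any(tag_matches(p, t) for p in exclude for t in tags)
        if included and not excluded:
            chosen.append(name)
    return sorted(chosen)


if __name__ == "__main__":
    print(select_hosts(HOSTS, ["web-*"], ["env:staging"]))
```

Run the same patterns you intend to save in the Console against an export of your real host tags first; a pattern that quietly excludes a host means that host is never scanned.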

Agentless scanning in AWS: Specify a subnet and use a private IP
  You can now specify a subnet name and use a private IP from that subnet to report the agentless scanning results back to Prisma Cloud.

New Features in Host Security

Discovery Date for Host Vulnerability Scan Results
  Adds a Discovery date for the vulnerabilities discovered on the host.

API Changes

API URLs versioned as 30.01
  Following the version number format for 30.xx, all supported API endpoints are versioned as 30.01 in this release. If you use the 30.00 endpoints in your automation workflows and scripts, they continue to be supported.

Feeds
  Supports the following APIs:
  • feeds/custom/custom-vulnerabilities, GET
  • feeds/custom/custom-vulnerabilities, PUT
  • feeds/custom/malware, PUT

Settings
  Supports the following APIs:
  • settings/certs, GET
  • settings/custom-labels, POST
  • settings/intelligence, GET
  • settings/license, GET
  • settings/logging, GET
  • settings/logging, POST
  • settings/logon, GET
  • settings/proxy, GET
  • settings/proxy, POST
  • settings/saml, GET
  • settings/scan, GET
  • settings/scan, POST

TAS Droplets
  Supports the following APIs:
  • tas-droplets, GET
  • tas-droplets/download, GET
  • tas-droplets/progress, GET
  • tas-droplets/scan, POST
  • tas-droplets/stop, POST

Trust Data
  Supports the following APIs:
  • trust/data, GET
  • trust/data, PUT

End of Support Notifications


Notices

TLS Cipher Support Update
  Ends support for the following TLS cipher suites in WAAS. All four use static RSA key exchange, which provides no forward secrecy:
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

AWS Announcement for Phase 1 Deprecation of .NET Core 3.1
  AWS Lambda moved the .NET Core 3.1 runtime into phase 1 of deprecation on April 3, 2023, and Prisma Cloud has updated the supported AWS Lambda runtimes in the system requirements. See the AWS Lambda runtimes documentation for more details.


Features Introduced in April 2023


The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on Apr 23, 2023. When upgraded, the version will be 30.00.140.
• New Features in Prisma Cloud Compute
• API Changes
• DISA STIG Scan Findings and Justifications
• Backward Compatibility for New Features
• End of Support Notifications
• Changes in Existing Behavior
• See also Addressed Issues

New Features in Prisma Cloud Compute


CVE Coverage Update
  As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2023-28840 (Severity: high) - Package: github.com/docker/docker. Fixed by upgrading to Docker v20.10.24.
  • Fixed CVE-2023-27561 (Severity: high) - Package: github.com/opencontainers/runc. Fixed by upgrading to runc v1.1.5.
  • Fixed CVE-2023-28642 (Severity: moderate) - Package: github.com/opencontainers/runc. Fixed by upgrading to runc v1.1.5.
  • Fixed CVE-2023-28841 (Severity: moderate) - Package: github.com/docker/docker. Fixed by upgrading to Docker v20.10.24.
  • Fixed CVE-2023-28842 (Severity: moderate) - Package: github.com/docker/docker. Fixed by upgrading to Docker v20.10.24.
  • Fixed CVE-2023-0361 (Severity: moderate) - Package: gnutls. Fixed by upgrading the gnutls RHEL 8 package.
  • Fixed CVE-2023-25809 (Severity: low) - Package: github.com/opencontainers/runc. Fixed by upgrading to runc v1.1.5.

Enhancements

Tanzu Blobstore Update
  Improved the web interface to add and configure a VMware Tanzu blobstore under Defend > Access > VMware Tanzu blobstore.

Defender Settings
  Improved the web interface for the advanced Defender settings under Manage > Defenders > Settings.

Collections
  Improved the web interface for Collections (Manage > Collections and Tags). You can now view a summary of each collection in the sidecar, covering the resource data and usage data of the collection.

New Features in Agentless Security

Agentless Scanning Support for Windows Hosts
  You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows:
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  Agentless scanning is not supported for containers running on Windows hosts.

Support for Bottlerocket
  Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket.

Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts
  You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes.

Support for Shared VPC in GCP
  Agentless scanning in GCP now supports specifying a shared subnet to communicate back to Prisma Cloud. Using a shared VPC requires you to grant Prisma Cloud additional permissions to create and manage the VPC. If you are not using a shared VPC, you can use the existing permission template to configure agentless scanning.

New Features in Core

New Release Numbering Format
  Starting from this release, 30.00.140, Prisma Cloud versions use a new release numbering format: major release.minor release.build. The major release is a number (30 in this case), followed by the minor release sequence, which starts at 00 (first release), 01 (minor 1), 02 (minor 2), and so on. For example, the next maintenance release will be 30.01.build, and maintenance update 2 will be 30.02.build.

Cloud Radar Improvements
  Improved filters and performance in Radars > Cloud.

Runtime Protection Support for Photon OS 4.0 Hosts
  Added runtime protection using Defenders for your Photon OS 4.0 hosts.

Support Vulnerability Management for CentOS Stream 9
  Added support for CentOS Stream 9 for vulnerability scanning.

Support .NET NuGet Package
  Added support for vulnerability scanning of NuGet packages for .NET in images, functions, and hosts. For hosts, the scan is supported using twistcli only.

Support OEL 7
  Added support for Oracle Enterprise Linux 7 on x86.

Support for RHEL 9
  Added support for Red Hat Enterprise Linux 9 on x86 and on ARM.

Host VM Tags Collection Update
  VM tags are now identified during platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to the images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available when creating new host collections.

New Features in Host Security


Support for CBL-Mariner on Hosts
  Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running in an HCI environment.

New Features in Serverless Security

Cloud Account Onboarding includes Serverless Scanning
  To make it easier to configure serverless scanning, you can now configure it when you add a new cloud account. To change the serverless configuration, select Compute > Manage > Cloud accounts and click Edit.

New features in Web Application and API Security (WAAS)

Customizable CAPTCHA for WAAS Bot Protection
  You can now embed a custom reCAPTCHA page, branded to fit your application, to protect your website from spam and abuse. WAAS Bot Protection is available under Defend > WAAS > Active Bot Detection.

Amazon EC2 Auto Scaling Support for WAAS Agentless
  The agentless app firewall permissions template for AWS has been revised to include a policy that supports Auto Scaling of EC2 instances. To enable auto scaling, you must update your AWS CloudFormation permission template.

API Changes

Adds Cache-control Header for all API Responses
  Adds the header Cache-control: no-store to every API response, so that clients and intermediaries do not keep a stored copy of API responses.

Supports Amazon EC2 Auto Scaling in WAAS Agentless Deployment
  WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or a sudden increase in traffic volume. By default, the feature is disabled. You can enable it with the PUT method on the following API endpoint:
  /api/vVERSION/policies/firewall/app/agentless
  • autoScalingEnabled: Enables auto scaling using the Amazon EC2 Auto Scaling feature for a VPC observer that handles multiple network instances. Default: false
  • autoScalingMaxInstances: Specifies the maximum number of deployed instances for an auto scaling deployment. Values: 1 - 10. Default: 0

Breaking Changes in API


Cloud Discovery API Endpoint Updates for Response Pagination
  The GET, /api/vVERSION/cloud/discovery API endpoint now returns a paginated response of 50 results instead of all results in a single response. This change is implemented in the n-2 versions as well.
  The request and response schema of this API are updated. In the response, the entities object of GET, /api/vVERSION/cloud/discovery is moved to a separate endpoint, GET, /api/v1/cloud/discovery/entities. For more information, see the new parameters.
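A script that was written when this endpoint returned everything at once now silently sees only the first 50 results, which is the failure mode to look for in any inventory or compliance automation built on it. The added example below (ours, not Prisma Cloud's client code) drains a paginated endpoint page by page and stops only after a short page, so that an exact multiple of 50 results cannot lose its last page. The offset/limit query parameter names are an assumption, since the page says only that the parameters are new; fake_fetch is a constructed stand-in for the HTTP call so the logic can be checked without a Console.

```python
import json
import urllib.request
from typing import Callable, Iterator, List

PAGE_SIZE = 50  # page size GET /api/vVERSION/cloud/discovery now returns


def iter_pages(fetch: Callable[[int, int], list], page_size: int = PAGE_SIZE) -> Iterator:
    """Yield every record behind a paginated endpoint.

    fetch(offset, limit) must return one page as a list. Stops after a page
    that is shorter than page_size, so an exact multiple of page_size costs
    one extra (empty) request rather than risking a missed last page.
    """
    offset = 0
    while True:
        page = fetch(offset, page_size)
        yield from page
        if len(page) < page_size:
            return
        offset += len(page)


def all_discovery_results(fetch: Callable[[int, int], list], page_size: int = PAGE_SIZE) -> List:
    """Collect the whole result set, as the pre-pagination endpoint used to return it."""
    return list(iter_pages(fetch, page_size))


def http_fetch(console_url: str, token: str, api_version: str = "30.00") -> Callable[[int, int], list]:
    """Build fetch() over the real endpoint. Assumption: pagination is driven
    by offset/limit query parameters; check the API reference and rename
    them if they differ. Expects a bearer token from /api/vVERSION/authenticate."""
    def fetch(offset: int, limit: int) -> list:
        url = f"{console_url}/api/v{api_version}/cloud/discovery?offset={offset}&limit={limit}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def fake_fetch(records: list, calls: list) -> Callable[[int, int], list]:
    """Constructed stand-in for http_fetch: serves records from memory and
    logs each (offset, limit) pair so the paging logic can be verified."""
    def fetch(offset: int, limit: int) -> list:
        calls.append((offset, limit))
        return records[offset:offset + limit]
    return fetch


if __name__ == "__main__":
    calls = []
    demo = [{"name": f"cluster-{i}"} for i in range(120)]
    print(len(all_discovery_results(fake_fetch(demo, calls))), "records in", len(calls), "requests")
```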

DISA STIG Scan Findings and Justifications


Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based on the U.S. Air Force Platform One "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to Iron Bank's latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Backward Compatibility for New Features

Feature Name: Customizable CAPTCHA page for WAAS Bot Protection
Unsupported Component (Defender/twistcli): Defenders
Details: Previous versions of Defenders do not support customizing reCAPTCHA for WAAS Bot Protection.

End of Support Notifications


Notices

End of Support for the Serverless Scan API Endpoint
  The /api/vVERSION/settings/serverless-scan API route is no longer supported.

Changes in Existing Behavior

Defender Upgrade Based on Collection Filter
  The API endpoint /api/vVERSION/defenders/upgrade upgrades all eligible Defenders filtered by the query parameter collections, limited to the collections assigned to your user role. This change was introduced in build 22.12.694. If you upgrade from a version earlier than 22.12.694 to 30.00, this behavior takes effect.

API Discovery Retention Policy
  When the WAAS API Discovery database reaches its storage capacity and new path entries are added for API endpoints, the Console uses the 'Last Observed' date to remove older entries and improve utilization of the available resources. When an image or an API endpoint is deleted from the database, an alert is generated and the details are written to the Console logs. This change was introduced in 22.12.582. If you upgrade from a version earlier than 22.12.582 to 30.00, this retention policy takes effect.

Name Resolution Change in AKS Clusters
  Previous versions showed the value of the server field of the cluster kubeconfig file for the node running the Defender. Now, DaemonSet Defenders report in their scans the same cluster name displayed in the Azure portal. This change only applies to nodes in resource groups that use the default format Azure assigns to AKS node resource groups. If you use a custom name for the AKS node resource group, or the name cannot be resolved, the value of the server field of the cluster kubeconfig file is shown.

API Versioning with new Release Numbering Format
  Starting with version 30.xx, each maintenance release (30.01, 30.02, and so on) may contain new features and improvements. As a result, the API URLs are updated to reflect the version. You can use different .xx versions of the API at the same time for your automation requirements, because backward compatibility is maintained for two major releases, including their minor (maintenance) releases, behind the current one (n-2). For example, while on build 30.01, you can continue to use API paths such as api/v30.00, api/v22.12, and api/v22.06.
  Although we recommend that you update scripts to use the current API paths, you do not need to change your code immediately when a new major or minor (maintenance) release is announced.


Features Introduced in March 2023


The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on Mar 12, 2023. When upgraded, the version will be 22.12.694.
• New Features in Prisma Cloud Compute
• Addressed Issues

New Features in Prisma Cloud Compute


CVE Coverage Update

  As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2023-25173 and CVE-2023-25153 (Severity: Moderate): the containerd package is used in the Prisma Cloud Defender and for Agentless Scanning. To address the vulnerabilities, upgrade to containerd version v1.6.18 or v1.5.18 as needed.
  • Fixed CVE-2022-1996 (Severity: Critical): the CVE is included in the Intelligence Stream feed. The go-restful package is a transitive dependency pulled in with k8s.io/client-go and k8s.io/kube-openapi and is not used directly by the Compute Defender and Console, so it is suppressed.

Enhancements

GKE Autopilot Clusters
  Improved testing to support the automatic updates of GKE Autopilot clusters. The latest three Prisma Cloud releases are tested daily against the latest GKE Autopilot version for continued support.

Defender Upgrade All Improvements
  When you select to upgrade all Defenders (Manage > Defenders > Deployed Defenders), you can only upgrade the Defenders that are eligible for an upgrade and that you have permission to upgrade based on the collections assigned to your Prisma Cloud role. A confirmation dialog is displayed to confirm the upgrade. This change applies to upgrades of Host and Single Container Defenders on Linux and Windows.

Oracle Cloud
  Added support to scan images and containers running on cloud hosts in the supported Oracle Cloud environments.


Features Introduced in February 2023


The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on Feb 15, 2023. When upgraded the version will be 22.12.582.
• New Features in Prisma Cloud Compute
• Addressed Issues

New Features in Prisma Cloud Compute


CVE Coverage Update

  As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2022-41717 and CVE-2022-27664: Updated the golang.org/x/net Go module to v0.5.0. WAAS deployments were affected if you have HTTP/2 applications and have deployed WAAS to inspect HTTP/2 traffic. Upgrade your Prisma Cloud Defenders if you use WAAS to inspect HTTP/2 traffic.
  • Fixed CVE-2023-0247: Updated the bits-and-blooms/bloom Go module to v3.3.1.
  • CVE-2022-41721 is included in the Intelligence Stream feed. Prisma Cloud doesn't use MaxBytesHandler, and this vulnerability doesn't impact Prisma Cloud components. You can continue to run any of the supported Prisma Cloud releases without risk from this vulnerability. To remove the vulnerability alert, upgrade to the latest 22.12 release. If you are not ready to upgrade right away, add an exception to the default Ignore Twistlock Components rule: go to Defend > Vulnerabilities > Images > Deployed and add the exception that suppresses the vulnerability alerts for CVE-2022-41721.
  • CVE-2022-1996 is included in the Intelligence Stream feed. The go-restful package is a transitive dependency pulled in with k8s.io/client-go and k8s.io/kube-openapi and is not used directly by the Compute Defender and Console, so it is suppressed.
  • The ubi-minimal base image packages are updated to the latest versions.

Enhancements

Added support for cgroup v2
  • Scans:
    • Full support for cgroup v1 and cgroup v2.
    • Hybrid mode not supported: this will not fail the scan, but the scan runs without the process limitation protection.
  • WAAS:
    • In-line firewall:
      • Full support for cgroup v1 and cgroup v2.
      • Hybrid mode: partially supported. It is supported if the memory and CPU controllers are both under the legacy hierarchy (v1). Otherwise, the firewall fails.
    • Out-of-band firewall:
      • Only cgroup v1 is fully supported.
      • cgroup v2: not supported. The firewall runs, but the memory limit of the Defender's cgroup is not increased.
      • Hybrid mode: partially supported. Same as the WAAS in-line firewall.
  • Support: cgroup v2 is not supported for Talos and other operating systems that don't have systemd.
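The support matrix above hinges on a property of the host that is easy to get wrong, namely whether it runs cgroup v1, cgroup v2, or systemd's hybrid layout, and for hybrid whether the cpu and memory controllers stayed on the legacy hierarchy. The added example below (ours, not a Prisma Cloud tool) classifies a host from its /sys/fs/cgroup layout and maps the result onto the table above. The file markers used for the classification are an assumption based on how systemd mounts cgroups (cgroup.controllers at the top of /sys/fs/cgroup for pure v2, under /sys/fs/cgroup/unified for hybrid); make_fixture builds a constructed tree so the logic can be exercised on any machine. The keys in the returned dict are illustrative names, not product settings.

```python
import os
import tempfile

CGROUP_BASE = os.path.join("sys", "fs", "cgroup")


def cgroup_mode(root: str = "/") -> str:
    """Classify the host as 'v2', 'hybrid' or 'v1'.

    Markers (assumption, based on how systemd mounts cgroups): a pure v2 host
    has cgroup.controllers at the top of /sys/fs/cgroup; a hybrid host keeps
    the v1 controller mounts there and adds a v2 mount at /sys/fs/cgroup/unified;
    anything else is treated as v1. 'root' lets a test point at a built tree.
    """
    base = os.path.join(root, CGROUP_BASE)
    if os.path.isfile(os.path.join(base, "cgroup.controllers")):
        return "v2"
    if os.path.isfile(os.path.join(base, "unified", "cgroup.controllers")):
        return "hybrid"
    return "v1"


def legacy_controllers(root: str = "/") -> set:
    """Controllers mounted on the legacy hierarchy: one directory each under
    /sys/fs/cgroup (co-mounted ones appear as 'cpu,cpuacct')."""
    base = os.path.join(root, CGROUP_BASE)
    found = set()
    if not os.path.isdir(base):
        return found
    for entry in os.listdir(base):
        if entry != "unified" and os.path.isdir(os.path.join(base, entry)):
            found.update(entry.split(","))
    return found


def support_matrix(root: str = "/") -> dict:
    """Apply the release note's cgroup table to this host."""
    mode = cgroup_mode(root)
    # Hybrid is only usable for WAAS when both cpu and memory stayed on v1.
    hybrid_ok = mode == "hybrid" and {"cpu", "memory"} <= legacy_controllers(root)
    return {
        "mode": mode,
        "scan_process_limit": mode != "hybrid",          # scans run, but hybrid loses the process limit
        "waas_inline": mode != "hybrid" or hybrid_ok,    # in-line firewall fails on unsupported hybrid
        "waas_oob_memory_limit": mode == "v1" or hybrid_ok,  # v2: runs, but memory limit not raised
    }


def make_fixture(mode: str, v1_controllers=()) -> str:
    """Build a constructed /sys/fs/cgroup tree in a temp dir (test/demo only)."""
    root = tempfile.mkdtemp(prefix="cgroup-demo-")
    base = os.path.join(root, CGROUP_BASE)
    os.makedirs(base)
    if mode == "v2":
        open(os.path.join(base, "cgroup.controllers"), "w").close()
        return root
    for ctl in v1_controllers:
        os.makedirs(os.path.join(base, ctl))
    if mode == "hybrid":
        unified = os.path.join(base, "unified")
        os.makedirs(unified)
        open(os.path.join(unified, "cgroup.controllers"), "w").close()
    return root


if __name__ == "__main__":
    print(support_matrix())  # the real host
```

On a real node, run support_matrix() with the default root before deploying the out-of-band firewall; a "v2" result means the Defender's memory limit will not be raised, which is the silent partial-support case in the table.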

Added support for Oracle Enterprise Linux (OEL) 8 and 9
  You can now run Defenders on OEL 8 and 9 hosts. Prisma Cloud now also protects OEL containers and images.

Added support for Red Hat Enterprise Linux 9 on x86 architecture
  You can now run Defenders on RHEL 9 hosts. Prisma Cloud now also protects RHEL 9 containers and images.

Added support for Rocky Linux 8 and 9
  You can now run Defenders on hosts running Rocky Linux 8 and 9. Prisma Cloud now also protects Rocky Linux containers and images.

Added support for Windows Server 2022
  • Container Defenders support the following features for Windows Server 2022:
    • Windows compliance scans
    • Vulnerability scans
    • Registry scans
    • Runtime scans
    • CNNS
    • Windows metadata scans in Alibaba, AWS, Azure, and GCP
  • Host Defenders support the following features for Windows Server 2022:
    • Windows compliance scans
    • Vulnerability scans
    • WAAS scans
    • Windows metadata scans in Alibaba, AWS, Azure, and GCP

Improved registry scan logs
  Registry scan logs (Manage > Logs > Console) now include information about registry scans that failed because no Defender was available to scan the registry.

Added WAAS support for whitespace in JSON (body) Firewall exceptions.

Add log when package manager files are missing in the scan
  Added a log entry for cases where, during an image scan, the package manager folders required for the scan (for example, /var/lib/dpkg) don't exist. The log appears either in the Defender logs or in twistcli stdout. In these cases, the scan might end with 0 vulnerabilities for this image.

Added support for custom tagging of agentless scanners and resources created within your accounts
  You can specify up to ten tags as part of the advanced agentless configuration. These tags are added to any previously existing resource tags.

Updated the agentless scanning onboarding instructions for AWS and GCP to include setting up agentless scanning using hub and target accounts.

Introduced a new column Last changed to API Discovery with the date of the latest change to the API
  The discovered API change history log is shown in the details pane.


Features Introduced in January 2023


The host, container, and serverless capabilities on the Compute tab are being upgraded starting
on Jan 29, 2023. When upgraded the version will be 22.12.427.
• New Features in Prisma Cloud Compute
• API Changes
• Addressed Issues
• Backward Compatibility for New Features

New Features in Prisma Cloud Compute


CVE Coverage Update

  As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • CVEs in Go packages are now detected at the package scope for more accurate results, and not only at the module scope. To read more about Go modules and packages, see Modules overview.
  • Fix date improvement. For any feed collected by the Intelligence Stream (IS) that does not provide a fix date for a CVE, Prisma Cloud Compute determines the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream.
  • Fixed versions enriched for fixed vulnerabilities.
  • New PRISMA-IDs have increased 131% since the Kepler major release.
  • Fast addition of CVEs (pre-filled CVEs). CVEs were added to the Intelligence Stream an average of 13 days before they were analyzed in the NVD. As an example, a Kubernetes CVE (CVE-2022-3172) was published on September 16, 2022, and was added to the Prisma Cloud Intelligence Stream on September 19, 2022. At the time of writing, in December 2022, the CVE is still reserved in MITRE and not analyzed in the NVD.

New Features in the Core Platform

Filter Defender by TAS Foundation ID
  Added a new field value tasFoundations under Manage > Defenders > Deployed Defenders in the Prisma Cloud Compute user interface to filter Defenders by TAS Foundation ID. You can use this value in the fields query parameter of the API endpoint GET, /api/vVERSION/defenders to filter Defenders by TAS Foundation ID.

Support for Talos Linux - container vulnerabilities and compliance
  Orchestrator Defenders for Talos Linux are now supported. Talos Linux Defenders allow you to perform vulnerability and compliance scans for running containers and perform registry scans. To deploy on a Talos Linux cluster, use the new "Talos Linux deployment" toggle on the Defenders deployment page, or the new --talos flag in twistcli.
  The following functionality is not available:
  • Scanning of underlying hosts.
  • Runtime scanning.
  • Agentless scanning.
  • Automatic recognition of the cluster name.
  • Block policies.

Auto Import Prisma Cloud Accounts for Agentless Scans
  The cloud accounts onboarded in the Platform are now auto-imported under Manage > Cloud accounts with the default settings, including agentless scanning and cloud discovery enabled. Both individual accounts and the accounts of an organization are auto-imported for compute workload scanning.
  Note: The number of accounts onboarded per customer is limited to 5K.

Support for AWS SQS Notification in Compute Alerts
  Added support for AWS SQS as an alert trigger under Compute > Manage > Alerts > Add profile. Prisma Compute users can now use the AWS SQS integration configured in the Prisma platform to send compute workload alerts to AWS SQS.
  To use this feature, create an AWS SQS queue and add the Amazon SQS integration under SaaS > Settings > Integrations > Add Integration.

Support for Orchestrators
  Review the system requirements for the supported operating systems, hypervisors, runtimes, tools, and orchestrators.

Vulnerability Scanning of Debian 11 Distroless Images
  Defenders now scan distroless container images for vulnerabilities and display the results on Monitor > Vulnerabilities > Images along with other scans. The following distroless images are supported:
  • gcr.io/distroless/static-debian11 (latest)
  • gcr.io/distroless/base-debian11 (latest)
  • gcr.io/distroless/cc-debian11 (latest)
  • gcr.io/distroless/python3-debian11 (latest)
  • gcr.io/distroless/java-base-debian11 (latest)
  • gcr.io/distroless/java11-debian11 (latest)
  • gcr.io/distroless/java17-debian11 (latest)
  • gcr.io/distroless/nodejs-debian11 (14, 16, 18, latest)

Immediate Image Registry Scanning
  You can now trigger a scan of a specific image in the registry and get immediate results. This lets you scan images as soon as they are added to the registry, without waiting for the scheduled scans. Trigger the scan using the Scan Registry API; an API-triggered scan does not interrupt the ongoing scheduled scans run from Monitor > Vulnerabilities > Images > Registries. The registry must first be configured in the registry settings to scan images.

Deployment Date and Elapsed Time for Deployed Image
  You can now view the deployment date and the elapsed time since the image was first deployed in a container. See the image details view in the Vulnerability Explorer and Radar to determine the start time of a vulnerable image.


Support for More Registry Entries
  You can now add up to 19,999 registry entries under Defend > Vulnerabilities > Images > Registry settings, and view scan results for a maximum of 100,000 images on Monitor > Vulnerabilities > Images > Registries.
  NOTE: When you upgrade to Lagrange, if you have configured 20,000 entries or more, you cannot add or update any registry settings until you are within the limit. To add or modify any registry settings, you must delete the entries that exceed the limit.

Individual Effects per Protection for Container Runtime Policy
  The container runtime policy rules now allow an individual effect per protection, such as anti-malware, crypto miners, and reverse shell attacks, instead of one global effect for each section (Processes, Networking, File System, and Anti-malware). The effect options are Disabled, Alert, Prevent, and Block, according to the supported effects for each detection.


To allow for individual effects


per protection, the container
runtime rule schema of the rules
has changed. Refer to the API
Container runtime policy page
for the updated schema.
As a result, if you manually export
rules from 22.06 or older versions
of Console to 22.12 Console, the
operation will fail.
The existing rules will be migrated
into the new schema by taking
the single global effect from each
section of the rule (Processes,
Networking, and File system) and
setting that effect to each one
of the detections in that section.
For example, if the Networking
section effect was "Alert", now
each one of the detections under
Networking - Networking activity
from modified binaries, Port
scanning, and Raw sockets will
get the "Alert" effect.
To support the effect conversion
for Defenders from supported
previous versions, or when
fetching the rules using an API
of a previous version, we convert
from an individual effect per
detection to a single effect per
section. In the conversion, we will
take the least severe effect for
the detections that are enabled
and set it as the section effect.
For detections with the Disabled
effect the toggle will be disabled.
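The two conversions described above (old section effect to per-detection effects, and per-detection effects back to a single section effect for older Defenders and API versions), as an added Python example that is not Prisma Cloud's own code. It assumes the effect ordering Disabled < Alert < Prevent < Block and that a section whose detections are all disabled maps back to Disabled; the detection names are the Networking ones listed above.

```python
from typing import Dict, Iterable

# Assumed severity ordering for this example, least to most severe.
SEVERITY = {"disable": 0, "alert": 1, "prevent": 2, "block": 3}

# Detections named in the release note for the Networking section (constructed sample).
NETWORKING_DETECTIONS = [
    "Networking activity from modified binaries",
    "Port scanning",
    "Raw sockets",
]


def migrate_section(section_effect: str, detections: Iterable[str]) -> Dict[str, str]:
    """Old -> new schema: every detection in the section inherits the section's single effect."""
    if section_effect not in SEVERITY:
        raise ValueError(f"unknown effect {section_effect!r}")
    return {name: section_effect for name in detections}


def section_effect(per_detection: Dict[str, str]) -> str:
    """New -> old schema: the least severe effect among the detections that are enabled.

    Disabled detections are ignored; if nothing is enabled the section is reported as
    disabled (assumption for this example).
    """
    for effect in per_detection.values():
        if effect not in SEVERITY:
            raise ValueError(f"unknown effect {effect!r}")
    enabled = [e for e in per_detection.values() if e != "disable"]
    if not enabled:
        return "disable"
    return min(enabled, key=SEVERITY.__getitem__)


def downgrade_rule(rule: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Convert a whole new-schema rule (section -> per-detection effects) to one effect per section."""
    return {section: section_effect(effects) for section, effects in rule.items()}


def migrate_rule(old_rule: Dict[str, str], detections: Dict[str, Iterable[str]]) -> Dict[str, Dict[str, str]]:
    """Convert an old-schema rule (section -> single effect) to the per-detection schema."""
    return {section: migrate_section(effect, detections[section]) for section, effect in old_rule.items()}


if __name__ == "__main__":
    new_rule = migrate_rule({"Networking": "alert"}, {"Networking": NETWORKING_DETECTIONS})
    print(new_rule)
    # A newer Console policy with mixed effects, as an old Defender would receive it:
    mixed = {"Port scanning": "block", "Raw sockets": "alert",
             "Networking activity from modified binaries": "disable"}
    print(section_effect(mixed))  # the least severe enabled effect, "alert"
```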

FIPS 140-2 Certification
The FIPS 140-2 Level 1 BoringCrypto GoLang branch has been merged into GoLang 1.19. You can deploy the Console and Defender to enforce the use of the FIPS validated cryptographic libraries and cipher suites.

Custom Certificate Trust for Registry Scanning
You can now enter a custom self-signed certificate while configuring the registry scans. This allows Prisma Cloud to validate the registry.
NOTE: Custom CA certificate validation is supported only for non-Docker nodes (Defenders running on CRI runtime) and for the following providers:
• Docker registry v2
• JFrog Artifactory (On-prem)
• Harbor
• Sonatype Nexus
Support for JFrog Artifactory Registry Scan on JFrog Cloud
Fixed an error with JFrog Artifactory registry scans running on JFrog Cloud. With Lagrange, the Defenders support registry scans and on-demand scans running on both JFrog On-prem and JFrog Cloud.

Vulnerability Assessment for Go Packages
CVEs in Go packages are now detected at the package level, and not only at the module level, for more accurate results. To read more about Go modules and packages, see Modules overview.

Immediate Alerts for Registry Scan Vulnerabilities
Added support for sending immediate alerts for registry image vulnerabilities. When configuring alerts under Compute > Manage > Alerts, the "Immediately alert for vulnerabilities" toggle now applies not only to deployed images and hosts but also to registry images. Furthermore, the existing trigger "Image vulnerabilities (registry and deployed)" is now split into two triggers, "Deployed images vulnerabilities" and "Registry images vulnerabilities", to allow you to configure your alert profile as granularly as your environment requires.
NOTE: If you already have an alert profile with Deployed image vulnerabilities (registry and deployed) along with Immediately alert for vulnerabilities enabled, then after the Lagrange upgrade you might, depending on your environment, start getting large numbers of immediate alerts for vulnerable registry images along with immediate alerts for deployed images.

Risk-Factor Based Actions
Vulnerability rules for images and hosts can now trigger different actions, such as alert, block, and fail, based on risk factors. All the vulnerabilities that match either the severity thresholds or the risk factors will be listed in the scan results under Monitor > Vulnerabilities > Images > Deployed/Registries/CI.

Exceptions for Base Image Vulnerabilities
For deployed and CI images, you can now exclude the vulnerabilities introduced by the base images or the middleware image while configuring the Vulnerability Management rules under Defend > Vulnerabilities > Images > Deployed/CI. To use this feature, you need to first specify the base image under Defend > Vulnerabilities > Images > Base images.
NOTE: When you enable this feature, the vulnerabilities that come from the base images will not be included in the scan results view under Monitor > Vulnerabilities > Images > Deployed/Registries/CI.

Alert Trigger Enhancements for Google Security Command Center
The following new fields were added to existing alert triggers for Google SCC.
• Image vulnerabilities (deployed): Includes the following properties.
  • Collections
  • Cluster Name
  • Account ID
• Container runtime: Includes the following properties.
  • Collections
  • Cluster Name
  • Account ID
• Incidents: Includes the following properties.
  • Collections
  • Cluster Name
  • Account ID
The container and image compliance trigger was added for Google SCC. This new trigger sends full data with every scan.

Path and Layer Information in Syslog Output
The image scan syslog output that the Prisma Cloud Console produces now includes two new fields: package_path and layer. The host scan syslog output that the Prisma Cloud Console produces now includes one new field: package_path.
The twistcli command line interface JSON output also shows the following new fields.
• For the images type:
  • package_path
  • layer
• For the hosts type:
  • package_path
• For the tas type:
  • package_path

Regional STS Endpoint Support for Defender on AWS
AWS recommends the use of a regional STS endpoint over the global STS endpoint sts.amazonaws.com. When onboarding your AWS cloud account, you can now use a regional sts.REGION.amazonaws.com STS endpoint. Then, your deployed Defenders don’t need to access the global STS endpoint: Defenders can get the STS token from the regional STS endpoint to perform scans such as registry scans. To enable regional STS endpoints, refer to the AWS documentation.

Support to Generate Vulnerability Reports by Package and Risk Factors
You can filter the Vulnerability (CVE) results in the Vulnerability Explorer (Monitor > Vulnerabilities > Vulnerability Explorer) to view the vulnerabilities present in your deployments in a package pivot. Similarly, you can also filter using risk factors.

Support for Distro-level Exclusions in Package Vulnerability Scans
Package vulnerability scans now account for any exclusions based on vendor-specific distributions. For the packages you install through the operating system package manager, the vulnerability scans show you only the vendor-specific analysis, if it exists. If you don’t install the packages through the operating system package manager, the scan shows the relevant vulnerabilities for the packages. Your scan results might change, and you can review the results under Monitor > Vulnerabilities.

Dedicated Defenders for Blobstore Scanning
To specialize the function of the Defenders in Tanzu environments, you can now deploy dedicated Defenders that only perform blobstore scanning and are deployed on dedicated Linux VMs. Use the dedicated scanners if you want to avoid using the Defenders installed on the Diego cells to perform the blobstore scanning. The dedicated blobstore scanning Defenders are not supported on Windows VMs.

Upgrade Confirmation for Defenders on Tanzu
When you upgrade to v22.12, the Defenders in Tanzu environments are automatically upgraded, and the user confirmation for upgrading to subsequent versions becomes available. To upgrade the Defenders in your Tanzu environment starting with the next update for v22.12, download the latest tile from the Prisma Cloud Console and import it into your environment using the Tanzu Ops Manager. With this change, Tanzu Defender upgrade is not available directly from the Prisma Cloud Console.

Added Support for Tanzu Application Service (TAS) on Windows
You can now deploy Defenders to scan your Windows TAS environments. The Defenders are deployed as add-on software on the Windows Diego cells of your TAS environment, similar to how they are deployed on Linux. You must now select the Orchestrator deployment method to deploy the TAS Defenders. Because of this change, you can filter your TAS Defenders by foundation.
The following features are not available for Defenders on Windows TAS environments.
• Scan of applications running Docker images on TAS
• Use of a proxy to install a tile
• Cert-based authentication
• Blobstore scanning: Defenders on Windows can’t be scanners, and Windows droplets have no results.

New Fields in Splunk Alerts
The following fields are added to Splunk alerts.
• command - Shows the command which triggered the runtime alert.
• namespaces - Lists the Kubernetes namespaces associated with the running image.
• startup process - Shows the process executed when the container is started.

In-Depth Scanning of Nested Java Archives
In previous releases, Defenders scanned two levels deep in nested Java Archives (JARs). The latest version of Defender can scan up to ten levels of nested JARs. While this level of nesting is atypical, this capability improves scan accuracy by detecting the vulnerabilities in the most deeply nested JARs. You can view the vulnerabilities in your images with the following steps.
1. Go to Monitor > Vulnerabilities > Images.
2. Filter the results to show your packages using JARs.
3. Click on the shown results to see the details.
4. Go to Package info and filter the results.

Twistcli Sandbox for Third-Party Assessment Tools
To help you augment and expand the compliance checks, the twistcli sandbox now enables you to run a third-party binary or script of your choice within the sandboxed container. For example:

./twistcli sandbox --token "token" --volume /opt/sandbox_testing_tools:/opt/sandbox --analysis-duration 0.1m --third-party-delay 0.2m --third-party-cmd "/opt/sandbox/test_tool" --third-party-output /opt/sandbox/output.txt --v <image:tag>

You can view the scan results on the mounted volume and on Monitor > Runtime > Image analysis sandbox. In this example, the output of the third-party testing tool will be written to the /opt/sandbox_testing_tools/output.txt file on the sandbox host.

Twistcli for ARM64 Mac
twistcli is now supported on ARM64 Mac machines. Download the ARM64 Mac-compatible version of twistcli from Manage > System > Utilities, or using the API /util/osx/arm64/twistcli.

New Features in Agentless Security

Agentless Vulnerability Scanning of Containers in AWS, Azure, and GCP
You can now use agentless scanning to identify vulnerabilities in your deployed containers and images on the AWS, Azure, and GCP platforms, and view the results of the agentless scans on Monitor > Vulnerabilities > Images > Deployed.

Agentless Scanning for Oracle Cloud Infrastructure
You can now onboard Oracle Cloud Infrastructure (OCI) accounts for agentless scanning of your hosts on OCI. You can view the results of the vulnerability scans on Monitor > Vulnerabilities > Images > Deployed.

New Features in Host Security

Application Control for Hosts
You can now set specific application control rules to make sure that your Linux hosts protected by Defenders can install or run specific application versions. The Application control rules allow you to define the match criteria and the severity levels; to enforce compliance, you must attach the rule to your compliance policy. In addition, you can import the list of applications and versions from hosts in your environment to easily create new application control rules.

New Features in Serverless

Account Information and Filtering for Serverless Functions
You can now filter the serverless functions for vulnerabilities and compliance issues by specific Account IDs for each cloud provider. The Account ID column is added under Defend/Monitor > Vulnerabilities/Compliance > Functions.
NOTE: Existing customers won’t see the Account ID until the customer’s accounts are re-added to Prisma Cloud.

New Features in Web Application and API Security (WAAS)

Automated Patch for Known CVEs
Introduced a capability in custom rules to auto-apply virtual patches to known CVE vulnerabilities detected by Prisma Cloud, under Defend > WAAS > Container/Host > In-Line/Out-Of-Band. You can override the default effects by selecting user-selected custom rules that are always applied regardless of the global Auto-apply virtual patches setting.

Enhancement in API Discovery
Monitor > WAAS > API discovery is enhanced to include all discovered resource paths with their HTTP method, instead of a per-app view. The API discovery page now includes Path risk factors to flag endpoints that have sensitive, unauthenticated, or internet-accessible data.
You can also protect all endpoints in an app with a single click and download the API specifications in JSON. Create a WAAS rule under Defend > WAAS > Sensitive data to identify and flag sensitive data in incoming requests and responses from the discovered endpoints on the API discovery page.

Allow List to Bypass Geo Access Control
You can now add a specific network list to bypass the IP-based or Geo-based access control under Defend > WAAS > Container/Host/App-Embedded/Agentless > Add/Edit App > Access control > Network controls > Exceptions, allowing you to exempt specific IPs from the access control rules.

JWT Parsing
WAAS custom rule expressions are extended to support functions that validate JSON Web Tokens (JWTs) in both requests and responses, in order to inspect the content for malicious, sensitive, and insecure information, and extract key values from the payload.
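As an added standalone illustration (not the WAAS rule expression functions themselves, whose names and syntax this note does not give), the Python below performs the kinds of checks such a rule applies to a token found in a request or response: structure, signature, expiry, insecure algorithm, and sensitive claims, then returns the decoded payload for claim extraction. The signing key, claims and tokens are constructed for the example; HS256 is the only algorithm it accepts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWT for the constructed inputs (HS256, or unsigned when alg is 'none')."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def inspect_jwt(token: str, key: bytes, now: Optional[int] = None) -> Tuple[List[str], Dict]:
    """Return (findings, payload). An empty findings list means every check passed."""
    now = int(time.time()) if now is None else now
    findings: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"], {}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers base64 padding errors and invalid JSON
        return ["malformed: header or payload is not base64url-encoded JSON"], {}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header and payload must be JSON objects"], {}

    alg = header.get("alg")
    if alg == "none":
        findings.append("insecure: unsigned token (alg=none)")
    elif alg != "HS256":
        findings.append(f"insecure: unexpected alg {alg!r}")
    else:
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
        try:
            provided = _b64url_decode(parts[2])
        except ValueError:
            provided = b""
        if not hmac.compare_digest(expected, provided):
            findings.append("invalid: signature does not verify")

    exp = payload.get("exp")
    if not isinstance(exp, int):
        findings.append("insecure: missing exp claim")
    elif exp <= now:
        findings.append("invalid: token expired")
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        findings.append("invalid: token not yet valid (nbf)")

    # Credentials and similar secrets should never ride in a JWT payload; flag common claim names.
    for claim in ("password", "secret", "ssn"):
        if claim in payload:
            findings.append(f"sensitive: payload carries {claim!r}")
    return findings, payload


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    NOW = 1_700_000_000
    token = sign_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "svc-a", "exp": NOW + 600}, KEY)
    print(inspect_jwt(token, KEY, NOW))
```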

OWASP Mapping for WAAS Events
WAAS events are now mapped to the appropriate OWASP Top 10 risk and OWASP API Top 10 risk, and you can view event summaries for each of these risks on the WAAS Explorer.

Support TLS in Out-Of-Band Rules
WAAS Out-Of-Band now supports the TLS (1.0, 1.1, 1.2) protocol.
NOTE: You can enable TLS support for an endpoint in Defend > WAAS > Container/Host > Out-Of-Band and enter the TLS certificate in PEM format.

Simplified Onboarding for VPC Traffic Mirroring
Setting up WAAS for agentless now comes with easier onboarding configuration for AWS VPC traffic mirroring under Defend > WAAS > Agentless that auto-deploys the Observers into the AWS instance and creates sessions with the resources within your VPC to monitor the incoming/outgoing traffic.

WAAS Defend Tabs Reorganized
WAAS Defend tabs are now reorganized to distinguish between agentless and agent-based OOB rules. The Out-Of-Band tab is split into Agentless (which supports VPC traffic mirroring), Container OOB, and Host OOB. Monitor > Events > WAAS for out-of-band is now changed to Monitor > Events > WAAS for agentless, and the out-of-band events are included along with the in-line events under WAAS for containers, WAAS for App-Embedded, WAAS for hosts, and WAAS for serverless.

API Changes

Supports new body parameters for a Defender daemonset script
You can use the following new optional body parameters in POST, api/vVERSION/defenders/helm/twistlock-defender-helm.tar.gz and POST, api/vVERSION/defenders/daemonset.yaml to create a daemonset install script for a Defender with customized parameters:
• Annotations
• Tolerations
• CPULimit
• MemoryLimit
• PriorityClassName
• RoleARN

API support for Agentless Scanning
Adds support for agentless scanning for vulnerabilities and compliance in hosts and containers. You can use the following APIs:
• POST, api/vVERSION/agentless/templates: Downloads a tarball file containing the agentless resource templates required with the credential for onboarding.
• POST, api/vVERSION/agentless/scan: Starts an agentless scan.
• GET, api/vVERSION/agentless/progress: Displays the progress of an ongoing scan.
• POST, api/vVERSION/agentless/stop: Stops an ongoing scan.

Improved Severity Assessment with Exploit Data
Introduces a response parameter exploit for better severity assessment and improved risk factor calculation in the following APIs:
• GET, api/vVERSION/images
• GET, api/vVERSION/hosts
• GET, api/vVERSION/serverless
The improved features include the following:
• Enriched PoC data that helps associate a vulnerability with a PoC published around the web.
• A new risk factor, Exploit in the wild, provides information about which CVEs (from CISA KEV) have a proven risk of being exploited.
• Create alert/block policies for Exploit in the wild vulnerabilities, as well as for CVEs with a PoC.
• Improved mechanism for detecting the Remote execution and DoS risk factors.
New environmental risk factors that contribute to a better and improved risk score calculation:
• Sensitive information: Sensitive information is provided in environment variables or private keys and is stored in the image or serverless function.
• Root Mount: Indicates that the vulnerability exists in a container with access to the host filesystem.
• Runtime socket: Indicates that the vulnerability exists in a container with access to the host container runtime socket.
• Host Access: Indicates that the vulnerability exists in a container with access to the host namespace, network, or devices.
You can use the exploit data to understand the exploit type, its kind, and get more information from the source where it’s listed.

Support for Audit Records through APIs
Adds support for Audits APIs to create and store audit event records for all controls. The following new API endpoints are now supported:
• GET, api/vVERSION/audits/mgmt
• GET, api/vVERSION/audits/mgmt/filters
• GET, api/vVERSION/audits/mgmt/download
• GET, api/vVERSION/audits/access
• GET, api/vVERSION/audits/access/download
• GET, api/vVERSION/audits/admission
• GET, api/vVERSION/audits/admission/download
• PATCH, api/vVERSION/audits/incidents/acknowledge/{id}
• GET, api/vVERSION/audits/firewall/app/app-embedded
• GET, api/vVERSION/audits/firewall/app/app-embedded/download
• GET, api/vVERSION/audits/firewall/app/app-embedded/timeslice
• GET, api/vVERSION/audits/firewall/app/container
• GET, api/vVERSION/audits/firewall/app/container/download
• GET, api/vVERSION/audits/firewall/app/container/timeslice
• GET, api/vVERSION/audits/firewall/app/host
• GET, api/vVERSION/audits/firewall/app/host/download
• GET, api/vVERSION/audits/firewall/app/host/timeslice
• GET, api/vVERSION/audits/firewall/app/serverless
• GET, api/vVERSION/audits/firewall/app/serverless/download
• GET, api/vVERSION/audits/firewall/app/serverless/timeslice
• GET, api/vVERSION/audits/firewall/app/agentless
• GET, api/vVERSION/audits/firewall/app/agentless/timeslice
• GET, api/vVERSION/audits/firewall/app/agentless/download
• GET, api/vVERSION/audits/firewall/network/container
• GET, api/vVERSION/audits/firewall/network/container/download
• GET, api/vVERSION/audits/firewall/network/host
• GET, api/vVERSION/audits/firewall/network/host/download
• GET, api/vVERSION/audits/kubernetes
• GET, api/vVERSION/audits/kubernetes/download
• GET, api/vVERSION/audits/runtime/app-embedded
• GET, api/vVERSION/audits/runtime/app-embedded/download
• GET, api/vVERSION/audits/runtime/container
• GET, api/vVERSION/audits/runtime/container/download
• GET, api/vVERSION/audits/runtime/container/timeslice
• GET, api/vVERSION/audits/runtime/file-integrity
• GET, api/vVERSION/audits/runtime/file-integrity/download
• GET, api/vVERSION/audits/runtime/host
• GET, api/vVERSION/audits/runtime/host/download
• GET, api/vVERSION/audits/runtime/host/timeslice
• GET, api/vVERSION/audits/runtime/log-inspection
• GET, api/vVERSION/audits/runtime/log-inspection/download
• GET, api/vVERSION/audits/runtime/serverless
• GET, api/vVERSION/audits/runtime/serverless/download
• GET, api/vVERSION/audits/runtime/serverless/timeslice
• GET, api/vVERSION/audits/trust
• GET, api/vVERSION/audits/trust/download

Immediate Image Scanning
Introduces a body parameter, onDemandScan, that triggers an on-demand image scan without interrupting the current or ongoing scan, for the following API:
• POST, api/vVERSION/registry/scan
NOTE: The image’s registry must be predefined in the registry settings.

Severity Level Based Report for Vulnerabilities
Introduces a query parameter normalizedSeverity for the host, images, registry, VMs, and serverless APIs to report vulnerabilities based on severity level. You can use the following APIs to report vulnerabilities based on the normalized severity:
• GET, api/vVERSION/images
• GET, api/vVERSION/images/download
• GET, api/vVERSION/hosts
• GET, api/vVERSION/hosts/download
• GET, api/vVERSION/serverless
• GET, api/vVERSION/serverless/download
• GET, api/vVERSION/registry
• GET, api/vVERSION/registry/download
• GET, api/vVERSION/vms
• GET, api/vVERSION/vms/download

Supports Viewing 250 Reports or Entries Per Page
The query parameter limit now supports a page size of 250 entries or reports. The default value is 50 entries or reports per page. For example, use the following command to retrieve the first 250 reports with the limit query parameter for the /hosts API endpoint:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  'https://<CONSOLE>/api/v<VERSION>/hosts?limit=250&offset=0'
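Walking a whole listing with the limit/offset parameters above, as an added Python example that is not Prisma Cloud's own client code. It enforces the 250 cap, stops on the first short page, and takes a caller-supplied `fetch` callable (hypothetical) that performs one GET and returns the decoded JSON list; the 612 host records served by `CountingFetch` are constructed so the example runs offline.

```python
from typing import Callable, Dict, Iterator, List
from urllib.parse import urlencode

MAX_LIMIT = 250     # largest page size the limit query parameter accepts
DEFAULT_LIMIT = 50  # page size used when limit is omitted


def page_query(offset: int, limit: int = DEFAULT_LIMIT) -> Dict[str, int]:
    """Build the limit/offset query for one page, rejecting values the API will not honour."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    if offset < 0:
        raise ValueError(f"offset must be non-negative, got {offset}")
    return {"limit": limit, "offset": offset}


def build_url(console: str, version: str, endpoint: str, query: Dict[str, int]) -> str:
    """Compose the Console URL for a list endpoint, e.g. .../api/v<VERSION>/hosts?limit=250&offset=0."""
    return f"https://{console}/api/v{version}/{endpoint.strip('/')}?{urlencode(query)}"


Fetch = Callable[[Dict[str, int]], List[dict]]


def iter_all(fetch: Fetch, limit: int = MAX_LIMIT) -> Iterator[dict]:
    """Yield every record of a list endpoint, advancing offset until a short page comes back.

    `fetch` is supplied by the caller (hypothetical): it performs one GET with the given
    query parameters and returns the decoded JSON list.
    """
    offset = 0
    while True:
        page = fetch(page_query(offset, limit))
        yield from page
        if len(page) < limit:  # a short or empty page means the listing is exhausted
            return
        offset += limit


def collect_all(fetch: Fetch, limit: int = MAX_LIMIT) -> List[dict]:
    return list(iter_all(fetch, limit))


# Constructed stand-in for the Console: 612 fake host records served in limit/offset slices.
FAKE_HOSTS = [{"hostname": f"host-{i:03d}"} for i in range(612)]


class CountingFetch:
    """Serves FAKE_HOSTS and counts round trips, so the effect of the page size is visible."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, query: Dict[str, int]) -> List[dict]:
        self.calls += 1
        start = query["offset"]
        return FAKE_HOSTS[start:start + query["limit"]]


if __name__ == "__main__":
    f = CountingFetch()
    hosts = collect_all(f)
    print(f"fetched {len(hosts)} hosts in {f.calls} requests at limit={MAX_LIMIT}")
    print(build_url("<CONSOLE>", "<VERSION>", "hosts", page_query(0, MAX_LIMIT)))
```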

Support for More Registry Entries
You can now add or edit up to 19,999 registry entries by using the following APIs:
• POST, api/vVERSION/settings/registry
• PUT, api/vVERSION/settings/registry

DISA STIG Scan Findings and Justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Addressed Issues

- Fixed a JAR naming detection mismatch in scan results to match the CVE data we have in the Intelligence Stream (IS). The JAR names in Prisma under Monitor > Vulnerabilities > Images/Hosts > Deployed/CI now match the Maven repo standards. Now, when the GroupID of the JAR can’t be found in the file and only the ArtifactID is detected, we identify the JAR file by other identifiers. Only the ArtifactID will be present in the scan results.

- For any feed collected by the IS that does not provide a fix date for a CVE, Prisma Cloud Compute will determine the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream. Therefore, the calculation for the grace period will now start with the date on which the CVE fix was seen on the Intelligence Stream and not the CVE publish date.
For example, if a CVE was first discovered without a fix, and a fix was released later, the grace period for fixing the CVE would start from the date the fix was published, even though the vendor feed didn’t provide us with an explicit fix date.
NOTE: For the feeds that provide a fix date for the CVEs (such as RHEL), the fix date will always be determined as the fix date provided by the vendor, and the grace period will be calculated using this fix date.
There will be no change in the fix date for the existing CVEs in the IS; only the fix date for new CVE fixes starting from Lagrange will change. With this update, all supported versions of Console will receive the change for CVEs with no fix date provided by the vendor, because the change is on the Intelligence Stream (IS), which is available to all supported versions of Console.
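The fix-date rule above, as an added Python example that is not Prisma Cloud Compute's implementation: the vendor-provided date wins, otherwise the date the IS first saw a fix is used, and a CVE with no known fix has no running grace period. The pre-Lagrange publish-date start is kept alongside for comparison; the CVE identifiers, dates and grace period length are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class CveFeedRecord:
    cve_id: str
    published: date                        # date the CVE itself was published
    vendor_fix_date: Optional[date]        # fix date stated by the vendor feed (e.g. RHEL), if any
    fix_first_seen_in_is: Optional[date]   # date the Intelligence Stream first saw a fix, if any


def fix_date(record: CveFeedRecord) -> Optional[date]:
    """Fix date per the Lagrange rule: vendor date if the feed gives one, else first-seen-in-IS date."""
    if record.vendor_fix_date is not None:
        return record.vendor_fix_date
    return record.fix_first_seen_in_is


def legacy_grace_period_start(record: CveFeedRecord) -> date:
    """Pre-Lagrange behaviour for feeds without a vendor fix date: the CVE publish date."""
    return record.vendor_fix_date or record.published


def grace_period_deadline(record: CveFeedRecord, grace_days: int) -> Optional[date]:
    """Last day of the grace period, or None while no fix is known (no grace period is running)."""
    start = fix_date(record)
    if start is None:
        return None
    return start + timedelta(days=grace_days)


def grace_period_expired(record: CveFeedRecord, grace_days: int, today: date) -> bool:
    deadline = grace_period_deadline(record, grace_days)
    return deadline is not None and today > deadline


if __name__ == "__main__":
    # Constructed record: published in January with no fix; the IS sees a fix on June 1 (no vendor date).
    rec = CveFeedRecord("CVE-YYYY-NNNN (placeholder)", date(2022, 1, 10), None, date(2022, 6, 1))
    print("new start:", fix_date(rec), "legacy start:", legacy_grace_period_start(rec))
    print("deadline with 30-day grace:", grace_period_deadline(rec, 30))
```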

- For some package types, the process for inferring the fix status for CVEs that didn’t have a fix status before is improved. The package types improved are:
• jar
• python
• Application packages such as MySQL, Java, and Jenkins.

- Fixed the serverless compliance results CSV report. The functions with no compliance/vulnerability issues were not added to the serverless compliance CSV report. This is now fixed, and the report now includes all functions irrespective of compliance/vulnerability issues. A new "Compliance ID" column is added to indicate the compliance-related issues specifically.

- Python package info is updated to include the path.

Backward Compatibility for New Features

With this release, Defenders running versions earlier than 22.01 will no longer be able to connect to the Console.

Each entry lists the feature name, the unsupported component (Defender/twistcli), and the details.

• Risk-Factor Based Actions (Defenders and twistcli): Previous versions of Defenders and twistcli will not be able to enforce the policy actions that are based on risk factors.
• Exceptions for Base Image Vulnerabilities (Defenders and twistcli): Previous versions of Defenders and twistcli will not be able to enforce excluding base image vulnerabilities from the scan results.
• Upgrade Confirmation for Defenders on Tanzu (Defenders): The confirmation for upgrade will take effect for v22.12 (Lagrange) upgrades. The first upgrade from 22.06 to 22.12 will still upgrade existing Defenders.
• Custom Certificate Trust for Registry Scanning (Defenders): Previous versions of Defenders will not support using the configured custom CA certificate while scanning the registry.
• Support for Distro-level Exclusions in Package Vulnerability Scans (Defenders): The change will not apply for scans performed by previous versions of Defenders.
• Regional STS Endpoint Support for Defender on AWS (Defenders): Previous versions of Defenders will not support using a regional STS endpoint for scans in the cloud account.
• Path and Layer Information in Syslog Output (twistcli): Previous versions of twistcli will not support the path and layer information in the JSON scan results.
• Individual Effects per Protection for Container Runtime Policy (Defenders): Previous versions of Defenders will not support individual effects per protection. The least severe effect from the policy configured in the Console will be set as the single effect which the old Defender will use to enforce the policy.
• Support for JFrog Artifactory Registry Scan on JFrog Cloud (Defenders): Previous versions of Defenders will not be able to scan the JFrog Cloud registry. Only the 22.12 Defenders will be selected from the scanners scope to scan the JFrog Cloud registry.
• JAR Vulnerability Detection Improvement (Defenders): The improvements will not apply for scans performed by previous versions of Defenders.
• Vulnerability Assessment for Go Packages (Defenders): The improvements will not apply for scans performed by previous versions of Defenders.
• FIPS 140-2 Certification (Defenders): Previous versions of Defenders will not be FIPS 140-2 compliant.
• In-Depth Scanning for Nested Java Archives (Defenders): The improvements will not apply for scans performed by old Defenders.
• JWT Parsing (Defender): Previous versions of Defenders will not parse JWT payloads and extract the entire payload or a specific attribute.
• [Out of Band] Support TLS in WAAS Out of Band Rules (Defender): Previous versions of Defenders will not support TLS in out-of-band rules.
• Auto Apply WAAS Virtual Patches Based on CVEs in Image Scan (Defender): Previous versions of Defenders will not apply a WAAS virtual patch to the application firewall.
• Allow List to Bypass Geo Access Control (Defender): Previous versions of Defender will not support an "allow list" to bypass Geo Access Control.
• Application Control for Linux Hosts (Defender): Previous versions of Defender will not control which applications and versions are allowed to run on your hosts.

Features Introduced in December 2022

The host, container, and serverless capabilities on the Compute tab are being upgraded on December 8, 2022. When upgraded, the version will be 22.06.229.
This release includes fixes, and there are no new features in this release.
• Addressed Issues

Addressed Issues

- Addressed the following issues:
  • Fixed the CVE-2022-42898 vulnerability found in the krb5-libs package in Red Hat Enterprise Linux (RHEL) 8 for the Prisma Cloud Console and the Defender.

Features Introduced in November 2022

The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition on November 07, 2022 for 22.06.224, and November 20, 2022 for 22.06.228.
This release includes fixes, and there are no new features in this release.
• Addressed Issues

Addressed Issues

- Addressed the following issues:
  • CVE-2022-1304: an out-of-bounds read/write vulnerability found in the e2fsprogs package in Red Hat Enterprise Linux.
  • CVE-2016-3709: a cross-site scripting (XSS) vulnerability found in the libxml2 package in Red Hat Enterprise Linux.

- PCSUP-12237 (fixed in 22.06.228): Fixed an error in the credit usage utilization for WAAS. With this fix, when container/host Defenders are disconnected for 24 hours, the usage of the credit is automatically stopped until the Defenders reconnect.

- PCSUP-11455 (fixed in 22.06.228): Setting the collection scope for more than 6000 collections under runtime policy rules would freeze; this is now fixed.

- PCSUP-11825: Fixed an issue with an incorrect health state for a Defender deployed on a container.

- Addressed the following issues:
  • CVE-2022-41716: vulnerability detected in Google Go, Windows environment variable - exec.cmd syscall.
  • CVE-2020-7711: vulnerability detected in a vendor package, 'goxmldsig'.
  • CVE-2022-40674: vulnerability detected in a vendor package, 'expat'.
  • Go updated to version 1.18.7. The version includes security fixes.

- PCSUP-10977: Fixed a DNS resolution error when running a twistcli image scan with the --tarball option.

- PCSUP-10621: Fixed an issue with incorrect cluster information in image scan results on Monitor > Vulnerabilities > Deployed.

- PCSUP-10618: Fixed an issue where errors were reported in scan results when the cloud service provider APIs are disabled. Now, when the APIs for the service are disabled on the CSP, cloud discovery or registry scanning do not display these as errors in scan results. The messages are added to the Console logs.

- Fixed the rule scope selection for Out-of-Band WAAS rules. When adding a new Out-of-Band WAAS rule, you were unable to choose a container name in the rule scope, or to save an Out-of-Band WAAS rule with a scope that included a namespace selection or did not include an image selection. These issues are now fixed.

Prisma™ Cloud Release Notes 613 ©2023 Palo Alto Networks, Inc.
Prisma Cloud Compute Release Information

Features Introduced in September 2022


Edit on GitHub
Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
September 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma
Cloud Enterprise Edition on October 2, 2022. When upgraded, the version will be 22.06.213.
• New Features in Prisma Cloud Compute
• Addressed Issues
• Supported Host Operating Systems and Orchestrators
• End of Support Notifications
• Breaking Change Notification

New Features in Prisma Cloud Compute

HTTPS Proxy Support for Agentless Scanning
Agentless scanning now supports connections over an HTTPS proxy server. If you use custom certificates for authentication, you can now configure custom certificates for the connection to Console when using agentless scanning.

Support for Embedding a Defender in a CloudFormation Fargate Task
Prisma Cloud Compute now supports embedding a Defender in a CloudFormation Fargate task in the YAML format, in addition to the JSON format. You can use a full CloudFormation template that contains other objects in addition to the Fargate task to generate a protected Fargate task definition. Use the Console (Compute > Manage > Defenders > Deploy > Defenders) or the APIs (/api/22.06/defenders/fargate.yaml, /api/22.06/defenders/fargate.json) to complete the workflow.

Cloud Native Network Segmentation
The Cloud Native Network Firewall (CNNF) is now renamed Cloud Native Network Segmentation (CNNS) in Compute > Radars > Settings, and you can create policies for enforcing Layer 4 communication from hosts and containers on Compute > Defend > CNNS.

Update for CVE-2022-36085
As part of the 22.06.213 release, Prisma Cloud has rolled out an update to the vulnerability data stream for CVE-2022-36085. After updating to the enhanced intelligence feed, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 22.06 or older. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk in continuing to run any of the supported Prisma Cloud releases.

Addressed Issues

PCSUP-10988
Fixed an internal error that failed to refresh the vulnerability statistics under Compute > Monitor > Vulnerabilities > Vulnerability Explorer.

PCSUP-10841
Fixed an issue with permissions in the AWS Gov template for agentless scanning.

PCSUP-10791
Fixed an issue with editing WAAS rules. On upgrade to 22.06, you could not update or modify WAAS rules configured to protect the same port for multiple protocols, such as TLS, HTTP2, and gRPC. With this fix, such rules can now be modified.

PCSUP-10632
Fixed an issue that caused Defender to incorrectly report the host OS as SLES15SP1 instead of SLES15.

PCSUP-10507
Fixed two issues with Defenders running on containerd/CRI-O nodes:
• Defenders attempted to scan host file systems during image scans for containers that changed to the host mount namespace. This issue is fixed.
• Defenders attempted to scan the host filesystem because some parent directory was a symlink. The issue was fixed by ignoring image scans running from the host namespace, to avoid false binary detections.

Supported Host Operating Systems and Orchestrators


Review the full system requirements for all supported operating systems and orchestrators.

Additional Orchestrators on x86 Architecture
• Google Kubernetes Engine (GKE) version 1.24.2 with containerd version 1.6.6
• Elastic Kubernetes Service (EKS) version 1.6.6
• Azure Kubernetes Service (AKS) with containerd version 1.6.4+azure-4 running on Linux
• AKS version 1.24.3 running with containerd version 1.6.6+azure on Windows
• Lightweight Kubernetes (k3s) version v1.24.4+k3s1 with containerd v1.6.6-k3s1
• OpenShift version 4.11 with CRI-O 1.24.1
• Rancher Kubernetes Engine (RKE) version 1.24.4+rke2r1 with containerd 1.6.6-k3s1

End of Support Notifications


Maven system dependencies
With the End of Support for Maven system dependencies, Defender injection for Java functions is now implemented using the bundle as a Maven internal repository. With this update, the <systemPath> dependency is no longer used.

Compile dependency in Gradle 7.0
With the End of Support for the compile dependency in Gradle 7.0, Defender injection for Java functions is updated to an implementation dependency using an internal repository.


Breaking Change Notification

Breaking Change in Lagrange
On upgrade to the next release, code named Lagrange and planned for the end of this calendar year, if you have configured an alert profile on Compute > Manage > Alerts and enabled Image vulnerabilities (registry and deployed) and Immediately alert for deployed resources, you will now receive immediate alerts for vulnerable registry images along with immediate alerts for deployed images.

The volume of immediate alerts generated may be much higher than what you've seen in previous releases, because support for immediate alerting for registry images is being added in Lagrange. With this change, the Image vulnerabilities (registry and deployed) option is being separated into two: Deployed images vulnerabilities and Registry images vulnerabilities. Both of these triggers will be automatically enabled on upgrade if the original trigger was enabled in the alert profile.

Features Introduced in July 2022


Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July
2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma
Cloud Enterprise Edition on July 31, 2022. When upgraded, the version will be 22.06.197.
• New Features in Prisma Cloud Compute
• DISA STIG Scan Findings and Justifications
• API Changes
• Addressed Issues
• Supported Host Operating Systems and Orchestrators
• Changes in Existing Behavior
• End of Support and Deprecation Notifications
• Backward Compatibility for New Features

New Features in Prisma Cloud Compute

New Features in the Core Platform

CVE Coverage Update
As part of the 22.06 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
• Support for GitHub Security Advisories vulnerabilities, including Go, Java, and Python vulnerabilities.
• A 152% increase in new PRISMA-IDs since the Joule major release.
• Faster addition of CVEs (pre-filled CVEs). The pre-filled CVEs were added to the Intelligence Stream on average 56 days before they were analyzed in the NVD. As an example, the SpringShell CVE (CVE-2022-22965) was published on March 31, 2022, and the NVD analysis was completed on April 8, 2022. 'PRISMA-2022-0130' was published for the vulnerability on March 30, 2022, and was changed to the CVE as soon as it was published in the NVD.

New Filters in the Vulnerability Explorer
On the Vulnerability Explorer, you can now generate a vulnerabilities report using new filters such as CVSS score and severity threshold. In addition to viewing the filtered results for deployed images, registry images, hosts, and functions under Vulnerability (CVE) results on Monitor > Vulnerabilities > Vulnerability Explorer, you can also download a detailed report for CVEs in CSV format or a detailed report for impacted resources in CSV format from the Vulnerability Explorer.

Vulnerability Scan Report for Registry Images
With the vulnerabilities report for registry images (Monitor > Vulnerabilities > Images > Registries), you can review the top 10 critical CVEs discovered in your registry images and search by a CVE ID to view the results for both registry and deployed images that are impacted by a CVE.

ARM64 Architecture Support
You can now deploy Defenders to protect AWS workloads based on the Linux ARM64 architecture. With ARM64 support, you can secure your deployments and enhance the cost savings for compute- and network-intensive workloads that use cloud-native compute offerings such as the AWS Graviton processor. To use Prisma Cloud on ARM64 architecture, see the system requirements.

Compliance Alert Triggers for Slack
You can now trigger and send vulnerabilities detected for container and image compliance, and host compliance, to your Slack integration.

Integrate with Azure Active Directory Using SAML 2.0
Prisma Cloud Compute now uses the Microsoft Graph API for integrating with Azure Active Directory (AD) resources. This transition is in line with the deprecation notice from Microsoft for the Azure AD Graph API and the Azure Active Directory Authentication Library (ADAL). For authenticating users on the Prisma Cloud Console, you must replace the Directory.Read.All permission for Azure Active Directory Graph with the Directory.Read.All permission for the Microsoft Graph API.

OIDC User Identity Mapping
You can map OIDC identities to Prisma Cloud users as required by the specification. Instead of using the default sub attribute, you can now use another attribute, such as email or username.


Improvements in Runtime Protection
The container model learning is improved to reduce false positive audits when a binary is modified during container creation. The grace time for binaries added after the container has started is now 10 seconds. Additionally, for CI/CD environments where dedicated containers are used to pull images, you can now allow pulling images. For example, if a container was started with podman as one of its startup processes, the Dockerfile will allow this action and ignore runtime audits.

Enhanced Coverage for Certificate Authentication with Azure
You can now authenticate with Azure using a certificate for the following integrations:
• Cloud discovery
• Azure Key Vault
• ACR registry scanning
• Azure serverless function scanning
• Azure VM image scanning

GKE Autopilot Deployment Improvement
When deploying Defenders into your Kubernetes deployment for GKE Autopilot, you have a new toggle in the Console and a corresponding twistcli flag that makes the workflow easier. The improvements automatically remove the mounts that are not relevant to the Autopilot deployment and enable you to add the annotation required to deploy Defenders successfully.
On the Console, go to Manage > Defenders > Deploy > Defenders, select Kubernetes, and enable Nodes use Container Runtime Interface (CRI), not Docker and GKE Autopilot deployment.
The --gke-autopilot flag in twistcli adds the annotation to the YAML file or Helm chart. For example:

./twistcli defender export kubernetes --gke-autopilot --cri --cluster-address <console address> --address https://<console address>:8083


New Features in Container Security

Vulnerability and Compliance Scanning for Workloads Protected by App-Embedded Defenders
App-Embedded Defenders can now scan the workloads they protect for vulnerabilities and compliance issues. They can also collect and report package information and metadata about the cloud environments in which they run. Go to Monitor > Vulnerabilities > Images > Deployed and Monitor > Compliance > Images > Deployed to review the scan reports.

Improved Visibility for CaaS Workloads Protected by App-Embedded Defenders
For CaaS (Container as a Service) workloads protected by App-Embedded Defenders, you can now view more metadata on the cloud environment on which a workload is deployed, forensics, and runtime audits on the Monitor > Runtime > App-Embedded observations page. You can filter the workloads in the table by a number of facets, including collections, account ID, and clusters.


Runtime File System Audits for App-Embedded Defenders
App-Embedded Defender runtime defense now includes support for container file systems, so that you can continuously monitor and protect containers from suspicious file system activities and malware.

Automatically Extract Fargate Task Entrypoint at Embed-Time
To streamline the embed flow and eliminate manual intervention (that is, updating task definitions to explicitly specify entrypoints), Prisma Cloud can automatically find the image entrypoint and set it up in the protected task definition. Now, when Prisma Cloud generates a protected task definition, it knows the entrypoint and/or cmd instructions of the container image during the first run of the App-Embedded Defender.

CloudFormation Template (CFT) Support for Fargate Task Definitions
You can now generate protected Fargate task definitions in the CFT format for embedding an App-Embedded Defender.

Additional Checks for CIS Benchmark for OpenShift
In 22.06, we've added support for more checks from the CIS OpenShift benchmark.

Support for Vulnerability and Compliance Scanning for Windows Containers
Windows Container Defender on hosts with the containerd runtime can now scan Windows containers for vulnerabilities and compliance issues. This is supported on AKS only. In addition, deployed Windows Container Defenders can now be configured to scan Windows images in registries. twistcli for Windows has also been extended to scan Windows images on Windows hosts with containerd installed.

Support for Google Artifact Registry
You can now scan Google Artifact Registries.

Registry Scanning Enhancements
Enhanced registry scanning progress status within the Prisma Cloud Console UI and logs. The enhancements provide the option to choose whether to stop or continue an in-progress scan when saving the registry settings. After you , Prisma Cloud automatically scans the images within for vulnerabilities using an improved flow.

Scan Image Tar Files with twistcli
twistcli can scan image tarballs for the Docker Image Specification v1.1 and later. This enhancement enables support for vendors who deliver container images as tar files rather than via a registry, and the integration with Kaniko, a tool that builds images in a Kubernetes cluster from a Dockerfile without access to a Docker daemon.

Rule to Allow Activity in Attached Sessions
When you start a session inside pods or containers running in your deployment using commands such as kubectl exec or docker exec, you can now explicitly specify whether the rule should allow the activity in attached sessions. This option on Defend > Runtime > Container Policy > Add rule > Processes helps you reduce the volume of alerts generated for the allowed activities and processes. When enabled, process, network, and filesystem activity executed in an attached session such as kubectl exec is explicitly allowed without additional runtime analysis. Only Defender versions 22.06 or later support this capability.

New Features in Agentless Security

Support for Microsoft Azure
Agentless scanning is now available for vulnerability scanning and compliance scanning on Azure.

Support for Google Cloud
Agentless scanning is now available for vulnerability scanning and compliance scanning on Google Cloud.

Compliance and Custom Compliance Support
With agentless scanning you can now scan hosts from all three major cloud providers (AWS, Azure, and Google Cloud) against compliance benchmarks. In addition to out-of-the-box checks, you can apply user-defined custom compliance checks and scan against the host file system.

Unpatched OS Detection
In addition to vulnerability and compliance scanning, you can now track pending OS security updates in this release with agentless scanning.

Unscanned Cloud Account Detection
You can now easily discover regions within AWS, Azure, or Google Cloud accounts where agentless scanning is not enabled, and enable scanning for those cloud accounts.

Proxy Support
In this release, you can manage how scanners connect to the Prisma Cloud Console for agentless scanning. If you use a proxy, you can configure the proxy settings in the scan settings for accounts under Manage > Cloud Accounts.

New Features in Host Security

Auto-Defend Host Process Update
When you set up the process to automatically deploy Defenders on hosts, this update ensures that Host Defenders are not deployed on container hosts. Hosts running containers require Container Defenders to protect and secure both the host and the containers on it.

CIS Linux Benchmark Update
The CIS Linux Benchmark now includes 13 additional checks. You can find the additional controls in the Defend > Compliance > Hosts > CIS Linux template.

New Features in Serverless Security

Runtime Protection for Azure Functions
Serverless Defenders now offer runtime protection for Azure Functions. Functions implemented in C# (.NET Core) 3.1 and 6.0 are supported.

New features in Web Application and API Security (WAAS)

WAAS Out of Band Detection
Out of band is a new mode for deploying Web Application and API Security (WAAS). It enables you to inspect HTTP messages to an application based on a mirror of the traffic, without the need to set up WAAS as an inline proxy, so that you can receive alerts on malicious requests such as OWASP Top 10 alerts, bot traffic, and API events. It provides you with API discovery and alerting without impacting the flow, availability, or response time of the protected web application.
Out of band detection also allows you to extend your WAAS approach:
• You can monitor your resources deployed on AWS with VPC traffic mirroring from workloads. This option gives you the flexibility to monitor environments without deploying Defenders.
• If you have deployed Defenders in your environment, but are not using the WAAS capabilities on Compute, you can mirror traffic for out of band inspection without requiring any additional configuration.
After you configure a custom rule for out of band mode (Defend > WAAS > Out of band), all the detections are applied on a read-only copy of the traffic, and you can view the out of band traffic details on Monitor > WAAS > API observations > Out of band observations.

OpenAPI Definition File Scanning
You can scan OpenAPI 2.X and 3.X definition files in either YAML or JSON format and generate a report for any errors or shortcomings, such as structural issues and gaps in adherence to security guidelines and best practices. You can initiate a scan through twistcli, upload a file to the Console, or import a definition file into a WAAS app. The scan reports are available under Monitor > WAAS > API definition scan.
Automatic Port Detection of WAAS Applications for Containers or Hosts
When you enable the automatic detection of ports in WAAS Container, Host, or Out of band rules, you can secure ports used by unprotected web applications. The automatic detection of ports makes it easier to deploy WAAS at scale because you can protect web applications without knowing which ports are used. Additionally, you can add specific ports to the protected HTTP endpoints within each app in your deployment.

Customization of Response Headers
You can append or override names and values in HTTP response headers sent from WAAS-protected applications, for Container, Host, and App-Embedded deployments.

WAAS Actions for HTTP Messages that Exceed Body Inspection Limits
You can now apply the Alert, Prevent, or Ban WAAS actions for HTTP messages that exceed the body inspection limit, and ensure that messages that exceed the inspection limit are not forwarded to the protected application. To enforce these limits, you must have a minimum Defender version of 22.01 (Joule). With custom rules (Defend > WAAS > Out of band), you can apply Disable or Alert actions for HTTP messages that exceed the body inspection limit.

Attacker IP Addition to a Network List
When a WAAS event includes an attacker IP address, you can now directly click a link to add the attacker IP address to an existing or new network list from Monitor > Events > Aggregated WAAS events > Attacker.

Regex Match in Forensics Message
When defining a custom rule, you can now define a regular expression to match strings and include the matched information in the forensics message.

Defender Compatibility with Custom Rules
To make it easier to review and make sure that all Defenders meet the minimum version requirement for a rule, you can now view the minimum Defender version required to use each rule. The Defender version information is displayed in a new column within the custom rules table.

WAAS Proxy Error Statistics
On Radar > WAAS connectivity monitor, you can view WAAS proxy statistics for blocked requests, the count of requests for which the inspection limit was exceeded, and parsing errors.

DISA STIG Scan Findings and Justifications


Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender
images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of
the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved
UBI8-minimal scan findings. Any discrepancies are addressed or justified.

API Changes

New API Endpoints

GET /stats/vulnerabilities/download
Introduces a new API endpoint that downloads a detailed report for CVEs in CSV format.

GET /stats/vulnerabilities/impacted-resources/download
Introduces a new API endpoint that downloads a detailed report for impacted resources in CSV format.

PUT policies/firewall/app/out-of-band
Introduces a new API endpoint that updates or edits a WAAS custom rule for out of band traffic.

GET policies/firewall/app/out-of-band
Introduces a new API endpoint that discovers and detects the HTTP traffic for an existing WAAS out of band custom rule.

GET policies/firewall/app/out-of-band/impacted
Introduces a new API endpoint that fetches the impacted resources list for an existing WAAS out of band custom rule.

POST waas/openapi-scans
Introduces a new API endpoint that scans API definition files and generates a report for any errors or shortcomings, such as structural issues, compromised security, best practices, and so on. API definition scan supports scanning OpenAPI 2.X and 3.X definition files in either YAML or JSON format.

GET profiles/app-embedded
Introduces a new API endpoint that fetches the app-embedded runtime metadata.

GET profiles/app-embedded/download
Introduces a new API endpoint that downloads the app-embedded runtime profiles in CSV format.

GET util/arm64/twistcli
Introduces a new API endpoint that downloads the 64-bit Linux ARM (ARM64) twistcli binary in ZIP format.

Changes to Existing API Endpoints

GET /stats/vulnerabilities
Introduces a change in the existing API endpoint that fetches the vulnerabilities (CVEs) affecting an environment. The data for each CVE, such as impacted packages, highest severity, and so on, is now based on the entire environment irrespective of the collections filter, assigned collections, or assigned accounts. Also, the impacted resources and distribution counts are not retrieved and are returned as zero when you apply filters or are assigned specific collections or accounts.

GET /stats/vulnerabilities/impacted-resources
Introduces new optional query parameters, such as pagination and resource type, to the existing API endpoint. To preserve backward compatibility, if you don't use these optional query parameters, the API response displays results without pagination and without registry images, similar to the response in previous releases (Joule or earlier).

Addressed Issues

PCSUP-9587
Fixed an issue where a Defender scanning a non-Docker (CRI-O) registry incorrectly reported all custom compliance checks as passed.

PCSUP-9555
Fixed an error that overwrote the communication port after upgrading a Defender with a custom port from the Prisma Cloud Console UI.

PCSUP-9523
Fixed an issue with sending automatic emails for alerts to recipients in the dynamic email list, which is based on custom labels that you define as metadata on your cloud resource. When setting up an alert profile, when you enter a custom label in Recipients - Dynamic list based on labels (Optional) within the alert profile, the drop-down list displays the list of eligible email addresses. With this fix, the alert notification is sent to both the static and dynamic recipients you have configured on the alert profile (Compute > Manage > Alerts > Manage > Add Alert Profile).

PCSUP-9482
Fixed an issue wherein the Defenders blocked application deployments on SELinux due to incorrect SELinux labeling on the proxy runc. With this fix, the original runc SELinux label is applied to the created runc proxy binary.

PCSUP-9247
Fixed an issue of duplicate or missing system rules for WAAS.

PCSUP-9069
Fixed an issue with the scanned images filter. With this fix, the filter lists all the tags when multiple images have the same digest.

PCSUP-8519
Fixed an issue that showed different fixes for the same CVE on a single image. Each CVE vulnerability is now consolidated and grouped according to OS version for each image and package.

PCSUP-8811
Fixed an issue where XSS was not detected due to query key/value parsing.

Fixed an issue where fixedDate for Windows vulnerabilities did not update.

The Intelligence Stream is updated to fix an issue where some Red Hat Enterprise Linux (RHEL) packages were incorrectly reported as vulnerable.

Security Fixes
In accordance with the security assurance policy, this release contains updates to resolve older vulnerabilities in packaged dependencies:
Console & Defender:
• Upgraded Go Lang version
• Removed mongodb-tools binaries
• Containerd updates for Kubernetes (github.com/containerd/containerd)
• Open Policy Agent updates (github.com/open-policy-agent/opa)
• Runc updates (github.com/opencontainers/runc)
• Kubernetes (k8s.io/kubernetes)
• Mongod
• Mongodb Go driver (go.mongodb.org/mongo-driver)
• AWS SDK for Go (github.com/aws/aws-sdk-go)
• Dependency updates for package xz (github.com/ulikunitz/xz)
• YAML for Go package (gopkg.in/yaml.v3)
Defender:
• github.com/docker/distribution
• github.com/tidwall/gjson
Console:
• Dependency updates for com.google.code.gson_gson

Supported Host Operating Systems and Orchestrators


Prisma Cloud now supports hosts running x86 architecture on multiple platforms and hosts running ARM64 architecture on AWS.
Review the full system requirements for all supported operating systems and orchestrators.

Hosts on x86 Architecture
In this release, Prisma Cloud added support for the following host operating systems on x86 architecture:
• Bottlerocket OS 1.7
• Latest Amazon Linux 2
• Latest Container-Optimized OS on Google Cloud
• Ubuntu 22.04 LTS

Hosts on ARM64
In this release, Prisma Cloud added support for the following host operating systems on ARM64 architecture running on AWS:
• Amazon Linux 2
• Ubuntu 18.04 LTS
• Debian 10
• RHEL 8.4
• CentOS 8
• Photon OS 4

Orchestrators
• Google Kubernetes Engine (GKE) version 1.23.7 with containerd version 1.5.11
• GKE version 1.24.1 running on ARM64 architecture. For the full announcement, refer to our blog.
• VMware Tanzu Kubernetes Grid Integrated (TKGI) version 1.14
• VMware Tanzu Kubernetes Grid Multicloud (TKGM) version 1.5.1 on Photon 3 and Ubuntu 20.04.03 LTS

Changes in Existing Behavior

No Image Scanning for Short-lived Containers
For short-lived containers, that is, when a container is created and immediately terminated, the image is not scanned. In previous versions, the image was scanned by monitoring pull events from the registry.

Update Permissions in AWS Agentless Scanning Template
An additional permission is added to the AWS agentless scanning template. For existing accounts that are enabled for agentless scans, you will need to update the permissions.

Change in Prisma Cloud UI
Credentials for AWS, GCP, and Azure cloud accounts are now under Manage > Cloud Accounts.

Scanning Process Impact on Artifact Metadata in JFrog Artifactory
In 22.01 update 2, we updated how the scanning process impacts artifact metadata in JFrog Artifactory. The scanning process no longer updates the Last Downloaded date for all manifest files of all the images in the registry.
In 22.06, we've further refined how this works: as part of the process for evaluating which images should be scanned, in addition to reviewing the manifest files, Prisma Cloud also examines the actual images. Now the Last Downloaded date won't change unless the image is actually pulled and scanned.
"Transparent security tool scanning" is not supported for anything other than Local repositories. If you select anything other than Local in your scan configuration (including virtual repositories backed by local repositories), then Prisma Cloud automatically uses the Docker API to scan all repositories (local, remote, and virtual). When using Docker APIs, the Last Downloaded field in local JFrog Artifactory registries will be impacted by scanning.
If you have a mix of local, remote, and virtual repositories, and you want to ensure that the Last Downloaded date isn't impacted by Prisma Cloud scanning, then create separate scan configurations for local repositories and remote/virtual repositories.

Serial Number Field for Incidents Will Be Empty
The data collection for incidents in the Prisma Cloud Compute database is capped at 25,000 incidents or 50 MB, whichever limit is reached first. After the upgrade to 22.06, if the size of your incident collection exceeds this limit, the oldest incidents beyond the limit are dropped.
As part of this change, the serial number field for incidents is now empty. The serial number was a running count of incidents tied to the size of the data collection; now that the collection is capped, it is no longer available. To uniquely identify incidents, use the ID field instead.

Use Category Field to Identify Incident Type
A new field, category, is now available for incident alerts sent through the Webhook and Splunk integrations to identify the incident type.

Update Existing App-Embedded Collections to Use the App IDs Field
With 22.06, all App-Embedded collections, including Fargate tasks, are grouped together in collections using the App ID field. Until now, collections of Fargate tasks were specified using the Hosts field in the vulnerability, compliance, and incidents pages.
After upgrading to 22.06, update your existing collections to use the App IDs field rather than the Hosts field to maintain the correct grouping of resources for filtering, assigning permissions, and scoping vulnerability and compliance policies.
The CSV file export for vulnerability scan results, compliance scan results, and incidents has also changed: Fargate tasks protected by App-Embedded Defender are reported under the Apps column instead of the Hosts column.
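The migration above is mechanical but easy to get wrong at scale (a leftover "*" in App IDs silently widens a collection back to every App-Embedded workload). The following is an added example, not Prisma Cloud code, of how to rewrite an exported set of collections. It assumes, for illustration only, that a collection is a dict with list-valued "hosts" and "appIDs" keys, that ["*"] means "match everything", and that the Fargate scopes previously placed in Hosts are ECS task ARNs; verify those field names against the collection objects your Console actually returns before applying it. The sample export is constructed.

```python
"""Move Fargate task scopes from the Hosts field to the App IDs field of
existing App-Embedded collections (the 22.06 migration described above).

Added example, not Prisma Cloud code. Assumed object shape: {"name", "hosts",
"appIDs"}, with ["*"] meaning "match everything"; assumed Fargate scopes are
ECS task ARNs. Check both assumptions against a real export first.
"""
import copy
from typing import Dict, List, Tuple

WILDCARD = ["*"]


def is_task_scope(entry: str) -> bool:
    """Assumption: Fargate scopes that used to live in Hosts are ECS task ARNs."""
    return entry.startswith("arn:aws:ecs:")


def migrate_collection(coll: Dict) -> Tuple[Dict, List[str]]:
    """Return (migrated copy, entries moved). Collections without task scopes are unchanged."""
    new = copy.deepcopy(coll)
    hosts = list(new.get("hosts") or WILDCARD)
    moved = [h for h in hosts if is_task_scope(h)]
    if not moved:
        return new, []
    remaining = [h for h in hosts if not is_task_scope(h)]
    new["hosts"] = remaining or WILDCARD
    # Drop the "*" placeholder once real App IDs are present; leaving it would
    # widen the collection back to every App-Embedded workload.
    app_ids = [a for a in (new.get("appIDs") or []) if a != "*"]
    new["appIDs"] = app_ids + [m for m in moved if m not in app_ids]
    return new, moved


def migrate_all(collections: List[Dict]) -> Tuple[List[Dict], Dict[str, List[str]]]:
    """Migrate every collection; the report maps collection name -> entries moved."""
    migrated, report = [], {}
    for coll in collections:
        new, moved = migrate_collection(coll)
        migrated.append(new)
        if moved:
            report[coll["name"]] = moved
    return migrated, report


# Constructed sample export: one Fargate collection scoped via Hosts, one plain host collection.
SAMPLE_COLLECTIONS = [
    {"name": "payments-fargate",
     "hosts": ["arn:aws:ecs:us-east-1:123456789012:task/payments/*"],
     "appIDs": ["*"]},
    {"name": "linux-web", "hosts": ["web-*"], "appIDs": ["*"]},
]

if __name__ == "__main__":
    migrated, report = migrate_all(SAMPLE_COLLECTIONS)
    for name, moved in report.items():
        print(f"{name}: moved {len(moved)} scope(s) from Hosts to App IDs")
```

Run it against an export, review the report, then push the migrated collections back; the input list is never mutated, so a dry run is safe.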

End of Support and Deprecation Notifications

Notices

OpenShift 3.11 End of Support
Red Hat has announced the EOL for OpenShift 3.11, so OpenShift 3.11 is no longer supported on Prisma Cloud.

Debian 9 End of Life
Debian 9 (Stretch) has reached End of Life (EOL), and CVE security vulnerabilities for Debian 9 will no longer be available in the Intelligence Stream feed.

Alert Notifications through External Integrations that Overlap on Prisma Cloud
Starting with the Maxwell release, the external integrations (alert profiles) in Compute that overlap with the Prisma Cloud platform will only be supported on the platform. Before the Maxwell release, set up the new integrations on Settings > Integrations and delete the overlapping alert profiles defined under Compute > Manage > Alerts. For the list of overlapping integrations, see the supported alert providers.

EOL for Windows Server 2016
Support for Windows Server 2022 will be added with or before the Maxwell release in 2023. With support for Windows Server 2022, Windows Server 2016 will no longer be supported. Microsoft has announced the EOL for Windows Server 2016 as of January 2022.

Docker Access Control with the Access User Role
Support for Docker Access Control is being deprecated along with the Access User role. Support will be removed in the Newton release.

Code Security Module for Scanning
Support for scanning your code repositories from the Prisma Cloud Compute Console (Monitor > Vulnerabilities > Code repositories) is being deprecated. twistcli for code repo scanning is also being deprecated. Use the Code Security module on Prisma Cloud to scan code repositories and CI pipelines for misconfigurations and vulnerabilities. Support for code repo scanning using Prisma Cloud Compute will be removed in the Newton release.

Backward Compatibility for New Features

Each entry lists the feature name, the unsupported component (Defender/twistcli), and details.

Support for Google Artifact Registry
Unsupported component: Defender. Old Defenders will not be supported for scanning Artifact Registry.

Registry Scan Enhancements
Unsupported component: Defender. A new log record was added for "Defender finished scanning image", which adds the pull, analysis, and total duration. For older Defenders, the following fields will be zero: ImagePullDuration, ImageAnalysisDuration, ImageScanDuration.

Vulnerability and Compliance for Workloads Protected by App-Embedded Defenders
Unsupported component: Defender. Old App-Embedded Defenders (except for ECS Fargate Defenders) will not be supported for vulnerabilities, compliance, and package info. The images running with these Defenders will not be returned in the GET images API. Also, for old ECS Fargate Defenders, the Environment → Apps tab within the image dialog will be empty, even though there are running tasks and their count is displayed on the main images page under the Apps column.

Runtime File System Audits for App-Embedded Defenders
Unsupported component: Defender. Old App-Embedded Defenders will not have the filesystem capability, so the workloads protected by them cannot be monitored for file system activity.

Rule to Allow Activity in Attached Sessions
Unsupported component: Defenders. Old Defenders will not support the new functionality, as they do not have the backend implementation of this toggle.

Support ARM: Add Vulnerabilities Support for ARM to the IS
Unsupported components: Defenders, twistcli, Console, and Intelligence Stream. Old Defenders and Consoles will not support ARM64, since they have no dedicated implementation. The Intelligence Stream is updated with ARM64 CVEs for all Consoles, but we expect that an ARM-related CVE for each x86 CVE will not be common. ARM64 Defenders are required to scan ARM-based images. Make sure to assign the appropriate collections in your Registry Scanning Scope for x86_64 images and ARM64 images to prevent errors in registry scanning. The ALL collection automatically includes the ARM64 Defenders.

Windows Defender for Vulnerability and Compliance with Containers
Unsupported components: Defenders, twistcli. Old Defenders and twistcli will not support the new functionality, as they do not have the updated implementation.

Improved Visibility for CaaS Workloads Protected by App-Embedded Defenders
Unsupported component: Defenders. Old App-Embedded Defenders will not be supported: the new capability of fetching the workload cloud metadata into the App-Embedded profile is unavailable for them.

Authenticate with Azure Container Registry Using Certificate
Unsupported component: Defenders. Older Defenders will not be able to use the new credential type in scanning.

Extract Fargate Task Entrypoint and Command Params, Support Fargate Task Definition in CloudFormation Template Format
Unsupported component: twistcli. New implementation for Fargate task Defenders in twistcli; older twistcli versions do not have it.

Support Image Tar File Scanning with twistcli
Unsupported component: twistcli. Old twistcli versions do not have this implementation.


Features Introduced in June 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition on June 12, 2022. When upgraded, the version will be 22.01.890.
In accordance with the Security Assurance policy, this release includes the following security fixes.

Feature Description

Console & Defender
• Upgraded Golang version
• Containerd updates for Kubernetes (github.com/containerd/containerd)
• Open Policy Agent updates (github.com/open-policy-agent/opa)
• Runc updates (github.com/opencontainers/runc)
• Kubernetes (k8s.io/kubernetes)
• Mongod
• MongoDB Go driver (go.mongodb.org/mongo-driver)
• AWS SDK for Go (github.com/aws/aws-sdk-go)
• Dependency updates
  • github.com/ulikunitz/xz
  • YAML for Go package (gopkg.in/yaml.v3)

Defender
• github.com/docker/distribution
• github.com/tidwall/gjson

The following issues are not displayed for Compute resources. Compute is not vulnerable to these issues because it does not use the ssh package; the vulnerability is in the implementation of the ssh server in the package.
• Console & Defender: CVE-2022-27191 for golang.org/x/crypto/ssh
• Console: CVE-2020-29652 for golang.org/x/crypto/ssh


Features Introduced in March 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in March 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition starting March 25, 2022. When upgraded, the version will be 22.01.880.
• New Features in Prisma Cloud Compute
• Prisma Cloud Compute Known Issues includes fixes in 22.01.880.

New Features in Prisma Cloud Compute

Feature Description

AKS Version Support Update
Prisma Cloud Compute adds support for AKS 1.22.6 for Linux and Windows with containerd. See the system requirements.


Features Introduced in February 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in February 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition on February 27, 2022. When upgraded, the version will be 22.01.857.

• New Features in the Core Platform
• New Features in Container Security
• New Features in Host Security
• New Features in WAAS
• Compatibility and Supportability Notifications

New Features in Prisma Cloud Compute

Feature Description

New Features in the Core Platform

CVE Coverage Update
After updating to the enhanced intelligence feed in this release, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 21.08 or older. The following vulnerabilities may cause an alert on previous releases: CVE-2021-38297, CVE-2021-41771, and CVE-2021-41772. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk in continuing to run any of the supported Prisma Cloud releases.
To ensure these vulnerability alerts do not display, upgrade to the latest 22.01 release, where applicable. If you are not ready to upgrade right away, add an exception in the default Ignore Twistlock Components rule (under Defend > Vulnerabilities > Images > Deployed) to suppress these vulnerability alerts.

Intelligence Stream Update
The Intelligence Stream updates include vulnerability information for SUSE SLES 12 and 15.

Support for Operating Systems
This release includes support for:
• Bottlerocket OS
• RHEL 6 (vulnerability coverage only)
• Photon OS 3
• K3s (K3s clusters are not shown in the Containers Radar; the containers are displayed under Non-cluster containers.)
• EKS using containerd
• AKS with Windows nodes using containerd (supported for runtime defender and radar visibility)
• GKE Autopilot (except for custom compliance and the Prevent effect in runtime policy)

Enhanced Scoping for Vulnerability Tags
For enhanced exception and metadata reporting on vulnerabilities, Prisma Cloud allows you to granularly tag vulnerabilities based on CVE ID, package, and resources.
Use the Manage > Collections and tags > Tags page to assign a tag to a CVE for a single package, or for all the packages affected by it. You can assign a tag to a specific resource such as ubuntu:18.04, to resources defined using wildcards (for example, ubuntu:*), and to multiple resources across your environment. For container images, when you assign the tag to a base image, Prisma Cloud automatically assigns the tag to all its descendant images.
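The scoping rules above (CVE, optional package, resource pattern with wildcards, and base-image tags inherited by descendants) are worth seeing as logic, because the inheritance is what makes a tag on ubuntu:18.04 land on every image built from it. The following is an added example, not Prisma Cloud code: the TagRule shape, the parent-image map, and the sample findings are assumptions for illustration, and the product's own tag objects and image relationships come from the Console.

```python
"""Resolve which vulnerability tags apply to a finding, scoped by CVE, package
and resource pattern, with base-image tags inherited by descendant images.

Added example, not Prisma Cloud code. TagRule, PARENTS and RULES are
constructed for illustration.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


class TagRule:
    def __init__(self, tag: str, cve: str, resource: str = "*", package: Optional[str] = None):
        self.tag = tag
        self.cve = cve            # exact CVE ID
        self.resource = resource  # image pattern, e.g. "ubuntu:18.04" or "ubuntu:*"
        self.package = package    # None = every package affected by the CVE


def image_lineage(image: str, parents: Dict[str, str]) -> List[str]:
    """[image, its base image, that image's base, ...], cycle-safe."""
    chain, seen = [image], {image}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return chain


def tags_for_finding(finding: Dict[str, str], rules: List[TagRule],
                     parents: Dict[str, str]) -> List[str]:
    """Tags whose CVE, package and resource scope all cover this finding."""
    lineage = image_lineage(finding["image"], parents)
    matched: List[str] = []
    for rule in rules:
        if rule.cve != finding["cve"]:
            continue
        if rule.package is not None and rule.package != finding["package"]:
            continue
        # A rule scoped to any image in the lineage covers this descendant:
        # this is the base-image propagation described in the release note.
        if not any(fnmatchcase(img, rule.resource) for img in lineage):
            continue
        if rule.tag not in matched:
            matched.append(rule.tag)
    return matched


# Constructed sample: app:1.0 is built FROM ubuntu:18.04, batch:2.3 FROM ubuntu:22.04.
PARENTS = {"app:1.0": "ubuntu:18.04", "batch:2.3": "ubuntu:22.04"}
RULES = [
    # Tag the base image only; descendants inherit it.
    TagRule("accepted-risk", "CVE-2021-3999", resource="ubuntu:18.04"),
    # Wildcard resource, but only the openssl package.
    TagRule("track-openssl", "CVE-2022-0778", resource="ubuntu:*", package="openssl"),
]

if __name__ == "__main__":
    finding = {"image": "app:1.0", "cve": "CVE-2021-3999", "package": "libc6"}
    print(tags_for_finding(finding, RULES, PARENTS))
```

The package filter is deliberately exact rather than a pattern, which mirrors the "single package or all packages" choice in the UI.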

Organization-Level Credentials for GCP
You can now use your organization-level credentials to enable Prisma Cloud to find and scan all projects in your GCP organization resource hierarchy. With support for organization-level credentials, capabilities such as cloud discovery and registry scanning are simplified, and you do not need to create credentials for each project.

Log DNS Queries in Forensics
To help you investigate incidents and events that occur in your environment, the forensics capability of recording DNS queries is extended to include containers, hosts, and App-Embedded Defenders.

Cortex XDR Integration
Cortex XDR is now a native alert provider to which Prisma Cloud Compute can send runtime audits and incidents. With this integration, you can create a new profile on Manage > Alerts > Manage and send alerts to Cortex XDR.

Simplified Certificate Management for Console-Defender Communication
Console-Defender communication certificates are now automatically rotated one year before expiration. During the year after rotation and until expiration of the old certificates, Console communicates with Defenders using both the old and new certificates. This allows the entire deployment to continue functioning without the need for immediate redeployment of the Defenders.
• Redeploy all Defenders within the year to ensure that they acquire the new certificate. The Console web interface helps you identify which Defenders require redeployment.
• New Defenders deployed after rotation will get the new certificate.
• Console CA certificate expiration alerts are now sent 90 days in advance (increased from 30 days).


PII/Sensitive Information Sanitization for Runtime Events
You can now filter sensitive information included within runtime events, such as commands run inside protected workloads, and ensure that it is not included in the runtime findings (including Forensics, Incidents, and Audits) on Manage > System > General.
To protect user privacy and to ensure that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others), you have two options to scrub sensitive runtime data in Prisma Cloud Compute:
• Default scrubbing configuration: automatically scrub secrets from runtime events. This configuration is enabled by default when you upgrade the Console.
• Customize your own regex to detect and scrub sensitive information, in addition to the existing capabilities in WAAS.
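To make the two options concrete, here is an added example, not Prisma Cloud code, of a scrubber applied to the command lines that runtime events carry: a default pattern set for the secrets that routinely leak into argv, plus a hook for operator-supplied regexes. The default patterns are my own illustration, not the product's built-in set, which is not published here; the sample command lines are constructed. Redaction keeps the flag or header name and blanks only the value, so the event stays useful for triage.

```python
"""Scrub secrets from runtime-event command lines before they reach forensics.

Added example, not Prisma Cloud code. DEFAULT_PATTERNS are an illustration of
a default scrubbing set; `custom` carries the operator's own regexes. Any
capture-group layout is accepted: 3 groups keep prefix and suffix, 2 keep the
prefix, fewer redact the whole match.
"""
import re
from typing import Dict, Iterable, List, Pattern

REDACTED = "[REDACTED]"

DEFAULT_PATTERNS: List[Pattern] = [
    # key=value / "key value" forms: --password=x, token: x, aws_secret_access_key x
    re.compile(r"(?i)(\b[\w-]*(?:password|passwd|pwd|token|secret|api[-_]?key)[\w-]*"
               r"\s*[=:\s]\s*[\"']?)([^\s\"']+)"),
    re.compile(r"(?i)(Authorization:\s*(?:Bearer|Basic)\s+)([^\s\"']+)"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),            # AWS access key ID (whole match)
    re.compile(r"(://[^/\s:@]+:)([^@\s]+)(@)"),     # user:pass@ embedded in a URL
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),   # GitHub tokens (whole match)
]


def _redact(match: "re.Match") -> str:
    groups = match.groups()
    if len(groups) >= 3:
        return f"{groups[0]}{REDACTED}{groups[2]}"
    if len(groups) == 2:
        return f"{groups[0]}{REDACTED}"
    return REDACTED


def scrub(text: str, custom: Iterable[str] = ()) -> str:
    """Apply the default patterns, then the operator's custom regexes, in order."""
    for pattern in list(DEFAULT_PATTERNS) + [re.compile(p) for p in custom]:
        text = pattern.sub(_redact, text)
    return text


def scrub_event(event: Dict[str, str], fields: Iterable[str] = ("command", "args"),
                custom: Iterable[str] = ()) -> Dict[str, str]:
    """Return a copy of a runtime event with the selected string fields scrubbed."""
    cleaned = dict(event)
    for field in fields:
        if isinstance(cleaned.get(field), str):
            cleaned[field] = scrub(cleaned[field], custom)
    return cleaned


# Constructed sample runtime events.
SAMPLE_EVENTS = [
    {"type": "processes", "command": "mysql -u root --password=hunter2 -h db"},
    {"type": "processes", "command": 'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.x.y" https://api.internal'},
    {"type": "processes", "command": "psql postgres://app:S3cret!@db.internal:5432/prod"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(scrub_event(ev)["command"])
```

The key/value pattern is intentionally greedy (it will also hit a flag called "--tokenizer"); for forensics data that trade-off is usually right, and the custom list lets you add narrower, environment-specific patterns such as internal ID formats.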

Splunk Integration
You can now send alerts from the Prisma Cloud Compute Edition Console to Splunk and consolidate alert notifications for your operations teams. The alert integration with Splunk uses the Splunk HTTP Event Collector and the _json source type.
This enhancement is in addition to the existing Prisma Cloud Enterprise Edition integration with Splunk.
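Three notes on this page fit together: the Splunk integration speaks HTTP Event Collector with the _json sourcetype, incidents now carry a category field in the Webhook and Splunk payloads, and the incident serial number is gone, so the ID field is the only stable key. The following added example, not Prisma Cloud code, is a forwarder that shows all three: it dedupes on the ID, routes on category, and wraps each incident in the HEC envelope. The incident field names ("_id", "category", "time"), the category values in the routing table, and the sample incident are assumptions for illustration; check them against the webhook payload your Console actually sends.

```python
"""Forward Compute incident alerts to Splunk HEC, keyed on the incident ID and
routed by the category field.

Added example, not Prisma Cloud code. Assumed incident fields: "_id",
"category", "time" (ISO-8601). ROUTES is an illustrative table, not a
published list of category values.
"""
import json
from datetime import datetime
from typing import Dict, Optional
from urllib import request

HEC_PATH = "/services/collector/event"

ROUTES = {                       # category -> on-call queue (illustrative)
    "cryptoMiners": "soc-critical",
    "reverseShell": "soc-critical",
    "lateralMovement": "soc-critical",
    "portScanning": "soc-triage",
}


def _epoch(ts: Optional[str]) -> Optional[float]:
    """ISO-8601 (trailing Z allowed) -> epoch seconds, the unit HEC expects in "time"."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class IncidentForwarder:
    def __init__(self, hec_base_url: str, hec_token: str):
        self.url = hec_base_url.rstrip("/") + HEC_PATH
        self.token = hec_token
        self.seen = set()        # incident IDs already forwarded

    def route(self, incident: Dict) -> str:
        return ROUTES.get(incident.get("category", ""), "soc-triage")

    def hec_envelope(self, incident: Dict) -> Optional[Dict]:
        """HEC payload for a new incident, or None for a duplicate / ID-less record."""
        incident_id = incident.get("_id")
        if not incident_id or incident_id in self.seen:
            return None      # serial numbers are empty now; the ID is the dedupe key
        self.seen.add(incident_id)
        envelope = {
            "sourcetype": "_json",
            "source": "prisma-cloud-compute",
            "event": dict(incident, queue=self.route(incident)),
        }
        epoch = _epoch(incident.get("time"))
        if epoch is not None:
            envelope["time"] = epoch
        return envelope

    def build_request(self, envelope: Dict) -> request.Request:
        req = request.Request(self.url, data=json.dumps(envelope).encode(), method="POST")
        req.add_header("Authorization", f"Splunk {self.token}")   # HEC token auth scheme
        req.add_header("Content-Type", "application/json")
        return req

    def forward(self, incident: Dict) -> bool:
        envelope = self.hec_envelope(incident)
        if envelope is None:
            return False
        with request.urlopen(self.build_request(envelope), timeout=10) as resp:
            return resp.status == 200


# Constructed sample incident as a webhook consumer might receive it.
SAMPLE_INCIDENT = {"_id": "62fb1c2e", "category": "reverseShell",
                   "time": "2022-02-27T10:00:00Z", "hostname": "node-1"}

if __name__ == "__main__":
    fw = IncidentForwarder("https://splunk.example:8088", "REPLACE-WITH-HEC-TOKEN")
    print(json.dumps(fw.hec_envelope(SAMPLE_INCIDENT), indent=2))
```

The `seen` set is process-local; a real consumer would persist it (or rely on Splunk-side dedupe on event._id), since Console retries after a failed delivery will resend the same incident.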

Quicker Vulnerability Alerting
To supplement the existing vulnerability alerting mechanism, you can now send alerts as soon as new vulnerabilities are detected when:
• Deploying a new image/host with vulnerabilities.
• Detecting new vulnerabilities when re-scanning an existing image/host.

Extended RBAC Across Prisma Cloud Views
RBAC capabilities across Prisma Cloud enable you to limit data to specific users and groups based on the Resource List and Collections assignments. These enhancements restrict views after the first scan.

New Features in Container Security

Kubernetes Auditing Enhancements for EKS and AKS
Kubernetes auditing, which ingests audit data from Kubernetes clusters to help you identify risks and security events, now supports AWS EKS clusters and Azure AKS clusters. The configuration settings on Defend > Access > Kubernetes are enhanced to include AWS and Azure, in addition to the existing GCP support. Additionally, you can configure Kubernetes auditing policy rules more granularly using a cluster filter and apply rules to specific clusters.
The AWS CFT on Prisma Cloud includes the additional permissions for EKS auditing for onboarded cloud accounts. Update the CFT stack to apply them.

CIS Benchmarks Support
CIS Benchmarks coverage was extended to:
• CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0
• CIS Docker Benchmark v1.3.1
• CIS Kubernetes V1.20 Benchmark v1.0.0
The newly added compliance checks are set to ignore on preexisting compliance rules, regardless of severity.

Compliance for containerd Containers
All CRI runtime compliance checks are now applicable to containerd containers as well. This feature is not supported on Bottlerocket OS.

Multiple Image Tags Support
Image tags are now collected and presented for image IDs with multiple, different tags.


AKS Windows containerd Node Support
You can now install the Windows Container Defender on your Azure Kubernetes Service (AKS) Windows nodes with the containerd runtime. With Defenders deployed, you can view the running containers and images on Radar and use the runtime defense capabilities of Prisma Cloud Compute for these containers; vulnerability and compliance scanning are not supported yet.

Harbor Registry Scanning Improvements
The Harbor registry scanning performance is improved.

OpenShift Clusters Upgrade
Seamlessly upgrade OpenShift clusters when Prisma Cloud Defender is installed. This update solves the issue described in https://access.redhat.com/solutions/5206691. This is supported starting with OpenShift 4.7 and Defenders v22.01.

Defenders on VMware Tanzu TAS Isolation Segments
Support for deploying Defenders on VMware Tanzu TAS isolation segments (Network and Compute Isolation) is now available.

Remote VMware Tanzu Blobstores Scan
You can now scan remote VMware Tanzu TAS blobstores located in a different cloud controller than the scanning Defender. This capability provides flexibility when defining the blobstore-scanning Defenders and eliminates the need to deploy Defenders in every TAS environment where you want to perform blobstore scanning.

Agentless Security
Prisma Cloud Compute adds support for vulnerability scanning of running EC2 hosts on AWS. Agentless scans give you visibility into running or stopped vulnerable hosts in your cloud accounts without deploying Defenders.
For your scaling needs and flexibility in protection modes, you can use Defenders and agentless scanning wherever convenient. Licensing for agentless scans is 1 credit per host.
The AWS CFT for Monitor and Protect on Prisma Cloud includes the additional permissions for agentless scanning of EC2 for onboarded cloud accounts.
New Features in Host Security

Pre-Deployment Scan Support for Hosts on Azure and GCP
You can now scan virtual machine (VM) images on Azure and GCP to detect and harden against vulnerabilities, compliance issues, and malware at the pre-deployment stage. For example, if you have an image with a vulnerable version of Apache Log4j, the scan detects and reports this security issue before you deploy any hosts using the image.
Configure automatic scanning of the VM images for public, marketplace, or private libraries across your Azure subscriptions or GCP projects on Defend > Vulnerabilities > Host > VM images, and review the scan results on Monitor > Host > VM Images under Vulnerabilities and Compliance.

Collection of Cloud Provider Metadata for Windows Virtual Machines
Windows Defenders now collect and report cloud metadata the same way as Linux Defenders. Cloud metadata includes things such as the cloud provider where the Defender runs (for example, AWS) and the name of the host on which the Defender is deployed.

New features in WAAS

WAAS Explorer
The new WAAS explorer dashboard on Monitor > WAAS provides an overview of protection coverage, web application and API security posture, usage statistics, and insights.

WAAS Event IDs
To make events easier to find, an Event ID is assigned to all new WAAS events so you can reference and search for them in the Event Monitor. End users who are denied access to a web page can now see the event ID on the WAAS block page, and in a new HTTP response header (X-Prisma-Event-Id) when the option is enabled for an app in a WAAS rule on Defend > WAAS > <Rule name> > Advanced settings.

Custom Rules - Extended Functionality
The Allow action is now available for WAAS custom rules. Requests matched by an Allow custom rule override the actions set by other protections such as the application firewall, bot protection, and API protection. Custom rules can be applied to traffic that matches WAAS and runtime rules.
The following transformation functions are available for creating custom rules: lowercase, compressWhitespace, removeWhitespace, urlQueryDecode, urlPathDecode, unicodeDecode, htmlEntityDecode, base64Decode, replaceComments, removeCommentSymbols, removeTags.
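Why transformations matter is easiest to see with a rule that is evaluated both with and without them: a path-traversal pattern that matches "../" never fires on "%2e%2e/" unless the field is URL-decoded first. The block below is an added example, not Prisma Cloud code. The transformation names mirror the list above, but the implementations are mine and are not claimed to match the product's behaviour exactly; the rule set, the first-match Allow-before-Block ordering, and the sample requests are constructed.

```python
"""Normalise a request field through a chain of transformations, then match a
custom rule against the normalised value.

Added example, not Prisma Cloud code. Transformation names follow the release
note; bodies are illustrative. RULES and the sample requests are constructed.
"""
import base64
import html
import re
from typing import Callable, Dict, List
from urllib.parse import unquote, unquote_plus


def unicode_decode(s: str) -> str:
    """Turn %u002E / \\u002E style escapes into characters."""
    return re.sub(r"(?:%u|\\u)([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def base64_decode(s: str) -> str:
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return s                       # not base64: leave the field untouched


TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "lowercase": str.lower,
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
    "removeWhitespace": lambda s: re.sub(r"\s+", "", s),
    "urlQueryDecode": unquote_plus,    # '+' becomes a space, as in query strings
    "urlPathDecode": unquote,          # '+' is literal in paths
    "unicodeDecode": unicode_decode,
    "htmlEntityDecode": html.unescape,
    "base64Decode": base64_decode,
    "replaceComments": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "removeCommentSymbols": lambda s: re.sub(r"/\*|\*/|--|#", "", s),
    "removeTags": lambda s: re.sub(r"<[^>]*>", "", s),
}


def normalise(value: str, chain: List[str]) -> str:
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


def evaluate(rules: List[dict], request: Dict[str, str]) -> str:
    """Effect of the first matching rule ("allow" or "block"), else "pass".

    Listing Allow rules first gives them precedence over Block rules, which is
    the override behaviour the release note describes.
    """
    for rule in rules:
        field = normalise(request.get(rule["field"], ""), rule.get("transforms", []))
        if re.search(rule["pattern"], field):
            return rule["effect"]
    return "pass"


# Constructed rule set: a health-check allow list, then a traversal block rule.
RULES = [
    {"field": "path", "pattern": r"^/healthz$", "effect": "allow"},
    {"field": "path", "pattern": r"\.\./", "effect": "block",
     "transforms": ["urlPathDecode", "unicodeDecode", "lowercase"]},
]

if __name__ == "__main__":
    for path in ("/healthz", "/files/%2e%2e/%2e%2e/etc/passwd", "/files/report.pdf"):
        print(path, "->", evaluate(RULES, {"path": path}))
```

Order in the chain matters: decoding before lowercasing handles "%2E", and the comment transformations are only meaningful on fields that may carry SQL or script fragments.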

gRPC Support
For API-based protection of gRPC messages, WAAS now supports inspection of gRPC messages.

Scanning for Unprotected Web Applications and APIs
Support for scanning unprotected web applications and APIs on hosts is now available. Additionally, the scan for unprotected web applications and APIs for both containers and hosts is enabled by default, and you now have the option to disable the scan on Radar > Settings.

API Observations Improvements
On Monitor > WAAS > API observations, the JSON body content is now added to the learning model. Schemas are presented as part of the observations and are available for export as an OpenAPI Specification v3 JSON file.

Compatibility and Supportability Notifications

End of Support Notifications
Operating Systems
• Ubuntu 16.04 (Xenial Xerus) is no longer supported.
• Debian 9 (Stretch) is no longer supported.
• RHEL 6 is no longer supported. RHEL 6 is no longer generally available, as stated on the Red Hat website.
Orchestrators
• GKE using Docker is no longer supported.
• Docker Swarm is no longer supported. You must uninstall the Docker Swarm Defender before the upgrade to 22.01.
Serverless Runtimes
• Python 2 is no longer supported.
• Node.js 10 is no longer supported.
Other
• Cloud compliance has been removed.
• Kubernetes auditing for self-managed clusters will no longer be supported through the Kubernetes dynamic audit configuration, which was deprecated in Kubernetes 1.19. It uses the audit webhook backend instead.

Information on Backward Compatibility
New features introduced in this release that will not be supported by older versions of Defenders:
• OpenShift: make changes to crio.conf via the Machine Config Operator only
• Remove PII data from the FullProcCmd command
• Defender support for containerd on Windows
• Container compliance support for containers running on containerd
• Update of the Docker CIS benchmark to 1.3.1. The following new/modified checks aren’t supported: 1.1.4, 1.1.8, 1.1.12, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 3.23, 3.24, 3.7, 3.8. The rest are supported.
• OpenShift CIS v1.1.0 support
• Log DNS requests in Forensics
• Compute-XDR integration, phase 1. The integration will work with older Defenders; however, the new fields that were added for the integration (e.g. ip, port, filepath) will only be collected on Defenders from this release.
• TAS: scan external blobstores


Look Ahead — Planned Updates on Prisma Cloud Compute

Review any deprecation notices and new features planned in the next Prisma Cloud Compute release.
The latest release, 31.00.129, is planned for August 20, 2023.


Prisma Cloud Compute Known Issues


Review the list of known and addressed issues and deprecation notice for the Compute
capabilities on Prisma Cloud Enterprise Edition.
The following table lists the known and addressed issues on Compute capabilities on Prisma Cloud
Enterprise Edition.

The list of addressed issues is not cumulative; only the issues fixed in the last published release are included here.

Issue ID Description

Fixed in 31.00.129: Fixed Harbor support
Fixed an issue limiting the support of Prisma Cloud Compute as a pluggable scanner in Harbor. The support is now extended to instances where the Defenders operate in a CRI environment.

Fixed in 31.00.129: Fixed missing version detection in JAR packages
Fixed an issue that caused missing version detection for JAR packages when the version name included a date, for example, 20171018.
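The JAR issue is a parsing pitfall worth understanding even if you are not writing a scanner: a date-style version such as 20171018 is a single numeric segment with no dots, so a splitter that expects "major.minor" treats it as part of the artifact name and reports no version, and a vulnerability match then cannot happen. The block below is an added example, not Prisma Cloud's scanner code, showing a name splitter that handles both dotted and date versions, a date check, and an ordering key so date versions compare correctly. The file names are constructed.

```python
"""Split a JAR file name into (artifact, version) and order versions,
covering date-style versions such as 20171018.

Added example, not Prisma Cloud scanner code. Convention assumed: the version
starts at the first dash-separated segment that is purely numeric/dotted.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

_NUMERIC = re.compile(r"\d+(?:\.\d+)*")


def parse_jar_name(filename: str) -> Tuple[str, Optional[str]]:
    """'log4j-core-2.14.1.jar' -> ('log4j-core', '2.14.1'); 'json-20171018.jar' -> ('json', '20171018')."""
    stem = filename[:-4] if filename.endswith(".jar") else filename
    parts = stem.split("-")
    for i, part in enumerate(parts):
        # i > 0: the artifact must keep at least one segment (handles names like 3scale-client).
        if i > 0 and _NUMERIC.fullmatch(part):
            return "-".join(parts[:i]), "-".join(parts[i:])   # qualifiers (SNAPSHOT, jre) stay with the version
    return stem, None


def is_date_version(version: str) -> bool:
    """True for an 8-digit YYYYMMDD version that is a real calendar date."""
    if not re.fullmatch(r"\d{8}", version):
        return False
    try:
        datetime.strptime(version, "%Y%m%d")
        return True
    except ValueError:
        return False


def version_key(version: str) -> List[Tuple[int, object]]:
    """Sort key: numeric pieces compare as ints, qualifiers as strings, so
    20180130 > 20171018 and 2.14.1 > 2.9.0 both hold."""
    key: List[Tuple[int, object]] = []
    for piece in re.split(r"[.\-]", version):
        key.append((0, int(piece)) if piece.isdigit() else (1, piece.lower()))
    return key


def newest_version(versions: List[str]) -> str:
    return max(versions, key=version_key)


# Constructed sample file names.
SAMPLE_JARS = ["json-20171018.jar", "log4j-core-2.14.1.jar",
               "spring-core-5.3.20-SNAPSHOT.jar", "guava-31.1-jre.jar", "mylib.jar"]

if __name__ == "__main__":
    for name in SAMPLE_JARS:
        artifact, version = parse_jar_name(name)
        print(f"{name}: artifact={artifact} version={version} date={version and is_date_version(version)}")
```

Treating a bare "20171018" as a version rather than as part of the name is what the fixed issue comes down to; the date check only matters once you want to compare such versions against an advisory's fixed version.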

Fixed in 31.00.129: Agentless Scanning for Azure - Fixed error in onboarded Azure government accounts
Fixed an issue preventing agentless scanning of onboarded Azure government accounts.

Fixed in 31.00.129: Agentless Scanning - Fixed being unable to scan containers when failing to list one container’s details
Fixed an issue caused when listing container details of containers on hosts using Docker as the CRI. The issue led to agentless scanning not discovering containers on the specified host. The fix improves the scan process tolerance to errors during the retrieval of container metadata.

Fixed in 31.00.129: Agentless Scanning - Fixed missing OS labels of hosts scanned using agentless scanning
Added the missing OS labels, both osDistro and osVersion, to hosts scanned by agentless scanning.

Fixed in 31.00.129: Inconsistent reporting of AKS cluster names and type
Fixed an issue where AKS cluster names were not properly processed and the cluster was incorrectly classified as a generic Kubernetes cluster instead of an AKS cluster. Now, the cluster names and their type are properly parsed as AKS clusters.

Fixed in 30.03.122
Due to a bug in the Azure API, disks created by the agentless scanning process could potentially remain dangling (unattached). These disks are created with the Delete with VM option, which should ensure that they are deleted once the scanner VM has terminated. Because of the Azure API bug, disk cleanup is not always guaranteed, which leaves some disks under the PCCAgentlessScanResourceGroup as unattached. This fix explicitly deletes any dangling disks after scanner instance termination as part of the cleanup phase at the end of the agentless scan cycle, ensuring no resources are left unattached.

Fixed in 30.02.123
Fixed the incorrect "Fix status" of CVEs that originated from the National Vulnerability Database (NVD). With this update, the "Fix status" for such CVEs remains empty when there is no fix available in the NVD, instead of calculating a wrong fix status.

Fixed in 30.02.123
Fixed an issue with Defenders and agentless scans detecting an incorrect Kubernetes version. The Kubernetes version in the scan results on the Prisma Console now matches the Kubernetes version installed on the host.

Fixed in 30.02.123
Fixed a certificate error during the serverless scan in GCP when a TLS proxy is enabled. This was addressed by adding support for the global proxy in the GCP client.

Fixed in 30.01.152
Addressed an issue that caused the Console to be unresponsive when a database restore was unsuccessful. With this fix, when the database restore fails, Console reverts the changes and falls back to the database state before the restore was initiated.

Fixed in 30.01.152
Fixed incorrect CVE matching to the base layer for binaries installed without a package manager. There were differences in the results between an image created from a Dockerfile and an image pulled from a registry. The vulnerability scan results now attribute correctly to the base layer for images built from a Dockerfile.

Fixed in 30.00.140
A false "Passed" result was returned when both the alert threshold and the failure threshold are off, with exceptions for specific CVEs. With this fix, exceptions set to fail now fail as expected, even when the thresholds are off.

Fixed in 30.00.140
App-Embedded Defender scan results displayed removed or disconnected instances of the images.

Fixed in 30.00.140
Missing vulnerabilities of JARs in non-Maven packages.

Fixed in 30.00.140
Missing paths for Ruby packages in the scan results. With this fix, the package path in Monitor > Vulnerabilities/Compliance > Images helps you identify where the package is installed in your environment.

Fixed in 30.00.140
Missing vulnerabilities for Oracle Linux.

PCSUP-9241 (Fixed in 30.00.140)
For the AWS US Gov region, alerts were not forwarded successfully to the AWS Security Hub integration. With this fix, the correct AWS product ARNs for the US and China regions are used.

PCSUP-11309
The --tarball option in twistcli does not scan for compliance checks. Currently, only vulnerabilities are detected successfully.

—
Windows hosts running Defender are reported as unprotected. This issue occurs when Defender is installed on Windows hosts in AWS and Cloud Discovery is configured to scan your environment for protected hosts.

—
If you have the same custom compliance rule in use in a host policy (effect: alert) and a container policy (effect: block), the rules enforce your policy (as expected), but the audit message for a blocked container incorrectly refers to the host policy and host rule name.

—
On Radar > Containers, K3s clusters are not displayed when a Defender is deployed with an empty cluster name. You can view the containers within these clusters under Non-cluster containers.

—
A 404 Not Found error is displayed when performing a sandbox image analysis using an older version of twistcli, such as v22.06, with the 22.12 Console.

PCSUP-12197
For an application that originates from an OS package, the vulnerability data for CVEs is sourced from the relevant feed for the OS package. In some cases, such as Amazon Linux and Photon OS, this CVE information is provided in security advisories such as Amazon Linux Security Advisories (ALAS) for Amazon and PHSA for Photon. In such cases, the correlation for the relevant vulnerabilities is limited. As an example, when the application "python" is sourced from an Amazon Python package, CVEs found for the python application (as a binary) will not be correlated with the relevant Amazon CVEs from the ALAS.

-
Compliance check 6361 fails for hosts running Red Hat Enterprise Linux (RHEL) 9. The check that ensures the iptables package is installed fails because iptables was deprecated in RHEL 9 and replaced with the nftables package.
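If you write your own custom compliance checks, this known issue is the general lesson: a check that names one package hard-codes a distribution decision, and it will produce false failures the moment the distribution swaps that package out. The following added example, not Prisma Cloud's check implementation, shows the naive form beside a version-aware one that reads the os-release fields and an installed-package list supplied by the caller. The os-release texts and package lists are constructed samples, so it runs without root or an RPM database; on a real host you would feed it the contents of /etc/os-release and the output of your package manager.

```python
"""Firewall-package check that tolerates the iptables -> nftables change in
RHEL 9 (the situation behind compliance check 6361 above).

Added example, not Prisma Cloud's check implementation. Inputs are plain
strings/lists so the logic is testable offline; samples are constructed.
"""
from typing import Dict, Iterable


def naive_iptables_check(installed: Iterable[str]) -> bool:
    """The brittle form: passes only if iptables is installed, whatever the OS."""
    return "iptables" in set(installed)


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse /etc/os-release style KEY="value" lines."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def required_firewall_packages(os_release: Dict[str, str]) -> set:
    """RHEL-family 9+ ships nftables (iptables deprecated); everything else keeps iptables."""
    ids = {os_release.get("ID", "")} | set(os_release.get("ID_LIKE", "").split())
    if "rhel" in ids:
        major = int((os_release.get("VERSION_ID", "0").split(".")[0]) or 0)
        if major >= 9:
            return {"nftables"}
    return {"iptables"}


def check_firewall_package(os_release_text: str, installed: Iterable[str]) -> dict:
    os_release = parse_os_release(os_release_text)
    required = required_firewall_packages(os_release)
    return {
        "check": "6361",
        "distro": f"{os_release.get('ID')} {os_release.get('VERSION_ID')}",
        "required": sorted(required),
        "passed": bool(required & set(installed)),
    }


# Constructed samples in /etc/os-release format.
RHEL9_OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nVERSION="9.2 (Plow)"\nID="rhel"\nID_LIKE="fedora"\nVERSION_ID="9.2"\n'
RHEL8_OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nVERSION="8.8 (Ootpa)"\nID="rhel"\nID_LIKE="fedora"\nVERSION_ID="8.8"\n'
ROCKY9_OS_RELEASE = 'NAME="Rocky Linux"\nID="rocky"\nID_LIKE="rhel centos fedora"\nVERSION_ID="9.2"\n'

if __name__ == "__main__":
    rhel9_packages = ["nftables", "firewalld", "openssh-server"]
    print("naive:", naive_iptables_check(rhel9_packages))           # False: the false failure
    print("aware:", check_firewall_package(RHEL9_OS_RELEASE, rhel9_packages))
```

ID_LIKE is what makes the rule carry over to Rocky, Alma and CentOS Stream without listing each one; the major-version parse tolerates VERSION_ID values with or without a minor part.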

-
The API endpoints discovered on App-Embedded deployments are missing workload values and show zero vulnerabilities, although the protected workload has vulnerabilities.

Prisma Cloud Code Security
Release Information
Edit on GitHub
Review this section to learn about the new features in the Prisma Cloud Code Security module.
Prisma™ Cloud is an API-based integration that provides security at all stages of the software delivery process. It provides visibility into your resources deployed across different environments, and checks your adherence to compliance standards and security best practices for your assets at runtime, and for IaC templates and images even before the resources are deployed.
The Prisma Cloud Code Security module identifies vulnerabilities, misconfigurations and compliance violations in Infrastructure as Code (IaC) templates, container images and Git repositories.
To view the current operational status of Palo Alto Networks cloud services, see https://
status.paloaltonetworks.com/.
To stay informed on the Code Security capabilities added on Prisma Cloud Enterprise Edition,
make sure you review the following information:
• Features Introduced in 2023—Code Security
• Features Introduced in 2022—Code Security
• Look Ahead—Planned Updates on Prisma Cloud Code Security


Features Introduced in 2023—Code Security
Stay informed on the new capabilities and policies added to Prisma Cloud Code Security in 2023.
The following topic provides a snapshot of new features introduced for Code Security on Prisma
Cloud.
• Features Introduced in August 2023
• Features Introduced in July 2023
• Features Introduced in June 2023
• Features Introduced in May 2023
• Features Introduced in April 2023
• Features Introduced in March 2023
• Features Introduced in February 2023
• Features Introduced in January 2023

Features Introduced in August 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
August 2023.
The following new REST API endpoints are available for Prisma Cloud Code Security.
• REST API Updates

REST API Updates

FEATURE DESCRIPTION

Code Security Dashboard APIs
Prisma Cloud Code Security (CCS) now includes the following new Dashboard endpoints, which return details and metrics for Code Security issues:
• Common Errors by Policy
• Code Issues by Severity
• IaC Errors by Category
• Top Non-compliant Package Licenses
• Pull Requests over Time
• Top CVSS Score Vulnerabilities
• Top Repositories by Critical Error Count
• Code Issues over Time


Features Introduced in July 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July
2023.
The following new features or enhancements are available for Prisma Cloud Code Security.
These capabilities help agile teams add security checks to their development process and enforce
security throughout the build lifecycle.
• New Features

New Features

FEATURE DESCRIPTION

Integrated View of Run and Build details for Alerts
To help you as a Cloud Security Engineer investigate issues from code to cloud, alert details now include information to trace and attribute which build-time resource caused a policy violation for a runtime resource deployed in your cloud account. The alert details overview includes the IaC resource details and information on the build-time resource. The new Traceability information helps you connect an alert from the production environment back to the origin templates in your upstream development environment.
To view the build-time details in an alert:
• You must enable a Configuration policy with the subtype Run, Build and attach it to an alert rule on Prisma Cloud.
• Your IaC templates must be onboarded through a VCS integration.
• Terraform resources must include the yor_trace tag, which tags each IaC resource with a unique UUID so that the relationship between the code resource and the runtime resource deployed from it can be traced. This is not necessary for CloudFormation.


CSV Export support on Projects
For further investigation of issues seen on Projects (Code Security > Projects), you can export the scan results across code category views, with the configured filters applied, as a CSV report. The CSV report includes the following columns:
• Code Category: The code category of the issue.
• Status: Whether the issue is Open, Suppressed, Fixed, Passed or Fix Pending.
• Severity: The severity of the issue.
• IaC Category or Risk Factor: The IaC category for IaC misconfigurations, or the Risk Factor for Secrets and Vulnerabilities.
• Policy ID: The Prisma Cloud policy ID that is non-conformant.
• Policy Reference: A link to the policy reference guide for the non-conformant policy.
• Title: The policy name or CVE ID, depending on the issue.
• Custom Policy: Whether the non-conformant policy is a custom policy.
• First Detection Date: When the issue was first detected.
• Resource Name: The name of the resource where the issue is found.
• Scan item: Only for issues in Code Reviews; the Pull Request ID, Pull Request Name and commit hash for VCS Pull Requests, or the CI/CD branch and Run ID for CI/CD Runs.
• Source ID: The repository name.
• Suggested Fix: Whether the scan results include a recommended fix. For IaC misconfigurations this shows whether a fix Exists; for Vulnerabilities it shows the package version to bump to.
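As an added example (not Prisma Cloud code), the following Python script triages an exported Projects CSV offline: it keeps only Open rows, counts them by severity, lists the rows that already carry a Suggested Fix, and ranks repositories (Source ID) by summed severity. The column names follow the list above; the exact header spelling of a real export, the severity weights, and the sample rows (constructed, with placeholder policy IDs, CVE IDs and URLs) are assumptions.

```python
"""Triage a Projects CSV export offline.

Added example, not Prisma Cloud code. The column names follow the fields the
release note lists; the exact header spelling of a real export is assumed,
and the rows below are constructed (placeholder policy IDs, CVE IDs and URLs).
"""
import csv
import io
import json
from collections import Counter, defaultdict

SAMPLE_CSV = """\
Code Category,Status,Severity,IaC Category or Risk Factor,Policy ID,Policy Reference,Title,Custom Policy,First Detection Date,Resource Name,Scan item,Source ID,Suggested Fix
IaC Misconfiguration,Open,High,Storage,CKV_EXAMPLE_1,https://example.invalid/policies/CKV_EXAMPLE_1,Bucket access logging is disabled,False,2023-06-02,aws_s3_bucket.logs,,org/infra-repo,Exists
Vulnerabilities,Open,Critical,Remote Code Execution,CVE-0000-00001,https://example.invalid/cve/CVE-0000-00001,CVE-0000-00001,False,2023-05-30,example-lib:1.0.0,,org/payments-service,1.0.1
Secrets,Suppressed,High,Cloud Credentials,CKV_EXAMPLE_2,https://example.invalid/policies/CKV_EXAMPLE_2,AWS Access Keys,False,2023-04-11,config/settings.py,,org/payments-service,
Vulnerabilities,Fixed,Medium,Denial of Service,CVE-0000-00002,https://example.invalid/cve/CVE-0000-00002,CVE-0000-00002,False,2023-03-01,other-lib:2.4.0,,org/infra-repo,2.4.1
"""

# Weight used to rank repositories; the order matches the severities in the export.
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def load_findings(csv_text):
    """Parse the export into one dict per row, keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def open_findings(findings):
    """Drop Suppressed, Fixed, Passed and Fix Pending rows; only Open issues need action."""
    return [f for f in findings if f["Status"] == "Open"]


def count_by_severity(findings):
    return dict(Counter(f["Severity"] for f in findings))


def with_suggested_fix(findings):
    """Rows where the scanner already proposes a fix ('Exists' for IaC, a version for CVEs)."""
    return [f for f in findings if f["Suggested Fix"].strip()]


def repos_by_risk(findings):
    """Rank repositories (Source ID) by the summed severity weight of their open issues."""
    score = defaultdict(int)
    for f in findings:
        score[f["Source ID"]] += SEVERITY_WEIGHT.get(f["Severity"], 0)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def triage(csv_text):
    opened = open_findings(load_findings(csv_text))
    return {
        "open": len(opened),
        "by_severity": count_by_severity(opened),
        "fixable": [(f["Title"], f["Suggested Fix"]) for f in with_suggested_fix(opened)],
        "repos": repos_by_risk(opened),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CSV), indent=2))
```

Because the export carries the Status column, the script can separate what still needs work from what is already Suppressed or Fixed before ranking; on a real export, replace SAMPLE_CSV with the file contents and check the header row matches before trusting the counts.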


Features Introduced in June 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
June 2023.
The following new features or enhancements are available for Prisma Cloud Code Security.
These capabilities help agile teams add security checks to their development process and enforce
security throughout the build lifecycle.
• New Features

New Features

FEATURE DESCRIPTION

Projects Enhancements
With this release, Projects (Code Security > Projects) includes the following additional enhancements to help you prioritize code issues.
• Grouping Issues: You can now group the scan results by Resource or Policy across code category views.
• Sort: In addition to sorting issues by Severity, you can now sort by highest issue Count. You can sort issues across code category views and groupings.
• Filter for Enforcement: Only for the VCS Pull Requests and CI/CD Runs category views, you can now add an Enforcement Level filter. The filter gives you quick insight into Soft Fail and Hard Fail results across the Enforcement parameters.

Features Introduced in May 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
May 2023.
The following new features or enhancements are available for Prisma Cloud Code Security.
These capabilities help agile teams add security checks to their development process and enforce
security throughout the build lifecycle.
• New Features
• Changes in Existing Behavior


New Features

FEATURE DESCRIPTION

Code Security Dashboard
The Code Security dashboard (Dashboard > Code Security) enables you to analyze error trends across code integrations on Prisma Cloud. While emphasizing critical and high severity code issues, the dashboard also gives you an overview of the potentially vulnerable vectors in repositories: policy errors including secrets, non-compliant package licenses, vulnerabilities and IaC misconfigurations. Review the historical trend for Code Issues and Pull Requests to make informed decisions that prevent the trend from recurring. The vectors for repositories, policy errors, non-compliant package licenses, CVEs and IaC misconfigurations show the latest data after each scan. The error counts link to Code Security > Projects, where you get more context and can take remediation action for the errors as necessary.


Additional Read permissions for GitHub integration
The GitHub app is being updated to improve security coverage and visibility of your Git and CI/CD security posture. If you have set up the GitHub integration on Prisma Cloud Code Security, you will be prompted to grant additional Read permissions to the application on GitHub. Approving these permissions will enable you to use the enhanced capabilities that security teams can use to monitor and optimize their Git and CI/CD security posture across the organization, when they become available.

Changes in Existing Behavior

FEATURE DESCRIPTION

Support for Multiple IaC Frameworks on Visual Editor
Visual Editor is being enhanced to support multiple IaC frameworks when creating custom build policies. This support enables you to differentiate between Terraform and CloudFormation framework policies, and adds support for Kubernetes framework policies.

Projects View
The Projects non-enhanced view is being replaced with the enhanced view, where you can continue monitoring your code errors and vulnerabilities.

Features Introduced in April 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
April 2023.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• Policy Updates
• Changes in Existing Behavior

New Features

FEATURE DESCRIPTION

Private Registries
To increase the accuracy of dependency trees and fix suggestions in SCA (Software Composition Analysis) for your environment, you can now integrate your private registries from Settings > Repositories > Add Repositories > Package Registries > Artifactory. Integrating private registries helps you identify accurate dependency trees for packages within your repositories. On the console you can see a list of private registry integrations (Settings > Repositories). You can remediate vulnerabilities on Code Security > Projects > Vulnerabilities and also make informed decisions from Code Security > Supply Chain after viewing the dependency tree of a private registry.


Validate Secrets during a Secrets scan
When Prisma Cloud performs a secrets scan, it can now validate certain secrets against public APIs to see whether the secret is still active. This allows you to prioritize notifications on secret exposure. Validation is off by default; you can enable it under Settings > Code Security Configuration > Validate Secrets. You can access information on secret validation on Projects > Secrets using Resource Explorer, where the options for a valid secret are to Suppress it or perform a Manual Fix. Alternatively, you can run Checkov on your repositories to filter potentially exposed secrets.


Multiple Integrations support from a single Prisma Cloud account on Terraform Cloud and Enterprise Run Task
Prisma Cloud now supports multiple Terraform Cloud Run Task and Terraform Enterprise Run Task organization integrations from a single Prisma Cloud account.

Policy Updates

POLICY UPDATES DESCRIPTION

High and Medium severity Secrets Policies
Changes - The default severity for several Secrets Policies in Configuration Build Policies now includes High and Medium severity. With this change you can better prioritize secrets found in your code.
The following policies are High severity:
• AWS Access Keys
• IBM Cloud IAM Key
• Azure Storage Account Access Keys
• Google Cloud Keys
• DigitalOcean Token
• Alibaba Cloud Keys
• Python Package Index Key
The following policies are Medium severity:
• Slack Token
• Basic Auth Credentials
• Private Key
• Artifactory Credentials
• Auth0 Token
• Stripe Access Key
• GitHub Token
• CircleCI Personal Token
• Cloudflare API Credentials
• Bitbucket Token
• Terraform Cloud API Token
Impact - The severity of the alerts generated will match the assigned severity for the policy.

Changes in Existing Behavior

FEATURE DESCRIPTION

CycloneDX XML Output Format Update
The CycloneDX XML output format has been updated to match Python library updates, so that all XML tags are namespaced. This update helps with serialization and deserialization, but it may be a breaking change for tools that ingest the SBOM documents.
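The breaking case is a consumer that looks components up by bare tag name: against a namespaced document such a lookup returns nothing rather than failing loudly. The following Python example, added here and not code from Prisma Cloud or the CycloneDX project, shows a bare-tag parser returning an empty list on namespaced input, and a namespace-aware parser that derives the namespace from the root element so it reads both the old and the new output. The SBOM is constructed; the namespace URI is the CycloneDX 1.4 schema namespace.

```python
"""Read components from a CycloneDX XML SBOM whose tags are namespaced.

Added example, not Prisma Cloud or CycloneDX project code. The SBOM below is
constructed; the namespace URI is the CycloneDX 1.4 schema namespace.
"""
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"

NAMESPACED_BOM = f"""\
<bom xmlns="{CDX_NS}" version="1">
  <components>
    <component type="library">
      <name>requests</name>
      <version>2.31.0</version>
      <purl>pkg:pypi/requests@2.31.0</purl>
    </component>
    <component type="library">
      <name>urllib3</name>
      <version>2.0.4</version>
      <purl>pkg:pypi/urllib3@2.0.4</purl>
    </component>
  </components>
</bom>
"""

# The same document as a consumer written against the old, un-namespaced output expects it.
BARE_BOM = NAMESPACED_BOM.replace(f' xmlns="{CDX_NS}"', "")


def component_names_bare(xml_text):
    """Pre-update consumer: plain tag paths. Silently returns [] on namespaced input."""
    root = ET.fromstring(xml_text)
    return [c.findtext("name") for c in root.findall("components/component")]


def components(xml_text):
    """Namespace-aware consumer: derives the namespace from the root tag, so it
    handles both the old bare output and the new namespaced output."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    return [
        {
            "type": comp.get("type"),
            "name": comp.findtext(q("name")),
            "version": comp.findtext(q("version")),
            "purl": comp.findtext(q("purl")),
        }
        for comp in root.iter(q("component"))
    ]


if __name__ == "__main__":
    print("bare parser on namespaced SBOM:", component_names_bare(NAMESPACED_BOM))
    print("aware parser on namespaced SBOM:", [c["purl"] for c in components(NAMESPACED_BOM)])
```

The silent empty result is the point to check for in any SBOM ingestion job: an empty component list after this update is far more likely a parser problem than an empty image.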

Features Introduced in March 2023

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
March 2023.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• Policy Updates

New Features

FEATURE DESCRIPTION

Custom Prisma Cloud Permission group for Code Security capabilities
As part of custom Prisma Cloud roles for Code Security, administrators can now define explicit permissions for Code Security workflows from Permission Group (Settings > Access Control > Add > Permission Group). In addition to the existing System Admin permission, you can define roles with:
• View access permissions: View access for the Code Security Configuration, Projects, Supply Chain and Development Pipelines pages.
• Repository permissions: Integrate, view, update and delete access to Repositories.


Enhancements to Audit Logs
In addition to the existing Audit Logs (Settings > Audit Logs), you can now see a list of all actions initiated by Prisma Cloud administrators on Code Security. The audit log entries help you identify configuration changes and activities initiated on the repositories on behalf of the administrator. You can track the following kinds of actions:
• Suppression Management: Creating or deleting a suppression rule for the default branch on Projects (Code Security > Projects).
• Enforcement: Adding a new Enforcement rule, or reconfiguring an existing Enforcement rule by editing or deleting it. This also includes modifying the default thresholds of Enforcement parameters.
• Repository: Adding, deleting and updating integrated repositories.

Secrets Scanning on Git History
In addition to the current scans run on your repositories, Prisma Cloud now scans Git history to find exposed secrets that have since been deleted from code. You can view the scan results in the resource block on Projects (Code Security > Projects) in the Secrets code category view. On Resource Explorer, you can also see the commit history showing when the secret was added or removed.

Policy Updates

POLICY UPDATES DESCRIPTION

AWS EBS volume region with encryption is disabled
Changes - The Build remediation instructions are being updated.
Impact - No impact on Code Security findings.

Basic Auth Credentials
Changes - The policy name is being updated.
Current Policy Name - Basic Authentication Credentials
Impact - No impact on Code Security findings.

Policy Deletions

AWS EC2 instance is not configured with VPC
Changes - This policy is deleted because resources are configured in a VPC by default.
Impact - Code Security findings for this policy will no longer be surfaced in scans.

MySQL server enables public network access (duplication of CKV_AZURE_53)
Changes - This policy duplicates an existing policy and is therefore deleted.
Impact - Code Security findings for this policy will no longer be surfaced in scans.

Features Introduced in February 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
February 2023.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features

New Features

FEATURE DESCRIPTION

Enforcement Thresholds
You can now configure enforcement thresholds for Vulnerabilities, Licenses, IaC, Build Integrity and Secrets. This update aligns with the three new Code Security modules for IaC Security, Software Composition Analysis (SCA) and Secrets Security. For existing customers, the existing Enforcement thresholds are mapped to the new categories as follows:
• Images: Mapped to Vulnerabilities.
• Open Source: Mapped to Licenses.
• Supply Chain: Mapped to Build Integrity.
IaC and Secrets are not affected.


Code Editor for Custom Secrets
In addition to custom policies for build-time checks, Code Editor now lets you define regular expression patterns for Custom Secrets on the Prisma Cloud console. Policy violations for custom secrets continue to be viewable on Code Security > Projects.
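A custom secret pattern is worth prototyping locally before it goes into Code Editor, and worth running over history as well as the working tree, since the Git history scanning described in the March 2023 notes exists precisely because a secret that was committed and later removed is still exposed. The following Python example (added here; not Prisma Cloud or Checkov code) does both for a hypothetical internal token format: an anchored regular expression, an entropy gate that drops placeholder values, redaction of anything reported, and a scan over a constructed three-commit history in which the secret is added and then removed. The token format, the entropy cut-off and the commits are all assumptions made for the example.

```python
"""Prototype a custom secret pattern and run it over git history.

Added example, not Prisma Cloud or Checkov code. The "acme_" token format, the
entropy cut-off and the commit history are all constructed for this example.
"""
import math
import re
from collections import Counter

# Hypothetical internal token format: the literal prefix "acme_" followed by 32 base62 characters.
# The anchored prefix and fixed length are what keep a pattern like this from matching prose.
CUSTOM_SECRET = re.compile(r"\bacme_[A-Za-z0-9]{32}\b")
MIN_ENTROPY = 3.0  # bits per character; filters placeholder values such as acme_aaaa...


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep enough of the token to triage it, never the full value."""
    return token[:8] + "..." + token[-4:]


def find_secrets(text):
    """Return (line number, redacted token) for every high-entropy match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CUSTOM_SECRET.finditer(line):
            token = match.group(0)
            if shannon_entropy(token[len("acme_"):]) >= MIN_ENTROPY:
                hits.append((lineno, redact(token)))
    return hits


# Constructed history of one file, oldest commit first: the secret is committed
# in the second commit and "removed" in the third, so HEAD looks clean.
HISTORY = [
    ("c0ffee1", "config.py", "API_TOKEN = os.environ['ACME_TOKEN']\n"),
    ("c0ffee2", "config.py", "API_TOKEN = 'acme_Q7x9Lm2Zp4Kd8Rt1Vb6Nw3Yh5Jc0Fg2S'  # TODO remove\n"),
    ("c0ffee3", "config.py", "API_TOKEN = os.environ['ACME_TOKEN']  # moved back to env\n"),
]


def head_is_clean(history):
    """What a scan of the working tree alone sees."""
    return not find_secrets(history[-1][2])


def scan_history(history):
    """What a history scan sees: every commit that ever contained the secret."""
    return [
        {"commit": sha, "path": path, "line": lineno, "secret": redacted}
        for sha, path, content in history
        for lineno, redacted in find_secrets(content)
    ]


if __name__ == "__main__":
    print("HEAD clean:", head_is_clean(HISTORY))
    for hit in scan_history(HISTORY):
        print("still exposed in history:", hit)
```

The working-tree check passes while the history scan still reports commit c0ffee2, which is the situation the history scan is meant to surface: removing the line does not revoke the credential, so the finding should stay open until the token is rotated.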

Alert Rules for Detecting Drift
With this release, for Drift Detection (Code Security > Projects), you can add alert rules that identify drift policy violations for the account groups and policies for which you want to receive alerts within your AWS and Azure cloud accounts. From the Prisma Cloud console (Alerts > Overview), you can access the alert summary and trace the origin of the drift using the yor_trace tag, viewable on Traceability (Alerts > Overview > Alert Count > Alert ID).


Projects Enhancements
Code Security > Projects on the Prisma Cloud console is enhanced to help you address security issues in your repositories more easily. It now groups scan results by resource and includes saved views with preset filters that provide contextualized scan results. Each view displays the policy violations for one code category so you can prioritize what to fix across all your onboarded repositories.
• Overview: A centralized view of all your scan results across all code categories, with automated solutions.
• IaC Misconfiguration: Scan results for security issues within resources; remediate the issue using automated solutions on the Prisma Cloud console.
• Vulnerabilities: Scan results for CVEs with severity levels and policy violations that may or may not have dependencies within your code. Remediate the issue by fixing the root or dependent versions automatically recommended on the console.
• Secrets: Scan results for package security with severity levels of the policy violations to remediate.
• License: Scan results for licensing when using open source in your code that may have a dependency.
• Build Integrity: Make informed decisions from the results of the scans in this category, which identify multiple owners for the same repositories on integrated platforms.
• VCS Pull Requests: A centralized view with automated solutions for all your scan results across open PRs.
• CI/CD Runs: A centralized view with automated solutions for all your scan results on runs of your integrated repositories.
You can also create multiple customized views from the default views or by defining a custom view. To access the capabilities of Projects, you need to enable the Enhanced view on Code Security > Projects.


Code Security Developer-Based Metering Plan
Prisma Cloud is introducing a new developer-based metering plan for Code Security. The plan introduces an a-la-carte model with three Code Security modules, each billed in credits per developer.
• Infrastructure as Code (IaC) Security: The module requires 3 credits per developer and helps you with security throughout the infrastructure lifecycle.
• Software Composition Analysis (SCA): The module requires 4 credits per developer and equips developers to find, prioritize, and fix security vulnerabilities and license compliance issues in open-source dependencies.
• Secrets Security: The module requires 1 credit per developer to scan all files and prevent exposure of API keys, passwords, certificates, tokens, and other sensitive secrets with high fidelity, using any of your VCS integrations.
For credit purposes within each module, a developer is a user who actively commits on Git, identified through a unique Git email address with a contribution history to any Git repository in the last 90 days. Enable one or more Code Security modules for an enhanced shift-left experience on the Prisma Cloud console (Settings > Code Security Configuration). You can always reconfigure your licensing configuration later.


Manage Network Tunnels for self-hosted version control systems (VCS)
Establish secure and managed access between your self-hosted version control systems (VCS) and Prisma Cloud using Transporter. After you configure a Transporter in your environment and authenticate it from Prisma Cloud, Transporter establishes a network tunnel over WebSocket over HTTPS. A single Transporter on Prisma Cloud can secure multiple VCS integrations, or you can use multiple Transporters. This feature is available on request.


Features Introduced in January 2023
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
January 2023.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• New Policies and Policy Updates
• Changes in Existing Behavior

New Features

FEATURE DESCRIPTION

Terraform Enterprise (Run Tasks)
Integrate Terraform Enterprise (Run Tasks) (Settings > Repositories > Add Repository > Terraform Enterprise Cloud (Run Tasks)) to seamlessly add policy-as-code checks to your Terraform pipelines for fully automated security guardrails, enabling you to collect feedback or directly block insecure deployments.


CVE Severity
CVEs with Moderate and Important severity are now mapped to Medium and High, respectively. With this change, if you have set the Enforcement threshold to Medium or above for detecting violations or failing the build for CVEs in your source code, the volume of violations will be higher than before.
For any VCS or CI/CD integration where hard fail is enforced for CVEs of Medium or higher severity, builds that passed earlier will now fail.

Terraform Cloud (Run Tasks)
With this release, for the Terraform Cloud (Run Tasks) (Settings > Repositories > Add Repository > Terraform Cloud (Run Tasks)) integration you can enable run task scans during the Pre-plan and Post-plan phases for selected or all workspaces. Using your preferred configuration, Prisma Cloud performs a run task scan on your selected (or all) workspaces before or after Terraform Cloud generates a plan.
This change does not impact your existing configuration. You can continue to review and manage the scan results on Projects (Code Security > Projects).

New Policies and Policy Updates

New Policy Description

New Configuration Build Policies
The following new build policies are available on the Prisma Cloud Code Security module:
• Cleartext credentials over unencrypted channel should not be accepted for the operation
• GCP Firewall with Inbound rule overly permissive to All Traffic
• Rules used could create a double pipeline
• Detect images within GitLab CI workflows
• Container job does not use a non latest version tag
• Pipeline image version is referenced via an arbitrary tag
• Pipeline uses mutable development orbs
• Pipeline uses unversioned volatile orbs
• Pipeline uses netcat with an IP address
• Pipeline uses run command that is vulnerable to shell injection
• Pipeline uses curl in a suspicious way
• Detect images within CircleCI workflows
• Container job does not use a non latest version tag
• Container job uses a version digest
• Set variable is marked as a secret
• RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
• Granting create permissions to nodes/proxy or pods/exec sub resources allows potential privilege escalation
• No ServiceAccount/Node should have impersonate permissions for groups/users/service-accounts
• ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
• No ServiceAccount/Node should be able to read all secrets
• GitHub branch protection does not dismiss stale reviews
• GitHub branch protection does not restrict who can dismiss a PR
• GitHub branch protection does not require code owner reviews
• GitHub branch protection does not require status checks
• GitHub branch protection does not require conversation resolution
• GitHub branch protection does not require push restrictions
• GitHub branch protection rules allow branch deletions
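The five Kubernetes RBAC policies in the list above all reduce to "does this Role or ClusterRole grant a verb on a resource that lets the subject become more than it is". The following Python example, added here and not Checkov or Prisma Cloud code, implements that evaluation over constructed Role/ClusterRole manifests (shown already parsed as dicts so no YAML library is needed), including wildcard rules. The way each policy name is mapped onto a verb/resource check is this example's reading of the names: in particular the "RoleBinding should not allow privilege escalation" policy is approximated here by the bind and escalate verbs on roles and clusterroles, and the finding texts are the example's own.

```python
"""Build-time checks for risky Kubernetes RBAC grants, in the spirit of the
RBAC policies listed above. Added example, not Checkov or Prisma Cloud code.
The Role/ClusterRole manifests are constructed and shown already parsed (as
dicts) so no YAML library is needed; the finding texts are this example's own.
"""


def _triples(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples."""
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield group, resource, verb


def grants(rules, resource, verb):
    """True if any rule grants verb on resource, treating '*' as matching everything."""
    return any(
        r in (resource, "*") and v in (verb, "*")
        for _, r, v in _triples(rules)
    )


def check_role(role):
    rules = role.get("rules", [])
    findings = []
    # Reading secrets in scope (namespace-wide for a Role, cluster-wide for a ClusterRole).
    if grants(rules, "secrets", "get") or grants(rules, "secrets", "list"):
        findings.append("can read secrets")
    # Sub-resources that give code execution in pods or proxying through the kubelet.
    for sub in ("pods/exec", "nodes/proxy"):
        if grants(rules, sub, "create"):
            findings.append(f"create on {sub} allows privilege escalation")
    # Impersonation lets the holder act as any user, group or service account it can name.
    for target in ("users", "groups", "serviceaccounts"):
        if grants(rules, target, "impersonate"):
            findings.append(f"can impersonate {target}")
    # Writing services/status is the CVE-2020-8554 vector named in the policy above.
    if grants(rules, "services/status", "update") or grants(rules, "services/status", "patch"):
        findings.append("can modify services/status")
    # bind/escalate on roles lets a subject grant itself more than it already holds
    # (this example's reading of the RoleBinding escalation policy).
    for res in ("roles", "clusterroles"):
        for verb in ("bind", "escalate"):
            if grants(rules, res, verb):
                findings.append(f"{verb} on {res} allows privilege escalation")
    return findings


def scan(roles):
    """Map each role name to its findings; an empty list means the role passed."""
    return {r["metadata"]["name"]: check_role(r) for r in roles}


# Constructed manifests.
ROLES = [
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]


if __name__ == "__main__":
    for name, findings in scan(ROLES).items():
        print(name, "PASS" if not findings else findings)
```

The wildcard handling matters in practice: a rule with resources ["*"] and verbs ["*"] never names pods/exec or impersonate explicitly, yet it grants both, so a check that only string-matches the literal resource names would pass the most dangerous role in the set.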

Addition of Build Checks to Existing Configuration Run Policies
The following configuration policies now include build-time checks. With this change, these policies check for both Run and Build configuration issues:
• AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
• AWS Cloudfront Distribution with S3 have Origin Access set to disabled
• AWS CloudFront web distribution with default SSL certificate
• AWS Config must record all possible resources
• AWS Config Recording is disabled
• AWS Database Migration Service endpoint do not have SSL configured
• AWS EC2 Instance IAM Role not enabled
• AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to disabled
• AWS route table with VPC peering overly permissive to all traffic
• AWS S3 buckets are accessible to any authenticated user
• GCP Cloud Function HTTP trigger is not secured
• GCP Firewall with Inbound rule overly permissive to All Traffic
• GCP GCR Container Vulnerability Scanning is disabled

Changes in Existing Behavior

FEATURE DESCRIPTION

Terraform Cloud Run Tasks
For Terraform Cloud Run Tasks, the Enforcement Settings for IaC scans were previously enforced only when you had enabled the Make Prisma Cloud's run tasks mandatory checkbox. That checkbox is now removed, to make this behavior consistent with the other VCS, IDE, and CI/CD pipeline integrations for Code Security.
Impact - If you have an existing Terraform Cloud Run Task integration on Prisma Cloud that was not set to mandatory, and have set the Enforcement Settings threshold for Hard Fail to anything other than Off (such as Low or above) for IaC Scan, the run tasks are now mandatory. Builds that were passing earlier will now fail when a violation above the severity threshold is detected in your IaC files.
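Three of the January and February 2023 items (the per-category Enforcement Thresholds, the CVE severity mapping, and this Terraform Cloud run task change) come down to one decision: normalise each finding's severity, compare it against the Soft Fail and Hard Fail threshold of its category, and treat a Hard Fail threshold other than Off as enforced. The following Python example, added here and not Prisma Cloud code, works through that decision on a constructed set of thresholds and findings, including a CVE whose vendor severity is "Moderate" and which therefore hard-fails a build whose Vulnerabilities threshold is Medium. The threshold values, finding ids and the field names are assumptions made for the example.

```python
"""Evaluate enforcement thresholds the way the notes describe: normalise CVE
severity words onto Prisma Cloud's scale, then compare each finding against the
per-category Soft Fail and Hard Fail thresholds. Added example, not Prisma Cloud
code; the thresholds, findings and finding ids below are constructed.
"""

LEVELS = ["Info", "Low", "Medium", "High", "Critical"]
RANK = {level: i for i, level in enumerate(LEVELS)}
OFF = "Off"  # a threshold of Off never triggers

# January 2023 change: vendor CVE severity words mapped onto the Prisma Cloud scale.
CVE_ALIASES = {"Moderate": "Medium", "Important": "High"}


def normalise(severity):
    return CVE_ALIASES.get(severity, severity)


def at_or_above(severity, threshold):
    return threshold != OFF and RANK[normalise(severity)] >= RANK[threshold]


def evaluate(findings, thresholds):
    """findings: [{id, category, severity}]; thresholds: {category: {soft, hard}}.
    A finding is tested against hard first; only if it misses hard can it count as soft."""
    hard, soft = [], []
    for f in findings:
        t = thresholds.get(f["category"], {"soft": OFF, "hard": OFF})
        if at_or_above(f["severity"], t["hard"]):
            hard.append(f)
        elif at_or_above(f["severity"], t["soft"]):
            soft.append(f)
    verdict = "hard_fail" if hard else "soft_fail" if soft else "pass"
    return {"verdict": verdict, "hard": hard, "soft": soft}


def run_task_is_mandatory(thresholds):
    """After the change described above, a Terraform Cloud run task is mandatory
    whenever the IaC Hard Fail threshold is anything other than Off."""
    return thresholds.get("IaC", {}).get("hard", OFF) != OFF


THRESHOLDS = {
    "IaC":             {"soft": "Low",    "hard": "High"},
    "Vulnerabilities": {"soft": "Medium", "hard": "Medium"},
    "Secrets":         {"soft": "Low",    "hard": OFF},
}

FINDINGS = [
    {"id": "iac-1",  "category": "IaC",             "severity": "Medium"},
    {"id": "vuln-1", "category": "Vulnerabilities", "severity": "Moderate"},  # now treated as Medium
    {"id": "sec-1",  "category": "Secrets",         "severity": "High"},
]


if __name__ == "__main__":
    result = evaluate(FINDINGS, THRESHOLDS)
    print("verdict:", result["verdict"], "hard:", [f["id"] for f in result["hard"]])
    print("run task mandatory:", run_task_is_mandatory(THRESHOLDS))
```

Raising the Vulnerabilities Hard Fail threshold to High turns the same run into a soft fail, which is the knob to reach for if the severity mapping change starts failing builds that were previously passing and the team needs time to remediate.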


Features Introduced in 2022—Code Security
Stay informed on the new capabilities and policies added to Prisma Cloud Code Security in 2022.
The following topic provides a snapshot of new features introduced for Code Security on Prisma
Cloud.
• Features Introduced in December 2022
• Features Introduced in September 2022
• Features Introduced in August 2022
• Features Introduced in July 2022
• Features Introduced in June 2022
• Features Introduced in May 2022
• Features Introduced in April 2022
• Features Introduced in March 2022
• Features Introduced in January 2022

Features Introduced in December 2022
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
December 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Policies and Policy Updates

New Policies and Policy Updates

New Policy Description

New Configuration Build Policies
The following new build policy is available on the Prisma Cloud Code Security module:
• AWS Security Group allows all traffic on all ports

Features Introduced in September 2022
Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
September 2022.


The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• New Policies and Policy Updates
• Changes in Existing Behavior
• REST API Updates

New Features

Feature Description

Software Composition Analysis (SCA)
Software Composition Analysis (SCA) enables you to continuously scan the open source packages defined in your source code. The scan lets you find and fix vulnerabilities in code and identify license violations earlier in the development lifecycle, so that you can address risks in a timely manner. The scan runs across all integrations of repositories, IDEs and CI/CD pipelines to give you:
• Contextual information in the form of a Bill of Materials or Software Bill of Materials (SBOM), an inventory of all open source packages and third-party components your source code uses (Code Security > Development Pipelines).
• Visualization of direct and transitive dependencies between open source packages, to help you identify vulnerabilities outside the root dependency (Code Security > Supply Chain).
• Information to identify potential software license violations and manually fix or suppress the issue (Code Security > Projects).
• A list of vulnerabilities identified in open source packages that you can either suppress or directly fix in code (Code Security > Projects).

Prisma™ Cloud Release Notes 695 ©2023 Palo Alto Networks, Inc.
Prisma Cloud Code Security Release Information

New Policies and Policy Updates

New Configuration Build Policies
New build policies are available on the Prisma Cloud Code Security module for the following
categories:
• General - 123 policies
• IAM - 12 policies
• Networking - 34 policies
• Build Integrity - 18 policies
• Secrets - 57 policies
• Kubernetes - 13 policies
• Logging - 4 policies
• Public - 1 policy

Addition of Build Checks to Existing Configuration Run Policies
The following configuration policies now include build-time checks. With this change, these
policies check for both Run and Build configuration issues:
• AWS CloudTrail logging is disabled
• AWS Lambda function URLs AuthType is not defined
• AWS RDS PostgreSQL instances use a vulnerable version of log_fdw extension
• AWS SSM Parameter is not encrypted
• Azure ACR is set to enable public networking
• Azure Function app does not use the latest version of TLS encryption
• GCP compute firewall ingress allow unrestricted MySQL access
• GCP Private Google Access is not enabled for IPV6
• GCP Google compute firewall ingress allow unrestricted HTTP port 80 access
• GCP Google compute firewall ingress allow unrestricted FTP access
• OCI security list allows ingress from 0.0.0.0/0 to port 3389
• OCI security groups rules allows ingress from 0.0.0.0/0 to port 22
• OCI security list allows ingress from 0.0.0.0/0 to port 22
• OCI security group does not have stateless ingress security rules

Build Policy Updates-Metadata
The --anonymous-auth argument is not set to False
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Name— The --anonymous-auth argument is not set to False
• Updated Name— The --anonymous-auth argument is not set to False for Kubelet
Impact— No impact on alerts.

The --authorization-mode argument is set to AlwaysAllow
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Name— The --authorization-mode argument is set to AlwaysAllow
• Updated Name— The --authorization-mode argument is set to AlwaysAllow for API server
Impact— No impact on alerts.

The --profiling argument is not set to False
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Name— The --profiling argument is not set to False
• Updated Name— The --profiling argument is not set to False for scheduler
Impact— No impact on alerts.

The --tls-cert-file and --tls-private-key-file arguments are not set appropriately
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Name— The --tls-cert-file and --tls-private-key-file arguments are not set
appropriately
• Updated Name— The --tls-cert-file and --tls-private-key-file arguments for API server are
not set appropriately
Impact— No impact on alerts.

securityContext is not applied to pods and contianers
Changes— The policy name has been updated to fix the typo.
• Current Name— securityContext is not applied to pods and contianers
• Updated Name— securityContext is not applied to pods and containers
Impact— No impact on alerts.

Repository is not Private
Changes— The policy name and description have been updated as follows:
• Current Name— Repository is not Private
• Updated Name— GitHub repository is not Private
• Current Description— Ensure Repository is Private
• Updated Description— Ensure GitHub repository is private

Changes in Existing Behavior

Code Editor for Build Policies
With this release, you can Test your YAML policy template when creating a rule for a custom
policy in build-time checks (Policies > Add Policy > Config). Additionally, information such as
Name and Severity will not be displayed in the existing example YAML policy template on the
console. However, this information will still be visible in your YAML code file, for example in
your VCS.
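As an added illustration (not Prisma Cloud or Checkov code) of what a build-time check such as the AWS Security Group allows all traffic on all ports policy introduced above evaluates, and of the metadata block a custom YAML policy template carries, here is a stand-alone Python check that runs over constructed Terraform-style resource dicts; the resource shape, the metadata values and the sample data are assumptions.

```python
"""Stand-alone model of a build-time IaC check.

Added example, not Prisma Cloud or Checkov code. It mirrors the intent of the
"AWS Security Group allows all traffic on all ports" build policy against
Terraform resources that have already been parsed into dicts. The resource
shape (type / name / values) and the sample data are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Mirrors the metadata block a custom build policy YAML template carries
# (name, category, severity, guidelines); the values here are constructed.
POLICY_METADATA = {
    "name": "AWS Security Group allows all traffic on all ports",
    "category": "networking",
    "severity": "high",
    "guidelines": "Limit ingress to the protocols, ports and sources the workload needs.",
}

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ALL_PROTOCOLS = {"-1", "all"}   # Terraform spellings for "every protocol"


@dataclass(frozen=True)
class Finding:
    resource: str   # Terraform address, e.g. "aws_security_group.bastion"
    severity: str
    reason: str


def _as_list(value: Any) -> List[Any]:
    """HCL attributes may arrive as a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rule_is_world_reachable(rule: Dict[str, Any]) -> bool:
    """Source covers the whole internet over IPv4 or IPv6."""
    return (ANY_IPV4 in _as_list(rule.get("cidr_blocks"))
            or ANY_IPV6 in _as_list(rule.get("ipv6_cidr_blocks")))


def rule_is_all_traffic(rule: Dict[str, Any]) -> bool:
    """Protocol -1 / all means every protocol on every port. Terraform
    requires from_port and to_port to be 0 with it, so ports are not checked."""
    return str(rule.get("protocol", "")).lower() in ALL_PROTOCOLS


def scan_resource(resource: Dict[str, Any]) -> List[Finding]:
    """Return one finding per offending ingress rule on a single resource.

    Covers inline `ingress` blocks on aws_security_group and stand-alone
    aws_security_group_rule resources of type "ingress"; other resource
    types are outside the policy's scope.
    """
    rtype, values = resource["type"], resource.get("values", {})
    address = f"{rtype}.{resource['name']}"
    if rtype == "aws_security_group":
        rules = _as_list(values.get("ingress"))
    elif rtype == "aws_security_group_rule" and values.get("type") == "ingress":
        rules = [values]
    else:
        return []
    return [
        Finding(address, POLICY_METADATA["severity"],
                "ingress from 0.0.0.0/0 or ::/0 with protocol -1 (all traffic, all ports)")
        for rule in rules
        if rule_is_world_reachable(rule) and rule_is_all_traffic(rule)
    ]


def scan(resources: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Run the check over every resource of a parsed template."""
    findings: List[Finding] = []
    for resource in resources:
        findings.extend(scan_resource(resource))
    return findings


# Constructed sample template: one SG open to the world on all traffic, one SG
# that only exposes 443 publicly, one open rule resource, one unrelated resource.
SAMPLE_RESOURCES = [
    {"type": "aws_security_group", "name": "bastion", "values": {"ingress": [
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "web", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_security_group_rule", "name": "legacy", "values": {
        "type": "ingress", "protocol": "all", "ipv6_cidr_blocks": "::/0"}},
    {"type": "aws_s3_bucket", "name": "logs", "values": {}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESOURCES):
        print(f"FAILED [{finding.severity}] {POLICY_METADATA['name']}: "
              f"{finding.resource} ({finding.reason})")
```

Only the bastion group and the legacy rule fail: the web group exposes a single port publicly and its all-traffic rule is limited to a private range, so neither rule matches both conditions at once.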

REST API Updates

Prisma Cloud Code Security
The following new APIs are available for Code Security. They allow you to retrieve code
review and integrated VCS repository metadata, the list of resources affected by a
suppression, the BOM report and Checkov version details, single repository and tag rule
details, and enforcement rules:
• BOMReport
• CheckovVersion
• PackagesAlerts
• Rules
• Repository
• DevelopmentPipeline
• TagRules: Returns the tag rule by OOTB ID

Features Introduced in August 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
August 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features

New Features

Software Bill of Materials
Prisma Cloud can now generate a software bill of materials (SBOM), in both CycloneDX and
CSV formats, that includes open source packages, container images, and infrastructure as
code (IaC) resources that are passing and failing policy checks. In addition to a full
inventory of components, an SBOM also includes vulnerabilities, misconfigurations, and
known licenses for dependencies.

Multiple Token Support for Azure Repos
The Azure Repos integration (Settings > Repositories > Add Repositories > Azure Repos) on
the Prisma Cloud console now also supports multiple OAuth tokens. You can onboard multiple
organizations from the same Azure Repos account (using a single user token), or enable
multiple tokens to onboard multiple organizations associated with the same Azure Repos
account or with different accounts.
You can also reconfigure security scans for existing user tokens by reselecting
repositories, add more organizations using the same authorization workflow, and revoke
OAuth user tokens to delete a user token.

Resource Explorer Enhancements
Resource Explorer has four tabs that give you a contextualized understanding of a resource
from code to cloud. Accessible on Code Security > Projects and Code Security > Supply Chain,
each tab gives you specific resource metadata:
• Details: Helps you understand the connections between resources so that you can make an
informed decision on whether a connection is a risk or is necessary.
• Errors: Enables you to review security violations against the severity threshold for
packages and use the information to either suppress or prioritize them.
• History: Provides detailed information about a resource, including suppressions, change
logs, and fixes.
• Traceability: Enables you to explore connections between build-time and runtime
resources.
Currently, History and Traceability details are available for IaC resources only, and Errors
are available for packages only.

Drift Detection for CloudFormation
Prisma Cloud now automatically detects and remediates drift between CloudFormation
templates and AWS runtime environments. This enhancement augments the existing ability to
identify drift for resources deployed using Terraform on AWS.
From the Prisma Cloud console, you can also Fix Drift: take the manual changes that were
made to the cloud resource and apply them as code in a pull request back to the
CloudFormation template.

Usability Enhancements for Customizing Build Policy
For the default Prisma Cloud Configuration policies of subtype Build, you can now clone the
policy and modify the name or severity level.
Further, when you use the code editor to create a custom build policy, the metadata includes
an auto-completion list with only the relevant options.

New Configuration Build Policies
The following new build policies are available on the Prisma Cloud Code Security module:
• Non-compliant license type has been found on your open source packages
• An unknown license type has been found among your open source package licenses

Features Introduced in July 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July
2022.


The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• REST API Updates

New Features

Development Pipelines
Development Pipelines provides a bird’s-eye view of your onboarded repositories and the
latest scan results across all VCS and CI/CD integrations.
This summary view (Code Security > Development Pipelines) enables you to home in on what
matters most to you:
• Focus on VCS repositories with the highest rate of failed pull or merge requests.
• Review VCS repositories with the highest activity, based on active git users who committed
changes to the default branch weekly and over the last 90 days.
• Assess the most recent code reviews that triggered scans with the largest number of
critical alerts and failures.
• Scan the results for the last 1000 code scans across all integrations.
• Define enforcement rules that determine your quality criteria for all scans within a
repository.

New Configuration Build Policies
The following new build policies will be available on the Prisma Cloud Code Security module:
• GitHub Actions ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
• GitHub Actions Run commands are vulnerable to shell injection
• GitHub Actions curl is being used with secrets
• GitHub Actions Netcat is being used with IP address
• OpenAPI Security Definitions Object should be set and not empty
• OpenAPI If the security scheme is not of type 'oauth2', the array value must be empty
• OpenAPI Security object needs to have defined rules in its array and rules should be
defined in the securityScheme
• OpenAPI Security object for operations, if defined, must define a security scheme,
otherwise it should be considered an error
• OpenAPI Security requirement not defined in the security definitions
• Traced Azure resources are manually modified
• Alibaba Cloud OSS bucket has transfer Acceleration disabled
• Alibaba Cloud OSS bucket is not encrypted with Customer Master Key
• Alibaba Cloud OSS bucket has versioning disabled
• Alibaba Cloud Disk is not encrypted with Customer Master Key
• Alibaba Cloud database instance accessible to public
• Alibaba Cloud RAM password policy maximal login attempts is more than 4
• Alibaba Cloud RAM password policy does not prevent password reuse
• Alibaba Cloud RAM password policy does not expire in 90 days
• Alibaba Cloud Kubernetes does not install plugin Terway or Flannel to support standard
policies
• Alibaba Cloud Transparent Data Encryption is disabled on instance
• Alibaba Cloud OSS bucket has access logging enabled
• Alibaba Cloud RDS Instance SQL Collector Retention Period is less than 180
• Alibaba Cloud Action Trail Logging is not enabled for all regions
• Alibaba Cloud Action Trail Logging is not enabled for all events
• Alibaba Cloud RDS instance does not use SSL
• Alibaba Cloud API Gateway API Protocol does not use HTTPS

Updates to Existing Configuration Run Policies
The following new Build policies will be added to the existing Configuration Run policies:
• Alibaba Cloud OSS bucket accessible to public
• Alibaba Cloud disk encryption is disabled
• Alibaba Cloud RAM password policy does not have an uppercase character
• Alibaba Cloud RAM password policy does not have a number
• Alibaba Cloud RAM password policy does not have a minimum of 14 characters
• Alibaba Cloud RAM password policy does not have a symbol
• Alibaba Cloud RAM password policy does not expire in 90 days
• Alibaba Cloud RAM password policy does not have a lowercase character
• Alibaba Cloud Security group allow internet traffic to RDP port (3389)
• Alibaba Cloud Security group allow internet traffic to SSH port (22)

Policy Deletions
The Google storage buckets are not encrypted policy will be deleted from Prisma Cloud.
Applies only if you have enabled the Code Security subscription on Prisma Cloud.
Impact— No impact on alerts.

REST API Updates

New API Endpoints for Code Security
The following new API endpoints are available for Prisma Cloud Code Security to fix code
errors, set policies and tag rules, search repositories, remediate issues, and handle
vulnerabilities:
• POST /code/api/v1/errors/supply-chain-fix
• GET /code/api/v1/errors/files/{uuid}
• POST /code/api/v1/policies/definition/{queryId}
• POST /code/api/v1/policies
• GET /code/api/v1/policies/table/data
• POST /code/api/v1/policies/{policyId}
• DELETE /code/api/v1/policies/{policyId}
• POST /code/api/v1/policies/preview
• POST /code/api/v1/policies/clone/{policyId}
• POST /code/api/v1/remediations/buildtime
• GET /code/api/v1/remediations/buildtime/{fixId}
• GET /code/api/v1/remediations/buildtime/baseFile/(unknown)
• GET /code/api/v1/repositories/search
• POST /code/api/v1/supply-chain/nodes
• GET /code/api/v1/tag-rules
• POST /code/api/v1/tag-rules
• GET /code/api/v1/tag-rules/{tagRuleId}
• PUT /code/api/v1/tag-rules/{tagRuleId}
• DELETE /code/api/v1/tag-rules/{tagRuleId}
• POST /code/api/v1/tag-rules/affected-resources
• GET /code/api/v1/vulnerabilities/packages/files/{fileMetadataId}
• GET /code/api/v1/vulnerabilities/packages/{packageUuid}/direct-sub-dependencies
• GET /code/api/v1/vulnerabilities/packages/{packageUuid}
• POST /code/api/v1/vulnerabilities/packages/license-violations
• POST /code/api/v1/vulnerabilities/packages/search
• GET /code/api/v1/vulnerabilities/packages/{packageUuid}/cves
See also Code Security API.

Features Introduced in June 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
June 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.
• New Features
• Changes in Existing Behavior

New Features

Enforcement Thresholds and Scope
Enforcement enables you to define the thresholds for reducing unnecessary noise in your
code reviews and focusing on the most critical issues across the following categories —
Open Source (SCA), Infrastructure as Code (IaC), Secrets, Container Images, and Build
Integrity.
Based on best-practice guidelines, Prisma Cloud provides default enforcement settings. If
you had previously configured any rules on Settings > Code Security Configuration, these
are migrated as your thresholds and scope for enforcement.
To modify the enforcement configuration (Code Security > Projects > More Actions >
Enforcement) for all repositories that you are monitoring using Prisma Cloud, you must
specify the severity —Critical, High, Medium and Low— of policy violations for which you
want to soft fail, hard fail, or enable bot comments to suggest fixes where available. You
can also add exceptions for one or more repositories where you need a more stringent or
more lenient approach to enforcement.
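To make the soft fail, hard fail and bot comment thresholds and the repository exceptions concrete, here is an added Python model (not Prisma Cloud code) that decides a scan outcome from per-category severity thresholds; the default thresholds, repository names and findings are constructed, not the product's defaults.

```python
"""Model of enforcement thresholds and repository exceptions.

Added example, not Prisma Cloud code: it shows how per-category severity
thresholds for bot comments, soft fail and hard fail, plus a per-repository
exception, can decide the outcome of a code scan. The threshold values,
repository names and findings are constructed, not the product's defaults.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Thresholds:
    """Lowest severity that triggers each action; None disables the action."""
    comments: Optional[str]
    soft_fail: Optional[str]
    hard_fail: Optional[str]


@dataclass(frozen=True)
class Finding:
    category: str   # one of sca, iac, secrets, container_images, build_integrity
    severity: str
    policy: str


def meets(severity: str, threshold: Optional[str]) -> bool:
    """True when a finding's severity reaches the configured threshold."""
    return threshold is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]


def evaluate(findings: Sequence[Finding], repo: str,
             defaults: Dict[str, Thresholds],
             exceptions: Dict[str, Dict[str, Thresholds]]) -> Tuple[str, List[str]]:
    """Decide the scan outcome for one repository.

    Returns ("hard_fail" | "soft_fail" | "pass", policies to comment on).
    Hard fail blocks the pull request or pipeline, soft fail reports without
    blocking. A repository exception replaces the default thresholds only
    for the categories it lists; other categories keep the defaults.
    """
    overrides = exceptions.get(repo, {})
    outcome = "pass"
    to_comment: List[str] = []
    for f in findings:
        t = overrides.get(f.category, defaults[f.category])
        if meets(f.severity, t.hard_fail):
            outcome = "hard_fail"
        elif meets(f.severity, t.soft_fail) and outcome == "pass":
            outcome = "soft_fail"
        if meets(f.severity, t.comments):
            to_comment.append(f.policy)
    return outcome, to_comment


# Constructed defaults covering the five enforcement categories; secrets are
# treated more strictly than the others.
DEFAULT_THRESHOLDS = {
    "sca": Thresholds(comments="medium", soft_fail="high", hard_fail="critical"),
    "iac": Thresholds(comments="low", soft_fail="medium", hard_fail="critical"),
    "secrets": Thresholds(comments="low", soft_fail="low", hard_fail="high"),
    "container_images": Thresholds(comments="medium", soft_fail="high", hard_fail="critical"),
    "build_integrity": Thresholds(comments="medium", soft_fail="high", hard_fail=None),
}

# Constructed exception: a payments repository hard-fails on high IaC findings.
REPO_EXCEPTIONS = {
    "payments-api": {"iac": Thresholds(comments="low", soft_fail="low", hard_fail="high")},
}

# Constructed findings; the IaC policy name is one from these release notes.
SAMPLE_FINDINGS = [
    Finding("iac", "high", "AWS Security Group allows all traffic on all ports"),
    Finding("sca", "medium", "constructed: vulnerable transitive package"),
    Finding("build_integrity", "critical", "constructed: unpinned CI action"),
]

if __name__ == "__main__":
    for repo in ("web-frontend", "payments-api"):
        outcome, comments = evaluate(SAMPLE_FINDINGS, repo, DEFAULT_THRESHOLDS, REPO_EXCEPTIONS)
        print(f"{repo}: {outcome}; bot comments on {len(comments)} finding(s)")
```

The same three findings soft-fail the default repository but hard-fail payments-api, because its exception lowers the IaC hard-fail threshold to High.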

Terraform Cloud (Run Tasks)
Integrate Terraform Cloud (Run Tasks) (Settings > Add Repositories > Terraform Cloud (Run
Tasks)) to seamlessly add policy-as-code checks to your Terraform pipelines for completely
automated security guardrails, enabling you to collect feedback or directly block insecure
deployments.

New Configuration Build Policies
The following new build policies are available on the Prisma Cloud Code Security module:
• OCI private keys are hard coded in the provider
• OpenStack hard coded password, token, or application_credential_secret exists in provider
• OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
• OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
• Kubernetes ClusterRoles that grant control over validating or mutating admission webhook
configurations are not minimized
• Kubernetes ClusterRoles that grant permissions to approve CertificateSigningRequests are
not minimized
• Kubernetes Roles and ClusterRoles that grant permissions to bind RoleBindings or
ClusterRoleBindings are not minimized
• Kubernetes Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole
are not minimized
• AWS Lambda encryption settings environmental variable is not set properly
• Provisioned resources are manually modified
• Traced AWS resources are manually modified

Updates to Existing Configuration Run Policies
The following new Build policies are added to the existing Configuration Run policies:
• OCI Block Storage Block Volume does not have backup enabled
• OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
• OCI Compute Instance boot volume has in-transit data encryption disabled
• OCI Compute Instance has Legacy MetaData service endpoint enabled
• OCI Compute Instance has monitoring disabled
• OCI Object Storage bucket does not emit object events
• OCI Object Storage Bucket has object Versioning disabled
• OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
• OCI Object Storage bucket is publicly accessible
• OCI IAM password policy for local (non-federated) users does not have a lowercase character
• OCI IAM password policy for local (non-federated) users does not have a number
• OCI IAM password policy for local (non-federated) users does not have a symbol
• OCI IAM password policy for local (non-federated) users does not have an uppercase
character
• OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK)
• OCI VCN has no inbound security list
• OCI VCN Security list has stateful security rules
• OCI IAM password policy for local (non-federated) users does not have minimum 14
characters

Build Policy Updates-Metadata
AWS access keys and secrets are hard coded in infrastructure
Changes— The cloud type for this policy is updated from ANY to AWS.
Impact— No impact on alerts.

Azure Storage Account Access Keys
Changes— The cloud type for this policy is updated from ANY to Azure.
Impact— No impact on alerts.

GCP resources that support labels do not have labels
Changes— The cloud type for this policy is updated from ANY to GCP.
Impact— No impact on alerts.

AWS S3 Bucket BlockPublicPolicy is set to True
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Policy Name— AWS S3 Bucket BlockPublicPolicy is set to True
• Updated Policy Name— AWS S3 Bucket BlockPublicPolicy is not set to True
Impact— No impact on alerts.

AWS S3 bucket IgnorePublicAcls is set to True
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Policy Name— AWS S3 bucket IgnorePublicAcls is set to True
• Updated Policy Name— AWS S3 bucket IgnorePublicAcls is not set to True
Impact— No impact on alerts.

AWS S3 bucket RestrictPublicBucket is set to True
Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines.
• Current Policy Name— AWS S3 bucket RestrictPublicBucket is set to True
• Updated Policy Name— AWS S3 bucket RestrictPublicBucket is not set to True
Impact— No impact on alerts.

S3 bucket MFA Delete is not enabled
Changes— The policy description and recommendation details have been updated to describe
the policy better.
Updated Description— Ensure S3 bucket MFA Delete is enabled.
Impact— No impact on alerts.

AWS IAM policies that allow full administrative privileges are created
Changes— The severity level for this policy is updated from Critical to Low.
Impact— No impact on alerts.

Lambda function’s environment variables expose secrets
Changes— The severity level for this policy is updated from High to Medium.
Impact— No impact on alerts.

SQS queue policy is public and access is not restricted to specific services or principals
Changes— The severity level for this policy is updated from Medium to High.
Impact— No impact on alerts.

Policy Deletions
The following build policies are deleted from Prisma Cloud. Applies only if you have enabled
the Code Security subscription on Prisma Cloud.
• Secret Keyword
• Redshift clusters do not have AWS Backup’s backup plan
• A retention period of less than 90 days is not specified
• Secure transfer required is not enabled
Impact— No impact on alerts.

Changes in Existing Behavior

Code Reviews and Pull Request Bot Comments for Code Security Configuration
With this release, new Enforcement options are available for code reviews. With the
enhancement, the ability to configure Code Reviews and Pull Request Bot Comments is no
longer part of the Code Security Configuration on Settings > Code Security Configuration.
Instead, these capabilities are now available as a part of Enforcement on Code Security >
Projects > More Actions > Enforcement.
This change does not impact your existing configuration. All your existing configurations
are migrated over as Enforcement settings. You can review and manage the enforcement
thresholds and exceptions from Code Security > Projects > More Actions > Enforcement.

Features Introduced in May 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
May 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.

Drift Detection
In addition to continuously scanning your repositories and viewing results directly on the
Prisma Cloud administrative console, you can now view the results for drift detection in
your repositories (Code Security > Projects). Drifts are inconsistencies in configuration
that occur when deployed resources are modified locally or manually using the CLI or
console, and these divergences from the IaC templates are not recorded or tracked. Prisma
Cloud enables you to identify drift for resources deployed using Terraform on AWS, and take
corrective action to eliminate divergence from code for resources that are running.
You can take action directly from the Prisma Cloud console to address drift. You can either
suppress drift by reverting the change on the running resource from the Prisma Cloud
console, or fix drift by directly updating the template in your source code repository to
match the configuration on the running resource. For example, to add the manual changes
implemented on a resource block for a resource deployed on AWS, you can Fix Drift to raise
a PR and ensure that the code (template) is in sync with your deployed resource.

Features Introduced in April 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
April 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.

Code Editor for Build Policies
When creating a custom policy for build-time checks, you can now use a Code Editor to build
a custom YAML policy template. The Code Editor is the default view when you create a rule in
a Configuration build policy (Policies > Add Policy > Config), and an example YAML policy
template is available on the Prisma Cloud console.

Features Introduced in March 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
March 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These
capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code)
model and enforce security throughout the build lifecycle.

IaC Tag and Trace
Use the tagging capability to manage resource tags in the most cost- and time-efficient
manner, and trace drift in configuration. Tracing helps you identify what has changed and
where, so that you can keep cloud configurations synchronized with IaC templates.
Using Yor, an auto-tagging tool, all runtime resources are scanned, and for every
non-compliant resource, Yor automatically creates a PR (Pull Request) in the repository for
you to review. You can then manage a list of tags and tag rules for your IaC infrastructure
on Code Security > Projects > Manage Tags to enable or disable auto-created tags from Yor
(yor_trace), manage out-of-the-box tags and custom tags, edit, clone, and delete custom
tags, or add a new tag and a tag rule.
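The yor_trace tag is what lets a scanner pair a deployed resource with its template block and compare the two, which is the basis of the drift detection, Fix Drift and drift suppression described for May 2022 above. Here is an added Python model of that pairing and comparison (not Prisma Cloud or Yor code); the resource shapes, trace values and sample data are constructed.

```python
"""Model of tag-based tracing and drift detection.

Added example, not Prisma Cloud or Yor code. Yor stamps each IaC resource
with a `yor_trace` tag; when the same tag value shows up on the deployed
resource, a scanner can pair runtime state with the template block and diff
the two. The resource shapes, trace values and sample data are constructed.
"""
from typing import Any, Dict, List, Tuple

TRACE_TAG = "yor_trace"
Resource = Dict[str, Any]           # {"address": str, "attributes": {...}}
Drift = Dict[str, Tuple[Any, Any]]  # attribute -> (value in code, value at runtime)


def index_by_trace(resources: List[Resource]) -> Dict[str, Resource]:
    """Map yor_trace value -> resource; untagged resources cannot be traced."""
    indexed: Dict[str, Resource] = {}
    for res in resources:
        trace = res.get("attributes", {}).get("tags", {}).get(TRACE_TAG)
        if trace:
            indexed[trace] = res
    return indexed


def detect_drift(iac: List[Resource], runtime: List[Resource],
                 ignore: Tuple[str, ...] = ("tags",)) -> Dict[str, Drift]:
    """Return {code address: drift} for traced pairs whose attributes differ.

    Attributes that exist on only one side count as drift too (value None on
    the other side). Tags are ignored by default because tagging tools and
    cloud consoles add tags the template never declared.
    """
    live_by_trace = index_by_trace(runtime)
    drifts: Dict[str, Drift] = {}
    for trace, code_res in index_by_trace(iac).items():
        live = live_by_trace.get(trace)
        if live is None:
            continue  # not deployed yet, or untagged at runtime: nothing to compare
        code_attrs, live_attrs = code_res["attributes"], live["attributes"]
        diff: Drift = {}
        for key in sorted(set(code_attrs) | set(live_attrs)):
            if key in ignore:
                continue
            if code_attrs.get(key) != live_attrs.get(key):
                diff[key] = (code_attrs.get(key), live_attrs.get(key))
        if diff:
            drifts[code_res["address"]] = diff
    return drifts


def fix_drift(code_res: Resource, drift: Drift) -> Resource:
    """Implements "Fix Drift": return the template block updated to the
    runtime values, i.e. the content a generated pull request would carry."""
    updated = dict(code_res["attributes"])
    for key, (_, live_value) in drift.items():
        if live_value is None:
            updated.pop(key, None)   # attribute was removed at runtime
        else:
            updated[key] = live_value
    return {**code_res, "attributes": updated}


def revert_plan(drift: Drift) -> Dict[str, Any]:
    """Suppressing drift: the attribute values to restore on the running
    resource so that it matches the template again."""
    return {key: code_value for key, (code_value, _) in drift.items()}


# Constructed sample: one bucket whose ACL was changed by hand in the console,
# one bucket that matches its template, and one template block not yet deployed.
IAC_RESOURCES = [
    {"address": "aws_s3_bucket.logs", "attributes": {
        "acl": "private", "versioning": True,
        "tags": {TRACE_TAG: "00000000-0000-4000-8000-000000000001"}}},
    {"address": "aws_s3_bucket.assets", "attributes": {
        "acl": "private", "versioning": False,
        "tags": {TRACE_TAG: "00000000-0000-4000-8000-000000000002"}}},
    {"address": "aws_s3_bucket.pending", "attributes": {
        "acl": "private", "tags": {TRACE_TAG: "00000000-0000-4000-8000-000000000003"}}},
]
RUNTIME_RESOURCES = [
    {"address": "arn:aws:s3:::constructed-logs", "attributes": {
        "acl": "public-read", "versioning": True,
        "tags": {TRACE_TAG: "00000000-0000-4000-8000-000000000001", "Owner": "ops"}}},
    {"address": "arn:aws:s3:::constructed-assets", "attributes": {
        "acl": "private", "versioning": False,
        "tags": {TRACE_TAG: "00000000-0000-4000-8000-000000000002"}}},
]

if __name__ == "__main__":
    for address, drift in detect_drift(IAC_RESOURCES, RUNTIME_RESOURCES).items():
        print(address, "drifted:", drift, "-> revert with", revert_plan(drift))
```

Only the logs bucket is reported: the assets bucket matches its template, the extra Owner tag is ignored, and the pending block has no runtime counterpart to compare against.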

Supply Chain Security
To help you assess and mitigate the risks in your supply chain, Code Security > Supply Chain
provides a view into how your IaC templates and application security are connected. The
dashboard maps all of the components and processes of your software supply chain to help
you understand the threat surface, identify the risk chains, and show you where you need to
focus your security efforts.
The new supply chain graph leverages a new data model that uses data from the current
scanner findings to provide you with real-time discovery of potential misconfigurations and
of where vulnerabilities exist, both in code and in deployed resources. The graph helps you
visualize the files, resources, and pipeline components that make up your code and
ultimately your cloud environments.

Code Security API
The Prisma Cloud Code Security API is now available. This API enables you to:
• Initiate Code Security scans of repositories you’ve added to Prisma Cloud
• View the repositories you’ve connected to Code Security
• Manage Code Security suppression rules
• Fix or suppress Code Security policy violations

Features Introduced in January 2022


Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in
January 2022.
The all-new Cloud Code Security module is here for Prisma Cloud Enterprise Edition! With Code
Security capabilities, agile teams can add security checks to their existing IaC (Infrastructure-as-
Code) model, ensuring security throughout the build lifecycle.

IaC Security in Git Repositories, CI/CD and IDEs
Integrate GitHub, GitLab, BitBucket and Azure repositories natively with the Prisma Cloud
platform for IaC Security. SaaS as well as on-premise versions of Git solutions, such as
GitHub server and GitHub cloud, are supported.

Visibility and Remediation
In addition to continuously scanning your Git repositories and viewing results directly on
the Prisma Cloud administrative console, you can export the results to different SIEM tools
to support your workflows.
You can also remediate and suppress issues through Pull Request (PR) automation workflows
in the Prisma Cloud administrative console as well as with special syntax in the actual IaC
code. For example, you can add a commented annotation in your source code to suppress
findings in IaC files.

Unified Policies for Build-Time and Run-Time Checks
The out-of-the-box build policies on Prisma Cloud have been updated to include all IaC
Security related policies from Bridgecrew. The names and descriptions of the Bridgecrew
policies integrated on Prisma Cloud have been updated to be consistent with the platform.

New Developer Role With Granular Repository Access
Use the new Developer role to enable developer-centric experiences on the Prisma Cloud
platform and foster collaboration between developers and SecOps. You can also manage access
to Git repositories and restrict access to IaC scan results from specified repos and for
selected users only.

Look Ahead—Planned Updates on Prisma Cloud Code Security
Review any deprecation notices and policy changes planned in the next Prisma Cloud Code
Security release.
Read this section to learn about what is planned in the upcoming release. The Look Ahead
announcements are for an upcoming or next release and are not a cumulative list of all
announcements.

The details and functionality listed below are a preview and the actual release date is
subject to change.

• Changes in Existing Behavior
• Policy Updates
• Deprecation Notices

Changes in Existing Behavior

Code Security has a New Name
Starting with 23.8.3, Cloud Application Security is the new name for the combination of the
Cloud Code Security capabilities and the newly introduced CI/CD Security module. CI/CD
Security is available as a standard a-la-carte option or as an add-on with the Prisma Cloud
Runtime Security Foundations or Advanced bundles.
Owing to the name change, the path to Projects, Development Pipelines and Supply Chain will
now be Application Security instead of Code Security on the Prisma Cloud administrative
console. The change does not impact any existing workflows for scanning and fixing issues.

New Policies for Cloud Application Security (previously Cloud Code Security)
Starting with the 23.8.1 release, 125 new Config policies of subtype Build that enable the
detection of CI/CD security risks will be enabled by default and available on the Policies
page. With the release, the Code Security capabilities are being renamed Application
Security, and CI/CD Security will also be introduced.
These new policies will not generate any alerts until you enable the new CI/CD Security
capability on Settings > Application Security Configuration. Once you subscribe to the CI/CD
Security capability, when it becomes available, the alerts will display on Application
Security > CI/CD Risks.

Policy Updates

Migration of Build Integrity Policies to Configuration Build Policies
Changes - The Build Integrity policies for the GitHub and GitLab Terraform providers will be migrated to IaC Misconfiguration Build policies in the next release.
Here is the list of policies to be migrated:
• Ensure GitHub repository is Private
• Ensure GitHub repository has vulnerability alerts enabled
• Ensure GitHub Actions secrets are encrypted
• Ensure GitHub branch protection rules requires signed commits
• Ensure Gitlab project merge requests has at least 2 approvals
• Ensure Gitlab branch protection rules do not allow force pushes
• Ensure Gitlab project prevents secrets
Impact - Policy violations for these policies appear on Projects and Supply Chain in the IaC Misconfigurations code category. Enforcement levels for IaC Misconfigurations will now be applied to pipelines with these findings.

Prisma™ Cloud Release Notes 719 ©2023 Palo Alto Networks, Inc.
Prisma Cloud Code Security Release Information

Deprecation Notices
Deprecated Policy Endpoints
The following endpoints are deprecated in release 23.8.1 and will be sunset in release 23.9.1:
• Save new policy
• Get custom policies table data
• Update policy
• Delete policy
• Pre-validate Policy Rule
• Validate policies - code-based
• Policy Preview
Replacement endpoints:
• Add Policy
• List Policies V2
• Update Policy
• Delete Policy
• Policy Clone
There is currently no replacement endpoint for Policy Preview.

Deprecation of Build Integrity Policies
Changes - A few default Build Integrity policies will be deprecated in the next release.
Here is the list of deprecated policies:
• Gitlab branch protection rules allows force pushes
• Gitlab organization has groups with no two factor authentication configured
• GitHub Actions ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
• GitHub Actions Run commands are vulnerable to shell injection
• GitHub Actions curl is being used with secrets
• GitHub Actions Netcat is being used with IP address
• GitHub Actions artifact build do not have cosign - sign execution in pipeline
• GitHub Actions artifact build do not have SBOM attestation in pipeline
• GitHub Actions contain workflow_dispatch inputs parameters
• Rules used could create a double pipeline
• Suspicious use of curl in a GitLab CI environment
• GitHub organization security settings do not include 2FA capability
• GitHub organization security settings do not include SSO
• GitHub Repository doesn't have vulnerability alerts enabled
• GitHub Actions Environment Secrets are not encrypted
• GitHub merge requests should require at least 2 approvals
• GitHub organization webhooks do not use HTTPs
• GitHub repository webhooks do not use HTTPs
• GitHub branch protection rules do not require linear history
• GitHub repository has less than 2 admins
• GitHub branch protection rules are not enforced on administrators
• GitHub branch protection does not dismiss stale reviews
• GitHub branch protection does not restrict who can dismiss a PR
• GitHub branch protection does not require code owner reviews
• GitHub branch protection does not require status checks
• GitHub branch protection does not require push restrictions
• GitHub branch protection rules allow branch deletions
• Ensure container job uses a non latest version tag
• Ensure container job uses a version digest
• Ensure set variable is not marked as a secret
• BitBucket pull requests require less than approvals
Impact - Policy violations for these policies will no longer appear on Projects and Supply Chain.
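Several of the deprecated GitHub Actions policies above describe workflow conditions that are simple to check on your own once the platform stops reporting them. The following Python script is an added example, not Prisma Cloud or Bridgecrew check logic. It scans raw workflow text (no YAML library needed) for three of the listed conditions: ACTIONS_ALLOW_UNSECURE_COMMANDS set to true, untrusted github.event context interpolated into a run: script (the shell injection case), and curl invoked with an inline secrets expression. The sample workflow, the list of untrusted context paths and the check names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample workflow (not from the release notes): trips each check once
# and ends with the safe pattern of passing untrusted input through env:.
SAMPLE_WORKFLOW = """name: ci
on:
  issue_comment:
    types: [created]
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: echo "${{ github.event.issue.title }}"
      - name: Upload
        run: |
          curl -sS -H "Authorization: token ${{ secrets.DEPLOY_TOKEN }}" https://example.invalid/upload
      - name: Safe
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "$TITLE"
"""

# Expression paths an outside contributor controls (issue/PR text, branch names,
# commit messages, workflow_dispatch inputs). Interpolated into a run: script they
# expand before the shell parses it, so a crafted title becomes shell code.
# Heuristic subset chosen for this example, not an exhaustive list.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(?:"
    r"github\.head_ref"
    r"|github\.event\.(?:issue|pull_request|discussion)\.(?:title|body)"
    r"|github\.event\.(?:comment|review)\.body"
    r"|github\.event\.head_commit\.(?:message|author\.(?:name|email))"
    r"|github\.event\.pull_request\.head\.(?:ref|label)"
    r"|github\.event\.workflow_run\.head_branch"
    r"|github\.event\.inputs\.[A-Za-z0-9_-]+"
    r")\s*\}\}"
)
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.")
# Re-enables the ::set-env/::add-path workflow commands GitHub disabled in 2020.
UNSECURE = re.compile(r"^[ \t]*ACTIONS_ALLOW_UNSECURE_COMMANDS[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
BLOCK_INDICATOR = re.compile(r"^[|>][-+]?\d*$")


@dataclass
class Finding:
    line: int     # 1-based line of the offending key in the workflow
    check: str
    detail: str


def run_scripts(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, script) per run: step; a |/> block scalar ends where
    indentation drops back to the key's level, as it does in YAML."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, value = len(m.group(1)), m.group(2).strip()
        if not BLOCK_INDICATOR.match(value):
            yield i + 1, value
            i += 1
            continue
        j, body = i + 1, []
        while j < len(lines) and (
            not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_indent
        ):
            body.append(lines[j].strip())
            j += 1
        yield i + 1, "\n".join(body)
        i = j


def scan(text: str) -> List[Finding]:
    """Apply the three checks and return findings in file order."""
    findings: List[Finding] = []
    for m in UNSECURE.finditer(text):
        if m.group(1).strip("\"'").lower() == "true":
            findings.append(Finding(text.count("\n", 0, m.start()) + 1,
                                    "unsecure-commands", m.group(0).strip()))
    for line_no, script in run_scripts(text):
        for expr in UNTRUSTED_CONTEXT.finditer(script):
            findings.append(Finding(line_no, "script-injection", expr.group(0)))
        if "curl" in script and SECRET_EXPR.search(script):
            findings.append(Finding(line_no, "curl-with-secret",
                                    "curl invoked with an inline ${{ secrets.* }} expression"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.check}: {f.detail}")
```

The final Safe step in the sample is the remediation for the injection finding: the untrusted value is assigned through env: and read back as a quoted shell variable, so the expression expands into an environment variable rather than into the script text the shell parses.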

Get Help
The following topics provide information on where to find more about this release and how to
request support:
• Related Documentation
• Request Support


Related Documentation
Refer to the following documentation on the Technical Documentation portal or search the
documentation for more information on our products:


Request Support
To contact support, learn about support programs, manage your account, or open a support case, go to https://support.paloaltonetworks.com.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
