diff --git a/docs/en/enterprise-edition/rn/_graphics/most-imp-vulnerabilities-cve-details-1.png b/docs/en/enterprise-edition/rn/_graphics/most-imp-vulnerabilities-cve-details-1.png new file mode 100644 index 0000000000..d12acde21e Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/most-imp-vulnerabilities-cve-details-1.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/search-view-by-cve.png b/docs/en/enterprise-edition/rn/_graphics/search-view-by-cve.png new file mode 100644 index 0000000000..e1bb3c7d9d Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/search-view-by-cve.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-1.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-1.png new file mode 100644 index 0000000000..008a8188bf Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-1.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-2.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-2.png new file mode 100644 index 0000000000..690d953b7b Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-cluster-name-filter-2.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-1.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-1.png new file mode 100644 index 0000000000..4483a27c46 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-1.png differ 
diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-2.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-2.png new file mode 100644 index 0000000000..01fdc81d5b Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-dashboard-vul-assets-2.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-1.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-1.png new file mode 100644 index 0000000000..ef88e17a77 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-1.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-2.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-2.png new file mode 100644 index 0000000000..5af95e7f17 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-2.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-3.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-3.png new file mode 100644 index 0000000000..4e498b2442 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-db-filters-3.png differ diff --git a/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-funnel-1.png b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-funnel-1.png new file mode 100644 index 0000000000..68b7627c27 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/vulnerabilities-funnel-1.png differ diff --git a/docs/en/enterprise-edition/rn/limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc b/docs/en/enterprise-edition/rn/limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc index 2334c5c1e2..223de6cee7 100644 --- a/docs/en/enterprise-edition/rn/limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc 
+++ b/docs/en/enterprise-edition/rn/limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc 
@@ -4,37 +4,23 @@ Review the Prisma Cloud features that have Limited General Availability (LGA) on The LGA features are not available on all stacks and are subject to change by the GA release. If you want a specific feature enabled, contact Prisma Cloud Customer Support. - [cols="50%a,50%a"] |=== |FEATURE |DESCRIPTION +|*Tag-based RBAC with Resource Lists* +//RLP-143394 + +|Tag-based Role-based access control (RBAC) with Resource Lists builds on Prisma Cloud’s existing RBAC capabilities, which allow your System Administrators to define limited access to cloud assets by introducing support for https://docs.prismacloud.io/en/enterprise-edition/assets/pdf/tag-based-rbac-resource-lists-lga.pdf[Tag-based Resource Lists for Roles]. + + |*Auto-Dismiss Alerts* //PCSUP-24226 |Enable *Auto-Actions* in Prisma Cloud to efficiently tackle tasks such as auto-dismissal of alerts with specific tags, defined in a resource list. When creating alert rules you have the option to automatically take action when a policy is violated by auto-dismissing alerts on assigned targets. Once enabled, these options are displayed as additional steps in the alert rule creation process. For example, if you enable *Auto-Actions*, the options to *Configure Auto-Actions* is displayed. You can optionally configure *Auto-Action* to include Reason and Authorization details. //Auto-Actions can be enabled on your tenant by contacting Prisma Cloud Customer Support. - -|*Managed Security Service Provider* -//RLP-145507 - -|Prisma Cloud introduces a rich set of features that enable you to deliver security at scale. The Managed Security Service Provider (MSSP) offering allows you to administer large customer groups efficiently by enabling you to: - -* Manage and operate a large number of tenants from a single console -* Dynamically create and delete tenants on demand -* Efficiently segment and manage customers into industry defined groups such as Healthcare, Finance etc. 
-* Segment tenants by reallocating credits as needed, between tenants under management -* Isolate customer data in adherence with established security best practices -* Get centralized visibility into security telemetry such as incidents, attack paths and misconfigurations - -Learn more about how https://docs.prismacloud.io/en/enterprise-edition/assets/pdf/mssp-lga.pdf[MSSP] can help you effectively meet the security requirements of large customer groups. - -//*AXA* placeholder -//RLP-143394 -//Description - |*Cloud Account Group Details Included in CSV Download File* //RLP-141935, RLP-134460 diff --git a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc index 5d806c0f54..55097c4645 100644 --- a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc +++ b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc 
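Review bot: the sentence in the new Tag-based RBAC row attaches "by introducing support for ..." to the wrong clause, so it reads as if System Administrators define access "by introducing support for Tag-based Resource Lists". Split it: "Tag-based RBAC with Resource Lists builds on Prisma Cloud's existing RBAC capabilities, which allow System Administrators to define limited access to cloud assets. It adds support for [Tag-based Resource Lists for Roles]." Two smaller points in the same hunk: the new row is followed by two blank lines before the Auto-Dismiss row where the rest of the table uses one, and the `//RLP-143394` tracker comment was previously attached to the removed `//*AXA* placeholder` block, so confirm it is the correct reference for this feature rather than a leftover.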
@@ -1,26 +1,53 @@ [#ida01a4ab4-6a2c-429d-95be-86d8ac88a7b4] == Look Ahead—Planned Updates to Secure the Infrastructure -Review any changes planned in the next Prisma Cloud release to ensure the security of your infrastructure. +Review changes planned in the next Prisma Cloud release to ensure the security of your infrastructure. -Read this section to learn about what is planned in the 24.8.2 CSPM Platform, Agentless Container Host, Agentless Host Security, CIEM, Data Security, and CDEM releases. +Read this section to learn about what is planned in the 24.9.1 CSPM Platform, Agentless Container Host, Agentless Host Security, CIEM, Data Security, and CDEM releases. -The Look Ahead announcements are for an upcoming release and it is not a cumulative list of all announcements. +The Look Ahead announcements are for an upcoming release and is not a cumulative list of all announcements. [NOTE] ==== -The details and functionality listed below are a preview and the actual release date is subject to change. +The details and functionalities listed below are a preview and the actual release date is subject to change. ==== -//* <> +* <> * <> * <> * <> * <> -* <> +//* <> //* <> * <> +[#announcement] +=== Announcement + +[cols="50%a,50%a"] +|=== +|*Change* +|*Description* + +|*Prisma Cloud Release Schedule Updated from a Bi-weekly to a Monthly Release* +//RLP-148595 + +|Starting with the 24.10.1 release, Prisma Cloud release schedule will transition from a bi-weekly to a monthly cadence to ensure continuous deliver of high-quality features and enhancements. + +* Enhance Quality: A longer development cycle enables the Prisma Cloud team to focus on thorough testing and quality assurance, ensuring that each release meets the highest standards. + +* Incorporate Feedback: With more time between releases, we can better integrate your feedback and suggestions into our product roadmap, leading to features that truly meet your organization's security needs. 
+ +* Optimize Resources: This change helps allocate resources more effectively, allowing the Prisma Cloud team to work on more feature improvements for you. + +*Impact—* Prisma Cloud will release new features, enhancements, and security updates on a monthly basis starting in October 2024 (no more .2 releases). Each release will be accompanied by detailed release notes to keep you informed of what's new. + +If you have any questions or feedback, contact your Prisma Cloud Customer Support representative. + +//Thank You for your support and we appreciate your understanding and support as we make this transition. Our goal is to provide you with the best possible product and experience. If you have any questions or feedback, please do not hesitate to reach out to our support team. +//Improved Communication: We are committed to continue keeping you updated on our progress and any upcoming features. Expect regular updates and insights into our development process. + +|=== [#changes-in-existing-behavior] === Changes in Existing Behavior 
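Review bot: the intro edit introduces a subject-verb agreement error: "The Look Ahead announcements are for an upcoming release and is not a cumulative list" should keep "it is not" (or rephrase as "This Look Ahead covers an upcoming release and is not a cumulative list"). In the new Announcement row, "continuous deliver of high-quality features" should be "continuous delivery", and "Prisma Cloud release schedule will transition" needs an article ("the Prisma Cloud release schedule"). The commented-out "//Thank You ..." and "//Improved Communication ..." paragraphs should be dropped rather than shipped as dead text in the source.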
@@ -30,15 +57,19 @@ The details and functionality listed below are a preview and the actual release |*Feature* |*Description* +|*Audit Logs Warning* +//RLP-148505 -|*Multiselect Disabled for Alert Rule Name Filter* -//RLP-147561 +|Starting with the 24.9.1 release, if you have configured your AWS account or organization to ingest audit logs through EventBridge, you may see a `Rule does not exist on EventBus default in ` warning message. -|Starting with 24.8.2 release, you will no longer be able to select multiple alert rules in the *Alert Rule Name* filter on the *Alerts > Overview* page. The multiselect option will be disabled to eliminate inconsistent results when filtering more than one alert rule. +This warning is due to performance enhancements in the EventBridge rule configuration, which do not affect system functionality. -When using the `POST/alerts/policy` API, make sure to include only one *Alert Rule Name* in the filters attribute of the request body schema. +To resolve the warning, download the CloudFormation Template (CFT) from *Misconfigurations > Near Real-Time Visibility > Edit* and update your CFT stack in AWS. For detailed instructions, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/configure-audit-logs#:~:text=Time%20Visibility.-,Configure%20Details.,-Click%20Download%20EventBridge[Configure Audit Logs]. -|*Change in Amazon EC2 Ingestion* +*Impact—* Updating the CFT will result in an increase in the number of EventBridge rules enabling Prisma Cloud to ingest only the relevant audit logs. + + +|*Amazon EC2 Ingestion* //RLP-145171 |Starting with the 24.9.1 release, Prisma Cloud will no longer ingest private Amazon Machine Images (AMIs) owned by other accounts unless they are actively used by EC2 instances within the current account. 
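Review bot: the quoted warning in the new Audit Logs Warning row, `Rule does not exist on EventBus default in `, ends in a trailing space, which suggests the identifier that follows "in" in the real message (an angle-bracket placeholder is silently consumed by AsciiDoc) was lost; restore it with a passthrough or escaped brackets so users can match the text they actually see. The link to Configure Audit Logs uses a `#:~:text=` text-fragment URL, which breaks as soon as the target page wording changes; link to the page's section anchor instead. Minor: the Impact sentence needs a comma ("... number of EventBridge rules, enabling Prisma Cloud to ingest only the relevant audit logs"), and there are two blank lines before the Amazon EC2 Ingestion row where the table uses one.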
@@ -48,6 +79,16 @@ When using the `POST/alerts/policy` API, make sure to include only one *Alert Ru If you have any questions, contact your Prisma Cloud Customer Success Representative. +|*Audit Logs Retention Period* +//RLP-146965, RLP-147876 + +|Starting with the 24.9.1 release, audit logs from the AWS, Azure, GCP cloud service providers, and Prisma Cloud will be purged from the live system after 120 days or when the total number of logs exceeds 1.2 billion, whichever comes first. + +*Impact—* Once the logs are purged, they will not be accessible via RQL queries on the *Investigate* page in Prisma Cloud. However, the data on the logs will be retained in an archived, encrypted format for the duration of your contract. + +To retrieve any purged data, contact your Prisma Cloud Customer Success Representative. + + |=== [#new-policies] @@ -68,7 +109,7 @@ The folder contains RQL based Config, IAM, Network, and Audit Event policies in + The *Master* branch represents the Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch, to review the policies that were published previously or are planned for the upcoming release. + -Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-... For example, PCS-24.8.2. +Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-... For example, PCS-24.9.1. . Review the updates. + @@ -80,7 +121,6 @@ Use the *policies* folder to review the JSON for each policy that is added or up [#policy-updates] === Policy Updates - [cols="50%a,50%a"] |=== 
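Review bot: the edited line "Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-..." now contradicts the Announcement added earlier in this same file, which says the schedule moves to one monthly release from 24.10.1 with no more .2 releases; either drop the "2 releases in a month" rationale or qualify it as applying up to 24.9.x. In the new Audit Logs Retention Period row, state whether the 120-day / 1.2 billion thresholds apply per tenant and whether the count covers AWS, Azure, GCP and Prisma Cloud audit logs combined, since that determines how quickly a busy tenant's logs leave the Investigate page; "the data on the logs will be retained" reads better as "the log data will be retained".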
@@ -90,33 +130,61 @@ Use the *policies* folder to review the JSON for each policy that is added or up |*Description* |*AWS SageMaker endpoint data encryption at rest not configured with CMK* -//RLP-147139 +//RLP-148554 -tt:[24.8.2] +|*Changes—* The policy severity will be updated. -|*Changes—* The policy description is revised as follows: +*Current Policy Severity—* High -*Current Policy Name—* AWS SageMaker endpoint data encryption at rest not configured +*Updated Policy Severity—* Informational + +*Policy Type—* Config + +*Impact—* Low -*Updated Policy Name—* AWS SageMaker endpoint data encryption at rest not configured with CMK -*Current Policy Description—* This policy identifies AWS SageMaker Endpoints not configured with data encryption at rest. +|*Azure Key Vault Firewall is not enabled* +//RLP-148542 + +|*Changes—* The policy RQL will be updated to reduce false positives and only generate alerts if public access is enabled. + +*Current RQL—* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.networkAcls.ipRules[*].value does not exist AND properties.publicNetworkAccess does not equal ignore case "disabled" +---- +*Updated RQL—* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = (properties.publicNetworkAccess does not equal ignore case disabled and properties.networkAcls does not exist) or (properties.publicNetworkAccess does not equal ignore case disabled and properties.networkAcls.defaultAction equal ignore case allow ) +---- +*Policy Type—* Config -AWS SageMaker Endpoint configuration defines the resources and settings for deploying machine learning models to SageMaker endpoints. By default, SageMaker Endpoints are not encrypted at rest. Enabling the encryption helps protect the integrity and confidentiality of the data on the storage volume attached to the ML compute instance that hosts the endpoint. +*Impact—* Low. 
Open alerts where the public access is enabled and network ACLs default action is denied will be resolved. -It is recommended to set encryption at rest to mitigate the risk of unauthorized access and potential data breaches. -*Updated Policy Description—* This policy identifies AWS SageMaker Endpoints not configured with data encryption at rest. +|*Azure App Service Web app doesn't use latest TLS version* +//RLP-148541 -AWS SageMaker Endpoint configuration defines the resources and settings for deploying machine learning models to SageMaker endpoints. By default, SageMaker encryption uses transient keys if a KMS key is not specified, which does not provide the control and management benefits of AWS Customer Managed KMS Key. Enabling the encryption helps protect the integrity and confidentiality of the data on the storage volume attached to the ML compute instance that hosts the endpoint. +|*Changes—* The updated Policy RQL will not alert for minTlsVersion of 1.3. -It is recommended to set encryption at rest to mitigate the risk of unauthorised access and potential data breaches. +*Current Description—* This policy identifies Azure web apps which are not set with latest version of TLS encryption. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. -*Policy Severity—* High +*Updated Description—* This policy identifies Azure web apps which are not set with latest version of TLS encryption. App service currently allows the web app to set TLS versions 1.0, 1.1, 1.2 and 1.3. It is highly recommended to use the latest TLS greater than 1.1 version for web app secure connections. 
+ +*Current RQL—* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with "app" AND config.minTlsVersion does not equal "1.2" +---- + +*Updated RQL—* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = kind starts with app and config.minTlsVersion is member of ('1.0', '1.1') +---- *Policy Type—* Config -*Impact—* No impact on alerts. +*Policy Severity—* Low + +*Impact—* Low. Alert for Azure App Service Web app with minTlsVersion equals 1.3 will be resolved. |=== 
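Review bot: the RQL in the two new Azure rows is inconsistently quoted, which makes it hard for readers to copy into a custom policy: the Key Vault current RQL uses `"disabled"` while the updated one uses bare `disabled` and `allow` (and has a stray space in `allow )`), and the App Service current RQL uses `"app"` and `"1.2"` while the updated one uses bare `app`. Please normalize to one style that is known to parse. For the TLS policy, the updated rule `config.minTlsVersion is member of ('1.0', '1.1')` only matches an explicitly set 1.0/1.1; confirm and document what happens when `config.minTlsVersion` is absent, since the current `does not equal "1.2"` form may have alerted on that case and the Impact line only mentions 1.3. Wording: "use the latest TLS greater than 1.1 version" should be "use TLS 1.2 or later", and "Alert for ... will be resolved" should be "Alerts for ...". In the SageMaker row, the severity drops from High to Informational; the Impact line should say whether existing open alerts are re-rated, as that changes how they sort in alert views.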
@@ -130,237 +198,239 @@ It is recommended to set encryption at rest to mitigate the risk of unauthorised |*Service* |*API Details* -|*Amazon Bedrock* -//RLP-147120 +|*Amazon Redshift* +//RLP-148150 -|*aws-bedrock-foundation-model* +|*aws-redshift-serverless-workgroup* -Additional permissions required: +Additional permission required: + +* `redshift-serverless:ListWorkgroups` + +The Security Audit role includes the above permission. -* `bedrock:ListFoundationModels` -* `bedrock:GetFoundationModel` +|*AWS Security Hub* +//RLP-148149 + +|*aws-securityhub-enabled-products-for-import* + +Additional permission required: -The Security Audit role include the above permissions. You must manually update the CFT template to enable them. +* `securityhub:ListEnabledProductsForImport` + +The Security Audit role includes the above permission. |*Amazon Bedrock* -//RLP-147118 +//RLP-148145 -|*aws-bedrock-custom-model* +|*aws-bedrock-model-invocation-logging-configuration* -Additional permissions required: +Additional permission required: -* `bedrock:ListCustomModels` -* `bedrock:GetCustomModel` -* `bedrock:ListTagsForResource` +* `bedrock:GetModelInvocationLoggingConfiguration` -The Security Audit role includes the permissions. +The Security Audit role includes the above permission. |*Amazon Bedrock* -//RLP-147113 +//RLP-148144 -|*aws-bedrock-agent* +|*aws-bedrock-provisioned-model-throughput* Additional permissions required: -* `bedrock:ListAgents` -* `bedrock:GetAgent` +* `bedrock:ListProvisionedModelThroughputs` +* `bedrock:GetProvisionedModelThroughput` * `bedrock:ListTagsForResource` -The Security Audit role includes the permissions. +The Security Audit role includes the `bedrock:ListTagsForResource` permission. -|*AWS Resource Groups and Tagging* -//RLP-146625 +The Security Audit role does not include the `bedrock:ListProvisionedModelThroughputs` and `bedrock:GetProvisionedModelThroughput` permissions. You must manually add them to the CFT template to enable them. 
-|*aws-resourcegroupstaggingapi-report-creation* +|*Amazon Bedrock* +//RLP-148141 -Additional permission required: +|*aws-bedrock-model-customization-job* -* `tag:DescribeReportCreation` +Additional permissions required: -The Security Audit role does not include the above permission. You must manually update the CFT template to enable them. +* `bedrock:ListModelCustomizationJobs` +* `bedrock:GetModelCustomizationJob` +* `bedrock:ListTagsForResource` -|*AWS Resource Groups and Tagging* -//RLP-146624 +The Security Audit role includes the `bedrock:ListTagsForResource` permission. -|*aws-resourcegroupstaggingapi-compliance-summary* +The Security Audit role does not include the `bedrock:ListModelCustomizationJobs` and `bedrock:GetModelCustomizationJob` permissions. You must manually add them to the CFT template to enable them. -Additional permission required: +|*Amazon Bedrock* +//RLP-148135 -* `tag:GetComplianceSummary` +|*aws-bedrock-knowledgebase* -The Security Audit role does not include the above permission. You must manually update the CFT template to enable them. +Additional permissions required: -|*Azure App Service Plan* -//RLP-146757 +* `bedrock:ListKnowledgeBases` +* `bedrock:GetKnowledgeBase` +* `bedrock:ListTagsForResource` -|*azure-app-service-plan-diagnostic-settings* +The Security Audit role includes the `bedrock:ListTagsForResource` permission. -Additional permissions required: +The Security Audit role does not include the `bedrock:ListKnowledgeBases` and `bedrock:GetKnowledgeBase` permissions. You must manually add them to the CFT template to enable them. + +|*Azure Databricks* +//RLP-147853 + +|*azure-databricks-access-connectors* + +Additional permission required: -* `Microsoft.Web/serverfarms/Read` -* `Microsoft.Insights/DiagnosticSettings/Read` +* `Microsoft.Databricks/accessConnectors/read` -The Reader role includes the permissions. +The Reader role includes the above permission. 
|*Azure Active Directory* -//RLP-131015 +//RLP-128447 -|*azure-active-directory-authentication-methods-registration-campaign* +|*azure-active-directory-admin-consent-request-policy* Additional permission required: -* `Policy.ReadWrite.AuthenticationMethod` - -The Reader role includes the permission. +* `Policy.Read.All` +The Global Reader role includes the above permission. |*Azure Active Directory* -//RLP-128436 +//RLP-128079 -|*azure-active-directory-subscribed-sku* +|*azure-active-directory-cross-tenant-access-default-settings* Additional permission required: -* `Organization.Read.All` +* `Policy.Read.All` -The Reader role includes the permission. +The Global Reader role includes the above permission. -|tt:[Update] *Azure Storage* +|*Azure Active Directory* +//RLP-127879 -//RLP-146499, RLP-146500, RLP-146501, RLP-146502 +|*azure-active-directory-configured-external-identity-provider* -|The following APIs will be updated to include the `StorageAccountId` and `StorageAccountName` fields in the JSON resource configuration. This enhancement facilitates improved cross-referencing in RQL queries. +Additional permission required: -* `azure-storage-account-blob-diagnostic-settings` -* `azure-storage-account-file-diagnostic-settings` -* `azure-storage-account-queue-diagnostic-settings` -* `azure-storage-account-table-diagnostic-settings` +* `IdentityProvider.Read.All` -|*Google BigLake* -//RLP-146984 +//The External Identity Provider Administrator or External ID user flow administrator role includes the above permission. -|*gcloud-biglake-catalog-database-table* +|*Google Cloud Batch Job* +//RLP-148101 -Additional permissions required: +|*gcloud-cloud-batch-job* -* `biglake.catalogs.list` -* `biglake.databases.list` -* `biglake.tables.list` +Additional permission required: -The Viewer role includes the permissions. +* `batch.jobs.list` -|*Google BigLake* -//RLP-146983 +The Viewer role includes the above permission. 
-|*gcloud-biglake-catalog-database* +|*Google Bare Metal Solution* +//RLP-148100 + +|*gcloud-bare-metal-solution-volume-lun* Additional permissions required: -* `biglake.catalogs.list` -* `biglake.databases.list` +* `baremetalsolution.instances.list` +* `baremetalsolution.luns.list` -The Viewer role includes the permissions. +The Viewer role includes the above permissions. -|*Google BigLake* -//RLP-146982 +|*Google Bare Metal Solution* +//RLP-148099 -|*gcloud-biglake-catalog* +|*gcloud-bare-metal-solution-nfs-share* Additional permission required: -* `biglake.catalogs.list` +* `baremetalsolution.nfsshares.list` -The Viewer role includes the permission. +The Viewer role includes the above permission. -|*Google BigQuery Data Transfer* -//RLP-146981 +|*Google Bare Metal Solution* +//RLP-148098 -|*gcloud-bigquery-data-transfer-config* +|*gcloud-bare-metal-solution-volume* Additional permission required: -* `bigquery.transfers.get` - -The Viewer role includes the permission. - -|*Google Cloud Domains* -//RLP-128080 +* `baremetalsolution.volumes.list` -|*gcloud-cloud-domains* - -Additional permissions required: +The Viewer role includes the above permission. -* `domains.registrations.list` -* `domains.registrations.getIamPolicy` +|*Google Bare Metal Solution* +//RLP-148097 -The Viewer role includes the permissions. +|*gcloud-bare-metal-solution-network* -|*Google Cloud VMware Engine* -//RLP-124735 +Additional permission required: -|*gcloud-vmware-engine-external-address* +* `baremetalsolution.networks.list` -Additional permissions required: +The Viewer role includes the above permission. -* `vmwareengine.privateClouds.list` -* `vmwareengine.externalAddresses.list` +|*Google Bare Metal Solution* +//RLP-147865 -The Viewer role includes the permissions. 
+|*gcloud-bare-metal-solution-instance* -|=== +Additional permission required: -[#new-compliance-benchmarks-and-updates] -=== New Compliance Benchmarks and Updates +* `baremetalsolution.instances.list` -[cols="50%a,50%a"] -|=== -|*Compliance Benchmark* -|*Description* - -|*SEBI - Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF)* -//RLP-147789, RLP-147728 +The Viewer role includes the above permission. -|Prisma Cloud now supports Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) released by the Securities and Exchange Board of India (SEBI). CSCRF aims to establish a unified framework that encompasses various strategies to safeguard REs (Regulated Entities) and Market Infrastructure Institutions (MIIs) against cyber risks and incidents. -You can now view this built-in standard and the associated policies on the *Compliance > Standards* page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. +|*OCI Web Application Firewall* +//RLP-148332 -|*NIST SP 800-171 Revision 3* -//RLP-147678 +|*oci-loadbalancer-waf* -|Prisma Cloud now supports the latest version of NIST SP 800-171 Revision 3. This updated includes significant updates to the publication’s control families, security controls and new Prisma cloud policies are mapped to the controls increasing the overall coverage. +Additional permissions required: -You can now view this built-in standard and the associated policies on the *Compliance > Standards* page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. +* `WEB_APP_FIREWALL_INSPECT` +* `WEB_APP_FIREWALL_READ` -|*Secure Controls Framework (SCF) - 2024.2* -//RLP-147607 +The Reader role includes the above permissions. 
-|Prisma Cloud has been updated to incorporate support for the Secure Controls Framework (SCF) - 2024.2, providing a comprehensive approach to both cybersecurity and privacy practices for safeguarding organizational information assets. The SCF's latest version elaborates on the refinement of current controls, introduces new controls tailored to counteract recent threats and technological advancements, ensures alignment with the most current compliance mandates, and integrates modifications driven by input from the community and industry professionals. +|=== -You can now view this built-in standard and the associated policies on the *Compliance > Standards* page with this support. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. -|*Update for CIS AWS Foundation Benchmark* -//RLP-140359 +//[#new-compliance-benchmarks-and-updates] +//=== New Compliance Benchmarks and Updates -|New Policy mappings are added to both Level 1 and Level 2 of CIS AWS Foundation benchmark v2.0.0 and CIS AWS Foundation benchmark v3.0.0 to improve policy mapping coverage. +//[cols="50%a,50%a"] +//|=== +//|*Compliance Benchmark* +//|*Description* -*Impact—* As new mappings are introduced, compliance scoring might vary. +//| -|*Update for GDPR* -//RLP-147541 +//| -|New Policy mappings are added to the GDPR compliance standard. +//|=== -*Impact—* As new mappings are introduced, compliance scoring might vary. -|*Update for CIS Microsoft Azure Foundation Benchmark* -//RLP-147541 +//[#rest-api-updates] +//=== REST API Updates -|New Policy mappings are added to both Level 1 and Level 2 of CIS Microsoft Azure Foundation benchmark v2.0.0 and CIS AWS Foundation benchmark v2.1.0 to improve policy mapping coverage. +//[cols="37%a,63%a"] +//|=== +//|*Change* +//|*Description* -*Impact—* As new mappings are introduced, compliance scoring might vary. +//| +//| -|=== +//|=== [#deprecation-notices] 
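Review bot: the `azure-active-directory-configured-external-identity-provider` row lists `IdentityProvider.Read.All` but has the role sentence commented out ("//The External Identity Provider Administrator or ..."), so the published row never tells the reader whether the Global Reader role already grants it or whether they must add it manually; every other row in this table states one or the other, and this one should too before merge. The table's other rows should also use one phrasing for the permission count ("Additional permission required" vs "Additional permissions required") matching the number of bullets, which the Bedrock and Bare Metal rows do but readers will compare. The New Compliance Benchmarks and REST API Updates sections are left as commented-out empty table skeletons; if there is nothing to announce for 24.9.1 it is cleaner to remove them than to ship commented placeholders.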
@@ -416,23 +486,6 @@ You can now view this built-in standard and the associated policies on the *Comp ** https://pan.dev/prisma-cloud/api/cspm/cve-overview-v-2/[GET /uve/api/v2/dashboard/vulnerabilities/cve-overview] - - -|tt:[*End of support for Azure Time Series Insights and Azure Data Catalog Services*] -//RLP-147490 - -|NA -|24.8.2 - -|The following APIs are planned for deprecation as Azure has announced the retirement of Azure Time Series Insights and Azure Data Catalog Services. Due to this, Prisma Cloud will no longer ingest metadata for the following APIs: - -* `azure-timeseriesinsights-environments` -* `azure-datacatalog-catalog` - -In RQL, the key will not be available in the `api.name` attribute auto-completion. - -*Impact—* If you have a saved search or custom policies based on these APIs, you must delete them manually. The policy alerts will be resolved as *Policy_Deleted*. - |tt:[*Resource Explorer API*] //RLP-131482, RLP-115752 @@ -442,7 +495,7 @@ In RQL, the key will not be available in the `api.name` attribute auto-completio * https://pan.dev/prisma-cloud/api/cspm/get-resource-raw/[POST /resource/raw] |23.9.2 -|24.10.2 +|24.10.1 |* https://pan.dev/prisma-cloud/api/cspm/get-asset-details-by-id/[POST /uai/v1/asset] diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-august-2024.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-august-2024.adoc index a061b5add1..5473477a6a 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-august-2024.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-august-2024.adoc 
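Review bot: this hunk deletes the "End of support for Azure Time Series Insights and Azure Data Catalog Services" deprecation row (with its `azure-timeseriesinsights-environments` and `azure-datacatalog-catalog` API names and the instruction to delete saved searches and custom policies) because its 24.8.2 date has passed; confirm the same notice was carried into the 24.8.2 / August 2024 release notes, since users with custom policies on those APIs still need the Policy_Deleted guidance somewhere. The Resource Explorer API end date change from 24.10.2 to 24.10.1 is consistent with the monthly-cadence announcement; check that no other rows in this table still cite a .2 release after October.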
@@ -2,88 +2,148 @@ Learn what's new on Prisma® Cloud in August 2024. -* <> -* <> +//* <> * <> +* <> * <> * <> +//* <> * <> * <> -* <> * <> -//* <> +* <> +* <> -[#announcement] -=== Announcement +[#new-features] +=== New Features -[cols="50%a,50%a"] +[cols="30%a,70%a"] |=== |*Feature* |*Description* -|*Data Security Posture Management and Artificial Intelligence Security Posture Management* +|*Managed Security Service Provider* +//RLP-145507 -|Prisma Cloud Data Security Posture Management (DSPM) and Artificial Intelligence Security Posture Management (AI-SPM) are now generally available. +tt:[Secure the Infrastructure] -* https://docs.prismacloud.io/en/enterprise-edition/content-collections/data-security-posture-management/welcome/welcome[DSPM] enables you to discover, classify, protect, and govern data across your cloud environments. +tt:[24.8.2] -* https://docs.prismacloud.io/en/enterprise-edition/content-collections/data-security-posture-management/welcome-to-prisma-cloud-aispm/introduction-ai[AI-SPM] provides complete visibility in to your AI pipelines. It prioritizes misconfigurations and strengthens the overall integrity of your AI framework and minimizes the risk of data exposure and compliance breaches. +|Prisma Cloud https://docs.prismacloud.io/en/enterprise-edition/content-collections/mssp/mssp[Managed Security Service Provider] (MSSP) offering allows you to administer large customer groups efficiently by enabling you to: -|*DSPM Permissions and Default Permission Group* -//RLP-146508, RLP-147749 +* Manage and operate a large number of tenants from a single console. +* Dynamically create and delete tenants on demand. +* Efficiently segment and manage customers into industry defined groups such as Healthcare, Finance, and so on. +* Segment tenants by reallocating credits as needed, between tenants under management. +* Isolate customer data in adherence with established security best practices. 
+* Get centralized visibility into security telemetry such as incidents, attack paths, and misconfigurations. -|Prisma Cloud includes a new *Data Security Posture Management* permission that allows you to grant access to all the DSPM capabilities for Custom Permission Groups. For ease of use, Prisma Cloud also has a new *Data Security Posture Management* Default Permission Group, which includes this new permission. +//Learn more about how MSSP can help you effectively meet the security requirements of large customer groups. +//Prisma Cloud introduces a rich set of features that enable you to deliver security at scale. -|=== +|[Update] *Vulnerabilities Dashboard* +//RLP-148663 -[#end-of-sale] -=== End of Sale Notice +tt:[Secure the Infrastructure] -[cols="50%a,50%a"] -|=== -|*Feature* -|*Description* +tt:[24.8.2] -|*Prisma Cloud Data Security* +|The Vulnerabilities Dashboard includes a number of enhancements: -|With the GA of DSPM and AI-SPM, Prisma Cloud Data Security (PCDS) module is now in the End of Sale (EOS) status. Note the following important dates: +* The number of *Internet Exposed* assets are now displayed in the *Vulnerabilities Funnel*. ++ +image::vulnerabilities-funnel-1.png[] -* PCDS EOS will be effective on August 31, 2024. -* Prisma Cloud tenants will no longer be able to subscribe to the PCDS module after September 1, 2024. -* PCDS subscribed tenants can continue to use the PCDS module until its End of Life. -* End of Life/End of Support will be effective on August 31, 2025 (one year post EOS). +* Hover over the CVEs listed under *Most Important Vulnerabilities* to view more details about the CVE. ++ +image::most-imp-vulnerabilities-cve-details-1.png[] -|=== +* Previously, the Vulnerabiities Dashboard displayed vulnerabilities across all the cloud accounts. Now, you can filter vulnerabilities by *Account Group* or *Cloud Account*. As you select the values in the filter, the information displayed on the Dashboard automatically refreshes. 
++ +image::vulnerabilities-db-filters-1.png[] ++ +image::vulnerabilities-db-filters-2.png[] ++ +Note that currently the *Vulnerabilities Burndown* widget does not support the new filters, so the information displayed under *Vulnerabilities Burndown* will not match your filter criteria. +//+image::vulnerabilities-db-filters-3.png[] +* You can edit a widget to filter by *Cluster Name* and *Cluster Namespace* and save that filter at the wdiget level. The *Cluster Namespace* option is presented only after you select enter a *Cluster Name*. ++ +image::vulnerabilities-cluster-name-filter-1.png[] -[#new-features] -=== New Features +* A new *Vulnerable Assets* widget provides a view of all your vulnerable assets across your application lifecycle by type. You can see how many packets, IaC files, registry images, host VM images, serverless functions, deployed image, and hosts have vulnerabilities across the different lifecycle. ++ +image::vulnerabilities-dashboard-vul-assets-1.png[] ++ +Hover over the tiles to get more details of where those hosts are, the provider, how many cloud accounts are associated, and how many vulnerabilities are associated with those assets. Click on an asset to navigate directly to *Search* page. ++ +image::vulnerabilities-dashboard-vul-assets-2.png[] -[cols="30%a,70%a"] -|=== -|*Feature* -|*Description* +* Along with the *Account Group* and *Cloud Account* filters, the *Search* page now supports the *Cluster Name* and *Cluster Namespace* filters. Make sure you first select a *Cluster Name* after which you can select a *Cluster Namespace*. ++ +image::vulnerabilities-cluster-name-filter-2.png[] -|*AI Assisted Queries* +* By default, the *View By* is set to *CVE* that displays all the CVEs that affect your assets. You can switch to *Asset*, which provides you a view of all the assets relevant to your search criteria instead of the CVEs. 
++ +image::search-view-by-cve.png[] + +//* You can now download the CSV file from the Graph and you can also *Remediate* the vulnerability from the graph by *Submitting a Pull Request* or *Creating a ticket*. + + +//*Code to Cloud Tracing for Vulnerabilities* +//RLP-138941, Beta right now +//tt:[Secure the Infrastructure] +//tt:[24.8.2] +//Prisma Cloud now supports tracing of vulnerabilities from container images deployed in Runtime back to the specific root cause in Build (package manager file in a repository or a package being directly added). + +|*Support for Custom Build Bicep Policies* +//BCE-33806. Received from J.Bakst via Slack + +tt:[Secure the Source] + +tt:[24.8.2] + +|You can now create custom build Bicep policies through both the https://docs.prismacloud.io/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor[Code and Visual editors], offering you the flexibility to align with organizational requirements and preferences. + +|*Data Security Posture Management and Artificial Intelligence Security Posture Management* + +tt:[Secure the Infrastructure] + +tt:[24.8.1] + +|Prisma Cloud Data Security Posture Management (DSPM) and Artificial Intelligence Security Posture Management (AI-SPM) are now generally available. + +* https://docs.prismacloud.io/en/enterprise-edition/content-collections/data-security-posture-management/welcome/welcome[DSPM] enables you to discover, classify, protect, and govern data across your cloud environments. + +* https://docs.prismacloud.io/en/enterprise-edition/content-collections/data-security-posture-management/welcome-to-prisma-cloud-aispm/introduction-ai[AI-SPM] provides complete visibility in to your AI pipelines. It prioritizes misconfigurations and strengthens the overall integrity of your AI framework and minimizes the risk of data exposure and compliance breaches. 
+ +|*DSPM Permissions and Default Permission Group* +//RLP-146508, RLP-147749 tt:[Secure the Infrastructure] tt:[24.8.1] +|Prisma Cloud includes a new *Data Security Posture Management* https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/prisma-cloud-admin-permissions[permission] that allows you to grant access to all the DSPM capabilities for Custom Permission Groups. For ease of use, Prisma Cloud also has a new *Data Security Posture Management* Default Permission Group, which includes this new permission. + +|*AI Assisted Queries* //RLP-146585, - To Do, JJ to share the doc link +tt:[Secure the Infrastructure] + +tt:[24.8.1] + |Enhancements to Prisma Cloud's query launcher allow you to use https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/launch-your-query[AI assisted queries] to retrieve saved searches from your current tenant. Going beyond keyword matching, AI powered semantic searches provide ease of use when launching investigations in Prisma Cloud. For instance, typing “public facing” as a query, returns results with “reachable from untrusted internet sources” as well, because the saved search matches the meaning of the query "public facing". AI assisted search can be toggled on and off as needed. Use the feedback buttons as shown in the image below to provide your feedback on this feature. image::ai-assisted-search.gif[] |*RQL for AWS Access Key Discovery* +//RLP-146594 tt:[Secure the Infrastructure] tt:[24.8.1] -//RLP-146594 - |Prisma Cloud's RQL enhancements help you discover detailed information about Access Keys held by users, their activity, rotation, and usage. Available for AWS, the following RQL query helps you enforce zero trust best practices in your cloud environment: * Queries the number of days passed since the last usage of an access key 
@@ -95,236 +155,822 @@ tt:[24.8.1] `source.cloud.accesskey.activekeys (<, >, =) (0, 1, 2)` |tt:[Update] *Cloud Network Analyzer* +//RLP-144795 tt:[Secure the Infrastructure] tt:[24.8.1] -//RLP-144795 - |Prisma Cloud *AWS EC2 instance with unrestricted outbound access to internet* CNA policy now ignores resources created by Prisma Cloud agentless scanning as those are very well restricted and short lived workloads that can only communicate back with Prisma Cloud. +//tt:[Update] *Vulnerability Dashboard* +//RLP-135217 +//tt:[Secure the Infrastructure] +//tt:[24.8.1] +//Vulnerability Dashboard now supports cloud account and cluster/namespace filters. -|tt:[Update] *Vulnerability Dashboard* -tt:[Secure the Infrastructure] +|*New AI and Machine Learning Category in Custom Build Policies* +//CAS feature enhancement update. received from J.Bakst + +tt:[Secure the Source] tt:[24.8.1] -//RLP-135217 +|When creating or editing custom *Build* policies under *Application Security > Governance*, you will now find a new category— *AI and Machine Learning*. This category is available in the YAML policy templates within the *Code Editor* and under the *Category Type* option in the *Visual Editor*. -|Vulnerability Dashboard now supports cloud account and cluster/namespace filters. +The *AI and Machine Learning* category offers granular control over *Build* configurations for machine learning and artificial intelligence workloads. You can use it into your custom policies and relevant dashboards through the *IaC Category* filter, which streamlines policy management for AI resources. For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies[Custom Build Policies]. +image::cas-ai-ml-learning-category.png[] -|*New AI and Machine Learning Category in Custom Build Policies* +|*New Resource Classes Filter* +//BCE-37242 tt:[Secure the Source] tt:[24.8.1] -//CAS feature enhancement update. 
received from J.Bakst +|A new filter, *Resource Classes*, is now available under *Application Security > Inventory > IaC Resources*. This filter becomes active after you select a *Framework* from the inventory table. -|When creating or editing custom *Build* policies under *Application Security > Governance*, you will now find a new category— *AI and Machine Learning*. This category is available in the YAML policy templates within the *Code Editor* and under the *Category Type* option in the *Visual Editor*. +*Resource Classes* provide a structured method for categorizing infrastructure resources based on their type, function, or other relevant criteria. This helps streamline the filtering and management of assets within the IaC inventory. Supported options for *Resource Classes* include— *Compute, Storage, Network, Identity & Security, Database, AI and Machine Learning, Analytics, Code*, and *Others*. For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/cloud-and-software-inventory/iac-resources#resource-class[Resource Class.] -The *AI and Machine Learning* category offers granular control over *Build* configurations for machine learning and artificial intelligence workloads. You can use it into your custom policies and relevant dashboards through the *IaC Category* filter, which streamlines policy management for AI resources. For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies[Custom Build Policies]. +image::resource-classes-filter-apsec.png[] + +|*Blocklist Resource Control* +//BCE-37258 + +tt:[Secure the Source] + +tt:[24.8.1] + +|You can now define granular resource controls to allow or block any use of specific resource types defined in Terraform, enabling you to create blocklists that specify which resources are restricted within your environment, enhancing security and compliance by preventing unauthorized resource usage. 
For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples#resource-blocklist[example blocklist]. + +|=== + +[#changes-in-existing-behavior] +=== Changes in Existing Behavior + +[cols="50%a,50%a"] +|=== +|*Feature* +|*Description* + +|*Multiselect Disabled for Alert Rule Name Filter* +//RLP-147561 + +tt:[24.8.2] + +|You cannot select multiple alert rules in the *Alert Rule Name* filter on the *Alerts > Overview* page. The multiselect option is disabled to eliminate inconsistent results when filtering more than one alert rule. + +When using the `POST/alerts/policy` API, make sure to include only one *Alert Rule Name* in the filters attribute of the request body schema. + +|*Role-Based Access Control for Compliance and Alert Reports* +//RLP-140182 + +tt:[24.8.1] + +|User-generated reports are only visible to System Administrators and to users with the same role. + +Implementing Role-Based Access Control (RBAC) enhances data security by streamlining report access for users with the same role, while also preventing unauthorized access. + +|*Create or Update Policy Permissions* +//RLP-139027 + +tt:[24.8.1] + +|The Create/Update Policy Permissions are divided into the two granular permissions as follows: + +* Policy +* Manage Policy Compliance Mapping + +*Impact—* + +* Users managing new custom permission groups must select both permissions explicitly if they want to assign compliance mappings during policy create/update operation. +* Manage policy compliance mapping is added by default to all existing permission groups with policy create/update permissions. 
+ +|=== + + +[#api-ingestions] +=== API Ingestions + +[cols="30%a,70%a"] +|=== +|*Service* +|*API Details* + +|*Amazon Bedrock* + +tt:[24.8.2] +//RLP-147120 + +|*aws-bedrock-foundation-model* + +Additional permissions required: + +* `bedrock:ListFoundationModels` +* `bedrock:GetFoundationModel` + +The Security Audit role include the above permissions. You must manually update the CFT template to enable them. + +|*Amazon Bedrock* + +tt:[24.8.2] +//RLP-147118 + +|*aws-bedrock-custom-model* + +Additional permissions required: + +* `bedrock:ListCustomModels` +* `bedrock:GetCustomModel` +* `bedrock:ListTagsForResource` + +The Security Audit role includes the permissions. + +|*Amazon Bedrock* + +tt:[24.8.2] +//RLP-147113 + +|*aws-bedrock-agent* + +Additional permissions required: + +* `bedrock:ListAgents` +* `bedrock:GetAgent` +* `bedrock:ListTagsForResource` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + +|*AWS Resource Groups and Tagging* + +tt:[24.8.2] +//RLP-146625 + +|*aws-resourcegroupstaggingapi-report-creation* + +Additional permission required: + +* `tag:DescribeReportCreation` + +The Security Audit role does not include the above permission. You must manually update the CFT template to enable them. + +|*AWS Resource Groups and Tagging* + +tt:[24.8.2] +//RLP-146624 + +|*aws-resourcegroupstaggingapi-compliance-summary* + +Additional permission required: + +* `tag:GetComplianceSummary` + +The Security Audit role does not include the above permission. You must manually update the CFT template to enable them. + + +|tt:[Update] *AWS Key Management Service (KMS)* + +tt:[24.8.2] +//RLP-147450 + +|*aws-kms-get-key-rotation-status* + +The API is updated to include the `multiRegion` field in the JSON resource configuration. As part of this change, the `multiRegion` key is now available in RQL auto-completion. 
+ + +|*Azure Active Directory* + +tt:[24.8.2] +//RLP-131015 + +|*azure-active-directory-authentication-methods-registration-campaign* + +Additional permission required: + +* `Policy.ReadWrite.AuthenticationMethod` + +The Reader role includes the permission. + +|*Azure Active Directory* + +tt:[24.8.2] +//RLP-128436 + +|*azure-active-directory-subscribed-sku* + +Additional permission required: + +* `Organization.Read.All` + +The Reader role includes the permission. + +|*Azure App Service* + +tt:[24.8.2] +//RLP-146757 + +|*azure-app-service-plan-diagnostic-settings* + +Additional permissions required: + +* `Microsoft.Web/serverfarms/Read` +* `Microsoft.Insights/DiagnosticSettings/Read` + +The Reader role includes the permissions. + +|tt:[Update] *Azure Storage* + +//RLP-146499, RLP-146500, RLP-146501, RLP-146502 + +|The following APIs are updated to include the `StorageAccountId` and `StorageAccountName` fields in the JSON resource configuration. This enhancement facilitates more complex joins and improved cross-referencing in RQL queries. + +* `azure-storage-account-blob-diagnostic-settings` +* `azure-storage-account-file-diagnostic-settings` +* `azure-storage-account-queue-diagnostic-settings` +* `azure-storage-account-table-diagnostic-settings` + +|*Google Cloud VMware Engine* + +tt:[24.8.2] +//RLP-124735 + +|*gcloud-vmware-engine-external-address* + +Additional permissions required: + +* `vmwareengine.privateClouds.list` +* `vmwareengine.externalAddresses.list` + +The Viewer role includes the permissions. + + +|*Google Cloud Domains* + +tt:[24.8.2] +//RLP-128080 + +|*gcloud-cloud-domains-registration* + +Additional permissions required: + +* `domains.registrations.list` +* `domains.registrations.getIamPolicy` + +The Viewer role includes the permissions. 
+ + +|*Google BigLake* + +tt:[24.8.2] +//RLP-146984 + +|*gcloud-biglake-catalog-database-table* + +Additional permissions required: + +* `biglake.catalogs.list` +* `biglake.databases.list` +* `biglake.tables.list` + +The Viewer role includes the permissions. + +|*Google BigLake* + +tt:[24.8.2] +//RLP-146983 + +|*gcloud-biglake-catalog-database* + +Additional permissions required: + +* `biglake.catalogs.list` +* `biglake.databases.list` + +The Viewer role includes the permissions. + +|*Google BigLake* + +tt:[24.8.2] +//RLP-146982 + +|*gcloud-biglake-catalog* + +Additional permission required: + +* `biglake.catalogs.list` + +The Viewer role includes the permission. + +|*Google BigQuery Data Transfer* + +tt:[24.8.2] +//RLP-146981 + +|*gcloud-bigquery-data-transfer-config* + +Additional permission required: + +* `bigquery.transfers.get` + +The Viewer role includes the permission. + + +|*AWS Systems Manager* + +tt:[24.8.1] +//RLP-145960 + +|*aws-ssm-service-setting* + +Additional permission required: + +* `ssm:GetServiceSetting` + +The Security Audit role includes the permission. + +|*AWS Systems Manager* + +tt:[24.8.1] +//RLP-145206 + +|*aws-ssm-session* + +Additional permission required: + +* `ssm:DescribeSessions` + +The Security Audit role includes the permission. + +|*AWS Web Application Firewall (WAF)* + +tt:[24.8.1] +//RLP-134184 + +|*aws-waf-v2-global-rule-group* + +Additional permissions required: + +* `wafv2:ListRuleGroups` +* `wafv2:GetRuleGroup` + +The Security Audit role includes the `wafv2:ListRuleGroups` permission. + +The Security Audit role does not include the `wafv2:GetRuleGroup` permission. You must manually add it to the CFT template to enable it. + +|*Azure Kusto* +//RLP-145859 + +tt:[24.8.1] + +|*azure-kusto-databases* + +Additional permissions required: + +* `Microsoft.Kusto/Clusters/read` +* `Microsoft.Kusto/Clusters/Databases/read` + +The Reader role includes the permissions. 
+ +|*Azure Active Directory* +//RLP-131021 + +tt:[24.8.1] + +|*azure-active-directory-authentication-strength-policy* + +Additional permission required: + +* `Policy.Read.All` + +The Reader role includes the permission. + + +|*Azure Monitor* +//RLP-145820 + +tt:[24.8.1] + +|*azure-monitor-data-collection-rules* + +Additional permission required: + +* `Microsoft.Insights/DataCollectionRules/Read` + +The Reader role includes the permission. + +|*Azure SQL Database* +//RLP-143840 + +tt:[24.8.1] + +|*azure-sql-vm* + +Additional permission required: + +* `Microsoft.SqlVirtualMachine/sqlVirtualMachines/read` + +The Reader role includes the permission. + +|*Azure Virtual Desktop* +//RLP-145868 + +tt:[24.8.1] + +|*azure-virtual-desktop-application-groups* + +Additional permission required: + +* `Microsoft.DesktopVirtualization/applicationgroups/read` + +The Reader role includes the permission. + +|*Google Application Integration* +//RLP-146020 + +tt:[24.8.1] + +|*gcloud-application-integration* + +Additional permissions required: + +* `integrations.integrations.list` +* `integrations.integrationVersions.list` + +The Viewer role includes the permissions. + +|*Google Backup and DR* +//RLP-146021 + +tt:[24.8.1] + +|*gcloud-backup-dr-management-server* + +Additional permissions required: + +* `backupdr.managementServers.list` +* `backupdr.managementServers.getIamPolicy` + +The Viewer role includes the permissions. + + +|*Google Cloud Scheduler* +//RLP-146022 + +tt:[24.8.1] + +|*gcloud-cloud-scheduler-job* + +Additional permission required: + +* `cloudscheduler.jobs.list` + +The Viewer role includes the permission. + +|=== + + +[#new-policies] +=== New Policies + +[cols="50%a,50%a"] +|=== +|*Policies* +|*Description* + +|*AWS API Gateway REST API execution logging disabled* + +tt:[24.8.2] +//RLP-147676 + +|This policy identifies AWS API Gateway REST API's that have disabled execution logging in their stages. 
+ +AWS API Gateway REST API is a service for creating and managing RESTful APIs integrated with backend services like Lambda and HTTP endpoints. Execution logs all the API activity logs to CloudWatch, which helps in incident response, security and compliance, troubleshooting, and monitoring. + +It is recommended to enable logging on the API Gateway REST API to track API activity. + +*Policy Severity—* Informational + +*Policy Type—* Config + +---- +config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = methodSettings.[].loggingLevel does not exist OR methodSettings.[].loggingLevel equal ignore case off as X; config from cloud.resource where api.name = 'aws-apigateway-get-rest-apis' as Y; filter ' $.X.restApi equal ignore case $.Y.id '; show Y; +---- + +|*AWS S3 access point Block public access setting disabled* + +tt:[24.8.2] +//RLP-147675 + +|This policy identifies AWS S3 access points with the block public access setting disabled. + +AWS S3 Access Point simplifies managing data access by creating unique access control policies for specific applications or users within a S3 bucket. The Amazon S3 Block Public Access feature manages access at the account, bucket, and access point levels. Each level's settings can be configured independently but cannot override more restrictive settings at higher levels. Instead, access point settings complement those at the account and bucket levels. + +It is recommended to enable the Block public access setting on a S3 access point unless intended for public exposure. 
+ +*Policy Severity—* Medium + +*Policy Type—* Config + +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3-access-point' AND json.rule = networkOrigin equal ignore case internet and (publicAccessBlockConfiguration does not exist or (publicAccessBlockConfiguration.blockPublicAcls is false and publicAccessBlockConfiguration.ignorePublicAcls is false and publicAccessBlockConfiguration.blockPublicPolicy is false and publicAccessBlockConfiguration.restrictPublicBuckets is false)) +---- + +|*AWS Secrets Manager secret configured with automatic rotation not rotated as scheduled* + +tt:[24.8.2] +//RLP-147729 + +|This policy identifies the AWS Secrets Manager secret not rotated successfully based on the rotation schedule. + +Secrets Manager stores secrets centrally, encrypts them automatically, controls access, and rotates secrets safely. By rotating secrets, you replace long-term secrets with short-term ones, limiting the risk of unauthorized use. If secrets fail to rotate in Secrets Manager, long-term secrets remain in use, increasing the risk of unauthorized access and potential data breaches. + +It is recommended that proper configuration and monitoring of the rotation process be ensured to mitigate these risks. + +*Policy Severity—* Informational + +*Policy Type—* Config + +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = 'lastRotatedDate exists and rotationEnabled is true and _DateTime.daysBetween($.lastRotatedDate,today()) > $.rotationRules.automaticallyAfterDays' +---- + +|*AWS S3 bucket with cross-account access* + +tt:[24.8.2] +//RLP-147726 + +|This policy identifies the AWS S3 bucket policy allows one or more of the actions (s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl) for a principal in another AWS account. 
+ +An S3 bucket policy that defines permissions and conditions for accessing an Amazon S3 bucket and its objects. Granting permissions like s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, and s3:PutObjectAcl to other AWS accounts can lead to unauthorized access and potential data breaches. + +It is recommended to review and remove permissions from the S3 bucket policy by deleting statements that grant access to restricted actions for other AWS accounts. + +*Policy Severity—* Medium + +*Policy Type—* Config + +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn and Principal.AWS does not contain $.accountId) and (Action contains "s3:Put*" or Action contains "s3:Delete*" or Action equals "*" or Action contains "s3:*" or Action is member of ('s3:DeleteBucketPolicy','s3:PutBucketAcl','s3:PutBucketPolicy','s3:PutEncryptionConfiguration','s3:PutObjectAcl') ))] exists +---- + + +|*AWS Lambda Function with administrative permissions* + +tt:[24.8.2] +//RLP-147712 + +|This policy identifies Lambda Functions granted administrative permissions, increasing the blast radius in case of a potential compromise of the function. + +*Policy Severity—* Medium + +*Policy Type—* IAM + +*Policy Subtype—* Permissions + +---- +config from iam where dest.cloud.type = 'AWS' AND action.access.isAdministrative = true AND source.cloud.service.name = 'lambda' +---- + + +|*Azure Function App with administrative permissions* + +tt:[24.8.2] +//RLP-147712 + +|This policy identifies Function App instances granted administrative permissions, increasing the blast radius in case of a potential compromise of the function. 
+ +*Policy Severity—* Medium + +*Policy Type—* IAM + +*Policy Subtype—* Permissions + +---- +config from iam where dest.cloud.type = 'AZURE' AND action.access.isAdministrative = true and source.cloud.service.name = 'microsoft.web' +---- + +|*Azure Database for MySQL flexible server public network access setting is enabled* + +tt:[24.8.2] +//RLP-36847 + +|This policy identifies Azure Database for MySQL flexible servers which have public network access setting enabled. + +Publicly accessible MySQL servers are vulnerable to external threats with risk of unauthorized access or may remotely exploit any vulnerabilities. + +As a best security practice, it is recommended to configure the MySQL servers with IP-based strict server-level firewall rules or virtual-network rules or private endpoints so that servers are accessible only to restricted entities. -image::cas-ai-ml-learning-category.png[] +*Policy Severity—* Medium -|*New Resource Classes Filter* +*Policy Type—* Config -tt:[Secure the Source] +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case Ready and firewallRules[*] is empty and properties.network.publicNetworkAccess equal ignore case Enabled +---- -tt:[24.8.1] -//BCE-37242 +|*Azure Database for MySQL flexible server firewall rule allow access to all IPv4 address* -|A new filter, *Resource Classes*, is now available under *Application Security > Inventory > IaC Resources*. This filter becomes active after you select a *Framework* from the inventory table. +tt:[24.8.2] +//RLP-36845 -*Resource Classes* provide a structured method for categorizing infrastructure resources based on their type, function, or other relevant criteria. This helps streamline the filtering and management of assets within the IaC inventory. 
Supported options for *Resource Classes* include— *Compute, Storage, Network, Identity & Security, Database, AI and Machine Learning, Analytics, Code*, and *Others*. For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/cloud-and-software-inventory/iac-resources#resource-class[Resource Class.] +|This policy identifies Azure Database for MySQL flexible servers which have firewall rule allowing access to all IPV4 address. -image::resource-classes-filter-apsec.png[] +MySQL server having a firewall rule with start IP being 0.0.0.0 and end IP being 255.255.255.255 (i.e. all IPv4 addresses) would allow access to server from any host on the internet. Allowing access to all IPv4 addresses expands the potential attack surface and exposes the MySQL server to increased threats.Allowing access to all IPv4 addresses expands the potential attack surface and exposes the MySQL server to increased threats. -|*Blocklist Resource Control* +As a best security practice, it is recommended to configure the MySQL servers with restricted IP-based server-level firewall rules so that servers are accessible only to restricted entities. -tt:[Secure the Source] +*Policy Severity—* Medium -tt:[24.8.1] -//BCE-37258 +*Policy Type—* Config -|You can now define granular resource controls to allow or block any use of specific resource types defined in Terraform, enabling you to create blocklists that specify which resources are restricted within your environment, enhancing security and compliance by preventing unauthorized resource usage. For more details, see https://docs.prismacloud.io/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples#resource-blocklist[example blocklist]. 
+---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case Ready and properties.network.publicNetworkAccess equal ignore case Enabled and firewallRules[?any(properties.startIpAddress equals 0.0.0.0 and properties.endIpAddress equals 255.255.255.255)] exists +---- +|*Azure Event Hub Namespace having authorization rules except RootManageSharedAccessKey* -|=== +tt:[24.8.2] +//RLP-36090 +|This policy identifies Azure Event Hub Namespaces which have authorization rules except RootManageSharedAccessKey. -[#api-ingestions] -=== API Ingestions +Having Azure Event Hub namespace authorization rules other than 'RootManageSharedAccessKey' could provide access to all queues and topics under the namespace which pose a risk if these additional rules are not properly managed or secured. -[cols="30%a,70%a"] -|=== -|*Service* -|*API Details* +As best practice, it is recommended to remove Event Hub namespace authorization rules other than RootManageSharedAccessKey and create access policies at the entity level, which provide access to only that specific entity for queues and topics. -|*AWS Systems Manager* +*Policy Severity—* Informational -tt:[24.8.1] -//RLP-145960 +*Policy Type—* Config -|*aws-ssm-service-setting* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-event-hub-namespace' AND json.rule = authorizationRules[*].name exists and authorizationRules[?any(name does not equal RootManageSharedAccessKey)] exists +---- -Additional permission required: +|*Azure Event Hub Instance not defined with authorization rule* -* `ssm:GetServiceSetting` +tt:[24.8.2] +//RLP-36089 -The Security Audit role includes the permission. +|This policy identifies Azure Event Hub Instances that are not defined with authorization rules. 
-|*AWS Systems Manager* +If the Azure Event Hub Instance authorization rule is not defined, there is a heightened risk of unauthorized access to the event hub data and resources. This could potentially lead to unauthorized data retrieval, tampering, or disruption of the event hub operations. Defining proper authorization rules helps mitigate these risks by controlling and restricting access to the event hub resources. -tt:[24.8.1] -//RLP-145206 +As a best practice, it is recommended to define the least privilege security model access policies at Event Hub Instance. -|*aws-ssm-session* +*Policy Severity—* Informational -Additional permission required: +*Policy Type—* Config -* `ssm:DescribeSessions` +---- +config from cloud.resource where api.name = 'azure-event-hub-namespace' AND json.rule = properties.disableLocalAuth is false as X; config from cloud.resource where api.name = 'azure-event-hub' AND json.rule = properties.status equal ignore case ACTIVE and authorizationRules[*] is empty as Y; filter '$.Y.id contains $.X.name'; show Y; +---- -The Security Audit role includes the permission. +|*Azure user not restricted to create Microsoft Entra Security Group* -|*AWS Web Application Firewall (WAF)* +tt:[24.8.2] +//RLP-147323 -tt:[24.8.1] -//RLP-134184 +|This policy identifies instances in the Microsoft Entra ID configuration where security group creation is not restricted to administrators only. -|*aws-waf-v2-global-rule-group* +When the ability to create security groups is enabled, all users in the directory can create new groups and add members to them. Unless there is a specific business need for this broad access, it is best to limit the creation of security groups to administrators only. -Additional permissions required: +As a best practice, it is recommended to restrict the ability to create Microsoft Entra Security Groups to administrators only. 
-* `wafv2:ListRuleGroups` -* `wafv2:GetRuleGroup` +*Policy Severity—* Low -The Security Audit role includes the `wafv2:ListRuleGroups` permission. +*Policy Type—* Config -The Security Audit role does not include the `wafv2:GetRuleGroup` permission. You must manually add it to the CFT template to enable it. +---- +config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true +---- -|*Azure Kusto* -//RLP-145859 +|*Azure Guest User Invite not restricted to users with specific admin role* -tt:[24.8.1] +tt:[24.8.2] +//RLP-147320 -|*azure-kusto-databases* +|This policy identifies instances in the Microsoft Entra ID configuration where guest user invitations are not restricted to specific administrative roles. -Additional permissions required: +Allowing anyone in the organization, including guests and non-admins, to invite guest users can lead to unauthorized access and potential data breaches. This unrestricted access poses a significant security risk. -* `Microsoft.Kusto/Clusters/read` -* `Microsoft.Kusto/Clusters/Databases/read` +As a best practice, it is recommended to configure guest user invites to specific admin roles. This will ensure that only authorized personnel can invite guests, maintaining tighter control over access to cloud resources. -The Reader role includes the permissions. 
+*Policy Severity—* Medium -|*Azure Active Directory* -//RLP-131021 +*Policy Type—* Config -tt:[24.8.1] +---- +config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-active-directory-authorization-policy' AND json.rule = not (allowInvitesFrom equal ignore case adminsAndGuestInviters OR allowInvitesFrom equal ignore case none) +---- -|*azure-active-directory-authentication-strength-policy* +|*Azure Machine learning compute instance configured with public IP* -Additional permission required: +tt:[24.8.2] +//RLP-146434 -* `Policy.Read.All` +|This policy identifies Azure Machine Learning compute instances which are configured with public IP. -The Reader role includes the permission. +Configuring an Azure Machine Learning compute instance with a public IP exposes it to significant security risks, including unauthorized access and cyber-attacks. This setup increases the likelihood of data breaches, where sensitive information and intellectual property could be accessed by unauthorized individuals, leading to potential data leakage and loss. +As a best practice, it is recommended not to configure Azure Machine Learning instances with public IP. -|*Azure Monitor* -//RLP-145820 +*Policy Severity—* Medium -tt:[24.8.1] +*Policy Type—* Config -|*azure-monitor-data-collection-rules* +---- +config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-machine-learning-compute' AND json.rule = properties.provisioningState equal ignore case Succeeded AND properties.properties.connectivityEndpoints.publicIpAddress exists AND properties.properties.connectivityEndpoints.publicIpAddress does not equal ignore case "null" +---- -Additional permission required: -* `Microsoft.Insights/DataCollectionRules/Read` +|*Cloud Service account is inactive for 90 days* -The Reader role includes the permission. 
+tt:[24.8.2] +//RLP-147712 -|*Azure SQL Database* -//RLP-143840 +|This policy identifies cloud service accounts in Azure, AWS, and GCP that have not been used in the last 90 days. -tt:[24.8.1] +*Policy Severity—* Low -|*azure-sql-vm* +*Policy Type—* IAM -Additional permission required: +*Policy Subtype—* Permissions -* `Microsoft.SqlVirtualMachine/sqlVirtualMachines/read` +---- +config from iam where grantedby.cloud.entity.type IN ( 'role', 'serviceaccount', 'service principal', 'user assigned', 'system assigned' ) AND grantedby.cloud.entity.lastlogin.days > 90 +---- -The Reader role includes the permission. +|*Cloud Service account with Metadata Write Permissions is inactive for 90 days* -|*Azure Virtual Desktop* -//RLP-145868 +tt:[24.8.2] +//RLP-147712 -tt:[24.8.1] +|This policy identifies cloud service accounts in Azure, AWS, and GCP that have not been used in the last 90 days and hold Metadata Write permissions. -|*azure-virtual-desktop-application-groups* +*Policy Severity—* Low -Additional permission required: +*Policy Type—* IAM -* `Microsoft.DesktopVirtualization/applicationgroups/read` +*Policy Subtype—* Permissions -The Reader role includes the permission. +---- +config from iam where grantedby.cloud.entity.type IN ( 'role', 'serviceaccount', 'service principal', 'user assigned', 'system assigned' ) AND grantedby.cloud.entity.lastlogin.days > 90 AND action.access.level = 'Metadata Write' +---- -|*Google Application Integration* -//RLP-146020 +|*Cloud Service account with Metadata Read Permissions is inactive for 90 days* -tt:[24.8.1] +tt:[24.8.2] +//RLP-147712 -|*gcloud-application-integration* +|This policy identifies cloud service accounts in Azure, AWS and GCP that have not been used in the last 90 days and hold Metadata Read permissions. -Additional permissions required: +*Policy Severity—* Low -* `integrations.integrations.list` -* `integrations.integrationVersions.list` +*Policy Type—* IAM -The Viewer role includes the permissions. 
+*Policy Subtype—* Permissions -|*Google Backup and DR* -//RLP-146021 +---- +config from iam where grantedby.cloud.entity.type IN ( 'role', 'serviceaccount', 'service principal', 'user assigned', 'system assigned' ) AND grantedby.cloud.entity.lastlogin.days > 90 AND action.access.level = 'Metadata Read' +---- -tt:[24.8.1] +|*Cloud Service account with Data Write Permissions is inactive for 90 days* -|*gcloud-backup-dr-management-server* +tt:[24.8.2] +//RLP-147712 -Additional permissions required: +|This policy identifies cloud service accounts in Azure, AWS and GCP that have not been used in the last 90 days and hold Data Write permissions. -* `backupdr.managementServers.list` -* `backupdr.managementServers.getIamPolicy` +*Policy Severity—* Low -The Viewer role includes the permissions. +*Policy Type—* IAM +*Policy Subtype—* Permissions -|*Google Cloud Scheduler* -//RLP-146022 +---- +config from iam where grantedby.cloud.entity.type IN ( 'role', 'serviceaccount', 'service principal', 'user assigned', 'system assigned' ) AND grantedby.cloud.entity.lastlogin.days > 90 AND action.access.level = 'Data Write' +---- -tt:[24.8.1] +|*Cloud Service account with Data Read Permissions is inactive for 90 days* -|*gcloud-cloud-scheduler-job* +tt:[24.8.2] +//RLP-147712 -Additional permission required: +|This policy identifies cloud service accounts in Azure, AWS and GCP that have not been used in the last 90 days and hold Data Read permissions. -* `cloudscheduler.jobs.list` +*Policy Severity—* Low -The Viewer role includes the permission. 
+*Policy Type—* IAM -|=== +*Policy Subtype—* Permissions +---- +config from iam where grantedby.cloud.entity.type IN ( 'role', 'serviceaccount', 'service principal', 'user assigned', 'system assigned' ) AND grantedby.cloud.entity.lastlogin.days > 90 AND action.access.level = 'Data Read' +---- -[#new-policies] -=== New Policies -[cols="50%a,50%a"] -|=== -|*Policies* -|*Description* |*AWS FSx for OpenZFS file systems not configured to copy tags to backups or volumes* @@ -773,6 +1419,7 @@ config from iam where source.cloud.type = 'GCP' AND dest.cloud.type = 'AWS' and |=== + [#policy-updates] === Policy Updates 
@@ -783,6 +1430,36 @@ config from iam where source.cloud.type = 'GCP' AND dest.cloud.type = 'AWS' and 2+|*Policy Updates—RQL and Metadata* +|*AWS SageMaker endpoint data encryption at rest not configured with CMK* +//RLP-147139 + +tt:[24.8.2] + +|*Changes—* The policy name and description are updated. + +*Current Policy Name—* AWS SageMaker endpoint data encryption at rest not configured + +*Updated Policy Name—* AWS SageMaker endpoint data encryption at rest not configured with CMK + +*Current Policy Description—* This policy identifies AWS SageMaker Endpoints not configured with data encryption at rest. + +AWS SageMaker Endpoint configuration defines the resources and settings for deploying machine learning models to SageMaker endpoints. By default, SageMaker Endpoints are not encrypted at rest. Enabling the encryption helps protect the integrity and confidentiality of the data on the storage volume attached to the ML compute instance that hosts the endpoint. + +It is recommended to set encryption at rest to mitigate the risk of unauthorized access and potential data breaches. + +*Updated Policy Description—* This policy identifies AWS SageMaker Endpoints not configured with data encryption at rest. + +AWS SageMaker Endpoint configuration defines the resources and settings for deploying machine learning models to SageMaker endpoints. By default, SageMaker encryption uses transient keys if a KMS key is not specified, which does not provide the control and management benefits of *AWS Customer Managed KMS Key*. Enabling the encryption helps protect the integrity and confidentiality of the data on the storage volume attached to the ML compute instance that hosts the endpoint. + +It is recommended to set encryption at rest to mitigate the risk of unauthorized access and potential data breaches. + +*Policy Severity—* High + +*Policy Type—* Config + +*Impact—* No impact on alerts. + + |*GCP GKE unsupported Master node version* //RLP-146735 
@@ -1648,53 +2325,74 @@ It is recommended to enable 2-Step Verification for all Super Admins as it provi |*Compliance Benchmark* |*Description* -|*CIS Controls v8.1* +|*SEBI - Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF)* -tt:[24.8.1] -//RLP-146766 +tt:[24.8.2] +//RLP-147789, RLP-147728 -|Prisma Cloud now includes support for the CIS Critical Security Control v8.1 ensuring that your compliance monitoring is based on the latest cybersecurity best practices. This update introduces refined compliance checks, enhanced security profiles, improved reporting functionalities, and actionable remediation recommendations. +|Prisma Cloud now supports Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) released by the Securities and Exchange Board of India (SEBI). CSCRF aims to establish a unified framework that encompasses various strategies to safeguard REs (Regulated Entities) and Market Infrastructure Institutions (MIIs) against cyber risks and incidents. -You can now view the built-in standard and the associated policies on the *Compliance > Standards* page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. +You can view this built-in standard and the associated policies on the *Compliance > Standards* page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. -|=== +|*Secure Controls Framework (SCF) - 2024.2* -[#changes-in-existing-behavior] -=== Changes in Existing Behavior +tt:[24.8.2] +//RLP-147607 -[cols="50%a,50%a"] -|=== -|*Feature* -|*Description* +|Prisma Cloud has been updated to incorporate support for the Secure Controls Framework (SCF) - 2024.2, providing a comprehensive approach to both cybersecurity and privacy practices for safeguarding organizational information assets. 
The SCF's latest version elaborates on the refinement of current controls, introduces new controls tailored to counteract recent threats and technological advancements, ensures alignment with the most current compliance mandates, and integrates modifications driven by input from the community and industry professionals. -|*Role-Based Access Control for Compliance and Alert Reports* +You can view this built-in standard and the associated policies on the *Compliance > Standards* page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. -tt:[24.8.1] -//RLP-140182 -|User-generated reports will only be visible to System Administrators and to users with the same role. +|*NIST SP 800-171 Revision 3* -Implementing Role-Based Access Control (RBAC) enhances data security by streamlining report access for users with the same role, while also preventing unauthorized access. +tt:[24.8.2] +//RLP-147678 +|Prisma Cloud now supports the latest version of NIST SP 800-171 Revision 3. This updated includes significant updates to the publication’s control families, security controls and new Prisma cloud policies are mapped to the controls increasing the overall coverage. -|*Create or Update Policy Permissions* +You can view this built-in standard and the associated policies on the *Compliance > Standards* page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. -tt:[24.8.1] -//RLP-139027 +|*Update for CIS AWS Foundation Benchmark* -|The Create/Update Policy Permissions are divided into the two granular permissions as follows: +tt:[24.8.2] +//RLP-147548 -* Policy -* Manage Policy Compliance Mapping +|New Policy mappings are added to both Level 1 and Level 2 of CIS AWS Foundation benchmark v2.0.0 and CIS AWS Foundation benchmark v3.0.0 to improve policy mapping coverage. 
-*Impact—* +*Impact—* As new mappings are introduced, compliance scoring might vary. -* Users managing new custom permission groups must select both permissions explicitly if they want to assign compliance mappings during policy create/update operation. -* Manage policy compliance mapping is added by default to all existing permission groups with policy create/update permissions. +|*Update for CIS Microsoft Azure Foundation Benchmark* + +tt:[24.8.2] +//RLP-147442 + +|New Policy mappings are added to both Level 1 and Level 2 of CIS Microsoft Azure Foundation benchmark v2.0.0 and CIS AWS Foundation benchmark v2.1.0 to improve policy mapping coverage. +*Impact—* As new mappings are introduced, compliance scoring might vary. + +|*Update for GDPR* + +tt:[24.8.2] +//RLP-147541 + +|New Policy mappings are added to the GDPR compliance standard. + +*Impact—* As new mappings are introduced, compliance scoring might vary. + + +|*CIS Controls v8.1* + +tt:[24.8.1] +//RLP-146766 + +|Prisma Cloud now includes support for the CIS Critical Security Control v8.1 ensuring that your compliance monitoring is based on the latest cybersecurity best practices. This update introduces refined compliance checks, enhanced security profiles, improved reporting functionalities, and actionable remediation recommendations. + +You can now view the built-in standard and the associated policies on the *Compliance > Standards* page. You can also generate reports for immediate viewing or download, or schedule recurring reports to track this compliance standard over time. |=== + [#rest-api-updates] === REST API Updates 
@@ -1703,6 +2401,13 @@ tt:[24.8.1] |*Change* |*Description* +|*Vulnerabilities Dashboard API* + +tt:[24.8.2] +//RLP-147609 + +|A new *View* query parameter is added to the https://pan.dev/prisma-cloud/api/cspm/vulnerabilities-search-api/[Get Vulnerabilities by RQL] API. When searching for vulnerabilities using an RQL query, you can view the details by CVE or Asset. This parameter allows you to get the vulnerabilities details based on the CVE view or Asset view. + |*Policy API* tt:[24.8.1] 
@@ -1730,12 +2435,47 @@ tt:[24.8.1] |=== -//[#deprecation-notices] -//=== Deprecation Notices +[#deprecation-notices] +=== Deprecation Notices + +[cols="37%a,63%a"] +|=== + +|*Change* +|*Description* + +|tt:[*End of Support for Azure Time Series Insights and Azure Data Catalog Services*] +//RLP-147490 + +tt:[24.8.2] + +|The following APIs are deprecated since Azure has announced the retirement of Azure Time Series Insights and Azure Data Catalog Services. Due to this deprecation, Prisma Cloud will no longer ingest metadata for the following APIs: + +* `azure-timeseriesinsights-environments` +* `azure-datacatalog-catalog` + +When running an RQL query, the key will not be available in the `api.name` attribute auto-completion. + +*Impact—* If you have a saved search or custom policies based on these APIs, you must delete them manually. The policy alerts will be resolved as *Policy_Deleted*. + +|=== + +[#end-of-sale] +=== End of Sale Notice + +[cols="50%a,50%a"] +|=== +|*Feature* +|*Description* + +|*Prisma Cloud Data Security* + +|With the GA release of Prisma Cloud DSPM and AI-SPM, Prisma Cloud Data Security (PCDS) module is now in the End of Sale (EOS) status. Note the following important dates: + +* PCDS EOS will be effective on August 31, 2024. +* Prisma Cloud tenants will no longer be able to subscribe to the PCDS module after September 1, 2024. +* PCDS subscribed tenants can continue to use the PCDS module until its End of Life. +* End of Life/End of Support will be effective on August 31, 2025 (one year after EOS). -//[cols="37%a,63%a"] -//|=== -//|*Change* -//|*Description* +|=== -//|===
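Review bot: In the New Policies hunk (the run of lines preceding the `@@ -773,6 +1419,7 @@` header), the `-` lines delete the whole `[#api-ingestions]` section with its 24.8.1 rows (`aws-ssm-service-setting`, `aws-ssm-session`, `aws-waf-v2-global-rule-group`, `azure-kusto-databases`, `azure-active-directory-authentication-strength-policy`, `azure-monitor-data-collection-rules`, `azure-sql-vm`, `azure-virtual-desktop-application-groups`, `gcloud-application-integration`, `gcloud-backup-dr-management-server`, `gcloud-cloud-scheduler-job`) and their permission notes; confirm those rows are re-added elsewhere in the patch rather than dropped, since the 24.8.1 release notes still need them. In the same hunk, the *Azure Event Hub Instance not defined with authorization rule* RQL joins namespace to event hub with `filter '$.Y.id contains $.X.name'`; a plain substring match on the namespace name will also match event hubs under any namespace whose name merely contains that string (a namespace `hubs` matches hubs under `hubs-prod`), so consider matching on the full id path segment or on the namespace id instead. That query also omits the `cloud.type = 'azure'` predicate that every other Azure policy in the hunk carries.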
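Review bot: In the `@@ -783,6 +1430,36 @@` hunk, the *Updated Policy Description* still opens with the unchanged sentence `This policy identifies AWS SageMaker Endpoints not configured with data encryption at rest.`, while the updated policy name narrows the check to encryption `with CMK`; the first sentence should state that the endpoint is not encrypted with an AWS customer managed KMS key, otherwise the description contradicts the new name. The row also says `*Changes—* The policy name and description are updated.` and asserts `*Impact—* No impact on alerts.`, but a policy renamed to target CMK usage normally implies a tightened RQL; if the query did change, show it here, and if it did not, say explicitly that only metadata changed so the no-impact claim is verifiable.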
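Review bot: In the `@@ -1648,53 +2325,74 @@` hunk, the *Update for CIS Microsoft Azure Foundation Benchmark* row reads `CIS Microsoft Azure Foundation benchmark v2.0.0 and CIS AWS Foundation benchmark v2.1.0`; the second name looks copied from the AWS row above and should presumably be the Azure benchmark v2.1.0, please confirm. That row is also missing the blank line before `*Impact—*` that the AWS and GDPR rows have, so the two paragraphs will run together in the rendered table. The NIST SP 800-171 row has two typos: `This updated includes significant updates` (should be `This update includes`) and `new Prisma cloud policies` (should be `Prisma Cloud`). Separately, the `-` lines remove the `[#changes-in-existing-behavior]` section (RBAC for compliance and alert reports, and the Create/Update Policy permissions split); verify that section is relocated elsewhere in the patch rather than dropped, since it documents 24.8.1 behaviour changes.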
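Review bot: In the `@@ -1703,6 +2401,13 @@` hunk, the *Vulnerabilities Dashboard API* row introduces a `*View*` query parameter without giving its exact name as sent on the wire (query parameter names are case-sensitive), its accepted values (the text implies CVE and Asset) or its default when omitted; list those three things so callers of the Get Vulnerabilities by RQL endpoint can use the parameter from the release note alone.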
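Review bot: In the `@@ -1730,12 +2435,47 @@` hunk, the End of Sale dates are ambiguous: `PCDS EOS will be effective on August 31, 2024` together with `no longer be able to subscribe to the PCDS module after September 1, 2024` leaves September 1 as an apparent one-day window; align the two statements (for example `on or after September 1, 2024`). In the deprecation row the bold markup is placed inside the macro as `tt:[*End of Support for Azure Time Series Insights and Azure Data Catalog Services*]`, whereas every other row in this file puts the bold title first and `tt:[24.8.2]` on its own line; follow the existing pattern. The `*Impact—*` sentence should also state whether alerts on the two retired APIs are resolved automatically or only once the user deletes the dependent saved searches and custom policies, since it currently says both that deletion is manual and that alerts `will be resolved as *Policy_Deleted*`.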