[Cloud Security] PCSUP-22206 #770

Open
wants to merge 3 commits into
base: main
Expand Up @@ -9,6 +9,14 @@ The Cloud Network Analyzer (CNA) engine of Prisma Cloud calculates the external

Each attribute allows you to narrow your search criteria. As you use these attributes, the auto-suggestion capability shows the available expressions and xref:../rql-operators.adoc[operators] that are applicable for each attribute. In order for the network configuration query to be valid, you need to specify at least one `source` , one `dest` (destination), and one `cloud.type` attribute. You can only use the `and` operator in the RQL query. Use `=` to specify a single value and `in` to specify comma separated values (csv).

Prisma Cloud includes improved handling of internet exposure caused by assets deployed in VPCs that use public CIDR blocks. It now generates new alerts in the following cases:

* Inbound OOB policy to AWS EC2 instances are shown as directly exposed even if the ENI has no public IP.

* Inbound OOB policy to an interface (with private IP that is a public IP) is shown as exposed even if the interface is not behind a load balancer as long as security considerations allow the packet.

Prisma Cloud resolves alerts for outbound OOB policy which has a *Instance (with private IP that is a public IP in this case) > NAT Gateway > Internet Gateway > Internet* path because NAT Gateway drops traffic for the packet which has the source IP as a public IP in the outbound path.

[NOTE]
====
Any IP addresses or CIDR that you have not defined as xref:../../administration/trusted-ip-addresses-on-prisma-cloud.adoc[Trusted IP Addresses on Prisma Cloud] and are not part of your cloud environment are considered as UNTRUST_INTERNET.
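Review bot: the first added bullet ("Inbound OOB policy to AWS EC2 instances are shown as directly exposed") has a subject/verb mismatch and uses the abbreviation "OOB", while the release-notes entry in this same change writes "OOTB" for out-of-the-box policies; use one abbreviation throughout and change "are shown" to "is shown". In the second bullet, "as long as security considerations allow the packet" is too vague for a statement about how exposure is computed; name the controls the engine actually evaluates on the path instead of "security considerations". In the following paragraph, "a *Instance" should read "an *Instance", and the parenthetical "(with private IP that is a public IP in this case)" is hard to parse; rephrase it as an instance whose private address falls in a public CIDR block, which is the case the paragraph above introduces.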
Expand Up @@ -117,7 +117,7 @@ tt:[Secure the Infrastructure]

|The Cloud Network Analyzer (CNA) includes the following enhancements:

* Improved handling of internet exposure caused by assets deployed in VPCs that use public CIDR blocks.
* Improved handling of internet exposure caused by assets deployed in VPCs that use public https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-config-query-attributes[CIDR] blocks.
* _AWS EC2 instance with unrestricted outbound access to internet_ policy now generates alerts when a device is configured as a NAT.
* Support for Azure Service tags IP ranges in path exposure calculation.
* Azure OOTB policy that detects inbound exposure now supports DestinationAddressPrefix analysis in Azure NSG.
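Review bot: the replacement line switches from the xref: cross-reference style used in the attributes topic (xref:../rql-operators.adoc[operators]) to an absolute https://docs.prismacloud.io/... URL; an absolute link to the published site will not resolve in local or branch previews and hard-codes the enterprise-edition path, so point to network-config-query-attributes.adoc with an xref instead. Also consider anchoring the link on "public CIDR blocks" rather than the bare word "CIDR", since the new paragraph in the target topic is about handling of public CIDR blocks, not the definition of CIDR.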