New features in Container Security

Introduces the ability to better control which Defenders perform registry scans. You can now utilize collections to select Defenders for registry scanning, setting scope by hostname and AWS tags.

Implements a more robust runtime protection mechanism for App-Embedded Defenders based on ptrace. App-Embedded Defender protects AWS Fargate tasks, and containers in other Container-as-a-Service offerings, including Azure Container Instance and Google Cloud Run. As part of this change, Prisma Cloud now ships with a default runtime rule for App-Embedded Defenders.

Adds the ability for App-Embedded Defenders to assess containers in Fargate tasks for vulnerability and compliance issues.

Enhances the output from twistcli for image scans. When specifying --output-file, twistcli exports scan data to a local JSON file. The schema is now considered stable, and the structure will be maintained in future releases. In order to stabilize for the future, there are some breaking changes in the schema between 21.04 (this release) and 20.12 (the previous release). See the section on breaking changes for full details.

Introduces a new compliance template for the Docker Enterprise DISA STIG.

Adds a new control to container runtime rules that detects suspicious privilege escalation by watching for binaries with the setuid bit that are executed in your containers.

New features in Host Security

Adds the ability to discover VMs in your AWS, Azure, and GCP cloud accounts, and auto-deploy Host Defender to unprotected EC2 instances in your AWS accounts.

Adds support for host OS-specific compliance benchmarks, specifically:
Amazon Linux (CIS Amazon Linux Benchmark v2.1.0)
Amazon Linux 2 (CIS Amazon Linux 2 Benchmark v1.0.0)

Improved host runtime capabilities:
All anti-malware and exploit prevention capabilities in a single tab
Separate effect for all anti-malware, exploit prevention and networking capabilities
New anti-malware capabilities:
Detection of non packaged binaries
Encrypted/packed binaries
Trusted executables by hash
Improved cryptominer detection
WildFire analysis
Added webshell detection for anti-exploit
Added allow list for IP and DNS on networking capabilities

New features in Serverless Security

Improves how you scope the serverless functions to scan. Scan scopes now include all regions in a cloud account, and collections now let you target specific resources by region and tag.

Enhances handling for AWS Lambda layers. Lambda layers are now also scanned for vulnerability and compliance issues. Scan reports show where issues are found (in the Lambda function itself, or a dependent layer).

New features in Shift Left Security

Introduces the ability to set and enforce a license policy for package dependencies in code repository scans.

Adds support for scanning code repositories with twistcli and the Jenkins plugin.

Adds support for the Go language for code repository scanning.

New features in WAAS

Improves WAAS’s API protection capabilities. WAAS can now produce a report of discovered API endpoints and usage statistics. The report can be exported as an OpenAPI file, and imported back into WAAS for enforcement.

Adds support to WAAS API protection for validating body, header, and formData parameters.

Adds custom rules for WAAS, which let you describe and detect discrete conditions in requests and responses.

Enhances WAAS policy rules:
Automatically assigning and enforcing unique app IDs for each rule in a WAAS policy.
Adding support for enabling, disabling, copying, importing, and exporting WAAS rules.
Adding the ability to export the entire WAAS policy.
Auditing all triggered alerts.
DoS protection: separating burst and average rates for alerting and banning.
Access control: separating denied inbound source IPs and source countries for alert and prevent effects.
Adding response header names and status code fields to all WAAS events.
Adding an "Entities in scope" column for host and container rules.
Adding a "Protection" dimension to the analytics view (supported dimensions: Firewall, DoS, Bot, Custom, Access Control).

Introduces reCAPTCHA integration for advanced bot detection.

Adds the ability to customize the page WAAS displays in response to a block action. You can customize the page template (HTTP) and response code.

Improves the usability of the WAAS audit timeline graph. You can now dynamically adjust the date filter by clicking and selecting the area of interest.

DISA STIG scan findings and justifications

Breaking changes

For Fargate and App-Embedded Defenders: Until this release, Prisma Cloud kept the task running if the connectivity to Console failed because of corrupt installation bundles (we just log and run the task anyway). Now, if a task is failing or is in an error state, Prisma Cloud doesn’t allow connections back to Console.

Compliance Explorer has been refactored to make it easier to understand how your environments, and segments of your environment, comply to policy. Because the structure of the data has changed, existing compliance statistics will be deleted on upgrade. Also:
CSV export for the main table have changed according to the new table structure.
CSV export for the compliance check dialog table have changed. The CSV will be taken from the download API for images, containers, hosts, and serverless pages.
Compliance metrics in Radar’s sidebar have been updated to align with the new data and structure in Compliance Explorer.
Istio compliance checks opened from Compliance explorer don’t have a list of affected resources in the dialog.

Prometheus compliance fields have changed. Up until this release, Prisma Cloud had metrics by impacted resources (e.g. images_critical_compliance). Now we provide the total number of failed checks by severity. The new metrics are:
low_compliance - Total number of low severity failed compliance checks.
medium_compliance - Total number of medium severity failed compliance checks.
high_compliance - Total number of high severity failed compliance checks.
critical_compliance - Total number of critical severity failed compliance checks.

The JSON file output from twistcli image scans has the following schema changes:
Publish date - name changed, date format instead of days.
Discovered date - name changed, date format instead of days.
Risk factors - string array instead of an empty JSON format.

The twistcli flag --include-package-files has been deprecated and removed.

If you’re using Kubernetes auditing, you must redeploy the AuditSink after upgrading. Console’s certificate might be renewed during upgrade, so your cluster won’t be able to send audits to Prisma Cloud Console.

Starting with this release, only users with the administrator role can download debug logs and create backups. The operator and auditor roles can no longer perform these actions. The artifacts from these actions contain sensitive information that could be used to escalate privileges in Prisma Cloud. Only admins can:
Download debug logs from
Manage > Logs > Console
.
Create backups from
Manage > System > Backup & restore
.

The Access User role lost all of its permissions, except access to some generally available API endpoints that are open to all authenticated users. Access Users will no longer be able to login to the Console UI. This role will be removed in the next release. As a reminder, the Access User role was originally designed for users to install certificates as part of a mechanism to control access to Docker commands.

Defender Manager user role (Mapped to "Cloud Provisioning Admin" permission group on SaaS) will no longer be able to perform CI scans.

As part of the work to introduce the new ATT&CK dashboard, all audits will be discarded on upgrade.

Installations using legacy host based licensing will not have the WAAS feature available

Due to reuse of network ranges in customer VPCs defenders on different clusters have the same name therefore host names were renamed. Therefore, upon defender upgrade the old defender will appear at console as disconnected until automatically removed by the console. The upgraded defender will appear under it’s new format name. Note: if the old defender(s) was specifically selected for registry scan, it will be needed to be reselected with their updated name New format names listed below:
AWS format: hostname ⇒ hostname-unique AWS instance ID For example: ip-172-31-80-18.ec2.internal ⇒ ip-172-31-80-18.ec2.internal-i-07dca3f58ecf1e48a
Azure format: hostname ⇒ hostname-custom resource group name-subscription ID For example: aks-agentpool-16678185-vmss000000 ⇒ aks-agentpool-16678185-vmss000000-MC_alexs-aks_alexs-aks_eastus-ae02981e-e1bd-49ec-ad81-801f157a944e

Customers using automatic upgrade of defender may see vulnerabiliteis reported on their defenders. This is due to the fact that the automatic upgrade replaces the binary during while the vulenabilit(ies) exist on the base layer. In order to fix this, manual upgrade of the defenders will need to be performed

Breaking changes in the API

Deprecated this release

The Registry scanner role for Defenders has been deprecated and removed. Starting this release, Defenders are selected to perform registry scanning based on collections. To determine which Defenders are part of the scanner pool, filter the table in
Manage > Defenders > Manage > Defenders
by collection.

The
Roles
column in the table in
Manage > Defenders > Manage > Defenders
has been deprecated and removed. Defenders can no longer have the
Registry scanner
role (see above). Also, the table already contains data to show if a Defender has the
Docker proxy
role. See the
Listerner type
column in the table in
Manage > Defenders > Manage > Defenders
. If listener type is set to
TCP Socket
, Defender acts as a Docker proxy.

Compliance check 420, Image is not updated to latest, has been deprecated and removed from the product.

As part of the work to improve runtime support for App-Embedded Defenders, explicitly denied lists in App-Embedded runtime rules have been deprecated. By default, everything is denied unless explicitly allow-listed.

Upcoming deprecations

The
Access User
role will be deprecated in the next release (code-named Iverson).