New features in the core platform

Log in to the Palo Alto Networks Customer Support Portal.
Go to
Updates > Software Updates
and select
Prisma Cloud Compute Edition
.

Enhanced scoping options for vulnerability tags

Vulnerability tags are predefined labels that can help you manage the vulnerabilities in your environment. For enhanced exception and metadata reporting on vulnerabilities, Prisma Cloud allows you to granularly tag vulnerabilities based on CVE ID, package, and resources.

Use the
Manage > Collections and tags > Tags
page to assign a tag to a CVE for a single package, or for all the packages affected by it. You will also be able to assign a tag to a specific resource such as ubuntu:18.04, resources defined using wildcards (for example, ubuntu:*), and to multiple or all the resources across your environment.
For container images, when you assign the tag to a base image, Prisma Cloud automatically assigns the tag to all its descendant images.

Organization-level credentials for GCP

You can now use your organization-level credentials for GCP to enable Prisma Cloud to find and scan all projects in your GCP organization resource hierarchy. With the support for organization-level credentials, capabilities such as cloud discovery and registry scanning are simplified and you do not need to create credentials for each project.

Log DNS queries in forensics

To investigate incidents and events that occur in your environment, the forensics capabilities with recording DNS queries are extended to include containers, hosts, and App-Embedded Defenders.

Cortex XDR integration

Cortex XDR is now a native alert provider to which Prisma Cloud Compute can send runtime audits and incidents. With this integration, you can now create a new profile and send alerts to Cortex XDR (

Manage > Alerts > Manage

).

Simplified Console-Defender communication certificates management process

The certificate management process for Console-Defender communication is improved to support the rotation of the Console-Defender communication certificates automatically, one year before expiration. During the year after rotation and until expiration of the old certificates, Console communicates with Defenders using both the old and new certificates. This allows the entire deployment to continue functioning without the need for immediate redeployment of the Defenders.

All Defenders must be redeployed during this year to acquire the new certificate. The Console web interface helps you identify which Defenders require redeployment.
New Defenders deployed after rotation will get the new certificate.
Updates certificate management to alert users about Console CA certificate expiration 90 days in advance, and is increased from 30 days.

Protecting Runtime events from PII/sensitive information:

You can now you can filter sensitive information included within Runtime events, such as commands run inside protected workloads, and ensure that it is not included in the Runtime findings (including Forensics, Incidents, Audits.) on

Manage > System > General

.

Because PII sanitization is important for protecting user privacy as well as ensuring that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others), you have two options to scrub your sensitive Runtime data in Prisma Cloud Compute:

Default scrubbing configuration: automatically scrub secrets from runtime events. This configuration is
enabled
by default when you upgrade the Console.
Customize your own regex to detect and scrub sensitive information, in addition to the existing capabilities in WAAS.

Splunk integration

You can now send alerts from Prisma Cloud Compute Edition Console to Splunk and consolidate alert notifications to enable your operations teams. The alert integration with Splunk uses the Splunk HTTP Event Collector and the _json source type.

This enhancement is in addition to the existing Prisma Cloud Enterprise Edition integration with Splunk.

New features in container security

Kubernetes auditing enhancements for EKS and AKS

Kubernetes auditing, which ingests audit data from Kubernetes clusters to help you identify risks and security events, now supports AWS EKS clusters and Azure AKS clusters. The configuration settings on

Defend > Access > Kubernetes

are enhanced to include AWS and Azure, in addition to the existing GCP support.

Additionally, you can configure Kubernetes auditing policy rules more granularly using a cluster filter and apply rules to specific clusters.

Multiple image tags support

Image tags are now collected and presented for image IDs with multiple, different tags.

Remote VMware Tanzu blobstores scan

You can now scan remote VMWare Tanzu TAS blobstores located in a different cloud controller than the scanning Defender. This capability provides flexibility when defining the blobstore scanning Defenders, and eliminates the need to deploy Defenders in all TAS environments where you want to perform blobstore scanning.

Agentless security

Vulnerability policies with alert option and risk factors are applicable for agentless scans.
Automatic scaling and easy switch between Defenders and agentless scans allows for flexibility in protection modes.
Licensing for agentless scan is 1 credit per host.

New features in host security

Pre-deployment scan support for hosts on Azure and GCP

You can now scan virtual machine (VM) images on Azure and GCP to detect and harden against vulnerabilities, compliance issues, and malware at the pre-deployment stage. For example, if you have an image with the vulnerable version of the Apache log4j, the scan will detect and report this security issue before you deploy any hosts using the image.

Configure automatic scanning of the VM images for public, marketplace or private libraries across your Azure subscription or GCP projects on

Defend > Vulnerabilities > Host > VM images

, and review the scan results on

Monitor > Host > VM Images under Vulnerabilities and Compliance

.

New features in WAAS

Bug fixes

ServiceNow Vulnerability Response REST API script has been updated to resolve an error received while trying to send alerts. Users receiving errors should retrieve the updated script from their upgraded Console and update it in ServiceNow.

IPC_LOCK capability has been added to container Defender to resolve an issue with runtime process monitoring for certain operating systems.

Vulnerability discovery dates are no longer updated following an upgrade. This fix will only take effect for upgrades initiated after 22.01 has been deployed. In other words, when you upgrade from 21.08 to 22.01, vulnerability disovery dates will be updated. However, once you’re based on 22.01, vulnerability discovery dates will be preserved in all subsequent upgrades to newer major and minor versions of the product.

DISA STIG scan findings and justifications

Breaking changes

twistcli sandbox now exits with return value 1 if the image verdict is "failed".

The required permissions for the Serverless Radar, Serverless Scanning and Serverless Auto-Defend were slightly adjusted to support scanning and auto-defending KMS encrypted functions.

Non-breaking changes

Newly-added compliance checks are set to ignore on pre-existing compliance rules, regardless of severity.

Known issues

The upgrade to 22.01 fails if you have changed the rule name for the default CVE rule in
Defend > Vulnerabilities > Images > Deployed
from
Default - ignore Twistlock components
to anything else, or deleted the rule. To upgrade successfully, the rule must exist and the rule name must be named
Default - ignore Twistlock components
.
Workaround to address the upgrade failure
:
Deploy a 21.08 console (with the exact version before the upgrade) and restore the database using the latest backup.
Do one of the following:
If you deleted the rule, create a new rule in Defend > Vulnerabilities > Images >Deployed called Default - ignore Twistlock components.
If you renamed the rule, rename the default CVE rule in Defend > Vulnerabilities > Images >Deployed to use the default rule name Default - ignore Twistlock components.
Upgrade to the 22.01 or 22.02 update 1 release.

When Defender is installed on Windows hosts in AWS, and Prisma Cloud Compute Cloud Discovery is configured to scan your environment for protected hosts, the Windows hosts running Defender are reported as unprotected.

Both the /agentless/scan and /agentless/progress API endpoints introduced in 22.01 are available as v1 endpoints in the open API specification file. The versioned endpoints for 22.01 are not in the open API specification file.

CIS Docker Benchmark v1.3.1 recommendation 2.1 ("Run the Docker daemon as a non-root user") is not supported due to a bug in Docker.

Upgrading to 22.01.839 or 22.01.840 fails when you have alert profiles that were set up in version 20.09 or earlier. This issue is caused because of a parsing error in a field with a null value.
Workaround until this issue is fixed in 22.01 Update 1:
Reinstall the 21.08.525 console and restore from the backup.
Do one of the following:
Delete existing alert profiles and recreate after upgrade to 22.01, or
Exec to the console.
Run mongo and run the following commands:
use twistlock
db.getCollection('alertProfiles').updateMany({"xsoar": null}, {"$unset": {"xsoar":1}})
exit
Exit and restart the Console.
Upgrade to 22.01.

Limitations

End of support notifications

Ubuntu 16.04 (Xenial Xerus) is no longer supported.
Debian 9 (Stretch) is no longer supported.

GKE using Docker is no longer supported.
Docker Swarm is no longer supported. Any docker swarm defender should be uninstalled prior to the console upgrade to 21.01.

Python2 is no longer supported.
Node.js 10 is no longer supported.

Cloud compliance has been removed.
Kubernetes auditing for self managed clusters will no longer be supported by Kubernetes dynamic audit configuration, which was deprecated in Kubernetes 1.19, but rather will rely on audit webhook backend.

Backward compatibility limitations