22.01 Release Notes

The following table outlines the release particulars:
Code name
Release date
January 10, 2022
Major release
SHA-256 Digest

CVE coverage update

As part of the 22.01 release, Prisma Cloud has rolled out updates to its vulnerability data stream for Common Vulnerabilities and Exposures (CVEs). After updating to the enhanced intelligence feed, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 21.08 or older. The following vulnerabilities may cause an alert on previous releases: CVE-2021-38297, CVE-2021-41771 and CVE-2021-41772. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk to continue running any of the supported Prisma Cloud releases.
To ensure these vulnerability alerts do not display, we recommend upgrading to the latest 22.01 release where applicable. If you are not ready to upgrade right away, add an exception in the default
Ignore Twistlock Components
rule (under
Defend > Vulnerabilities > Images > Deployed
) to suppress these vulnerability alerts.

New features in the core platform

In addition to familiarizing yourself with the new features and enhancements in this release, review the minimum System Requirements for versions that are tested and supported on 22.01.
To download the Prisma Cloud Compute Edition release tarball from the Palo Alto Networks Customer Support Portal (CSP):
  1. Go to
    Updates > Software Updates
    and select
    Prisma Cloud Compute Edition

Enhanced scoping options for vulnerability tags

Vulnerability tags are predefined labels that can help you manage the vulnerabilities in your environment. For enhanced exception and metadata reporting on vulnerabilities, Prisma Cloud allows you to granularly tag vulnerabilities based on CVE ID, package, and resources.
  • Use the
    Manage > Collections and tags > Tags
    page to assign a tag to a CVE for a single package, or for all the packages affected by it. You will also be able to assign a tag to a specific resource such as ubuntu:18.04, resources defined using wildcards (for example, ubuntu:*), and to multiple or all the resources across your environment.
  • For container images, when you assign the tag to a base image, Prisma Cloud automatically assigns the tag to all its descendant images.

Organization-level credentials for GCP

You can now use your organization-level credentials for GCP to enable Prisma Cloud to find and scan all projects in your GCP organization resource hierarchy. With the support for organization-level credentials, capabilities such as cloud discovery and registry scanning are simplified and you do not need to create credentials for each project.

Log DNS queries in forensics

To investigate incidents and events that occur in your environment, the forensics capabilities with recording DNS queries are extended to include containers, hosts, and App-Embedded Defenders.

Cortex XDR integration

Cortex XDR is now a native alert provider to which Prisma Cloud Compute can send runtime audits and incidents. With this integration, you can now create a new profile and send alerts to Cortex XDR (
Manage > Alerts > Manage

Simplified Console-Defender communication certificates management process

The certificate management process for Console-Defender communication is improved to support the rotation of the Console-Defender communication certificates automatically, one year before expiration. During the year after rotation and until expiration of the old certificates, Console communicates with Defenders using both the old and new certificates. This allows the entire deployment to continue functioning without the need for immediate redeployment of the Defenders.
  • All Defenders must be redeployed during this year to acquire the new certificate. The Console web interface helps you identify which Defenders require redeployment.
  • New Defenders deployed after rotation will get the new certificate.
  • Updates certificate management to alert users about Console CA certificate expiration 90 days in advance, and is increased from 30 days.

Protecting Runtime events from PII/sensitive information:

You can now you can filter sensitive information included within Runtime events, such as commands run inside protected workloads, and ensure that it is not included in the Runtime findings (including Forensics, Incidents, Audits.) on
Manage > System > General
Because PII sanitization is important for protecting user privacy as well as ensuring that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others), you have two options to scrub your sensitive Runtime data in Prisma Cloud Compute:
  • Default scrubbing configuration: automatically scrub secrets from runtime events. This configuration is
    by default when you upgrade the Console.
  • Customize your own regex to detect and scrub sensitive information, in addition to the existing capabilities in WAAS.

Splunk integration

You can now send alerts from Prisma Cloud Compute Edition Console to Splunk and consolidate alert notifications to enable your operations teams. The alert integration with Splunk uses the Splunk HTTP Event Collector and the _json source type.
This enhancement is in addition to the existing Prisma Cloud Enterprise Edition integration with Splunk.

Immediate vulnerability alerts

You can now send alerts as soon as new vulnerabilities are detected when:
  • Deploying a new image/host with vulnerabilities
  • Detecting new vulnerabilities when re-scanning an existing image/host
This capability is in addition to the existing vulnerability alerting mechanism.

Extend RBAC capabilities across Prisma Cloud views

RBAC capabilities cross Prisma Cloud enable you to limit data only to specify users and groups based on the Resource List and Collections assignments. These enhancements will affect the restricted views after the first scan.

Additional supported platforms

The following operating systems are now supported:
  • Bottlerocket OS
  • RHEL 6 (vulnerability coverage only)
  • Photon OS 3
The following Kubernetes distributions and configurations are now supported:
  • K3s (K3s clusters are not shown in the Containers Radar and their containers are displayed under "Non-cluster containers".)
  • EKS using containerd
  • AKS with Windows nodes using containerd (supported for runtime defender and radar visibility)
  • GKE Autopilot (except for custom compliance and Prevent effect in runtime policy)

New features in container security

Kubernetes auditing enhancements for EKS and AKS

Kubernetes auditing, which ingests audit data from Kubernetes clusters to help you identify risks and security events, now supports AWS EKS clusters and Azure AKS clusters. The configuration settings on
Defend > Access > Kubernetes
are enhanced to include AWS and Azure, in addition to the existing GCP support.
Additionally, you can configure Kubernetes auditing policy rules more granularly using a cluster filter and apply rules to specific clusters.

CIS Benchmarks extended support

The list of supported CIS Benchamrks was extended to cover:
  • CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS Docker Benchmark v1.3.1
  • CIS Kubernetes V1.20 Benchmark v1.0.0
Note: newly-added compliance checks are set to ignore on pre-existing compliance rules, regardless of severity.

Compliance for containerd containers

All CRI runtime compliance checks are now applicable for containerd containers also. This feature is not supported on Bottlerocket OS.

Multiple image tags support

Image tags are now collected and presented for image IDs with multiple, different tags.

AKS Windows containerd node support

You can now install the Windows Container Defender on your Azure Kubernetes Service (AKS) Windows nodes with containerd runtime. With Defenders deployed, you can view the running containers and images on Radar and leverage the Runtime Defense capabilities on Prisma Cloud Compute for these containers.
Vulnerabilities and Compliance scanning are not supported yet.

Harbor registry scanning improvements

The Harbor Registry scanning performance is improved.

OpenShift clusters upgrade

Seamlessly upgrade the OpenShift clusters when Prisma Cloud Defender is installed. This update will solve the following issue mentioned in https://access.redhat.com/solutions/5206691.
This will be supported starting with OpenShift 4.7, and Defenders v22.01.

Defenders on VMware Tanzu isolation segments

Support for deploying Defenders on VMWare Tanzu TAS isolation segments (Network and Compute Isolation) is now available.

Remote VMware Tanzu blobstores scan

You can now scan remote VMWare Tanzu TAS blobstores located in a different cloud controller than the scanning Defender. This capability provides flexibility when defining the blobstore scanning Defenders, and eliminates the need to deploy Defenders in all TAS environments where you want to perform blobstore scanning.

Agentless security

Prisma Cloud Compute adds support for vulnerability scanning on running EC2 hosts on AWS. Agentless scans enable you to gain visibility into running or stopped vulnerable hosts in your cloud accounts without the need for deploying Defenders.
  • Vulnerability policies with alert option and risk factors are applicable for agentless scans.
  • Automatic scaling and easy switch between Defenders and agentless scans allows for flexibility in protection modes.
  • Licensing for agentless scan is 1 credit per host.

New features in host security

Pre-deployment scan support for hosts on Azure and GCP

You can now scan virtual machine (VM) images on Azure and GCP to detect and harden against vulnerabilities, compliance issues, and malware at the pre-deployment stage. For example, if you have an image with the vulnerable version of the Apache log4j, the scan will detect and report this security issue before you deploy any hosts using the image.
Configure automatic scanning of the VM images for public, marketplace or private libraries across your Azure subscription or GCP projects on
Defend > Vulnerabilities > Host > VM images
, and review the scan results on
Monitor > Host > VM Images under Vulnerabilities and Compliance

Collection of cloud provider metadata for Windows virtual machines

Windows Defenders now collect and report cloud metadata the same way as Linux Defenders. Cloud metadata includes things such as the cloud provider where the Defender runs (for example, AWS), the name of the host on which the Defender is deployed.

New features in WAAS

WAAS Dashboard

A new
WAAS explorer
dashboard is now available on
Monitor > WAAS
. The WAAS dashboard provides an overview of protection coverage, web application and API security posture, usage statistics and insights.

WAAS Event IDs

To enable findability, an Event ID will be assigned to all new WAAS events so you can reference and search within the
Event Monitor
. End users will be able to view event IDs as part of WAAS block pages and in a new HTTP response header (X-Prisma-Event-Id).

Custom Rules-Extended Functionality

The "Allow" effect is now available for custom rules. When allowed, requests override actions set by other protections such as application firewall, bot protection, API protection.

gRPC Support

WAAS now supports inspection of gRPC messages.

Scanning for Unprotected Web Applications and APIs

Support for scanning unprotected web applications and APIs on hosts is now available.
Additionally, the scan for unprotected web applications and APIs for both container and hosts is enabled by default, and you have the option to now disable the scan on
Radar > Settings

API Observations Improvements

Monitor > WAAS > API observations
, the JSON body content is now added to the learning model. Schemes will be presented as part of the observations and will be available for export in an Open API specification V3 JSON.

Bug fixes

  • ServiceNow Vulnerability Response REST API script has been updated to resolve an error received while trying to send alerts. Users receiving errors should retrieve the updated script from their upgraded Console and update it in ServiceNow.
  • IPC_LOCK capability has been added to container Defender to resolve an issue with runtime process monitoring for certain operating systems.
  • Vulnerability discovery dates are no longer updated following an upgrade. This fix will only take effect for upgrades initiated after 22.01 has been deployed. In other words, when you upgrade from 21.08 to 22.01, vulnerability disovery dates will be updated. However, once you’re based on 22.01, vulnerability discovery dates will be preserved in all subsequent upgrades to newer major and minor versions of the product.

DISA STIG scan findings and justifications

Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Breaking changes

Be aware of the following breaking changes when upgrading to 22.01:
  • The required permissions for the Serverless Radar, Serverless Scanning and Serverless Auto-Defend were slightly adjusted to support scanning and auto-defending KMS encrypted functions.

Non-breaking changes

  • Newly-added compliance checks are set to ignore on pre-existing compliance rules, regardless of severity.

Known issues

  • The upgrade to 22.01 fails if you have changed the rule name for the default CVE rule in
    Defend > Vulnerabilities > Images > Deployed
    Default - ignore Twistlock components
    to anything else, or deleted the rule. To upgrade successfully, the rule must exist and the rule name must be named
    Default - ignore Twistlock components
    Workaround to address the upgrade failure
    1. Deploy a 21.08 console (with the exact version before the upgrade) and restore the database using the latest backup.
    2. Do one of the following:
      • If you deleted the rule, create a new rule in Defend > Vulnerabilities > Images >Deployed called Default - ignore Twistlock components.
      • If you renamed the rule, rename the default CVE rule in Defend > Vulnerabilities > Images >Deployed to use the default rule name Default - ignore Twistlock components.
    3. Upgrade to the 22.01 or 22.02 update 1 release.
  • When Defender is installed on Windows hosts in AWS, and Prisma Cloud Compute Cloud Discovery is configured to scan your environment for protected hosts, the Windows hosts running Defender are reported as unprotected.
  • Both the /agentless/scan and /agentless/progress API endpoints introduced in 22.01 are available as v1 endpoints in the open API specification file. The versioned endpoints for 22.01 are not in the open API specification file.
  • CIS Docker Benchmark v1.3.1 recommendation 2.1 ("Run the Docker daemon as a non-root user") is not supported due to a bug in Docker.
  • Upgrading to 22.01.839 or 22.01.840 fails when you have alert profiles that were set up in version 20.09 or earlier. This issue is caused because of a parsing error in a field with a null value.
    Workaround until this issue is fixed in 22.01 Update 1:
    1. Reinstall the 21.08.525 console and restore from the backup.
    2. Do one of the following:
      • Delete existing alert profiles and recreate after upgrade to 22.01, or
      • Exec to the console.
        1. Run mongo and run the following commands:
          use twistlock db.getCollection('alertProfiles').updateMany({"xsoar": null}, {"$unset": {"xsoar":1}}) exit
        2. Exit and restart the Console.
    3. Upgrade to 22.01.


When using the automatic renewal of certificates issued by Console, Serverless Defenders have a current certificate only, and if it expires the Defenders must be redeployed.

End of support notifications

The following list of items are no longer supported in 22.01.
Operating systems:
  • Ubuntu 16.04 (Xenial Xerus) is no longer supported.
  • Debian 9 (Stretch) is no longer supported.
  • GKE using Docker is no longer supported.
  • Docker Swarm is no longer supported. Any docker swarm defender should be uninstalled prior to the console upgrade to 21.01.
Serverless runtimes:
  • Python2 is no longer supported.
  • Node.js 10 is no longer supported.
  • Cloud compliance has been removed.
  • Kubernetes auditing for self managed clusters will no longer be supported by Kubernetes dynamic audit configuration, which was deprecated in Kubernetes 1.19, but rather will rely on audit webhook backend.

Backward compatibility limitations

The following table lists new features introduced in 22.01 that will not be supported by older versions of Defenders/twistcli/Jenkins plugin.
Unsupported component
Openshift - make changes to crio.conf via Machine Config Operator only
Remove PII data from FullProcCmd command
Defender support for containerd on Windows
Container compliance support for containers running on containerd
Update of Docker CIS to 1.3.1
The following new/modified checks aren’t be supported: 1.1.4, 1.1.8, 1.1.12, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 3.23, 3.24. 3.7, 3.8. The rest are supported.
Openshfit CIS v1.1.0 support
Log DNS requests in Forensics
Compute-XDR integration - phase 1
The integration will work with older Defenders, however, the new fields that were added for the integration (e.g. ip, port, filepath) will only be collected on Defenders
TAS - Scan external blobstores

Recommended For You