: Features Introduced in February 2022

Features Introduced in February 2022

Table of Contents

Features Introduced in February 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in February 2022.
The host, container, and serverless capabilities on the
tab are being upgraded on Prisma Cloud Enterprise Edition on February 27, 2022. When upgraded, the version will be 22.01.857.

New Features in Prisma Cloud Compute

New Features in the Core Platform
CVE Coverage Update
After updating to the enhanced intelligence feed in this release, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 21.08 or older.
The following vulnerabilities may cause an alert on previous releases: CVE-2021-38297, CVE-2021-41771 and CVE-2021-41772. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk to continue running any of the supported Prisma Cloud releases.
To ensure these vulnerability alerts do not display, upgrade to the latest 22.01 release, where applicable. If you are not ready to upgrade right away, add an exception in the default
Ignore Twistlock Components
rule (under *
) to suppress these vulnerability alerts.
Intelligence Stream Update
The Intelligence Stream updates include vulnerability information for SUSE SLES 12 and 15.
Support for Operating Systems
This release includes support for:
  • Bottlerocket OS
  • RHEL 6 (vulnerability coverage only)
  • Photon OS 3
  • K3s (K3s clusters are not shown in the Containers Radar; the containers are displayed under
    Non-cluster containers
  • EKS using containerd
  • AKS with Windows nodes using containerd (supported for runtime defender and radar visibility)
  • GKE Autopilot (except for custom compliance and Prevent effect in runtime policy)
Enhanced Scoping for Vulnerability Tags
For enhanced exception and metadata reporting on vulnerabilities, Prisma Cloud allows you to granularly tag vulnerabilities based on CVE ID, package, and resources.
Use the
Collections and tags
page to assign a tag to a CVE for a single package, or for all the packages affected by it. You can assign a tag to a specific resource such as ubuntu:18.04, resources defined using wildcards (for example, ubuntu:*), and to multiple resources across your environment. For container images, when you assign the tag to a base image, Prisma Cloud automatically assigns the tag to all its descendant images.
Organization-Level Credentials for GCP
You can now use your organization-level credentials to enable Prisma Cloud to find and scan all projects in your GCP organization resource hierarchy. With the support for organization-level credentials, capabilities such as cloud discovery and registry scanning are simplified and you do not need to create credentials for each project.
Log DNS Queries in Forensics
To investigate incidents and events that occur in your environment, the forensics capabilities with recording DNS queries are extended to include containers, hosts, and App-Embedded Defenders.
Cortex XDR Integration
Cortex XDR is now a native alert provider to which Prisma Cloud Compute can send runtime audits and incidents. With this integration, you can now create a new profile on
and send alerts to Cortex XDR.
Simplified Certificate Management for Console-Defender Communication
Console-Defender communication certificates are now automatically rotated one year before expiration. During the year after rotation and until expiration of the old certificates, Console communicates with Defenders using both the old and new certificates. This allows the entire deployment to continue functioning without the need for immediate redeployment of the Defenders.
  • Redeploy all Defenders within the year to ensure that they acquire the new certificate.
    The Console web interface helps you identify which Defenders require redeployment.
  • New Defenders deployed after rotation will get the new certificate.
  • Console CA certificate expiration alerts are now sent 90 days in advance (increased from 30 days).
PII/Sensitive Information Sanitization for Runtime Events
You can now you can filter sensitive information included within Runtime events, such as commands run inside protected workloads, and ensure that it is not included in the Runtime findings (including Forensics, Incidents, Audits.) on
For protecting user privacy as well as ensuring that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others), you have two options to scrub your sensitive Runtime data in Prisma Cloud Compute,
  • Default scrubbing configuration: automatically scrub secrets from runtime events. This configuration is
    by default when you upgrade the Console.
  • Customize your own regex to detect and scrub sensitive information, in addition to the existing capabilities in WAAS.
Splunk Integration
You can now send alerts from Prisma Cloud Compute Edition Console to Splunk and consolidate alert notifications to enable your operations teams. The alert integration with Splunk uses the Splunk HTTP Event Collector and the _json source type.
This enhancement is in addition to the existing Prisma Cloud Enterprise Edition integration with Splunk.
Quicker Vulnerability Alerting
To supplement the existing vulnerability alerting mechanism, you can now send alerts as soon as new vulnerabilities are detected when:
  • Deploying a new image/host with vulnerabilities.
  • Detecting new vulnerabilities when re-scanning an existing image/host.
Extended RBAC Across Prisma Cloud Views
RBAC capabilities across Prisma Cloud enable you to limit data only to specify users and groups based on the Resource List and Collections assignments. These enhancements restrict views after the first scan.
New Features in Container Security
Kubernetes auditing enhancements for EKS and AKS
Kubernetes auditing, which ingests audit data from Kubernetes clusters to help you identify risks and security events, now supports AWS EKS clusters and Azure AKS clusters.The configuration settings on
are enhanced to include AWS and Azure, in addition to the existing GCP support. Additionally, you can configure Kubernetes auditing policy rules more granularly using a cluster filter and apply rules to specific clusters.
The AWS CFT on Prisma Cloud includes the additional permissions for EKS Auditing for onboarded cloud accounts. See to update the CFT stack.
CIS Benchmarks Support
CIS Benchmarks was extended to cover:
  • CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS Docker Benchmark v1.3.1
  • CIS Kubernetes V1.20 Benchmark v1.0.0
The newly-added compliance checks are set to ignore on preexisting compliance rules, regardless of severity.
Compliance for containerd Containers
All CRI runtime compliance checks are now applicable for containerd containers also.
This feature is not supported on Bottlerocket OS.
Multiple Image Tags Support
Image tags are now collected and presented for image IDs with multiple, different tags.
AKS Windows containerd Node Support
You can now install the Windows Container Defender on your Azure Kubernetes Service (AKS) Windows nodes with containerd runtime.
With Defenders deployed, you can view the running containers and images on
and leverage the runtime defense capabilities on Prisma Cloud Compute for these containers; Vulnerabilities and Compliance scanning are not supported yet.
Harbor Registry Scanning Improvements
The Harbor Registry scanning performance is improved.
OpenShift Clusters Upgrade
Seamlessly upgrade the OpenShift clusters when Prisma Cloud Defender is installed. This update will solve the issue mentioned in https://access.redhat.com/solutions/5206691.
This will be supported starting with OpenShift 4.7, and Defenders v22.01.
Defenders on VMware Tanzu TAS Isolation Segments
Support for deploying Defenders on VMWare Tanzu TAS isolation segments (Network and Compute Isolation) is now available.
Remote VMware Tanzu Blobstores Scan
You can now scan remote VMWare Tanzu TAS blobstores located in a different cloud controller than the scanning Defender. This capability provides flexibility when defining the blobstore scanning Defenders, and eliminates the need to deploy Defenders in all TAS environments where you want to perform blobstore scanning.
Agentless Security
Prisma Cloud Compute adds support for vulnerability scanning on running EC2 hosts on AWS. Agentless scans enable you to gain visibility into running or stopped vulnerable hosts in your cloud accounts without the need for deploying Defenders.
For your scaling needs and flexibility in protection modes, you can use Defenders and agentless scanning where convenient.
Licensing for agentless scan is 1 credit per host.
The AWS CFT for
Monitor and Protect
on Prisma Cloud includes the additional permissions for Agentless scanning on EC2 for onboarded cloud accounts.
New Features in Host Security
Pre-Deployment Scan Support for Hosts on Azure and GCP
You can now scan virtual machine (VM) images on Azure and GCP to detect and harden against vulnerabilities, compliance issues, and malware at the pre-deployment stage. For example, if you have an image with the vulnerable version of the Apache log4j, the scan will detect and report this security issue before you deploy any hosts using the image.
Configure automatic scanning of the VM images for public, marketplace or private libraries across your Azure subscription or GCP projects on
VM images
, and review the scan results on
VM Images
Vulnerabilities and Compliance
Collection of Cloud Provider Metadata for Windows Virtual Machines
Windows Defenders now collect and report cloud metadata the same way as Linux Defenders. Cloud metadata includes things such as the cloud provider where the Defender runs (for example, AWS), and the name of the host on which the Defender is deployed.
New features in WAAS
WAAS Explorer
The new
WAAS explorer
dashboard on
provides an overview of protection coverage, web application and API security posture, usage statistics and insights
WAAS Event IDs
To enable findability, an Event ID will be assigned to all new WAAS events so you can reference and search within the
Event Monitor
End users who are denied access to a web page can now view event IDs as part of WAAS block pages, and in a new HTTP response header (X-Prisma-Event-Id) when the option is enabled for an app on a WAAS rule on
Advanced settings
Custom Rules-Extended Functionality
action is now available for WAAS custom rules. When allowed, requests override actions set by other protections such as application firewall, bot protection, API protection can be applied for traffic that matches WAAS and runtime rules.
gRPC Support
For API-based protection of gRPC messages, WAAS now supports inspection of gRPC messages.
Scanning for Unprotected Web Applications and APIs
Support for scanning unprotected web applications and APIs on hosts is now available.
Additionally, the scan for unprotected web applications and APIs for both container and hosts is enabled by default, and you have the option to now disable the scan on
API Observations Improvements
API observations
, the JSON body content is now added to the learning model.
Schemes will be presented as part of the observations and will be available for export in an Open API specification V3 JSON.
Compatibility and Supportability Notifications
End of Support Notifications
Operating Systems
  • Ubuntu 16.04 (Xenial Xerus) is no longer supported.
  • Debian 9 (Stretch) is no longer supported.
  • RHEL 6 as no longer supported. RHEL 6 is no longer generally available as stated on the Red Hat website.
  • GKE using Docker is no longer supported.
  • Docker Swarm is no longer supported. You must unistall Docker Swarm Defender before the upgrade to 22.01.
Serverless Runtimes
  • Python2 is no longer supported.
  • Node.js 10 is no longer supported.
  • Cloud compliance has been removed.
  • Kubernetes auditing for self managed clusters will no longer be supported by Kubernetes dynamic audit configuration, which was deprecated in Kubernetes 1.19. It will use the audit webhook backend instead.
Information on Backward Compatibility
New features introduced in this release that will not be supported by older versions of Defenders.
  • Openshift - make changes to crio.conf via Machine Config Operator only
  • Remove PII data from FullProcCmd command
  • Defender support for containerd on Windows
  • Container compliance support for containers running on containerd
  • Update of Docker CIS to 1.3.1
    The following new/modified checks aren’t supported:1.1.4, 1.1.8, 1.1.12, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 3.23, 3.24. 3.7, 3.8.The rest are supported.
  • Openshfit CIS v1.1.0 support
  • Log DNS requests in Forensics
  • Compute-XDR integration - phase 1
    The integration will work with older Defenders, however, the new fields that were added for the integration (e.g. ip, port, filepath) will only be collected on Defenders
  • TAS - Scan external blobstores

Recommended For You