Description

After updating to the enhanced intelligence feed in this release, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 21.08 or older.

The following vulnerabilities may cause an alert on previous releases: CVE-2021-38297, CVE-2021-41771 and CVE-2021-41772. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk to continue running any of the supported Prisma Cloud releases.

To ensure these vulnerability alerts do not display, upgrade to the latest 22.01 release, where applicable. If you are not ready to upgrade right away, add an exception in the default

Ignore Twistlock Components

rule (under *

Defend

Vulnerabilities

Images

Deployed

) to suppress these vulnerability alerts.

The Intelligence Stream updates include vulnerability information for SUSE SLES 12 and 15.

This release includes support for:

For enhanced exception and metadata reporting on vulnerabilities, Prisma Cloud allows you to granularly tag vulnerabilities based on CVE ID, package, and resources.

Use the

Manage

Collections and tags

Tags

page to assign a tag to a CVE for a single package, or for all the packages affected by it. You can assign a tag to a specific resource such as ubuntu:18.04, resources defined using wildcards (for example, ubuntu:*), and to multiple resources across your environment. For container images, when you assign the tag to a base image, Prisma Cloud automatically assigns the tag to all its descendant images.

You can now use your organization-level credentials to enable Prisma Cloud to find and scan all projects in your GCP organization resource hierarchy. With the support for organization-level credentials, capabilities such as cloud discovery and registry scanning are simplified and you do not need to create credentials for each project.

To investigate incidents and events that occur in your environment, the forensics capabilities with recording DNS queries are extended to include containers, hosts, and App-Embedded Defenders.

Cortex XDR is now a native alert provider to which Prisma Cloud Compute can send runtime audits and incidents. With this integration, you can now create a new profile on

Manage

Alerts

Manage

and send alerts to Cortex XDR.

Console-Defender communication certificates are now automatically rotated one year before expiration. During the year after rotation and until expiration of the old certificates, Console communicates with Defenders using both the old and new certificates. This allows the entire deployment to continue functioning without the need for immediate redeployment of the Defenders.

You can now you can filter sensitive information included within Runtime events, such as commands run inside protected workloads, and ensure that it is not included in the Runtime findings (including Forensics, Incidents, Audits.) on

Manage

System

General

.

For protecting user privacy as well as ensuring that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others), you have two options to scrub your sensitive Runtime data in Prisma Cloud Compute,

You can now send alerts from Prisma Cloud Compute Edition Console to Splunk and consolidate alert notifications to enable your operations teams. The alert integration with Splunk uses the Splunk HTTP Event Collector and the _json source type.

This enhancement is in addition to the existing Prisma Cloud Enterprise Edition integration with Splunk.

To supplement the existing vulnerability alerting mechanism, you can now send alerts as soon as new vulnerabilities are detected when:

RBAC capabilities across Prisma Cloud enable you to limit data only to specify users and groups based on the Resource List and Collections assignments. These enhancements restrict views after the first scan.

Kubernetes auditing, which ingests audit data from Kubernetes clusters to help you identify risks and security events, now supports AWS EKS clusters and Azure AKS clusters.The configuration settings on

Defend

Access

Kubernetes

are enhanced to include AWS and Azure, in addition to the existing GCP support. Additionally, you can configure Kubernetes auditing policy rules more granularly using a cluster filter and apply rules to specific clusters.

CIS Benchmarks was extended to cover:

The newly-added compliance checks are set to ignore on preexisting compliance rules, regardless of severity.

All CRI runtime compliance checks are now applicable for containerd containers also.

This feature is not supported on Bottlerocket OS.

Image tags are now collected and presented for image IDs with multiple, different tags.

You can now install the Windows Container Defender on your Azure Kubernetes Service (AKS) Windows nodes with containerd runtime.

With Defenders deployed, you can view the running containers and images on

Radar

and leverage the runtime defense capabilities on Prisma Cloud Compute for these containers; Vulnerabilities and Compliance scanning are not supported yet.

The Harbor Registry scanning performance is improved.

Seamlessly upgrade the OpenShift clusters when Prisma Cloud Defender is installed. This update will solve the issue mentioned in https://access.redhat.com/solutions/5206691.

This will be supported starting with OpenShift 4.7, and Defenders v22.01.

Support for deploying Defenders on VMWare Tanzu TAS isolation segments (Network and Compute Isolation) is now available.

You can now scan remote VMWare Tanzu TAS blobstores located in a different cloud controller than the scanning Defender. This capability provides flexibility when defining the blobstore scanning Defenders, and eliminates the need to deploy Defenders in all TAS environments where you want to perform blobstore scanning.

Prisma Cloud Compute adds support for vulnerability scanning on running EC2 hosts on AWS. Agentless scans enable you to gain visibility into running or stopped vulnerable hosts in your cloud accounts without the need for deploying Defenders.

For your scaling needs and flexibility in protection modes, you can use Defenders and agentless scanning where convenient.

Licensing for agentless scan is 1 credit per host.

You can now scan virtual machine (VM) images on Azure and GCP to detect and harden against vulnerabilities, compliance issues, and malware at the pre-deployment stage. For example, if you have an image with the vulnerable version of the Apache log4j, the scan will detect and report this security issue before you deploy any hosts using the image.

Configure automatic scanning of the VM images for public, marketplace or private libraries across your Azure subscription or GCP projects on

Defend

Vulnerabilities

Host

VM images

, and review the scan results on

Monitor

Host

VM Images

under

Vulnerabilities and Compliance

.

Windows Defenders now collect and report cloud metadata the same way as Linux Defenders. Cloud metadata includes things such as the cloud provider where the Defender runs (for example, AWS), and the name of the host on which the Defender is deployed.

The new

WAAS explorer

dashboard on

Monitor

WAAS

provides an overview of protection coverage, web application and API security posture, usage statistics and insights

To enable findability, an Event ID will be assigned to all new WAAS events so you can reference and search within the

Event Monitor

.

End users who are denied access to a web page can now view event IDs as part of WAAS block pages, and in a new HTTP response header (X-Prisma-Event-Id) when the option is enabled for an app on a WAAS rule on

Defend

WAAS

<Rulename>

Advanced settings

.

The

Allow

action is now available for WAAS custom rules. When allowed, requests override actions set by other protections such as application firewall, bot protection, API protection can be applied for traffic that matches WAAS and runtime rules.

The following transformation functions are available for creating custom rules - lowercase, compressWhitespace, removeWhitespace, urlQueryDecode, urlPathDecode, unicodeDecode, htmlEntityDecode, base64Decode, replaceComments, removeCommentSymbols, removeTags.

For API-based protection of gRPC messages, WAAS now supports inspection of gRPC messages.

Support for scanning unprotected web applications and APIs on hosts is now available.

Additionally, the scan for unprotected web applications and APIs for both container and hosts is enabled by default, and you have the option to now disable the scan on

Radar

Settings

.

On

Monitor

WAAS

API observations

, the JSON body content is now added to the learning model.

Schemes will be presented as part of the observations and will be available for export in an Open API specification V3 JSON.

New features introduced in this release that will not be supported by older versions of Defenders.