Features Introduced in July 2022
Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July 2022.
The host, container, and serverless capabilities on the Compute tab are being upgraded on Prisma Cloud Enterprise Edition on July 31, 2022. When upgraded, the version will be 22.06.197.
New Features in Prisma Cloud Compute
New Features in the Core Platform
CVE Coverage Update
As part of the 22.06 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
New Filters in the Vulnerability Explorer
In the Vulnerability Explorer, you can now generate a vulnerabilities report using new filters such as CVSS score and severity threshold. In addition to viewing the filtered results for deployed images, registry images, hosts, and functions under Vulnerability (CVE) results, you can also download a detailed report for CVEs in CSV format or a detailed report for impacted resources in CSV format from the Vulnerability Explorer.
Vulnerability Scan Report for Registry Images
With the vulnerabilities report for registry images, you can review the top 10 critical CVEs discovered in your registry images and search by a CVE ID to view the results for both registry and deployed images that are impacted by a CVE.
ARM64 Architecture Support
You can now deploy Defenders to protect AWS workloads based on the Linux ARM64 architecture.
With ARM64 support, you can secure your deployments and enhance the cost savings for compute and network-intensive workloads that use cloud-native compute offerings such as the AWS Graviton processor.
To use Prisma Cloud on ARM64 architecture, see the system requirements.
Compliance Alert Triggers for Slack
You can now trigger alerts for container and image compliance and host compliance findings and send them to your Slack integration.
Integrate with Azure Active Directory Using SAML 2.0
Prisma Cloud Compute now uses the Microsoft Graph API for integrating with Azure Active Directory (AD) resources. This transition is in line with the deprecation notice from Microsoft for the Azure AD Graph API and the Azure Active Directory Authentication Library (ADAL).
For authenticating users on the Prisma Cloud Console, you must replace the Directory.Read.All permission for Azure Active Directory Graph with the Directory.Read.All permission for the Microsoft Graph API.
OIDC User Identity Mapping
You can map OIDC identities to Prisma Cloud users as required by the specification. Instead of using the default sub attribute, you can now use like
Improvements in Runtime Protection
The container model learning is improved to reduce false positive audits when a binary is modified during container creation. The grace time for binaries added after the container has started is now 10 seconds. Additionally, for CI/CD environments where dedicated containers are used to pull images, you can now allow pulling images.
For example, if a container was started with podman as one of its startup processes, the Dockerfile will allow this action and runtime audits for it are ignored.
Enhanced Coverage for Certificate Authentication with Azure
You can now authenticate with Azure using a certificate for the following integrations:
GKE Autopilot Deployment Improvement
When deploying Defenders into your Kubernetes deployment for GKE Autopilot, you have a new toggle in the console and a corresponding twistcli flag that makes the workflow easier. The improvements automatically remove the mounts that are not relevant to the Autopilot deployment and enable you to add the annotation required to deploy Defenders successfully.
On the console, select Kubernetes and enable the Nodes use Container Runtime Interface (CRI), not Docker and GKE Autopilot deployment options.
The --gke-autopilot flag in twistcli adds the annotation to the YAML file or Helm chart.
New Features in Container Security
Vulnerability and Compliance Scanning for Workloads Protected by App-Embedded Defenders
App-Embedded Defenders can now scan the workloads they protect for vulnerabilities and compliance issues. They can also collect and report package information and metadata about the cloud environments in which they run.
to review the scan reports.
Improved Visibility for CaaS Workloads Protected by App-Embedded Defenders
For CaaS (Container as a Service) workloads protected by App-Embedded Defenders, you can now view more metadata on the cloud environment on which each workload is deployed, forensics, and runtime audits on the page. You can filter the workloads in the table by a number of facets, including collections, account ID, and clusters.
Runtime File System Audits for App-Embedded Defenders
App-Embedded Defender runtime defense now includes support for container file systems so that you can continuously monitor and protect containers from suspicious file system activities and malware.
Automatically Extract Fargate Task Entrypoint at Embed-Time
To streamline the embed flow and eliminate manual intervention (that is, updating task definitions to explicitly specify entrypoints), Prisma Cloud can automatically find the image entrypoint and set it in the protected task definition.
Now, when Prisma Cloud generates a protected task definition, it learns the entrypoint and/or cmd instructions of the container image during the first run of the App-Embedded Defender.
CloudFormation Template (CFT) Support for Fargate Task Definitions
You can now generate protected Fargate task definitions in the CFT format for embedding an App-Embedded Defender.
Additional Checks for CIS Benchmark for OpenShift
In 22.06, we’ve added support for more checks from the CIS OpenShift benchmark.
Support for Vulnerability and Compliance Scanning for Windows Containers
Windows Container Defender on hosts with the containerd runtime can now scan Windows containers for vulnerabilities and compliance issues. This is supported on AKS only.
In addition, deployed Windows Container Defenders can now be configured to scan Windows images in registries.
twistcli for Windows has also been extended to scan Windows images on Windows hosts with containerd installed.
Support for Google Artifact Registry
Registry Scanning Enhancements
Enhanced registry scanning progress status within the Prisma Cloud Console UI and logs.
The enhancements provide the option to choose whether to stop or continue an in-progress scan when saving the registry settings.
After you , Prisma Cloud automatically scans the images within for vulnerabilities using an improved flow.
Scan Image Tar Files with twistcli
twistcli can scan image tarballs for the Docker Image Specification v1.1 and later.
This enhancement enables support for vendors who deliver container images as tar files, not via a registry, and the integration with Kaniko, a tool that builds images in a Kubernetes cluster from a Dockerfile without access to a Docker daemon.
Rule to Allow Activity in Attached Sessions
When you start a session inside pods or containers running in your deployment using commands such as kubectl exec or docker exec, you can now explicitly specify whether the rule should allow the activity in attached sessions. This option helps you reduce the volume of alerts generated for the allowed activities and processes.
Defend Runtime Container Policy
When enabled, process, network, and filesystem activity executed in an attached session such as kubectl exec is explicitly allowed without additional runtime analysis.
Only Defender versions 22.06 or later will support this capability.
New Features in Agentless Security
Support for Microsoft Azure
Agentless scanning is now available for vulnerability scanning and compliance scanning on Azure.
Support for Google Cloud
Agentless scanning is now available for vulnerability scanning and compliance scanning on Google Cloud.
Compliance and Custom Compliance Support
With agentless scanning, you can now scan hosts from all three major cloud providers—AWS, Azure, and Google Cloud—against compliance benchmarks. In addition to out-of-the-box checks, you can apply user-defined custom compliance checks and scan against the host file system.
Unpatched OS Detection
In addition to vulnerability and compliance scanning, agentless scanning can now track pending OS security updates in this release.
Unscanned Cloud Account Detection
You can now easily discover regions within AWS, Azure, or Google Cloud accounts where agentless scanning is not enabled, and enable scanning for those cloud accounts.
In this release, you can manage how scanners connect to the Prisma Cloud Console for agentless scanning. If you use a proxy, you can configure the proxy configuration in the scan settings for accounts under
New Features in Host Security
Auto-Defend Host Process Update
When you set up the process to automatically deploy Defenders on hosts, this update ensures that Host Defenders are not deployed on container hosts. Hosts running containers require Container Defenders to protect and secure both the host and the containers on it.
CIS Linux Benchmark Update
The CIS Linux Benchmark now includes 13 additional checks. You can find the additional controls in the
New Features in Serverless Security
Runtime Protection for Azure Functions
New Features in Web Application and API Security (WAAS)
WAAS Out of Band Detection
Out of band is a new mode for deploying Web Application and API Security (WAAS). It enables you to inspect HTTP messages to an application based on a mirror of the traffic, without the need for setting up WAAS as an inline proxy, so that you can receive alerts on malicious requests such as OWASP top alerts, bot traffic, and API events. It provides you with API discovery and alerting without impacting the flow, availability, or response time of the protected web application.
Out of band detection also allows you to extend your WAAS approach:
After you configure a custom rule for out of band mode, all the detections are applied on a read-only copy of the traffic. You can view the out of band traffic details on
Out of band
Out of band observations
OpenAPI Definition File Scanning
You can scan OpenAPI 2.X and 3.X definition files in either YAML or JSON format, and generate a report for any errors or shortcomings such as structural issues and gaps in adherence to security guidelines and best practices.
You can initiate a scan through twistcli, upload a file to the Console, or import a definition file into a WAAS app. The scan reports are available under
API definition scan
Automatic Port Detection of WAAS Applications for Containers or Hosts
When you enable the automatic detection of ports in WAAS Out of band rules, you can secure ports used by unprotected web applications. The automatic detection of ports makes it easier to deploy WAAS at scale because you can protect web applications without knowing which ports are used. Additionally, you can add specific ports to the protected HTTP endpoints within each app in your deployment.
Customization of Response Headers
You can append or override names and values in HTTP response headers sent from WAAS-protected applications for Containers, Hosts, and App-Embedded deployments.
WAAS Actions for HTTP Messages that Exceed Body Inspection Limits
You can now apply the Ban WAAS action for HTTP messages that exceed the body inspection limit and ensure that messages that exceed the inspection limit are not forwarded to the protected application.
To enforce these limits, you must have a minimum Defender version of 22.01 (Joule).
With custom rules, you can apply Out of band Alert actions for HTTP messages that exceed the body inspection limit.
Attacker IP Addition to a Network List
When a WAAS event includes an attacker IP address, you can now directly click a link to add the attacker IP address to an existing or new network list from
Aggregated WAAS events
Regex Match in Forensics Message
When defining a custom rule, you can now define a regular expression to match for strings and include the matched information in the forensics message.
Defender Compatibility with Custom Rules
To make it easier to review and make sure that all Defenders meet the minimum version requirement for a rule, you can now view the minimum Defender version required to use each rule. The Defender version information is displayed in a new column within the custom rules table.
WAAS Proxy Error Statistics
You can view WAAS proxy statistics for blocked requests, the count of requests for which the inspection limit was exceeded, and parsing errors.
WAAS connectivity monitor
DISA STIG Scan Findings and Justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.
New API Endpoints
Introduces a new API endpoint that downloads a detailed report for CVEs in a CSV format.
Introduces a new API endpoint that downloads a detailed report for impacted resources in a CSV format.
Introduces a new API endpoint that updates or edits a WAAS custom rule for out of band traffic.
Introduces a new API endpoint that discovers and detects the HTTP traffic for an existing WAAS out of band custom rule.
Introduces a new API endpoint that fetches the impacted resources list for an existing WAAS out of band custom rule.
Introduces a new API endpoint that scans API definition files and generates a report for any errors or shortcomings such as structural issues, compromised security, best practices, and so on. API definition scan supports scanning OpenAPI 2.X and 3.X definition files in either YAML or JSON format.
Introduces a new API endpoint that fetches the app-embedded runtime metadata.
Introduces a new API endpoint that downloads the app-embedded runtime profiles in a CSV format.
Introduces a new API endpoint that downloads the 64-bit Linux ARM architecture twistcli in a ZIP format.
Changes to Existing API Endpoints
Introduces a change in the existing API endpoint that fetches the vulnerabilities (CVEs) affecting an environment. The data for each CVE, such as impacted packages, highest severity, and so on, is now based on the entire environment irrespective of the collections filter, assigned collections, or assigned accounts.
Also, the impacted resources and distribution counts are not retrieved and are returned as zero when you apply filters or are assigned specific collections or accounts.
Introduces new optional query parameters such as resource type to the existing API endpoint. To maintain backward compatibility, if you don't use these optional query parameters, the API response displays results without pagination and registry images, similar to the response in previous releases (Joule or earlier).
Fixed an issue where a Defender scanning a non-docker (CRI-O) registry incorrectly reported all custom compliance checks as passed.
Fixed an error that overwrote the communication port after upgrading a Defender with a custom port from the Prisma Cloud Console UI.
Fixed an issue with sending automatic emails for alerts to recipients in the dynamic email list, which is based on custom labels that you define as metadata on your cloud resource.
When setting up an alert profile, when you enter a custom label in the Recipients - Dynamic list based on labels (Optional) field within the Alert Profile, the drop-down list displays the eligible email addresses. With this fix, the alert notification is sent to both the static and dynamic recipients you have configured on the alert profile (Add Alert Profile).
Fixed an issue wherein the Defenders blocked application deployments on SELinux due to incorrect SELinux labeling on proxy runc.
With this fix, the original runc SELinux label is applied to the created `runc` proxy binary.
Fixed an issue of duplicate or missing system rules for WAAS.
Fixed an issue with the scanned images filter. With this fix, the filter lists all the tags when multiple images have the same digest.
Fixed an issue that showed different fixes for the same CVE on a single image. Each CVE vulnerability is now consolidated and grouped according to OS version for each image and package.
Fixed an issue where XSS was not detected due to query key/value parsing.
Fixed an issue where fixedDate for Windows vulnerabilities did not update.
The Intelligence Stream is updated to fix an issue where some Red Hat Enterprise Linux (RHEL) packages were incorrectly reported as vulnerable.
In accordance with the security assurance policy, this release contains updates to resolve older vulnerabilities in packaged dependencies:
Console & Defender:
Supported Host Operating Systems and Orchestrators
Prisma Cloud now supports hosts running x86 architecture on multiple platforms and hosts running ARM64 architecture on AWS.
Review the full system requirements for all supported operating systems and orchestrators.
Hosts on x86 Architecture
In this release, Prisma Cloud added support for the following host operating systems on x86 architecture:
Hosts on ARM64
In this release, Prisma Cloud added support for the following host operating systems on ARM64 architecture running on AWS:
Changes in Existing Behavior
No Image Scanning for Short-lived Containers
For short-lived containers, that is, when a container is created and immediately terminated, the image will not be scanned. In previous versions, the image was scanned by monitoring pull events from the registry.
Update Permissions in AWS Agentless Scanning Template
An additional permission is added to the AWS agentless scanning template.
For existing accounts that are enabled for agentless scans, you will need to update the permissions.
Change in Prisma Cloud UI
Credentials for AWS, GCP, and Azure cloud accounts are now under
Scanning Process Impact on Artifact Metadata in JFrog Artifactory
In 22.01 update 2, we updated how the scanning process impacts artifact metadata in JFrog Artifactory. The scanning process no longer updates the Last Downloaded date for all manifest files of all the images in the registry.
In 22.06, we’ve further refined how this works:
As part of the process for evaluating which images should be scanned, in addition to reviewing the manifest files, Prisma Cloud also examines the actual images. Now the Last Downloaded date won't change unless the image is actually pulled and scanned.
"Transparent security tool scanning" is not supported for anything other than Local repositories. If you select anything other than Local in your scan configuration (including virtual repositories backed by local repositories), then Prisma Cloud automatically uses the Docker API to scan all repositories (local, remote, and virtual). When using Docker APIs, the Last Downloaded field in local JFrog Artifactory registries will be impacted by scanning.
If you have a mix of local, remote, and virtual repositories, and you want to ensure that the Last Downloaded date isn't impacted by Prisma Cloud scanning, then create separate scan configurations for local repositories and remote/virtual repositories.
Serial Number Field for Incidents will be Empty
The data collection for incidents in the Prisma Cloud Compute database is capped to 25,000 incidents or 50 MB, whichever limit is reached first.
After the upgrade to 22.06, if the size of your incident collection exceeds this limit, then the oldest incidents that exceed the limit will be dropped.
As part of this change, the serial number field for incidents will now be empty. The serial number was a running count of the incidents according to the size of the data collection. Now that the collection is capped, the serial number is no longer available. To uniquely identify incidents, use the ID field instead.
Use Category Field to Identify Incident Type
A new field category is now available for incident alert integration with Webhook and Splunk to identify the incident type.
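Two of the changes above affect anyone consuming Compute incident alerts: the serial number is empty after 22.06 (so the ID field must identify an incident) and a category field now names the incident type. The following consumer is an added example, not Prisma Cloud code; the payload layout, key names (id, serialNum, category) and category values are constructed assumptions, since the release notes only name the fields.

```python
"""Consume Compute incident alerts (Webhook/Splunk style) after 22.06.

Added example, not Prisma Cloud code. Assumptions (constructed): incidents
arrive as JSON objects with keys "id", "serialNum", "category" and "host".
Facts from the release notes: serialNum is now empty, the ID field uniquely
identifies an incident, and category identifies the incident type.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample deliveries (not real Prisma Cloud payloads). The third
# one is a redelivery of the first, which a webhook consumer must tolerate.
SAMPLE_PAYLOADS = [
    '{"id": "inc-0001", "serialNum": "", "category": "malware", "host": "node-a"}',
    '{"id": "inc-0002", "serialNum": "", "category": "privilegeEscalation", "host": "node-b"}',
    '{"id": "inc-0001", "serialNum": "", "category": "malware", "host": "node-a"}',
    '{"id": "inc-0003", "serialNum": "", "category": "malware", "host": "node-c"}',
]


def incident_key(payload: Dict) -> str:
    """Return the stable identity of an incident.

    Pre-22.06 consumers often keyed on serialNum; that field is now empty,
    so it must never be used as a key. Reject payloads without an ID rather
    than silently collapsing them onto one empty key.
    """
    incident_id = payload.get("id")
    if not incident_id:
        raise ValueError("incident payload has no ID field")
    return str(incident_id)


class IncidentSink:
    """Deduplicates incidents by ID and buckets them by category."""

    def __init__(self) -> None:
        self.seen = set()
        self.by_category: Dict[str, List[Dict]] = defaultdict(list)

    def ingest(self, raw: str) -> bool:
        """Ingest one delivery. Returns True if it was new, False if duplicate."""
        payload = json.loads(raw)
        key = incident_key(payload)
        if key in self.seen:
            return False
        self.seen.add(key)
        # Unknown or missing category is kept visible instead of dropped.
        self.by_category[payload.get("category") or "uncategorized"].append(payload)
        return True

    def counts(self) -> Dict[str, int]:
        """Number of distinct incidents per category."""
        return {cat: len(items) for cat, items in self.by_category.items()}


def process(payloads: List[str]) -> IncidentSink:
    sink = IncidentSink()
    for raw in payloads:
        sink.ingest(raw)
    return sink
```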
Update Existing App-Embedded Collections to Use App IDs Field
With 22.06, all App-Embedded collections including Fargate tasks, will be grouped together in collections using the
Until now, collections of Fargate tasks were specified using the Hosts field in the vulnerability, compliance, and incidents pages.
After upgrading to 22.06, update your existing collections to use the App IDs field rather than the Hosts field to maintain the correct grouping of resources for filtering, assigning permissions, and scoping vulnerability and compliance policies.
Also, the CSV file export for vulnerability scan results, compliance scan results, and incidents has changed. Fargate tasks protected by App-Embedded Defender will be reported under the Apps column instead of the
End of Support and Deprecation Notifications
OpenShift 3.11 End of Support
Red Hat has announced the EOL for OpenShift 3.11. As a result, OpenShift 3.11 is no longer supported on Prisma Cloud.
Debian 9 End of Life
Debian 9 (Stretch) has reached End of Life (EOL), and CVE security vulnerabilities for Debian 9 will no longer be available in the Intelligence Stream feed.
Alert Notifications through External Integrations that Overlap on Prisma Cloud
Starting with the Maxwell release, the external integrations (alert profiles) in Compute that overlap with the Prisma Cloud platform will only be supported on the platform.
For the list of overlapping integrations, see supported alert providers.
Before the Maxwell release, you must set up new integrations on
and delete the overlapping alert profiles defined under
EOL for Windows Server 2016
Support for Windows Server 2022 will be added with or before the next release, Lagrange. With support for Windows Server 2022, Windows Server 2016 will no longer be supported. Microsoft has announced the EOL for Windows Server 2016 as of January 2022.
Docker Access Control with the Access User role
Support for Docker Access Control is being deprecated along with the Access User role.
Support will be removed in the Newton release.
Code Security module for Scanning
Support for scanning your code repositories from the Prisma Cloud Compute console is being deprecated. twistcli for code repo scanning is also being deprecated.
You can use the Code Security module on Prisma Cloud to scan code repositories and CI pipelines for misconfigurations and vulnerabilities.
Support for code repo scanning using Prisma Cloud Compute will be removed in the Newton release.
Backward Compatibility for New Features
UNSUPPORTED COMPONENT (DEFENDER/TWISTCLI)
Support for Google Artifact Registry
Old defenders will not be supported for scanning Artifact Registry.
Registry Scan Enhancements
A new log record was added for Defender finished scanning image, which adds the pull, analysis, and total durations. For older Defenders, the following fields will be zero: ImagePullDuration, ImageAnalysisDuration, ImageScanDuration.
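Because older Defenders report all three duration fields as zero, a monitoring job that averages scan times must treat the zero triple as "timings unknown" rather than as an instant scan. The parser below is an added example, not Prisma Cloud code; the log line layout is constructed for illustration, and only the three field names come from the release notes.

```python
"""Parse 'Defender finished scanning image' records with mixed Defender versions.

Added example, not Prisma Cloud code. The line layout (key=value pairs after
the message) is a constructed assumption; the field names ImagePullDuration,
ImageAnalysisDuration and ImageScanDuration are from the release notes.
Durations are assumed to be in seconds.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real Defender output). The second line is
# what a pre-22.06 Defender produces: all durations zero.
SAMPLE_LOG = """\
2022-07-31T10:00:01Z INFO Defender finished scanning image image=registry.example.com/app:1.2 ImagePullDuration=12 ImageAnalysisDuration=30 ImageScanDuration=42
2022-07-31T10:00:07Z INFO Defender finished scanning image image=registry.example.com/base:8 ImagePullDuration=0 ImageAnalysisDuration=0 ImageScanDuration=0
2022-07-31T10:00:09Z INFO Defender finished scanning image image=registry.example.com/api:3 ImagePullDuration=5 ImageAnalysisDuration=9 ImageScanDuration=14
2022-07-31T10:00:11Z INFO Defender heartbeat ok
"""

DURATION_FIELDS = ("ImagePullDuration", "ImageAnalysisDuration", "ImageScanDuration")
LINE_RE = re.compile(r"Defender finished scanning image\s+image=(?P<image>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\d+)")


@dataclass
class ScanRecord:
    image: str
    pull: Optional[int]      # None when the Defender did not report timings
    analysis: Optional[int]
    total: Optional[int]

    @property
    def has_timings(self) -> bool:
        return self.total is not None


def parse_record(line: str) -> Optional[ScanRecord]:
    """Return a ScanRecord for a finished-scan line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    kv = {k: int(v) for k, v in KV_RE.findall(m.group("fields"))}
    values = [kv.get(f) for f in DURATION_FIELDS]
    if any(v is None for v in values):
        return None  # malformed record: a field is missing entirely
    if all(v == 0 for v in values):
        # Old Defender: the fields exist but carry no information.
        return ScanRecord(m.group("image"), None, None, None)
    return ScanRecord(m.group("image"), *values)


def parse_log(text: str) -> List[ScanRecord]:
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def scan_stats(records: List[ScanRecord]) -> Dict:
    """Average total duration over records that actually carry timings."""
    timed = [r for r in records if r.has_timings]
    untimed = [r.image for r in records if not r.has_timings]
    avg = sum(r.total for r in timed) / len(timed) if timed else None
    return {"timed": len(timed), "untimed_images": untimed, "avg_total": avg}
```

Images listed under untimed_images are the ones still scanned by a pre-22.06 Defender, which is the upgrade backlog this table is about.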
Vulnerability and compliance for Workloads Protected by App-Embedded Defenders
Old app-embedded Defenders (except for ECS Fargate Defenders) will not be supported for vulnerabilities, compliance, and package info. The images running with these Defenders will not be returned in the GET images API. Also, for old ECS Fargate Defenders, the Environment → Apps tab within the image dialog will be empty, even though there are running tasks and their count is displayed on the main images page under the Apps column.
Runtime File System Audits for App-Embedded Defenders
Old App-Embedded Defenders will not have the filesystem capability, so the workloads protected by them cannot be monitored for file system activity.
Rule to Allow Activity in Attached Sessions
Old Defenders will not support the new functionality as they don't have the backend implementation of this toggle.
ARM Support: Add Vulnerability Support for ARM to the Intelligence Stream
Defenders, twistcli, Console and Intelligence Stream
Old Defenders and Consoles won't support ARM64 since they don't have the dedicated implementation. The Intelligence Stream is updated with ARM64 CVEs for all Consoles, but we expect that not every x86 CVE will have a corresponding ARM-related CVE. ARM64 Defenders are required to scan ARM-based images. Make sure to assign the appropriate collections in your Registry Scanning Scope for x86_64 images and ARM64 images to prevent errors in registry scanning. The ALL collection automatically includes the ARM64 Defenders.
Windows defender for Vulnerability and Compliance with Containers
Old Defenders and twistcli will not support the new functionality as they don't have the updated implementation.
Improved Visibility for CaaS workloads protected by App-Embedded Defenders
Old App-Embedded Defenders will not support the new capability of fetching the workload cloud metadata into the App-Embedded profile.
Authenticate with Azure Container Registry using certificate
Older Defenders will not be able to use the new certificate credential for scanning.
Extract Fargate Task Entrypoint and Command Params, Support Fargate Task Definition in CloudFormation Template Format
This requires the new implementation for Fargate task Defenders in twistcli.
Support image tar files scanning with twistcli
Old twistcli versions don't have this implementation.