Features Introduced in July 2022

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July 2022.
The host, container, and serverless capabilities on the
tab are being upgraded on Prisma Cloud Enterprise Edition on July 31, 2022. When upgraded, the version will be 22.06.197.

New Features in Prisma Cloud Compute

New Features in the Core Platform
CVE Coverage Update
As part of the 22.06 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Support for Github Security Advisories vulnerabilities including Go, Java, and Python vulnerabilities.
  • Increase of 152% new PRISMA-IDs since the Joule major release.
  • Faster addition of CVEs (pre-filled CVEs).
    The pre-filled CVEs were added to the Intelligence Stream on an average of 56 days before they were analyzed in the NVD. As an example, the SpringShell CVE (CVE-2022-22965) was published on March 31, 2022, and the NVD analysis was completed on April 8, 2022. ‘PRISMA-2022-0130’ was published for the vulnerability on March 30, 2022, and was changed to the CVE as soon as it was published in the NVD.
New Filters in the Vulnerability Explorer
On the
Vulnerability Explorer
, you can now generate a vulnerabilities report using new filters such as CVSS score and severity threshold. In addition to viewing the filtered results for deployed images, registry images, hosts, and functions under
Vulnerability (CVE) results
, on
Vulnerability Explorer
, you can also download a detailed report for CVEs in a CSV format or a detailed report for impacted resources in a CSV format from the Vulnerability Explorer.
Vulnerability Scan Report for Registry Images
With the vulnerabilities report for registry images (
), you can review the top 10 critical CVEs discovered in your registry images and search by a CVE ID to view the results for both registry and deployed images that are impacted by a CVE.
ARM64 Architecture Support
You can now deploy Defenders to protect AWS workloads based on the Linux ARM64 architecture.
With ARM64 support, you can secure your deployments and enhance the cost savings for compute and network-intensive workloads that use cloud-native compute offerings such as the AWS Graviton processor.
To use Prisma Cloud on ARM64 architecture, see the system requirements.
Compliance Alert Triggers for Slack
You can now trigger and send vulnerabilities detected for container and image compliance, and host compliance to your Slack integration.
Integrate with Azure Active Directory Using SAML 2.0
Prisma Cloud Compute now uses the Microsoft Graph API for integrating with Azure Active Directory (AD) resources. This transition is inline with the deprecation notice from Microsoft of the Azure AD Graph API and the Azure Active Directory Authentication Library (ADAL).
For authenticating users on the Prisma Cloud Console, you must replace the
permission for Azure Active Directory Graph with the
permission for the Microsoft Graph API.
OIDC User Identity Mapping
You can map OIDC identities to Prisma Cloud users as required by the specification. Instead of using the default
attribute, you can now use like
Improvements in Runtime Protection
The container model learning is improved to reduce false positive audits when a binary is modified during container creation. The grace time for binaries added after the container has started is now at 10 seconds. Additionally, for CI/CD environments where dedicated containers are used to pull images, you can now allow pulling images.
For example, if a container was started with podman as one of its startup processes, the Dockerfile will allow this action and ignore runtime audits.
Enhanced Coverage for Certificate Authentication with Azure
You can now authenticate with Azure using a certificate for the following integrations:
  • Cloud discovery
  • Azure Key Vault
  • ACR registry scanning
  • Azure serverless function scanning
  • Azure VM image scanning
GKE Autopilot Deployment Improvement
When deploying Defenders into your Kubernetes deployment for GKE Autopilot , you have a new toggle in the console and a corresponding twistcli flag that makes the workflow easier. The improvements automatically remove the mounts that are not relevant to the Autopilot deployment and enable you to add the annotation required to deploy Defenders successfully.
On the console,
, select Kubernetes and enable the Nodes use Container Runtime Interface (CRI), not Docker and GKE Autopilot deployment.
flag in twistcli adds the annotation to the YAML file or Helm chart.
For example,
./twistcli defender export kubernetes --gke-autopilot --cri --cluster-address <console address> --address https://<console address>:8083
New Features in Container Security
Vulnerability and Compliance Scanning for Workloads Protected by App-Embedded Defenders
App-Embedded Defenders can now scan the workloads they protect for vulnerabilities and compliance issues. They can also collect and report package information and metadata about the cloud environments in which they run.
Go to
to review the scan reports.
Improved Visibility for CaaS Workloads Protected by App-Embedded Defenders
For CaaS (Container as a Service) workloads protected by the App-Embedded Defenders, you can now view more metadata on the cloud environment on which it is deployed, forensics, and runtime audits on the
App-Embedded observations
page. You can filter the workloads in the table by a number of facets, including collections, account ID, and clusters.
Runtime File System Audits for App-Embedded Defenders
App-Embedded Defender runtime defense now includes support for container file systems so that you can continuously monitor and protect containers from suspicious file system activities and malware.
Automatically Extract Fargate Task Entrypoint at Embed-Time
To streamline the embed flow and eliminate manual intervention (that is updating task definitions to explicitly specify entrypoints), Prisma Cloud can automatically find the image entrypoint and set it up in the protected task definition.
Now, when Prisma Cloud generates a protected task definition , it knows the entrypoint and/or cmd instructions of the container image during the first run of the App-Embedded Defender.
CloudFormation Template (CFT) Support for Fargate Task Definitions
You can now generate protected Fargate task definitions in the CFT format for embedding an App-Embedded Defender.
Additional Checks for CIS Benchmark for OpenShift
In 22.06, we’ve added support for more checks from the CIS OpenShift benchmark.
Support for Vulnerability and Compliance Scanning for Windows Containers
Windows Container Defender on hosts with the containerd runtime can now scan Windows containers for vulnerabilities and compliance issues. This is supported on AKS only.
In addition, deployed Windows Container Defenders can now be configured to scan Windows images in registries.
for Windows has also been extended to scan Windows images on Windows hosts with containerd installed.
Support for Google Artifact Registry
You can now scan Google Artifact Registries .
Registry Scanning Enhancements
Enhanced registry scanning progress status within the Prisma Cloud Console UI and logs.
The enhancements provide the option to choose whether to stop or continue an in-progress scan when saving the registry settings.
After you , Prisma Cloud automatically scans the images within for vulnerabilities using an improved flow.
Scan Image Tar Files with twistcli
can scan image tarballs for the Docker Image Specification v1.1 and later.
This enhancement enables support for vendors who deliver container images as tar files, not via a registry, and the integration with Kaniko, a tool that builds images in a Kubernetes cluster from a Dockerfile without access to a Docker daemon.
Rule to Allow Activity in Attached Sessions
When you start a session inside pods or containers running in your deployment using commands such as kubectl exec or docker exec, you can now explicitly specify whether the rule should allow the activity in attached sessions. This option on
Defend Runtime Container Policy
Add rule
helps you reduce the volume of alerts generated for the allowed activities and processes.
When enabled, process, network, and filesystem activity executed in an attached session such as kubectl exec, is explicitly allowed without additional runtime analysis.
Only Defender versions 22.06 or later will support this capability.
New Features in Agentless Security
Support for Microsoft Azure
Agentless scanning is now available for vulnerability scanning and compliance scanning on Azure. .
Support for Google Cloud
Agentless scanning is now available for vulnerability scanning and compliance scanning on Google Cloud.
Compliance and Custom Compliance Support
With agentless scanning you can now scan hosts from all three major cloud providers—AWS, Azure, and Google Cloud—against compliance benchmarks. In addition to out of-the-box checks, you can apply user defined custom compliance checks and scan against the host file system.
Unpatched OS Detection
In addition to vulnerabilities and compliance scanning, you can now track pending OS security updates in this release with agentless scanning.
Unscanned Cloud Account Detection
You can now easily discover regions within AWS, Azure, or Google Cloud accounts where agentless scanning is not enabled, and enable scanning for those cloud accounts.
Proxy Support
In this release, you can manage how scanners connect to the Prisma Cloud Console for agentless scanning. If you use a proxy, you can configure the proxy configuration in the scan settings for accounts under
Cloud Accounts
New Features in Host Security
Auto-Defend Host Process Update
When you set up the process to automatically deploy Defenders on hosts, this update ensures that Host Defenders are not deployed on container hosts. Hosts running containers require Container Defenders to protect and secure both the host and the containers on it.
CIS Linux Benchmark Update
The CIS Linux Benchmark now includes 13 additional checks. You can find the additional controls in the
CIS Linux
New Features in Serverless Security
Runtime Protection for Azure Functions
Serverless Defenders now offer runtime protection for Azure Functions. Functions implemented in C# (.NET Core) 3.1 and 6.0 are supported.
New features in Web Application and API Security (WAAS)
WAAS Out of Band Detection
Out of band is a new mode for deploying Web Application and API Security (WAAS). It enables you to inspect HTTP messages to an application based on a mirror of the traffic, without the need for setting up WAAS as an inline proxy, so that you can receive alerts on malicious requests such as OWASP top alerts, bot traffic, and API events. It provides you with API discovery and alerting without impacting the flow, availability, or response time of the protected web application.
Out of band detection also allows you to extend your WAAS approach:
  • You can monitor your resources deployed on AWS with VPC traffic mirroring from workloads. This option gives you the flexibility to monitor environments without deploying Defenders.
  • If you have deployed Defenders in your environment, but are not using the WAAS capabilities on Compute, you can mirror traffic for an out of band inspection without requiring any additional configuration.
After you configure a custom rule for out of band mode (
Out of band
), all the detections are applied on a read-only copy of the traffic. And you can view the out of band traffic details on
API observations
Out of band observations
OpenAPI Definition File Scanning
You can scan OpenAPI 2.X and 3.X definition files in either YAML or JSON formats, and generate a report for any errors or shortcomings such as structural issues, gaps in adherence to security guidelines and best practices.
You can initiate a scan through twistcli, upload a file to the Console, or import a definition file in to a WAAS app. The scan reports are available under
API definition scan
Automatic Port Detection of WAAS Applications for Containers or Hosts
When you enable the automatic detection of ports in WAAS
, or
Out of band
rules, you can secure ports used by unprotected web applications. The automatic detection of ports makes it easier to deploy WAAS at scale because you can protect web applications without the knowledge of which ports are used. Additionally, you can add specific ports to the protected HTTP endpoints within each app in your deployment.
Customization of Response Headers
You can append or override names and values in HTTP response headers for Containers, Hosts, and App Embedded deployments that are sent from WAAS protected applications.
WAAS Actions for HTTP Messages that Exceed Body Inspection Limits
You can now apply the
, or
WAAS actions for HTTP messages that exceed the body inspection limit and ensure that messages that exceed the inspection limit are not forwarded to the protected application.
To enforce these limitions, you must have a minimum Defender version of 22.01 (Joule).
And with custom rules (
Out of band
), you can apply
actions for HTTP messages that exceed the body inspection limit.
Attacker IP Addition to a Network List
When a WAAS event includes an attacker IP address, you can now directly click a link to add the attacker IP address to an existing or new network list from
Aggregated WAAS events
Regex Match in Forensics Message
When defining a custom rule, you can now define a regular expression to match for strings and include the matched information in the forensics message.
Defender Compatibility with Custom Rules
To make it easier to review and make sure that all Defenders meet the minimum version requirement for a rule, you can now view the minimum Defender version required to use each rule. The Defender version information is displayed in a new column within the custom rules table.
WAAS Proxy Error Statistics
WAAS connectivity monitor
you can view WAAS proxy statistics for blocked requests, count of requests when the inspection limit was exceeded, and parsing errors.

DISA STIG Scan Findings and Justifications

Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

API Changes

New API Endpoints
GET /stats/vulnerabilities/download
Introduces a new API endpoint that downloads a detailed report for CVEs in a CSV format.
GET /stats/vulnerabilities/impacted-resources/download
Introduces a new API endpoint that downloads a detailed report for impacted resources in a CSV format.
PUT policies/firewall/app/out-of-band
Introduces a new API endpoint that updates or edits a WAAS custom rule for
out of band traffic
GET policies/firewall/app/out-of-band
Introduces a new API endpoint that discovers and detects the HTTP traffic for an existing WAAS out of band custom rule.
GET policies/firewall/app/out-of-band/impacted
Introduces a new API endpoint that fetches the impacted resources list for an existing WAAS out of band custom rule.
POST waas/openapi-scans
Introduces a new API endpoint that scans the API definition files and generates a report for any errors, or shortcomings such as structural issues, compromised security, best practices, and so on. API definition scan supports scanning OpenAPI 2.X and 3.X definition files in either YAML or JSON formats.
GET profiles/app-embedded
Introduces a new API endpoint that fetches the app-embedded runtime metadata.
GET profiles/app-embedded/download
Introduces a new API endpoint that downloads the app-embedded runtime profiles in a CSV format.
GET util/arm64/twistcli
Introduces a new API endpoint that downloads an x64 bit Linux ARM architecture twistcli in a ZIP format.
Changes to Existing API Endpoints
GET /stats/vulnerabilities
Introduces a change in the existing API endpoint that fetches the vulnerabilities (CVEs) affecting an environment. The data for each CVE, such as impacted packages, highest severity, and so on, is now based on the entire environment irrespective of the collections filter, assigned collections, or assigned accounts.
Also, the impacted resources and distribution counts are not retrieved and are returned as zero when you apply filters or are assigned with specific collections or accounts.
GET /stats/vulnerabilities/impacted-resources
Introduces new optional query parameters such as
resource type
to the existing API endpoint. To enable backward compatibility, if you don’t use these optional query parameters, the API response will display results without pagination and registry images, and similar to the response in the previous releases (Joule or earlier).

Addressed Issues

Fixed an issue where a Defender scanning a non-docker (CRI-O) registry incorrectly reported all custom compliance checks as passed.
Fixed error that overwrote the communication port after upgrading a Defender with a custom port from the Prisma Cloud Console UI.
Fixed an issue with sending automatic emails for alerts to recipients in the dynamic email list, which is based on custom labels that you define as metadata on your cloud resource.
When setting up an alert profile, when you now you enter a custom label in the
Recipients - Dynamic list based on labels (Optional)
within the
Alert Profile
, the drop-down list displays the list of eligible email addresses.With this fix, the alert notification is sent to both the static and dynamic recipients you have configured on the alert profile (
Add Alert Profile
Fixed an issue wherein the Defenders blocked application deployments on SELinux due to incorrect SELinux labeling on proxy runc.
With this fix, the original runc SELinux label is applied to the created `runc` proxy binary.
Fixed an issue of duplicate or missing system rules for WAAS.
Fixed issue with the scanned images filter.
With this fix the filter lists all the tags when multiple images have the same digest.
Fixed an issue that showed different fixes for the same CVE on a single image. Each CVE vulnerability is now consolidated and grouped according to OS version for each image and package.
Fixed an issue where XSS was not detected due to query key/value parsing.
Fixed an issue where fixedDate for Windows vulnerabilities did not update.
The Intelligence Stream is updated to fix an issue where some Red Hat Enterprise Linux (RHEL) packages were incorrectly reported as vulnerable.
Security Fixes
In accordance with the security assurance policy, this release contains updates to resolve older vulnerabilities in packaged dependencies:
Console & Defender:
  • Upgraded Go Lang version
  • Removed mongodb-tools binaries
  • Containerd updates for Kubernetes (github.com/containerd/containerd)
  • Open Policy Agent updates (github.com/open-policy-agent/opa)
  • Runc updates (github.com/opencontainers/runc)
  • Kubernetes (k8s.io/kubernetes)
  • Mongod
  • Mongodb Go driver (go.mongodb.org/mongo-driver)
  • AWS SDK for Go (github.com/aws/aws-sdk-go)
  • Dependency updates for:
    • Package xz (github.com/ulikunitz/xz)
    • YAML for Go package (gopkg.in/yaml.v3)
  • github.com/docker/distribution
  • github.com/tidwall/gjson
  • Dependency updates for com.google.code.gson_gson

Supported Host Operating Systems and Orchestrators

Prisma Cloud now supports hosts running x86 architecture on multiple platforms and hosts running ARM64 architecture on AWS.
Review the full system requirements for all supported operating systems and orchestrators.
Hosts on x86 Architecture
In this release, Prisma Cloud added support for the following host operating systems on x86 architecture:
  • Bottlerocket OS 1.7
  • Latest Amazon Linux 2
  • Latest Container-Optimized OS on Google Cloud
  • Ubuntu 22.04 LTS
Hosts on ARM64
In this release, Prisma Cloud added support for the following host operating systems on ARM64 architecture running on AWS:
  • Amazon Linux 2
  • Ubuntu 18.04 LTS
  • Debian 10
  • RHEL 8.4
  • CentOS 8
  • Photon OS 4
  • Google Kubernetes Engine (GKE) version 1.23.7 with containerd version 1.5.11
  • GKE version 1.24.1 running on ARM64 architecture. For the full announcement, refer to our blog.
  • VMware Tanzu Kubernetes Grid Integrated (TKGI) version 1.14
  • VMware Tanzu Kubernetes Grid Multicloud (TKGM) version 1.5.1 on Photon 3 and Ubuntu 20.04.03 LTS

Changes in Existing Behavior

No Image Scanning for Short-lived Containers
For short-lived containers, that is, when a container is created and immediately terminated, the image will not be scanned. In previous versions, the image was scanned by monitoring pull events from the registry.
Update Permissions in AWS Agentless Scanning Template
An additional permission is added to AWS agentless scanning template.
For existing accounts that are enabled for agentless scans you will need to update the permissions.
Change in Prisma Cloud UI
Credentials for AWS, GCP, and Azure cloud accounts are now under
Cloud Accounts
Scanning Process Impact on Artifact Metadata in JFrog Artifactory
In 22.01 update 2, we updated how the scanning process impacts artifact metadata in JFrog Artifactory. The scanning process no longer updates the
Last Downloaded
date for all manifest files of all the images in the registry.
In 22.06, we’ve further refined how this works:
As part of the process for evaluating which images should be scanned, in addition to reviewing the manifest files, Prisma Cloud also examines the actual images. Now the
Last Downloaded
date won’t change unless the image is actually pulled and scanned.
"Transparent security tool scanning" is
supported for anything other than
repositories. If you select anything other than Local in your scan configuration (including virtual repositories backed by local repositories), then Prisma Cloud automatically uses the Docker API to scan all repositories (local, remote, and virtual). When using Docker APIs, the
Last Downloaded
field in local JFrog Artifactory registries will be impacted by scanning.
If you’ve got a mix of local, remote, and virtual repositories, and you want to ensure that the
Last Downloaded
date isn’t impacted by Prisma Cloud scanning, then create separate scan configurations for local repositories and remote/virtual repositories.
Serial Number Field for Incidents will be Empty
The data collection for incidents in the Prisma Cloud Compute database is capped to 25,000 incidents or 50 MB, whichever limit is reached first.
After the upgrade to 22.06, if the size of your incident collection exceeds this limit, then the oldest incidents that exceed the limit will be dropped.
As part of this change, the serial number field for incidents will now be empty. The serial number was a running count of the incidents according to the size of the data collection. Now that the collection is capped, the serial number is no longer available. To uniquely identify incidents, use the ID field instead.
Use Category Field to Identify Incident Type
A new field
is now available for incidents alert integration with Webhook and Splunk to identify the incident type.
Update Existing App-Embedded Collections to Use App IDs Field
With 22.06, all App-Embedded collections including Fargate tasks, will be grouped together in collections using the
App ID
Until now, collections of Fargate tasks were specified using the
field in vulnerability, compliance, and incidents pages.
After upgrading to 22.06, update your existing collections to use the
App IDs
field rather than the
field to maintain the correct grouping of resources for filtering, assigning permissions, and scoping vulnerability and compliance policies.
Also, the CSV file export for vulnerability scan results, compliance scan results, and incidents has changed. Fargate tasks protected by App-Embedded Defender will be reported under the
column instead of the

End of Support and Deprecation Notifications

Openshift 3.11 End of Support
RedHat has announced the EOL for Openshift 3.11. So, Openshift 3.11 is no longer supported on Prisma Cloud.
Debian 9 End of Life
Debian 9 (Stretch) has reached End of Life (EOL), and CVE security vulnerabilities for Debian 9 will no longer be available in the Intelligence Stream feed.
Alert Notifications through External Integrations that Overlap on Prisma Cloud
Starting with the Maxwell release, the external integrations (
alert profiles
) in Compute that overlap with the Prisma Cloud platform will only be supported on the platform.
Before the Maxwell release, you must set up new integrations on
and delete the overlapping alert profiles defined under
For the list of overlapping integrations, see supported alert providers.
EOL for Windows Server 2016
Support for Windows Server 2022 will be added with or before the next release, Lagrange. With support for Windows Server 2022, Windows Server 2016 will no longer be supported. Microsoft has announced the EOL for Windows Server 2016 as of January,2022.
Docker Access Control with the Access User role
Support for Docker Access Control is being deprecated along with the Access User role.
Support will be removed in the Newton release.
Code Security module for Scanning
Support for scanning your code repositories from the Prisma Cloud Compute console (
Code repositories
) is being deprecated. Twistcli for code rep scanning is also being deprecated.
You can use the Code Security module on Prisma Cloud to scan code repositories and CI pipelines for misconfigurations and vulnerabilities.
Support for code repo scanning using Prisma Cloud Compute will be removed in the Newton release.

Backward Compatibility for New Features

Support for Google Artifact Registry
Old defenders will not be supported for scanning Artifact Registry.
Registry Scan Enhancements
A new log record was added for Defender finished scanning image, which adds pull, analysis and total duration. For older defenders, the following fields will be zero: ImagePullDuration, ImageAnalysisDuration, ImageScanDuration.
Vulnerability and compliance for Workloads Protected by App-Embedded Defenders
Old app-embedded Defenders (except for ECS Fargate Defenders) will not be supported for vulnerabilities, compliance, and package info. The images running with these Defenders will not be returned in the GET images API. Also, for old ECS Fargate Defenders, the Environment → Apps tab within the image dialog will be empty, even though there are running tasks and their count is displayed on the main images page under the Apps column.
Runtime File System Audits for App-Embedded Defenders
Old app-embedded Defeders will not be able to have the filesystem capability, so the workloads protected by them can not be monitored for FS.
Rule to Allow Activity in Attached Sessions
Old Defenders will not support the new functionality as they don’t have the backend implementation part of this toggle
Support ARM: Add vulnerabilities support for ARM to the IS ARM support
Defenders, twistcli, Console and Intelligence Stream
Old defenders and consoles won’t support ARM64 since there isn’t any the dedicated implementation. The Intelligence Stream is updated with ARM64 CVEs for all consoles, but as we predict, it won’t be common to get an ARM related CVE for each x86 CVE. ARM64 Defenders are required to scan ARM-based images. Make sure to assign the appropriate collections in your Registry Scanning Scope for x86_64 images and ARM64 images to prevent errors in the registry scanning. The ALL collection automatically includes the ARM64 Defenders.
Windows defender for Vulnerability and Compliance with Containers
Defenders, twistcli
Old Defendersand twistcli will not support the new functionality as they don’t have the updated implementation
Improved Visibility for CaaS workloads protected by App-Embedded Defenders
Old App-Embedded Defenders will not be supported, the new capability of fetching the workload cloud metadata to App-Embedded profile
Authenticate with Azure Container Registry using certificate
We will have a problem with using the new credential in scanning with older defenders, they will not be able to use this credential
Extract Fargate task Entrypoint and Command Params, Support Fargate Task Definition in CloudFormation Template format
New implementation for Fargate Task defenders in twistcli
Support image tar files scanning with twistcli
Old twistcli version doesn’t have this implementation

Recommended For You