Features Introduced in June 2023
Table of Contents
Features Introduced in June 2023
Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2023.
The host, container, and serverless capabilities on the
Compute
tab are being upgraded starting on June 25, 2023. When upgraded, the version will be 30.02.123.New Features in Prisma Cloud Compute
Feature | Description |
CVE Coverage Update | |
As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
| |
Enhancements | |
Container Runtime Types in Defender Deployment Workflow | The Defender deployment workflows now support Docker, CRI-O, and Containerd container runtime types. When installing a Defender using twistcli, pass the --container-runtime flag with the selecttion for the runtime that you use - docker, cri-o, or containerd.  |
Support custom compliance checks | Added support for custom compliance checks on clusters running containerd runtime. |
Added Support for Managed Identities in Azure | Added support for Azure Managed Identities to authenticate any Azure resources that support AD authentication without adding keys in Prisma Console.
To use this authentication method, add an Azure role with required permissions to scan the resources under Manage > Cloud accounts . |
Support for New Operating Systems | |
Windows Server 2016 | Reinstating the support for Defenders on Windows 2016. For details on the extended support from Microsoft, see the Microsoft documentation. |
Added new NAT gateway IP addresses | Prisma Cloud is adding new NAT IP addresses for the Compute SaaS Console Region in GCP. The egress IPs for connections from The Compute SaaS Console to the internet in us-east 1 (South Carolina) are:
34.139.64.150 and 34.139.249.192. Make sure to add these IP addresses to your allow list.
These IP addresses will be added to the documentation. |
New Features in Agentless Security | |
Encrypted volumes support in GCP with hub mode | This feature adds the capability to scan encrypted volumes in GCP with agentless scanning when using hub mode. |
New Features in Host Security | |
Change in the format of runtime events information used in notification webhooks | Replaced the aggregated and rest macros with the following macros:
This change fixes an issue where some of the aggregated alerts were missing fields like ContainerID, Namespace, and User. The aggregated and rest macros are still available but are being deprecated after the two upcoming releases following our deprecation notice policy.
For existing settings of alert providers, you must edit the alert structure and use the new macros. |
API Changes
CHANGE | DESCRIPTION |
Add Backward Compatibility to api/v1/cloud/discovery/entities | The api/vVERSION/cloud/discovery/entities API endpoint is now available as a supported and backward-compatible route to view the cloud discovered entities. |
Monitor the status of an OnDemand and Regular registry scan | The new API endpoint api/vVERSION/registry/progress is available to view the progress of onDemand and regular ongoing registry scans. Set the request parameter onDemand to true to view progress of an ongoing on-demand scan. By default, onDemand is set to false and shows the progress of a regular scan. |
Breaking Changes in API
CHANGE | DESCRIPTION |
Defender APIs modified to support the containerd runtime | The following APIs have been enhanced to include support for the containerd runtime in addition to the existing Docker and CRI-O runtimes: The cri boolean parameter (in the common.DaemonSetOptions schema) in the above endpoints has been replaced by the common.ContainerRuntime schema in the 30.02 release, as shown below: Old (30.01 and earlier releases) Example request schema showing cri set to a boolean value true for Docker and CRI-O:
New (in release 30.02) From 30.02, you can set the following values for container runtime:
Example request schema showing cri is replaced with containerRuntime :
You must update existing scripts that use either of the two endpoints when you upgrade to 30.02 or a future release. |
Deprecation Notice
Cloud Native Network Segmentation (CNNS) Deprecation | The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts is being deprecated. The configuration settings on the console ( Compute > Defend > CNNS ) and the corresponding APIs for CNNS will be removed in the next major release.
Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively, and this will continue to be available.List of deprecated API endpoints: |
Macros for Runtime Events Webhooks | The aggregated and rest macros will be deprecated.
For the existing webhook alerts, you can edit the custom JSON body and replace #aggregated macro with #aggregatedAlerts and #rest macro with #dropped. |