New Features in the Core Platform

Support for Defender versions extended to n-2.
Defenders can now be up to two versions behind the Console and still provide protection and visibility for your workloads.
To support environments where you have rigorous testing requirements or tighter maintenance schedules for upgrading Defenders, Defenders are now supported for two releases, which significantly extends the supported time period and backward compatibility.
This compatibility is automatically enabled and you don’t need to configure it.

Support for backwards compatibility begins in 21.08. However, 21.08 will only support Defenders from 21.08 and 21.04 (n-1). Starting with the next release (Joule), we’ll offer full n-2 support. That is, Joule will support Defenders from Joule, 21.08 and 21.04.
In 21.08, twistcli and the Jenkins plugin contain new infrastructure to support backwards compatibility, but don’t offer any backwards compatibility yet. In 21.08, twistcli and the Jenkins plugin can only connect and communicate to a 21.08 Console. Starting in Joule, twistcli and the Jenkins plugin will support both Joule and 21.08 (n-1). Starting in Kepler (the release after Joule), we’ll offer full n-2 backwards compatibility.
With our new support for backwards compatibility, auto-upgrade has been deprecated.
Upgrade action from the Console UI for orchestrated Defenders is deprecated, since we are removing auto-upgrade.
Upgrade action from the Console UI is still supported for single Defenders.
twistcli downloads — this API endpoint always downloads the version of twistcli that matches Console’s version, not version specified in the
version
part of the API URI.

The versioning is automatically enabled and you don’t need to configure it. For maximum stability, use these versioned APIs for integrations and automation scripts. The behavior of the versioned endpoints should not change for the entirety of the supported lifecycle of that version. Changes, if any, will be documented. With the backward compatibility support for n-2 releases, you will need to update the version references in the path within your scripts every three releases to ensure compatibility with the product release lifecycle.
The v1 version is always aligned to the latest API that matches the Console version. This means that any change to APIs in the newer version of Console will apply immediately upon upgrade. For /v1 endpoints that are supported and therefore have a versioned API that corresponds, the changes will be documented and impact to your automation will be minimal. For other /v1 endpoints, your must independently review and fix your automation scripts to ensure that your scripts continue to work as expected. The API documentation and release notes will include notifications for changes and deprecations of supported endpoints only and you must update your implementation to keep up-to-date with the latest release.

Prisma Cloud achieves Red Hat Container Security Certification.
Expanding our close partnership with Red Hat we are now pleased to announce that Prisma Cloud is a Red Hat Certified Technology Vulnerability Scanner.
This verifies our extensive capabilities and strengthens our interoperability with Red Hat.
No need to enable it - just yet another product enhancement!

Adds support for defining grace periods based on the severity of the vulnerability. For example, you can decide 30 days for a low severity and 15 for a high severity.
Enhances workflow for configuring Azure AD SAML groups. Adds an option to create an AAD SAML group by OID instead of displayname. The two options are now:
Get OID automatically - This is the current functionality, where you enter the display name of the group.
Set OID manually - This is new functionality in 21.08, where you enter the OID manually (without the display name).
Adds support for JFrog Artifactory webhooks. You can now configure JFrog Artifactory webhooks with Prisma Cloud to scan container images when they’re pushed to the Artifactory registry (alternatively, you can continue using the Docker Registry webhooks for Artifactory).
Adds support for OpenShift 4.8.
Validates support for Istio 1.11. Istio 1.11 is supported on all 21.08 releases.
Adds support for Podman 1.6.4 on RHEL7.
Adds a warning label when AWS access keys are more than 90 days old. Aligns with AWS best practices for long term credentials, which should be rotated every 90 days.
Updates the Intelligence Stream to add coverage for very old Java CVEs (back to year 2000).
Enhances our support for webhook alerts. Webhook alerts now support:
Image, container, and host vulnerabilities.
Image, container, and host compliance issues.
Specifying collections.
Enhanced the details in Syslog for each vulnerability found in CI scans when verbose scans are enabled. The details include:
Path to the vulnerable package.
Layer time and instruction for the layer that contains the vulnerability.

New Features in Container Security

The forensic blackbox recorder now supports Fargate/ App-Embedded Defenders!
With our forensic capabilities you get a complete picture into everything that led up to a security incident - even when that incident was automatically blocked.
We’ve also added more granular runtime support by enabling custom rules for Fargage/App-Embedded Defenders.
As you adopt new workload types, such as AWS Fargate, Azure Container Instances, and Google Cloud Run, Prisma Cloud Compute supports your ability to secure them with custom runtime rules and our extensive forensic data collection capabilities.
These capabilities are automatically enabled and you don’t need to configure them.

With image analysis sandboxing, Prisma Cloud runs your third-party container image in an environment of your choosing, and leverages our machine learning to perform deep inspection of processes, file system, and networking activity pre-deployment. This means you have complete visibility and control over all aspects of any image before you bring it into a live environment with detailed analysis results to both the CLI and the Console UI.
Organizations consume images from many different sources, including container registries maintained by different business units internally, external sources like Docker Hub, or other registries from third-party vendors. This feature means that you have visibliity and control over all images that come into your environment - deep learning to catch malware, cryptominers, and other nasties before they can appear in a live environment.
Use this from the CLI (twistcli) and see results appear there and in Console.
Creates new permissions for the image analysis sandbox that lets users analyze images and read results. By default, these permissions are assigned to Admins and Operators. In this update, the permission is also now assigned to DevOps Users, so that you don’t have to grant privileged roles (Admin, Operator) for users that need to work with image sandbox analysis. Auditor and DevSecOps roles will get read-only access to review results only. For SaaS customers, use the Prisma Cloud permission group that maps to the DevOps role in Compute to grant access to use the image analysis sandbox.

New Features in Host Security

Hosts without a Defender in AWS, Azure, or GCP can now be auto-defended.
With our last Cloud Workload Protection release, we proudly announced our auto-detect and auto-defend capabilities for AWS EC2 instances. Now, Prisma Cloud host security expands and enhances its capabilities to provide auto-defend functionality for virtual machines on Azure and Google Cloud. Now organizations can be confident that workloads they have running across these cloud service providers will have advanced protection capabilities automatically deployed.
Regardless of how hosts come to run in your environment, Prisma Cloud can protect them even if they weren’t bundled with a Defender. This means that you can have confidence across your entire estate - regardless of whether it’s in AWS, GCP, Azure, or all three.
You can enable this in
Manage
Defenders
Deploy
Host auto-defend
.

Expands the types of alerts that you can configure - in this release we’ve increased the options with:
Host vulnerabilities: email, Jira, and webhooks.
Host compliance issues: Jira and webhooks.
Improves AMI scanning.
Adds customization support, you can now scan the AMIs in a VPC and Subnet of your choice.
Adds support for encrypted AMIs, where the keys are part of KMS.
Updates scan configuration. You can now choose the EC2 instance type to spin up for scanning. We recommend not to pick the nano or micro instances.
Supports specifying a custom port for communication between twistcli and Console.

New Features in Serverless Security

Our auto-defend functionality continues to improve.
Largely behind the scenes update, but now customers will have a better experience with proxies, changing the scope of auto-defend to specific labels, delete rules in bulk - the type of things that are small but make a big difference in day to day life.
As serverless is used more and more, we think it’s important to continue enhancing the usability of the product. This update just makes life easier for our customers and means that serverless auto-defend will continue to expand.
Manage
Defenders
Deploy
Serverless auto-defend
to configure it.

Introduces streamline credit consumption model for serverless. Six defended functions now consume one credit, where a defended function is secured at runtime OR scanned for vulnerabilities and compliance.
Adds support for Ruby 2.5 and 2.7 in Serverless Defender.

New Features in Shift Left Security

Pull requests for vulnerabilities can now be automatically raised.
You can now configure the vulnerability rule to raise a PR for vulnerabilities with fixes. Upon scan Prisma Cloud automatically creates PRs when it detects vulnerabilities in your code repository.
Trigger on demand scans with twistcli or have regular scans through our UI but pull requests can now be automatically raised! The PR contains all the information necessary including the CVE, the fixed version, and more!
Defend
Vulnerabilities
Code Repositories
to add a rule and configure it.
Also adds Slack and Jira as alert providers for vulnerabilities found in code repositories.
Manage
Alerts
Manage
to configure it.

Enhances the vulnerabilities feed for Red Hat products.
Users get standardized vulnerability information for RedHat products, including direct links to the RedHat security advisories.
Enhances frontend integrations, like improved Okta integration amongst others.
Adds support for scanning code repos in GitHub Enterprise (in addition to current support for GitHub).
Makes Jenkins plugin proxy-aware - configure it with existing proxy settings from your Console or custom ones in Jenkins.
Expands the Intelligence Stream, building on our Autofocus integrations with more DNS improvements.
Adds an
--output-file
option to
twistcli pcf
, which lets you save scan results to the local file system when analyzing droplets. Also stores scan results in Console.

New Features in WAAS

Using the Console UI or API you can now directly see the health status of your API.
Prisma Cloud Compute now shows you the traffic traversing WAAS, how it was sent to your endpoint and the response code returned from your application.
Now you have the visibility into your network, not just that it’s being secured but everything that passes through WAAS even down to how your application responds. Concerned whether an issue is at the application level, or the WAAS level, or even beyond? Well now you can have direct visibility of each part, showing traffic received, performance, how its handled, and how your application responded. You can get this aggregated hourly or on demand - you’re in control.
As always with Prisma Cloud releases this information ties into alerting:
Certificate no longer valid.
Incoming requests with no origin responses (multiple timeouts).
Multiple 5XX responses received from the application in a short space of time.
Slow responses, WAAS dropping requests, even if WAAS is listening on a non-exposed port.
If you’re already using WAAS you’ll see this information in the
Radar
when you click on a node protected by WAAS.

WAAS now seamlessly inter-operates with Istio and Linkerd.
When deploying WAAS, Prisma Cloud identifies the pods with the labels identifying the service mesh sidecars, and injects the appropriate routing to allow WAAS traffic protection features.
This feature is enabled automatically in your environment - no additional configuration from you!

Your application may involve sensitive information in a query or the message body. Now you can filter this sensitive information and ensure that it is not included in logs.
PII sanitization is important for protecting user privacy as well as to ensure that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others). Now your logs will have any sensitive data censored but still have the correct level of logging.
Tailor this to headers, query parameters, body parameters (raw/form-data/XML/JSON), cookies, or even provide a regex for any part of the captured payload or event/audit.
Go to
Defend
WAAS
to see the available options.

Prisma Cloud WAAS module has been expanded to cover Microsoft Windows hosts.
Defend
WAAS
to get started.

Adds a new page in Console that lists all unprotected web apps that Prisma Cloud has detected.
See
Monitor
WAAS
Unprotected web apps
.

Extends WAAS custom rules to offer the same functionality to resp.body as it does for req.body. WAAS can also now match on specific content type headers.
Allows adding policy exceptions from the event viewer based on specific audits.
Displays a banner notification at the top of Console when a new WAAS virtual patch (custom rule) has been pushed from Prisma Cloud Labs to your Console.
Adds ability to enforce minimum TLS version to prevent downgrade attacks.
Updates WAAS certificate management to alert users about TLS certificate expiration 30 days in advance, rather than 7 days.
Enables you to individually configure the SameSite and Secure attributes for Prisma Cloud session cookies.
Adds support for HTTP Strict Transport Security (HSTS) (RFC 6797) enforcement.
Provides the ability to view certificates that have been uploaded to an app config, so you can confirm what’s been uploaded and monitor its expiration.
Enhances the UI to alert customers when a certificate is about to expire or has already expired.
Adds support for inspecting REST path parameters.

DISA STIG Scan Findings and Justifications

Changes in Existing Behavior