Features Introduced in October 2021

Learn about the new Compute capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in October 2021.
The following host, container, and serverless capabilities will be available on the
Compute
tab on Prisma Cloud Enterprise Edition starting October 17, 2021. When upgraded, the version will be 21.08.520

New Features in Prisma Cloud Compute

Review the exciting new Compute features on Prisma Cloud Enterprise Edition.
NEW FEATURE
DESCRIPTION
Unified Notifications
If you have configured integrations to send Prisma Cloud alerts as notifications to external services for streamlining your workflows, you can now reuse the same integrations for alert profiles on Compute. With this enhancement, when Defenders detect security issues on your host, container and serverless functions, you can send alerts to the following external services:
  • JIRA
  • Slack
  • PagerDuty
  • Webhooks
  • Email—Prisma Cloud makes this simpler as the SMTP server set up is provided with the Prisma Cloud platform.
  • Splunk—
    New
    Notification service support for Compute.
  • Google Cloud Security Command Center—Only available cloud accounts that are onboarded to Prisma Cloud.
  • AWS Security Hub —Only available cloud accounts that are onboarded to Prisma Cloud.
  • ServiceNow - Support for Incident Response workflows only.
Discovery of Unsecured Workloads on Cloud Radar
When you onboard a cloud account on Prisma Cloud (
Settings
Cloud Accounts
), and import this account to enable Cloud Discovery on
Compute
, Prisma Cloud analyzes the security posture and state of cloud resources deployed in this account and discovers unsecured workloads in the
Cloud Radar
. This visibility enables you to automatically deploy a Defender to secure hosts on Azure and GCP, in addition to the current support for AWS.
With this enhancement, Prisma Cloud is optimizing API calls to the Cloud Service Provider and using the data ingested from the Cloud accounts for both CSPM and cloud discovery capabilities, thereby reducing the time to learn about potential risks to your organization.
Versioned APIs
With API versioning, as your Console is upgraded to newer versions, you can continue to use older versioned APIs with stability and migrate to newer version APIs at your convenience within the N-2 support lifecycle.
Versioned API endpoints contain the version of the API within the URI. For example, all the versioned APIs for this release begin with /api/v21.08/ in the URI.
The deployment scripts and twistcli that you download from Console, will use the Prisma Cloud Compute APIs associated with the specific version of Console. This versioning is automatically enabled and documented for use.
Cloud Account Onboarding Templates—Permission Updates
To automatically deploy Defenders for unsecured workloads, additional permissions will be added to the onboarding templates. Review the complete list of all Compute feature-wise permissions that will enable you to adopt the Compute capabilities more easily.
In addition to the features listed above, for a complete list of Cloud Workload Protection features such as Image Analysis Sandbox, and Web Application and API Security (WAAS) enhancements that are included in this release, see:

New Features in the Core Platform

Extending Support for Defender
  • Support for Defender versions extended to n-2.
  • Defenders can now be up to two versions behind the Console and still provide protection and visibility for your workloads.
  • To support environments where you have rigorous testing requirements or tighter maintenance schedules for upgrading Defenders, Defenders are now supported for two releases, which significantly extends the supported time period and backward compatibility.
  • This compatibility is automatically enabled and you don’t need to configure it.
Notes about extended support (also known as “backwards compatibility”) in 21.08:
  • Support for backwards compatibility begins in 21.08. However, 21.08 will only support Defenders from 21.08 and 21.04 (n-1). Starting with the next release (Joule), we’ll offer full n-2 support. That is, Joule will support Defenders from Joule, 21.08 and 21.04.
  • In 21.08, twistcli and the Jenkins plugin contain new infrastructure to support backwards compatibility, but don’t offer any backwards compatibility yet. In 21.08, twistcli and the Jenkins plugin can only connect and communicate to a 21.08 Console. Starting in Joule, twistcli and the Jenkins plugin will support both Joule and 21.08 (n-1). Starting in Kepler (the release after Joule), we’ll offer full n-2 backwards compatibility.
    • With our new support for backwards compatibility, auto-upgrade has been deprecated.
    • Upgrade action from the Console UI for orchestrated Defenders is deprecated, since we are removing auto-upgrade.
    • Upgrade action from the Console UI is still supported for single Defenders.
  • twistcli downloads — this API endpoint always downloads the version of twistcli that matches Console’s version, not version specified in the
    version
    part of the API URI.
Versioned API
With each release, the API endpoints will now be versioned and the API version is specified in the URI. For example, the APIs for this release begin with /api/v21.08/ in the URI. This means that twistcli and automation scripts that use the Prisma Cloud Compute APIs will be associated with a specific version, so that you have maximum stability with the version you consume and can update your integration at your schedule within the support lifecycle for the API version.
  • The versioning is automatically enabled and you don’t need to configure it. For maximum stability, use these versioned APIs for integrations and automation scripts. The behavior of the versioned endpoints should not change for the entirety of the supported lifecycle of that version. Changes, if any, will be documented. With the backward compatibility support for n-2 releases, you will need to update the version references in the path within your scripts every three releases to ensure compatibility with the product release lifecycle.
  • The v1 version is always aligned to the latest API that matches the Console version. This means that any change to APIs in the newer version of Console will apply immediately upon upgrade. For /v1 endpoints that are supported and therefore have a versioned API that corresponds, the changes will be documented and impact to your automation will be minimal. For other /v1 endpoints, your must independently review and fix your automation scripts to ensure that your scripts continue to work as expected. The API documentation and release notes will include notifications for changes and deprecations of supported endpoints only and you must update your implementation to keep up-to-date with the latest release.
Red Hat Container Security Certification
  • Prisma Cloud achieves Red Hat Container Security Certification.
  • Expanding our close partnership with Red Hat we are now pleased to announce that Prisma Cloud is a Red Hat Certified Technology Vulnerability Scanner.
  • This verifies our extensive capabilities and strengthens our interoperability with Red Hat.
  • No need to enable it - just yet another product enhancement!
Additional New Functionality
  • Adds support for defining grace periods based on the severity of the vulnerability. For example, you can decide 30 days for a low severity and 15 for a high severity.
  • Enhances workflow for configuring Azure AD SAML groups. Adds an option to create an AAD SAML group by OID instead of displayname. The two options are now:
    • Get OID automatically - This is the current functionality, where you enter the display name of the group.
    • Set OID manually - This is new functionality in 21.08, where you enter the OID manually (without the display name).
  • Adds support for JFrog Artifactory webhooks. You can now configure JFrog Artifactory webhooks with Prisma Cloud to scan container images when they’re pushed to the Artifactory registry (alternatively, you can continue using the Docker Registry webhooks for Artifactory).
  • Adds support for OpenShift 4.8.
  • Validates support for Istio 1.11. Istio 1.11 is supported on all 21.08 releases.
  • Adds support for Podman 1.6.4 on RHEL7.
  • Adds a warning label when AWS access keys are more than 90 days old. Aligns with AWS best practices for long term credentials, which should be rotated every 90 days.
  • Updates the Intelligence Stream to add coverage for very old Java CVEs (back to year 2000).
  • Enhances our support for webhook alerts. Webhook alerts now support:
    • Image, container, and host vulnerabilities.
    • Image, container, and host compliance issues.
    • Specifying collections.
  • Enhanced the details in Syslog for each vulnerability found in CI scans when verbose scans are enabled. The details include:
    • Path to the vulnerable package.
    • Layer time and instruction for the layer that contains the vulnerability.

New Features in Container Security

Fargate/App-Embedded Defender
  • The forensic blackbox recorder now supports Fargate/ App-Embedded Defenders!
    • With our forensic capabilities you get a complete picture into everything that led up to a security incident - even when that incident was automatically blocked.
  • We’ve also added more granular runtime support by enabling custom rules for Fargage/App-Embedded Defenders.
  • As you adopt new workload types, such as AWS Fargate, Azure Container Instances, and Google Cloud Run, Prisma Cloud Compute supports your ability to secure them with custom runtime rules and our extensive forensic data collection capabilities.
  • These capabilities are automatically enabled and you don’t need to configure them.
Image Analysis Sandbox
  • With image analysis sandboxing, Prisma Cloud runs your third-party container image in an environment of your choosing, and leverages our machine learning to perform deep inspection of processes, file system, and networking activity pre-deployment. This means you have complete visibility and control over all aspects of any image before you bring it into a live environment with detailed analysis results to both the CLI and the Console UI.
  • Organizations consume images from many different sources, including container registries maintained by different business units internally, external sources like Docker Hub, or other registries from third-party vendors. This feature means that you have visibliity and control over all images that come into your environment - deep learning to catch malware, cryptominers, and other nasties before they can appear in a live environment.
  • Use this from the CLI (twistcli) and see results appear there and in Console.
  • Creates new permissions for the image analysis sandbox that lets users analyze images and read results. By default, these permissions are assigned to Admins and Operators. In this update, the permission is also now assigned to DevOps Users, so that you don’t have to grant privileged roles (Admin, Operator) for users that need to work with image sandbox analysis. Auditor and DevSecOps roles will get read-only access to review results only. For SaaS customers, use the Prisma Cloud permission group that maps to the DevOps role in Compute to grant access to use the image analysis sandbox.

New Features in Host Security

Auto-defend Hosts Running across AWS, GCP, and Azure
  • Hosts without a Defender in AWS, Azure, or GCP can now be auto-defended.
  • With our last Cloud Workload Protection release, we proudly announced our auto-detect and auto-defend capabilities for AWS EC2 instances. Now, Prisma Cloud host security expands and enhances its capabilities to provide auto-defend functionality for virtual machines on Azure and Google Cloud. Now organizations can be confident that workloads they have running across these cloud service providers will have advanced protection capabilities automatically deployed.
  • Regardless of how hosts come to run in your environment, Prisma Cloud can protect them even if they weren’t bundled with a Defender. This means that you can have confidence across your entire estate - regardless of whether it’s in AWS, GCP, Azure, or all three.
  • You can enable this in
    Manage
    Defenders
    Deploy
    Host auto-defend
    .
Additional New Functionality
  • Expands the types of alerts that you can configure - in this release we’ve increased the options with:
    • Host vulnerabilities: email, Jira, and webhooks.
    • Host compliance issues: Jira and webhooks.
  • Improves AMI scanning.
    • Adds customization support, you can now scan the AMIs in a VPC and Subnet of your choice.
    • Adds support for encrypted AMIs, where the keys are part of KMS.
    • Updates scan configuration. You can now choose the EC2 instance type to spin up for scanning. We recommend not to pick the nano or micro instances.
    • Supports specifying a custom port for communication between twistcli and Console.

New Features in Serverless Security

Auto-defend Enhancements
  • Our auto-defend functionality continues to improve.
  • Largely behind the scenes update, but now customers will have a better experience with proxies, changing the scope of auto-defend to specific labels, delete rules in bulk - the type of things that are small but make a big difference in day to day life.
  • As serverless is used more and more, we think it’s important to continue enhancing the usability of the product. This update just makes life easier for our customers and means that serverless auto-defend will continue to expand.
  • Manage
    Defenders
    Deploy
    Serverless auto-defend
    to configure it.
Additional New Functionality
  • Introduces streamline credit consumption model for serverless. Six defended functions now consume one credit, where a defended function is secured at runtime OR scanned for vulnerabilities and compliance.
  • Adds support for Ruby 2.5 and 2.7 in Serverless Defender.

New Features in Shift Left Security

Automated Github PRs
  • Pull requests for vulnerabilities can now be automatically raised.
  • You can now configure the vulnerability rule to raise a PR for vulnerabilities with fixes. Upon scan Prisma Cloud automatically creates PRs when it detects vulnerabilities in your code repository.
  • Trigger on demand scans with twistcli or have regular scans through our UI but pull requests can now be automatically raised! The PR contains all the information necessary including the CVE, the fixed version, and more!
  • Defend
    Vulnerabilities
    Code Repositories
    to add a rule and configure it.
  • Also adds Slack and Jira as alert providers for vulnerabilities found in code repositories.
  • Manage
    Alerts
    Manage
    to configure it.
Additional New Functionality
  • Enhances the vulnerabilities feed for Red Hat products.
  • Users get standardized vulnerability information for RedHat products, including direct links to the RedHat security advisories.
  • Enhances frontend integrations, like improved Okta integration amongst others.
  • Adds support for scanning code repos in GitHub Enterprise (in addition to current support for GitHub).
  • Makes Jenkins plugin proxy-aware - configure it with existing proxy settings from your Console or custom ones in Jenkins.
  • Expands the Intelligence Stream, building on our Autofocus integrations with more DNS improvements.
  • Adds an
    --output-file
    option to
    twistcli pcf
    , which lets you save scan results to the local file system when analyzing droplets. Also stores scan results in Console.

New Features in WAAS

API Security Health Monitor
  • Using the Console UI or API you can now directly see the health status of your API.
  • Prisma Cloud Compute now shows you the traffic traversing WAAS, how it was sent to your endpoint and the response code returned from your application.
  • Now you have the visibility into your network, not just that it’s being secured but everything that passes through WAAS even down to how your application responds. Concerned whether an issue is at the application level, or the WAAS level, or even beyond? Well now you can have direct visibility of each part, showing traffic received, performance, how its handled, and how your application responded. You can get this aggregated hourly or on demand - you’re in control.
  • As always with Prisma Cloud releases this information ties into alerting:
    • Certificate no longer valid.
    • Incoming requests with no origin responses (multiple timeouts).
    • Multiple 5XX responses received from the application in a short space of time.
    • Slow responses, WAAS dropping requests, even if WAAS is listening on a non-exposed port.
  • If you’re already using WAAS you’ll see this information in the
    Radar
    when you click on a node protected by WAAS.
Service Mesh Integration
  • WAAS now seamlessly inter-operates with Istio and Linkerd.
  • When deploying WAAS, Prisma Cloud identifies the pods with the labels identifying the service mesh sidecars, and injects the appropriate routing to allow WAAS traffic protection features.
  • This feature is enabled automatically in your environment - no additional configuration from you!
Protecting Logs from PII/Sensitive Information
  • Your application may involve sensitive information in a query or the message body. Now you can filter this sensitive information and ensure that it is not included in logs.
  • PII sanitization is important for protecting user privacy as well as to ensure that logs comply with relevant regulations (PCI, GDPR, HIPAA, amongst others). Now your logs will have any sensitive data censored but still have the correct level of logging.
    • Tailor this to headers, query parameters, body parameters (raw/form-data/XML/JSON), cookies, or even provide a regex for any part of the captured payload or event/audit.
  • Go to
    Defend
    WAAS
    to see the available options.
Windows Support
  • Prisma Cloud WAAS module has been expanded to cover Microsoft Windows hosts.
  • Defend
    WAAS
    to get started.
Unprotected Web App Report
  • Adds a new page in Console that lists all unprotected web apps that Prisma Cloud has detected.
  • See
    Monitor
    WAAS
    Unprotected web apps
    .
Additional New Functionality
  • Extends WAAS custom rules to offer the same functionality to resp.body as it does for req.body. WAAS can also now match on specific content type headers.
  • Allows adding policy exceptions from the event viewer based on specific audits.
  • Displays a banner notification at the top of Console when a new WAAS virtual patch (custom rule) has been pushed from Prisma Cloud Labs to your Console.
  • Adds ability to enforce minimum TLS version to prevent downgrade attacks.
  • Updates WAAS certificate management to alert users about TLS certificate expiration 30 days in advance, rather than 7 days.
  • Enables you to individually configure the SameSite and Secure attributes for Prisma Cloud session cookies.
  • Adds support for HTTP Strict Transport Security (HSTS) (RFC 6797) enforcement.
  • Provides the ability to view certificates that have been uploaded to an app config, so you can confirm what’s been uploaded and monitor its expiration.
  • Enhances the UI to alert customers when a certificate is about to expire or has already expired.
  • Adds support for inspecting REST path parameters.

DISA STIG Scan Findings and Justifications

The 21-08 Prisma Cloud Compute Console and Defender images are scanned for Security Content Automation Protocol (
SCAP
) compliance. The process is based on the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan, and we compare our scan results to IronBank’s latest approved UBI8-minimal scan findings and address or justify any discrepancies. Review the Prisma Cloud Compute DISA STIG scan findings.

Changes in Existing Behavior

Feature
Change in Behavior
Audit Aggregation Periods
With the upgrade, the minimum audit aggregation period in
Compute
Manage
Alerts
Alert providers
will change from seconds to 10 minutes.
Support for
seconds
and
minute
aggregation is removed and all previous alert policies targeting audit aggregation period of
seconds
or
minute
will be migrated to 10 minutes.
Auto-upgrade of Defenders
With the support for backward compatibility, Defenders are no longer being automatically upgraded with the Console upgrade.
You now have the time to upgrade Defenders anytime within the supported software lifecycle.
Console 21.08 supports Defenders running 21.04 and 21.08. Defenders on earlier versions cannot connect to the Console.
Twistcli for Iac Scanning
The
iac
command in twistcli is removed.
You can continue to use the Prisma Cloud IaC scanning functionality using the IaC Scan API or the plugins.
Review the list of Breaking Changes and Deprecations also.

Recommended For You