Features Introduced in December 2019

Learn what’s new on Prisma™ Cloud in December 2019.

Features Introduced on December 19, 2019

Resource Count Attribute in Config RQL
The count attribute in RQL provides you with a tally of the number of resources of a specific type. For example:
config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-vpcs' as X; config where api.name = 'aws-ec2-describe-subnets' as Y; filter 'not $.X.vpcId equals $.Y.vpcId'; show X; count(X) > 2
displays the number of VPCs that do not have subnets associated, but only when there are more than 2 VPCs (for the selected time period).
count is available for use with the api.name attribute (as X, Y, or Z); it is not available with json.rule. When the api.name is a global service (such as aws-iam-get-account-summary), count includes all resources for that service within the cloud account; if the api.name is a regional service (such as aws-rds-describe-db-instances), the count includes only the resources tied to the cloud region for the cloud account.
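The following is an added example, not Prisma Cloud code, that reproduces what the count(X) > 2 query above computes: X rows whose vpcId matches no Y row, tallied and compared against the threshold. The VPC and subnet records are constructed, and the optional region scoping models the regional-service behaviour described above.

```python
# Added example (not Prisma Cloud code): evaluates the "VPCs without subnets"
# count rule over constructed describe-vpcs / describe-subnets style records.
from typing import Dict, List, Optional

# Constructed sample data, shaped around the vpcId field the RQL joins on.
VPCS: List[Dict[str, str]] = [
    {"vpcId": "vpc-0a", "region": "us-east-1"},
    {"vpcId": "vpc-0b", "region": "us-east-1"},
    {"vpcId": "vpc-0c", "region": "us-west-2"},
    {"vpcId": "vpc-0d", "region": "us-west-2"},
]
SUBNETS: List[Dict[str, str]] = [
    {"subnetId": "subnet-1", "vpcId": "vpc-0a"},
]


def vpcs_without_subnets(vpcs: List[Dict[str, str]],
                         subnets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The 'filter not $.X.vpcId equals $.Y.vpcId' step: keep X rows whose
    vpcId never appears in any Y row."""
    used = {s["vpcId"] for s in subnets}
    return [v for v in vpcs if v["vpcId"] not in used]


def evaluate_count_rule(vpcs: List[Dict[str, str]],
                        subnets: List[Dict[str, str]],
                        threshold: int = 2,
                        region: Optional[str] = None) -> Dict[str, object]:
    """Apply 'show X; count(X) > threshold'. With region=None the tally spans
    the whole account (global-service behaviour); with a region it is scoped
    to that region's resources (regional-service behaviour)."""
    scoped = [v for v in vpcs if region is None or v["region"] == region]
    matches = vpcs_without_subnets(scoped, subnets)
    # Note the strict '>' : exactly `threshold` matches does not trigger.
    return {"count": len(matches), "triggered": len(matches) > threshold}


if __name__ == "__main__":
    print(evaluate_count_rule(VPCS, SUBNETS))
    print(evaluate_count_rule(VPCS, SUBNETS, region="us-west-2"))
```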
Tag-Based Filtering for All Cloud Resources
You can now find all resources that have a specific tag name or value. The operators supported include the following:
config where tag ('key') = 'value', for example, config where tag ('CreatedBy') = 'Automation'
config where tag ('key') EXISTS, for example, config where tag('CreatedBy') exists
config where tag ('key') in ('value1', 'value2', 'value3'), for example, config where tag ('AcmeApiName') in ('azure-network-lb-list', 'aws-iam-list-access-keys')
So, instead of finding resources that are tagged within a specific service, such as config where api.name = 'gcloud-compute-instances-list' AND json.rule = tags.items[*] contains "production", you can now find all resources with a specific tag value across a cloud platform or across all cloud platforms. You can also use All, Any, and the negation of the operators listed above.
Tag-based filtering allows you to find resources on the Investigate page. You cannot save the query as a saved search or use it in a custom policy. Additionally, only the tags that are displayed in the Resource Explorer are available for you to match on.
Inventory and Asset Explorer
The Asset Inventory is renamed as Inventory and is now accessible directly from the left navigation. Along with this change, you have a new Asset Explorer page that enables you to view all the resources that pass compliance checks on Prisma Cloud. To view the Asset Explorer, click the Passed resources link on the Compliance Overview page.
ServiceNow Integration Update
Prisma Cloud can now support the ServiceNow Madrid and New York releases for incident management and security incident management flows.
With this release, when you enable the integration, you are prompted to select your ServiceNow release version. If you have an existing ServiceNow integration on Prisma Cloud, the London release is selected as the default version, and you can edit it on Settings > Integrations to select the correct release version, if different.
HITRUST Compliance Standard Version 9.3
Prisma Cloud enables you to audit your AWS, Azure, and GCP resources against the Health Information Trust Alliance (HITRUST) Version 9.3 compliance standard, a healthcare regulatory requirement, to ensure that your workloads that store, process, transmit, and analyze protected health information are securely handling sensitive data.
API Ingestion Update
The JSON metadata for the following APIs has been updated:
azure-network-nsg-list includes the fields $.securityRules[*].sourceApplicationSecurityGroups and $.securityRules[*].destinationApplicationSecurityGroups
azure-network-nic-list includes the field $.properties.ipConfigurations.properties.applicationSecurityGroups
Prisma Cloud can now retrieve the metadata on the server-side encryption algorithm (AES256 or KMS) used on an S3 bucket. When the bucket uses KMS, the kmsMasterKeyID is included with this update. To find the SSE algorithm in use, you can use the RQL
config where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = sseAlgorithm exists
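As an added example (not Prisma Cloud code), the function below extracts the same two facts the update ingests, the SSE algorithm and the KMS master key ID, from bucket encryption documents shaped like the AWS GetBucketEncryption response, and flags buckets that are not KMS-encrypted by default. The bucket names, key ARN and the assumption that a bucket with no default encryption is represented as None are all constructed for the example; the AWS field names differ in case from Prisma Cloud's sseAlgorithm attribute.

```python
# Added example (not Prisma Cloud code): classify S3 default encryption from
# GetBucketEncryption-shaped documents. Sample buckets are constructed.
from typing import Any, Dict, Optional, Tuple, List

SAMPLE_BUCKETS: Dict[str, Optional[Dict[str, Any]]] = {
    # Default encryption with SSE-S3 (AES256), no KMS key involved
    "logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    # Default encryption with SSE-KMS and a customer managed key (constructed ARN)
    "pii-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    # No default encryption configured; modelled here as None (assumption)
    "scratch-bucket": None,
}


def sse_summary(config: Optional[Dict[str, Any]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (sseAlgorithm, kmsMasterKeyID) for a bucket, or (None, None)
    when no default server-side encryption rule is present."""
    if not config:
        return None, None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default and default.get("SSEAlgorithm"):
            # KMSMasterKeyID is only present for aws:kms; absent for AES256
            return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    return None, None


def buckets_missing_kms(buckets: Dict[str, Optional[Dict[str, Any]]]) -> List[str]:
    """Buckets whose default encryption is not SSE-KMS (unencrypted or SSE-S3),
    the kind of condition an RQL rule on sseAlgorithm would express."""
    return sorted(name for name, cfg in buckets.items()
                  if sse_summary(cfg)[0] != "aws:kms")


if __name__ == "__main__":
    for name, cfg in SAMPLE_BUCKETS.items():
        print(name, sse_summary(cfg))
    print("not KMS-encrypted:", buckets_missing_kms(SAMPLE_BUCKETS))
```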

Policy Update

AWS ECR repository is exposed to public
Identifies AWS Elastic Container Registry (ECR) repositories, collections of Docker images available on AWS cloud, that are publicly accessible.
Azure PostgreSQL database with SSL connection disabled
Identifies Azure PostgreSQL database servers that do not enforce SSL for communication with the client application.
Azure PostgreSQL database with log checkpoints parameter disabled
Identifies Azure PostgreSQL database servers that do not have the log checkpoints parameter enabled to generate query and error logs.
Azure PostgreSQL database with log connections parameter disabled
Identifies Azure PostgreSQL database servers that do not have the log connections parameter enabled to record all connection attempts to the server, including successful client authentication events.
Azure PostgreSQL database with log disconnections parameter disabled
Identifies Azure PostgreSQL database servers that do not have the log disconnections parameter enabled to record when a session ends, which triggers the generation of query and error logs.
Azure PostgreSQL database with log duration parameter disabled
Identifies Azure PostgreSQL database servers that do not have the log duration parameter enabled to record the duration of each completed SQL statement, which triggers the generation of query and error logs.
Azure PostgreSQL database with connection throttling parameter disabled
Identifies Azure PostgreSQL database servers that do not have connection throttling enabled to verbosely record log messages and generate query and error logs for concurrent connections.
Azure PostgreSQL database log retention days is less than or equal to 3 days
Identifies Azure PostgreSQL database servers that do not have the log retention period set to at least four days.

Features Introduced on December 4, 2019

New Features

Automated Remediation CLI for Multi-Step Tasks
In a Prisma Cloud custom policy, you can now define up to 5 CLI commands in a sequence for an automatic remediation workflow, such as disassociating an EC2 instance from a security group before deleting the EC2 instance. To resolve an alert, you can separate each command with a semicolon, and the sequence is executed in the order defined in the policy. If an automated remediation CLI command fails, the execution stops at that command.
Event RQL Attribute for Anomaly Policy
The event where query enables you to identify and investigate events relating to the different types of anomalies, such as brute-force login attempts or location-based anomalies, using the attribute anomaly.type. For example:
event where anomaly.type IN ( 'Activity-based Anomaly (UBA)', 'Bruteforce Login', 'Device finger print (Account Hijacking)', 'Impossible time travel (Account Hijacking)', 'Location & Activity-based Anomaly (UBA)', 'Location-based Anomaly (UBA)' )
You also have the option to look for anomalous activities with the has.anomaly attribute or exclude them with NOT has.anomaly.
Support for AWS GovCloud (East)
Prisma Cloud can now ingest configuration data, CloudTrail logs, and VPC flow logs from the AWS GovCloud (East) region, in addition to the current support for the AWS GovCloud (West) region.

Policy Updates

Permission Updates for AWS CFTs
The permissions in the AWS read-only and read-write CFTs for AWS public cloud and AWS GovCloud are updated to include ec2:describeRegions. With this update, Prisma Cloud can get data on the AWS cloud accounts for all enabled regions.
Rename—Azure Security Center policy update
The policy Automatic provisioning of monitoring agent is set to Off in Security Center is renamed as Azure Security Center automatic provisioning of monitoring agent is set to Off, and the RQL is updated to use api.name = 'azure-security-center-settings'.
Update—AWS Amazon Machine Image (AMI) is publicly accessible
The policy AWS Amazon Machine Image (AMI) is publicly accessible is updated to find every public AMI owned by the account. These AMIs are now ingested, in addition to the AMIs that are private or shared with the account being monitored on Prisma Cloud.
AWS EMR cluster is not configured with security configuration
Identifies Amazon EMR clusters that do not use security configurations to configure data encryption, Kerberos authentication, and Amazon S3 authorization for EMRFS.
AWS EMR cluster is not configured with Kerberos authentication
Identifies AWS EMR clusters that are not configured with Kerberos authentication.
AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)
Identifies EMR clusters that are not configured with Server-Side Encryption using AWS Key Management Service keys (SSE-KMS) for data at rest encryption of Amazon S3 with EMRFS.
AWS EMR cluster is not configured with CSE CMK for data at rest encryption (Amazon S3 with EMRFS)
Identifies EMR clusters that are not configured with Client-Side Encryption using Customer Master Keys (CSE-CMK) for data at rest encryption of Amazon S3 with EMRFS.
AWS EMR cluster is not enabled with local disk encryption using CMK
Identifies AWS EMR clusters that are not enabled with local disk encryption using a Customer Managed Key (CMK) to protect digital data confidentiality.
AWS EMR cluster is not enabled with local disk encryption
Identifies AWS EMR clusters that are not enabled for encrypting data stored on the local disk to protect digital data confidentiality.
AWS EMR clusters are not enabled with encryption in transit
Identifies AWS EMR clusters that are not enabled with encryption in transit, which protects data from unauthorized access as it travels through the network between clients and storage servers.
AWS EMR clusters are not enabled with encryption at rest
Identifies AWS EMR clusters that are not enabled with encryption at rest to protect digital data confidentiality.
