Features Introduced in January 2019

Learn what’s new on Prisma Cloud in January 2019.
The following topic provides a snapshot of new features introduced for Prisma™ Cloud in January 2019. Refer to the Prisma Cloud Administrator’s Guide for more information on how to use Prisma Cloud.

Features Introduced on January 31, 2019

New Features

This release of Prisma Cloud includes these improvements:
  • My Saved Searches: For easy access to all the searches that you have created for investigating incidents, you can now see them listed under My Saved Searches. This is different from Saved Searches, which lists all search queries saved by any user on Prisma Cloud. (Screenshot: the My Saved Searches dashboard.)
  • API incorporation: Enhanced the ingestion of the following APIs to include additional parameters:
    • aws-ec2-describe-instances
    • aws-ec2-vpn-connections-summary
    • aws-ec2-describe-vpcs

Policy Updates

The following new config policies are now included in the default state:
  • AWS Elastic Load Balancer (Classic) SSL negotiation policy configured with insecure ciphers: Identifies Elastic Load Balancers (Classic) which are configured with an SSL negotiation policy containing insecure ciphers.
  • AWS VPC allows unauthorized peering: Identifies the VPCs which have unauthorized peering. The recommended best practice is to disallow VPC peering between two VPCs from different AWS accounts.
  • AWS Config fails to deliver log files: Identifies AWS Configs which are failing to deliver their log files to the specified S3 bucket.
  • Azure storage accounts has blob container(s) with public access: Identifies blob containers within an Azure storage account that allow anonymous/public access (CONTAINER or BLOB).
  • Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days: Identifies Azure Network Security Groups (NSG) for which the flow logs retention period is 90 days or less.
  • Azure virtual network peer is disconnected: Identifies Azure virtual network peerings that are disconnected because the peering configuration was deleted on one virtual network, leaving the other virtual network reporting the peering status as disconnected.
  • Azure Network Watcher Network Security Group (NSG) flow logs are disabled: Identifies Azure Network Security Groups (NSG) for which flow logs are disabled.
  • Azure storage account logging for blobs is disabled: Identifies Azure storage accounts that do not have logging enabled for blobs.

Features Introduced on January 28, 2019

New Features

This release of Prisma Cloud includes these improvements:
  • CSV download of network traffic grouped by port: To analyze your network traffic offline, you can now download the traffic details for your entire network, a node or an instance, or a specific connection between a source and a destination node, in CSV format. This report groups all connection details by port and includes details such as source and destination IP addresses and names, inbound and outbound bytes, inbound and outbound packets, and whether the node accepted the traffic connection. (Screenshot: network traffic grouped by port.)
  • Asset inventory: The Asset Inventory dashboard now loads the assets for one Account Group at a time. You can change the account group from the Account Group filter. The link on the failed resources now redirects users to the corresponding alerts.
  • API incorporation: You can now use these APIs to build config queries for investigating and analyzing data.
    • New API azure-disk-list provides details about Azure managed disks.
    • Support for additional parameters in the following services:
      • azure-storage-account-list
      • azure-network-subnet-list
      • aws-es-describe-elasticsearch-domain
      • azure-network-usage
      • azure-sql-server-list
    • Removed the API aws-sns-get-subscription-attributes.

Policy Updates

The following new config policies are now included in the default state:
  • AWS Elastic Load Balancer (Classic) SSL negotiation policy configured with vulnerable SSL protocol: Identifies Elastic Load Balancers (Classic) which are configured with an SSL negotiation policy containing a vulnerable SSL protocol.
  • AWS IAM deprecated managed policies in use by User: Checks for any usage of deprecated AWS IAM managed policies and returns an alert if it finds one in your cloud resources.
  • AWS RDS event subscription disabled for DB security groups: Identifies RDS event subscriptions for which the DB security groups event subscription is disabled.
  • AWS SQS does not have a dead letter queue configured: Identifies AWS Simple Queue Service (SQS) queues which do not have a dead letter queue configured. Dead letter queues are useful for debugging the messaging system and identifying the problems behind unprocessed messages.
  • AWS RDS event subscription disabled for DB instance: Identifies RDS event subscriptions for which the DB instance event subscription is disabled. You will not be notified when an event occurs for a given DB instance.
  • Azure Network Security Group allows Telnet (TCP Port 23): Identifies any NSG rule that allows Telnet traffic on TCP port 23 from the internet.
  • Azure Network Security Group allows Windows RPC (TCP Port 135): Identifies any NSG rule that allows Windows RPC traffic on TCP port 135 from the internet.
  • Azure Network Security Group allows MySQL (TCP Port 3306): Identifies any NSG rule that allows MySQL traffic on TCP port 3306 from the internet.
  • Azure Network Security Group allows PostgreSQL (TCP Port 5432): Identifies any NSG rule that allows PostgreSQL traffic on TCP port 5432 from the internet.
  • Azure Network Security Group allows SqlServer (TCP Port 1433): Identifies any NSG rule that allows SqlServer traffic on TCP port 1433 from the internet.
  • Azure Network Security Group allows SQLServer (UDP Port 1434): Identifies any NSG rule that allows SQLServer traffic on UDP port 1434 from the internet.
  • Azure Network Security Group allows MSQL (TCP Port 4333): Identifies any NSG rule that allows MSQL traffic on TCP port 4333 from the internet.
  • Azure Network Security Group allows VNC Server (TCP Port 5900): Identifies any NSG rule that allows VNC Server traffic on TCP port 5900 from the internet.
  • Azure Network Security Group allows NetBIOS (UDP Port 137): Identifies any NSG rule that allows NetBIOS traffic on UDP port 137 from the internet.
  • Azure Network Security Group allows ICMP (Ping): Identifies any NSG rule that allows ICMP (Ping) traffic from the internet.
  • Azure Network Security Group allows FTP (TCP Port 21): Identifies any NSG rule that allows FTP traffic on TCP port 21 from the internet.
  • Azure Network Security Group allows FTP-Data (TCP Port 20): Identifies any NSG rule that allows FTP-Data traffic on TCP port 20 from the internet.
  • Azure Network Security Group allows SMTP (TCP Port 25): Identifies any NSG rule that allows SMTP traffic on TCP port 25 from the internet.
  • Azure Network Security Group allows DNS (UDP Port 53): Identifies any NSG rule that allows DNS traffic on UDP port 53 from the internet.
  • Azure Network Security Group allows Windows SMB (TCP Port 445): Identifies any NSG rule that allows Windows SMB traffic on TCP port 445 from the internet.
  • Azure Network Security Group allows CIFS (UDP Port 445): Identifies any NSG rule that allows CIFS traffic on UDP port 445 from the internet.
  • Azure Network Security Group allows NetBIOS (UDP Port 138): Identifies any NSG rule that allows NetBIOS traffic on UDP port 138 from the internet.
  • Azure Network Security Group allows VNC Listener (TCP Port 5500): Identifies any NSG rule that allows VNC Listener traffic on TCP port 5500 from the internet.
  • Azure Network Security Group allows DNS (TCP Port 53): Identifies any NSG rule that allows DNS traffic on TCP port 53 from the internet.
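As an added illustration (not Prisma Cloud's own code or RQL), the following Python evaluates constructed Azure NSG rule records against the port-exposure policies listed above. Rule field names follow the Azure securityRules schema; which source prefixes count as "the internet" and how a protocol of "*" (Any) is treated are assumptions made here.

```python
# Added illustration, not Prisma Cloud code: checks constructed Azure NSG rule records
# against the port-exposure policies listed above. Field names follow the Azure
# securityRules schema; source prefixes treated as "internet" and the handling of
# protocol "*" (Any) are assumptions.

# (service, Azure protocol value, port) in the order the policies above list them.
EXPOSED_PORTS = [
    ("Telnet", "Tcp", 23), ("Windows RPC", "Tcp", 135), ("MySQL", "Tcp", 3306),
    ("PostgreSQL", "Tcp", 5432), ("SqlServer", "Tcp", 1433), ("SQLServer", "Udp", 1434),
    ("MSQL", "Tcp", 4333), ("VNC Server", "Tcp", 5900), ("NetBIOS", "Udp", 137),
    ("FTP", "Tcp", 21), ("FTP-Data", "Tcp", 20), ("SMTP", "Tcp", 25), ("DNS", "Udp", 53),
    ("Windows SMB", "Tcp", 445), ("CIFS", "Udp", 445), ("NetBIOS", "Udp", 138),
    ("VNC Listener", "Tcp", 5500), ("DNS", "Tcp", 53),
]
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # assumed to mean "from the internet"


def port_range(spec):
    """Azure port spec: '*' -> (0, 65535), '1433' -> (1433, 1433), '20-25' -> (20, 25)."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule_findings(rule):
    """Exposures one rule creates, e.g. ['SqlServer (TCP Port 1433)'].
    Each rule is judged on its own, as the policies above do; a higher-priority
    Deny rule in the same NSG is not taken into account."""
    if rule["direction"] != "Inbound" or rule["access"] != "Allow":
        return []
    if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
        return []
    lo, hi = port_range(rule["destinationPortRange"])
    hits = [f"{name} ({proto.upper()} Port {port})" for name, proto, port in EXPOSED_PORTS
            if rule["protocol"] in (proto, "*") and lo <= port <= hi]
    if rule["protocol"] in ("Icmp", "*"):  # assumption: Any also permits ping
        hits.append("ICMP (Ping)")
    return hits


def audit(rules):
    """Map rule name -> findings for every rule that violates at least one policy."""
    return {r["name"]: f for r in rules if (f := rule_findings(r))}


SAMPLE_RULES = [  # constructed sample rules, not taken from any real NSG
    {"name": "sql-from-anywhere", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "1433"},
    {"name": "legacy-mgmt", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "20-25"},
    {"name": "deny-smb", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "445"},
]
```

Running audit(SAMPLE_RULES) flags the first two rules only; the Deny rule is never a finding, and a port range such as 20-25 produces one finding per listed service inside it.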

Features Introduced on January 18, 2019

New Features

This release of Prisma Cloud includes these improvements:
  • Integration with Google Cloud Security Command Center (Beta): The Prisma Cloud integration with Cloud Security Command Center provides customers with centralized visibility into security and compliance risks, and greater context for alerting and actionable remediation in Google Cloud environments. As part of the integration, Prisma Cloud monitors Google Cloud environments and sends alerts pertaining to resource misconfigurations, compliance violations, network security risks and anomalous user activities to Cloud Security Command Center. (Screenshot: Google Cloud Security Command Center.)
  • Cross subscription support for Azure flow logs ingestion: Prisma Cloud now supports ingestion of Azure flow logs that are stored in storage accounts in subscriptions that are not onboarded into the Prisma Cloud application. The Prisma Cloud enterprise application needs to have the Reader and Data Access role assigned on the storage accounts that are used to store the NSG flow logs.
  • Compliance data in alert payload: The alert payload now includes compliance metadata. With this data, users can relate alerts to the compliance risks or violations for which they were generated.
  • Refined Data Models for UEBA: Prisma Cloud now retrieves granular user attribution data to build more accurate data models. As an example, for AWS cloud accounts, you can now see Assume Role details for operations in the user interface. From the example below, you can see who logged in to the system using SSO. All existing Data Models are deleted and the system will start generating new ones from the time of this deployment. Depending on your UEBA settings, if your Training Model Threshold is set to low, you have to wait 7 days to see anomaly events generated in the system; if it is set to medium, 30 days; and if it is set to high, 90 days.
  • Clear selections in left-hand filtering menu: You can now clear selections for some of the filters in the left-hand filtering menu in the user interface. (Screenshot: clearing a filter selection on the dashboard.)
  • Updates to AWS CFT templates: The AWS CFT templates rl-read-only and rl-read-and-write have been updated to include these permissions:
    • lambda:List
    • s3:GetAccountPublicAccessBlock
    • s3:GetBucketPublicAccessBlock
    Use the instructions in this article to update your CFT so that Prisma Cloud has access to the newly ingested APIs.
  • Incorporation of new APIs and enhancements: The following new service is now incorporated into Prisma Cloud. You can now use these APIs to build config queries for investigating and analyzing data.
    • aws-s3control-public-access-block provides details about Amazon S3 Block Public Access settings for buckets and accounts that help you manage public access to Amazon S3 resources.
    The ingestion for these services has been enhanced to include additional parameters:
    • azure-storage-account-list
    • aws-s3api-get-bucket-acl

Policy Updates

The Prisma Cloud application requires the Reader and Data Access role to be assigned, in addition to the existing Reader role, at the subscription level for the subscription that is onboarded on Prisma Cloud. This permission is required for the storage account related Azure policies.
The following new config policies are now included in the default state:
  • AWS CloudFormation stack configured without SNS topic: Identifies CloudFormation stacks which are configured without a Simple Notification Service (SNS) topic.
  • AWS EC2 Instance IAM Role/Profile not enabled: Identifies EC2 instances which do not have IAM roles associated with them.
  • AWS EBS Volume is unattached: Identifies EBS volumes that are not attached to any EC2 instances.
  • AWS RDS retention policy less than 7 days: Identifies RDS clusters that are not retaining at least 7 days of backups.
  • AWS RDS minor upgrades not enabled: Identifies Amazon Relational Database Service (Amazon RDS) database instances that do not have minor upgrades enabled.
  • AWS Config fails to deliver log files: Identifies AWS Configs which are not delivering their log files to the specified S3 bucket.
  • AWS NAT Gateways are not being utilized for the default route: Identifies Route Tables which have NAT instances for the default route instead of NAT gateways.
  • AWS S3 Object Versioning is disabled: Identifies the S3 buckets which have Object Versioning disabled.
  • AWS Lambda nearing availability code storage limit: Identifies Lambda code storage that is nearing the availability limit per region. As per AWS documentation, the Lambda account limit per region is 75 GB. This policy triggers an alert if Lambda code storage per region reaches 90% (i.e. 67500000 KB) of the resource availability limit allocation.
  • AWS CloudFront distribution with access logging disabled: Identifies CloudFront distributions which have access logging disabled.
  • AWS Elastic Load Balancer (Classic) with connection draining disabled: Identifies Classic Elastic Load Balancers which have connection draining disabled.
  • AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabled: Identifies Classic Elastic Load Balancers which have cross-zone load balancing disabled. When cross-zone load balancing is enabled, a Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones.
  • AWS Elastic Load Balancer (Classic) with access log disabled: Identifies Classic Elastic Load Balancers which have access logging disabled.
  • AWS IAM deprecated managed policies in use by User: Identifies any usage of deprecated AWS IAM managed policies.
