Features Introduced in March 2019

Features Introduced on March 28, 2019

New Features

This release of Prisma™ Cloud includes these improvements:
Features
Description
ServiceNow Integration
Integrate Prisma Cloud with ServiceNow to connect your existing security tools with Security Operations. You can prioritize and respond to incidents and vulnerabilities according to their potential impact on your business. The integration fits into your organization's existing workflows for incident management (ITSM) and security operations management (Security).
RQL Enhancements
  • You can now use RQL queries to fetch vulnerability information from Qualys, Tenable, AWS GuardDuty and AWS Inspector, and to distinguish which integration each finding came from. Use the new hostfinding.source construct to query for this information:
    config where hostfinding.source = 'AWS Inspector' AND hostfinding.severity = 'critical'
  • Use the new RQL date function daysBetween(value a, value b) to look for information between two dates:
    config where cloud.type = 'aws' and api.name = 'aws-cloudtrail-get-trail-status' AND json.rule = "_DateTime.daysBetween($.latestDeliveryTime, today()) != 2"
  • Use the function today() to return today's date:
    config where cloud.type = 'aws' AND json.rule = "_DateTime.daysBetween($.launchTime,today()) != 2"
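The two date helpers above, daysBetween() and today(), are easier to reason about when you can run the same comparison offline against the JSON a cloud API returns. The block below is an added example written for this page, not Prisma Cloud code: it re-implements the two helpers in Python and applies them first to the page's own CloudTrail rule (daysBetween($.latestDeliveryTime, today()) != 2) and then, going beyond the page's query, to the 30-day ACM certificate expiry check listed later under Policy Updates. Everything in it is an assumption except the two function names: the record field names (latestDeliveryTime, notAfter), the sample values, the reference date, and the reading of daysBetween as the absolute number of whole calendar days between two instants.

```python
"""Offline re-implementation of the RQL date helpers daysBetween() and today().

Added example for this release note; not Prisma Cloud code. Assumptions:
field names and sample values are constructed, daysBetween is taken to mean
the absolute number of calendar days between two instants, and a reference
"today" is passed explicitly so results are reproducible.
"""
from datetime import date, datetime, timezone
from typing import Iterable, List, Optional, Union

Instant = Union[str, int, float, date, datetime]

# Fixed reference date for every check below (the release date of this note).
REFERENCE_DATE = date(2019, 3, 28)

# Constructed sample, shaped like the field the page's CloudTrail query reads.
# The third record uses epoch milliseconds to show both timestamp encodings.
TRAIL_STATUS = [
    {"name": "org-trail",    "latestDeliveryTime": "2019-03-27T08:15:00Z"},
    {"name": "legacy-trail", "latestDeliveryTime": "2019-03-20T08:15:00Z"},
    {"name": "stale-trail",  "latestDeliveryTime": 1548979200000},  # 2019-02-01T00:00:00Z
]

# Constructed sample, shaped like ACM certificate records (ARNs are placeholders).
CERTIFICATES = [
    {"arn": "arn:aws:acm:us-east-1:111111111111:certificate/example-1", "notAfter": "2019-04-10T00:00:00Z"},
    {"arn": "arn:aws:acm:us-east-1:111111111111:certificate/example-2", "notAfter": "2019-12-31T00:00:00Z"},
    {"arn": "arn:aws:acm:us-east-1:111111111111:certificate/example-3", "notAfter": "2019-03-25T00:00:00Z"},  # expired
]


def to_date(value: Instant) -> date:
    """Normalise an ISO 8601 string, epoch milliseconds, date or datetime to a UTC date."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    if isinstance(value, (int, float)):  # epoch milliseconds, as many cloud APIs emit
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc).date()
    return datetime.fromisoformat(value.replace("Z", "+00:00")).date()


def days_between(a: Instant, b: Instant) -> int:
    """daysBetween(a, b): absolute number of calendar days between a and b (assumed semantics)."""
    return abs((to_date(b) - to_date(a)).days)


def today(reference: Optional[date] = None) -> date:
    """today(): the current UTC date, or a fixed reference date for deterministic checks."""
    return reference or datetime.now(timezone.utc).date()


def trails_matching_page_rule(records: Iterable[dict], ref: Optional[date] = None) -> List[str]:
    """The page's literal rule: _DateTime.daysBetween($.latestDeliveryTime, today()) != 2."""
    return [r["name"] for r in records if days_between(r["latestDeliveryTime"], today(ref)) != 2]


def trails_with_stale_delivery(records: Iterable[dict], max_age_days: int,
                               ref: Optional[date] = None) -> List[str]:
    """Trails whose most recent log delivery is older than max_age_days (a gap in the audit trail)."""
    return [r["name"] for r in records if days_between(r["latestDeliveryTime"], today(ref)) > max_age_days]


def certificates_expiring_within(records: Iterable[dict], window_days: int,
                                 ref: Optional[date] = None) -> List[str]:
    """ACM policy from Policy Updates: certificates expiring in window_days or less.

    Uses a signed difference so already-expired certificates (negative remaining
    days) are reported too, instead of slipping past an absolute-value check.
    """
    flagged = []
    for cert in records:
        remaining = (to_date(cert["notAfter"]) - today(ref)).days
        if remaining <= window_days:
            flagged.append(cert["arn"])
    return flagged


if __name__ == "__main__":
    print("page rule (!= 2):", trails_matching_page_rule(TRAIL_STATUS, REFERENCE_DATE))
    print("delivery older than 2 days:", trails_with_stale_delivery(TRAIL_STATUS, 2, REFERENCE_DATE))
    print("certs expiring within 30 days:", certificates_expiring_within(CERTIFICATES, 30, REFERENCE_DATE))
```

The page's "!= 2" rule matches every trail in the sample, which illustrates why a threshold comparison (delivery older than N days) is usually the check you want for detecting a CloudTrail delivery gap; the certificate check deliberately keeps the sign of the difference so expired certificates are not lost.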
API Ingestion
You can now use the Azure API Azure-locklist to build config queries for investigating and analyzing data.

Features Introduced on March 1, 2019

New Features

This release of Prisma™ Cloud includes these improvements:
Features
Description
CSV Download of Audit Data
You can now download details in CSV format to analyze audit events offline. Enter your RQL query on the Investigate page of the RedLock admin console to download the results as a .zip file.
RQL Enhancements
  • You can now use the new cloud.account.group attribute to narrow your search criteria while writing Config, Event, and Network queries. This attribute filters your search results to the specified cloud account group(s).
    config where cloud.account.group = 'accountgroup' AND api.name = 'aws-cloudwatch-describe-alarms'
  • Query network traffic details using two new attributes in Network queries: response.bytes and accepted.bytes. These attributes let you specify a byte-volume value to identify the volume of data transferred to a virtual machine instance or the volume of data accepted by a virtual machine instance.
    network where accepted.bytes > 50,000
API Ingestion
Prisma Cloud now ingests the following new services to help build Config queries for investigating and analyzing data:
  • aws-describe-db-parameters
  • aws-describe-delivery-channels
  • aws-iam-list-groups
  • aws-guardduty-detector
  • azure-security-center-settings
The aws-ec2-describe-images service, which was previously disabled, is now enabled with limited ingestion. The attributes of images are not ingested.
The ingestion for the following services has been enhanced to include additional parameters:
  • aws-iam-list-users
  • aws-s3api-get-bucket-acl
  • aws-iam-list-roles
  • aws-iam-list-user-policies
Policy and Saved Search Attributes in the Alert Payload
The alert payload now includes policy UUID and saved search UUID metadata that you can use to uniquely identify the policy and the saved search that generated an alert.
Icons to Differentiate Host Vulnerability Findings
You can now differentiate host vulnerabilities that are imported into the RedLock application from third-party integrations such as Tenable, Qualys, AWS Inspector, and Amazon GuardDuty. The new Source column in Host Findings displays a different icon for each integration to help you easily identify the source of the vulnerability findings.
Saved Search
Prisma Cloud includes a new Saved Search called "Azure Virtual Machine has non-approved extensions". This search lists Azure Virtual Machines with non-approved extensions, and you can use it to create a custom policy.

Policy Updates

POLICY
DESCRIPTION
AWS RDS instance not in private subnet
Identifies Amazon RDS instances that are not in a private subnet. RDS instances should not be deployed in a public subnet; in most scenarios, production databases should be located behind a DMZ in a private subnet with limited access.
AWS Certificate Manager (ACM) has certificates expiring in 30 days or less
Identifies ACM certificates expiring in 30 days or less, which are in the AWS Certificate Manager. If SSL/TLS certificates are not renewed prior to their expiration date, they will become invalid and the communication between the client and the AWS resource that implements the certificates is no longer secure.
Azure SQL Server advanced data security does not send alerts to service and co-administrators
Identifies Azure SQL Servers that are not enabled with ADS. As a best practice, enable ADS so that the administrators—service and co-administrator—can receive email alerts when anomalous activities are detected on the SQL Servers.
Azure SQL Server advanced data security does not have an email alert recipient
Identifies Azure SQL Servers that do not have an email address configured for ADS alert notifications. As a best practice, provide one or more email addresses where you want to receive alerts for any anomalous activities detected on SQL Servers.
Azure Virtual Machine does not have endpoint protection installed
Identifies Azure Virtual Machines (VMs) that do not have endpoint protection installed. Installing endpoint protection systems (like Anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software.
Azure SQL Server audit log retention is less than 91 days
Identifies SQL servers that do not retain audit logs for more than 90 days. As a best practice, configure the audit log retention period to be greater than 90 days.
Azure SQL Server threat logs retention is less than 91 days
Identifies SQL servers for which threat detection logs are retained for 90 days or less. Because threat detection logs help you investigate suspicious activities including detecting an SQL Server breach with known attack signatures, as a best practice, set the log retention period to more than 90 days.
Azure Load Balancer diagnostics logs are disabled
Identifies Azure Load Balancers that have diagnostics logs disabled. As a best practice, enable diagnostic logs to start collecting the data available through these logs.
Azure Virtual Network subnet is not configured with a Network Security Group
Identifies Azure Virtual Network (VNet) subnets that are not associated with a Network Security Group (NSG). While binding an NSG to a network interface of a Virtual Machine (VM) enables fine-grained control to the VM, associating a NSG to a subnet enables better control over network traffic to all resources within a subnet.
Azure SQL Server threat detection alerts not enabled for all threat types
Identifies Azure SQL servers that have disabled the detection of one or more threat types. To protect your SQL Servers, as a best practice, enable ADS detection for all types of threats.
Azure SQL Server advanced data security is disabled
Identifies Azure SQL servers that do not have ADS enabled. As a best practice, enable ADS on mission-critical SQL servers.
Azure SQL Server auditing is disabled
Identifies SQL servers that do not have auditing enabled. As a best practice, enable auditing on each SQL server so that all of its databases are audited, regardless of the per-database auditing settings.
Azure Application Gateway does not have the Web application firewall (WAF) enabled
Identifies Azure Application Gateways that do not have Web application firewall (WAF) enabled. As a best practice, enable WAF to manage and protect the web applications behind the Application Gateway from common exploits and vulnerabilities.