Features Introduced in May 2019

Learn what’s new on Prisma™ Cloud in May 2019.

Features Introduced on May 23,2019

Learn what’s new on May 23, 2019.

New Features

Feature
Description
CSV Download of Config Data
You can now download details in a CSV format to analyze Config events offline. Enter your RQL query on the Investigate page on the Redlock admin console to download the results as a .zip file.
Tenable Integration for GCP accounts
RedLock service now supports the Tenable integrationon Google Cloud Platform.This integration provides additional context around vulnerabilities identified in your GCP workloads to help you prioritize alerts. For example, you can address high severity vulnerabilities on hosts that are internet facing and are receiving malicious traffic ahead of other types of hosts.
CLI Variables for Automated Remediation
When you define a custom policy with auto-remediation, you can now see the variables that are available for use in the CLI commands.
available-cli-variables.png
Auto Suggestion for
json.rule
attribute in Event RQL
To help you easily build Event RQL queries, you can see automatic suggestions for the attribute
json.rule
when used with the
operation
attribute. Auto suggest works with the operators
=
and
IN
.
jsonrule-auto-suggest.png
Auto suggestion is not available for array objects.
Use
cloud.type
attribute to refine your search results.
API Ingestion
Prisma Cloud now ingests the following new Azure services to help build Config queries:
  • azure-app-service
  • azure-kubernetes-cluster
Classification of Microsoft Azure ELBs
Microsoft Azure Load Balancers are now classified as
Azure ELB
.
azure-elb.png

Policy Updates

Policy
Description
AWS Lambda Function is not assigned to access within VPC
Identifies the AWS Lambda functions which do not have access within the VPC.
GCP Project audit logging is not configured properly across all services and all users in a project
Identifies the GCP projects in which cloud audit logging is not configured properly across all services and all users.

Features Introduced on May 9,2019

Learn what’s new on May 09, 2019.

New Features

Feature
Description
RedLock Service in New Regions
Prisma Cloud is now available in the Australia & New Zealand (ANZ) region. You can select this region, when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace. In addition, Prisma Cloud is also available on AWS GovCloud. You can request a RedLock tenant on AWS GovCloud, when you sign up for the service from the Palo Alto Networks Marketplace.
Operators in Event RQL
You can now use the operators
Contains
,
Does not Contain
,
Exists
, and
Does not exist
with Event RQL queries.
API Ingestion Update
The API
aws-iam-get-policy-version
is now updated to fetch unattached policies.
user
Attribute Rename in Event RQL
user
attribute in Event RQL is renamed to
subject
to represent both users and instances.
event where role = ’oktaDevReadWriteRole’ and subject = ’johnjames@paloaltonetworks.com’
role
Attribute in Event RQL
The new Event RQL attribute
role
allows you to filter the search results by role.
Event where role = ’OktaDevReadWriteRole’
Support for Strings with Space Separators
You can now use RQL to search for strings that include white space as a separator. This capability helps you find values with space, such as in keys, key value pairs, or security groups. For example, if your key name is
test 4081
and it has the value
tag with space
, use this query.
config where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = "tags[*] size greater than 0 and tags[?(@.key=='test 4081')].value contains \"tag with space\""
Network Alert Workflow Update
Prisma Cloud now automatically reopens any alerts for a Network policy violation that you had manually dismissed, in the event that the same policy is violated again.

Policy Updates

Policy
Description
GCP Kubernetes cluster size contains less than 3 nodes
Checks the size of your cluster pools and alerts if there are fewer than 3 nodes in a pool.
GCP Kubernetes cluster Istio Config not enabled
Checks your cluster for the Istio add-on feature and alerts if it is not enabled.
GCP Kubernetes cluster not in redundant zones
Alerts if your cluster is not located in at least 3 zones.
GCP Kubernetes cluster Application-layer Secrets not encrypted
Checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.
GCP Kubernetes cluster intra-node visibility disabled
Checks your cluster's intra-node visibility feature and generates an alert if it's disabled.
AWS SSM Parameter is not encrypted
Identifies the AWS SSM Parameters which are not encrypted.
AWS Cloudfront Distribution with S3 have Origin Access set to disabled
Identifies the AWS CloudFront distributions which are utilizing S3 bucket and have Origin Access Disabled.
AWS CloudFront Distributions with Field-Level Encryption not enabled
Identifies CloudFront distributions for which field-level encryption is not enabled.

Features Introduced on May 2, 2019

Learn what’s new on May 02, 2019.

New Features

Feature
Description
Auto Enable New RedLock Default Policies
You can now globally enable all RedLock Default policies of
High
,
Medium
, or
Low
severity.
When you save this selection, you can choose whether to automatically enable all existing and future policies that match the criteria, or only enable policies future policies that match the criteria.
Asset Inventory Details for all Cloud Accounts
View up-to-date information of all assets, monitored across your cloud accounts, on the Asset Inventory dashboard. A single account group is not the default selection.
Aggregate Connection Count for Network Queries
Network Query (RQL) attributes to aggregate connection counts for both ingress and egress traffic are now available to help you detect an attempt to perform a port scan or port sweep, or identify hosts that are establishing multiple SSH connections from one or more external IP addresses, or to detect an attempt to set up a large number of egress connections on the crypto ports of a host.
Use
source.outboundpeers
and
dest.outboundpeers
to count distinct outbound IP addresses to which a resource is establishing connections. And use
source.outboundports
and
dest.outboundports
to count the outbound ports to which a resource is establishing connections. Both outboundpeers and outboundports support numeric operators (<, =, >).
For example, the following RQL helps you detect resources that have established outbound connections on 2 or more ports to external destinations including web servers or Databases:
network where source.outboundports >= 2 AND dest.resource IN ( resource where role = 'Web Server' AND role = 'Database')
The network visualization graph on Investigate gives you the ability to drill-down for details.
network-rql-connection-count-aggregate-visual.png
Mandatory Account Group Selection
You must now select and associate an Account Group to your Cloud accounts while adding them to Prisma Cloud.
Link to Configure Integrations from an Alert Rule
While configuring RedLock Alert Notifications if you want to send notification to an external integration, you can now use the inline link to set up the integration. This usability enhancement makes it easier for you to configure external integrations just in time with the creation of the alert rule.
create-integration-alert-rule.png
Count(X)
Attribute in Config Queries
The new Config Query attribute
Count(X)
allows you to aggregate search results by account or by region.
For example:
config where api.name = 'aws-iam-list-users' as Y; count(Y) > 1
displays results grouped by account because the API is global.
while
config where api.name = 'gcloud-compute-instances-list' as X; count(X) > 1
displays results grouped by region because the API is regional.

Policy Updates

Policy
Description
GCP Kubernetes Engine Clusters not configured with network traffic egress metering
Identifies Kubernetes Engine Clusters which are not configured with network traffic egress metering.
GCP Kubernetes Engine Clusters have Alpha cluster feature enabled
Identifies Google Kubernetes Engine (GKE) clusters that are enabled for alpha clusters.
GCP Kubernetes Engine Clusters network firewall inbound rule overly permissive to all traffic
Identifies Firewall rules attached to the cluster network which allows inbound traffic on all protocols from the public internet.
GCP Kubernetes Engine Clusters legacy compute engine metadata endpoints enabled
Identifies Kubernetes Engine Clusters for which legacy compute engine metadata endpoints are enabled.

Recommended For You