Features Introduced in September 2019

Learn what’s new on Prisma™ Cloud in September 2019.

Features Introduced on September 18, 2019

New Features

Feature
Description
Support for Network investigation of GCP Resources in a Shared VPC Model
A shared VPC on the Google Cloud Platform (GCP) allows centralized management of network and firewall resources across projects within a GCP organization. If you are using the Shared VPC model and have service projects that are using shared VPC network and firewall rules, you can now view the traffic flow between VMs in different service projects on the Investigate page.
API Ingestion Updates
Prisma Cloud has added coverage for the API:
azure-network-application-security-group
API Deprecation
The aws-elasticache-security-groups API is deprecated.
Support for AWS Bahrain
Prisma Cloud can now monitor resources deployed in the AWS Bahrain (me-south-1) region.

Policy Updates

Policy
Description
AWS Multiple Lambda Functions using same IAM role
Identifies when multiple Lambda functions use the same IAM role, which violates the principle of least privilege.

Features Introduced on September 5, 2019

New Features

Feature
Description
Integration Status Checks
Prisma Cloud performs periodic checks and background validation of outbound external integrations to identify exceptions or failures in processing notifications. With the exception of Email, PagerDuty, Qualys, and Tenable.io integrations, the status checks now indicate when a change on the integration vendor impacts outbound alert notifications. The status checks display as:
  • red: the integration failed validation
  • yellow: one or more templates associated with the integration are invalid
  • green: the integration is working and all templates are valid
Any state transitions are automatically reflected on the Prisma Cloud administrator console.
Resource Attribution on Azure Updates
Prisma Cloud correlates data available in resource configurations and audit events to help you identify which user made changes to specific Azure resources.
In addition to the services that were supported in the last release, resource attribution is now available for events related to the following Azure resources:
  • Azure Network Watcher
  • Azure Load Balancer
  • Azure SQL Database
  • Azure SQL Server
  • Azure Storage Account
  • Azure VPN Connection
  • Azure Container Registry
  • Azure Application Gateway
  • Azure Disk
  • Azure Vault
  • Azure App Service
Resource Name in RQL to Identify IP Addresses Associated with a Resource
To detect when web traffic is not secured by a web application firewall (WAF), a new RQL enhancement enables you to use a resource name to identify the IP addresses associated with a resource. Instead of manually listing multiple IP addresses or creating an IP whitelist, use the NOT IN boolean operator with a dest.resource or source.resource attribute in a single query:
network where cloud.account = 'xxx' AND bytes > 0 AND dest.resource NOT IN (resource where tag ('tag' ) IN ('value1', 'value2', 'value3' ))
For example:
network where dest.resource NOT IN ( resource where securitygroup.name = 'auto-aws-sg-rdp-3389-274251' ) AND dest.resource NOT IN ( resource where virtualnetwork.name NOT IN ( 'automation-vpc-dnd', 'vpc-a938dcc0', 'aws_rds_vpc', '' ) )
API Ingestion Updates
Prisma Cloud has added coverage for the following APIs:
azure-cosmos-db
azure-network-route-table
The JSON for the API aws-sns-get-subscription-attributes is updated. Some fields, such as RawMessageDelivery, PendingConfirmation, and ConfirmationWasAuthenticated, are no longer retrieved for this API.

Policy Updates

Policy
Description
AWS ECS Task Definition Elevated Privileges Enabled
Checks the security configuration of your ECS task definition and alerts you when a container definition has elevated privileges enabled.
AWS ECS/ ECS Fargate task definition execution IAM Role not found
Generates an alert if a task execution IAM role is not defined in your task definition for pulling container images and publishing container logs to Amazon CloudWatch.
AWS ECS Task Definition Root User Found
Checks whether your container definition runs as the root user and alerts you when it does.
GCP GKE Unsupported Node Version
Checks your GKE master node version and generates an alert if the version running is unsupported.
Non-Corporate Accounts Have Access to Google Cloud Platform (GCP) Resources
The RQL in this customizable policy is updated to match on more than one domain, and the match criteria checks for whether the email address contains or ends in the specified domain(s).
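The three ECS task-definition checks in the table above, expressed as a small local evaluator. This is an added example, not Prisma Cloud's own policy logic; it reads the executionRoleArn, containerDefinitions[].privileged and containerDefinitions[].user fields of the ECS task definition JSON, and the two task definitions are constructed for illustration.

```python
from typing import Dict, List

# Explicit root spellings in the container "user" field ("0:0" is handled by
# splitting on ":"). An unset user is not flagged here because the effective
# user then depends on the image's USER directive.
ROOT_USERS = {"root", "0"}


def is_root_user(user: str) -> bool:
    """True when the container user field names root explicitly."""
    return user.split(":")[0] in ROOT_USERS


def evaluate_task_definition(td: Dict) -> List[str]:
    """Return the names of the policies (from the table above) this task definition violates."""
    findings: List[str] = []
    containers = td.get("containerDefinitions", [])
    if any(c.get("privileged", False) for c in containers):
        findings.append("AWS ECS Task Definition Elevated Privileges Enabled")
    if not td.get("executionRoleArn"):
        findings.append("AWS ECS/ ECS Fargate task definition execution IAM Role not found")
    if any(is_root_user(c["user"]) for c in containers if c.get("user")):
        findings.append("AWS ECS Task Definition Root User Found")
    return findings


# Constructed sample task definitions (not real resources).
SAMPLE_TASK_DEFINITIONS = {
    "web-hardened": {
        "family": "web",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [{"name": "web", "user": "1000:1000", "privileged": False}],
    },
    "worker-risky": {
        "family": "worker",  # no executionRoleArn at all
        "containerDefinitions": [
            {"name": "worker", "user": "root", "privileged": True},
            {"name": "sidecar", "user": "0:0"},
        ],
    },
}


def scan(task_definitions: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each task definition name to its findings; an empty list means clean."""
    return {name: evaluate_task_definition(td) for name, td in task_definitions.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_TASK_DEFINITIONS).items():
        print(name, "->", findings or "no findings")
```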
