Features Introduced in August 2020

Learn what’s new on Prisma™ Cloud in August 2020.

Features Introduced in 20.8.2

New Features

Prisma Cloud Licensing Changes
To simplify licensing, Prisma Cloud replaces workload-based pricing with credits. With these credits you can use the different Prisma Cloud modules available within the Prisma Cloud Enterprise or Prisma Cloud Compute Edition licenses. Each module has its own capacity unit, and the unit price is specified in Prisma Cloud credits.
Permission updates for the Prisma Cloud Read Only TF template for Azure
The custom role JSON for onboarding your Azure subscription to Prisma Cloud is updated to include the following permissions for new services:
  • "Microsoft.Authorization/policyDefinitions/read"
  • "Microsoft.ApiManagement/service/read"
  • "Microsoft.ApiManagement/service/portalsettings/read"
  • "Microsoft.ApiManagement/service/tenant/read"
  • "Microsoft.Cache/redis/read"
  • "Microsoft.Cache/redis/firewallRules/read"
  • "Microsoft.Compute/virtualMachineScaleSets/read"
  • "Microsoft.DBforMySQL/servers/virtualNetworkRules/read"
API Ingestion
AWS
  • Amazon CloudSearch—aws-cloudsearch-domain
    The additional permission required is cloudsearch:DescribeDomains.
Azure
  • Azure Active Directory—azure-active-directory-conditional-access-policy, azure-active-directory-named-location
    The additional permission required is Policy.Read.All. For ingesting Azure Active Directory APIs for Azure China and Azure Government, you must add the permission manually.
  • Azure Key Vault—azure-key-vault-list is updated to include firewall and virtual networks information in the networkAcls JSON key within a JSON response.
  • Azure MySQL—azure-mysql-server is updated to include virtual network rules.
GCP
  • Google Cloud Service Usage—gcloud-services-list
  • Google Cloud Run—gcloud-cloud-run-services-list
  • Cloud Bigtable—gcloud-bigtable-instance-list
    The additional permissions required are bigtable.clusters.list, bigtable.appProfiles.list, bigtable.instances.list, and bigtable.instances.getIamPolicy.
GCP New Regions Support
Prisma Cloud can now monitor resources deployed in the Salt Lake City, Utah and Jakarta, Indonesia regions. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
New Policies
AWS
  • AWS API gateway unvalidated Requests—Identifies AWS API gateways on which the request parameters in the URI, query string, and headers of an incoming request are not validated.
GCP
  • GCP BigQuery dataset is publicly accessible—Identifies BigQuery datasets that are anonymously or publicly accessible. Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset, and is not recommended.
  • GCP PostgreSQL instance database flag log_min_duration_statement is not set to -1—Identifies PostgreSQL database instances in which logging of SQL statements is not disabled, which poses a risk if sensitive information in executed statements is recorded in the logs.
  • GCP PostgreSQL instance database flag log_min_messages is not set—Identifies PostgreSQL database instances that are not configured to log messages to the server log.
Policy Updates
The RQL in the Azure VPN is not configured with cryptographic algorithm policy is updated to check whether Azure VPN gateways use a custom IPsec/IKE policy with specific cryptographic algorithms and keys, and it excludes Express Route VPN:
config where api.name = 'azure-network-vpn-connection-list' AND json.rule = 'ipsecPolicies is empty and connectionType does not equal ExpressRoute'
The GCP Kubernetes Engine Clusters have Legacy Authorization enabled policy is updated to include a remediation CLI, and this policy is now a Remediable Prisma Cloud Default policy. To enable automatic remediation, the container.clusters.update permission is required. The Service Account created by the Terraform templates that you use to Protect and Monitor your GCP accounts is updated to include this permission.
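As an added example that is not part of these release notes or Prisma Cloud's own code, the following Python evaluates the conditions behind the new GCP policies above (BigQuery public access and the two PostgreSQL flag checks) and the updated Azure VPN RQL over constructed resource JSON; the field names (access, iamMember, specialGroup, databaseVersion, databaseFlags, properties, ipsecPolicies, connectionType) are assumed from the GCP and Azure APIs, and it also covers the edge cases of a non-PostgreSQL Cloud SQL instance and an ExpressRoute connection.

```python
# Added example, not Prisma Cloud's own code: the conditions behind the new GCP
# policies and the updated Azure VPN RQL, run over constructed resource JSON
# shaped like the GCP/Azure API responses (field names are assumptions).

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def bigquery_dataset_public(dataset):
    """Dataset access list grants a role to allUsers or allAuthenticatedUsers
    (the API reports them under specialGroup or iamMember)."""
    return any((e.get("specialGroup") or e.get("iamMember")) in PUBLIC_MEMBERS
               for e in dataset.get("access", []))


def _pg_flags(instance):
    """Cloud SQL databaseFlags as {name: value}; None for non-PostgreSQL instances."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return None
    return {f["name"]: f.get("value")
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def pg_statement_logging_not_disabled(instance):
    """log_min_duration_statement absent or not -1: statement text can be logged."""
    flags = _pg_flags(instance)
    return flags is not None and flags.get("log_min_duration_statement") != "-1"


def pg_log_min_messages_unset(instance):
    """log_min_messages is not set on the instance at all."""
    flags = _pg_flags(instance)
    return flags is not None and "log_min_messages" not in flags


def azure_vpn_without_custom_ipsec(conn):
    """Same condition as the updated RQL: ipsecPolicies is empty and
    connectionType does not equal ExpressRoute."""
    p = conn.get("properties", conn)
    return not p.get("ipsecPolicies") and p.get("connectionType") != "ExpressRoute"


# Constructed sample resources (not real assets).
SAMPLE_DATASET = {"access": [{"role": "OWNER", "userByEmail": "dba@example.com"},
                             {"role": "READER", "iamMember": "allUsers"}]}
SAMPLE_PG = {"databaseVersion": "POSTGRES_12", "settings": {"databaseFlags": [
    {"name": "log_min_duration_statement", "value": "500"}]}}
SAMPLE_MYSQL = {"databaseVersion": "MYSQL_8_0", "settings": {}}
SAMPLE_VPN = {"properties": {"connectionType": "IPsec", "ipsecPolicies": []}}
SAMPLE_ER = {"properties": {"connectionType": "ExpressRoute", "ipsecPolicies": []}}
```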
AWS policies that enable auto-remediation
The following policies are updated to support automatic remediation, and are now designated as Remediable on the Prisma Cloud administrative console:
  • AWS S3 Object Versioning is disabled
  • AWS RDS instance with copy tags to snapshots disabled
  • AWS Elastic Load Balancer (Classic) with connection draining disabled

REST API Updates

Onboard your Azure Active Directory Account on Prisma Cloud through the REST API (Limited GA)
You can now use the Prisma Cloud REST APIs to onboard your Azure Active Directory on Prisma Cloud. To support this feature, the following REST API requests have a new optional body parameter, cloudAccount.accountType, for Azure accounts:
  • POST /cloud/{cloud_type}
  • PUT /cloud/{cloud_type}/{id}
Enhanced validation for Policy creation and updates
The following REST API requests now validate the RQL that you specify in the criteria request body parameter when it is not denoted as a saved search:
  • POST /policy
  • PUT /policy/{id}

Features Introduced in 20.8.1

New Features

Notification Template Enhancement
To easily modify and reuse an existing notification template on Prisma Cloud, you can clone a notification template for Email, Jira, or ServiceNow.
Onboard your Azure Active Directory Account on Prisma Cloud (Limited GA)
Onboard Azure Active Directory (Azure AD) and ingest your Azure AD user information on Prisma Cloud to Investigate user activity. When the data is ingested, use the following RQL:
config where cloud.type = 'azure' AND api.name = 'azure-active-directory-user' AND json.rule = userType equals "Guest"
API Ingestion
Azure
  • Azure Cache—azure-redis-cache
  • Azure Compute—azure-virtual-machine-scale-set
GCP
  • GCP Compute Engine—gcloud-compute-nat
    The additional permission required is compute.routers.list.

New Policy and Policy Updates

There are no policy updates in this release. See Look Ahead—Planned Updates on Prisma Cloud.

REST API Updates

Notification Templates
  • A new API, POST /notification/template/clone/{id}, enables you to clone an existing notification template.
  • The possible options for the "description" field in both ServiceNow and Jira notification template field configurations have been expanded to include:
    • ResourceTags
    • Status
    • FirstSeen
    • LastSeen
    • Reason
    You can see these options in the response object for the following APIs:
    • GET /template/servicenow/{integrationId}/types
    • GET /template/servicenow/{integrationId}/{type}/fields
    • GET /template/fields/jira/{integrationid}/{project}/{issueType}
