Features Introduced in December 2020

Learn what’s new on Prisma™ Cloud in December 2020.

New Features Introduced in 20.12.2

New Features

Feature
Description
IaC Scan Plugin Updates to Support IaC Scan API v2
The IntelliJ and CircleCI plugins are updated to use the IaC Scan API v2.
The updates simplify the installation and setup workflows; the highlights are:
  • Payload limit increased from 1 MB to 300 MB.
  • With the exception of template type and version, all other template scan parameters are optional. With Terraform, the plugin detects root modules automatically.
  • Terraform v.13 support.
  • The scan results include a column for the policy URL, which links to more details on the policy that was violated.
  • twistcli updates to support an HTTP proxy for environments that sit behind a web proxy server.
  • A DevOps Inventory dashboard to view and filter IaC scan results on Prisma Cloud.
API Ingestion
AWS Data Migration Service (aws-dms-certificate)
The Security Audit role includes the required permissions.
AWS Direct Connect (aws-direct-connect-connection)
The Security Audit role includes the required permissions.
Azure Virtual Network (azure-ddos-protection-plan)
Additional permissions required are:
  • Microsoft.Network/ddosProtectionPlans/read
The Reader role includes this permission, and azure_prisma_cloud_read_only_role.json will be updated to include it.
Google Compute Engine (gcloud-compute-instance-disk-snapshot)
Additional permissions required are:
  • compute.snapshots.list
  • compute.snapshots.getIamPolicy
The Compute Network Viewer role includes these permissions.
Google Cloud Source Repositories (gcloud-cloud-source-repository)
Additional permissions required are:
  • source.repos.list
  • source.repos.getIamPolicy
The Project Viewer role and the Source Repository Reader role include these permissions.

Updates to Existing Behavior

Feature with Behavior Change
Description
Alerts on Prisma Cloud
To reduce noise from alerts for accounts that are not actively monitored using Prisma Cloud, when you add a cloud account on Prisma Cloud and then disable it, you can no longer view the existing alerts associated with the disabled account on Alerts > Overview on Prisma Cloud.
Previously, on disabling an account, the alert status (Open, Snoozed, Dismissed, or Resolved) was retained to indicate the last known state, and the Alerts > Overview count included these alerts.

New Policy and Policy Updates

New Policies and Policy Updates
New Policies
Azure app services remote debugging is enabled
Identifies Azure App Services that have remote debugging enabled, which opens up inbound ports on App Services and increases security risk.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = config.remoteDebuggingEnabled is true
Azure virtual machine boot diagnostics disabled
Identifies Azure Virtual Machines with boot diagnostics disabled. Boot diagnostics capture screenshots and console output at virtual machine startup, which helps with troubleshooting the virtual machine if it enters a non-bootable state.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = ['properties.diagnosticsProfile'].bootDiagnostics.enabled is false
Azure virtual machine scale sets boot diagnostics disabled
Identifies Azure Virtual Machine scale sets with boot diagnostics disabled. When boot diagnostics is enabled for the virtual machine, it captures screenshots and console output during virtual machine startup, which helps with troubleshooting the virtual machine if it enters a non-bootable state.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-virtual-machine-scale-set' AND json.rule = properties.virtualMachineProfile.diagnosticsProfile.bootDiagnostics.enabled is false
Policy Updates—RQL and Metadata
Alibaba Cloud MFA is disabled for RAM user
The RQL has been updated to check the MFA device value in order to report users whose MFA is disabled.
config from cloud.resource where cloud.type = 'alibaba_cloud' AND api.name = 'alibaba-cloud-ram-user' AND json.rule = 'MFADevice is empty'
Impact: Previous alerts will be resolved as Policy_Updated, and new alerts will be generated using the revised query.
Alibaba Cloud Security group overly permissive to all traffic
The Policy Name and Description have been updated. The policy checks for inbound rules that allow traffic from any IP address (0.0.0.0/0).
Impact: This change does not affect alerts.
Azure storage account logging for queues is disabled
Updated RQL: The updated RQL is
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and loggingProperties.queue exists and (loggingProperties.queue.readEnabled is false or loggingProperties.queue.writeEnabled is false or loggingProperties.queue.deleteEnabled is false)'
The RQL has been updated to properly identify Azure Blob Storage accounts.
Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.
Azure storage account logging for tables is disabled
Updated RQL: The updated RQL is
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = 'sku.tier equals Standard and (loggingProperties.table.readEnabled is false or loggingProperties.table.writeEnabled is false or loggingProperties.table.deleteEnabled is false)'
The RQL has been updated to properly identify Azure Blob Storage accounts.
Impact: This RQL fix resolves previously opened alerts and marks them as Policy_Updated.
Policy Updates—Recommendation
AWS Elastic File System (EFS) with encryption for data at rest is disabled
The recommendation instructions in the policy are updated to replace Redshift with AWS Elastic File System (EFS).

REST API Updates

Change
Description
Update: Rate limiting on List Alert APIs
Prisma Cloud now enforces rate limiting on the following APIs:
  • GET /v2/alert
  • POST /v2/alert
The limit is one request per second per client session. Requests in excess of the limit receive an HTTP 429 error code.
Impact: While most clients will not see any effect, if you use automation, plan to insert delay and retry logic to work with the new rate limits.
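The delay-and-retry logic the Impact note asks for, as an added example that is not code from Prisma Cloud or its documentation: the client paces its own calls to one per second per session so a 429 is rare, and when one does arrive it honours Retry-After (if present) or backs off exponentially with jitter. The transport, the response shape and the `fake_sender` stand-in are constructed for the example; a real transport would perform the HTTPS call to /v2/alert.

```python
import random
import time
from typing import Any, Callable, Dict

# Constructed transport shape: send(method, path) -> {"status": int, "retry_after": str|None, "body": ...}
Sender = Callable[[str, str], Dict[str, Any]]

class RateLimitedAlertClient:
    """Paces calls to /v2/alert to one per second per session and retries on HTTP 429."""
    def __init__(self, send: Sender, min_interval: float = 1.0, max_retries: int = 5,
                 sleep: Callable[[float], None] = time.sleep):
        self.send = send                  # a real transport would call the Prisma Cloud API over HTTPS
        self.min_interval = min_interval  # one request per second is the documented limit
        self.max_retries = max_retries
        self.sleep = sleep                # injectable so tests need not really wait
        self._last_call = None
        self.retries = 0                  # count of absorbed 429s; worth exporting as a metric

    def _throttle(self) -> None:
        # Never send faster than min_interval, so a 429 is the exception rather than the rule.
        if self._last_call is not None:
            wait = self.min_interval - (time.monotonic() - self._last_call)
            if wait > 0:
                self.sleep(wait)
        self._last_call = time.monotonic()

    def list_alerts(self, method: str = "GET") -> Dict[str, Any]:
        """GET or POST /v2/alert; on 429 honour Retry-After, else exponential backoff with jitter."""
        for attempt in range(self.max_retries + 1):
            self._throttle()
            resp = self.send(method, "/v2/alert")
            if resp["status"] != 429:
                return resp
            if attempt == self.max_retries:
                raise RuntimeError("rate limit still exceeded after %d retries" % self.max_retries)
            delay = float(resp.get("retry_after") or self.min_interval * 2 ** attempt)
            self.retries += 1
            self.sleep(delay + random.uniform(0.0, 0.25))

def fake_sender(reject_first: int) -> Sender:
    """Constructed stand-in for the API: answers 429 to the first `reject_first` calls, then 200."""
    calls = {"n": 0}
    def send(method: str, path: str) -> Dict[str, Any]:
        calls["n"] += 1
        if calls["n"] <= reject_first:
            return {"status": 429, "retry_after": "1", "body": None}
        return {"status": 200, "retry_after": None,
                "body": {"method": method, "path": path, "alerts": [{"id": "P-0001", "status": "open"}]}}
    return send
```

Running `RateLimitedAlertClient(fake_sender(2)).list_alerts()` absorbs two 429 responses before returning the 200 body, with `retries` reporting how many were seen.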

New Features Introduced in 20.12.1

New Features

Feature
Description
Machine Learning Classification Improvements for Unusual User Activity / UEBA Policies
For better detection of anomalies, the machine learning model on Prisma Cloud is being updated. These changes are transparent to you.
[Image: ueba-anomaly-policies.png]
For Excessive login failures, the detection window has been reduced from 1 hour to 15 minutes, and the default threshold is set to 5 failed login events. Also, the model-building thresholds have been reduced from 7 days and 4 events to 1 day and just 1 event, to help you detect incidents sooner.
For generating alerts on Account hijacking attempts, the minimum distance between the two locations has to be at least 1000 miles within a 2-hour period.
For Unusual user activity, the unknown-location alert is generated only if the new location is at least 160 miles (instead of 120 miles) away from any of the known locations in the model.
Malware Scan Status in Data Inventory
If you have enabled the Prisma Cloud Data Security subscription, you can review the malware scan status in the Data Inventory table on Inventory > Data.
Two new columns display the time stamp of when Prisma Cloud received the verdict from the WildFire service, and the scan status, which indicates whether the scan is in progress or failed, whether the file type is unsupported or the file too large, or confirms that the object is malware or benign.
Read-Only Permission Group Update
Prisma Cloud administrators who are assigned to the read-only permission group can now save filters on the Asset Inventory and Compliance pages.
API Ingestion
Azure Data Lake Analytics (azure-data-lake-analytics-account)
Additional permissions required are:
  • Microsoft.DataLakeAnalytics/accounts/read
  • Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read
  • Microsoft.DataLakeAnalytics/accounts/firewallRules/read
  • Microsoft.DataLakeAnalytics/accounts/storageAccounts/read
  • Microsoft.Authorization/permissions/read
The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.
In addition to the permissions above, on each Azure Data Lake Analytics account you must assign the Prisma Cloud role so that it can access catalog-related information (such as ACLs, databases, credentials, and external data sources) and ingest metadata. For details on how to enable permissions, see Set up your Azure subscription for Prisma Cloud.
Azure Data Lake Store (Gen 1) (azure-data-lake-store-gen1-account)
Additional permissions required are:
  • Microsoft.DataLakeStore/accounts/read
  • Microsoft.DataLakeStore/accounts/firewallRules/read
  • Microsoft.DataLakeStore/accounts/virtualNetworkRules/read
  • Microsoft.DataLakeStore/accounts/trustedIdProviders/read
The Reader role includes these permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them.

New Policy and Policy Updates

New Policies and Policy Updates
Policy Updates—RQL and Metadata
AWS Security Groups policies
These policies are renamed to remove the word 'internet' from the name and to leverage nested rules for RQL optimization:
  • AWS Security Groups allow internet traffic from internet to FTP-Data port (20)
  • AWS Security Groups allow internet traffic from internet to FTP port (21)
  • AWS Security Groups allow internet traffic to SSH port (22)
  • AWS Security Groups allow internet traffic from internet to Telnet port (23)
  • AWS Security Groups allow internet traffic from internet to SMTP port (25)
  • AWS Security Groups allow internet traffic from internet to DNS port (53)
  • AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
  • AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
  • AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
  • AWS Security Groups allow internet traffic from internet to CIFS port (445)
  • AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
  • AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
  • AWS Security Groups allow internet traffic from internet to MYSQL port (3306)
  • AWS Security Groups allow internet traffic from internet to RDP port (3389)
  • AWS Security Groups allow internet traffic from internet to MSQL port (4333)
  • AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432)
  • AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
  • AWS Security Groups allow internet traffic from internet to VNC Server port (5900)
Reason:
  • The word "internet" is removed from the policy name and description.
  • The RQL grammar will be updated to use a nested array.
Impact: There is no change in the number of alerts generated against these policies.
Azure Network Security Group policies
The following policies are mapped to the Azure CIS compliance benchmark, and the severity is being updated from Medium to High.
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on TCP protocol
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on UDP protocol
  • Azure Network Security Group having Inbound rule overly permissive to all traffic on any protocol
Reason: The severity was updated because these policies check for overly permissive Azure network security group inbound rules that leave all ports open for TCP, UDP, or any protocol.
Impact: The compliance report may include additional alerts because three additional policies are mapped to the Azure CIS compliance benchmark.
GCP Kubernetes Engine Clusters have HTTP load balancing disabled
Updated RQL: The updated RQL is
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'addonsConfig.httpLoadBalancing.disabled equals true'
Impact: Open alerts that are false positives will be resolved.
Custom Policy Modification
When you modify the RQL in a custom policy, you cannot change the cloud.type or the api.name of the existing policy.
To revise either of these attributes, you must create a new custom policy and disable or delete the existing policy.

REST API Updates

Change
Description
Infrastructure-as-Code (IaC) Scan API Version 2
A new IaC Scan API that returns scan result details in the OASIS Static Analysis Results Interchange Format (SARIF) is available.
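Because the v2 API returns SARIF, any SARIF-aware consumer can gate a pipeline on the results. The following is an added example, not Prisma Cloud's own code: it flattens a SARIF 2.1.0 document into rows that include the policy URL (the rule's `helpUri`, which is where the plugins' policy-URL column comes from in the standard) and fails the build when any result is at a blocking level. The embedded document is a constructed sample in SARIF shape, with placeholder rule identifiers and an example.invalid host, not real scanner output.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in SARIF 2.1.0 shape; not real Prisma Cloud output. Rule identifiers
# and the helpUri host are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "PC-EXAMPLE-001", "shortDescription": {"text": "Storage bucket is publicly readable"},
             "helpUri": "https://example.invalid/policies/PC-EXAMPLE-001"},
            {"id": "PC-EXAMPLE-002", "shortDescription": {"text": "Access logging is disabled"},
             "helpUri": "https://example.invalid/policies/PC-EXAMPLE-002"}]}},
        "results": [
            {"ruleId": "PC-EXAMPLE-001", "level": "error", "message": {"text": "acl = \"public-read\""},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "PC-EXAMPLE-002", "message": {"text": "no logging block"},   # level omitted
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 30}}}]}]}]})

def parse_sarif(text: str) -> List[Dict[str, object]]:
    """Flatten SARIF results into rows: rule, level, file, line, message, policy URL (rule helpUri)."""
    doc = json.loads(text)
    rows: List[Dict[str, object]] = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({
                "rule": res.get("ruleId", ""),
                "level": res.get("level", "warning"),   # SARIF default when a result carries no level
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
                "policy_url": rules.get(res.get("ruleId"), {}).get("helpUri", ""),
            })
    return rows

def gate(rows: List[Dict[str, object]], block_on=("error",)) -> Tuple[bool, Counter]:
    """CI gate: passes only if no result is at a blocking level; also returns counts per level."""
    counts = Counter(str(r["level"]) for r in rows)
    return not any(r["level"] in block_on for r in rows), counts

if __name__ == "__main__":
    ok, counts = gate(parse_sarif(SAMPLE_SARIF))
    print("pass" if ok else "FAIL", dict(counts))
```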
