Features Introduced in December 2020
Learn what’s new on Prisma™ Cloud in December 2020.
New Features Introduced in 20.12.2
New Features
Feature | Description |
---|---|
IaC Scan Plugin Updates to support IaC Scan
API v2 | The updates simplify the installation
and set up workflows and the highlights are:
|
API Ingestion | AWS Data Migration Service aws-dms-certificate The
Security Audit role includes the required permissions. |
AWS Direct Connect aws-direct-connect-connection The
Security Audit role includes the required permissions. | |
Azure Virtual Network azure-ddos-protection-plan Additional
permissions required are:
The
Reader role includes the permission, and the azure_prisma_cloud_read_only_role.json
will be updated to include the permissions. | |
Google Compute Engine gcloud-compute-instance-disk-snapshot Additional
permissions required are:
The
Compute Network Viewer includes these permissions. | |
Google Cloud Source Repositories gcloud-cloud-source-repository
The
Project Viewer role and the Source Repository Reader role include
these permissions. |
Updates to Existing Behavior
Feature with Behavior Change | Description |
---|---|
Alerts on Prisma Cloud | To reduce noise from alerts for accounts that
are not actively monitored using Prisma Cloud, when you add a cloud
account on Prisma Cloud and then disable it, you can no longer view
existing alerts associated with the disabled account on Alerts Overview. Previously, on disabling an account, the alert status—Open, Snoozed,
Dismissed, or Resolved—was retained to indicate the last known state
and the Alerts Overview |
New Policy and Policy Updates
See Look Ahead—Planned Updates on
Prisma Cloud to learn what’s coming soon.
New Policies and Policy Updates | |
---|---|
New Policies | Azure app services remote debugging is enabled Identifies
Azure App Services that have remote debugging enabled, which opens
up inbound ports on App Services and increases security risk.
|
Azure virtual machine boot diagnostics disabled Identifies
Azure Virtual Machines with boot diagnostics disabled. Boot diagnostics
capture screenshots and console output at the virtual machine startup,
and this helps with troubleshooting the virtual machine if it enters
a non-bootable state.
| |
Azure virtual machine scale sets boot diagnostics
disabled Identifies Azure Virtual Machine scale sets with
boot diagnostics disabled. When boot diagnostics is enabled for
the virtual machine, it captures screenshots and console output during
the virtual machine startup and helps with troubleshooting the virtual
machine if it enters a non-bootable state.
| |
Policy Updates—RQL and Metadata | Alibaba Cloud MFA is disabled for RAM
user The RQL has been updated to check for MFA device
value to report disabled MFA users.
Impact :
Previous alerts will get resolved as Policy_Updated and new alerts
will be generated using the revised query. |
Alibaba Cloud Security group overly permissive
to all traffic The Policy Name and Description have been updated.
The policy checks for inbound rules that allow traffic from any IP address
(0.0.0.0/0). Impact : This change does not affect
alerts. | |
Azure storage account logging for queues
is disabled Updated RQL —The updated RQL is
The
RQL has been updated to properly identify Azure Blob Storage accounts. Impact :
This RQL fix resolves previously opened alerts and marks them as Policy_Updated. | |
Azure storage account logging for tables is
disabled Updated RQL —The updated RQL is
The
RQL has been updated to properly identify Azure Blob Storage accounts. Impact :
This RQL fix resolves previously opened alerts and marks them as Policy_Updated. | |
Policy Updates—Recommendation | AWS Elastic File System (EFS) with encryption
for data at rest is disabled The recommendation instructions
in the policy are updated to replace RedShift with AWS Elastic File
System (EFS). |
REST API Updates
Change | Description |
---|---|
Update Rate limiting on List Alert
APIs | Prisma Cloud will now enforce rate limiting
on the following APIs:
The limit is one request per second
for a client session. Exceeding the limit will result in an HTTP
429 error code. Impact —While most clients will not
see any effect, if you're using automation, please plan to insert
delay and retry logic to work with the new rate limits. |
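The delay and retry logic the rate-limit note asks for, as an added example (not Prisma Cloud code): a caller that spaces requests one second apart and retries on HTTP 429. The transport is a hypothetical injected `send` callable, and honoring a `Retry-After` header in seconds is an assumption, since the page does not say whether the API sends one.

```python
import time


class RateLimitedCaller:
    """Spaces calls at least `min_interval` seconds apart and retries HTTP 429."""

    def __init__(self, send, min_interval=1.0, max_retries=4,
                 clock=time.monotonic, sleep=time.sleep):
        self.send = send                  # hypothetical: send(request) -> (status, headers, body)
        self.min_interval = min_interval  # page: one request per second per client session
        self.max_retries = max_retries
        self.clock, self.sleep = clock, sleep
        self._last = None                 # clock reading at the previous send

    def _pace(self):
        # Wait out whatever remains of the interval since the last request.
        if self._last is not None:
            wait = self.min_interval - (self.clock() - self._last)
            if wait > 0:
                self.sleep(wait)
        self._last = self.clock()

    def call(self, request):
        for attempt in range(self.max_retries + 1):
            self._pace()
            status, headers, body = self.send(request)
            if status != 429:
                return status, body
            if attempt == self.max_retries:
                break
            # Assumption: use Retry-After (seconds form) when present;
            # otherwise back off exponentially: 1s, 2s, 4s, ...
            delay = headers.get("Retry-After")
            backoff = float(delay) if delay else self.min_interval * 2 ** attempt
            self.sleep(backoff)
        raise RuntimeError("rate limited: retries exhausted")


def demo():
    """Constructed run: fake clock and a fake server that answers 429 twice."""
    now, slept = [0.0], []
    def sleep(seconds):
        slept.append(seconds)
        now[0] += seconds
    replies = iter([(429, {}, ""), (429, {"Retry-After": "3"}, ""), (200, {}, "ok")])
    caller = RateLimitedCaller(lambda request: next(replies),
                               clock=lambda: now[0], sleep=sleep)
    return caller.call("list-alerts"), slept  # placeholder request, not a real path
```

Use one caller instance per client session, since the limit is stated per session.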
New Features Introduced in 20.12.1
New Features
Feature | Description |
---|---|
Machine Learning Classification Improvements
for Unusual User Activity / UEBA Policies | For better detection of anomalies, the machine learning
model is being updated on Prisma Cloud. These changes are transparent
to you. For Excessive
login failures, the detection window has been reduced from
1 hour to 15 minutes and the default threshold is set to 5 failed
login events. Also, the model building thresholds have been reduced
from 7 days and 4 events to 1 day and just 1 event to help you detect
incidents sooner. For generating alerts on Account hijacking
attempts, the minimum distance between the two locations has
to be at least 1000 miles within a 2-hour period. For Unusual
user activity, the unknown location alert will be generated only
if the new location is at least 160 miles away, instead of 120 miles
from any of the known locations in the model. |
Malware Scan Status in Data Inventory | If you have enabled the Prisma Cloud Data
Security subscription, you can review the malware scan status on
the Data Inventory table on Inventory Data. Two
new columns display the time stamp of when Prisma Cloud received
the verdict from the WildFire service, and the scan status to indicate
whether the scan is in progress, failed, file type is not supported
or too large, or confirmation if the object is malware or benign. |
Read-Only Permission Group Update | Prisma Cloud administrators who are assigned
to the read-only permission group can now save filters on the Asset Inventory and Compliance page. |
API Ingestion | Azure Data Lake Analytics azure-data-lake-analytics-account
The
Reader role includes these permissions, and the azure_prisma_cloud_read_only_role.json
will be updated to include the permissions. In addition to
the permissions above, on each Azure Data Lake Analytics account
you must assign the Prisma Cloud role to access catalog related
information such as ACLs, databases, credentials, external data
sources, so that it can ingest metadata. For details on how to enable
permissions, see Set up your Azure subscription
for Prisma Cloud. |
Azure Data Lake Store (Gen 1) azure-data-lake-store-gen1-account
The
Reader role includes these permissions, and the azure_prisma_cloud_read_only_role.json
will be updated to include the permissions. |
New Policy and Policy Updates
New Policies and Policy Updates | |
---|---|
Policy Updates—RQL and Metadata | AWS Security Groups policies These
policies are renamed to remove the word 'internet' from the name
and to leverage nested rules for RQL optimization:
Reason :
Impact —There
is no change in the number of alerts generated against these policies. |
Azure Network Security Group policies
Reason —The
severity was updated because these policies check for overly permissive
Azure network security group inbound rules from all open ports for
TCP, UDP or any protocol. Impact — The compliance report
may include additional alerts because three additional policies
are mapped to Azure CIS compliance benchmark. | |
GCP Kubernetes Engine Clusters have HTTP
load balancing disabled Updated RQL — The updated RQL
is
Impact —Open
alerts that are false positives will be resolved. | |
Custom Policy Modification | When you modify the RQL in a custom policy,
you cannot change the cloud.type and the api.name
in the existing policy. To revise either of these attributes,
you must create a new custom policy and disable or delete the existing
policy. |
REST API Updates
Change | Description |
---|---|
Infrastructure-As-Code (IaC) Scan API Version
2 | A new IaC Scan API that returns scan result
details in OASIS Static Analysis Results Interchange Format (SARIF)
is available. |