Features Introduced in February 2020

Learn what’s new on Prisma™ Cloud in February 2020.

Features Introduced on February 26, 2020

New Features

Prisma Cloud has an update to the Service Names that are displayed for each cloud provider. For details, see Service Name Changes.
Feature
Description
International Regions Support on Alibaba Cloud
If you have adopted Alibaba Cloud, you can now use Prisma Cloud for visibility and compliance monitoring of International regions, in addition to the regions within Mainland China. To get started, add your Alibaba Cloud account on Prisma Cloud.
Asset Inventory and Compliance Overview—Usability Enhancements
The inline links on Inventory > Asset and Compliance > Overview take you to the Asset Explorer, and the View Alerts links enable you to view all open alerts on Alerts > Overview, filtered by severity.
(Screenshot: usability-asset-compliance.png)
API Ingestion Update
Azure
  • azure-databricks-workspace
  • azure-data-factory-v2
AWS
  • aws-directconnect-describe-gateway
  • aws-vpc-nat-gateway
  • aws-waf-classic-web-acl-resource
    To ingest the resources associated with this API, you must update the CFT and enable additional permissions:
    • waf-regional:ListResourcesForWebACL
    • waf-regional:ListWebACLs
  • aws-logs-describe-metric-filters is updated so that the count function now reports asset metadata for the AWS account instead of grouping data by AWS region.
RQL Config queries with joins support json.rule specification within the alias clause
For faster search results in a join operation, you can now use json.rule as part of the alias clause within a Configuration RQL (config where) query. For example, to get a list of all EC2 instances that use a specified snapshot ID and AMI, you can use the query:
config where api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "Name" as X; config where api.name = 'aws-ec2-describe-snapshots' AND json.rule = snapshot.snapshotId contains "snap-004b0221589e516d7" as Y; config where api.name = 'aws-ec2-describe-images' AND json.rule = image.imageId contains "ami-03698559b1d406e89" as Z;
instead of using
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-snapshots' as Y; config where api.name = 'aws-ec2-describe-images' as Z; filter '(($.X.tags[*].key contains "Name") and ($.Y.snapshot.snapshotId contains "snap-004b0221589e516d7") and ($.Z.image.imageId contains "ami-03698559b1d406e89"))' ; show X; limit search records to 100
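The reason the first form is faster is that each alias is pruned by its own json.rule before the join, whereas the second form joins the full result sets and only then applies the filter. The following added example (not code from the release notes or from Prisma Cloud) models both forms in memory over constructed sample resources; the snapshot and AMI ids are the ones quoted in the queries above, everything else is made up. It returns the matching instances (the "show X" result) together with a count of the work each form performs.

```python
from itertools import product

# Added example, not part of the Prisma Cloud release notes: an in-memory
# model of the two join forms above. The snapshot and AMI ids are the ones
# quoted in the notes; the resource records are constructed sample data.
SNAPSHOT_ID = "snap-004b0221589e516d7"
AMI_ID = "ami-03698559b1d406e89"

# Constructed stand-ins for the three config API result sets (aliases X, Y, Z).
INSTANCES = [
    {"instanceId": "i-0aaa", "tags": [{"key": "Name", "value": "web-1"}]},
    {"instanceId": "i-0bbb", "tags": [{"key": "Owner", "value": "team-a"}]},
    {"instanceId": "i-0ccc", "tags": [{"key": "Name", "value": "db-1"}]},
]
SNAPSHOTS = [
    {"snapshot": {"snapshotId": SNAPSHOT_ID}},
    {"snapshot": {"snapshotId": "snap-0other"}},
]
IMAGES = [
    {"image": {"imageId": AMI_ID}},
    {"image": {"imageId": "ami-0other"}},
]


# The three json.rule predicates from the query, one per alias.
def rule_x(inst):
    return any("Name" in t.get("key", "") for t in inst.get("tags", []))


def rule_y(snap):
    return SNAPSHOT_ID in snap["snapshot"]["snapshotId"]


def rule_z(img):
    return AMI_ID in img["image"]["imageId"]


def join_then_filter(xs, ys, zs):
    """Second form: bare aliases, all predicates applied in the filter clause.

    Every X*Y*Z combination is materialised and tested. Returns the matching
    X records (show X) and the number of combinations evaluated."""
    evaluated = 0
    hits = set()
    for x, y, z in product(xs, ys, zs):
        evaluated += 1
        if rule_x(x) and rule_y(y) and rule_z(z):
            hits.add(x["instanceId"])
    return sorted(hits), evaluated


def filter_then_join(xs, ys, zs):
    """First form: json.rule inside each alias clause.

    Each result set is pruned on its own before the join, so the cross
    product only covers records that already satisfy their alias rule.
    The work count is per-record rule checks plus joined combinations."""
    fx = [x for x in xs if rule_x(x)]
    fy = [y for y in ys if rule_y(y)]
    fz = [z for z in zs if rule_z(z)]
    evaluated = len(xs) + len(ys) + len(zs) + len(fx) * len(fy) * len(fz)
    hits = {x["instanceId"] for x, _, _ in product(fx, fy, fz)}
    return sorted(hits), evaluated


if __name__ == "__main__":
    print("filter clause :", join_then_filter(INSTANCES, SNAPSHOTS, IMAGES))
    print("alias clause  :", filter_then_join(INSTANCES, SNAPSHOTS, IMAGES))
```

Both forms return the same two instances; with real result sets of thousands of records per alias the cross product in the second form grows multiplicatively, which is why the alias-clause form scales better.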
Search within the JSON Resource configuration
The Prisma Cloud administrative console provides a new search window directly within the JSON Resource configuration on the Investigate page. Use this search to quickly find any part of the metadata ingested on Prisma Cloud and speed up your investigation.
(Screenshot: rql-search-within-resource-config.png)

New Policies

Cloud
Policy Name and Description
AWS
A set of AWS policies that identify the AWS regions where you have not enabled AWS Log metric filters and alarms to monitor configuration changes and detect unauthorized or malicious activities. The following policies are now available:
  • AWS Log metric filter and alarm does not exist for unauthorized API calls
  • AWS Log metric filter and alarm does not exist for IAM policy changes
  • AWS Log metric filter and alarm does not exist for CloudTrail configuration changes
  • AWS Log metric filter and alarm does not exist for AWS management console authentication failures
  • AWS Log metric filter and alarm does not exist for disabling or scheduled deletion of customer created CMKs
  • AWS Log metric filter and alarm does not exist for S3 bucket policy changes
  • AWS Log metric filter and alarm does not exist for AWS Config configuration changes
  • AWS Log metric filter and alarm does not exist for Security group changes
  • AWS Log metric filter and alarm does not exist for Network Access Control Lists (NACL) changes
  • AWS Log metric filter and alarm does not exist for Network gateways changes
  • AWS Log metric filter and alarm does not exist for Route table changes
  • AWS Log metric filter and alarm does not exist for VPC changes
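Each of these policies checks for the same two things in a region: a CloudWatch Logs metric filter whose pattern matches the event class, and a CloudWatch alarm that watches the metric the filter emits. The following added example (not code from the release notes or from Prisma Cloud) performs that check locally for the first policy, unauthorized API calls, using constructed input shaped like the output of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`; the log group, metric, alarm and SNS topic names are made up. It also flags an alarm that exists but has no action, which the policy name does not spell out but which leaves the alarm useless.

```python
# Added example, not part of the release notes: a local check that mirrors
# what the "AWS Log metric filter and alarm does not exist for unauthorized
# API calls" policy evaluates. Input is shaped like the output of
# `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`;
# the log group, metric, alarm and topic names below are constructed.

# Filter pattern terms from the CIS AWS Foundations Benchmark control for
# unauthorized API calls; both error codes must be covered.
REQUIRED_TERMS = ('"*UnauthorizedOperation"', '"AccessDenied*"')

# Constructed sample: describe-metric-filters output for one log group.
METRIC_FILTERS = {
    "metricFilters": [
        {
            "filterName": "UnauthorizedAPICalls",
            "filterPattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
            "logGroupName": "CloudTrail/ExampleLogGroup",
            "metricTransformations": [
                {"metricName": "UnauthorizedAPICallsCount", "metricNamespace": "CISBenchmark", "metricValue": "1"}
            ],
        },
        {
            "filterName": "RootAccountUsage",
            "filterPattern": '{ $.userIdentity.type = "Root" }',
            "logGroupName": "CloudTrail/ExampleLogGroup",
            "metricTransformations": [
                {"metricName": "RootAccountUsageCount", "metricNamespace": "CISBenchmark", "metricValue": "1"}
            ],
        },
    ]
}

# Constructed sample: describe-alarms output (example account id and topic).
ALARMS = {
    "MetricAlarms": [
        {
            "AlarmName": "UnauthorizedAPICallsAlarm",
            "Namespace": "CISBenchmark",
            "MetricName": "UnauthorizedAPICallsCount",
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example-security-alerts"],
        }
    ]
}


def covers_unauthorized_calls(pattern):
    """True if a filter pattern contains both CIS error-code terms.
    Whitespace is stripped so formatting differences do not matter."""
    compact = pattern.replace(" ", "")
    return all(term in compact for term in REQUIRED_TERMS)


def check_unauthorized_api_call_alarm(metric_filters, alarms):
    """Return (compliant, reason) for one region's log group.

    Compliant means: a metric filter with the CIS pattern exists, an alarm
    watches the metric it emits, and that alarm has at least one action."""
    matching = [
        f for f in metric_filters.get("metricFilters", [])
        if covers_unauthorized_calls(f.get("filterPattern", ""))
    ]
    if not matching:
        return False, "no metric filter for unauthorized API calls"

    metrics = {
        (t["metricNamespace"], t["metricName"])
        for f in matching
        for t in f.get("metricTransformations", [])
    }
    for alarm in alarms.get("MetricAlarms", []):
        if (alarm.get("Namespace"), alarm.get("MetricName")) in metrics:
            if alarm.get("AlarmActions"):
                return True, "alarm %s watches %s" % (alarm["AlarmName"], alarm["MetricName"])
            return False, "alarm %s has no actions configured" % alarm["AlarmName"]
    return False, "metric filter exists but no alarm watches its metric"


if __name__ == "__main__":
    print(check_unauthorized_api_call_alarm(METRIC_FILTERS, ALARMS))
```

The same structure applies to the other eleven policies in the list: swap REQUIRED_TERMS for the filter pattern of the event class in question (IAM policy changes, CloudTrail configuration changes, and so on) and run the check once per region, since metric filters and alarms are regional resources.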
Azure
Azure Monitor log profile does not capture all activities
—Identifies the Monitor log profiles that are not configured to capture all activities for the categories "Write", "Delete" and "Action" for the control/management plane operations performed on the subscription.
Azure log profile not capturing activity logs for all regions
Identifies Azure log profiles which are not capturing activity logs for all regions.
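The two log profile policies above evaluate the same object, the subscription's Monitor log profile, from two angles: the activity categories it captures and the locations it covers. The following added example (not code from the release notes or from Prisma Cloud) applies both checks to a constructed profile shaped like one entry of `az monitor log-profiles list` output; the profile contents and the region list are made up. Treating "global" as a required location is an assumption taken from the CIS Azure Foundations guidance, where activity from global Azure services is logged under that pseudo-region.

```python
# Added example, not part of the release notes: a local check for the two
# Azure log profile policies above. Input is shaped like one entry of
# `az monitor log-profiles list` output; the profile and the region list
# are constructed sample data.

REQUIRED_CATEGORIES = {"Write", "Delete", "Action"}

# Constructed: regions the subscription uses, and a profile that misses
# one category and one region so both checks fire.
SUBSCRIPTION_REGIONS = ["eastus", "westeurope", "southeastasia"]
LOG_PROFILE = {
    "name": "default",
    "categories": ["Write", "Delete"],
    "locations": ["eastus", "westeurope", "global"],
    "retentionPolicy": {"enabled": True, "days": 365},
}


def log_profile_findings(profile, subscription_regions):
    """Return a list of findings; an empty list means the profile passes.

    Check 1 mirrors "does not capture all activities": Write, Delete and
    Action must all be present. Check 2 mirrors "not capturing activity logs
    for all regions": every region in use plus the 'global' pseudo-region
    (assumption: required per CIS Azure guidance) must appear in locations."""
    findings = []
    missing_categories = REQUIRED_CATEGORIES - set(profile.get("categories", []))
    if missing_categories:
        findings.append("missing categories: " + ", ".join(sorted(missing_categories)))
    required_locations = set(subscription_regions) | {"global"}
    missing_regions = required_locations - set(profile.get("locations", []))
    if missing_regions:
        findings.append("missing locations: " + ", ".join(sorted(missing_regions)))
    return findings


if __name__ == "__main__":
    findings = log_profile_findings(LOG_PROFILE, SUBSCRIPTION_REGIONS)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("PASS: log profile captures all activities in all regions")
```

The region list should come from the resources actually deployed in the subscription rather than from the profile itself, otherwise a profile that lists only the regions it already covers trivially passes the second check.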
Azure MySQL Database Server SSL connection is disabled
—Identifies Azure MySQL database servers for which SSL connections between the database server and client applications are not enforced, leaving traffic unencrypted and at risk of man-in-the-middle attacks.
Azure Storage Account Container with Activity log has BYOK encryption disabled
—Identifies Azure storage accounts where the activity logs are exported without BYOK (Bring Your Own Key) encryption, and which therefore lack confidentiality controls for log data.
Google Cloud Platform
A set of GCP policies that identify GCP projects where you have not enabled Log metric filters and alerts to monitor configuration changes and detect unauthorized or malicious activities. The following policies are now available:
  • GCP Log metric filter and alert does not exist for VPC network changes
  • GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
  • GCP Log metric filter and alert does not exist for SQL instance configuration changes
  • GCP Log metric filter and alert does not exist for IAM custom role changes
  • GCP Log metric filter and alert does not exist for Project Ownership assignments/changes
  • GCP Log metric filter and alert does not exist for Audit Configuration Changes
  • GCP Log metric filter and alert does not exist for VPC Network Firewall rule changes
  • GCP Log metric filter and alert does not exist for VPC network route changes

Features Introduced on February 12, 2020

New Features

Feature
Description
Streamlined Cloud Account Onboarding
Onboard your cloud accounts on AWS, Azure, and GCP and simplify the first step for cloud monitoring and governance. The guided experience automates some of the configuration options for quicker onboarding with Terraform and CloudFormation templates, and reduces user error.
(Screenshot: add-cloud-account.png)
Upgrade Notification for Prisma Cloud Compute
You can upgrade the Prisma Cloud Compute Console using the new Upgrade button in the Prisma Cloud administrative console. After you complete the upgrade, you must update the Prisma Cloud Defenders to stay in sync with the Console version you just installed.
License Usage Details for Prisma Cloud Compute Workloads
Each Prisma Cloud Compute Defender deployed on an AWS EC2, Azure VM, or GCP GCE instance is counted as one Prisma Cloud Enterprise Edition workload license, and you can view the number of licenses on Settings > Licensing > Compute.
API Ingestion Update
Azure
  • azure-locations
  • azure-storage-account-list is updated to retrieve Storage service encryption and the keyvaultproperties
  • azure-mysql-server
AWS
  • aws-ec2-key-pair
    To ingest the resources associated with this API, you must update the CFT and enable the ec2:DescribeKeyPairs permission.
GCP
  • gcloud-logging-metric
  • gcloud-cloud-function

Policy Updates and New Policies

Policy
Description
AWS RDS snapshot is encrypted using default KMS key instead of CMK
Identifies RDS snapshots that are encrypted with a default KMS key. As a best practice, you should use a Customer Managed Key (CMK) for better key management including the ability to rotate and delete keys, and control access using IAM policies.
AWS RDS DB snapshot is not encrypted
Identifies RDS snapshots that are not encrypted. Unencrypted data at rest is at risk of unauthorized access.
AWS RDS cluster is encrypted using default KMS key instead of CMK
Identifies RDS clusters that are encrypted with a default KMS key. As a best practice, you should use a Customer Managed Key (CMK) for better key management including the ability to rotate and delete keys, and control access using IAM policies.