Features Introduced in January 2020
Learn what’s new on Prisma™ Cloud in January 2020.
Features Introduced on January 31, 2020
Coverage for the Personal Information Protection and Electronics Document Act Standard
Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. The coverage for this compliance standard is available across AWS, Azure, and GCP.
Notification Template Updates and Event Management Support for ServiceNow
Prisma Cloud now adds support for the Event Management module, the default reporting table on ServiceNow.
Along with this enhancement, the ServiceNow integration includes the following usability improvements:
More Policies for NIST CSF Compliance
Prisma Cloud now has increased policy coverage for the NIST Cyber Security Framework v1.1 on Azure and GCP to bring the count to over 30 policies on each of these cloud platforms.
Set Function in RQL to Compare or Combine Lists and Find a Value
_Setfunction enables you to compare or combine the values in lists (on the Left Hand Side and Right Hand Side) using the properties of union or intersection, and identify whether a specific value or comma separated list of values are included within that result set.
The methods supported are
_Set.union, and you can use the boolean operator
intersectsto verify whether the values you want to look for are included in the result, or if the result set
containsthe specified value(s).
For example, to detect Internet exposed instances with a public IP address and firewall rule with 0.0.0.0/0 and destination has a specific target tag:
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
RQL Function to find a specific address or subnet within a CIDR
In an RQL Config query, you can now use the
_IPAddress.inCIDRRangeto find whether a specific IPv4 or IPv6 address or subnet is a part of a specific CIDR block or supernetwork.
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions.ipv4Ranges.cidrIp,18.104.22.168/24) is true'
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true’
Auto remediation on GCP Storage Buckets with gsutil
If you would like to enable auto remediation on all GCP Storage buckets, you can use gsutil from the command line. Support for gsutil allows you to limit excessive permissions for specific sets of IAM users or to restrict buckets from being open to the internet.
The gsutil command is supported only for GCP Storage policies with API name gcloud-storage-buckets-list along with gcloud. For example:
Alert Notification Emails with Attachments
You can now send alerts instantly or schedule them as recurring batched jobs to any email address, and not only to Prisma Cloud administrators. The email recipients receive a complete list of all open alerts, as scheduled.
In the email, you can opt to include the remediation information for the policies that triggered the alerts, attach the alert details as a CSV file, or as a compressed zip file. An email can have up to 10 attachments with 9 MB total size limit. The uncompressed CSV file can have 900 rows per attachment, while the compressed zip file limit is 95000 rows per attachment.
API Ingestion Update
azure-sql-server-list API is modified to ingest JSON metadata on the server encryption protector type such as
Some of the new APIs require additional permissions. To ingest the resources that require these permissions, you must update the CFT.
Prisma Cloud no longer ingests the following APIs:
Saved Search Addition for Azure VMs
helps you identify VMs that do not have endpoint protection enabled. You can edit the
Azure VM endpoint protection extension is not installed
json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member ofattribute in the RQL to add the endpoint protection extensions which are approved by your organization.
Policy Updates and New Policies
Azure Storage Account Policies updates to RQL
The RQL associated with the following policies that detect Azure Storage Account analytics have been revised to exclude Azure Premium Storage:
New Azure Policies for Activity Logs
The following new policies are added to identify changes in activity alert logs, which you can use to detect suspicious activity more easily.
Features Introduced on January 16, 2020
New LookAsset Inventory
The Inventory provides a summary of the total number of resources discovered across your cloud deployments and the number of resources that are passing or failing policy checks.
To add visual appeal, you also have an asset trend chart, an asset classification bar graph, and a table with details (pass or fail) and alerts by severity.
To help you drill into the details, the inline links in the table take you to the
Passresources. The resources that failed policy checks are grouped as
Highseverity and these links take you to the
Alerts Overviewwhere you can review the details for each policy violation and the number of alerts that were generated against each policy.
Scheduled Compliance Reports
Enables you to set up one-time or recurring reports to assess the security status of your cloud resources against the compliance standards that matter most to you and to receive the reports in your email inbox.
The scheduled reports are also saved on Prisma™ Cloud so that you can download a report on demand. Additionally, the data in each report is available as a historical trend chart on the Prisma Cloud interface, which helps you view your overall compliance posture during a specific period of time.
GCP Flow Log Compression using the Google Cloud Dataflow Service
To address the lack of native log compression on Google Cloud Platform (GCP) and mitigate the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure, you can now automate flow log compression using the Google Cloud Dataflow service. Whether you are monitoring your GCP project or organization, Prisma Cloud can automate flow log compression and save the compressed logs to the same storage bucket as your VPC flow logs. These compressed logs are then sent to the Prisma Cloud infrastructure for monitoring the network activity of your cloud resources.
For flowlog compression, you need to enable the Google Cloud Dataflow APIs and provide additional permissions that enable Prisma Cloud to make API calls and save the compressed logs to your Google Cloud Storage bucket.
API Ingestion Update
More Policies for GDPR Compliance
Prisma Cloud now includes GDPR support on Azure and includes more policies to extend coverage for GDPR compliance on GCP.
Support for CIS v1.0.0 on GCP and CIS v1.2.0 on AWS
The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in v1.0.0 on GCP and v1.2.0 on AWS.
California Consumer Privacy Act of 2018
Prisma Cloud now supports the California Consumer Privacy Act, which is a state statute intended to enhance privacy rights and consumer protection for residents of California (United States).
Saved search addition for Azure VMs
The saved search
Azure VM has unapproved extensions installedhelps you to determine whether your deployment includes VMs with unapproved extensions. You can edit the
is not member ofattribute in the query to specify the list of extensions that are approved for use in your organization.
Policy Updates and New Policies
Permission Updates for AWS CFTs
The permission in the AWS read-only and read-write CloudFormation Templates (CFTs) for AWS public cloud and AWS GovCloud are updated to include
ec2:describeRegions. With this update, Prisma Cloud can get data on the AWS cloud accounts for all enabled regions.
Remediation CLI for Existing policies
The following policies are now designated as
Remediableon the Prisma Cloud administrative console:
Azure Storage account container storing activity logs is publicly accessible
Identifies storage account containers that allow public access to activity log content. This is a risk because it can aid an adversary in identifying weaknesses in the account configuration.
Azure disk is unattached and not encrypted
Identifies disks which are unattached and not encrypted. Even if a disk is not attached to any VM, there is a risk where a compromised user account with administrative access to VM service can mount and attach these data disks, which can result in disclosure or tampering of sensitive information.
Azure SQL server send alerts to field value is misconfigured
Identifies SQL servers that are not properly configured to send alerts to an email address. Having a valid email address for threat detection alerts enables you to receive alerts when any anomalous activities are detected on your SQL servers.
Azure Data disk is not encrypted
Identifies data disks which are not encrypted. Encrypt data disks (non-boot volume) to protect the volume from unwarranted reads without a key.
AWS support access policy is not associated with a role
Identifies IAM policies with support role access that are not attached to any role. An IAM role with support access policy enables you to ensure that users in your account can securely control access to AWS services and resources.
Recommended For You
Recommended videos not found.