Features Introduced in January 2020

Learn what’s new on Prisma™ Cloud in January 2020.

Features Introduced on January 31, 2020

New Features

Feature
Description
Coverage for the Personal Information Protection and Electronic Documents Act Standard
Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. The coverage for this compliance standard is available across AWS, Azure, and GCP.
Notification Template Updates and Event Management Support for ServiceNow
Prisma Cloud now adds support for the Event Management module, the default reporting table on ServiceNow.
Along with this enhancement, the ServiceNow integration includes the following usability improvements:
  • New notification template hub where you can select the ServiceNow template, instead of a generic template.
  • Ability to configure custom Alert Notification mappings depending on the alert status—Open, Dismissed, or Resolved.
  • Validation that the setup is working, with the push of a button: you can send a test notification as soon as you configure a notification template.
More Policies for NIST CSF Compliance
Prisma Cloud now has increased policy coverage for the NIST Cybersecurity Framework v1.1 on Azure and GCP, bringing the count to over 30 policies on each of these cloud platforms.
Set Function in RQL to Compare or Combine Lists and Find a Value
The _Set function enables you to compare or combine the values in two lists (the Left Hand Side and the Right Hand Side) using union or intersection, and then identify whether a specific value, or a comma-separated list of values, is included in the result set. The methods supported are _Set.intersection and _Set.union. You can use the boolean operator intersects to verify whether the values you are looking for are included in the result, or contains to check whether the result set includes the specified value(s).
For example, to detect Internet-exposed instances that have a public IP address and an enabled ingress firewall rule with source 0.0.0.0/0 whose target tags match the instance's tags:
config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
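The following is an added example, not Prisma Cloud code: it evaluates in plain Python the same clauses the RQL query above expresses, so you can see what the tag intersection and the other conditions actually test. The instance and firewall-rule records are constructed sample data shaped after a subset of the gcloud-compute-instances-list and gcloud-compute-firewall-rules-list JSON, with field names taken from the RQL paths; the project and network names are placeholders.

```python
"""Added example (not Prisma Cloud code). Re-implements the clauses of the
RQL query above over constructed GCP instance and firewall-rule records."""

NETWORK = "projects/demo-project/global/networks/prod-vpc"  # placeholder name

# Constructed sample data: three instances on one network.
INSTANCES = [
    {"name": "web-1",
     "networkInterfaces": [{"network": NETWORK,
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}],
     "tags": {"items": ["http-server", "web"]}},
    {"name": "db-1",                       # no public IP: never exposed
     "networkInterfaces": [{"network": NETWORK, "accessConfigs": []}],
     "tags": {"items": ["db"]}},
    {"name": "batch-1",                    # public IP, but no matching target tag
     "networkInterfaces": [{"network": NETWORK,
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}],
     "tags": {"items": ["batch"]}},
]

# Constructed sample firewall rules on the same network.
FIREWALL_RULES = [
    {"name": "allow-http", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"], "disabled": False},
    {"name": "allow-db-internal", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "targetTags": ["db"], "disabled": False},
    {"name": "allow-batch-old", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["batch"], "disabled": True},
    {"name": "allow-ssh-all", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": [], "disabled": False},
]


def public_ips(instance):
    """$.X.networkInterfaces[*].accessConfigs[*].natIP as a flat list."""
    return [ac["natIP"] for ni in instance["networkInterfaces"]
            for ac in ni.get("accessConfigs", []) if ac.get("natIP")]


def rule_exposes(rule, instance, untagged_applies_to_all=False):
    """True when every clause of the RQL filter holds for this X/Y pair:
    same network, INGRESS, 0.0.0.0/0 in sourceRanges, rule enabled, and the
    instance tags intersect the rule's targetTags (_Set.intersection).
    With untagged_applies_to_all=True, a rule with no targetTags also matches,
    which is how GCP actually applies such a rule; the RQL above does not."""
    networks = {ni["network"] for ni in instance["networkInterfaces"]}
    tags = set(instance.get("tags", {}).get("items", []))
    target = set(rule.get("targetTags", []))
    tag_match = bool(tags & target) or (untagged_applies_to_all and not target)
    return (rule["network"] in networks
            and rule.get("direction") == "INGRESS"
            and "0.0.0.0/0" in rule.get("sourceRanges", [])
            and not rule.get("disabled", False)
            and tag_match)


def internet_exposed(instances, rules, untagged_applies_to_all=False):
    """Map each instance that has a public IP and at least one exposing rule
    to the names of the rules that expose it (the 'show X' of the query)."""
    findings = {}
    for inst in instances:
        if not public_ips(inst):
            continue
        hits = [r["name"] for r in rules
                if rule_exposes(r, inst, untagged_applies_to_all)]
        if hits:
            findings[inst["name"]] = hits
    return findings


if __name__ == "__main__":
    print(internet_exposed(INSTANCES, FIREWALL_RULES))
    print(internet_exposed(INSTANCES, FIREWALL_RULES, untagged_applies_to_all=True))
```

Note the caveat the untagged_applies_to_all flag exists for: a GCP firewall rule with neither target tags nor target service accounts applies to every instance in the network, but the intersects clause in the query only matches rules that carry target tags, so an untagged allow-all ingress rule is not flagged by the query as written.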
RQL Function to find a specific address or subnet within a CIDR
In an RQL Config query, you can now use the _IPAddress.inCIDRRange function to find whether a specific IPv4 or IPv6 address or subnet is part of a specific CIDR block or supernetwork.
For example:
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,106.51.77.60/24) is true'
or
config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'
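As an added example that is not Prisma Cloud code, the following Python reproduces the containment test the two queries above express, using the standard library ipaddress module over constructed security-group records shaped like the aws-ec2-describe-security-groups JSON. The ipv4Ranges[].cidrIp path is taken from the queries; the ipv6Ranges[].cidrIpv6 path is an assumption made here to show IPv6 handling. Two details worth seeing in code: both 106.51.77.60/24 and 172.31.0.0/12 have host bits set, so they are normalised (to 106.51.77.0/24 and 172.16.0.0/12) before the check, and a candidate in the wrong address family is simply not in range rather than an error.

```python
"""Added example (not Prisma Cloud code). Mirrors _IPAddress.inCIDRRange over
constructed security-group records."""
import ipaddress

# Constructed sample data; ipv6Ranges/cidrIpv6 is an assumed field name.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "106.51.77.0/24"}], "ipv6Ranges": []}]},
    {"GroupId": "sg-0b", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "10.1.2.0/24"}], "ipv6Ranges": []},
        {"ipv4Ranges": [{"cidrIp": "172.31.5.0/24"}], "ipv6Ranges": []},
        {"ipv4Ranges": [{"cidrIp": "192.168.1.0/24"}], "ipv6Ranges": []}]},
    {"GroupId": "sg-0c", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
         "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0d", "ipPermissions": [
        {"ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "2001:db8:1::/64"}]}]},
]


def in_cidr_range(candidate, block):
    """True if candidate (a single address or a subnet, v4 or v6) lies entirely
    inside block.  strict=False accepts blocks written with host bits set
    (106.51.77.60/24 becomes 106.51.77.0/24, 172.31.0.0/12 becomes
    172.16.0.0/12).  A candidate in the other address family is never in range.
    A candidate wider than the block (e.g. 0.0.0.0/0) is not 'in' it either."""
    net = ipaddress.ip_network(block, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != net.version:
        return False
    return cand.subnet_of(net)


def rule_cidrs(group):
    """Flatten $.ipPermissions[*].ipv4Ranges[*].cidrIp plus the IPv6 ranges."""
    for perm in group.get("ipPermissions", []):
        for r in perm.get("ipv4Ranges", []):
            yield r["cidrIp"]
        for r in perm.get("ipv6Ranges", []):
            yield r["cidrIpv6"]


def any_rule_in(group, block):
    """inCIDRRange over a list: true if any of the group's CIDRs is inside block."""
    return any(in_cidr_range(c, block) for c in rule_cidrs(group))


def groups_with_rules_in(groups, *blocks):
    """Group IDs for which every block given contains at least one rule CIDR.
    Called with the three RFC 1918 blocks this is the 'and' chain of the
    second query above; called with one block it is the first query."""
    return [g["GroupId"] for g in groups
            if all(any_rule_in(g, b) for b in blocks)]


if __name__ == "__main__":
    print(groups_with_rules_in(SECURITY_GROUPS, "106.51.77.60/24"))
    print(groups_with_rules_in(SECURITY_GROUPS,
                               "10.0.0.0/8", "172.31.0.0/12", "192.168.0.0/16"))
```

Because each inCIDRRange clause in the second query is evaluated over the whole list of a group's CIDRs, the and chain matches groups that have at least one rule in each of the three private ranges, not a single rule covering all three; the example preserves that semantics.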
Auto remediation on GCP Storage Buckets with gsutil
To enable auto remediation on GCP Storage buckets, you can now use gsutil commands in the remediation CLI. Support for gsutil allows you to limit excessive permissions for specific sets of IAM users or to stop buckets from being open to the Internet.
The gsutil command is supported only for GCP Storage policies with API name gcloud-storage-buckets-list, and it can be combined with gcloud in the same remediation command. For example:
gcloud iam --project=${account} list-grantable-roles;gsutil versioning set off gs://${resourceName};
Alert Notification Emails with Attachments
You can now send alerts instantly, or schedule them as recurring batched jobs, to any email address, not only to Prisma Cloud administrators. The email recipients receive a complete list of all open alerts on the schedule you set.
In the email, you can opt to include the remediation information for the policies that triggered the alerts and to attach the alert details as a CSV file or as a compressed zip file. An email can have up to 10 attachments with a 9 MB total size limit. An uncompressed CSV attachment can have up to 900 rows, while a compressed zip attachment can have up to 95000 rows.
API Ingestion Update
Azure
The azure-sql-server-list API is modified to ingest JSON metadata on the server encryption protector type, such as ServiceManaged or AzureKeyVault.
AWS
Some of the new APIs require additional permissions. To ingest the resources that require these permissions, you must update the CFT.
  • Amazon EC2: aws-ec2-key-pair
  • AWS API Gateway: aws-apigateway-method
  • Amazon Elastic Container Service: aws-ecs-service
  • Amazon Elastic Container Registry (ECR): aws-ecr-image. To ingest this API, you must enable the additional permission ecr:DescribeImages.
  • Amazon Elastic Container Registry (ECR): aws-ecr-get-repository-policy
  • AWS Resource Access Manager (RAM):
    • aws-ram-principal
    • aws ram list-resources
    • aws-ram-resource
    • aws-ram-resource-share. To ingest the resource share API, you must enable the additional permission ram:GetResourceShares.
  • AWS Web Application Firewall (WAF): aws-waf-web-acl-resources. To ingest this API, you must enable the additional permissions wafv2:ListResourcesForWebACL and wafv2:ListWebACLs.
  • AWS Route 53: aws-route53-domain. To ingest this API, you must enable the additional permissions route53domains:ListDomains and route53domains:ListTagsForDomain.
  • AWS Glue: aws-glue-security-configuration. To ingest this API, you must enable the additional permission glue:GetSecurityConfigurations.
  • AWS Lambda: aws-lambda-list-functions is modified to ingest the resource policy associated with the Lambda function. To ingest the Lambda policy information, you must enable the additional permission lambda:GetPolicy.
Deprecated APIs
GCP
Prisma Cloud no longer ingests the following APIs:
  • gcloud-cloud-spanner-instance-list
  • gcloud_bigtable-instance-list
Saved Search Addition for Azure VMs
The saved search Azure VM endpoint protection extension is not installed helps you identify VMs that do not have endpoint protection enabled. You can edit the json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of attribute in the RQL to add the endpoint protection extensions that are approved by your organization.

Policy Updates and New Policies

Policy
Description
Azure Storage Account Policies updates to RQL
The RQL associated with the following policies, which detect whether Azure Storage Account analytics logging is disabled, has been revised to exclude Azure Premium Storage:
  • Azure storage account logging for tables is disabled
  • Azure storage account logging for queues is disabled
  • Azure storage account logging for blobs is disabled
New Azure Policies for Activity Logs
The following new policies identify whether activity log alerts exist for specific administrative operations, so that you can detect suspicious changes more easily.
  • Azure Activity log alert for Update security policy does not exist
  • Ensure Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Ensure Activity Log Alert exists for Delete Security Solution
  • Ensure Activity Log Alert exists for Create or Update Security Solution
  • Ensure Activity Log Alert exists for Delete Network Security Group Rule
  • Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
  • Ensure Activity Log Alert exists for Delete Network Security Group
  • Ensure Activity Log Alert exists for Create or Update Network Security Group
  • Activity Log Alert for Create Policy Assignment

Features Introduced on January 16, 2020

New Features

Feature
Description
New Look Asset Inventory
The Inventory provides a summary of the total number of resources discovered across your cloud deployments and the number of resources that are passing or failing policy checks. It also includes an asset trend chart, an asset classification bar graph, and a table with pass/fail details and alerts by severity.
To help you drill into the details, the inline links in the table take you to the Asset Explorer for Total resources and Pass resources. The resources that failed policy checks are grouped as Low, Medium, and High severity, and these links take you to the Alerts Overview, where you can review the details for each policy violation and the number of alerts that were generated against each policy.
Scheduled Compliance Reports
Enables you to set up one-time or recurring reports to assess the security status of your cloud resources against the compliance standards that matter most to you and to receive the reports in your email inbox.
The scheduled reports are also saved on Prisma™ Cloud so that you can download a report on demand. Additionally, the data in each report is available as a historical trend chart on the Prisma Cloud interface, which helps you view your overall compliance posture during a specific period of time.
GCP Flow Log Compression using the Google Cloud Dataflow Service
To address the lack of native log compression on Google Cloud Platform (GCP) and mitigate the network egress costs of sending uncompressed GCP logs to the Prisma Cloud infrastructure, you can now automate flow log compression using the Google Cloud Dataflow service. Whether you are monitoring a GCP project or an organization, Prisma Cloud can automate flow log compression and save the compressed logs to the same storage bucket as your VPC flow logs. The compressed logs are then sent to the Prisma Cloud infrastructure for monitoring the network activity of your cloud resources.
For flow log compression, you need to enable the Google Cloud Dataflow APIs and grant additional permissions that allow Prisma Cloud to make the Dataflow API calls and save the compressed logs to your Google Cloud Storage bucket.
API Ingestion Update
Azure
  • Azure Data Factory: azure-data-factory-v1 and azure-data-factory-v2
  • Azure Data Bricks: azure-databricks-workspace
GCP
  • gcloud-projects-iam-role
  • gcloud-organization-iam-role; to ingest data relating to this role, the roles/iam.organizationRoleViewer permission is required.
  • gcloud-bigquery-dataset-list is updated to include encryption configuration in the JSON metadata. This update enables you to detect unencrypted BigQuery tables.
AWS
  • AWS API Gateway: aws-apigateway-domain-name
  • AWS API Gateway: aws-apigateway-base-path-mapping
  • AWS CloudWatch: aws-cloudwatch-log-group
More Policies for GDPR Compliance
Prisma Cloud now includes GDPR support on Azure and includes more policies to extend coverage for GDPR compliance on GCP.
Support for CIS v1.1.0 on GCP and CIS v1.2.0 on AWS
The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in v1.1.0 on GCP and v1.2.0 on AWS.
California Consumer Privacy Act of 2018
Prisma Cloud now supports the California Consumer Privacy Act, which is a state statute intended to enhance privacy rights and consumer protection for residents of California (United States).
Saved search addition for Azure VMs
The saved search Azure VM has unapproved extensions installed helps you determine whether your deployment includes VMs with unapproved extensions. You can edit the is not member of attribute in the query to specify the list of extensions that are approved for use in your organization.

Policy Updates and New Policies

Policy
Description
Permission Updates for AWS CFTs
The permissions in the AWS read-only and read-write CloudFormation Templates (CFTs) for AWS public cloud and AWS GovCloud are updated to include ec2:DescribeRegions. With this update, Prisma Cloud can retrieve data from the AWS cloud accounts for all enabled regions.
Remediation CLI for Existing Policies
The following policies are now designated as Remediable on the Prisma Cloud administrative console:
  • GCP VPC Flow logs for the subnet is set to Off
  • Azure PostgreSQL database with SSL connection disabled
  • Azure PostgreSQL database with log_checkpoints parameter disabled
  • Azure PostgreSQL database with log_connections parameter is disabled
  • Azure PostgreSQL database with log_disconnections parameter disabled
  • Azure PostgreSQL database with log_duration parameter disabled
  • Azure PostgreSQL database with connection throttling parameter is disabled
  • Azure PostgreSQL database log retention days is less than 3 days
Azure Storage account container storing activity logs is publicly accessible
Identifies storage account containers that allow public access to activity log content. This is a risk because it can aid an adversary in identifying weaknesses in the account configuration.
Azure disk is unattached and not encrypted
Identifies disks which are unattached and not encrypted. Even if a disk is not attached to any VM, there is a risk where a compromised user account with administrative access to VM service can mount and attach these data disks, which can result in disclosure or tampering of sensitive information.
Azure SQL server send alerts to field value is misconfigured
Identifies SQL servers that are not properly configured to send alerts to an email address. Having a valid email address for threat detection alerts enables you to receive alerts when any anomalous activities are detected on your SQL servers.
Azure Data disk is not encrypted
Identifies data disks which are not encrypted. Encrypt data disks (non-boot volume) to protect the volume from unwarranted reads without a key.
AWS support access policy is not associated with a role
Identifies IAM policies that grant AWS Support access but are not attached to any role. Attaching the support access policy to a role lets you delegate access to AWS Support through that role, so that users in your account can securely control access to AWS services and resources.
