1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2020
    7. Features Introduced in January 2020

    Features Introduced in January 2020

    Learn what’s new on Prisma™ Cloud in January 2020.

    Features Introduced on January 31, 2020

    New Features

    Feature
    Description
    Coverage for the Personal Information Protection and Electronics Document Act Standard
    Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. The coverage for this compliance standard is available across AWS, Azure, and GCP.
    Notification Template Updates and Event Management Support for ServiceNow
    Prisma Cloud now adds support for the Event Management module, the default reporting table on ServiceNow.
    servicenow-event-incidents-alerts.png
    Along with this enhancement, the ServiceNow integration includes the following usability improvements:
    • New notification template hub where you can select the ServiceNow template, instead of a generic template.
    • Ability to configure custom Alert Notification mappings depending on the alert status—Open, Dismissed, or Resolved.
    • Validation that the set up is working with the push of a button, so you can send a test notification as soon as you configure a notification template.
    More Policies for NIST CSF Compliance
    Prisma Cloud now has increased policy coverage for the NIST Cyber Security Framework v1.1 on Azure and GCP to bring the count to over 30 policies on each of these cloud platforms.
    nist-csf-policies.png
    Set Function in RQL to Compare or Combine Lists and Find a Value
    The
    _Set
    function enables you to compare or combine the values in lists (on the Left Hand Side and Right Hand Side) using the properties of union or intersection, and identify whether a specific value or comma separated list of values are included within that result set.
    The methods supported are
    _Set.intersection
     and
    _Set.union
    , and you can use the boolean operator
    intersects
     to verify whether the values you want to look for are included in the result, or if the result set
    contains
     the specified value(s).
    For example, to detect Internet exposed instances with a public IP address and firewall rule with 0.0.0.0/0 and destination has a specific target tag:
    config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;
    RQL Function to find a specific address or subnet within a CIDR
    In an RQL Config query, you can now use the
    _IPAddress.inCIDRRange
     to find whether a specific IPv4 or IPv6 address or subnet is a part of a specific CIDR block or supernetwork.
    For example:
    config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,106.51.77.60/24) is true'
    or
    config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true’
    Auto remediation on GCP Storage Buckets with gsutil
    If you would like to enable auto remediation on all GCP Storage buckets, you can use gsutil from the command line. Support for gsutil allows you to limit excessive permissions for specific sets of IAM users or to restrict buckets from being open to the internet.
    The gsutil command is supported only for GCP Storage policies with API name gcloud-storage-buckets-list along with gcloud. For example: 
    gcloud iam --project=${account} list-grantable-roles;gsutil versioning set off gs://${resourceName};
    Alert Notification Emails with Attachments
    You can now send alerts instantly or schedule them as recurring batched jobs to any email address, and not only to Prisma Cloud administrators. The email recipients receive a complete list of all open alerts, as scheduled.
    In the email, you can opt to include the remediation information for the policies that triggered the alerts, attach the alert details as a CSV file, or as a compressed zip file. An email can have up to 10 attachments with 9 MB total size limit. The uncompressed CSV file can have 900 rows per attachment, while the compressed zip file limit is 95000 rows per attachment.
    alerts-with-csv.png
    API Ingestion Update
    Azure
    azure-sql-server-list API is modified to ingest JSON metadata on the server encryption protector type such as
    ServiceManaged
     or
    AzureKeyVault
    .
    AWS
    Some of the new APIs require additional permissions. To ingest the resources that require these permissions, you must update the CFT.
    • Amazon EC2: aws-ec2-key-pair
    • AWS API Gateway: aws-apigateway-method
    • Amazon Elastic Container Service: aws-ecs-service
    • Amazon Elastic Container Registry (ECR):aws-ecr-image
      To ingest the this API, you must enable additional permissions for 
      ecr:DescribeImages
    • Amazon Elastic Container Registry (ECR): aws-ecr-get-repository-policy
    • AWS Resource Access Manager (RAM):
      • aws-ram-principal
      • aws ram list-resources
      • aws-ram-resource
      • aws-ram-resource-share
        To ingest the resource share API, you must enable additional permissions for 
        ram:GetResourceShares
    • AWS Web Application Firewall (WAF): aws-waf-web-acl-resources
      To ingest this API, you must enable additional permissions for
      wafv2:ListResourcesForWebACL
      wafv2:ListWebACLs
    • AWS Route 53: aws-route53-domain
      To ingest this API, you must enable additional permissions for 
      route53domains:ListDomains
      route53domains:ListTagsForDomain
    • AWS Glue: aws-glue-security-configuration
      To ingest this API, you must enable additional permissions for 
      glue:GetSecurityConfigurations
    • AWS Lambda: aws-lambda-list-functions, is modified to ingest the resource policy associated with the Lambda function.
      To ingest the information on Lambda policy, you must enable additional permissions for 
      lambda:GetPolicy
    Deprecated APIs
    GCP
    Prisma Cloud no longer ingests the following APIs:
    • gcloud-cloud-spanner-instance-list
    • gcloud_bigtable-instance-list
    Saved Search Addition for Azure VMs
    Azure VM endpoint protection extension is not installed
    helps you identify VMs that do not have endpoint protection enabled. You can edit the
    json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of
     attribute in the RQL to add the endpoint protection extensions which are approved by your organization.

    Policy Updates and New Policies

    Policy
    Description
    Azure Storage Account Policies updates to RQL
    The RQL associated with the following policies that detect Azure Storage Account analytics have been revised to exclude Azure Premium Storage:
    • Azure storage account logging for tables is disabled
    • Azure storage account logging for queues is disabled
    • Azure storage account logging for blobs is disabled
    New Azure Policies for Activity Logs
    The following new policies are added to identify changes in activity alert logs, which you can use to detect suspicious activity more easily.
    • Azure Activity log alert for Update security policy does not exist
    • Ensure Activity Log Alert exists for Delete SQL Server Firewall Rule
    • Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule
    • Ensure Activity Log Alert exists for Delete Security Solution
    • Ensure Activity Log Alert exists for Create or Update Security Solution
    • nsure Activity Log Alert exists for Delete Network Security Group Rule
    • Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
    • Ensure Activity Log Alert exists for Delete Network Security Group
    • Ensure Activity Log Alert exists for Create or Update Network Security Group
    • Activity Log Alert for Create Policy Assignment

    Features Introduced on January 16, 2020

    New Features

    Feature
    Description
    New Look
     Asset Inventory
    The Inventory provides a summary of the total number of resources discovered across your cloud deployments and the number of resources that are passing or failing policy checks.
    To add visual appeal, you also have an asset trend chart, an asset classification bar graph, and a table with details (pass or fail) and alerts by severity.
    asset-inventory-new.png
    To help you drill into the details, the inline links in the table take you to the
    Asset Explorer
     for
    Total
     resources and
    Pass
     resources. The resources that failed policy checks are grouped as
    Low
    ,
    Medium
     and
    High
     severity and these links take you to the
    Alerts Overview
     where you can review the details for each policy violation and the number of alerts that were generated against each policy.
    Scheduled Compliance Reports
    Enables you to set up one-time or recurring reports to assess the security status of your cloud resources against the compliance standards that matter most to you and to receive the reports in your email inbox.
    The scheduled reports are also saved on Prisma™ Cloud so that you can download a report on demand. Additionally, the data in each report is available as a historical trend chart on the Prisma Cloud interface, which helps you view your overall compliance posture during a specific period of time.
    create-scheduled-report.gif
    GCP Flow Log Compression using the Google Cloud Dataflow Service
    To address the lack of native log compression on Google Cloud Platform (GCP) and mitigate the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure, you can now automate flow log compression using the Google Cloud Dataflow service. Whether you are monitoring your GCP project or organization, Prisma Cloud can automate flow log compression and save the compressed logs to the same storage bucket as your VPC flow logs. These compressed logs are then sent to the Prisma Cloud infrastructure for monitoring the network activity of your cloud resources.
    For flowlog compression, you need to enable the Google Cloud Dataflow APIs and provide additional permissions that enable Prisma Cloud to make API calls and save the compressed logs to your Google Cloud Storage bucket.
    prisma-cloud-add-gcp-organization.png
    API Ingestion Update
    Azure
    • Azure Data Factory: azure-data-factory-v1 and azure-data-factory-v2
    • Azure Data Bricks: azure-databricks-workspace
    GCP
    • gcloud-projects-iam-role
    • gcloud-organization-iam-role; to ingest data relating to this role, the following permission is required:
      roles/iam.organizationRoleViewer
    • gcloud-bigquery-dataset-list is updated to include encryption configuration in the JSON metadata. This update enables you to detect unencrypted BigQuery tables.
    AWS
    • AWS API Gateway: aws-apigateway-domain-name
    • AWS API Gateway: aws-apigateway-base-path-mapping
    • AWS CloudWatch: aws-cloudwatch-log-group
    More Policies for GDPR Compliance
    Prisma Cloud now includes GDPR support on Azure and includes more policies to extend coverage for GDPR compliance on GCP.
    gdpr-on-all-3-clouds.png
    Support for CIS v1.1.0 on GCP and CIS v1.2.0 on AWS
    The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in v1.1.0 on GCP and v1.2.0 on AWS.
    cis-gcp-aws.png
    California Consumer Privacy Act of 2018
    Prisma Cloud now supports the California Consumer Privacy Act, which is a state statute intended to enhance privacy rights and consumer protection for residents of California (United States).
    ccpa.png
    Saved search addition for Azure VMs
    The saved search
    Azure VM has unapproved extensions installed
     helps you to determine whether your deployment includes VMs with unapproved extensions. You can edit the
    is not member of
     attribute in the query to specify the list of extensions that are approved for use in your organization.

    Policy Updates and New Policies

    Policy
    Description
    Permission Updates for AWS CFTs
    The permission in the AWS read-only and read-write CloudFormation Templates (CFTs) for AWS public cloud and AWS GovCloud are updated to include
    ec2:describeRegions
    . With this update, Prisma Cloud can get data on the AWS cloud accounts for all enabled regions.
    Remediation CLI for Existing policies
    The following policies are now designated as
    Remediable
     on the Prisma Cloud administrative console:
    • GCP VPC Flow logs for the subnet is set to Off
    • Azure PostgreSQL database with SSL connection disabled
    • Azure PostgreSQL database with log_checkpoints parameter disabled
    • Azure PostgreSQL database with log_connections parameter is disabled
    • Azure PostgreSQL database with log_disconnections parameter disabled
    • Azure PostgreSQL database with log_duration parameter disabled
    • Azure PostgreSQL database with connection throttling parameter is disabled
    • Azure PostgreSQL database log retention days is less than 3 days
    Azure Storage account container storing activity logs is publicly accessible
    Identifies storage account containers that allow public access to activity log content. This is a risk because it can aid an adversary in identifying weaknesses in the account configuration.
    Azure disk is unattached and not encrypted
    Identifies disks which are unattached and not encrypted. Even if a disk is not attached to any VM, there is a risk where a compromised user account with administrative access to VM service can mount and attach these data disks, which can result in disclosure or tampering of sensitive information.
    Azure SQL server send alerts to field value is misconfigured
    Identifies SQL servers that are not properly configured to send alerts to an email address. Having a valid email address for threat detection alerts enables you to receive alerts when any anomalous activities are detected on your SQL servers.
    Azure Data disk is not encrypted
    Identifies data disks which are not encrypted. Encrypt data disks (non-boot volume) to protect the volume from unwarranted reads without a key.
    AWS support access policy is not associated with a role
    Identifies IAM policies with support role access that are not attached to any role. An IAM role with support access policy enables you to ensure that users in your account can securely control access to AWS services and resources.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo