Features Introduced in January 2020
Learn what’s new on Prisma™ Cloud in January 2020.
Features Introduced on January 31, 2020
New Features
Feature | Description |
---|---|
Coverage for the Personal Information Protection and Electronic Documents Act Standard | Prisma Cloud adds support for the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal privacy law that protects the rights and privacy of consumers. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial business. The coverage for this compliance standard is available across AWS, Azure, and GCP. |
Notification Template Updates and Event Management Support for ServiceNow | Prisma Cloud now adds support for the Event Management module, the default reporting table on ServiceNow. Along with this enhancement, the ServiceNow integration includes the following usability improvements: |
More Policies for NIST CSF Compliance | Prisma Cloud now has increased policy coverage for the NIST Cyber Security Framework v1.1 on Azure and GCP, bringing the count to over 30 policies on each of these cloud platforms. |
Set Function in RQL to Compare or Combine Lists and Find a Value | The `_Set` function enables you to compare or combine the values in lists (on the left-hand side and right-hand side) using the properties of union or intersection, and identify whether a specific value or a comma-separated list of values is included within that result set. The methods supported are `_Set.intersection` and `_Set.union`, and you can use the boolean operator `intersects` to verify whether the values you want to look for are included in the result, or whether the result set contains the specified value(s). For example, to detect Internet-exposed instances that have a public IP address and a firewall rule with source range 0.0.0.0/0 whose destination has a specific target tag: `config where api.name = 'gcloud-compute-instances-list' as X; config where api.name = 'gcloud-compute-firewall-rules-list' as Y; filter '$.X.networkInterfaces[*].network contains $.Y.network and $.X.networkInterfaces[*].accessConfigs[*].natIP size greater than 0 and $.Y.direction contains INGRESS and $.Y.sourceRanges[*] contains 0.0.0.0/0 and $.X.tags.items[*] intersects $.Y.targetTags[*] and $.Y.disabled contains false'; show X;` |
RQL Function to Find a Specific Address or Subnet Within a CIDR | In an RQL Config query, you can now use `_IPAddress.inCIDRRange` to find whether a specific IPv4 or IPv6 address or subnet is a part of a specific CIDR block or supernetwork. For example: `config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[].ipv4Ranges[].cidrIp,106.51.77.60/24) is true'` or `config where api.name = 'aws-ec2-describe-security-groups' AND json.rule = '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,10.0.0.0/8) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,172.31.0.0/12) is true and _IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp,192.168.0.0/16) is true'` |
Auto Remediation on GCP Storage Buckets with gsutil | If you would like to enable auto remediation on all GCP Storage buckets, you can use gsutil from the command line. Support for gsutil allows you to limit excessive permissions for specific sets of IAM users or to restrict buckets from being open to the internet. The gsutil command is supported only for GCP Storage policies with API name `gcloud-storage-buckets-list`, along with gcloud. For example: |
Alert Notification Emails with Attachments | You can now send alerts instantly or schedule them as recurring batched jobs to any email address, and not only to Prisma Cloud administrators. The email recipients receive a complete list of all open alerts, as scheduled. In the email, you can opt to include the remediation information for the policies that triggered the alerts, and attach the alert details as a CSV file or as a compressed zip file. An email can have up to 10 attachments with a 9 MB total size limit. The uncompressed CSV file can have 900 rows per attachment, while the compressed zip file limit is 95000 rows per attachment. |
API Ingestion Update | Azure: The `azure-sql-server-list` API is modified to ingest JSON metadata on the server encryption protector type, such as ServiceManaged or AzureKeyVault. AWS: Some of the new APIs require additional permissions. To ingest the resources that require these permissions, you must update the CFT. |
Deprecated APIs | GCP: Prisma Cloud no longer ingests the following APIs: |
Saved Search Addition for Azure VMs | The saved search Azure VM endpoint protection extension is not installed uses the rule `json.rule = Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of`. Edit the `is not member of` attribute in the RQL to add the endpoint protection extensions that are approved by your organization. |
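As an added worked example, not Prisma Cloud code or RQL, the Python below re-implements the semantics of the two RQL helpers described above: the `_Set` / `intersects` comparison from the GCP firewall query, and `_IPAddress.inCIDRRange` from the security-group queries. It runs them over constructed instance, firewall-rule and security-group records whose field names mirror the JSON paths in the queries; the records, names and addresses are made up for this example, and the evaluation rule for list-valued arguments (any element matching) is an assumption about how Prisma Cloud evaluates them.

```python
"""Re-implementation (added example, not Prisma Cloud code) of the semantics
behind two RQL helpers: _Set / intersects and _IPAddress.inCIDRRange.
All records below are constructed sample data; field names follow the JSON
paths used in the page's queries."""
import ipaddress


# --- _Set.intersection / _Set.union / intersects ---------------------------
def set_intersection(lhs, rhs):
    """Values present on both sides (RQL _Set.intersection)."""
    return set(lhs) & set(rhs)


def set_union(lhs, rhs):
    """Values present on either side (RQL _Set.union)."""
    return set(lhs) | set(rhs)


def intersects(values, candidates):
    """RQL 'intersects': true when at least one candidate is in values."""
    return bool(set_intersection(values, candidates))


# Constructed records shaped like gcloud-compute-instances-list (X) and
# gcloud-compute-firewall-rules-list (Y) as addressed in the query.
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"network": "vpc-a",
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]},
     "networkInterfaces": [{"network": "vpc-a", "accessConfigs": []}]},
    {"name": "bastion", "tags": {"items": ["ssh"]},
     "networkInterfaces": [{"network": "vpc-b",
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
]
FIREWALL_RULES = [
    {"name": "allow-http", "network": "vpc-a", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"], "disabled": False},
    {"name": "allow-ssh-corp", "network": "vpc-b", "direction": "INGRESS",
     "sourceRanges": ["198.51.100.0/24"], "targetTags": ["ssh"], "disabled": False},
]


def internet_exposed_instances(instances, rules):
    """Mirror the page's query: an instance with a public NAT IP that is the
    target (tags intersect targetTags) of an enabled INGRESS rule from
    0.0.0.0/0 in the same network. Returns (instance, rule) pairs."""
    exposed = []
    for inst in instances:
        nics = inst["networkInterfaces"]
        networks = {nic["network"] for nic in nics}
        has_public_ip = any(ac.get("natIP") for nic in nics
                            for ac in nic["accessConfigs"])
        if not has_public_ip:
            continue
        for rule in rules:
            if (rule["network"] in networks
                    and rule["direction"] == "INGRESS"
                    and "0.0.0.0/0" in rule["sourceRanges"]
                    and not rule["disabled"]
                    and intersects(inst["tags"]["items"], rule["targetTags"])):
                exposed.append((inst["name"], rule["name"]))
                break
    return exposed


# --- _IPAddress.inCIDRRange --------------------------------------------------
def in_cidr_range(address_or_subnet, cidr):
    """True when an IPv4/IPv6 address or subnet lies entirely inside cidr.
    Mixed address families never match instead of raising."""
    net = ipaddress.ip_network(cidr, strict=False)
    target = ipaddress.ip_network(address_or_subnet, strict=False)
    return target.version == net.version and target.subnet_of(net)


# Constructed aws-ec2-describe-security-groups style records.
SECURITY_GROUPS = [
    {"groupName": "internal-only", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "10.1.2.0/24"}, {"cidrIp": "172.31.5.0/24"}]}]},
    {"groupName": "vendor-access", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "106.51.77.0/24"}]}]},
    {"groupName": "open", "ipPermissions": [
        {"ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
]


def groups_with_rule_in(cidr, groups):
    """Group names with at least one ipv4Range inside cidr: the reading of
    '_IPAddress.inCIDRRange($.ipPermissions[*].ipv4Ranges[*].cidrIp, cidr)
    is true' assumed here (any element matching)."""
    return [g["groupName"] for g in groups
            if any(in_cidr_range(r["cidrIp"], cidr)
                   for perm in g["ipPermissions"] for r in perm["ipv4Ranges"])]


if __name__ == "__main__":
    print(internet_exposed_instances(INSTANCES, FIREWALL_RULES))
    print(groups_with_rule_in("106.51.77.60/24", SECURITY_GROUPS))
    print(groups_with_rule_in("10.0.0.0/8", SECURITY_GROUPS))
```

Note that `0.0.0.0/0` is not "inside" any RFC 1918 range, so a fully open rule is not reported by the `10.0.0.0/8` check; that is the intended behaviour of a containment test, and an open-to-the-world check is a separate query.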
Policy Updates and New Policies
Policy | Description |
---|---|
Azure Storage Account Policies Updates to RQL | The RQL associated with the following policies that detect Azure Storage Account analytics has been revised to exclude Azure Premium Storage: |
New Azure Policies for Activity Logs | The following new policies are added to identify changes in activity alert logs, which you can use to detect suspicious activity more easily. |
Features Introduced on January 16, 2020
New Features
Feature | Description |
---|---|
New Look Asset Inventory | The Inventory provides a summary of the total number of resources discovered across your cloud deployments and the number of resources that are passing or failing policy checks. To add visual appeal, you also have an asset trend chart, an asset classification bar graph, and a table with details (pass or fail) and alerts by severity. To help you drill into the details, the inline links in the table take you to the Asset Explorer for Total resources and Pass resources. The resources that failed policy checks are grouped as Low, Medium, and High severity, and these links take you to the Alerts Overview where you can review the details for each policy violation and the number of alerts that were generated against each policy. |
Scheduled Compliance Reports | Enables you to set up one-time or recurring reports to assess the security status of your cloud resources against the compliance standards that matter most to you and to receive the reports in your email inbox. The scheduled reports are also saved on Prisma™ Cloud so that you can download a report on demand. Additionally, the data in each report is available as a historical trend chart on the Prisma Cloud interface, which helps you view your overall compliance posture during a specific period of time. |
GCP Flow Log Compression Using the Google Cloud Dataflow Service | To address the lack of native log compression on Google Cloud Platform (GCP) and mitigate the network egress costs associated with sending uncompressed GCP logs to the Prisma Cloud infrastructure, you can now automate flow log compression using the Google Cloud Dataflow service. Whether you are monitoring your GCP project or organization, Prisma Cloud can automate flow log compression and save the compressed logs to the same storage bucket as your VPC flow logs. These compressed logs are then sent to the Prisma Cloud infrastructure for monitoring the network activity of your cloud resources. For flow log compression, you need to enable the Google Cloud Dataflow APIs and provide additional permissions that enable Prisma Cloud to make API calls and save the compressed logs to your Google Cloud Storage bucket. |
API Ingestion Update | Azure, GCP, AWS |
More Policies for GDPR Compliance | Prisma Cloud now includes GDPR support on Azure and includes more policies to extend coverage for GDPR compliance on GCP. |
Support for CIS v1.0.0 on GCP and CIS v1.2.0 on AWS | The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in v1.0.0 on GCP and v1.2.0 on AWS. |
California Consumer Privacy Act of 2018 | Prisma Cloud now supports the California Consumer Privacy Act, which is a state statute intended to enhance privacy rights and consumer protection for residents of California (United States). |
Saved Search Addition for Azure VMs | The saved search Azure VM has unapproved extensions installed helps you to determine whether your deployment includes VMs with unapproved extensions. You can edit the `is not member of` attribute in the query to specify the list of extensions that are approved for use in your organization. |
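The two Azure VM saved searches on this page (the endpoint protection search in the January 31 notes and the unapproved-extensions search above) share one rule shape: `Extensions.*.virtualMachineExtensionType is empty OR Extensions.*.virtualMachineExtensionType is not member of (<list>)`. As an added example, not Prisma Cloud's code, the Python below evaluates that rule over constructed VM records under both readings the two searches imply, so you can see which VMs each list choice would flag before editing the `is not member of` attribute. The extension type names and both lists are assumptions made for illustration.

```python
"""Added example (not Prisma Cloud code): evaluate the rule pattern
'Extensions.*.virtualMachineExtensionType is empty OR ... is not member of'
over constructed Azure VM records, under both readings the two saved
searches imply. Extension type names and lists are assumptions."""

# What the 'is not member of (...)' list would hold in each saved search
# (constructed for this example).
ENDPOINT_PROTECTION = {"IaaSAntimalware", "TrendMicroDSA"}
APPROVED = {"MicrosoftMonitoringAgent", "IaaSAntimalware", "AzureDiskEncryption"}

# Constructed VM records; only the field the rule reads is modelled.
VMS = [
    {"name": "vm-clean", "Extensions": [
        {"virtualMachineExtensionType": "MicrosoftMonitoringAgent"},
        {"virtualMachineExtensionType": "IaaSAntimalware"}]},
    {"name": "vm-bare", "Extensions": []},
    {"name": "vm-custom", "Extensions": [
        {"virtualMachineExtensionType": "CustomScript"}]},
    {"name": "vm-monitor", "Extensions": [
        {"virtualMachineExtensionType": "MicrosoftMonitoringAgent"}]},
]


def extension_types(vm):
    """Flatten Extensions.*.virtualMachineExtensionType into a list."""
    return [e["virtualMachineExtensionType"] for e in vm.get("Extensions", [])]


def lacks_any_of(vm, required):
    """Reading used by 'endpoint protection extension is not installed':
    matches when no installed extension belongs to the required set
    (the 'is empty' branch is covered by the empty-list case)."""
    types = extension_types(vm)
    return not types or not any(t in required for t in types)


def has_unapproved(vm, approved):
    """Reading used by 'has unapproved extensions installed': matches when
    some installed extension is outside the approved set, or none is
    installed, since the rule keeps the 'is empty' branch."""
    types = extension_types(vm)
    return not types or any(t not in approved for t in types)


def find_violations(vms, predicate, members):
    """Sorted names of the VMs the saved search would flag under predicate."""
    return sorted(vm["name"] for vm in vms if predicate(vm, members))


if __name__ == "__main__":
    print("missing endpoint protection:",
          find_violations(VMS, lacks_any_of, ENDPOINT_PROTECTION))
    print("unapproved extensions:",
          find_violations(VMS, has_unapproved, APPROVED))
```

The difference between the two readings matters when tuning the list: a VM running only a monitoring agent is flagged by the endpoint protection search but not by the unapproved-extensions search, so the same `is not member of` list should not be copied between the two without checking which question you are asking.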
Policy Updates and New Policies
Policy | Description |
---|---|
Permission Updates for AWS CFTs | The permissions in the AWS read-only and read-write CloudFormation Templates (CFTs) for AWS public cloud and AWS GovCloud are updated to include `ec2:describeRegions`. With this update, Prisma Cloud can get data on the AWS cloud accounts for all enabled regions. |
Remediation CLI for Existing Policies | The following policies are now designated as Remediable on the Prisma Cloud administrative console: |
Azure Storage account container storing activity logs is publicly accessible | Identifies storage account containers that allow public access to activity log content. This is a risk because it can aid an adversary in identifying weaknesses in the account configuration. |
Azure disk is unattached and not encrypted | Identifies disks which are unattached and not encrypted. Even if a disk is not attached to any VM, there is a risk that a compromised user account with administrative access to the VM service can mount and attach these data disks, which can result in disclosure or tampering of sensitive information. |
Azure SQL server send alerts to field value is misconfigured | Identifies SQL servers that are not properly configured to send alerts to an email address. Having a valid email address for threat detection alerts enables you to receive alerts when any anomalous activities are detected on your SQL servers. |
Azure Data disk is not encrypted | Identifies data disks which are not encrypted. Encrypt data disks (non-boot volumes) to protect the volume from unwarranted reads without a key. |
AWS support access policy is not associated with a role | Identifies IAM policies with support role access that are not attached to any role. An IAM role with the support access policy enables you to ensure that users in your account can securely control access to AWS services and resources. |