Features Introduced in July 2020

Learn what’s new on Prisma™ Cloud in July 2020.

Features Introduced on July 28, 2020

New Features

Feature
Description
Integration with Azure Service Bus Queue
You can now send Prisma Cloud alerts to an Azure Service Bus queue and set up custom workflows with other downstream systems.
To authenticate and authorize access to Azure Service Bus resources, you can use the Azure Active Directory (Azure AD) credentials associated with an Azure subscription you have onboarded to Prisma Cloud, or use a Shared Access Signature (SAS) token that has limited access.
Thresholds and Settings for Anomaly Policies
For Anomaly policies that help you detect network incidents, such as unusual protocols or ports used to access a server on your network, you can now define two settings for each policy on Settings > Anomaly Settings > Alerts and Thresholds, and customize them to your needs:
  • Training Model Threshold, which informs Prisma Cloud of the values to use for parameters such as the number of days and packets when building the machine learning (ML) models. These thresholds are available only for policies that require model building, such as Unusual server port activity and Spambot activity.
  • Alert Disposition, which is your preference for the severity (low, medium, high) of alerts for which you want to enable notifications.
(Beta) Support for Flow Logs on AWS China and Azure China
For the onboarded cloud accounts, flow log details are available in the network graph visualization and the detailed activities table on the Prisma Cloud administrative console, and you can now view the byte and packet counts and session state information too.
API Ingestion
AWS
  • Amazon Kinesis—aws-kinesis-firehose-delivery-stream
    Additional permissions required if you do not use the Security Audit role: ListDeliveryStreams, DescribeDeliveryStream, ListTagsForDeliveryStream
  • Amazon Simple Notification Service (SNS)—aws-sns-platform-application
    Additional permission required if you do not use the Security Audit role: ListPlatformApplications
  • Amazon SageMaker—aws-sagemaker-endpoint
    Additional permissions required if you do not use the Security Audit role: sagemaker:DescribeEndpoint, sagemaker:ListEndpoints, sagemaker:ListTags
Azure
  • azure-api-management-service
GCP
  • Google Compute Engine—gcloud-compute-router
    Additional permission required: compute.routers.list

New Policy and Policy Updates

Policy Name
Description
GCP PostgreSQL instance database flag log_temp_files is not set to 0
Identifies PostgreSQL database instances in which the database flag log_temp_files is not set to 0, which means that not all temporary files are logged. Logging these files enables you to identify potential performance issues caused by, for example, poor application coding or a deliberate attempt at resource starvation.
AWS API gateway request authorization is not set
Identifies REST-based AWS API Gateways for which the request authorization method is not specified. Specifying an authorization method provides an additional layer of protection.
AWS policies that enable auto-remediation
The following policies are updated to support auto-remediation:
  • AWS CloudTrail logging is disabled
  • AWS RDS instance with Multi-Availability Zone disabled
  • AWS VPC subnets should not allow automatic public IP assignment
  • AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabled
Permissions required: "ec2:ModifySubnetAttribute", "elasticloadbalancing:ModifyLoadBalancerAttributes", "cloudtrail:StartLogging", "elasticache:ModifyReplicationGroup", "s3:PutBucketVersioning"

Public REST API Updates

Change
Description
Integration
The existing integration APIs support a new integration for Azure Service Bus Queue.
Licensing API role requirement
Users should verify that the role of Prisma Cloud System Administrator is assigned to callers who access the following endpoints, so those callers can continue to view licensing information:
  • /usage/cloud_type
  • /timeline/usage
  • /v2/usage
Update report request
The API caller can now update the request body parameter target.compressionEnabled for the request PUT /report/{id}.
Anomaly settings
There are new API endpoints to access and manage network anomaly settings.
Infrastructure-as-Code scans
The IaC scan API request to scan Terraform files now supports Terraform 0.12 plan files in JSON format.

Features Introduced on July 14, 2020

New Features

Feature
Description
Support for GCP Folders
When you add your GCP Organization to Prisma Cloud, you can now view all the projects and folders in the organization hierarchy and choose to add all projects, or selectively include or exclude the projects and folders you want to monitor, or monitor and protect, using Prisma Cloud.
Prisma Cloud as a PAYG Subscription on the AWS Marketplace
Prisma Cloud is available as an hourly PAYG subscription on the AWS Marketplace. With this new listing, you can use the Prisma Cloud Enterprise Edition license for the first 15 days as a free trial, and then you are billed based on hourly usage; there is no long-term contract required.
(Coming Soon) Support for Domain-based Message Authentication, Reporting & Conformance (DMARC)
Email notifications from Prisma Cloud will include the domain name to support Domain-based Message Authentication, Reporting & Conformance (DMARC), and the email address noreply@paloaltonetworks.com is being replaced with noreply@prismacloud.paloaltonetworks.com.
To ensure that you continue to receive emails, please replace noreply@paloaltonetworks.com with noreply@prismacloud.paloaltonetworks.com in your approved sender list.
New Filters for Policies
The Policies page has three new filters for Category, Class, and Subtype, and the table view includes these filters as new columns.
The Category filter enables you to separate incidents from risks and prioritize what to focus on based on your role. For example, you can use this filter to review policies that identify incidents before policies that identify risky configurations.
The Class filter logically groups policies. Use it to separate policies that affect your area of focus, and delegate as appropriate.
The Subtype filter separates the various types of policies that pertain to each policy Type. For example, Anomaly policies are split into two subtypes—Network and UEBA.
Updates for Inclusive Language on Prisma Cloud
Prisma Cloud has updated all references to whitelist on the API and management console. Settings > IP Whitelisting is renamed Settings > Trusted IP Addresses, where you can specify Trusted Alert IP Addresses (previously Login IP Whitelisting) and Trusted Login IP Addresses (previously called Trusted IP Whitelisting).
Exclusion of Trusted Sources in Anomaly Policies
To exclude trusted IP addresses that are internal or external, such as those you may use to conduct tests for PCI compliance or penetration testing on your network, you can now add these IP addresses in CIDR format to a Trusted IP Address List on Settings > Anomaly Settings > Anomaly Trusted List. You can apply the IP addresses included in each anomaly trusted list to one or more anomaly policies—such as port scan activity or Spambot activity—that detect issues related to unusual network activity. Any addresses included in this list do not generate alerts against Prisma Cloud Anomaly policies.
GCP Flow Logs Update
GCP flow logs are now available for Prisma Cloud tenants deployed on https://app.prismacloud.io. You do not need to submit a special request to enable flow logs on your tenant.
Amazon SQS Integration Supports a Separate IAM Role
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to use a separate IAM role to enable alert notifications to SQS.
If you use the CFT to onboard your AWS account and the SQS queue belongs to the same cloud account, the Prisma Cloud IAM Role policy already has the permissions required for Amazon SQS, and by default Prisma Cloud accesses the SQS queue with these credentials.
If this is not applicable to the SQS queue you are trying to integrate, you can provide the IAM credentials (Access Key and Secret Key) associated with a separate role when you add a new SQS integration (Settings > Integrations).
The IAM user whose security credentials (Access and Secret Keys) you provide must have the sqs:SendMessage and sqs:SendMessageBatch permissions.
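As an added example (not Prisma Cloud's own code or documentation), the following Python builds a least-privilege identity policy for that IAM user, scoped to a single alert queue, and checks an existing policy document for wildcards, extra actions, foreign resources, or missing actions. The account ID and queue name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values: replace with your own account ID and queue name.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:prisma-cloud-alerts"
# The two actions the release note says the integration user needs.
REQUIRED_ACTIONS = {"sqs:SendMessage", "sqs:SendMessageBatch"}


def minimal_sqs_policy(queue_arn: str) -> dict:
    """Least-privilege identity policy for the IAM user whose keys are given to Prisma Cloud."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrismaCloudSqsSendOnly",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": queue_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_sqs_policy(policy: dict, queue_arn: str) -> list:
    """Return findings; an empty list means the policy grants exactly the
    required actions on the alert queue and nothing more."""
    findings, covered = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action", [])):
            matches = {req for req in REQUIRED_ACTIONS if fnmatchcase(req, action)}
            if "*" in action or "?" in action:
                findings.append(f"wildcard action {action!r} grants more than the integration needs")
            elif not matches:
                findings.append(f"unneeded action {action!r}")
            covered |= matches
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != queue_arn:
                findings.append(f"resource {resource!r} is not the alert queue")
    for missing in sorted(REQUIRED_ACTIONS - covered):
        findings.append(f"missing action {missing!r}")
    return findings


if __name__ == "__main__":
    policy = minimal_sqs_policy(QUEUE_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", check_sqs_policy(policy, QUEUE_ARN))
```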
API Ingestion
AWS
  • noCloudTrailFound attribute no longer ingested for the aws-cloudtrail-describe-trails API.
    With this change, Prisma Cloud no longer ingests the noCloudTrailFound attribute for an AWS account that does not have CloudTrail enabled in a given region. If you have any custom policies that use this attribute, the alerts against those policies will be marked as resolved.
GCP
  • Google Compute Engine—gcloud-compute-project-info
  • Google Dataproc Clusters—gcloud-dataproc-clusters-list
  • For the gcloud-compute-api, Prisma Cloud now includes labels assigned to your GCP project. You can use the tag attribute to find resources tagged with labels in config where RQL queries.
Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
  • AWS IAM policy with unused permissions
  • AutoFocus saved searches, consolidated by tag groups to detect malicious activities initiated from an internal source on your network or from an external source.
AutoFocus Updates—Change in threat source name in RQL, and access to AutoFocus from the Prisma Cloud Console.
The AutoFocus threat intelligence feed was referred to as threat.source IN ('AF'), and that is now updated to threat.source IN ('AutoFocus'). For example, the RQL should now be:
network where dest.publicnetwork IN ('Suspicious IPs') AND threat.source IN ( 'AutoFocus' ) AND threat.tag.group = 'Cryptominer'
Additionally, if you have an AutoFocus license, you can now click the IP address link to launch the AutoFocus portal and search for a Suspicious IP address directly from the Investigate page.
Compliance Standards in Business Unit Reports
When generating the Business Unit report, you can now filter on one or more compliance standards to ensure that the report data is only for the alerts that are associated with policies which are tied to the selected compliance standards.
API Ingestion
API additions and updates:
  • Azure Policy—azure-policy-definition, which ingests Azure custom policy definitions at the subscription level.
  • Updated the JSON structure for the azure-storage-account-list API to display the total count of publicly accessible containers. In addition, the ingested data displays the names of the first 1000 containers in this list.
GCP Las Vegas Region Support
Prisma Cloud can now monitor resources deployed in the Las Vegas region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.
Prisma Cloud Service for AWS China
Start using the Prisma Cloud tenant in China (https://app.prismacloud.cn) to connect to your AWS China accounts deployed in the Ningxia and Beijing regions.
Prisma Cloud Service in Singapore
Prisma Cloud is now available in the Singapore region. You can select this region when you sign up for the service from the AWS Marketplace or the Palo Alto Networks Marketplace.

New Policy and Policy Updates

Policy Name
Description
Alibaba Cloud RAM user with both console access and access keys
Identifies Resource Access Management (RAM) users who can access both the Alibaba Cloud management console and the API. As a best practice, limit what the user can do and grant permissions for either console access or the API.
AWS policies that enable auto-remediation
The following policies are updated:
  • AWS Customer Master Key (CMK) rotation is not enabled
  • AWS EKS cluster endpoint access publicly enabled
  • AWS RDS event subscription disabled for DB instance
  • AWS EKS control plane logging disabled
  • AWS Redshift clusters should not be publicly accessible
  • AWS RDS database instance is publicly accessible
  • AWS RDS minor upgrades not enabled
  • AWS RDS instance without Automatic Backup setting
The additional permissions required to enable auto-remediation for these policies are: "kms:EnableKeyRotation", "rds:ModifyEventSubscription", "eks:UpdateClusterConfig", "rds:ModifyDBInstance", "redshift:ModifyCluster"
Internet exposed instances
Updated the Internet exposed instances policy to identify AWS Cloud workloads that are exposed to the Internet. With this change, this policy now applies to AWS only.

Public REST API Updates

Change
Description
Deprecated and replacement REST API endpoint paths
The REST endpoint paths in the following list are deprecated. A new endpoint replaces each deprecated endpoint. The deprecated endpoints will be removed in the near future:
  • Deprecated: /ip_whitelist_login
    New: /ip_allow_list_login
  • Deprecated: /ip_whitelist_login/{id}
    New: /ip_allow_list_login/{id}
  • Deprecated: /ip_whitelist_login/status
    New: /ip_allow_list_login/status
  • Deprecated: /ip_whitelist_login/tab
    New: /ip_allow_list_login/tab
  • Deprecated: /whitelist/network
    New: /allow_list/network
  • Deprecated: /whitelist/network/{networkUuid}
    New: /allow_list/network/{networkUuid}
  • Deprecated: /whitelist/network/{networkUuid}/cidr
    New: /allow_list/network/{networkUuid}/cidr
  • Deprecated: /whitelist/network/{networkUuid}/cidr/{cirdUuid}
    New: /allow_list/network/{networkUuid}/cidr/{cirdUuid}
The x-redlock-status header values have been updated in a similar manner (e.g. login_ip_whitelist_missing_field is now login_ip_allow_list_missing_field).
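As an added example that is not Prisma Cloud's own code, this Python helper maps a deprecated endpoint path to its replacement (keeping path parameters, sub-paths and query strings intact), applies the same whitelist-to-allow_list rename to x-redlock-status values, and scans constructed client-log lines for calls that still use the old paths. It assumes every status value follows the rename shown in the example above.

```python
import re
from typing import Optional

# Deprecated path prefixes and their replacements, from the July 14, 2020 notes.
# Everything after the prefix (/{id}, /status, /tab, /{networkUuid}/cidr/...) is kept.
DEPRECATED_PREFIXES = {
    "/ip_whitelist_login": "/ip_allow_list_login",
    "/whitelist/network": "/allow_list/network",
}

def migrate_path(path: str) -> Optional[str]:
    """Return the replacement for a deprecated endpoint path, or None if it is not deprecated."""
    for old, new in DEPRECATED_PREFIXES.items():
        rest = path[len(old):]
        # Only an exact match or a segment/query boundary counts, so a path such as
        # /whitelist/networks (hypothetical) would not be rewritten by accident.
        if path.startswith(old) and (rest == "" or rest[0] in "/?"):
            return new + rest
    return None

def migrate_status(value: str) -> str:
    """Rename an x-redlock-status value the way the paths were renamed.
    Assumption: all such values use the whitelist -> allow_list substitution shown on the page."""
    return value.replace("whitelist", "allow_list")

# Constructed, access-log style lines from a hypothetical API client; not real data.
SAMPLE_LOG = [
    'client "GET /ip_whitelist_login/status HTTP/1.1" 200',
    'client "POST /allow_list/network HTTP/1.1" 200',
    'client "DELETE /whitelist/network/9f1c/cidr/3ab2 HTTP/1.1" 204',
    'client "GET /policy HTTP/1.1" 200',
]
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]"')

def find_deprecated_calls(log_lines):
    """Return (method, old_path, new_path) for each logged call that still hits a deprecated endpoint."""
    findings = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if m is None:
            continue
        replacement = migrate_path(m["path"])
        if replacement is not None:
            findings.append((m["method"], m["path"], replacement))
    return findings

if __name__ == "__main__":
    for method, old, new in find_deprecated_calls(SAMPLE_LOG):
        print(f"{method} {old} -> {new}")
```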
Cloud accounts and GCP Folders
There are additions to the cloud account REST APIs, including new request parameters for onboarding cloud accounts, to support the new Support for GCP Folders feature.
Anomalies Trusted List
There are new REST API endpoints to support the anomalies trusted list.
Amazon SQS integration
The REST API for Amazon SQS integration has new optional request parameters.
Policies
There are three new read-only attributes in the Policy and Policy View models (the latter is in the response to a List Policies request) to describe the hierarchy of a policy. New policy filters exist for these attributes.
Reports
The Report Target model, which occurs in the request body parameters to add a Report and in some Reports API response objects, has a new optional field complianceStandardIds.
Alerts
Requests to list alerts by policy (GET or POST /alert/policy) no longer return alert rules in the response object. Alert rules are available through requests for individual alert info.
