Features Introduced in June 2020

Learn what’s new on Prisma™ Cloud in June 2020.

Features Introduced on June 16, 2020

New Features

Feature
Description
Threat Source and Unit 42 tags in Network RQL
In Network RQL, you can now filter search results by threat source, such as AutoFocus or Facebook ThreatExchange.
For AutoFocus, you can further narrow the query to specific tag groups with threat.tag.group; tag groups correspond to the malware-family genres categorized by the Unit 42 threat research team.
For example:
network where dest.publicnetwork IN ('Suspicious IPs') and threat.source IN ( 'AF' ) AND threat.tag.group = 'Cryptominer'
Prisma Cloud Business Edition on Azure China
Use the Prisma Cloud tenant hosted in China to onboard your Azure China subscriptions and monitor the resources deployed there.
Plugin Updates for scanning IaC templates
The GitHub plugin adds support for Terraform version 0.12 and enables you to include your Prisma Cloud credentials as part of the installation process.
The Visual Studio Code plugin adds support for Terraform version 0.12 and enables you to scan multiple files within a directory.
API Ingestion
  • GCP IAM Recommender, part of the Google Cloud Recommender service: gcloud-iam-policy-recommendation-list. Additional permission required: recommender.iamPolicyRecommendations.list.
  • Google API Key: gcloud-api-key. Additional permission required: serviceusage.apiKeys.list.
    Google Cloud has released this API as an alpha, so you must be explicitly granted access to it by Google Cloud. Because Google Cloud does not provide an SLA for the alpha version, ingestion through this API is also not bound by the terms of the Prisma Cloud SLA.
Saved Search Additions
Use the following Saved Searches to create a policy and generate an alert when you want to check for:
  • AWS IAM user with unused Key Management Service or Systems Manager permissions
  • AWS IAM role that has no permissions boundary, or whose permissions boundary grants excessive permissions

New Policy and Policy Updates

Policy Name
Description
AWS IAM roles with administrator access permissions
Identifies AWS IAM roles with administrator access privileges. Granting least privilege access is recommended as a security best practice.
AWS IAM groups with administrator access permissions
Identifies AWS IAM groups with administrator access privileges.
GCP SQL Server instance database flag 'cross db ownership chaining' is enabled
Identifies GCP Cloud SQL for SQL Server instances on which the 'cross db ownership chaining' flag is on, so that you can assess the security implications of this setting. With the flag on, an ownership chain that spans databases lets a principal with access to an object in one database reach objects in another database on the same instance without being granted permissions on that second database directly.
GCP SQL Server instance database flag 'contained database authentication' is enabled
Identifies GCP Cloud SQL for SQL Server instances on which the 'contained database authentication' flag is on. This poses a security risk because a user with ALTER ANY USER permission in a contained database can grant access to the instance, so control over access to the server is no longer limited to members of the sysadmin and securityadmin server roles.
Prisma Cloud Default Policies—No longer available
Due to the delay in generating the associated alerts, the following Prisma Cloud default policies are no longer available:
  • AWS Multiple Lambda Functions using same IAM role.
  • AWS Log metric filter and alarm does not exist for Security group changes.
These policies parse a large volume of data; removing them optimizes performance and addresses the resulting time-to-alert delays.

Features Introduced on June 2, 2020

New Features

Feature
Description
Custom Header Support for Webhook Integration
To let a Webhook integration carry additional data, such as the API key or access token that your receiving application expects, Prisma Cloud now supports custom headers defined as key-value pairs.
If you had previously set up a Webhook integration, the Auth Token you configured is now sent as a custom header on the request.
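A custom header is only useful if the receiving side actually checks it. The following receiver is an added example written for this page (it is not Prisma Cloud code or part of any Prisma Cloud SDK); the header name X-Webhook-Token and the secret value are assumptions standing in for whatever key-value pair you configure in the integration. The comparison uses hmac.compare_digest so that a wrong token cannot be distinguished from a right one by timing.

```python
"""Added example: validate the custom header Prisma Cloud sends with each webhook.

Not Prisma Cloud code. The header name and secret below are assumptions; use
the key and value you configured in the Webhook integration.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HEADER = "X-Webhook-Token"                     # assumed header key
SHARED_SECRET = "replace-with-a-long-random-value"      # constructed placeholder
RECEIVED = []  # alerts accepted so far (stand-in for a real queue or pipeline)


def is_authorized(headers, expected_header=EXPECTED_HEADER, secret=SHARED_SECRET):
    """Constant-time check of the configured header against the shared secret.

    `headers` is any mapping with a .get() method (http.server's headers object
    is one, and looks names up case-insensitively). A missing header fails closed.
    """
    presented = headers.get(expected_header)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


class AlertHandler(BaseHTTPRequestHandler):
    """Accept a JSON alert only when the custom header carries the expected token."""

    def do_POST(self):
        if not is_authorized(self.headers):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        payload = json.loads(self.rfile.read(length) or b"{}")
        RECEIVED.append(payload)  # hand off to your alert pipeline here
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; put a TLS-terminating proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Rejecting unauthenticated posts before parsing the body also keeps an unauthenticated caller from driving your JSON parser with arbitrary input.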
Business Unit Report on Open Alerts
To share a report on the status of your cloud assets and how they fare against Prisma Cloud security and compliance policy checks, you can generate a Business Unit Report on demand or schedule one.
The report enables your business stakeholders to track the total number of assets, how many of them have passed or failed the enabled policies, and how those numbers trend over time.
You can create a summary report that shows how you are doing across all your business units, or a detailed report that breaks the results down for each cloud account in the report.
GCP Seoul Region Support
Prisma Cloud can now monitor resources deployed in the Seoul region. To review the list of supported regions, use the Cloud Region filter on the Asset Inventory.
API Ingestion
APIs to ingest the following services:
  • `aws-organization-ou`
    Additional permissions required: `organizations:ListChildren`, `organizations:ListPoliciesForTarget`, `organizations:DescribeOrganizationalUnit`
  • `aws-organization-account`
    Additional permissions required: `organizations:ListPoliciesForTarget`, `organizations:DescribeAccount`, `organizations:ListTagsForResource`
  • `aws-organization-root`
    Additional permissions required: `organizations:ListChildren`, `organizations:ListPoliciesForTarget`, `organizations:ListRoots`
  • `aws-organizations-scp`
    Additional permissions required: `organizations:ListChildren`, `organizations:ListPolicies`, `organizations:DescribePolicy`, `organizations:ListPoliciesForTarget`
  • `aws-organizations-tag-policy`
    Additional permissions required: `organizations:ListChildren`, `organizations:ListPolicies`, `organizations:DescribePolicy`, `organizations:ListPoliciesForTarget`
Ingesting Tags for AWS Resources
To enable filtering by tag in RQL, the following AWS APIs now ingest tag information for your cloud resources:
  • aws-cloudtrail-describe-trails
  • aws-cloudwatch-describe-alarms
  • aws-describe-workspace-directories
  • aws-dynamodb-describe-table
The `cloudwatch:ListTagsForResource` and `dynamodb:ListTagsOfResource` permissions are required to ingest tags for these services. See Update the CFT to enable the additional permissions.
If you prefer to grant granular permissions manually:
  • CloudTrail requires `cloudtrail:ListTags`
  • DynamoDB requires `dynamodb:ListTagsOfResource`
  • CloudWatch requires `cloudwatch:ListTagsForResource`
Saved Search Additions
Use the following Saved Searches to create a policy and generate an alert when you want to check for:
  • AWS IAM role with unused S3 buckets permissions_RL
  • AWS IAM user with unused S3 buckets permissions_RL
  • AWS IAM role with unused permissions_RL
  • AWS IAM user with unused permissions_RL
  • AWS EC2 instances with Marketplace AMI_RL
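Two of the IAM findings on this page can be reproduced offline from the data the ingestion APIs collect: the "AWS IAM roles/groups with administrator access permissions" policies (June 16) and the "unused permissions" Saved Searches listed above. The block below is an added example written for this page, not Prisma Cloud's own policy logic. It assumes IAM policy documents in the standard JSON policy format and, for the unused-permission check, per-service "last accessed" records in the shape IAM Access Advisor reports (a service namespace and an optional last-authenticated time); all principals, policies and timestamps are constructed samples.

```python
"""Added example: admin-access and unused-permission checks over IAM policy data.

Not Prisma Cloud code. Policy documents are constructed samples in standard IAM
JSON; the last-accessed records are assumed to mirror IAM Access Advisor output.
"""
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM accepts either a string or a list in Action/NotAction/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_all_actions(stmt):
    # "*" and "*:*" both match every action. An Allow with NotAction: [] excludes
    # nothing, so it also allows everything; a non-empty NotAction is narrower
    # and is left for manual review here.
    if "NotAction" in stmt and not _as_list(stmt["NotAction"]):
        return True
    return any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))


def grants_admin(policy_doc):
    """True if an unconditional Allow statement grants every action on every resource."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditional grants are not blanket admin
        if "*" in _as_list(stmt.get("Resource")) and _allows_all_actions(stmt):
            return True
    return False


def find_admin_principals(principals):
    """Names of roles/groups with AdministratorAccess attached or an admin inline policy."""
    flagged = []
    for p in principals:
        if ADMIN_MANAGED_POLICY in p.get("attached_policies", []) or any(
            grants_admin(doc) for doc in p.get("inline_policies", [])
        ):
            flagged.append(p["name"])
    return flagged


def granted_services(policy_docs):
    """Service namespaces (the part before ':') that Allow statements name; '*' if any wildcard."""
    services = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action")):
                services.add(action.split(":", 1)[0])
    return services


def unused_services(policy_docs, last_accessed, now, max_age_days=90):
    """Granted services with no authenticated use inside the look-back window."""
    cutoff = now - timedelta(days=max_age_days)
    recently_used = {
        r["ServiceNamespace"]
        for r in last_accessed
        if r.get("LastAuthenticated") and r["LastAuthenticated"] >= cutoff
    }
    granted = granted_services(policy_docs)
    if "*" in granted:
        # A wildcard grants every service; judge each one Access Advisor reports on.
        granted = {r["ServiceNamespace"] for r in last_accessed}
    return sorted(granted - recently_used)


# --- constructed sample data -------------------------------------------------
NOW = datetime(2020, 6, 16, tzinfo=timezone.utc)

ADMIN_INLINE = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OPS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "ssm:GetParameter", "s3:GetObject"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
PRINCIPALS = [
    {"name": "role/break-glass", "attached_policies": [ADMIN_MANAGED_POLICY], "inline_policies": []},
    {"name": "group/ops", "attached_policies": [], "inline_policies": [OPS_POLICY]},
    {"name": "role/legacy-deploy", "attached_policies": [], "inline_policies": [ADMIN_INLINE]},
]
OPS_LAST_ACCESSED = [  # Access Advisor-style records for group/ops (constructed)
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "kms", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "ssm", "LastAuthenticated": None},
]

if __name__ == "__main__":
    print("admin principals:", find_admin_principals(PRINCIPALS))
    print("unused by group/ops:", unused_services([OPS_POLICY], OPS_LAST_ACCESSED, NOW))
```

The look-back window (90 days here) is the knob that decides what "unused" means; shorten it for high-value services such as KMS and Systems Manager, where a permission that has not been exercised in weeks is a strong candidate for removal.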

New Policies and Policy Updates

Policy
Description
Anomaly Policies to Detect Network Evasion or Resource Misuse
Five new Anomaly policies are available to help you detect:
  • Ports or protocols that are not typically used on your network to provide or consume services.
    Unusual server port activity (Internal)—Identifies network activity from a client host (external or internal) to a server host inside your cloud environment, using a server port not previously seen in the VPC.
    Unusual server port activity (External)—Identifies network activity from a client host inside your cloud environment to an external server host, using a server port not previously seen in the VPC.
    Unusual protocol activity (Internal)—Identifies network activity from a client host (external or internal) to a server host inside your cloud environment, using an IP protocol not previously seen in the VPC.
    Unusual protocol activity (External)—Identifies network activity from a client host inside your cloud environment to an external server host, using an IP protocol not previously seen in the VPC.
  • Resource misuse by potential spam.
    Spambot activity—Identifies a host inside your cloud environment that is generating outbound SMTP traffic and for which no previous mail-related network activity has been observed. This instance may be compromised and sending spam.
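The five policies above share one shape: learn a per-VPC baseline of server ports, IP protocols and mail-sending hosts, then flag flows that fall outside it. The detector below is an added example written for this page to make that logic concrete; it is not Prisma Cloud's anomaly engine. It assumes flow records with the fields vpc, src, dst, proto (IP protocol number) and dport, treats RFC 1918 space as "inside your cloud environment", and uses constructed baseline and candidate flows.

```python
"""Added example: baseline-then-detect logic in the spirit of the five anomaly policies.

Not Prisma Cloud code. Flow records, the private address ranges and the SMTP
port set are assumptions chosen for the example.
"""
import ipaddress
from collections import defaultdict

# Assumption: the environment's private address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP, UDP = 6, 17
SMTP_PORTS = {25, 465, 587}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class NetworkAnomalyDetector:
    """Per-VPC baseline of server ports and protocols, plus hosts known to send mail."""

    def __init__(self):
        self.ports = defaultdict(set)   # vpc -> server ports seen (TCP/UDP only)
        self.protos = defaultdict(set)  # vpc -> IP protocol numbers seen
        self.mail_hosts = set()         # internal hosts with prior outbound SMTP

    def observe(self, flow):
        """Add a flow to the baseline (call this for traffic you have judged normal)."""
        vpc = flow["vpc"]
        self.protos[vpc].add(flow["proto"])
        if flow["proto"] in (TCP, UDP):
            self.ports[vpc].add(flow["dport"])
        if is_internal(flow["src"]) and flow["proto"] == TCP and flow["dport"] in SMTP_PORTS:
            self.mail_hosts.add(flow["src"])

    def evaluate(self, flow):
        """Return the names of the policies a flow would trigger (empty list if none)."""
        alerts = []
        vpc = flow["vpc"]
        src_int, dst_int = is_internal(flow["src"]), is_internal(flow["dst"])
        if dst_int:
            direction = "Internal"   # any client -> a server inside the environment
        elif src_int:
            direction = "External"   # internal client -> external server
        else:
            return alerts            # neither end is ours: out of scope
        if flow["proto"] not in self.protos[vpc]:
            alerts.append(f"Unusual protocol activity ({direction})")
        elif flow["proto"] in (TCP, UDP) and flow["dport"] not in self.ports[vpc]:
            alerts.append(f"Unusual server port activity ({direction})")
        if (direction == "External" and flow["proto"] == TCP
                and flow["dport"] in SMTP_PORTS and flow["src"] not in self.mail_hosts):
            alerts.append("Spambot activity")  # SMTP from a host that never sent mail before
        return alerts


def make_flow(vpc, src, dst, proto, dport):
    return {"vpc": vpc, "src": src, "dst": dst, "proto": proto, "dport": dport}


BASELINE = [  # constructed sample of normal traffic in vpc-a
    make_flow("vpc-a", "203.0.113.10", "10.0.1.10", TCP, 443),   # internet -> web tier
    make_flow("vpc-a", "10.0.1.10", "10.0.2.20", TCP, 5432),     # web -> database
    make_flow("vpc-a", "10.0.1.10", "198.51.100.50", TCP, 443),  # outbound API calls
    make_flow("vpc-a", "10.0.1.10", "10.0.2.20", 1, 0),          # ICMP echo (protocol 1)
    make_flow("vpc-a", "10.0.3.5", "198.51.100.25", TCP, 25),    # mail relay sends mail
]
CANDIDATES = [  # constructed flows to evaluate against that baseline
    make_flow("vpc-a", "203.0.113.99", "10.0.1.10", TCP, 3389),  # RDP to the web host
    make_flow("vpc-a", "10.0.2.20", "198.51.100.77", TCP, 4444), # db host calls out on 4444
    make_flow("vpc-a", "10.0.1.10", "10.0.2.20", 47, 0),         # GRE tunnel (protocol 47)
    make_flow("vpc-a", "10.0.2.20", "198.51.100.25", TCP, 25),   # db host suddenly sends mail
    make_flow("vpc-a", "10.0.3.5", "198.51.100.26", TCP, 25),    # relay host: expected
]


def run(baseline, candidates):
    det = NetworkAnomalyDetector()
    for f in baseline:
        det.observe(f)
    return [det.evaluate(f) for f in candidates]


if __name__ == "__main__":
    for flow, alerts in zip(CANDIDATES, run(BASELINE, CANDIDATES)):
        print(f'{flow["src"]} -> {flow["dst"]}:{flow["dport"]}/{flow["proto"]}', alerts)
```

Note the fourth candidate: port 25 is already known in the VPC because the relay host uses it, so no "unusual port" alert fires, yet the database host has never sent mail, which is exactly the Spambot case. Whether a flagged flow is then fed back into the baseline with observe() is a policy decision; feeding it in unconditionally would let an attacker teach the detector that the anomaly is normal.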
AWS MQ is publicly accessible
Identifies AWS MQ brokers that are publicly accessible from the internet. As a best practice, ensure that AWS MQ brokers are not accessible from the Internet to minimize security risks and exposure of sensitive data.
AWS MFA is not enabled on Root account
Identifies root accounts on which multi-factor authentication (MFA) is not enabled. Because the root account has privileged access to all AWS services, enabling MFA reduces the risk of its credentials being compromised. This policy does not apply to AWS GovCloud (US) accounts, because you cannot enable MFA on an AWS GovCloud (US) root account.
