Features Introduced in March 2020

Learn about the exciting new features introduced on Prisma Cloud in March 2020.

Features Introduced on March 24, 2020

New Features

This release of Prisma™ Cloud includes these improvements:
Features
Description
(Beta) AutoFocus Integration on Prisma Cloud
With the Prisma Cloud Enterprise Edition license, threat feeds from AutoFocus, the cloud-based threat intelligence service from Palo Alto Networks, are now available to you. When Prisma Cloud identifies a suspicious IP address, the threat feeds enable you to classify and view more information on the malicious IP addresses with which the suspicious IP address is communicating, and detect activity such as bitcoin mining and the bad actors that expose them to risk.
You can take advantage of the threat feeds without making any configuration changes on Prisma Cloud.
Granular Licensing Data in CSV Format
To view data on hourly or daily licensed workloads on Prisma Cloud, you can now download data on license usage in one zip file that includes individual files for each cloud type that Prisma Cloud monitors - AWS, Alibaba, Azure and GCP.
For a time period of 3 days or less, you can download hourly usage data; for a time period greater than 3 days, you can download daily usage data. This granularity enables you to review usage at an account group level and manage internal chargebacks within your enterprise.
User Attribution for Azure Storage Blob Containers
Prisma Cloud now ingests data on the creation and revision date of an Azure storage blob container. With user attribution, you can now monitor who made changes using the Audit Trail in the Resource Explorer for events related to Azure Storage Blob Containers on the Prisma Cloud administrative console.
Geo-Location for Port Scan And Port Sweep Alerts
The alerts associated with port scan and port sweep activity triggered by an external entity now include geo-location data to help you identify the location of the IP address from which the attack originates.
API Ingestion Update
Prisma Cloud now ingests the following new services to help build Config queries for investigating and analyzing data:
  • aws-ec2-elastic-addresses
  • aws-sagemaker-notebook-instance
Permissions Update for ServiceNow Integration
The Prisma Cloud integration with ServiceNow no longer requires you to grant the itil or the sn_si.admin roles to the user account. Review the updated list of permissions required.
Saved Search Additions
Use the following Saved Searches to easily create a policy and generate an alert if you want to check for:
  • Azure SQL server audit action groups in auditing policy are not set properly
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
  • AWS Log metric filter and alarm does not exist for usage of the root account

Features Introduced on March 10, 2020

New Features

This release of Prisma™ Cloud includes these improvements:
Features
Description
Support for Multi-Tenant Demisto Deployments
When you enable the Demisto integration on Prisma Cloud, you can now add the tenant name of a Demisto instance that is a part of a multi-tenant deployment.
API Ingestion Update
Prisma Cloud now ingests the following new services to help build Config queries for investigating and analyzing data:
  • azure-sql-managed-instance
  • aws-elbv2-target-group
  • aws-apigateway-client-certificates

New Policies and Policy Updates

POLICY
DESCRIPTION
AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured
Identifies AWS Elastic Load Balancers v2 (ELBv2) that have TLS/SSL listener disabled, and therefore do not receive traffic over a secure channel with a valid SSL certificate.
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Monitors the AWS accounts that do not have a log metric filter and alarm for AWS management console authentication failures, when you do not have MFA enabled.
AWS Log metric filter and alarm does not exist for usage of the root account
Identifies AWS accounts that do not have a log metric filter and alarm for monitoring the use of the privileged root account for login.
Azure SQL server audit action groups in auditing policy are not set properly
Identifies Azure SQL servers that are not enabled with AuditActionGroups to capture critical activities performed on these servers.
AWS CloudTrail logging is disabled
Identifies AWS CloudTrail for that do not maintain an audit trail of activities across different services.
Policy Updates
The AWS Config Recording is disabled policy RQL is updated to include the count function. With this change, instead of generating an alert at the account level, the policy generates alerts for each region where AWS config recording is not enabled to detect changes to resource configuration.
The updated RQL is:
config where cloud.type = 'aws' AND api.name = 'aws-configservice-describe-configuration-recorders' AND json.rule = 'status.recording is true and status.lastStatus equals SUCCESS and recordingGroup.allSupported is true' as X; count(X) less than 1
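The per-region behavior of the updated RQL can be modeled offline. The following is an added example, not Prisma Cloud's own code: it applies the three json.rule conditions to constructed recorder records and reports every region where count(X) is less than 1. The function names, the sample data, and the region list are assumptions made for illustration.

```python
# Added illustration of the updated RQL's per-region semantics.
# Sample data is constructed; this is not Prisma Cloud's evaluation engine.

def recorder_is_healthy(rec):
    """Mirror of the json.rule: status.recording is true, status.lastStatus
    equals SUCCESS, and recordingGroup.allSupported is true."""
    status = rec.get("status", {})
    group = rec.get("recordingGroup", {})
    return (status.get("recording") is True
            and status.get("lastStatus") == "SUCCESS"
            and group.get("allSupported") is True)

def regions_to_alert(recorders_by_region):
    """Return the regions where count(X) is less than 1, that is, where no
    recorder satisfies the rule. A region with no recorder at all alerts too."""
    alerts = []
    for region, recorders in sorted(recorders_by_region.items()):
        matching = sum(1 for r in recorders if recorder_is_healthy(r))
        if matching < 1:
            alerts.append(region)
    return alerts

# Constructed sample: one account, five monitored regions.
SAMPLE = {
    "us-east-1": [{"name": "default",  # healthy: satisfies all three conditions
                   "status": {"recording": True, "lastStatus": "SUCCESS"},
                   "recordingGroup": {"allSupported": True}}],
    "us-west-2": [{"name": "default",  # recorder exists but is stopped
                   "status": {"recording": False, "lastStatus": "SUCCESS"},
                   "recordingGroup": {"allSupported": True}}],
    "eu-west-1": [{"name": "default",  # last delivery did not succeed
                   "status": {"recording": True, "lastStatus": "FAILURE"},
                   "recordingGroup": {"allSupported": True}}],
    "eu-central-1": [{"name": "default",  # records only a subset of resource types
                      "status": {"recording": True, "lastStatus": "SUCCESS"},
                      "recordingGroup": {"allSupported": False}}],
    "ap-south-1": [],  # no recorder configured in this region
}

if __name__ == "__main__":
    for region in regions_to_alert(SAMPLE):
        print(f"ALERT: AWS Config recording is not enabled in {region}")
```

In this sample only us-east-1 passes, so an account with one healthy region still produces four region-level alerts.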
The following remediable policies have updates to the remediation CLI that require additional permissions:
  • Azure App Service Web app authentication is off
  • Azure App Service Web app doesn't redirect HTTP to HTTPS
  • Azure App Service Web app doesn't use latest TLS version
  • Azure App Service Web app doesn't require Client Certs
  • Azure App Service Web app doesn't have a Managed Service Identity
  • Azure App Service Web app doesn't use HTTP 2.
The additional permissions required are: "Microsoft.Web/sites/config/write" and "Microsoft.Web/sites/write".
