Features Introduced in May 2020

Learn what’s new on Prisma™ Cloud in May 2020.

Features Introduced on May 19, 2020

New Features

resource.status Attribute in Config RQL
The RQL config query adds a new attribute, resource.status, that enables you to identify cloud resources that are in an active or deleted state within a specified time range. For example:
config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables'
and specify the time range.
The resource.status attribute is supported on the Investigate page only. You can also view the current status of the cloud resource on the Resource Explorer. The status shows whether the resource is deleted (Deleted—True) or active (Deleted—False).

API Ingestion
APIs to ingest the following services:
  • AWS
    aws-iam-service-last-accessed-details
    The API enables you to view details about when an IAM resource (user, role, or policy) was last used to access an AWS service. To ingest the resources associated with this API, you must update the CFT and enable additional permissions: generateServiceLastAccessedDetails, getServiceLastAccessedDetails.
    When enabled, the details on all roles and all users created in the AWS account, and all policies attached to those users/roles, are ingested every 24 hours on Prisma Cloud.
    For example:
    • To query users, roles, or policies with unused permissions:
      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = serviceLastAccesses[*].totalAuthenticatedEntities any equal "0" AND arn contains ":user"
    • To list users (or roles) who can access a specific service:
      config where api.name = 'aws-iam-service-last-accessed-details' AND json.rule = arn contains ":user" AND serviceLastAccesses[*].serviceNamespace contains "s3"
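As an added example that is not part of these release notes, the following Python reproduces the two json.rule queries above over constructed records shaped like the ingested API output; the sample ARNs and the exact field layout are assumptions, and the unused_services helper goes one step beyond the RQL by naming the idle services for each principal.

```python
"""Local evaluation of the two aws-iam-service-last-accessed-details RQL examples.

Constructed sample records mimic what Prisma Cloud ingests from the AWS
GetServiceLastAccessedDetails API; field names follow the json.rule paths on
this page (arn, serviceLastAccesses[].serviceNamespace / totalAuthenticatedEntities).
"""
from typing import Dict, List, Set

SAMPLE_RESOURCES: List[Dict] = [  # constructed: two users and one role
    {"arn": "arn:aws:iam::123456789012:user/alice",
     "serviceLastAccesses": [
         {"serviceNamespace": "s3", "totalAuthenticatedEntities": 1},
         {"serviceNamespace": "ec2", "totalAuthenticatedEntities": 0}]},
    {"arn": "arn:aws:iam::123456789012:user/bob",
     "serviceLastAccesses": [
         {"serviceNamespace": "iam", "totalAuthenticatedEntities": 1}]},
    {"arn": "arn:aws:iam::123456789012:role/deploy",
     "serviceLastAccesses": [
         {"serviceNamespace": "s3", "totalAuthenticatedEntities": 0}]},
]


def unused_services(resource: Dict) -> Set[str]:
    """Services the principal may call but has never authenticated to.

    This is what `totalAuthenticatedEntities any equal "0"` matches; AWS reports
    the count as an integer while the RQL compares a string, so coerce first."""
    return {s["serviceNamespace"] for s in resource.get("serviceLastAccesses", [])
            if int(s.get("totalAuthenticatedEntities", 0)) == 0}


def unused_permissions(resources: List[Dict], principal: str = ":user") -> List[str]:
    """Query 1 on this page; pass principal=":role" to cover roles instead of users."""
    return [r["arn"] for r in resources if principal in r["arn"] and unused_services(r)]


def principals_with_access(resources: List[Dict], namespace: str,
                           principal: str = ":user") -> List[str]:
    """Query 2 on this page: arn contains principal AND serviceNamespace contains namespace.

    `contains` is a substring match, so "s3" would also match a namespace such as
    "s3-outposts"; compare on equality if you need the exact service."""
    return [r["arn"] for r in resources
            if principal in r["arn"]
            and any(namespace in s["serviceNamespace"] for s in r.get("serviceLastAccesses", []))]
```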
Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs ingest tag information on your cloud resources:
  • aws-describe-vpc-endpoints
  • aws-ec2-describe-flow-logs
  • aws-organization
  • aws-apigateway-get-rest-apis
  • aws-apigateway-get-stages
  • aws-elasticache-snapshots
  • aws-eks-describe-cluster
    The eks:ListTagsForResource permission is required to ingest tags for the EKS service. See Update the CFT to enable the additional permissions.

Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook Threat Exchange. In addition, all anomaly alerts include a tooltip that describes the threat details.

New Policies and Policy Updates

GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation and enforce the principle of least privilege when granting permissions to service accounts.

Policy Updates
  • The GCP CIS v1.0.0 compliance standard, section 4.1, is updated to match on the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions.
  • Updated the AWS RDS DB cluster encryption is disabled policy to include the instructions for remediation.

Features Introduced on May 5, 2020

New Features

Network RQL supports IP address in a CIDR format
To help you monitor network traffic between VPCs or to a specific destination within a VPC, in a network query you can search for IP addresses from the RFC 1918 address space using the CIDR format. You can include a single IP address or a comma-separated list of IP addresses in the CIDR format as the source or destination attribute within the query. For example:
network where source.ip = 10.144.0.0/16 AND dest.ip = 10.2.0.0/16
or
network where cloud.account = 'xyz' AND source.ip IN ( 10.2.2.0/24, 10.2.1.0/24 ) AND dest.ip = 10.2.0.0/24
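The CIDR matching behind the two network queries above, evaluated locally as an added example that is not part of the original release notes; the flow-record field names source_ip/dest_ip and the sample flows are constructed, and the parser enforces the RFC 1918 restriction the feature states.

```python
"""Evaluate the CIDR-form network RQL on this page against constructed flow records.

Prisma Cloud accepts only RFC 1918 ranges in source.ip / dest.ip, so the parser
below enforces that before matching. Flow record field names are assumed.
"""
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows; only the first two satisfy the IN ( ... ) query on this page.
SAMPLE_FLOWS: List[Dict[str, str]] = [
    {"source_ip": "10.2.2.15", "dest_ip": "10.2.0.7"},
    {"source_ip": "10.2.1.200", "dest_ip": "10.2.0.9"},
    {"source_ip": "10.2.3.4", "dest_ip": "10.2.0.1"},   # source outside the IN list
    {"source_ip": "10.2.2.15", "dest_ip": "10.2.5.1"},  # dest outside 10.2.0.0/24
]


def is_rfc1918(cidr: str) -> bool:
    """True when the CIDR (or bare address, treated as /32) lies within RFC 1918."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def parse_cidr_list(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a single CIDR or the comma-separated list used inside IN ( ... ),
    rejecting anything outside RFC 1918 as the query language does."""
    nets = []
    for item in spec.strip(" ()").split(","):
        if not is_rfc1918(item):
            raise ValueError(f"{item.strip()} is outside the RFC 1918 address space")
        nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def ip_in(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True when addr falls inside any of the networks (covers both '=' and 'IN')."""
    return any(ipaddress.ip_address(addr) in n for n in nets)


def network_query(flows, source: str, dest: str) -> List[Dict[str, str]]:
    """network where source.ip IN ( <source> ) AND dest.ip = <dest>, evaluated locally."""
    src, dst = parse_cidr_list(source), parse_cidr_list(dest)
    return [f for f in flows if ip_in(f["source_ip"], src) and ip_in(f["dest_ip"], dst)]
```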
Multiple Role Assignments for Prisma Cloud Administrator
A System Administrator on Prisma Cloud can now assign up to five roles to any Prisma Cloud user and set one role as the default role. When a user with multiple roles logs in, she can change the default role assignment and switch between roles using the Profile drop-down.
With this change, when an administrator creates policies, saved searches, saved alert filters, and recurring compliance reports without a cloud account selection, the objects are associated with the role assumed by the user instead of the user’s details.

ServiceNow Integration Support for Orlando
Prisma Cloud supports the ServiceNow Orlando release.

Prisma Cloud Business Edition on Azure China (Beta)
Prisma Cloud introduces the ability to use your Prisma Cloud tenant in China to connect to your Azure China subscriptions and monitor the resources deployed in China. Please reach out to your account team if you'd like to participate in the beta.

Cloud Account Owner for Azure Subscriptions
When Prisma Cloud detects an issue with an Azure subscription, you can view the cloud account owner information for the subscription. This information is refreshed every 24 hours, and you can use it to contact the account owner directly for any issues related to the subscription.
After you onboard your Azure subscription, the name of the account owner displays in the new Cloud Account Owner column on Settings > Cloud Accounts.

Prisma Cloud DevOps Security Enhancements
  • Centralization of Run and Build Phase Configuration Policies
    The Prisma Cloud administrator console is a single pane where you can view all configuration policies that are pertinent to the build and run phases of your application development lifecycle. On the Policies page, you can also create a custom policy for scanning Kubernetes, Terraform, or CloudFormation templates in the build phase, and define the JSON query to build the rule. Optionally, you can include the details on how to fix the issue when a policy violation occurs.
  • Terraform 0.12 Support for IaC Scan
    Prisma Cloud IaC scan adds support for Terraform 0.12, including multiple modules, variable files, and external variables.
  • Prisma Cloud GitLab plugins (IaC scan only)
    The Prisma Cloud GitLab extension for SCM and CI/CD enables you to scan your files, review any potential security issues, and fix and validate code before you check it in to your source control repository or integrate it in your CI/CD pipeline.

New Policies and Policy Updates

GCP MySQL instance with local_infile database flag is not disabled
Identifies MySQL instances in which the local_infile database flag is not disabled. This flag controls the server-side LOCAL capability for LOAD DATA statements. When enabled, the server permits clients to load local data.

GCP PostgreSQL instance with log_checkpoints database flag is disabled
Identifies PostgreSQL instances in which the log_checkpoints database flag is disabled. When the flag is disabled, the server log does not record checkpoints and restart points.

GCP PostgreSQL instance database flag log_connections is disabled
Identifies PostgreSQL type SQL instances for which the log_connections database flag is disabled. PostgreSQL does not log attempted connections by default. Enabling the log_connections setting creates log entries for each attempted connection as well as for successful completion of client authentication, which helps with troubleshooting issues and identifying unusual connection attempts to the server.

GCP PostgreSQL instance database flag log_disconnections is disabled
Identifies PostgreSQL type SQL instances for which the log_disconnections database flag is disabled. Enabling the log_disconnections setting creates log entries at the end of each session and helps you audit unusual activity.

GCP PostgreSQL instance database flag log_lock_waits is disabled
Identifies PostgreSQL database instances in which the log_lock_waits database flag is not set. Enabling the flag helps identify poor performance due to locking delays or resource starvation caused by specially-crafted SQL.

Policy Updates
  • The AWS CloudTrail API aws-cloudtrail-describe-trails is updated to list the cloud account name when used with the count (x) function. With this change, if you have created custom policies that use the count function, such as
    config where api.name = 'aws-cloudtrail-describe-trails' count(X) less than 1
    all open alerts that were previously generated will be resolved and only one new alert will be generated for each cloud account. The new alert will include the cloud account name.
  • For aws-iam-list-roles, Prisma Cloud retrieves data on the permissionBoundary, and you can use it as part of the json.rule attribute to view the maximum permissions for a role/user as defined in the IAM policy. Example:
    config where api.name = 'aws-iam-list-roles' AND json.rule = role.permissionsBoundary.permissionsBoundaryArn exists
    and view the details on the Investigate page. Please reach out to your account team if you'd like to use this feature.
