Features Introduced in May 2020
Learn what’s new on Prisma™ Cloud in May 2020.
Features Introduced on May 19, 2020
resource.status Attribute in Config RQL
The RQL Config query adds a new attribute, resource.status, that enables you to identify cloud resources that are in a deleted state within a specified time range.
For example: config where resource.status = Deleted AND cloud.account = 'account_name' AND api.name = 'aws-ec2-describe-route-tables', and then specify the time range.
The resource.status attribute is supported on the Investigate page only. You can also view the current status of the cloud resource on the Resource Explorer. The status shows whether the resource is deleted (Deleted—True) or active (Deleted—False).
APIs to ingest the following services:
Ingesting Tags for AWS Resources
To enable filtering using tags in RQL, the following AWS APIs ingest tag information on your cloud resources:
Additional Context for Network Anomaly Alerts
Network anomaly alerts generated against the Port scan activity and Port sweep activity policies now include additional context based on threat feed information from sources such as AutoFocus and Facebook ThreatExchange. In addition, all anomaly alerts include a tooltip that describes the threat details.
New Policies and Policy Updates
GCP VM Instance Using a Default Service Account with Full Access to all Cloud APIs
Identifies VM instances on GCP that are using a default service account with full access to all Cloud APIs. This policy enables you to prevent potential privilege escalation, and enforce the principle of least privilege when granting permissions to service accounts.
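The condition this policy describes, as an added example written for this page (not Prisma Cloud's own policy logic): it evaluates constructed GCP Compute Engine instance records and flags any that attach the default Compute Engine service account (assumed email pattern `<project-number>-compute@developer.gserviceaccount.com`) together with the "full access to all Cloud APIs" scope (`cloud-platform`).

```python
# Added example, not Prisma Cloud's policy engine. Instance records below are
# constructed to look like compute.instances.list output.
import re

# Assumed: the default Compute Engine service account follows this email pattern.
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# "Allow full access to all Cloud APIs" in the console maps to this OAuth scope.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

GCE_INSTANCES = [  # constructed sample data
    {"name": "web-1", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "web-2", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring.write"]}]},
    {"name": "batch-1", "serviceAccounts": [
        {"email": "batch-runner@my-project.iam.gserviceaccount.com",
         "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "isolated-1", "serviceAccounts": []},
]


def uses_default_sa_with_full_access(instance):
    """True when an attached account is the default compute SA AND carries cloud-platform.

    Both conditions matter: the default SA typically holds the project-wide Editor
    role, and the cloud-platform scope removes the OAuth scope restriction, so any
    code running on the VM inherits Editor over the whole project."""
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_SA.match(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
            return True
    return False


def find_violations(instances):
    """Names of instances that violate the policy, in input order."""
    return [i["name"] for i in instances if uses_default_sa_with_full_access(i)]


if __name__ == "__main__":
    print(find_violations(GCE_INSTANCES))  # ['web-1']
```

Only web-1 is reported: web-2 uses the default account with narrow scopes, and batch-1 uses a dedicated account, so neither matches the policy's condition.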
The GCP CIS v1.0.0 Compliance standard, section 4.1, is updated to map to the policy GCP VM instance using a default service account with full access to all Cloud APIs instead of GCP VM instances with excessive service account permissions.
The AWS RDS DB cluster encryption is disabled policy is updated to include instructions for remediation.
Features Introduced on May 5, 2020
Network RQL Supports IP Addresses in CIDR Format
To help you monitor network traffic between VPCs or to a specific destination within a VPC, in a network query, you can search for IP addresses from the RFC 1918 address space using the CIDR format.
You can include a single IP address or a comma-separated list of IP addresses in CIDR format as the source or destination attribute within the query. For example: network where source.ip = 10.144.0.0/16 AND dest.ip = 10.2.0.0/16, or network where cloud.account = 'xyz' AND source.ip IN ( 10.2.2.0/24, 10.2.1.0/24 ) AND dest.ip = 10.2.0.0/24
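The matching semantics of the two network queries above, as an added example for this page (not Prisma Cloud's RQL engine): a source or destination operand is either a single CIDR or an `IN ( ... )` list, operands are checked against the RFC 1918 ranges the note restricts them to, and the matcher runs over constructed flow records.

```python
# Added example, not part of Prisma Cloud. Flow records are constructed to
# carry the attributes the RQL queries reference.
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOWS = [  # constructed sample flow records
    {"cloud.account": "xyz", "source.ip": "10.2.2.17", "dest.ip": "10.2.0.9"},
    {"cloud.account": "xyz", "source.ip": "10.2.1.200", "dest.ip": "10.2.0.250"},
    {"cloud.account": "xyz", "source.ip": "10.144.5.5", "dest.ip": "10.2.0.9"},
    {"cloud.account": "abc", "source.ip": "10.2.2.17", "dest.ip": "10.2.0.9"},
]


def parse_cidrs(operand):
    """Parse '10.2.0.0/24' or '( 10.2.2.0/24, 10.2.1.0/24 )' into networks.

    Rejects anything outside RFC 1918, mirroring the restriction stated in the note."""
    text = operand.strip().strip("()")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(",") if p.strip()]
    for n in nets:
        if n.version != 4 or not any(n.subnet_of(p) for p in RFC1918):
            raise ValueError(f"{n} is outside the RFC 1918 address space")
    return nets


def match_flows(flows, source, dest, account=None):
    """Return flows whose source/dest fall in the given CIDR operands.

    account=None means the query carries no cloud.account clause."""
    src, dst = parse_cidrs(source), parse_cidrs(dest)
    hits = []
    for f in flows:
        if account is not None and f["cloud.account"] != account:
            continue
        s, d = ipaddress.ip_address(f["source.ip"]), ipaddress.ip_address(f["dest.ip"])
        if any(s in n for n in src) and any(d in n for n in dst):
            hits.append(f)
    return hits


if __name__ == "__main__":
    # First query from the note: no account filter, single CIDR on each side.
    print(match_flows(FLOWS, "10.144.0.0/16", "10.2.0.0/16"))
    # Second query: account filter plus an IN (...) list on the source side.
    print(match_flows(FLOWS, "( 10.2.2.0/24, 10.2.1.0/24 )", "10.2.0.0/24", account="xyz"))
```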
Multiple Role Assignments for Prisma Cloud administrator
A System Administrator on Prisma Cloud can now assign up to five roles to any Prisma Cloud user, and set one role as the default role.
When a user with multiple roles logs in, she can change the default role assignment and switch between roles using the
With this change, when an administrator creates policies, saved searches, saved alert filters and recurring compliance reports without a cloud account selection, the objects are associated with the role assumed by the user instead of the user’s details.
ServiceNow Integration Support for Orlando
Prisma Cloud Business Edition on Azure China (Beta)
Prisma Cloud introduces the ability to use your Prisma Cloud tenant in China to connect to your Azure China subscriptions and monitor the resources deployed in China.
Please reach out to your account team if you'd like to participate in the beta.
Cloud Account Owner for Azure Subscriptions
When Prisma Cloud detects an issue with an Azure subscription, you can view the cloud account owner information for the subscription. This information is refreshed every 24 hours, and you can use it to contact the account owner directly for any issues related to the subscription.
After you onboard your Azure subscription, the name of the account owner displays in the new Cloud Account Owner column on
Prisma Cloud DevOps Security Enhancements
Centralization of Run and Build Phase Configuration Policies
The Prisma Cloud administrator console is a single pane where you can view all configuration policies that are pertinent to the build and run phases of your application development lifecycle.
On the Policies page, you can also create a custom policy for scanning Kubernetes, Terraform, or CloudFormation templates in the build phase, and define the JSON query that builds the rule. Optionally, you can include details on how to fix the issue when a policy violation occurs.
Terraform 0.12 Support for IaC Scan
Prisma Cloud IaC scan adds support for Terraform 0.12 including multiple modules, variable files, and external variables.
New: Prisma Cloud GitLab Plugins (IaC Scan Only)
The Prisma Cloud GitLab extensions for SCM and CI/CD enable you to scan your files, review any potential security issues, and fix and validate code before you check it in to your source control repository or integrate it in your CI/CD pipeline.
New Policies and Policy Updates
GCP MySQL instance with local_infile database flag is not disabled.
Identifies MySQL instances in which local_infile database flag is not disabled. This flag controls the server-side LOCAL capability for LOAD DATA statements. When enabled, the server permits clients to load local data.
GCP PostgreSQL instance with log_checkpoints database flag is disabled.
Identifies PostgreSQL instances in which log_checkpoints database flag is disabled. When the flag is disabled, the server log does not record checkpoints and restart points.
GCP PostgreSQL instance database flag log_connections is disabled.
Identifies PostgreSQL type SQL instances for which the log_connections database flag is disabled. PostgreSQL does not log attempted connections by default. Enabling the log_connections setting creates log entries for each attempted connection as well as for successful completion of client authentication, which helps with troubleshooting issues and identifying unusual connection attempts to the server.
GCP PostgreSQL instance database flag log_disconnections is disabled.
Identifies PostgreSQL type SQL instances for which the log_disconnections database flag is disabled. Enabling the log_disconnections setting will create log entries at the end of each session and help you audit unusual activity.
GCP PostgreSQL instance database flag log_lock_waits is disabled.
Identifies PostgreSQL database instances in which database flag log_lock_waits is not set. Enabling the flag helps identify poor performance due to locking delays or resource starvation caused by specially-crafted SQL.
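The five database-flag policies above evaluated together, as an added example for this page (not Prisma Cloud's policy engine): it reads constructed Cloud SQL instance records shaped like the sqladmin API's `settings.databaseFlags` list and treats a flag that is absent as sitting at its insecure default, which is what "not set" and "not disabled" mean in the policy text.

```python
# Added example, not Prisma Cloud's implementation. Instance records are
# constructed; the engine prefix of databaseVersion (MYSQL_*, POSTGRES_*)
# selects which flag set applies.
REQUIRED_FLAGS = {
    "MYSQL": {"local_infile": "off"},
    "POSTGRES": {
        "log_checkpoints": "on",
        "log_connections": "on",
        "log_disconnections": "on",
        "log_lock_waits": "on",
    },
}

SQL_INSTANCES = [  # constructed sample data
    {"name": "mysql-prod", "databaseVersion": "MYSQL_5_7",
     "settings": {"databaseFlags": []}},
    {"name": "mysql-hardened", "databaseVersion": "MYSQL_5_7",
     "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}},
    {"name": "pg-prod", "databaseVersion": "POSTGRES_12",
     "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
    {"name": "pg-hardened", "databaseVersion": "POSTGRES_12",
     "settings": {"databaseFlags": [
         {"name": "log_checkpoints", "value": "on"},
         {"name": "log_connections", "value": "on"},
         {"name": "log_disconnections", "value": "on"},
         {"name": "log_lock_waits", "value": "on"}]}},
]


def engine(instance):
    """'MYSQL' or 'POSTGRES' from databaseVersion such as 'POSTGRES_12'."""
    return instance["databaseVersion"].split("_")[0]


def flags(instance):
    """Map flag name -> lower-cased value; missing flags simply are not present."""
    return {f["name"]: f["value"].lower()
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def evaluate(instance):
    """Names of flags whose value differs from the required one (absent counts as wrong)."""
    actual = flags(instance)
    return [name for name, want in REQUIRED_FLAGS.get(engine(instance), {}).items()
            if actual.get(name) != want]


def report(instances):
    return {i["name"]: evaluate(i) for i in instances}


if __name__ == "__main__":
    for name, missing in report(SQL_INSTANCES).items():
        print(name, "OK" if not missing else "violates: " + ", ".join(missing))
```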
The AWS CloudTrail API aws-cloudtrail-describe-trails is updated to list the cloud account name when used with the
With this change, if you have created custom policies that use the count function, such as config where api.name = 'aws-cloudtrail-describe-trails' count(X) less than 1, all open alerts that were previously generated will be resolved and only one new alert will be generated for each cloud account. The new alert will include the cloud account name.
aws-iam-list-roles, Prisma Cloud retrieves data on the permissionsBoundary, and you can use it as part of the json.rule attribute to view the maximum permissions for a role or user as defined in the IAM policy. For example: config where api.name = 'aws-iam-list-roles' AND json.rule = role.permissionsBoundary.permissionsBoundaryArn exists, and view the details on the Investigate page.
Please reach out to your account team if you'd like to use this feature.