Features Introduced in November 2020

Learn what’s new on Prisma™ Cloud in November 2020.

New Features Introduced in 20.11.2

New Features

Feature
Description
Additional Billable Resources
The Prisma Cloud Visibility, Compliance, and Governance modules now count your usage of the following resources towards Prisma Cloud credits:
  • Azure—Azure PostgreSQL Database
  • Azure—SQL Managed Instance
  • GCP—GCP Load Balancing
  • GCP—Cloud NAT
With this update, the full list of resources counted towards Prisma Cloud credits is the following:
  • AWS
    • EC2
    • RDS
    • Redshift
    • ELB
    • NAT gateway
  • Azure
    • Virtual Machines
    • SQL DB
    • PostgreSQL
    • SQL Managed Instance
    • Load Balancer
  • GCP
    • GCE
    • CloudSQL
    • Cloud Load Balancing
    • Cloud NAT
  • Alibaba Cloud
    • ECS
RQL Syntax Updates for Extensibility
The Prisma Cloud RQL syntax is updated to enable better visibility and support ingestion of new data sources to monitor your resources deployed across different cloud platforms.
All existing RQL queries used in Prisma Cloud default policies, custom policies, saved searches, and recent searches on the Investigate page are automatically updated to the new syntax and need no action from you. For any out-of-band policies or automation scripts that call the Prisma Cloud search API (https://api.<your Prisma Cloud tenant URL>/search/), update the syntax as follows:
  • config where <rest of the query>
    to
    config from cloud.resource where <rest of the query>
  • event where <rest of the query>
    to
    event from cloud.audit_logs where <rest of the query>
  • network where <rest of the query>
    to
    network from vpc.flow_records where <rest of the query>
The config where, event where, and network where formats are deprecated. To give you time to adopt the new syntax, RQL statements written in the older syntax continue to work for now. Use the new format when you create queries or saved searches, because the older syntax will be removed in a future release.
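Scripts that keep RQL outside Prisma Cloud (saved-search exports, policy-as-code repositories, search API callers) need the same rewrite the platform applies internally. The following Python is an added example, not Prisma Cloud code, that performs the three substitutions from the table above on single queries and on multi-statement joins; the helper names and the idea of reviewing (original, migrated) pairs before re-uploading are assumptions for illustration.

```python
import re

# Old query prefix -> new data-source form, from the migration table above.
_NEW_PREFIX = {
    "config": "config from cloud.resource where",
    "event": "event from cloud.audit_logs where",
    "network": "network from vpc.flow_records where",
}

# A deprecated prefix can start the query or any later statement of a
# join ("... as X; config where ... as Y; filter ...; show X;").
# Keyword matching is case-insensitive, like RQL itself.
_OLD_PREFIX = re.compile(r"(^\s*|;\s*)(config|event|network)\s+where\b", re.IGNORECASE)


def is_deprecated_syntax(query):
    """True if any statement in the query still uses '<type> where'."""
    return _OLD_PREFIX.search(query) is not None


def migrate_rql(query):
    """Rewrite every deprecated '<type> where' statement to the new
    'from <data source> where' form. Queries already in the new form read
    'config from ...', which the pattern does not match, so the function is
    idempotent and safe to run over a whole saved-search export.
    Caveat: it does not parse string literals, so a json.rule whose text
    happens to contain '; config where' would also be rewritten."""
    def repl(m):
        return m.group(1) + _NEW_PREFIX[m.group(2).lower()]
    return _OLD_PREFIX.sub(repl, query)


def migrate_all(queries):
    """Return (original, migrated) pairs for the queries that changed,
    for review before sending them back through the search API."""
    return [(q, migrate_rql(q)) for q in queries if is_deprecated_syntax(q)]
```

Run the exported queries through migrate_all and diff the pairs before writing anything back; the rewrite is purely textual and does not validate that the rest of the query is still accepted by the API.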
New Look
Policies Table
The Policies page is updated with a new layout that loads faster and is easier to read, and it includes a new Group By option so you can aggregate policies using the criteria that matter to you.
policies-group-by.png
Jenkins Plugin for Scanning IaC Templates
Try the new Jenkins plugin to scan your IaC templates against Prisma Cloud default policies or custom policies you define, and mitigate security or compliance risks directly in your DevOps processes. You can define severity-based failure criteria for your organizational needs and detect potential issues before you deploy your code to production. The failure criteria you define are compared against the number of issues actually found to produce a pass or fail result.
The Jenkins plugin enables you to scan Terraform 0.11 through 0.13 templates, AWS CloudFormation templates (CFT), and Kubernetes manifests. The supported file extensions are .yaml and .json for CFT and Kubernetes, and .tf and .json for Terraform.
Plugin Updates to Support IaC Scan API v2
The currently available Prisma Cloud plugins and extensions for Visual Studio Code, Azure DevOps, GitLab (SCM and CI/CD), and GitHub are updated to use the IaC Scan API v2, and their installation and setup workflows are simplified.
Build Alert Rules and Resource List for IaC Scan
Resource Lists on Prisma Cloud provide visibility into, and the permissions to view, IaC scan results on the Prisma Cloud administrative console.
You can specify any tags or labels that identify cloud resources in a Resource List on Prisma Cloud, and use role-based access control to restrict it to specific administrative users only. Those users can then view the scan results on the DevOps Inventory for the IaC templates that match the specified tags.
For build-time checks of IaC templates, you can also now define Build alert rules, where you choose the policies to detect security issues or misconfiguration and associate a resource list to match for specific tags.
devops-build-alert-type.png
Build alert rules do not create new alerts or notifications for policy violations, but they help you ensure that all IaC templates that include specific tags are consistently scanned against the same set of policies.
devops-rsource-list-alert.png
You can then view the scan results on the DevOps Inventory.
DevOps Inventory
Use Inventory > DevOps to review the IaC scan results. The DevOps Inventory provides a bird's-eye view of the total number of IaC scans performed across all the Prisma Cloud IaC Scan plugins, including twistcli and direct calls to the IaC Scan APIs. It also shows how many scans passed or failed policy checks and how the detected issues break down by severity against your enforcement standards. The visual dashboard provides scan trends and results grouped by the repository that hosts your source code or templates.
devops-inventory-widgets.png
The tabular view includes details such as the scan status, the user who initiated the scan, the failure criteria defined for the scan, and the resource list. When a template fails the scan, the results display the count of security issues detected, sorted by severity, and the list of policies that caused the failure.
devops-inventory-table.png
API Ingestion
AWS Directory Service
aws-ds-directory
Additional permissions required:
ds:DescribeDirectories
ds:ListTagsForResource
AWS Web Application Firewall (v2)
aws-waf-v2-global-web-acl-resource
Additional permissions required:
wafv2:GetWebACL
wafv2:GetLoggingConfiguration
Azure SQL Database
azure-sql-server-list
The API is updated to retrieve resource lock and tag information in the JSON response.
Azure Monitor
azure-monitor-log-profiles-list
Additional permissions required:
microsoft.insights/diagnosticSettings/read
The azure_prisma_cloud_read_only_role.json will be updated to include this permission.
Azure Storage
azure-storage-account-list
Updated the API to retrieve storage service properties for Cross-Origin Resource Sharing (CORS) metadata.
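New ingestions only work if the role Prisma Cloud assumes actually holds the new permissions, and a wildcard in an existing statement may or may not already cover them. The following Python is an added example, not part of Prisma Cloud or of its published role templates, that checks a policy document for the AWS permissions listed above using IAM's action wildcard semantics and explicit-deny precedence. The sample policy is constructed for illustration and is not the real Prisma Cloud read-only policy.

```python
import fnmatch
import json

# Constructed policy document standing in for the read-only policy a tenant
# attached before this release (assumed content, not the PrismaCloud policy).
EXISTING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ds:DescribeDirectories", "wafv2:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "glacier:List*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "wafv2:GetLoggingConfiguration", "Resource": "*"}
  ]
}
""")

# Permissions this release requires for the AWS Directory Service and
# WAF v2 ingestions.
REQUIRED_ACTIONS = [
    "ds:DescribeDirectories",
    "ds:ListTagsForResource",
    "wafv2:GetWebACL",
    "wafv2:GetLoggingConfiguration",
]


def _as_list(value):
    """IAM allows a string or a list in Action and Statement."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the required actions the policy does not effectively grant.
    An action counts as granted only if an Allow statement matches it and
    no Deny statement matches it (explicit deny always wins in IAM).
    Resource, Condition and NotAction are ignored: adequate for a
    Resource:"*" read-only role, not a general IAM simulator."""
    allowed, denied = [], []
    for statement in _as_list(policy.get("Statement")):
        bucket = allowed if statement.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(statement.get("Action")))
    missing = []
    for action in required:
        is_allowed = any(_matches(p, action) for p in allowed)
        is_denied = any(_matches(p, action) for p in denied)
        if is_denied or not is_allowed:
            missing.append(action)
    return missing
```

Running missing_actions against the sample reports ds:ListTagsForResource (never granted) and wafv2:GetLoggingConfiguration (granted by wafv2:Get* but explicitly denied); wafv2:GetWebACL passes through the wildcard. For a live account the same function can be fed the output of get-policy-version for each policy attached to the role.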

Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
New Policies and Policy Updates
New Policies
The following new policies are being added:
Azure Active Directory Guest users found
Identifies guest user accounts added to your Azure Active Directory instance, to give you visibility so that you can review these accounts and reduce risk. Note: This policy monitors Azure Active Directory instances only and does not monitor Azure Subscriptions.
Azure Cosmos DB IP range filter not configured
Identifies Azure Cosmos databases where the IP range filter is empty and it does not restrict access to a defined set of IP addresses or IP range.
AWS SageMaker notebook instance is not placed in VPC
Identifies SageMaker notebook instances that are not placed inside a VPC to ensure that it cannot be accessed outside a VPC network.
AWS SageMaker notebook instance not encrypted using Customer Managed Key
Identifies SageMaker notebook instances that are not encrypted using Customer Managed Key to have more granular control over the data-at-rest encryption/decryption process and meet compliance requirements.
AWS SageMaker notebook instance IAM policy overly permissive to all traffic
Identifies SageMaker notebook instances with IAM policies that are overly permissive to all traffic and do not restrict access to authorized users and applications only.
GCP Kubernetes cluster node auto-upgrade configuration disabled
Identifies GCP Kubernetes cluster nodes where the auto-upgrade configuration is disabled, so the nodes in your cluster are not kept up to date with the cluster master version when the master is upgraded.
GCP Kubernetes cluster node auto-repair configuration disabled
Identifies GCP Kubernetes cluster nodes where the auto-repair configuration is disabled, which prevents periodic checks on the health state of each node in your cluster.
GCP Kubernetes Cluster Shielded GKE Nodes feature disabled
Identifies Kubernetes clusters for which Shielded GKE Nodes is not enabled. Shielded nodes harden the underlying node VM and protect against attacks on the boot chain and against rootkits.
Policy Updates—Recommendation
AWS Default Security Group does not restrict all traffic
Updated Recommendation—The recommendation is updated to meet the revised CIS guideline for the policy.
Policy Updates—RQL and Metadata
AWS Elasticsearch IAM policy allows internet traffic
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action anyStartWith es:)] exists
With this change, the policy also checks for the IPv6 default route ::/0.
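The practical effect of the update is that a policy which opens Elasticsearch only to ::/0 is no longer missed. The following Python is an added example, not Prisma Cloud's evaluator, that applies the same three conditions as the RQL above (Allow, an es: action, and a world-open aws:SourceIp) to a constructed IAM policy document; the Sids and CIDRs are illustrative.

```python
import json

# Constructed IAM policy document for illustration (not from any tenant).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OpenV4", "Effect": "Allow", "Action": "es:ESHttpGet", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    {"Sid": "OpenV6", "Effect": "Allow", "Action": ["es:ESHttpPost", "es:ESHttpPut"], "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["2001:db8::/32", "::/0"]}}},
    {"Sid": "Office", "Effect": "Allow", "Action": "es:*", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyWorld", "Effect": "Deny", "Action": "es:*", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    {"Sid": "NotES", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "::/0"}}}
  ]
}
""")

# Default routes the policy looks for; "::/0" is the IPv6 case this update added.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _source_ips(statement):
    ip_condition = (statement.get("Condition") or {}).get("IpAddress") or {}
    return _as_list(ip_condition.get("aws:SourceIp"))


def internet_open_es_statements(policy):
    """Sid (or index when there is no Sid) of every Allow statement that grants
    an es: action and whose aws:SourceIp condition lists an IPv4 or IPv6
    default route. Mirrors the RQL: Effect equals Allow, Action anyStartWith
    es:, SourceIp contains 0.0.0.0/0 or ::/0. Like the RQL, it does not weigh
    Deny statements, other conditions, or a bare "*" action."""
    hits = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        if not any(a.lower().startswith("es:") for a in actions):
            continue
        if WORLD_CIDRS & set(_source_ips(statement)):
            hits.append(statement.get("Sid", index))
    return hits
```

Against the sample, OpenV4 and OpenV6 are reported; Office is scoped to a /24, DenyWorld is a deny, and NotES grants no es: action. Before this update a document containing only the OpenV6 statement would have produced no alert.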
Azure Security Center email notification for subscription owner is not set
Updated Metadata—Displays the timestamp for the lastModifiedOn attribute to indicate when the last change was made in Azure Security Center.
Azure Monitor log profile does not capture all activities
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.categories[] does not contain Write or properties.categories[] does not contain Delete or properties.categories[*] does not contain Action)'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Azure log profile not capturing activity logs for all regions
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and properties.isCapturingLogsForAllRegions is false'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Activity Log Retention should not be set to less than 365 days
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'
With this change, the azure-monitor-log-profiles-list API also checks whether diagnostics settings are enabled to export activity logs, and any open alerts will be resolved.
Azure SQL Database with Auditing Retention less than 90 days
Updated RQL—The RQL has been updated to
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = (serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90)) as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;
With this change, the policy also checks the audit policy configured for the SQL server. Some alerts may be reopened due to this additional check.

REST API Updates

Change
Description
Resource List APIs
A new set of APIs enables you to create and manage Resource Lists in Prisma Cloud.
Update
Deprecated Prisma Cloud Licensing APIs have been removed
The following deprecated APIs have been removed:
  • POST /usage/{cloud_type}
  • POST /timeline/usage
  • POST /v2/usage

Features Introduced in 20.11.1

New Features

Feature
Description
Data Profiles for Prisma Cloud Data Security
To provide control over which data profiles you use to discover sensitive content in your S3 buckets, you can now enable and disable data profiles.
For example, if you want Prisma Cloud to generate alerts only for violations that pertain to PII and Intellectual Property, you can disable the other data profiles. Doing so allows you to reduce the number of alerts and focus on the data security issues you care about most.
dlp-disable-profile.png
Scan Status in Data Inventory
If you have enabled the Prisma Cloud Data Security subscription, you can review the scan status in the Data Inventory table on Inventory > Data.
dlp-scan-status.png
The states are:
  • Scanning
    —Object is submitted successfully.
  • Failed
    —Object could not be submitted for scanning.
  • Not Sensitive
    —The object does not contain sensitive information for the data profiles and data patterns used to scan.
  • Not Supported
    —File type is not supported for scanning.
  • Too Large
    —File size is greater than 20MB.
Serverless Remediation Scripts for AWS
For auto-remediation of alerts generated against resources deployed on AWS, Prisma Cloud provides scripts that use AWS Lambda. The Prisma Cloud platform sends alert messages to an AWS SQS queue, which in turn invokes a Lambda function, index_prisma.py. The function then calls the appropriate runbook script to remediate the alert(s). With this approach you do not need to give Prisma Cloud read-write access to your AWS accounts, so it is an alternative way to try remediation for violating resources. Get the scripts from the GitHub repository.
There are currently 46 runbooks, available to you at no cost. Use them, and if you have a good way to solve a security concern, contribute it back to the community.
RQL Attribute
azure.resource.group
A new Config query RQL attribute, azure.resource.group, enables you to search for the configuration of resources hosted within a specific Azure Resource Group.
For example:
config where resource.status = Active AND azure.resource.group IN ( 'Azureprod1' , 'Azureprod-2' )
rql-azure-resource-group.png
API Ingestion
Azure Compute
azure-virtual-machine-scale-set-vm
Additional permissions required:
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
Google Cloud Spanner
gcloud-cloud-spanner-database
Additional permissions required:
spanner.databases.list
Optional
spanner.databases.getIamPolicy
These permissions are included in the predefined Project Viewer role.
AWS CloudFormation
aws-cloudformation-describe-stacks
Updated the API to retrieve metadata on enableTerminationProtection.
Amazon S3 Glacier
aws-glacier-vault
Additional permissions required:
glacier:ListTagsForVault
glacier:ListVaults
Both permissions are included in the AWS SecurityAudit managed policy.

New Policy and Policy Updates

Policy Name
Description
New Policies
The following new policies are being added:
AWS Database Migration Service endpoint do not have SSL configured
Identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections between source and target endpoints.
AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
Identifies SageMaker notebook instances that are not configured with data encryption at rest using the AWS Managed KMS key.
AWS SageMaker notebook instance configured with direct internet access
Identifies SageMaker notebook instances that are configured with direct internet access and allow unrestricted access from any source outside the VPC to establish a connection to the notebook instance.
Azure Application gateways listener that allow connection requests over HTTP
Identifies Azure application gateways that accept connection requests over HTTP, instead of using HTTPS for encrypted communication between application clients and gateways.
GCP cloud storage bucket with uniform bucket-level access disabled
Identifies storage buckets that are not configured with uniform bucket-level access. Enabling it gives the bucket a single permission system, with access granted only through Cloud IAM rather than a mix of IAM and object ACLs.
GCP VM instance configured with default service account
Identifies the GCP VM instances configured with the default service account, which increases the risk of privilege escalations if your VM is compromised.
Policy Updates—Description
AWS IAM policy attached to users
Updated Description—This policy identifies IAM policies attached to users. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups but not users.
Policy Updates—RQL and Metadata
Azure Security Center contact phone number not set
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
With this change, new alerts will be generated.
Updated Recommendation—Includes the CLI command to create new contact with phone number.
AWS Inactive users for more than 30 days
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = 'user does not equal <root_account> and _DateTime.ageInDays(user_creation_time) > 30 and (password_last_used equals N/A or password_last_used equals no_information or _DateTime.ageInDays(password_last_used) > 30) and ((access_key_1_last_used_date equals N/A or _DateTime.ageInDays(access_key_1_last_used_date) > 30) and (access_key_2_last_used_date equals N/A or _DateTime.ageInDays(access_key_2_last_used_date) > 30))'
With this change, the policy excludes the root account, even if it has been inactive for more than 30 days. Alerts previously generated for the root account will be resolved with the reason POLICY UPDATED.
AWS CloudTrail bucket is publicly accessible
Updated RQL—The RQL has been updated to
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))))" as X; config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as Y; filter'$.X.bucketName equals $.Y.s3BucketName'; show X;
With this change, the policy also checks the AWS S3 account-level public access block setting, and any open alerts for S3 buckets that are configured to block public access at the account level will be resolved.
The remediation CLI is also removed, so this policy is no longer a Remediable policy that includes automatic remediation for the violating resource.
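Because the RQL above encodes the interaction between bucket-level and account-level Public Access Block settings, the decision is easier to follow in code. The following Python is an added example, not Prisma Cloud's evaluator, that applies the same logic and the same join against CloudTrail destinations; the bucket and trail records are constructed to the field names the RQL uses and are not real API output.

```python
# Constructed samples of the two API responses the policy joins. Field names
# follow the RQL: acl.grants[].grantee, policyStatus.isPublic,
# publicAccessBlockConfiguration, accountLevelPublicAccessBlockConfiguration,
# bucketName and the trail's s3BucketName.
SAMPLE_BUCKETS = [
    {   # public ACL and nothing blocks it -> public
        "bucketName": "trail-logs-open",
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
    },
    {   # public ACL, but the account-level block ignores public ACLs -> not public
        "bucketName": "trail-logs-account-blocked",
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
        "accountLevelPublicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": True, "restrictPublicBuckets": True},
    },
    {   # public bucket policy and neither level restricts public buckets -> public
        "bucketName": "trail-logs-policy-public",
        "acl": {"grants": [{"grantee": "OwnerID", "permission": "FULL_CONTROL"}]},
        "policyStatus": {"isPublic": True},
        "publicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": False, "restrictPublicBuckets": False},
        "accountLevelPublicAccessBlockConfiguration": {
            "blockPublicAcls": False, "ignorePublicAcls": False,
            "blockPublicPolicy": False, "restrictPublicBuckets": False},
    },
    {   # public, but no trail writes here -> outside this policy's scope
        "bucketName": "app-assets-open",
        "acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        "policyStatus": {"isPublic": False},
    },
]
SAMPLE_TRAILS = [
    {"name": "org-trail", "s3BucketName": "trail-logs-open"},
    {"name": "sec-trail", "s3BucketName": "trail-logs-account-blocked"},
    {"name": "dev-trail", "s3BucketName": "trail-logs-policy-public"},
]


def _has_all_users_grant(bucket):
    grants = bucket.get("acl", {}).get("grants", [])
    return any(g.get("grantee") == "AllUsers" for g in grants)


def _neutralised(bucket_pab, account_pab, flag):
    """A Public Access Block neutralises an exposure only if it exists at
    that level with `flag` set. The two levels are independent, so one
    effective block is enough; the RQL spells out the three combinations
    in which neither is effective, plus the case where both are absent."""
    return any(pab is not None and pab.get(flag) is True
               for pab in (bucket_pab, account_pab))


def is_publicly_accessible(bucket):
    """Public via ACL unless ignorePublicAcls is on somewhere, or public via
    bucket policy unless restrictPublicBuckets is on somewhere."""
    bucket_pab = bucket.get("publicAccessBlockConfiguration")
    account_pab = bucket.get("accountLevelPublicAccessBlockConfiguration")
    via_acl = (_has_all_users_grant(bucket)
               and not _neutralised(bucket_pab, account_pab, "ignorePublicAcls"))
    via_policy = (bucket.get("policyStatus", {}).get("isPublic") is True
                  and not _neutralised(bucket_pab, account_pab, "restrictPublicBuckets"))
    return via_acl or via_policy


def public_cloudtrail_buckets(buckets, trails):
    """The join from the RQL: public buckets that are a CloudTrail destination."""
    destinations = {t.get("s3BucketName") for t in trails}
    return [b["bucketName"] for b in buckets
            if b["bucketName"] in destinations and is_publicly_accessible(b)]
```

The second sample bucket is exactly the case the note above says will now be resolved: its ACL is public, but the account-level block with ignorePublicAcls makes that ACL inert, so it no longer appears in the result. The fourth bucket is just as exposed as the first but is not a trail destination, so this policy does not report it.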

REST API Updates

Change
Description
Cloud Account APIs
A new, optional request query parameter, skipStatusChecks, enables you to skip account status checks to reduce the response time for the following APIs:
  • POST /cloud/{cloud_type}
  • PUT /cloud/{cloud_type}/{id}
IaC Scan V2 APIs
The response object for GET /iac/v2/scans/{scanId}/results includes a new attribute, data.attributes.docUrl, which provides a URL to the policy documentation relevant to a violation the IaC scan identifies.
