Features Introduced in October 2020

Learn what’s new on Prisma™ Cloud in October 2020.

Features Introduced in 20.10.2

New Features

Feature
Description
Support for CIS GKE v.1.1.0
Compliance support for CIS Google Kubernetes Engine Foundation Benchmark v.1.1.0 is added to include checks for services such as Control Plane Components/Configuration, Worker Nodes Policies, and Managed Services.
Support for NIST 800-53 Rev 5
Prisma Cloud has updated the mappings and controls for the National Institute of Standards and Technology (NIST) 800-53 revision 5 for Alibaba, AWS, Azure, and GCP clouds.
Updates to NIST 800-53 Rev 4
The NIST 800-53 Rev 4 is updated to add support for Alibaba Cloud and includes over 300 policies to check for compliance against the framework.
Support for Multi Level Protection Scheme v2.0
Prisma Cloud adds the compliance checks for Multi Level Protection Scheme (MLPS) v2.0 that network operators in Mainland China must follow to fulfil the cybersecurity obligations laid out by the Chinese Ministry of Public Security (MPS). This framework includes policies to verify compliance on AWS, Azure, and Alibaba Cloud resources deployed in Mainland China regions.
ServiceNow Integration Support for Paris
Prisma Cloud supports the ServiceNow integration with the Paris release.
Adjustable Scan Quota for Prisma Cloud Data Security
The scan quota for data stored on AWS S3 buckets is set to 10TB per tenant. If you have a large volume of data stored in AWS buckets that are monitored using Prisma Cloud, this limit allows you to manage how many Prisma Cloud credits you want to use for data security.
If you want to change the scan quota for your Prisma Cloud tenant, please contact Prisma Cloud customer support.
Enhancements for Prisma Cloud IaC Scan
The Prisma Cloud IaC scan service now has an API version 2, which enables you to scan templates against policies and display scan results asynchronously, for a better user experience.
All existing plugins will be updated to support the IaC Scan API v2. IaC Scan API v1 is being deprecated and will continue to work until January 31, 2021. For more information, see REST API Updates.
API Ingestion
AWS WAF
aws-waf-classic-global-web-acl-resource
Additional permissions required:
"waf:ListWebACLs" is included with the Security Audit policy.
You must add the following permissions to a custom role:
"waf:GetWebACL"
"waf:ListTagsForResource"
"waf:GetLoggingConfiguration"
Azure SQL Database
azure-sql-server-list
Updated the API to include more properties for firewallRules.
Google Compute Engine
gcloud-compute-vpn-tunnel
Additional permissions required:
compute.vpnTunnels.list
This permission is included in the predefined Compute Network Viewer role.
Google Cloud Spanner
gcloud-cloud-spanner-instance-config
Additional permissions required:
spanner.instanceConfigs.list
This permission is included in the predefined Compute Security Admin and Cloud Spanner Viewer roles.
Update
For Google Compute Engine APIs, Prisma Cloud now retrieves data on the action that allows or denies traffic to your VM instances based on VPC firewall rules. This information is displayed on the Resource Explorer.
Update
Investigate Link for Configuration Alerts is Removed
For alerts generated against configuration policies that identify access to cloud resources based on unrestricted access or unattached security group configuration, the Investigate button is removed.
Update
Labels Used in Azure Account Onboarding
When you add an Azure account on Prisma Cloud, the labels in the onboarding flow have been updated as follows:
  • Application ID is now Application (Client) ID
  • Application Key is now Application Client Secret
  • Service Principal Object ID is now Enterprise Application Object ID
  • Tenant ID for your Azure Active Directory is now Directory (Tenant) ID

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
Policy Name
Description
New Policies
36 new Anomaly policies for Network Sub Type that are based on the AutoFocus threat feed information. These policies correspond to 18 AutoFocus threat tag groups, such as Worm and Botnet. Each threat tag group introduces two policies, external and internal, to detect malicious activities that are initiated from an internal source on your network or from an external source.
Policy Updates—RQL and Metadata
The following policies are updated:
GCP VM instances have block project-wide SSH keys feature disabled
Updated RQL—The RQL has been updated to
config where api.name = 'gcloud-compute-project-info' AND json.rule = commonInstanceMetadata.kind equals "compute#metadata" and commonInstanceMetadata.items[?any(key contains "block-project-ssh-keys" and (value contains "true" or value contains "TRUE" or value contains "1"))] does not exist as X; config where api.name = 'gcloud-compute-instances-list' AND json.rule = metadata.items[*].key does not exist or metadata.items[?any(key does not contain "block-project-ssh-keys")] exists as Y; filter ' $.Y.zone contains $.X.name'; show Y;
With this change, this policy will identify Google Compute Engine instances that allow the use of project-wide SSH keys, instead of requiring instance-level SSH keys.
Azure Network Security Group allows FTP (TCP Port 21)
Updated Name—
Azure Network Security Group allows all traffic on FTP (TCP Port 21)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(21,21) or destinationPortRanges[*] contains _Port.inRange(21,21) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group (NSG) allows SSH traffic from 'internet' source service tag on port 22
Updated Name—
Azure Network Security Group allows all traffic on SSH port 22
Updated RQL—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationPortRange contains _Port.inRange(22,22) or destinationPortRanges[*] contains _Port.inRange(22,22) ))] exists
Azure Network Security Group allows Telnet (TCP Port 23)
Updated Name—
Azure Network Security Group allows all traffic on Telnet (TCP Port 23)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(23,23) or destinationPortRanges[*] contains _Port.inRange(23,23) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows SMTP (TCP Port 25)
Updated Name—
Azure Network Security Group allows all traffic on SMTP (TCP Port 25)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(25,25) or destinationPortRanges[*] contains _Port.inRange(25,25) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows DNS (UDP Port 53)
Updated Name—
Azure Network Security Group allow all traffic on DNS (UDP Port 53)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(53,53) or destinationPortRanges[*] contains _Port.inRange(53,53) ))] exists
Azure Network Security Group allows DNS (TCP Port 53)
Updated Name—
Azure Network Security Group allow all traffic on NetBios DNS (TCP Port 53)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(53,53) or destinationPortRanges[*] contains _Port.inRange(53,53) ))] exists
Azure Network Security Group allows Windows RPC (TCP Port 135)
Updated Name—
Azure Network Security Group allows all traffic on Windows RPC (TCP Port 135)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(135,135) or destinationPortRanges[*] contains _Port.inRange(135,135) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows NetBIOS (UDP Port 137)
Updated Name—
Azure Network Security Group allows all traffic on NetBIOS (UDP Port 137)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(137,137) or destinationPortRanges[*] contains _Port.inRange(137,137) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows NetBIOS (UDP Port 138)
Updated Name—
Azure Network Security Group allow all traffic on NetBIOS (UDP Port 138)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(138,138) or destinationPortRanges[*] contains _Port.inRange(138,138) ))] exists
Azure Network Security Group allows Windows SMB (TCP Port 445)
Updated Name—
Azure Network Security Group allow all traffic on Windows SMB (TCP Port 445)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(445,445) or destinationPortRanges[*] contains _Port.inRange(445,445) ))] exists
Azure Network Security Group allows CIFS (UDP Port 445)
Updated Name—
Azure Network Security Group allow all traffic on CIFS (UDP Port 445)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(445,445) or destinationPortRanges[*] contains _Port.inRange(445,445) ))] exists
Azure Network Security Group allows SQL Server (TCP Port 1433)
Updated Name—
Azure Network Security Group allows all traffic on SQL Server (TCP Port 1433)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(1433,1433) or destinationPortRanges[*] contains _Port.inRange(1433,1433) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allowing SQLServer (UDP Port 1434) traffic from 'any' source or with 'Internet' source service tag
Updated Name—
Azure Network Security Group allow all traffic on SQL Server (UDP Port 1434)
Updated RQL—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Udp or protocol equals *) and (destinationPortRange contains _Port.inRange(1434,1434) or destinationPortRanges[*] contains _Port.inRange(1434,1434) ))] exists
Azure Network Security Group allows MySQL (TCP Port 3306)
Updated Name—
Azure Network Security Group allows all traffic on MySQL (TCP Port 3306)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(3306,3306) or destinationPortRanges[*] contains _Port.inRange(3306,3306) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group (NSG) allows traffic from internet on port 3389
Updated Name—
Azure Network Security Group allow all traffic on RDP Port 3389
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationPortRange contains _Port.inRange(3389,3389) or destinationPortRanges[*] contains _Port.inRange(3389,3389) ))] exists
Azure Network Security Group allows MSQL (TCP Port 4333)
Updated Name—
Azure Network Security Group allows all traffic on MSQL (TCP Port 4333)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(4333,4333) or destinationPortRanges[*] contains _Port.inRange(4333,4333) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows PostgreSQL (TCP Port 5432)
Updated Name—
Azure Network Security Group allows all traffic on PostgreSQL (TCP Port 5432)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5432,5432) or destinationPortRanges[*] contains _Port.inRange(5432,5432) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group allows VNC Listener (TCP Port 5500)
Updated Name—
Azure Network Security Group allow all traffic on VNC Listener (TCP Port 5500)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5500,5500) or destinationPortRanges[*] contains _Port.inRange(5500,5500) ))] exists
Azure Network Security Group allows VNC Server (TCP Port 5900)
Updated Name—
Azure Network Security Group allows all traffic on VNC Server (TCP Port 5900)
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals *) and (destinationPortRange contains _Port.inRange(5900,5900) or destinationPortRanges[*] contains _Port.inRange(5900,5900) ))] exists
With this change, some alerts may be resolved with resolution reason as policy updated and some alerts may be reopened based on the resource configuration.
Azure Network Security Group (NSG) with Inbound rule overly permissive to 'Internet' source service tag on TCP protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic on TCP protocol
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals Tcp and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
Azure Network Security Group allow ICMP (Ping)
Updated Name—
Azure Network Security Group allow all traffic on ICMP (Ping)
Updated RQL—Updated RQL is
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Icmp or protocol equals *) and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
Azure Network Security Group with Outbound rule to allow all traffic to any source
Updated Name—
Azure Network Security Group with overly permissive outbound rule.
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Outbound and (sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (destinationAddressPrefix equals * or destinationAddressPrefix equals Internet))] exists
With this update, the policy will now check for Network Security Groups with outbound rules that allow traffic to the internet. Because the check is for outbound rules, the number of alerts generated might increase.
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on any protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic on any protocol
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals * and access equals Allow and destinationPortRange contains * and direction equals Inbound)] exists
With this update, the policy will now check for Network Security Groups with inbound rules that allow traffic from the internet to the resources in your Azure VNET.
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on UDP protocol
Updated Name—
Azure Network Security Group (NSG) having Inbound rule overly permissive to all traffic from Internet on UDP protocol
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any((sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and protocol equals Udp and access equals Allow and direction equals Inbound and destinationPortRange contains *)] exists
Azure storage accounts has blob container with public access
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = totalPublicContainers > 0 and (properties.allowBlobPublicAccess is true or properties.allowBlobPublicAccess does not exist)
With this change, the policy now checks the public access setting of both the Azure storage account and the blob container.
Azure Storage account container storing activity logs is publicly accessible
Updated RQL—The RQL has been updated to
config where api.name = 'azure-storage-account-list' AND json.rule = publicContainersList[*] contains insights-operational-logs and (properties.allowBlobPublicAccess is true or properties.allowBlobPublicAccess does not exist) as X; config where api.name = 'azure-monitor-log-profiles-list' as Y; filter '$.X.id contains $.Y.properties.storageAccountId'; show X;
With this change, the policy now checks the public access setting of both the Azure storage account and the container that stores the activity logs.
Policy Deletions
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to all TCP traffic from any source
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to all UDP traffic from any source
  • Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol
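The Azure Network Security Group policies above (the per-port rules, the protocol-wide "overly permissive" rules and the outbound rule) and the two storage account policies all reduce to a handful of predicates over the resource JSON. The Python below is an added example, not Prisma Cloud code or its RQL engine: it re-implements those predicates and runs them over constructed sample resources. The field names are the ones the RQL references (securityRules[].access, direction, sourceAddressPrefix, protocol, destinationPortRange, destinationPortRanges, totalPublicContainers, properties.allowBlobPublicAccess); the sample values and the shortened policy labels are assumptions.

```python
# Added example (not Prisma Cloud code): Python equivalents of the updated Azure NSG
# and storage account policies, evaluated over constructed sample resources.

# Source prefixes that the updated policies treat as "anyone on the internet".
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0", "::/0"}


def port_in_range(spec, port):
    """Mirror of the RQL `_Port.inRange(p, p)` test for one Azure port spec:
    '*', a single port such as '22', or a range such as '1000-2000'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_port_specs(rule):
    """destinationPortRange plus destinationPortRanges[*], blanks dropped."""
    specs = [rule.get("destinationPortRange") or ""]
    specs.extend(rule.get("destinationPortRanges") or [])
    return [s for s in specs if s]


def inbound_internet_rules(nsg):
    """Allow/Inbound rules whose source is one of INTERNET_SOURCES."""
    for rule in nsg.get("securityRules", []):
        if (rule.get("access") == "Allow" and rule.get("direction") == "Inbound"
                and rule.get("sourceAddressPrefix") in INTERNET_SOURCES):
            yield rule


def nsg_exposes_port(nsg, port, protocols=None):
    """Per-port policies. `protocols` is the set the policy accepts, e.g. {"Tcp", "*"};
    the SSH (22) and RDP (3389) RQL has no protocol clause, which None reproduces."""
    for rule in inbound_internet_rules(nsg):
        if protocols is not None and rule.get("protocol") not in protocols:
            continue
        if any(port_in_range(spec, port) for spec in rule_port_specs(rule)):
            return True
    return False


def nsg_exposes_all_ports(nsg, protocols):
    """Protocol-wide policies: destinationPortRange must literally contain '*'."""
    return any(rule.get("protocol") in protocols
               and "*" in (rule.get("destinationPortRange") or "")
               for rule in inbound_internet_rules(nsg))


def nsg_permissive_outbound(nsg):
    """Updated outbound policy: Allow/Outbound from any source to '*' or 'Internet'."""
    return any(rule.get("access") == "Allow" and rule.get("direction") == "Outbound"
               and rule.get("sourceAddressPrefix") in {"*", "0.0.0.0/0", "::/0"}
               and rule.get("destinationAddressPrefix") in {"*", "Internet"}
               for rule in nsg.get("securityRules", []))


def storage_account_public_blobs(account):
    """Updated storage policy: public containers exist and allowBlobPublicAccess is
    true OR ABSENT. The absent case is the point of the update: an account that never
    had the setting written still serves its public containers."""
    allow = account.get("properties", {}).get("allowBlobPublicAccess")
    return account.get("totalPublicContainers", 0) > 0 and (allow is None or allow is True)


# A subset of the per-port policies above: label -> (port, accepted protocols).
PORT_POLICIES = {
    "FTP (TCP Port 21)": (21, {"Tcp", "*"}),
    "SSH port 22": (22, None),
    "DNS (UDP Port 53)": (53, {"Udp", "*"}),
    "SQL Server (TCP Port 1433)": (1433, {"Tcp", "*"}),
    "RDP Port 3389": (3389, None),
}


def evaluate_nsg(nsg):
    """Return {policy label: violated?} for one NSG."""
    findings = {label: nsg_exposes_port(nsg, port, protos)
                for label, (port, protos) in PORT_POLICIES.items()}
    findings["all traffic on TCP protocol"] = nsg_exposes_all_ports(nsg, {"Tcp"})
    findings["all traffic on any protocol"] = nsg_exposes_all_ports(nsg, {"*"})
    findings["overly permissive outbound rule"] = nsg_permissive_outbound(nsg)
    return findings


# Constructed sample NSG: "allow-admin-range" opens 3380-3390 on any protocol to
# 0.0.0.0/0 (so RDP 3389 fires), the SSH rule is scoped to one office prefix.
SAMPLE_NSG = {"name": "web-nsg", "securityRules": [
    {"name": "allow-https", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "allow-admin-range", "access": "Allow", "direction": "Inbound", "protocol": "*",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "",
     "destinationPortRanges": ["3380-3390", "5985"]},
    {"name": "allow-ssh-office", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-all-out", "access": "Allow", "direction": "Outbound", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
]}

# Constructed storage accounts: only "legacyacct" (setting never written) is flagged.
SAMPLE_STORAGE_ACCOUNTS = [
    {"name": "legacyacct", "totalPublicContainers": 2, "properties": {}},
    {"name": "lockedacct", "totalPublicContainers": 2, "properties": {"allowBlobPublicAccess": False}},
    {"name": "emptyacct", "totalPublicContainers": 0, "properties": {"allowBlobPublicAccess": True}},
]


def flagged_storage_accounts(accounts):
    return [a["name"] for a in accounts if storage_account_public_blobs(a)]


if __name__ == "__main__":
    for label, hit in evaluate_nsg(SAMPLE_NSG).items():
        print(("ALERT " if hit else "ok    ") + label)
    print("public blob exposure:", flagged_storage_accounts(SAMPLE_STORAGE_ACCOUNTS))
```

Two details carry over from the RQL: a port hidden inside a range in destinationPortRanges is only caught because the check expands ranges the way `_Port.inRange` does, and a storage account with no allowBlobPublicAccess property at all is treated as exposed rather than skipped.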

REST API Updates

Change
Description
Infrastructure-As-Code (IaC) Scan API Version 2
A new set of Prisma Cloud IaC scan APIs enables you to scan templates to check against policies asynchronously. The new asynchronous APIs solve timeout issues, increase the file size limit to 300MB, and include support for Terraform version 0.13.
New Licensing APIs
A new set of Licensing APIs that offers improved performance and scalability is available.

Features Introduced in 20.10.1

New Features

Feature
Description
Role-Based Authentication on Amazon SQS Integration
When integrating Prisma Cloud with Amazon SQS, you now have the flexibility to specify an IAM Role to enable alert notifications to SQS. If you use Assume Role for cross-account access to AWS resources, you can provide the Role ARN and External ID associated with the IAM Role on Prisma Cloud.
Support for CIS v1.1.0 on GCP and CIS v1.3.0 on AWS
The CIS compliance standard on Prisma Cloud is updated to include policy updates that check for compliance with the requirements and sections in the benchmark as outlined in v1.1.0 on GCP and v1.3.0 on AWS. For example, the requirements and sections updated on GCP add support for BigQuery and IAM, and those on AWS add IAM, SNS, and S3. Refer to the CIS benchmarks for details on all the services that are in scope for the update.
Trusted Source Exclusion for UEBA Anomaly Policies
To exclude internal or external IP addresses, such as addresses that belong to system administrators or those you use for testing access to new instances or services, you can now add them in CIDR format on Settings > Anomaly Settings > Anomaly Trusted List. Any addresses included in this list will not generate alerts against the specified Prisma Cloud Anomaly Policies.
If you had previously specified these IP addresses on Settings > Trusted IP Addresses > Trusted Alert IP Addresses, use this enhancement to delete the existing configuration and re-add the addresses to the Anomaly Trusted List. When you add the CIDR block to the Anomaly Trusted List, you can specify the cloud account or VPC with which the addresses are associated.
API Ingestion
AWS Glue
aws-glue-connection
Additional permissions required:
Permission: glue:GetConnection
Azure Virtual Network
The following APIs are updated to include information on loadBalancerBackendAddressPools:
azure-network-lb-list
azure-network-nic-list
Azure Event Hub
azure-event-hub
Additional permissions required:
"Microsoft.EventHub/namespaces/eventhubs/read"
"Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read"
If you use the Terraform templates that Prisma Cloud provides for onboarding, the permission is added to the azure_prisma_cloud_read_only_role.json.
Google Cloud Spanner
gcloud-cloud-spanner-instance
Additional permissions required:
spanner.instances.list
This permission is included in the predefined Project Viewer role.
Update
Risk Rating is Removed
Prisma Cloud has removed Risk rating from the following places:
  • On Dashboard > SecOps, the Risk Rating By Scanned Accounts widget.
  • On the Cloud Security Assessment report, the Scanned Resources by Risk Rating chart.
  • On Alerts > Overview, the filter for Risk Grade.
  • In the Rating column on the Alerts details page.
  • The Rating column in the .csv file, when you download alerts or receive an attachment as a scheduled alert email.
The deprecation notice was published starting 20.8.2.

New Policy and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
Policy Name
Description
New Policies
GCP SQL database is assigned with public IP—Identifies GCP SQL databases that are assigned a public IP address, which increases application latency and network risks.
GCP VM instance with the external IP address—Identifies VM instances that are accessible using an external or public IP address. To reduce your attack surface, VM instances should not have public/external IP addresses and should be configured behind load balancers, to minimize the risks associated with direct exposure to the internet.
GCP VM instance with Shielded VM features disabled—Identifies VM instances on which the Shielded VM features are disabled. Shielded VMs are VMs on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
GCP SQL database instance is not configured with automated backups—Identifies the GCP SQL database instances that are not configured with automated backups to protect against loss or damage.
AWS Network ACLs allow ingress traffic to server administration ports—Identifies AWS Network Access Control Lists (NACLs) that include rules to allow ingress traffic on server administration ports.
Policy Updates—RQL and Metadata
The following policies are updated:
Azure disk is unattached and not encrypted
Policy Name Updated—Azure disk is unattached and is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-disk-list' AND json.rule = '(managedBy does not exist or managedBy is empty) and (encryptionSettings does not exist or encryptionSettings.enabled is false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy will identify Azure disks that are unattached and not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].
Azure Data disk is not encrypted
Policy Name Updated—Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType does not exist and managedBy exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK] or Customer Managed Key [SSE with CMK].
Azure disk for VM operating system is not encrypted at rest using ADE
Policy Name Updated—Azure VM OS disk is encrypted with the default encryption key instead of ADE/CMK.
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-disk-list' and json.rule = 'osType exists and (encryptionSettings does not exist or encryptionSettings.enabled == false) and encryption.type does not equal EncryptionAtRestWithCustomerKey'
With this change, this policy will identify Azure disks that are not encrypted with Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK].
SQL Instances do not have SSL configured
Updated RQL—The RQL has been updated to
config where cloud.type = 'gcp' AND api.name='gcloud-sql-instances-list' and json.rule = "(settings.ipConfiguration.requireSsl is true and _DateTime.ageInDays(serverCaCert.expirationTime) > -1) or not (settings.ipConfiguration.requireSsl is true)"
With this change, the policy identifies SQL instances with expired SSL certificates in addition to instances on which SSL is not enabled.
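The three updated Azure disk policies share one clause (no Azure Disk Encryption and no customer-managed key) and differ only in how they select the disk, and the updated GCP SQL policy turns on what `_DateTime.ageInDays` means for a certificate expiry. The Python below is an added example, not Prisma Cloud code or its RQL engine: it reproduces those checks and runs them over constructed sample resources. Field names follow the RQL (managedBy, osType, encryptionSettings.enabled, encryption.type, settings.ipConfiguration.requireSsl, serverCaCert.expirationTime); the sample values, the fixed clock and the shortened finding labels are assumptions.

```python
# Added example (not Prisma Cloud code): Python equivalents of the updated Azure disk
# encryption policies and the GCP SQL SSL policy, over constructed sample resources.
from datetime import datetime, timezone

CUSTOMER_KEY = "EncryptionAtRestWithCustomerKey"


def ade_enabled(disk):
    """Azure Disk Encryption counts only when encryptionSettings exists and enabled is true."""
    settings = disk.get("encryptionSettings") or {}
    return settings.get("enabled") is True


def default_key_only(disk):
    """Clause shared by all three disk policies: no ADE and no SSE with a customer key."""
    return not ade_enabled(disk) and disk.get("encryption", {}).get("type") != CUSTOMER_KEY


def disk_findings(disk):
    """Shortened names of the updated disk policies this disk violates.

    The three RQLs are evaluated independently, so an unattached OS disk would match
    both the 'unattached' and the 'OS disk' policy; that is reproduced on purpose.
    """
    if not default_key_only(disk):
        return []
    findings = []
    managed_by = disk.get("managedBy")
    if managed_by is None or managed_by == "":          # managedBy does not exist / is empty
        findings.append("unattached disk uses default key")
    if "osType" not in disk and "managedBy" in disk:    # data disk attached to a VM
        findings.append("VM data disk uses default key")
    if "osType" in disk:                                # OS disk
        findings.append("VM OS disk uses default key")
    return findings


def sql_instance_finding(instance, now):
    """Updated GCP SQL policy. `_DateTime.ageInDays(t)` grows positive once t is in the
    past, so `> -1` means the server CA certificate expires today or already has."""
    require_ssl = (instance.get("settings", {}).get("ipConfiguration", {})
                   .get("requireSsl") is True)
    if not require_ssl:
        return "SSL not required"
    expiry = datetime.fromisoformat(
        instance["serverCaCert"]["expirationTime"].replace("Z", "+00:00"))
    if (now - expiry).days > -1:
        return "server CA certificate expired"
    return None


# Constructed sample disks; the managedBy values are placeholder resource IDs.
SAMPLE_DISKS = [
    {"name": "orphan-data", "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "vm1-os", "managedBy": "/subscriptions/sub-a/vm1", "osType": "Linux",
     "encryptionSettings": {"enabled": True},
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "vm1-data", "managedBy": "/subscriptions/sub-a/vm1",
     "encryptionSettings": {"enabled": False},
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "vm2-os-cmk", "managedBy": "/subscriptions/sub-a/vm2", "osType": "Windows",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
]

NOW = datetime(2020, 10, 15, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

# Constructed sample Cloud SQL instances.
SAMPLE_SQL_INSTANCES = [
    {"name": "db-ok", "settings": {"ipConfiguration": {"requireSsl": True}},
     "serverCaCert": {"expirationTime": "2030-01-01T00:00:00Z"}},
    {"name": "db-expired-ca", "settings": {"ipConfiguration": {"requireSsl": True}},
     "serverCaCert": {"expirationTime": "2020-09-01T00:00:00Z"}},
    {"name": "db-plaintext", "settings": {"ipConfiguration": {"requireSsl": False}},
     "serverCaCert": {"expirationTime": "2030-01-01T00:00:00Z"}},
]


def report(disks=SAMPLE_DISKS, instances=SAMPLE_SQL_INSTANCES, now=NOW):
    """Return {resource name: finding(s)} for every resource that violates a policy."""
    out = {d["name"]: disk_findings(d) for d in disks if disk_findings(d)}
    for inst in instances:
        finding = sql_instance_finding(inst, now)
        if finding:
            out[inst["name"]] = finding
    return out


if __name__ == "__main__":
    for name, finding in report().items():
        print(name + ": " + str(finding))
```

Note that a disk with encryptionSettings present but enabled set to false is treated exactly like one with no encryptionSettings at all, which is what the `encryptionSettings does not exist or encryptionSettings.enabled == false` clause says; and a certificate that expires later today already counts as expired under the `> -1` comparison.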

REST API Updates

Change
Description
Update
Deprecated Prisma Cloud Public REST APIs for IP Allow List have been removed
The following APIs have been removed:
  • GET /whitelist/network
  • POST /whitelist/network
  • GET /whitelist/network/{uuid}
  • PUT /whitelist/network/{uuid}
  • POST /whitelist/network/{uuid}/cidr
  • PUT /whitelist/network/{uuid}/cidr/{cidrUuid}
  • DELETE /whitelist/network/{uuid}/cidr/{cidrUuid}
  • GET /ip_whitelist_login
  • POST /ip_whitelist_login
  • GET /ip_whitelist_login/{id}
  • PUT /ip_whitelist_login/{id}
  • DELETE /ip_whitelist_login/{id}
  • GET /ip_whitelist_login/status
  • PATCH /ip_whitelist_login/status
  • GET /ip_whitelist_login/tab
Update
Deprecated Prisma Cloud Public REST API fields for Enterprise Settings have been removed
The enterprise settings model fields anomalyTrainingModelThreshold and anomalyAlertDisposition have been removed. These fields are no longer in:
  • The response object for GET /settings/enterprise
  • The request body parameters for POST /settings/enterprise
Amazon SQS integration
The request body for the Prisma Cloud APIs to add, update, or test an Amazon SQS integration includes two new parameters for IAM role support. The new parameters are:
  • integrationConfig.roleArn
  • integrationConfig.externalId
The APIs that include these new request body parameters are:
  • POST /integration/test
  • POST /integration
  • PUT /integration/{id}
Resource RRN
The object model for the Prisma Cloud Restricted Resource Name (RRN) includes a new read-only property idmapId. The response object for each of the following APIs includes this new property:
  • GET /resource
  • GET /resource/raw
