Features Introduced in April 2021
New Features Introduced in 21.4.2
New Features
FEATURE | DESCRIPTION |
---|---|
External ID Enhancement for Amazon SQS Integration | When you add a new Amazon SQS integration on Prisma Cloud, the External ID associated with the IAM role must be a UUID in 128-bit format, not an arbitrary string. For your convenience, the UUID is generated automatically on the Prisma Cloud web console; if you use the Prisma Cloud API, you must create one yourself. Existing integrations continue to work. If you modify an existing Amazon SQS integration, you must replace the External ID to pass the validation check and save your changes. |
Update Amazon SQS Integration | Prisma Cloud now supports the Amazon SQS integration for Alibaba Cloud in the Mainland China regions. |
API Ingestion | Amazon ECS: aws-ecs-container-instance. Additional permissions required: The Security Audit role includes these permissions. |
 | Amazon EKS: aws-eks-fargate-profile. Additional permissions required: These permissions are included in the PrismaCloud-IAM-ReadOnly-Policy-Config policy. |
 | Azure Active Directory: azure-active-directory-enforcement-policy. Additional permissions required: Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory. |
 | Azure Active Directory: azure-active-directory-group-settings. Additional permissions required: Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory. |
 | Google Resource Manager: gcloud-organization-folder. Additional permissions required: These permissions are included in the Resource Manager role. |
Update Azure Authorization | The azure-role-definition and azure-role-assignment APIs now also ingest the dataActions and notDataActions JSON metadata. This additional metadata is ingested using the permissions in the Reader role. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2): Identifies EC2 instances that are not configured with IMDSv2, which ensures that every request to the metadata service is protected by session authentication. |
 | AWS Application Load Balancer (ALB) not configured with AWS Web Application Firewall v2 (AWS WAFv2): Identifies ALBs that are not configured with AWS WAFv2 to protect against application-layer attacks. |
 | AWS Security Group allows all traffic on ICMP (Ping) protocol: Identifies security groups that allow all traffic on the ICMP (Ping) protocol. As a best practice, restrict ICMP solely to known static IP addresses and limit the access list to known hosts, services, or specific employees only. |
 | Azure Network Security Group allows all traffic on ports which are not commonly used: Checks for Azure Network Security Groups (NSGs) that allow all traffic on ports that are not commonly used. As a best practice, restrict these ports solely to known static IP addresses and limit the access list to known hosts, services, or specific employees only. |
 | GCP VM instance template with IP forwarding enabled: Identifies VM instance templates that have IP forwarding enabled, which can open unintended and undesirable communication paths by allowing VM instances to send and receive packets whose destination or source IP addresses do not match the instance. |
 | GCP Pub/Sub topic is not encrypted using a customer-managed encryption key: Identifies GCP Pub/Sub topics that are not encrypted with a customer-managed encryption key. |
Policy Updates—RQL and Metadata | AWS Elastic Load Balancer (ELB) with ACM certificate expiring in 90 days: This policy is renamed AWS Elastic Load Balancer (ELB) with ACM certificate expired or expiring in 90 days. Impact — Open alerts generated against the older policy name are resolved as Policy_Updated. |
 | Azure Security Center 'Standard pricing tier' is not selected: The recommendation steps for this policy have been updated to reflect the changes in the Azure portal UI. Impact — No impact on alerts. |
 | The recommendation steps have been updated for both policies according to the new changes introduced by AWS. Impact — No impact on alerts. |
 | Event Policies include cloud.type in the search_manager table: cloud.type has been updated to include all for the following five policies in the search_manager table: Impact — No impact on alerts. |
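The IMDSv2 policy above flags instances on which the metadata service still answers unauthenticated (IMDSv1) requests. As an added illustration, not Prisma Cloud's own RQL (which this page does not reproduce), the following Python classifies instances from an EC2 DescribeInstances response by the MetadataOptions.HttpTokens setting that enforces IMDSv2 session tokens; the sample response is constructed.

```python
import json

# Constructed sample: the shape of an EC2 DescribeInstances response, trimmed to the
# fields the check needs. Instance IDs and values are made up for illustration.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0a1b2c3d4e5f60001",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0a1b2c3d4e5f60002",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0a1b2c3d4e5f60003",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0a1b2c3d4e5f60004"}
]}]}
""")


def imdsv2_status(instance):
    """Classify one instance record.

    - "compliant":     IMDS reachable and HttpTokens=required (every request needs a session token)
    - "violation":     IMDS reachable and HttpTokens=optional or absent (IMDSv1 still answers)
    - "imds_disabled": endpoint switched off, so neither protocol version is exposed
    - "unknown":       MetadataOptions missing from the record, so no verdict can be given
    """
    opts = instance.get("MetadataOptions")
    if not opts:
        return "unknown"
    if opts.get("HttpEndpoint") == "disabled":
        return "imds_disabled"
    # AWS defaults HttpTokens to "optional" when it is not set explicitly.
    return "compliant" if opts.get("HttpTokens") == "required" else "violation"


def find_imdsv1_instances(describe_instances_response):
    """Return the instance IDs that the IMDSv2 policy would flag."""
    flagged = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if imdsv2_status(inst) == "violation":
                flagged.append(inst["InstanceId"])
    return flagged


if __name__ == "__main__":
    print(find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES))
```

Instances with the endpoint disabled are reported separately rather than as violations, since they expose neither IMDSv1 nor IMDSv2; a missing MetadataOptions block is reported as unknown rather than guessed.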
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
NIST 800-172 | NIST Special Publication 800-172 is now available on Prisma Cloud for Alibaba Cloud, AWS, Azure, GCP, and OCI. |
Motion Picture Association of America Compliance | Support for the Motion Picture Association of America (MPAA) benchmark is available on Alibaba Cloud, AWS, Azure, GCP, and OCI. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Update REST APIs for IaC Scan Version 1 | The following IaC Scan version 1 REST APIs are no longer supported: |
New Features Introduced in 21.4.1
New Features
FEATURE | DESCRIPTION |
---|---|
GCP Folders Hierarchy Mapping to Prisma Cloud Account Groups | To help you maintain the segregation of resources or business units based on your GCP resource hierarchy, you can now choose to automatically create account groups that match the folder structure when you onboard a GCP Organization on Prisma Cloud. You can choose one of two options for automatically mapping projects to account groups. Auto Map creates an account group with the same name as the top-level folder that contains the project, so each project is mapped to an account group named after its top-level folder. Recurse Hierarchy creates an account group for each folder within your GCP folder structure, so each folder is mapped to an account group of the same name, even if the folder contains no projects at the time you add the GCP account to Prisma Cloud. All automatically created account groups are labeled as auto-created by the Prisma Cloud System Admin, and you cannot modify these account groups. |
Richer Visualization to Summarize Prisma Cloud Policy Usage | To help you assess your coverage and utilization of the policies that monitor and manage the security and compliance posture of your cloud resources and protect against potential risks or misconfigurations, Prisma Cloud has added new visualizations on the Policies page. Use the graphs to learn how many policies are enabled, as a number or as a percentage of the total, review the split across policy types, see how many policies of high or medium severity are identified in your infrastructure, and gain greater context on the policy categories and on the Prisma Cloud versus custom policies that are generating alerts. |
Time Range Type Filter for Alerts | To help you find alerts that were opened, or whose status was updated, within a given time range, the following new filters are available on the Alerts page: Alert Opened filters alerts by when they were opened. Alert Status Updated filters alerts by when the alert status last changed from one state to another. Alert Updated filters alerts by when a resource update was observed but the alert status did not change. Prisma Cloud is rolling out a new alert subsystem; on all environments that have been upgraded you can see the new Time Range Type filter, and if you do not yet see it on your tenant, it will be available to you soon. |
API Ingestion | azure-container-registry: A new repositories field is ingested for existing azure-container-registry API resources that contain repositories. This update ingests additional information for the existing azure-container-registry API. Additional permissions are not required; the existing Reader role includes the permissions. |
New Policies and Policy Updates
POLICY NAME | DESCRIPTION |
---|---|
New Policies | AWS SNS topic policy overly permissive for publishing: Identifies AWS SNS topics whose SNS policy is overly permissive for publishing. When a message is published, Amazon SNS attempts to deliver the message to the subscribed endpoints. To protect these messages from attackers and unauthorized usage, publish permissions should be granted only to authorized users. |
 | AWS SNS topic policy overly permissive for subscription: Identifies AWS SNS topics whose SNS policy is overly permissive for subscription. When you subscribe an endpoint to a topic, the endpoint begins to receive messages published to the associated topic. To protect these messages from attackers and unauthorized usage, subscribe permissions should be granted only to authorized users. |
 | Azure Key Vault Firewall is not enabled: Identifies Azure Key Vaults that have the Firewall disabled. Enabling the Azure Key Vault Firewall prevents unauthorized traffic from reaching your key vault. It is a best practice to enable the Azure Key Vault Firewall, which provides an additional layer of protection for your secrets. |
 | Azure Key Vault Purge protection is not enabled: Identifies Azure Key Vaults that have Purge protection disabled. This could result in alerts being generated for all Azure Key Vaults that have not enabled the Purge protection setting. |
IAM Security | The following new policies have been added for IAM Security on Prisma Cloud: |
Policy Updates—RQL and Metadata | AWS IAM policy allows assume role permission across all services: The policy RQL has been updated to exclude Deny policy statements from the policy reporting. Updated RQL — The updated RQL is: Impact — Alerts raised for Deny policy statements are resolved as 'Policy_Updated'. |
 | Azure Application Gateway does not have the Web application firewall (WAF) enabled: The RQL did not account for Azure Application Gateway resources that had a WAF policy attached through the WAF service and was therefore creating false positives. The policy RQL has been updated to resolve these false positives. Updated RQL — The updated RQL is: Impact — Alerts raised for Application Gateways that have the WAF policy enabled through the WAF service are resolved with the reason Policy_Updated. |
Policy Updates—Remediation | Azure Security Center web application firewall monitoring is set to disabled: The policy has been removed because the Disable / Audit setting has been deprecated by Azure in the Security Center recommendations. Impact — All alerts generated for this policy are resolved with the reason Policy_Deleted. |
 | Threat Detection on SQL databases is set to Off: The policy recommendation has been updated to reflect the UI changes made on Azure. Impact — No impact on alerts. |
 | The following GCP policies have been updated so that their recommendation steps match the GCP web interface: Impact — No impact on alerts. |
Policy Update for Improved Accuracy | To ensure better accuracy of alerts, the following out-of-the-box policies have an RQL change that addresses a Config RQL query issue which occurs when the filter part of a join contains a negation (a `not ()` surrounding the filter clause) AND at least one of the join variables (X, Y, or Z) is empty at evaluation: For example, if X is defined as: you will always get no results if you currently have no VPCs in your cloud account, even if Y and/or Z are non-empty. Impact — With this update, you may see new alerts generated against the policies listed above. Additionally, if you have used such a negated filter clause in a custom policy with an API that is sometimes likely to return no results, Prisma Cloud may generate alerts that were not triggered for the same policy previously. |
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
NIST 800-171 rev 2 | NIST Special Publication 800-171 Revision 2 is now available on Prisma Cloud for AWS, GCP, Azure, Alibaba, and OCI. |
PCI DSS 3.2.1 | Support for Payment Card Industry Data Security Standard version 3.2.1 is available on AWS, GCP, Azure, Alibaba, and OCI. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Breaking Change: Anomaly Settings APIs have changed | The valid values for the Anomaly Settings attributes alertDisposition and trainingModelThreshold have changed. The new valid values for alertDisposition are Aggressive, Moderate, and Conservative. The new valid values for trainingModelThreshold are Low, Medium, and High. These attributes are included in the following API endpoints: |
A new optional parameter exists for GCP Org Cloud Account APIs | The following GCP cloud account APIs have a new optional request body parameter, accountGroupCreationMode: |
A new Cloud Account API, which uses POST, is available to list cloud names | You can now use the following new API to list cloud account names: Note that GET /cloud/name is also still available. |
Valid request parameters to add or update an Amazon SQS integration have changed | When you add or update an Amazon SQS integration with the IAM role associated with Prisma Cloud, the request body parameter integrationConfig.externalId must now be a unique 128-bit UUID. |
Alert filter suggestion includes a new attribute timeRange.type | The response object for the following API includes a new attribute, timeRange.type: |
Anomaly Trusted List entries support a new attribute subject | The response objects for the following APIs include a new attribute, subject: |
The response object for some Cloud Account APIs has a new attribute deploymentType | The response objects for the following APIs include a new attribute, deploymentType: |
A request body parameter that was required for some Data Security Settings APIs is now optional | The request body parameter description was required but is now optional for the following APIs: |