Features Introduced in April 2021

New Features Introduced in 21.4.2

New Features

FEATURE
DESCRIPTION
External ID Enhancement for Amazon SQS Integration
When you add a new Amazon SQS integration on Prisma Cloud, the External ID associated with the IAM role must be a UUID in a 128-bit format, and not any random string.
For your convenience, the UUID is automatically generated on the Prisma Cloud web console. You must manually create one if you’re using the Prisma Cloud API.
Any existing integrations will continue to work. If you modify an existing Amazon SQS integration, you must replace the external ID to complete the validation check and save your changes.
Update
Amazon SQS Integration
Prisma Cloud now supports Amazon SQS Integration for Alibaba Cloud in the Mainland China regions.
API Ingestion
Amazon ECS
aws-ecs-container-instance
Additional permissions required:
ecs:DescribeContainerInstances
ecs:ListContainerInstances
The Security Audit role includes these permissions.
Amazon EKS
aws-eks-fargate-profile
Additional permissions required:
eks:ListFargateProfiles
eks:DescribeFargateProfile
These permissions are included in the PrismaCloud-IAM-ReadOnly-Policy-Config policy.
Azure Active Directory
azure-active-directory-enforcement-policy
Additional permissions required:
Policy.Read.All
Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
azure-active-directory-group-settings
Additional permissions required:
Directory.Read.All
Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
Google Resource Manager
gcloud-organization-folder
Additional permissions required:
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
These permissions are included in the Resource Manager role.
Update
Azure Authorization
azure-role-definition
and
azure-role-assignment
APIs are modified to ingest dataActions and notDataActions JSON metadata.
These additional metadata are ingested using the permissions in the Reader role.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Identifies EC2 instances that are not configured with Instance Metadata Service v2 (IMDSv2) to ensure that every request is protected by session authentication.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = state contains running and metadataOptions.httpEndpoint equals enabled and metadataOptions.httpTokens does not contain required
AWS Application Load Balancer (ALB) not configured with AWS Web Application Firewall v2 (AWS WAFv2)
Identifies AWS Application Load Balancers (ALBs) that are not configured with AWS Web Application Firewall v2 (AWS WAFv2) to protect against application-layer attacks.
config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = resources.applicationLoadBalancer[*] exists as X; config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as Y; filter 'X.resources.applicationLoadBalancer[*] does not contain $.Y.loadBalancerArn'; show Y;
AWS Security Group allows all traffic on ICMP (Ping) protocol
Identifies Security groups that allow all traffic on ICMP (Ping) protocol. As a best practice, restrict ICMP solely to known static IP addresses and limit the access list to include known hosts, services, or specific employees only.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[?any((ipProtocol equals icmp or ipProtocol equals icmpv6) and (ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0))] exists)
Azure Network Security Group allows all traffic on ports which are not commonly used
Checks for Azure Network Security Groups (NSGs) that allows all traffic on ports which are not commonly used. As a best practice, restrict ports solely to known static IP addresses and limit the access list to include known hosts, services, or specific employees only.
config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and (destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *) or destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *) ))] exists
GCP VM instance template with IP forwarding enabled
Identifies VM instance templates that have IP forwarding enabled and thereby can open unintended and undesirable communication paths and allow VM instances to send and receive packets with the non-matching destination or source IP addresses.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instance-template' AND json.rule = properties.canIpForward is true and (name does not start with "gke-" or (name starts with "gke-" and properties.disks[*].initializeParams.labels does not exist) )
GCP Pub/Sub topic is not encrypted using a customer-managed encryption key
Identifies GCP Pub/Sub topics that are not encrypted using a customer-managed encryption key.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-pubsub-topic' AND json.rule = kmsKeyName does not exist
Policy Updates—RQL and Metadata
AWS Elastic Load Balancer (ELB) with ACM certificate expiring in 90 days
This policy is renamed as
AWS Elastic Load Balancer (ELB) with ACM certificate expired or expiring in 90 days
.
Impact
— Open alerts generated against the older policy name will be resolved as Policy_Updated.
Azure Security Center 'Standard pricing tier' is not selected
The recommendation steps have been updated for the 'Azure Security Center 'Standard pricing tier' is not selected' policy to reflect the changes in the Azure portal UI.
Impact
—No impact on alerts.
  • AWS Redshift Cluster not encrypted using Customer Managed Key
  • AWS Redshift instances are not encrypted
The recommendation steps have been updated for both policies according to the new changes introduced by AWS.
Impact
—No impact on alerts.
Event Policies includes cloud.type in search_manager table
cloud.type
has been updated to include
all
for the following five policies in the
search_manager
table:
  • GCP Load balancer sensitive configuration updates
  • Sensitive permission exposed for website configuration updates of S3 Buckets
  • AWS S3 configuration updates invoked from Kali Linux machine
  • AWS S3 configuration updates invoked from Parrot Security Linux machine
  • AWS S3 configuration updates invoked from Pentoo Linux machine
Impact
—No impact on alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
NIST 800-172
NIST Special Publication 800-172 is now available on Prisma Cloud for Alibaba Cloud, AWS, Azure, GCP, and OCI.
Motion Picture Association of America Compliance
Support for Motion Picture Association of America (MPAA) is available on Alibaba Cloud, AWS, Azure, GCP, and OCI.

REST API Updates

CHANGE
DESCRIPTION
Update
REST APIs for IaC Scan Version 1
The following IaC Scan version 1 REST APIs are no longer supported:
  • POST /iac/tf/v1/scan
  • POST /iac/cft/v1/scan
  • POST /iac/k8s/v1/scan
  • POST /iac_scan

New Features Introduced in 21.4.1

New Features

FEATURE
DESCRIPTION
GCP Folders Hierarchy Mapping to Prisma Cloud Account Groups
To enable you to maintain the segregation of resources or business units based on your GCP resource heirarchy, you can now choose to automatically create account groups to match the folder structure when you onboard a GCP Organization on Prisma Cloud.
You can choose how one of two options to automatically map projects to account groups:
Auto Map
to automatically create an account group with the same name as the top-level folder that contains the project. This allows you to map a project to an account group with the same name as the top-level folder.
Recurse Hierarchy
to create an account group for each folder within your GCP folder structure. This allows you to map each folder to an account group of the same name, even if the folder does not include projects, at the time you add the GCP account to Prisma Cloud.
All automatically created account groups are labeled as
auto-created
by the Prisma Cloud System Admin, and you cannot modify these account groups.
Richer Visualization to Summarize Prisma Cloud Policy Usage
To help you assess your coverage and utilization of policies that help you monitor and manage the security and compliance posture of your cloud resources and protect against potential risks or misconfigurations, Prisma Cloud has created new visualizations on the
Polices
page.
Use the graphs to learn how many policies are enabled as a number or as a percentage of the total, review the split across different policy types, how many policies of high or medium severity are identified in your infrastructure, and gain greater context on the policy category and Prisma Cloud versus custom policies that are generating alerts.
Time Range Type Filter for Alerts
To help you easily find alerts that were either opened or the status was updated within a given time range, on the
Alerts
page the following new filters are now available:
Alert Opened - Filter on alerts based on when they were opened.
Alert Status Updated - Filter on alerts based on when the alert status last changed from one state to another.
Alert Updated - Filter on alerts based on when a resource update was observed but the alert status was not changed.
Prisma Cloud is rolling out a new alert subsystem. On all environments that have been upgraded, you can see the new Time Range Type filter. If you do not see it on your tenant, it will be available to you soon.
API Ingestion
azure-container-registry
A new
repositories
field will be ingested for the existing
azure-container-registry
API resources that contain repositories. This is an update to ingest additional information to the existing
azure-container-registry
API.
Additional permissions not required.
The existing
Reader
role includes the permissions.

New Policies and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
POLICY NAME
DESCRIPTION
New Policies
AWS SNS topic policy overly permissive for publishing
Identifies AWS SNS topics that have SNS policy overly permissive for publishing. When a message is published, Amazon SNS attempts to deliver the message to the subscribed endpoints. To protect these messages from attackers and unauthorized usage, permissions should be given only to authorized users.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Publish or Action contains sns:Publish) and Condition does not exist)] exists
AWS SNS topic policy overly permissive for subscription
Identifies AWS SNS topics that have SNS policy overly permissive for the subscription. When you subscribe an endpoint to a topic, the endpoint begins to receive messages published to the associated topic. To protect these messages from attackers and unauthorized usage, permissions should be given only to authorized users.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[?any(Effect equals Allow and (Principal.AWS equals * or Principal equals *) and (Action contains SNS:Subscribe or Action contains sns:Subscribe or Action contains SNS:Receive or Action contains sns:Receive) and Condition does not exist)] exists
Azure Key Vault Firewall is not enabled
Identifies Azure Key Vaults which have the Firewall disabled. Enabling the Azure Key Vault Firewall feature prevents unauthorized traffic from reaching your key vault. It is a best practice to enable the Azure Key Vault Firewall which provides an additional layer of protection for your secrets.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.networkAcls.ipRules[*].value does not exist
Azure Key Vault Purge protection is not enabled
Identifies checks for Azure Key Vault which have the Purge protection disabled. This could impact alerts being generated for all Azure Key Vaults which have not enabled the Purge protection settings.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' AND json.rule = properties.enablePurgeProtection is false
IAM Security
The following new policies have been added for IAM Security on Prisma Cloud:
  • AWS IAM effective permissions are over-privileged (7 days)
  • AWS IAM effective permissions are over-privileged (90 days)
  • AWS cross-account resource access through IAM policies
  • AWS effective permissions granting wildcard resource access
  • AWS entities with risky permissions
  • AWS resources that are publicly accessible through IAM policies
  • Okta user with effective permissions to create AWS IAM users
Policy Updates—RQL and Metadata
AWS IAM policy allows assume role permission across all services
The Policy RQL has been updated to exclude the Deny policy statements from the policy reportings.
Updated RQL
—The updated RQL is:
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any( Effect equals Allow and Action contains sts:AssumeRole and Resource equals * and Condition does not exist)] exists
Impact
—Alerts raised for Deny policy statements are resolved as 'Policy_Updated'.
Azure Application Gateway does not have the Web application firewall (WAF) enabled
The RQL was not considering when the Azure Application Gateway resources were attached with the WAF policy through WAF service and was therefore creating false positives. The RQL policy has been updated to resolve the FPs.
Updated RQL
—The updated RQL is:
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = (['properties.webApplicationFirewallConfiguration'] does not exist and ['properties.firewallPolicy'] does not exist) or (['properties.webApplicationFirewallConfiguration'].enabled is false and ['properties.firewallPolicy'] does not exist)
Impact
—Alerts raised for Application Gateway which has the WAF policy enabled through WAF service will be resolved with reason as Policy_Updated.
Policy Updates— Remediation
Azure Security Center web application firewall monitoring is set to disabled
The policy has been removed because the setting to Disable / Audit has been deprecated by Azure in the Security Center recommendations.
Impact
—All alerts generated for this policy will be resolved with reason Policy_Delected.
Threat Detection on SQL databases is set to Off
The policy recommendation has been updated to reflect the UI changes made on Azure.
Impact
—No impact on alerts.
The following GCP policies have been updated to match the recommendation steps of the policies with the GCP web interface.
  • GCP Log metric filter and alert does not exist for VPC network route changes
  • GCP Log metric filter and alert does not exist for Project Ownership assignments/changes
  • GCP Log metric filter and alert does not exist for IAM custom role changes
  • GCP Log metric filter and alert does not exist for Audit Configuration Changes
  • GCP Log metric filter and alert does not exist for VPC Network Firewall rule changes
  • GCP Log metric filter and alert does not exist for VPC network changes
  • GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
  • GCP Log metric filter and alert does not exist for SQL instance configuration changes
Impact
—No impact on alerts.
Policy Update for Improved Accuracy
To ensure better accuracy with alerts the following out-of-box policies have a RQL change to address a Config RQL query issue when the filter part of a join contains a negation (the `not ()` surrounding the filter clause) AND at least one of the variables (
X
,
Y,
or
Z
) is empty at evaluation:
  • AWS VPC has flow logs disabled
  • AWS VPC not in use
  • OCI Block Storage Block is not restorable
For example, if
X
is defined as:
`config from cloud.resource where api.name = 'aws-ec2-describe-vpcs' as X`
You will always get no results if you currently have no VPCs in your cloud account, even if
Y
and/or
Z
were non-empty.
Impact
—With this update, you may have new alerts generated against the policies listed above. Additionally, if you have used such a negated filter clause in a custom policy with an API that is likely to be empty sometimes, Prisma Cloud may generate alerts that were not triggered for the same policy previously.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
NIST 800-171 rev 2
NIST Special Publication 800-171 Revision 2 is now available on Prisma Cloud for AWS, GCP, Azure, Alibaba, and OCI.
PCI DSS 3.2.1
Support for Payment Card Industry Data Security Standard version 3.2.1 is available on AWS, GCP, Azure, Alibaba, and OCI.

REST API Updates

CHANGE
DESCRIPTION
Breaking Change
Anomaly Settings APIs have changed
The valid values for the Anomaly Settings attributes
alertDisposition
and
trainingModelThreshold
have changed.
The new valid values for
alertDisposition
are:
Aggressive
,
Moderate
,
Conservative
.
The new valid values for
trainingModelThreshold
are:
Low
,
Medium
,
High
.
These attributes are included in the following API endpoints:
  • POST /anomalies/settings/{policyid}
    —within the request body parameters
  • GET /anomalies/settings
    —within the response object
  • GET /anomalies/settings/{policyid}
    —within the response object
A new optional parameter exists for GCP Org Cloud Account APIs
The following GCP cloud account APIs have a new optional request body parameter
accountGroupCreationMode
  • POST /cloud/gcp
  • PUT /cloud/gcp
A new Cloud Account API, which uses POST, is available to list cloud names
You can now use the following new API to list cloud account names:
  • POST /cloud/name
Note that GET /cloud/name is still also available
Valid request parameters to add or update an Amazon SQS integration have changed
When you add or update an Amazon SQS integration with the IAM role associated with Prisma Cloud, your request body parameter
integrationConfig.externalId
must now be a unique 128-bit UUID
Alert filter suggestion includes a new attribute
timeRange.type
The response object for the following API includes a new attribute
timeRange.type
  • GET /filter/alert/suggest
Anomaly Trusted List entries support a new attribute
subject
The response objects for the following APIs include a new attribute
subject
:
  • GET /anomalies/trusted_list
  • GET /anomalies/trusted_list/{id}
The response object for some Cloud Account APIs have a new attribute
deploymentType
The response objects for the following APIs include a new attribute
deploymentType
:
  • GET /cloud
  • GET /cloud/{cloud_type}/{id}
A request body parameter that was required for some Data Security Settings APIs is now optional
The request body parameter description was required but is now optional for the following APIs:
  • POST /dlp/api/v1/dss-api/data-profile
  • PUT /dlp/api/v1/dss-api/data-profile/id/{profileId}

Recommended For You