Features Introduced in December 2021

Learn what’s new on Prisma™ Cloud in December 2021.

New Features Introduced in 21.12.1

New Features

FEATURE
DESCRIPTION
Custom Payload for Webhook Integration
If you are using a Webhook integration to send Prisma Cloud alerts, you can now customize the alert payload. When you enable the option to configure a custom payload, a JSON editor becomes available in the Webhook integration (Settings > Integrations). This editor lets you modify the format of the attributes or tokens included in the alert payload, and it provides a brief description of each attribute.
The error messages have also been improved to help you confirm that the integration is set up successfully or to identify any misconfiguration.
True Network Exposure of Cloud Assets (Limited GA)
The cloud network analyzer engine on Prisma Cloud helps you determine the true network exposure of your cloud assets and take action to secure them from network threats, using an end-to-end network path analysis between the source and destination resource.
Using the new config from network where RQL query on the Investigate page, you can understand the reachability of your cloud assets and also validate whether overly permissive network access has been exploited. This is currently supported only on AWS.
If you’re interested, contact Prisma Cloud customer support to enable this feature on your tenant.
Ability to Reference External Variables within the Scope of a Nested Rule
Nested rules that use the ?any quantifier previously limited the conditions you could write on the elements of an array. For RQL policies that use nested rules, you can now add a condition that references an external JSON path inside the nested rule.
This is also useful when a Join operator is expressed between two different paths in a JSON specimen, which requires the nested rule to check values outside the scope of the quantifier.
The following operators are supported with a variable path ($.path) on the right-hand side:
  • contains
  • does not contain
  • equals
  • does not equal
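As an added illustration (not Prisma Cloud code), this Python evaluator models the semantics described above: a ?any nested rule whose right-hand side is a variable path resolved against the whole JSON specimen rather than against the array element, for the four operators listed. The bucket ACL specimen, the function names and the field names are constructed for this example; the exact RQL spelling is not shown on this page.

```python
"""Model of a ?any nested rule whose condition references a JSON path outside the
quantifier. Evaluator, names and the sample document are this example's own, not
Prisma Cloud's RQL engine; the bucket ACL below is constructed."""
from typing import Any

# Constructed specimen: a bucket ACL where one grant goes to an account other
# than the bucket owner. Detecting that needs $.owner.id from *outside* the
# grants[] array inside the nested condition.
BUCKET_ACL = {
    "bucketName": "example-logs",
    "owner": {"id": "owner-account-1111"},
    "grants": [
        {"grantee": {"id": "owner-account-1111"}, "permission": "FULL_CONTROL"},
        {"grantee": {"id": "other-account-9999"}, "permission": "READ"},
    ],
}


def resolve(node: Any, path: str) -> Any:
    """Resolve a dotted path ('$.a.b' or 'a.b') against nested dicts; None if absent."""
    keys = path[2:] if path.startswith("$.") else path
    for key in keys.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # a missing path behaves like 'does not exist'
        node = node[key]
    return node


def compare(lhs: Any, op: str, rhs: Any) -> bool:
    """The four operators the page lists for a variable right-hand side.
    An absent left-hand field never satisfies a condition (this example's choice)."""
    if op == "equals":
        return lhs is not None and lhs == rhs
    if op == "does not equal":
        return lhs is not None and lhs != rhs
    if op == "contains":
        return lhs is not None and rhs is not None and str(rhs) in str(lhs)
    if op == "does not contain":
        return lhs is not None and not (rhs is not None and str(rhs) in str(lhs))
    raise ValueError(f"unsupported operator: {op}")


def nested_any(doc: dict, array_path: str, element_path: str, op: str, rhs: Any) -> bool:
    """Model of  <array_path>[?any(<element_path> <op> <rhs>)] exists.

    rhs is either a literal (the old, element-only style) or a variable path
    starting with '$.', which is resolved against the whole document so the
    nested condition can compare each element with data outside the array.
    """
    elements = resolve(doc, array_path)
    if not isinstance(elements, list):
        return False
    external = resolve(doc, rhs) if isinstance(rhs, str) and rhs.startswith("$.") else rhs
    return any(compare(resolve(el, element_path), op, external) for el in elements)


def grants_to_non_owner(acl: dict) -> bool:
    """grants[?any(grantee.id does not equal $.owner.id)] exists"""
    return nested_any(acl, "$.grants", "grantee.id", "does not equal", "$.owner.id")


if __name__ == "__main__":
    print("grant to a non-owner account:", grants_to_non_owner(BUCKET_ACL))
    print("literal right-hand side still works:",
          nested_any(BUCKET_ACL, "$.grants", "permission", "equals", "READ"))
```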
Prisma Cloud Data Security - ‘Sensitive Data and Malware in Publicly Exposed Objects’ Scan Option
You can now scan for Sensitive Data and Malware in Publicly Exposed Objects while configuring data security scan settings. When you select this option, Prisma Cloud first scans all objects for public exposure and then scans only the publicly exposed objects for sensitive data and malware.
After you click Apply, the selected scan option appears under the Scan Capability column, and the corresponding entry under the Configuration Status column shows as Recently configured.
Prisma Cloud Data Security - Simplified ‘Forward Scan’ Setup
Prisma Cloud now provides a simplified way to set up Forward Scan that reduces the number of manual steps that were required during onboarding. You can choose either an existing CloudTrail or create a new one with an associated SNS topic.
A script file is generated from the information you provide; running it in CloudShell sets up all of the configuration required for a successful Forward Scan.
The simplified Forward Scan setup prevents manual errors, and you can validate the setup before proceeding with the rest of the onboarding.
API Ingestions
AWS Shield: aws-shield-protection-groups
Additional permissions required:
  • shield:GetSubscriptionState
  • shield:ListProtectionGroups
  • shield:ListResourcesInProtectionGroup
  • shield:ListTagsForResource
AWS Shield: aws-shield-protections
Additional permissions required:
  • shield:GetSubscriptionState
  • shield:ListProtections
  • shield:ListTagsForResource
AWS Glue: aws-glue-datacatalog
Additional permissions required:
  • glue:GetDataCatalogEncryptionSettings
AWS Athena: aws-athena-workgroup
Additional permissions required:
  • athena:ListWorkGroups
  • athena:GetWorkGroup
Amazon MSK: aws-msk-cluster
Additional permissions required:
  • kafka:ListClusters
Amazon RDS: aws-rds-option-group
Additional permissions required:
  • rds:ListTagsForResource
  • rds:DescribeOptionGroups
Azure Spring Cloud: azure-spring-cloud-app
Additional permissions required:
  • Microsoft.AppPlatform/Spring/apps/read
Azure Spring Cloud: azure-spring-cloud-service
Additional permissions required:
  • Microsoft.AppPlatform/Spring/read
Azure SignalR Service: azure-signalr
Additional permissions required:
  • Microsoft.SignalRService/SignalR/read
Azure Front Door: azure-frontdoor
Additional permissions required:
  • Microsoft.Network/frontDoors/read
Google Container Analysis: gcloud-container-analysis-vulnerability-summary
Additional permissions required:
  • containeranalysis.occurrences.list
Google AI Platform: gcloud-ai-platform-job
Additional permissions required:
  • ml.jobs.getIamPolicy
  • ml.jobs.list
Google API Gateway: gcloud-apigateway-gateway
Additional permissions required:
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
Google AI Platform Model: gcloud-ai-platform-model
Additional permissions required:
  • ml.models.list
  • ml.models.getIamPolicy

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
Instance affected by Apache Log4j vulnerability is exposed to network traffic from the internet [CVE-2021-44228]
Identifies instances on which an Apache Log4j version (<2.16.0) vulnerable to arbitrary code execution (CVE-2021-44228) is installed and that are exposed to network traffic from the internet. As a best practice, upgrade Apache Log4j to the latest version and limit exposure to the internet.
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability' ) AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
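As an added example (not Prisma Cloud code), the following Python models the logic of the Log4j policy RQL above over constructed records: the inner clause selects resources with a Prisma Cloud Host Vulnerability finding named CVE-2021-44228, and the outer clause keeps only VPC flow records with bytes > 0 from those resources to destinations classified as Internet IPs or Suspicious IPs. The record types, field names and sample data are this example's assumptions.

```python
"""Offline model of the Log4j exposure policy: a resource is flagged when it has a
Prisma Cloud 'Host Vulnerability' finding for CVE-2021-44228 and at least one VPC
flow record with bytes > 0 whose destination is classified as Internet IPs or
Suspicious IPs. Record types, field names and all data are this example's own."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    resource_id: str
    finding_type: str  # finding.type in the RQL
    source: str        # finding.source
    name: str          # finding.name


@dataclass(frozen=True)
class FlowRecord:
    source_resource: str     # source.resource
    dest_publicnetwork: str  # destination.publicnetwork classification
    bytes: int


EXPOSED_NETWORKS = {"Internet IPs", "Suspicious IPs"}
LOG4SHELL = "CVE-2021-44228"

# Constructed sample data covering each branch of the policy.
FINDINGS = [
    Finding("i-vuln-exposed", "Host Vulnerability", "Prisma Cloud", LOG4SHELL),
    Finding("i-vuln-internal", "Host Vulnerability", "Prisma Cloud", LOG4SHELL),
    Finding("i-zero-bytes", "Host Vulnerability", "Prisma Cloud", LOG4SHELL),
    # Same CVE but from another source: excluded by finding.source IN ('Prisma Cloud')
    Finding("i-other-source", "Host Vulnerability", "Other Scanner", LOG4SHELL),
]
FLOWS = [
    FlowRecord("i-vuln-exposed", "Internet IPs", 1200),
    FlowRecord("i-vuln-internal", "Private IPs", 500),   # internal traffic only
    FlowRecord("i-zero-bytes", "Suspicious IPs", 0),      # fails bytes > 0
    FlowRecord("i-other-source", "Internet IPs", 800),    # finding filtered out above
    FlowRecord("i-no-finding", "Suspicious IPs", 900),    # no vulnerability finding
]


def vulnerable_resources(findings: Iterable[Finding], cve: str = LOG4SHELL) -> set[str]:
    """Inner clause: resource where finding.type IN ('Host Vulnerability')
    AND finding.source IN ('Prisma Cloud') AND finding.name IN (cve)."""
    return {f.resource_id for f in findings
            if f.finding_type == "Host Vulnerability"
            and f.source == "Prisma Cloud" and f.name == cve}


def exposed_vulnerable_resources(findings: Iterable[Finding], flows: Iterable[FlowRecord],
                                 cve: str = LOG4SHELL) -> list[str]:
    """Outer clause: flow records with bytes > 0 whose source is a vulnerable
    resource and whose destination is an Internet/Suspicious network. The RQL
    matches the instance as the flow *source*; in VPC flow logs, replies to
    inbound connections are recorded that way too."""
    vulnerable = vulnerable_resources(findings, cve)
    return sorted({fl.source_resource for fl in flows
                   if fl.bytes > 0 and fl.source_resource in vulnerable
                   and fl.dest_publicnetwork in EXPOSED_NETWORKS})


if __name__ == "__main__":
    print(exposed_vulnerable_resources(FINDINGS, FLOWS))  # ['i-vuln-exposed']
```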
GCP Cloud Function not enabled with VPC connector
Identifies GCP Cloud Functions that are not configured with a VPC connector. A VPC connector lets functions connect to resources inside a VPC in the same project.
Setting up a VPC connector lets you establish a secure perimeter that guards against data exfiltration and prevents functions from accidentally sending data to unwanted destinations. As a best practice, configure the GCP Cloud Function with a VPC connector.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and vpcConnector does not exist
True Network Exposure Policies (Limited GA)
The following five policies are being released in limited GA for a set of beta customers:
AWS EC2 instance is exposed to the internet
Identifies EC2 instances that are exposed to inbound traffic from the Internet. Exposure to the Internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and effective.action = 'Allowed' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' )
AWS EC2 instance allows outbound access to the internet
Identifies EC2 instances that allow outbound traffic to the Internet. As a best practice, restrict outbound traffic and limit access to known hosts or services.
config from network where source.resource.type = 'Instance' and source.cloud.type = 'AWS' and dest.network = UNTRUST_INTERNET
AWS RDS instances exposed to internet
Identifies network interfaces attached to an RDS instance that are exposed to inbound traffic from the Internet. RDS instances exposed to the Internet are prone to external security threats. As a best practice, restrict the network interfaces that are attached to the RDS instance to known hosts or services only.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.owner in ( 'amazon-rds')
AWS Redshift instances exposed to internet
Identifies network interfaces attached to a Redshift cluster that are exposed to inbound traffic from the internet. Redshift clusters exposed to the internet are prone to external security threats. As a best practice, restrict the network interfaces that are attached to the Redshift cluster to known hosts or services only.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.network.interface.owner in ( 'amazon-redshift' )
AWS EC2 instance reachable from untrust internet source on SSH/RDP port (TCP)
Identifies EC2 instances that are reachable from the internet on SSH or RDP ports. An SSH or RDP port exposed to the internet may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/22' , 'tcp/3389' )
Policy Updates—Metadata
SQL Instances with network authorization exposing them to the Internet
Changes—The policy metadata and RQL have been updated to cover IPv6 CIDRs. The policy name has also been updated.
Current name: SQL Instances with network authorization exposing them to the Internet
Updated to: GCP SQL instance configured with overly permissive authorized networks
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = settings.ipConfiguration.authorizedNetworks[?any(value contains 0.0.0.0/0 or value contains ::/0)] exists
Policy Updates—RQL
The policy name has been updated according to the policy naming standards.
Current policy name: AWS S3 CloudTrail buckets for which access logging is disabled
Updated policy name: AWS S3 CloudTrail bucket for which access logging is disabled
The RQL syntax has been updated for performance improvement.
Current
config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' as Y; filter '$.X.s3BucketName equals $.Y.bucketName and $.Y.loggingConfiguration.targetBucket !exists' ; show Y;
Updated to
config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' AND json.rule = loggingConfiguration.targetBucket does not exist as Y; filter '$.X.s3BucketName equals $.Y.bucketName'; show Y;
AWS Elastic File System (EFS) not encrypted using Customer Managed Key
Current RQL
config from cloud.resource where api.name = 'aws-describe-mount-targets' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '$.X.fileSystemDescription.encrypted is true and $.X.fileSystemDescription.kmsKeyId equals $.Y.key.keyArn and $.Y.keyMetadata.keyManager contains AWS'; show X;
Updated to
config from cloud.resource where api.name = 'aws-describe-mount-targets' AND json.rule = fileSystemDescription.encrypted is true as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyManager does not equal CUSTOMER or (keyMetadata.keyManager equals CUSTOMER and keyMetadata.keyState equals Disabled) as Y; filter '$.X.fileSystemDescription.kmsKeyId equals $.Y.key.keyArn'; show X;
The RQL has been enhanced with a new grammar for performance improvement.
Impact—No impact on alerts.
Azure SQL database auditing is disabled
The RQL syntax has been updated for performance improvement.
Current
config from cloud.resource where api.name = 'azure-sql-db-list' as X; config from cloud.resource where api.name = 'azure-sql-server-list' as Y; filter "($.X.blobAuditPolicy.properties.state equals Disabled or $.X.blobAuditPolicy does not exist or $.X.blobAuditPolicy.[*] is empty) and ($.X.blobAuditPolicy.id contains $.Y.sqlServer.name and $.Y.serverBlobAuditingPolicy.properties.state equals Disabled or $.Y.serverBlobAuditingPolicy does not exist or $.Y.serverBlobAuditingPolicy is empty)"; show X;
Updated to
config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = blobAuditPolicy.properties.state equals Disabled or blobAuditPolicy does not exist or blobAuditPolicy is empty as X; config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show X;
Azure SQL Database with Auditing Retention less than 90 days
The filter comparison in the RQL has been corrected (the X and Y aliases were swapped in the filter clause) so that the correct alerts are triggered.
Current
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.X.blobAuditPolicy.id contains $.Y.sqlServer.name'; show Y;
Updated to
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = '(serverBlobAuditingPolicy does not exist or serverBlobAuditingPolicy is empty or serverBlobAuditingPolicy.properties.state equals Disabled or serverBlobAuditingPolicy.properties.retentionDays does not exist or (serverBlobAuditingPolicy.properties.state equals Enabled and serverBlobAuditingPolicy.properties.retentionDays does not equal 0 and serverBlobAuditingPolicy.properties.retentionDays less than 90))' as X; config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule = 'blobAuditPolicy does not exist or blobAuditPolicy is empty or blobAuditPolicy.properties.retentionDays does not exist or (blobAuditPolicy.properties.state equals Enabled and blobAuditPolicy.properties.retentionDays does not equal 0 and blobAuditPolicy.properties.retentionDays less than 90)' as Y; filter '$.Y.blobAuditPolicy.id contains $.X.sqlServer.name'; show Y;
Impact—Some new alerts will be triggered based on configuration.
Azure Virtual Machine Boot Diagnostics Disabled
Identifies Azure virtual machines that have the Boot Diagnostics setting disabled. The RQL now excludes Databricks virtual machines (Azure-managed solutions) from reporting. The policy description and recommendation have been updated accordingly.
Current
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false
Updated to
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState contains running and ['properties.diagnosticsProfile'].['bootDiagnostics'].['enabled'] is false and tags.Vendor does not equal Databricks
Impact—Previously generated alerts for Databricks virtual machines will be resolved as Policy_Updated.
GCP Kubernetes Engine cluster workload identity is disabled
The modified RQL filters out Composer clusters, which resolves the alerts previously created for them. The recommendation has been updated to match the latest UI changes.
Current
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = (workloadIdentityConfig[*] does not exist and nodePools[?any(config.workloadMetadataConfig does not exist )] exists) or (workloadIdentityConfig[*] exists and (nodePools[?any(config.workloadMetadataConfig does not contain GKE_METADATA)] exists))
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals "RUNNING" and resourceLabels.goog-composer-version does not start with "composer-1" and ((workloadIdentityConfig[*] does not exist and nodePools[?any(config.workloadMetadataConfig does not exist )] exists) or (workloadIdentityConfig[*] exists and (nodePools[?any(config.workloadMetadataConfig does not contain GKE_METADATA)] exists)))
Impact—Previously generated alerts for Composer clusters will be resolved as Policy_Updated.
GCP VPC Flow logs for the subnet is set to Off
The modified RQL filters out proxy subnets, which resolves the alerts previously created for them. The policy description and recommendation have also been updated.
Current
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = 'enableFlowLogs is false or enableFlowLogs does not exist'
Updated to
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-networks-subnets-list' AND json.rule = purpose does not contain INTERNAL_HTTPS_LOAD_BALANCER and (enableFlowLogs is false or enableFlowLogs does not exist)
Impact—Previously generated alerts for proxy subnets will be resolved as Policy_Updated.
GCP Kubernetes Engine Clusters have binary authorization disabled
Changes—Support for auto-remediation in the CLI has been added.
Impact—If auto-remediation is enabled for the policy, alerts will be resolved as Remediated.
GCP Kubernetes cluster intra-node visibility disabled
Changes—Support for auto-remediation in the CLI has been added.
Impact—If auto-remediation is enabled for the policy, alerts will be resolved as Remediated.
OCI IAM local (non-federated) user account does not have a valid and current email address
Changes—The recommendation steps have been updated to remove a special character that caused a parsing issue when downloading all policies.
Impact—No impact on alerts.

New Compliance Benchmarks and Updates

See the look ahead updates for planned features and policy updates for 22.1.1.
COMPLIANCE BENCHMARK
DESCRIPTION
AWS well architected framework
Prisma Cloud adds support for the AWS Well-Architected Framework, which describes the main concepts, design principles, and architectural best practices for designing and running workloads on AWS.
New Zealand Information Security Manual (NZISM)
The New Zealand Information Security Manual (NZISM) lists processes and controls that are essential for the protection of all New Zealand Government information and systems. Controls and processes that represent good practice are also provided to enhance the essential baseline controls. Baseline controls are classified as minimum acceptable levels of controls, and essential controls are described as systems hygiene.
AWS Foundational Security Best Practices standard
The AWS Foundational Security Best Practices standard is a set of controls that detect when your accounts and resources deployed on AWS do not conform to AWS security best practices.
China CyberSecurity Law
Prisma Cloud now supports the China CyberSecurity Law. This standard, created by the National People’s Congress, aims to increase data protection, data localization, and cybersecurity in the interest of national security.
CIS AWS 3 Tier Arch v1.0.0
CIS AWS 3 Tier Arch v1.0.0 is a benchmark that covers the AWS configurations necessary to establish ongoing operations of a three-tier web architecture.
ISO/IEC 27002:2013
ISO/IEC 27002:2013 provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment.
It is designed to be used by organizations that intend to:
  • Select controls within the process of implementing an Information Security Management System.
  • Implement commonly accepted information security controls.
  • Develop their own information security management guidelines.
ISO/IEC 27018:2019
ISO/IEC 27018 is a code of practice that focuses on protecting personal data in the cloud. It is based on the ISO/IEC security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII).
In addition, it provides a set of controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.
ISO/IEC 27017:2015
ISO/IEC 27017:2015 provides guidelines for information security controls that are applicable to the provision and use of cloud services by providing:
  • Additional implementation guidance for relevant controls specified in ISO/IEC 27002.
  • Additional controls with implementation guidance that specifically relate to cloud services.
This recommendation and international standard provides controls and implementation guidance for both cloud service providers and customers.
MITRE ATT&CK v10
Prisma Cloud has updated the MITRE ATT&CK framework to support MITRE ATT&CK v10. This release includes updates for Techniques, Groups, and Software for Enterprise, Mobile, and ICS.
Updates for Multi Level Protection Scheme (MLPS) v2.0
The Multi Level Protection Scheme (MLPS) v2.0 compliance standard has been updated with restructured sections and mappings.
ISO 27001:2013
ISO 27001:2013 defines the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. In addition, it includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements for ISO 27001:2013 are generic and intended to be applicable to all organizations, regardless of type, size, or nature.

REST API Updates

CHANGE
DESCRIPTION
Prisma Cloud CSPM Integrations API Endpoint Removal
The following CSPM Integration API endpoint has been removed:
  • GET /integration/type
Prisma Cloud Data Security API Resource Change
The Data Security API resource StorageResource has undergone the following changes:
  • Removal of property isConfigurable
  • Removal of property isSystemBucket
  • Addition of property configurationStatus
The first two changes are breaking changes for the following API endpoints:
  • PUT /dlp/api/config/v2/resource: properties resources.isConfigurable and resources.isSystemBucket were optional request body parameters.
  • GET /dlp/api/v1/resource-inventory/resources: properties resources.isConfigurable and resources.isSystemBucket were response properties.
New Response Attribute for Some Prisma Cloud CSPM Alerts API Endpoints
The schema CloudResourceModel includes a new property cloudServiceName, which identifies the cloud service. As a result, the response object for each of the following API endpoints includes a new attribute resource.cloudServiceName for alerts that have such data available:
  • GET /alert
  • POST /alert
  • GET /v2/alert (the new attribute is items[].resource.cloudServiceName)
  • POST /v2/alert (the new attribute is items[].resource.cloudServiceName)
