Features Introduced in January 2021
Learn about the new features introduced on Prisma Cloud in January 2021.
New Features Introduced in 21.1.2
New Features
Feature | Description |
---|---|
Prisma Cloud IAM Security (Limited GA) | Prisma Cloud IAM Security automatically calculates effective permissions across cloud service providers, detects overly permissive access, and suggests corrections to reach least-privilege entitlements. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment. If you use Okta as your IdP, enable the Okta integration to federate user identity easily. Prisma Cloud ingests single sign-on (SSO) data for the effective permissions calculation and lists the effective permissions of Okta users across cloud accounts. You can then use RQL to query for identity-related entitlements and events, investigate and address issues, and gain control over your cloud entitlements. |
Suppression of Anomaly Alerts for Trusted Resources | The Anomaly Trusted List supports more resource types for which you can suppress alerts. You can now specify a Machine Image ID, a Tag associated with a cloud resource, a Cloud Service name, or a Resource identifier for supported cloud providers, and list the anomaly policies for which you do not want to generate alerts. For example, if the JSON metadata for your VM on Azure has the following tag: You must provide the key and the value from the JSON element as the Key and the Value when you add the tag to the Anomaly Trusted List. |
Support for APRA CPS 234 Compliance Standard | Prisma Cloud adds support for the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 regulatory standard. This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats. The Prisma Cloud default policies that are mapped to this standard enable continuous monitoring of your organisation's cyber risk profile. |
Custom Data Patterns and Data Profiles for Prisma Cloud Data Security | Prisma Cloud Data Security is now GA. Beyond the predefined data patterns and profiles, you can now define a data pattern from scratch and create a data profile from a collection of data patterns that meets your content scanning needs, under Settings Data. |
RQL Function—_IPAddress.areAllInCIDRRange() | RQL introduces a new function, _IPAddress.areAllInCIDRRange(), that confirms whether all the IP addresses assigned to a resource are within a specified CIDR block. It gives a yes or no answer to the question "Do my databases have all IP addresses in the 10.0.0.0/24 IP address range?". This differs slightly from the existing _IPAddress.inCIDRRange() function, which returns true if at least one of the given IP addresses falls within the specified CIDR range. The function takes two arguments: _IPAddress.areAllInCIDRRange(Resource, CIDR). The first argument specifies the metadata within the resource configuration that contains the IP address(es), and the second argument is the CIDR block to match. For example: returns a list of network interfaces whose private IP addresses all fall entirely within the 172.31.67.71/24 CIDR block. |
Permission Group Enhancement for Access to Prisma Cloud Compute Only | When assigning administrative permissions on Prisma Cloud, you can now grant granular access to Prisma Cloud Compute capabilities only and restrict access to the rest of the Prisma Cloud administrator console. For the Account and Cloud Provisioning Admin, Account Group Admin, and Account Group Read Only roles, you can enable the Only for Compute capabilities option to allow access to the Compute and Settings Access Keys. |
API Ingestion | Azure Cloud Delivery Network (CDN). Additional permissions required are: The Reader role includes the permissions. |
API Ingestion | Google Compute Engine gcloud-compute-target-ssl-proxy. Additional permissions required are: Both the Project Viewer role and the Compute Network Viewer role include the permission. |
API Ingestion | Google Cloud Load Balancing gcloud-compute-regional-forwarding-rule |
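To make the difference between the two RQL helpers concrete, here is an added example (not Prisma Cloud's code, and not RQL) that re-implements their semantics in plain Python over constructed network-interface metadata. The interface ids and addresses are made up; treating an empty address list as failing the "all in range" check is this example's own choice, not documented RQL behaviour. It also surfaces a practical caveat: the page's example block 172.31.67.71/24 has host bits set, which Python's ipaddress module only accepts with strict=False.

```python
"""
Added example (not Prisma Cloud's code): re-implements the semantics of
_IPAddress.areAllInCIDRRange() and _IPAddress.inCIDRRange() in plain Python so
the difference between "every address in range" and "at least one address in
range" is explicit. The resource metadata below is constructed sample data.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed sample: network interfaces with their private IPs.
# Interface ids and addresses are made up for illustration.
SAMPLE_INTERFACES = [
    {"id": "eni-example-1", "privateIpAddresses": ["172.31.67.10", "172.31.67.11"]},
    {"id": "eni-example-2", "privateIpAddresses": ["172.31.67.12", "172.31.68.5"]},
    {"id": "eni-example-3", "privateIpAddresses": ["10.0.1.4"]},
    {"id": "eni-example-4", "privateIpAddresses": []},
]


def _network(cidr: str):
    # strict=False accepts blocks such as 172.31.67.71/24, where host bits are
    # set (the page's own example); strict mode would raise ValueError.
    return ipaddress.ip_network(cidr, strict=False)


def all_in_cidr(ips: Iterable[str], cidr: str) -> bool:
    """Mirror of areAllInCIDRRange(): True only if every address is inside cidr.

    An empty address list yields False (this example's choice): a resource
    with no addresses has nothing confirmed to be in range, so it should not
    pass a containment check by vacuous truth.
    """
    net = _network(cidr)
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    # Version mismatch (an IPv6 address against an IPv4 block) is simply "not in".
    return bool(addrs) and all(a in net for a in addrs)


def any_in_cidr(ips: Iterable[str], cidr: str) -> bool:
    """Mirror of inCIDRRange(): True if at least one address is inside cidr."""
    net = _network(cidr)
    return any(ipaddress.ip_address(ip) in net for ip in ips)


def interfaces_matching(interfaces: list[dict], cidr: str, require_all: bool) -> list[str]:
    """Return the ids of interfaces whose private IPs satisfy the chosen predicate."""
    check = all_in_cidr if require_all else any_in_cidr
    return [i["id"] for i in interfaces if check(i["privateIpAddresses"], cidr)]


if __name__ == "__main__":
    cidr = "172.31.67.71/24"
    print("all in range:", interfaces_matching(SAMPLE_INTERFACES, cidr, require_all=True))
    print("any in range:", interfaces_matching(SAMPLE_INTERFACES, cidr, require_all=False))
```

Run against the sample data, only eni-example-1 satisfies the "all" predicate, while eni-example-2 also satisfies the "any" predicate because one of its two addresses lies in 172.31.67.0/24; that second interface is exactly the kind of resource the stricter function exists to exclude.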
New Policies and Policy Updates
See Look Ahead—Planned Updates on Prisma Cloud to learn what's coming soon.
New Policies
Policy Name | Description |
---|---|
AWS Application Load Balancer (ALB) is not using the latest predefined security policy | Identifies Application Load Balancers (ALBs) that are not using the latest predefined security policy. It is a best practice to use the latest predefined security policy, which uses only secure protocols and ciphers. |
AWS Database Migration Service (DMS) has expired certificates | Identifies expired certificates in the AWS Database Migration Service (DMS). It is a best practice to delete expired certificates. |
AWS Glue connection do not have SSL configured | Identifies Glue connections that are not configured with SSL to encrypt connections. It is a best practice to use an SSL connection with hostname matching enforced for the DB connection on a client; enforcing SSL connections protects against man-in-the-middle attacks by encrypting the data stream between the connections. |
AWS EBS snapshot is not encrypted | Identifies Elastic Block Store (EBS) snapshots that are not encrypted. As a best practice, implement encryption to protect sensitive information from unauthorized access. |
AWS Elastic Load Balancer v2 (ELBv2) with invalid security groups | Identifies ELBv2 load balancers whose security groups have no valid inbound or outbound rule. ELBv2 security groups should have at least one inbound or outbound rule; otherwise the ELB denies all incoming and outgoing traffic to or from any resources configured behind it, rendering it ineffective. |
AWS Network Load Balancer (NLB) is not using the latest predefined security policy | Identifies Network Load Balancers (NLBs) that are not using the latest predefined security policy. It is a best practice to use the latest predefined security policy, which uses only secure protocols and ciphers. |
AWS SQS queue access policy is overly permissive | Identifies Simple Queue Service (SQS) queues that have an overly permissive access policy. It is a best practice to apply a least-privilege access policy to protect the SQS queue from data leakage and unauthorized access. |
Azure PostgreSQL Database Server Firewall rule allow access to all IPV4 address | Identifies Azure PostgreSQL Database Servers that have a firewall rule allowing access from all IPv4 addresses. |
Azure Security Center Defender set to Off for App Service | Identifies that the Defender setting for Azure SQL database server is set to Off in Azure Security Center. |
Azure Security Center Defender set to Off for Key Vault | Identifies that the Defender setting for Key Vault is set to Off in Azure Security Center. |
Azure Security Center Defender set to Off for Kubernetes | Identifies that the Defender setting for Kubernetes is set to Off in Azure Security Center. |
Azure Security Center Defender set to Off for Servers | Identifies that the Defender setting for Servers is set to Off in Azure Security Center. |
Azure Security Center Defender set to Off for Storage | Identifies that the Defender setting for Storage is set to Off in Azure Security Center. |
Azure Security Center Defender set to On for Azure SQL database servers | Identifies that the Defender setting for Azure SQL database servers is set to Off in Azure Security Center. |
Azure SQL Servers Firewall rule allow access to all IPV4 addresses | Identifies Azure SQL Servers that have a firewall rule allowing access from all IPv4 addresses. A firewall rule with a start IP of 0.0.0.0 and an end IP of 255.255.255.255 allows access to the SQL server from any host on the Internet. It is a best practice not to use this type of firewall rule on any SQL server. |
Azure Virtual machine NIC has IP forwarding enabled | Identifies Azure Virtual Machine NICs that have IP forwarding enabled. |
GCP GCR Container Vulnerability Scanning is disabled | Identifies GCP accounts where GCR Container Vulnerability Scanning is not enabled. It is a best practice to enable vulnerability scanning for images stored in Google Container Registry. |
GCP Kubernetes cluster shielded GKE node with Integrity Monitoring disabled | Identifies GCP Kubernetes cluster Shielded GKE nodes that do not have Integrity Monitoring enabled. Integrity Monitoring provides active alerting for Shielded GKE nodes, which allows administrators to respond to integrity failures and prevent compromised nodes from being deployed into the cluster. |
GCP Kubernetes cluster shielded GKE node with Secure Boot disabled | Identifies GCP Shielded GKE nodes with Secure Boot disabled. This allows attackers to alter boot components to persist malware or rootkits during system initialization. As a best practice, enable Secure Boot for Shielded GKE nodes to verify the digital signature of node boot components. |
GCP Kubernetes Engine cluster not using Release Channel for version management | Identifies GCP Kubernetes Engine clusters that are not using a Release Channel for version management. Subscribing to a specific release channel reduces version management complexity. |
GCP Kubernetes Engine cluster workload identity is disabled | Identifies GCP Kubernetes Engine clusters for which Workload Identity is disabled. Manual approaches to authenticating Kubernetes workloads violate the principle of least privilege on a multi-tenanted node when one pod needs access to a service but every other pod on the node that uses the same service account does not. Enabling Workload Identity manages the distribution and rotation of service account keys for the workloads to use. |
Policy Updates—RQL and Metadata
Policy Name | Description |
---|---|
AWS Application Load Balancer (ALB) listener that allow connection requests over HTTP | The policy RQL has been updated with the new nested RQL grammar to take advantage of RQL optimization. The policy name and recommendation steps have been updated to make it generic to the various ELBv2 types instead of ALB only. Impact—No impact on alerts. |
AWS Elastic Load Balancer v2 (ELBv2) Application Load Balancer (ALB) with access log disabled | The policy name and recommendation steps have been updated to make it generic to the various ELBv2 types instead of ALB only. Impact—No impact on alerts. |
AWS IAM policy allows full administrative privileges | The RQL is updated with the new nested RQL grammar and is optimized to evaluate multiple entries of policy statements for more accuracy. Policy recommendation steps are also updated. Updated RQL—The updated RQL is: Impact—With this change, open alerts that are no longer identified as policy violations will be resolved as Policy_Updated. |
GCP IAM primitive roles are in use | Identifies GCP IAM users with primitive roles. Primitive roles (owner/editor) existed prior to GCP IAM and provide broader access to resources, making them prone to attacks. Predefined roles provide more granular controls and should therefore be used. Updated RQL—The updated RQL is: Impact—With this change, default service accounts and Google-managed service accounts will now be excluded from alerts. |
Internet exposed instances policy name has been updated | The policy name has been updated to 'Instances exposed to network traffic from the internet' to differentiate Risk from Incident type policies. |
Publicly exposed DB Ports policy name has been updated | The policy name has been updated to 'DB ports exposed to network traffic from the internet' to differentiate Risk from Incident type policies. |
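As an added illustration of what the "AWS IAM policy allows full administrative privileges" and "AWS SQS queue access policy is overly permissive" checks evaluate, the following Python (example code written for this page, not Prisma Cloud's RQL) walks every statement of a policy document rather than stopping at the first, which is the point of the multi-statement evaluation mentioned in the policy update. The policy documents, account id and ARNs are constructed samples, and treating a statement with a Condition as acceptable is this example's own rule of thumb.

```python
"""
Added example, not Prisma Cloud's RQL: evaluates AWS policy documents for the
two conditions described above, an IAM policy that grants full administrative
privileges and an SQS queue access policy that is overly permissive. Every
statement in the document is checked, not only the first one. The policy
documents are constructed samples; the account id and ARNs are made up.
"""
from __future__ import annotations

import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list for Statement, Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard(value: Any) -> bool:
    return any(v == "*" for v in _as_list(value))


def _principal_is_anyone(principal: Any) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean any principal.
    if principal == "*":
        return True
    return isinstance(principal, dict) and _has_wildcard(principal.get("AWS"))


def _allow_statements(policy: dict) -> list[dict]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def grants_full_admin(policy: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*"."""
    return any(
        _has_wildcard(s.get("Action")) and _has_wildcard(s.get("Resource"))
        for s in _allow_statements(policy)
    )


def queue_policy_overly_permissive(policy: dict) -> bool:
    """True if any Allow statement lets any principal act without a Condition.

    A Condition (for example aws:SourceArn) scopes an otherwise anonymous
    grant, so statements carrying one are treated as acceptable here. That is
    this example's own rule of thumb, not the wording of the Prisma Cloud policy.
    """
    return any(
        _principal_is_anyone(s.get("Principal")) and not s.get("Condition")
        for s in _allow_statements(policy)
    )


# Constructed sample documents, parsed from JSON strings as the APIs return them.
# The second statement is the one that makes this policy fully administrative.
IAM_MIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["*"], "Resource": "*"}
  ]
}""")

# A single statement given as an object rather than a list is also valid.
IAM_SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
}""")

SQS_OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
                 "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue"}]
}""")

SQS_CONDITIONED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": "sqs:SendMessage",
                 "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
                 "Condition": {"ArnEquals": {"aws:SourceArn":
                               "arn:aws:sns:us-east-1:123456789012:example-topic"}}}]
}""")


if __name__ == "__main__":
    print("mixed policy grants full admin:", grants_full_admin(IAM_MIXED_POLICY))
    print("scoped policy grants full admin:", grants_full_admin(IAM_SCOPED_POLICY))
    print("open queue policy overly permissive:", queue_policy_overly_permissive(SQS_OPEN_POLICY))
    print("conditioned queue policy overly permissive:",
          queue_policy_overly_permissive(SQS_CONDITIONED_POLICY))
```

The normalisation in _as_list is what a single-statement check misses: Statement, Action and Resource can each be a scalar or a list, so a detector that only inspects Statement[0] or compares Action == "*" directly will pass the mixed policy above even though its second statement is unrestricted.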
Rest API Updates
Change | Description |
---|---|
Anomaly Trusted List APIs | The Anomaly Trusted List APIs support the following new trusted list types: As a result, the response objects for the following APIs include some new attributes: And the request objects for the following APIs include some new optional body parameters: The new attributes/parameters are in a nested object that describes the network anomaly trusted list entry. This nested object includes the following new attributes/parameters: |
New attributes for some Cloud Account and Account Group API response objects | The response objects for the following APIs now include some new attributes: The new attributes are in a nested object that describes the account group info. This nested object includes two new attributes: |
New Features Introduced in 21.1.1
New Features
Feature | Description |
---|---|
Support for CIS Microsoft Azure Foundations Benchmark v.1.2.0 | Prisma Cloud adds support for CIS Microsoft Azure Foundations Benchmark v.1.2.0, which includes policy checks for the following Azure services: Identity and Access Management, Security Center, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, Other Security Considerations, and AppService. |
Expanded Scope for Anomaly Trusted List | For a resource that is identified as the trigger or violating resource in an Anomaly alert, you can now suppress alerts for all traffic in which the IP address of the resource is involved as the source or the destination of the associated network flows. With this enhancement, when you add an IP address to the Anomalies Trusted List and specify the anomaly policies for which to suppress alerts, Prisma Cloud will not generate alerts for any network flow where the IP address is identified as the source or destination host. For example, anomaly policies that identify unusual activity using an unusual port or protocol previously allowed you to suppress alerts for the first targeted host (destination) only. The details for the first targeted host were displayed as the Resource Name associated with the Anomaly alert. If the same IP address was the client that originated the flow (the source host) rather than the destination, the alert was not suppressed. With this enhancement, all alerts for the policy are suppressed regardless of whether the IP address (the resource name identified in the Anomaly alert) is the client (source) or the target (destination) host. |
Bitbucket Server Plugin for Scanning IaC Templates | Try the new Bitbucket Server plugin to perform IaC scans on Bitbucket pull requests and check them against Prisma Cloud default policies or the custom policies that you define. This allows you to mitigate security and compliance risks in your DevOps processes and provides visibility into the scan results under Inventory DevOps. The Bitbucket Server plugin performs a full repository scan of the branch that the pull request was made on, and if policy violations exceed the severity-based criteria that you defined, the pull request is blocked. |
AWS CodePipelines IaC Scan Plugin Update | The AWS CodePipelines plugin is updated to support the IaC Scan v2 API, and it replaces custom actions with a simplified Docker-based CodeBuild solution. Custom actions are no longer supported. |
API Ingestion | AWS Direct Connect aws-direct-connect-interface. Additional permission required is: The Security Audit role includes the permission. |
API Ingestion | AWS Glue aws-glue-connection |
API Ingestion | Azure SQL Database azure-sql-server-list. Additional permissions required are: The Reader role includes the permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them. |
API Ingestion | Azure Security Center azure-security-center-settings. Additional permissions required are: The Reader role includes the permissions, and azure_prisma_cloud_read_only_role.json will be updated to include them. |
API Ingestion | Azure Storage azure-storage-account-list. No new permissions; the Reader role includes the required permissions. |
Updates to Existing Behavior
Feature | Description |
---|---|
Skip Ingestion of High Volume Audit Event Metadata from Azure | Owing to the amount of data generated for Azure activity logs (the RQL query event from cloud.audit_logs where cloud.type = 'azure'), the following event metadata will no longer be ingested on Prisma Cloud: |
New Policies and Policy Updates
New Policies
Policy Name | Description |
---|---|
AWS Elastic Load Balancer v2 (ELBv2) SSL negotiation policy configured with weak ciphers | Identifies Elastic Load Balancers v2 (ELBv2) that are configured for SSL negotiation with weak ciphers. As a best practice, use only the ciphers recommended in the AWS documentation. |
AWS Elastic Load Balancer v2 (ELBv2) with deletion protection feature disabled | Identifies Elastic Load Balancers v2 (ELBv2) that have the deletion protection feature disabled. Enabling deletion protection for these ELBs prevents irreversible data loss resulting from accidental or malicious operations. |
AWS IAM role/user with unused CloudTrail delete or full permission | Identifies IAM roles/users that have unused CloudTrail delete permission or CloudTrail full permissions. As a best practice, grant the least privilege needed to perform a task and limit unintended access to your critical CloudTrail infrastructure. |
AWS S3 buckets with overly permissive to VPC endpoints policy | Identifies S3 buckets whose bucket policy is overly permissive to VPC endpoints. As a best practice, follow the principle of least privilege to ensure that the VPC endpoints have only the necessary permissions instead of full permission on S3 operations. |
Azure App Services FTP deployment is all allowed | Identifies Azure App Services that have the FTP deployment setting as 'All allowed', because it increases the risk of attackers gaining full control of the app or service. As a best practice, use FTPS if FTP deployment is essential for your workflow; otherwise, disable FTP deployment for Azure App Services. |
Azure custom role administering resource locks not assigned | Identifies Azure Custom Roles for administering Resource Locks that are not assigned to any user. As a best practice, create a custom role for Resource Locks and assign it to the appropriate user. |
Azure Key Vault diagnostics logs are disabled | Identifies Azure Key Vaults that do not have diagnostics logs enabled. |
Azure PostgreSQL database server 'Allow access to Azure services' enabled | Identifies Azure PostgreSQL database servers that have the 'Allow access to Azure services' setting enabled and therefore accept connections from all Azure resources, including resources in other subscriptions. As a best practice, use firewall rules or VNET rules to allow access from specific network ranges or virtual networks. |
Azure Storage account encryption customer managed keys disabled | Identifies Azure Storage accounts that are not enabled for encryption using customer managed keys. By default, all data at rest in an Azure Storage account is encrypted using Microsoft Managed Keys. As a best practice, use customer managed keys to encrypt data in Azure Storage accounts. |
Azure Virtual Machines are not utilizing Managed Disks | Identifies Azure Virtual Machines that are not utilizing Managed Disks. This impacts alerts for virtual machines where traditional BLOB-based VHDs are used. |
Azure Virtual Machine scale sets are not utilizing managed disks | Identifies Azure Virtual Machine scale sets that are not utilizing Managed Disks. This policy generates alerts for all virtual machines that use traditional BLOB-based Virtual Hard Disks (VHDs). |
Policy Updates—RQL and Metadata
Policy Name | Description |
---|---|
Internet connectivity via TCP over insecure port | Updated RQL—The updated RQL is: Impact—Alerts generated for Azure and GCP ELB resources will be resolved as Policy_Updated. |
AWS default security group does not restrict all traffic | The policy description and recommendation steps have been updated to remove the word 'internet'. Impact—No impact to existing alerts. |
AWS EKS cluster security group overly permissive to all traffic | Impact—No impact to existing alerts. |
AWS Security Group overly permissive to all traffic | Impact—Existing open alerts will be resolved as Policy_Updated for protocol -1 (all), and new alerts will be generated using the revised query. |
AWS Security Group allows all traffic on ports which are not commonly used | Impact—No impact to existing alerts. |
AWS security groups with inbound rule overly permissive to all traffic | Impact—No impact to existing alerts. |
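The two Azure database firewall policies on this page, "Firewall rule allow access to all IPV4 addresses" (for SQL Servers and PostgreSQL Database Servers, in the 21.1.2 notes) and "Azure PostgreSQL database server 'Allow access to Azure services' enabled" (above), both come down to inspecting the start and end address of each server-level firewall rule. The following Python is an added example written for this page, not Prisma Cloud's RQL: the rules, server names and rule names are constructed samples; the 0.0.0.0-to-0.0.0.0 convention for "Allow Azure services" comes from Azure's own documentation rather than from this page; and the extra "overly-broad" threshold for ranges that stop just short of the whole IPv4 space is this example's own heuristic.

```python
"""
Added example, not Prisma Cloud's RQL: audits Azure SQL and PostgreSQL server
firewall rules for the conditions behind the "Firewall rule allow access to
all IPV4 addresses" policies and the PostgreSQL "'Allow access to Azure
services' enabled" policy. Rules are constructed samples shaped like Azure's
start/end address pairs; server and rule names are made up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPV4_ADDRESS_COUNT = 2 ** 32
# Threshold for flagging very wide ranges that stop short of the full space.
# This cut-off (more than a /8) is this example's own choice, not Prisma's.
BROAD_RANGE_THRESHOLD = 2 ** 24


@dataclass(frozen=True)
class FirewallRule:
    server: str
    name: str
    start_ip: str
    end_ip: str


# Constructed sample rules. Azure's documented convention is that a rule whose
# start and end address are both 0.0.0.0 represents "Allow Azure services and
# resources to access this server" (named AllowAllWindowsAzureIps in Azure).
SAMPLE_RULES = [
    FirewallRule("sql-example-1", "AllowAll", "0.0.0.0", "255.255.255.255"),
    FirewallRule("pg-example-2", "AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    FirewallRule("sql-example-3", "office", "203.0.113.10", "203.0.113.20"),
    FirewallRule("sql-example-3", "almost-all", "0.0.0.0", "255.255.255.254"),
]


def classify(rule: FirewallRule) -> str:
    """Classify one rule by the address span it opens."""
    start = int(ipaddress.IPv4Address(rule.start_ip))
    end = int(ipaddress.IPv4Address(rule.end_ip))
    if end < start:
        raise ValueError(f"{rule.server}/{rule.name}: end address precedes start address")
    if start == 0 and end == 0:
        return "allow-azure-services"
    span = end - start + 1
    if span == IPV4_ADDRESS_COUNT:
        # Exactly the 0.0.0.0 - 255.255.255.255 rule the policy text describes.
        return "open-to-internet"
    if span > BROAD_RANGE_THRESHOLD:
        # Would evade a literal 0.0.0.0/255.255.255.255 match but is still
        # effectively open; flagged by this example's extra heuristic.
        return "overly-broad"
    return "scoped"


def findings(rules: list[FirewallRule]) -> dict[str, list[str]]:
    """Map each server to its rules that should raise an alert."""
    result: dict[str, list[str]] = {}
    for rule in rules:
        verdict = classify(rule)
        if verdict != "scoped":
            result.setdefault(rule.server, []).append(f"{rule.name}: {verdict}")
    return result


if __name__ == "__main__":
    for server, issues in findings(SAMPLE_RULES).items():
        print(server, issues)
```

The "almost-all" rule is the reason for the extra heuristic: a check that only matches the literal 0.0.0.0 to 255.255.255.255 pair, as the policy text describes, is silent on a rule that ends one address earlier yet still admits the whole Internet in practice.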
Rest API Updates
Change | Description |
---|---|
Infrastructure-As-Code (IaC) Scan APIs Version 2 | Two new IaC Scan APIs are available: |
New query parameters for some Cloud Account and Account Group APIs | The following APIs have new query parameters to offer more control over API performance: In support of these options, the response object for GET /cloud/group/{id} includes new attributes related to the cloud accounts with which the requested account group is associated. |