Features Introduced in June 2021

New Features

FEATURE
DESCRIPTION
Condition support for IAM Security
The IAM Security module now supports conditions, so you can filter on policy conditions when you use the "config from iam where" query.
For example, you can look for a specific condition within the JSON metadata:
config from iam where source.public = true AND grantedby.cloud.policy.condition('aws:SourceIp', 'IpAddress') exists
A range of RQL operators are supported to filter results.
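As an added example (not part of the release notes or of Prisma Cloud's own code), the following Python walks an IAM policy document the way the query above does: it finds public Allow statements and reports whether each one carries the aws:SourceIp condition under the IpAddress operator. The bucket policy is constructed for the example, and the normalisation of ForAnyValue:/ForAllValues: prefixes and the IfExists suffix is an assumption about what you want treated as a match.

```python
import json

# Constructed sample bucket policy (not from the page): one public statement
# limited by an aws:SourceIp condition, one public statement with no condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadFromOffice", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")


def is_public(statement):
    """True when the statement grants to everyone: Principal "*" or {"AWS": "*"}."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def condition_exists(statement, key, operator):
    """True when the statement's Condition block has `key` under `operator`.

    Condition keys are case-insensitive, and the operator may carry a
    ForAnyValue:/ForAllValues: prefix or an IfExists suffix; both are
    normalised to the base operator name before comparing (assumption).
    """
    for op, kv in statement.get("Condition", {}).items():
        base = op.split(":", 1)[-1].removesuffix("IfExists")
        if base.lower() == operator.lower() and any(k.lower() == key.lower() for k in kv):
            return True
    return False


def public_grants(policy, key="aws:SourceIp", operator="IpAddress"):
    """Map each public Allow statement's Sid to whether it carries the condition.

    A False entry is the risky case: public access with no source restriction.
    """
    return {
        s.get("Sid", f"stmt{i}"): condition_exists(s, key, operator)
        for i, s in enumerate(policy["Statement"])
        if s.get("Effect") == "Allow" and is_public(s)
    }
```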
Support for Onboarding Azure Resource Hierarchy
You can now build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy.
Prisma Cloud supports the ability to onboard all or a subset of cloud resources based on how they are grouped under management groups and subscriptions.
This capability is available across all Azure Commercial, Government, and China regions.
Addition of Non-Onboarded Account IDs to an Account Group
If you have an Alibaba, AWS, Azure, or GCP account that is not being monitored on Prisma Cloud, you can manually add the Account IDs as a string to an existing account group or to a new account group. These accounts, called Non-Onboarded Account IDs, are then available for users who have access to the Compute tab. You can assign these accounts to roles and enable granular access to data and configuration on the Compute tab.
Granular RBAC for Prisma Cloud Roles
For the existing Prisma Cloud administrator roles, the following enhancements are now available:
  • Ability to select account groups for Cloud Provisioning Admin.
  • Ability to assign resource lists (or Collections) for Account and Cloud Provisioning Admin, Account Group Admin, Account Group Read Only, and Build and Deploy Security.
  • Ability to view data collected from Prisma Cloud Defenders deployed On-prem/Other cloud providers. This includes cloud environments other than AWS, Azure, GCP, and Alibaba clouds, for the Account and Cloud Provisioning Admin and the Account Group Admin roles.
Resource List for Compute Access Group
The Compute Access Group resource list provides you the ability to enable granular access to a specified list of Compute workloads or resources such as images, code repositories, or hosts, instead of granting access to all resources within an account. When you create a resource list on Prisma Cloud (Settings > Resource Lists), you can assign it to a role. The workloads that match the criteria you include in the list are within scope and accessible to the user who is assigned to the role.
On Prisma Cloud Compute, this resource list is referred to as an assigned collection that allows the user to view data on the resources to which you assigned access.
The resource list is automatically added to the list of Collections (Manage > Collections and Tags > Collections). Although the Resource List for Compute Access Group is included in the list of collections, you cannot edit it on the Compute tab or use it when you add or edit rules for enforcing security checks on your resources.
Limited GA
Alert Notifications for All States
Prisma Cloud can now send notifications to external integrations for all states (Open, Dismissed, Resolved, Snoozed) when the status of an alert changes.
This feature requires the alerts version 2.0 subsystem and is in Limited GA; you can reach out to Prisma Cloud Customer Success if you want to try it on your Prisma Cloud instance.
All integrations except Jira and Cortex XSOAR support notifications for all states.
Update
Alert Notifications to External Integrations
If you have configured Prisma Cloud to send alert notifications to any external integration such as email or Splunk, the URL in the notification link is formatted differently. The link includes the selected filters as an array, instead of as a string, in the query. For example:
Previous behavior:
alerts/overview#alert.status=open&policy.name=${value}
New behavior:
alerts/overview#alert.status[]=open&policy.name[]=${value}
With this change, all links from notifications that were sent previously will no longer work.
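An added example, not from the page or from Prisma Cloud: a Python helper that rewrites a stored pre-change notification link into the new array-style fragment, plus a parser that reads the filters from either form, for integrations (ticketing, SIEM) that kept the old links. The hostname is a placeholder and the sample link is constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Constructed old-style link; the hostname is a placeholder, not a real tenant.
OLD_LINK = "https://app.prismacloud.example/alerts/overview#alert.status=open&policy.name=My%20Policy"


def convert_alert_link(url):
    """Rewrite an old notification link to the array-style fragment.

    Every filter key in the fragment becomes `key[]`; keys already in array
    form are left alone, so the function is safe to run on mixed stores.
    Returns the URL unchanged when it has no fragment.
    """
    parts = urlsplit(url)
    if not parts.fragment:
        return url
    pairs = parse_qsl(parts.fragment, keep_blank_values=True)
    converted = [(k if k.endswith("[]") else k + "[]", v) for k, v in pairs]
    # Keep the brackets literal and encode spaces as %20, as in the examples above.
    fragment = urlencode(converted, safe="[]", quote_via=quote)
    return urlunsplit(parts._replace(fragment=fragment))


def parse_alert_filters(url):
    """Read the filters from a link in either the old or the new form.

    Returns {filter_name: [values...]}; the trailing `[]` is stripped so both
    link generations decode to the same structure.
    """
    filters = {}
    for k, v in parse_qsl(urlsplit(url).fragment, keep_blank_values=True):
        filters.setdefault(k[:-2] if k.endswith("[]") else k, []).append(v)
    return filters
```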
API Ingestion
Amazon S3
aws-s3-access-point
Additional permissions required:
s3:GetAccessPoint
s3:GetAccessPointPolicyStatus
s3:GetAccessPointPolicy
The Security Audit role includes these permissions.
Azure Active Directory Domains
azure-active-directory-custom-domain
Additional permission required:
Domain.Read.All
Support for AWS Milan
Prisma Cloud can now ingest data for the AWS Milan region.
To review a list of supported regions, select Inventory > Assets > Cloud Region.

Change in Default Behavior

Feature
Change in Behavior
Automated Remediation
As announced in the 21.5.1 release notes, Prisma Cloud is rolling out Alerts 2.0, and the automated remediation behavior is different, depending on whether you are on the alert subsystem version 1.0 or 2.0:
  • Alerts 2.0—When you enable auto-remediation on version 2.0, all applicable open alerts, regardless of when they were generated, are fixed, and the alert status is updated to Resolved.
  • Alerts 1.0—When you enable auto-remediation on version 1.0, the CLI commands are only executed for resources where alerts were generated or updated in the last 24 hours. Alerts that were generated before the 24-hour period will not be auto remediated.
To identify the alerts subsystem version, check Alerts > Overview. If the Version: 2 label displays on the top right above the Search box, you are not on version 1.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS IAM configuration updates invoked from Pentoo Linux machine
Identifies AWS IAM configuration updates invoked from the Pentoo Linux machine. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'pentoo'
AWS IAM configuration updates invoked from Parrot Security Linux machine
Identifies AWS IAM configuration updates invoked from the Parrot Security Linux machine. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'parrot'
AWS IAM configuration updates invoked from Kali Linux machine
Identifies AWS IAM configuration updates invoked from the Kali Linux machine. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'kali'
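An added example rather than Prisma Cloud code: the detection behind the three policies above expressed in Python over constructed CloudTrail-style records, so you can run the same check against an exported trail or a SIEM extract. It restricts to iam.amazonaws.com as the policies do and matches case-insensitively, which is an assumption about the desired behaviour, not a statement about how RQL contains compares.

```python
# Constructed CloudTrail-style records (not real data): two IAM calls from
# pentest-distro user agents, one IAM call from a regular Ubuntu host, and one
# S3 call from a Kali box that the policies above deliberately do not cover.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userAgent": "aws-cli/2.2.10 Python/3.9.5 Linux/5.10.0-kali7-amd64 exe/x86_64.kali.2021",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userAgent": "Boto3/1.17.0 Python/3.9.2 Linux/5.10.0-parrot-amd64 Botocore/1.20.0",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userAgent": "aws-cli/2.2.10 Python/3.9.5 Linux/5.4.0-1045-aws exe/x86_64.ubuntu.20",
     "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Admin"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userAgent": "aws-cli/1.19.0 Python/3.9.2 Linux/5.10.0-kali7-amd64 botocore/1.20.0",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
]

# The same substrings the three RQL policies look for in userAgent.
DISTRO_MARKERS = ("pentoo", "parrot", "kali")


def pentest_distro_iam_events(events, markers=DISTRO_MARKERS):
    """Return one finding per IAM API call whose userAgent names a pentest distro.

    Only events with eventSource iam.amazonaws.com are considered, mirroring the
    cloud.service filter in the policies. Substring matching is case-insensitive
    (assumption). Each finding carries the fields an analyst triages first.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        ua = ev.get("userAgent", "").lower()
        hit = next((m for m in markers if m in ua), None)
        if hit is None:
            continue
        findings.append({
            "distro": hit,
            "eventName": ev.get("eventName"),
            "actor": ev.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
        })
    return findings
```

Because userAgent is supplied by the client, treat a hit as a triage signal to correlate with the source IP and identity rather than as proof of the distribution in use.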
Policy Updates—RQL and Metadata
AWS Lambda Environment Variables not encrypted at-rest using CMK
Recommendation update—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact—No impact on alerts.
AWS Elastic Load Balancer (Classic) with access log disabled
Recommendation update—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact—No impact on alerts.
AWS Lambda Function is not assigned to access within VPC
Recommendation update—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact—No impact on alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for CIS GCP v.1.2.0
Prisma Cloud supports CIS Google Cloud Platform Foundation Benchmark v.1.2.0, which includes policy checks for the following GCP services:
  1. Identity and Access Management
  2. Logging and Monitoring
  3. Networking
  4. Virtual Machines
  5. Storage
  6. Cloud SQL Database Services
  7. BigQuery
Impact—v1.2.0 supersedes v1.1.0; v1.1.0 is deprecated and support will be removed in a future release.

REST API Updates

CHANGE
DESCRIPTION
Prisma Cloud API Endpoints for Azure Management Groups
New Prisma Cloud API endpoints are available to help you visualize the management group hierarchy of your onboarded Azure tenant.
The following endpoint lists the Azure management groups and subscriptions under a given parent:
  • POST /cloud-accounts-manager/v1/cloudAccounts/azureAccounts/{parent_id}/children
The following endpoint lists the ancestors of a given list of Azure management groups and/or subscriptions:
  • POST /cloud-accounts-manager/v1/cloudAccounts/azureAccounts/{account_id}/ancestors
Update
Cloud Workload Protection Platform (CWPP) API
Starting on June 14, 2021, the API reference for Compute (CWPP capabilities on Prisma Cloud) will include only stable endpoints.