Features Introduced in March 2021
New Features Introduced in 21.3.2
New Features
FEATURE | DESCRIPTION |
---|---|
API Ingestion | Azure Active Directory
azure-active-directory-credential-user-registration-details
Additional permissions required:
azure-active-directory-group-members
Additional permissions required:
Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory. |
Amazon ECS
aws-ecs-cluster
Additional permissions required:
These permissions are included in the Security Audit role. | |
AWS VPC
aws-vpc-transit-gateway-attachment
Additional permissions required:
These permissions are included in the Security Audit role. | |
Update API Ingestion—Kubernetes Audit Logs for GKE Clusters | Prisma Cloud no longer ingests audit log events for GKE clusters. If you have an RQL query to find all events for Kubernetes audit logs such as:
Prisma Cloud will no longer display results on the Investigate page. |
Permissions Update for Account Group
Read Only | An administrator with a role associated with
the Account Group Read Only permission group
can save RQL search queries they use on the Investigate page
as well as create new compliance reports for the designated accounts
within the context of their role. Additionally they can view, edit,
and delete their own saved RQL queries and compliance reports and
ones belonging to other administrators with the same role. |
New Policies and Policy Updates
POLICY NAME | DESCRIPTION |
---|---|
New Policies | GCP Log bucket retention policy
is not configured using bucket lock —Identifies GCP log
buckets for which the retention policy is not configured using bucket
lock.
|
GCP Log bucket retention policy
not enabled —Identifies GCP log buckets for which retention
policy is not enabled to store the activity logs for forensics and
security investigations.
| |
GCP firewall rule logging disabled —Identifies
GCP firewall rules that are not configured with firewall rule logging
to enable auditing with a connection record to log each time the
rule allows or denies traffic.
| |
Policy Updates—RQL and Metadata | AWS Elastic Load Balancer v2 (ELBv2) listener that allows connection requests over HTTP
The Policy RQL has been updated to exclude HTTP listeners that redirect traffic to HTTPS listeners.
Updated RQL —The updated RQL is:
Impact —Previously generated alerts for ELBs configured with redirection to HTTPS listeners will be resolved as Policy_Updated. |
The following four policies have been updated:
Instances exposed to network traffic from the Internet
Updated description —Identifies network traffic coming from the Internet to sensitive cloud workloads.
Updated RQL —The updated RQL is:
Impact —Alerts generated for Azure and GCP ELBs will be resolved as Policy_Updated.
DB ports exposed to network traffic from the Internet
Updated description —Identifies network traffic coming from the Internet to sensitive DB Servers.
Updated RQL —The updated RQL is:
Impact —Alerts generated for Azure and GCP ELBs will be resolved as Policy_Updated.
Instance is communicating with ports known to mine Ethereum
Updated description —Identifies network traffic on ports 8545 and 30303 from internal workloads to Internet IPs that are known to mine Ethereum. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
Updated RQL —The updated RQL is:
Impact —Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated.
Instance is communicating with ports known to mine Bitcoin
Updated description —Identifies network traffic from internal workloads to Internet IPs on ports 8332 and 8333 that are known to mine Bitcoins. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
Updated RQL —The updated RQL is:
Impact —Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated. | |
AWS Network ACLs allow ingress traffic to server administration ports
The policy description is updated.
Impact —No impact on alerts. | |
OCI File Storage File System Export is publicly accessible
The policy name is updated to remove the extra space at the end.
Impact —No impact on alerts. | |
Policy Deletion | AWS KMS sensitive delete configuration updates
This policy is deleted to eliminate potential performance issues based on your resource configuration.
Impact —All alerts generated for this policy will be resolved as Policy_Deleted. This change may have a high impact on the number of resolved alerts. |
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
General Personal Data Protection Act (LGPD) | Prisma Cloud provides compliance support
for the General Personal Data Protection Act (LGPD) on AWS, GCP,
and Azure. LGPD is Brazil's data protection law that contains over
40 different statutes that govern the use of personal data, both
online and offline. |
Support for CIS Alibaba Benchmark v.1.0.0 | The Alibaba Cloud services in scope for CIS Alibaba
Benchmark v.1.0.0 include:
|
CIS Azure Benchmark v.1.3.0 | The CIS Azure Benchmark v.1.3.0 is updated
to map the following Policy IDs to the relevant sections:
|
MITRE ATT&CK v8.2 Cloud Matrix for Enterprise | The MITRE ATT&CK framework in Prisma Cloud is updated to support the MITRE ATT&CK v8.2 version of the framework. Prisma Cloud adds the new sub-techniques supported on the framework and more policy mappings for improved coverage.
Updated: The currently supported MITRE ATT&CK framework that was released as a beta is renamed MITRE ATT&CK v6.3. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
A Data Security Inventory API returns additional
data | The response object for the following API now
includes resource RRN and object RRN:
|
Notification Template API requests to add or update a notification template have request parameter restrictions | Notification template names do not support special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’), and the total length of the name can be 99 characters. These restrictions affect request parameters for the following APIs:
If you use the unsupported characters, the error message in the Prisma Cloud management console and API indicates that the template name is invalid. |
New Features Introduced in 21.3.1
New Features
Feature | Description |
---|---|
Suppress Anomaly Alerts for Trusted Ports | Add one or more ports to the Anomaly Trusted List and suppress alerts generated for the specified ports. To add a new port, select Settings > Anomaly Settings > Anomaly Trusted List > +Add New Port. |
New Table Format | Enjoy the new table view on the Investigate page. The
classic table view is no longer available. |
API Ingestion | Azure Active Directory
azure-active-directory-authorization-policy
Additional permissions required:
|
Google Access Context Manager
gcloud-access-policy
Additional permission required:
This permission is part of the Project Viewer role, and is required to reduce the error rate for this API on GCP. | |
Google Web Security Scanner
gcloud-web-security-scan-config
Additional permission required:
This permission is a part of the Web Security Scanner Viewer role. | |
Google Compute Engine
gcloud-compute-addresses
Additional permission required:
This permission is part of the Viewer role. | |
Update Permission Update for
Google Cloud SCC Integration | For the
Google Cloud SCC integration, the service account that you use to
onboard the GCP organization must include the following permission:
|
New Compliance Benchmarks and Updates
Compliance Benchmark | Description |
---|---|
New CIS Azure v.1.3.0 New Compliance | The CIS Microsoft Azure Foundations Benchmark
v.1.3.0 includes the following Azure services:
|
New Cybersecurity Maturity Model Certification (CMMC) | Prisma Cloud adds support for the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), AWS, Azure and GCP. The model framework organizes these processes and practices into a set of domains and maps them across five levels.
|
CIS Oracle Cloud Infrastructure Foundations
Benchmark v1.0.0 | The CIS Oracle Cloud Infrastructure Foundations
Benchmark v1.0.0 includes the following OCI services:
|
CIS Amazon Web Services Foundations Benchmark
V.1.3.0 | The CIS Benchmark has been updated to map
default policies to the relevant sections. The detailed information
is as follows:
|
CIS Google Cloud Platform Foundation Benchmark
V.1.1.0 | The CIS Benchmark has been updated to map
default policies to the relevant sections. The detailed information
is as follows:
|
CIS Google Kubernetes Engine (GKE) Benchmark
V.1.1.0 | The CIS Benchmark has been updated to map
default policies to the relevant sections. The detailed information
is as follows:
|
New Policies and Policy Updates
New Policies and Policy Updates | |
---|---|
New Policies | Azure Container registries Public access to All networks is enabled
Identifies Azure Container registries that are enabled for Public access to all networks.
|
Azure Function App authentication is off
Identifies Azure Function Apps that have authentication disabled.
| |
Azure Function App client certificate is disabled
Identifies Azure Function Apps on which client certificates are disabled.
| |
Azure Function App doesn't have a Managed Service Identity
Identifies Azure Function Apps which do not have a Managed Service Identity.
| |
Azure Function App doesn't use HTTP 2.0
Identifies Azure Function Apps which do not use HTTP 2.0.
| |
Azure Function App doesn't use latest TLS version
Identifies Azure Function Apps which do not use the latest TLS version.
| |
Azure Function App doesn't redirect HTTP to HTTPS
Identifies Azure Function Apps which do not redirect HTTP to HTTPS.
| |
New Kubernetes policies used for scanning
IaC templates:
| |
Policy Updates—RQL and Metadata | AWS Default Security Group does not restrict all traffic
This policy description has been updated.
Impact —None. Does not affect any existing alerts for the policy. |
The following Azure App Service policies have updated RQL that monitors the Azure webapp only, and excludes Azure Function apps:
Impact —All open alerts for Azure Function apps that were triggered by these policies will be marked as Resolved.
| |
| |
The following policies have been updated to
remove the em dash — in the description or
recommendation because it caused encoding issues when viewing the
CSV file in some text editors.
Impact —None.
Does not affect any existing alerts for the policy. | |
The following Kubernetes policies have been
updated:
| |
The following policies have updated RQL:
These policies should not alert for the GKE instances. Since there is no provision to configure the remediation steps for GKE instances, the fix is to filter out the GKE instances with updated RQL.
Impact Resolved . | |
Deleted Policies | The following policies will be deleted because
the gcloud-api-key has been removed
on the Google Cloud Platform.
Impact Resolved . |
The following Kubernetes policy has been deleted:
|
REST API Updates
Change | Description |
---|---|
Anomaly Trusted List types | The anomaly trusted list now supports a new
trusted list type: port . |