1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2021
    7. Features Introduced in March 2021

    Features Introduced in March 2021

    New Features

    FEATURE
    DESCRIPTION
    API Ingestion
    Azure Active Directory
    azure-active-directory-credential-user-registration-details
    Additional permissions required:
    Reports.Read.All
    azure-active-directory-group-members
    Additional permissions required: 
    GroupMember.Read.All
    Group.Read.All
    Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
    Amazon ECS
    aws-ecs-cluster
    Additional permissions required:
    ecs:describeCluster
    These permissions are included in the Security Audit role.
    AWS VPC
    aws-vpc-transit-gateway-attachment
    Additional permissions required:
    ec2:DescribeTransitGatewayAttachments
    These permissions are included in the Security Audit role.
    Update
    API Ingestion—Kubernetes Audit Logs for GKE Clusters
    Prisma Cloud no longer ingests audit log events for GKE clusters. If you have an RQL query to find all events for Kubernetes audit logs such as:
    event from cloud-audit_logs where cloud.type= 'gcp' AND cloud.service = 'k8s.io'
    Prisma Cloud will no longer display results on the Investigate page.
    Permissions Update for Account Group Read Only
    An administrator with a role associated with the
    Account Group Read Only
     permission group can save RQL search queries they use on the
    Investigate
     page as well as create new compliance reports for the designated accounts within the context of their role. Additionally they can view, edit, and delete their own saved RQL queries and compliance reports and ones belonging to other administrators with the same role.

    New Policies and Policy Updates

    POLICY NAME
    DESCRIPTION
    New Policies
    GCP Log bucket retention policy is not configured using bucket lock
    —Identifies GCP log buckets for which the retention policy is not configured using bucket lock.
    config from cloud.resource where api.name = 'gcloud-logging-sinks-list' AND json.rule = 'destination.bucket exists' as X; config from cloud.resource where api.name = 'gcloud-storage-buckets-list' AND json.rule = (retentionPolicy.isLocked does not exist or retentionPolicy.isLocked is false) as Y; filter '($.X.destination.bucket contains $.Y.name)'; show Y;
    GCP Log bucket retention policy not enabled
    —Identifies GCP log buckets for which retention policy is not enabled to store the activity logs for forensics and security investigations.
    config from cloud.resource where api.name = 'gcloud-logging-sinks-list' AND json.rule = 'destination.bucket exists' as X; config from cloud.resource where api.name = 'gcloud-storage-buckets-list' AND json.rule = (retentionPolicy does not exist ) as Y; filter '($.X.destination.bucket contains $.Y.name)'; show Y;
    GCP firewall rule logging disabled
    —Identifies GCP firewall rules that are not configured with firewall rule logging to enable auditing with a connection record to log each time the rule allows or denies traffic.
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = logConfig.enable is false
    Policy Updates—RQL and Metadata
    AWS Elastic Load Balancer v2 (ELBv2) listener that allows connection requests over HTTP
    The Policy RQL has been updated to exclude HTTP listeners that redirect traffic to HTTPS listeners.
    Updated RQL
    —The updated RQL is:
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
    Impact
    —Previously generated alerts for ELBs configured with redirection to HTTPS listeners will be resolved as Policy_Updated.
    The following four policies have been updated:
    Instances exposed to network traffic from the Internet
    Updated description
    —Identifies network traffic coming from the Internet to sensitive cloud workloads.
    Updated RQL
    —The updated RQL is:
    network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB', 'AZURE ELB', 'GCP ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) AND accepted.bytes > 0
    Impact
    —Alerts generated for Azure and GCP ELBs will be resolved as 'Policy_Updated'.
    DB ports exposed to network traffic from the Internet
    Updated description
    —Identifies network traffic coming from the Internet to sensitive DB Servers.
    Updated RQL
    —The updated RQL is:
    network from vpc.flow_record where src.publicnetwork in ('Suspicious IPs','Internet IPs') and dest.port in (1433, 1521, 3306, 5000, 5432, 5984, 6379, 6380, 8080, 9042, 11211, 27017, 28015, 29015, 50000) AND dest.resource IN ( resource where role not in ( 'AWS ELB', 'AWS NAT Gateway', 'AZURE ELB', 'GCP ELB' )) AND accepted.bytes > 0
    Impact
    —Alerts generated for Azure and GCP ELBs will be resolved as Policy_Updated.
    Instance is communicating with ports known to mine Ethereum
    Updated description
    —Identifies network traffic on ports 8545 and 30303 from internal workloads to Internet IPs that are known to mine Ethereum. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
    Updated RQL
    —The updated RQL is:
    network from vpc.flow_record where dest.port IN (8545,30303) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and src.resource IN ( resource where role not in ( 'AWS NAT Gateway', 'AWS ELB', 'AZURE ELB', 'GCP ELB')) AND accepted.bytes > 0
    Impact
    —Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated.
    Instance is communicating with ports known to mine Bitcoin
    Updated description
    —Identifies network traffic from internal workloads to internet IPs on ports 8332 and 8333 that are known to mine Bitcoins. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
    Updated RQL
    —The updated RQL is:
    network from vpc.flow_record where dest.port IN (8332,8333) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and src.resource IN ( resource where role not in ( 'AWS NAT Gateway', 'AWS ELB', 'AZURE ELB', 'GCP ELB')) AND accepted.bytes > 0
    Impact
    —Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated.
    AWS Network ACLs allow ingress traffic to server administration ports
    The policy description is updated.
    Impact
    —No impact on alerts.
    OCI File Storage File System Export is publicly accessible
    The policy name is updated to remove the extra space at the end.
    Impact
    —No impact on alerts.
    Policy Deletion
    AWS KMS sensitive delete configuration updates
    This policy is deleted to eliminate potential performance issues based on your resource configuration.
    Impact
    —All alerts generated for this policy will be resolved as Policy_Deleted. This change may have a high impact on number of resolved alerts.

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    General Personal Data Protection Act (LGPD)
    Prisma Cloud provides compliance support for the General Personal Data Protection Act (LGPD) on AWS, GCP, and Azure. LGPD is Brazil's data protection law that contains over 40 different statutes that govern the use of personal data, both online and offline.
    Support for CIS Alibaba Benchmark v.1.0.0
    The Alibaba Cloud services in scope for CIS Alibaba Benchmark v.1.0.0 include:
    1. Identity and Access Management
    2. Logging and Monitoring
    3. Networking
    4. Virtual Machines
    5. Storage
    6. Relational Database Services
    7. Kubernetes Engine
    8. Security Center
    CIS Azure Benchmark v.1.3.0
    The CIS Azure Benchmark v.1.3.0 is updated to map the following Policy IDs to the relevant sections:
    • Requirement—2.9
    • Section—Azure Security Center WDATP integration Disabled
    • Policy—b7a63b07-551a-4813-82f5-f47b8428e0b3
    • Requirement—2.10
    • Section—Azure Security Center MCAS integration Disabled
    • Policy—470796d2-3ed6-40a3-b26a-e882afce4090
    • Requirement—3.8
    • Section—Azure Storage accounts soft delete is disabled
    • Policy—f5a29936-659e-48a8-8110-783411bf6a9c
    • Requirement—4.2.2
    • Section—Azure SQL Server ADS Vulnerability Assessment is disabled
    • Policy—b805e5f2-8479-4197-82ce-9d8fcdf38a44
    • Requirement—4.2.3
    • Section—Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled
    • Policy—aa62cb1d-2bcb-478b-af5c-62462f8a6cba
    • Requirement—4.2.4
    • Section—Azure SQL Server ADS Vulnerability Assessment 'Send scan reports to' is not configured
    • Policy—bfff252d-3f21-4115-978d-e1a48d8ae19c
    • Requirement—4.2.5
    • Section—Azure SQL Server ADS Vulnerability Assessment 'Also send email notifications to admins and subscription owners' is disabled
    • Policy—2d9ff413-f69f-484e-ba55-22ab6333c249
    • Requirement—5.1.1
    • Section—Azure Monitoring log profile is not configured to export activity logs
    • Policy—ebdba5a4-af9e-4015-a024-e8eb650e3be3
    • Requirement—5.1.3
    • Section—Azure Storage account container storing activity logs is publicly accessible
    • Policy—8a2315b0-70b9-477b-bd5c-41cb92a7b726
    • Requirement—5.1.4
    • Section—Azure Storage Account Container with Activity log has BYOK encryption disabled
    • Policy—217f8556-ccdb-4746-b4b7-2237298c81f1
    • Requirement—5.1.5
    • Section—Azure Key Vault audit logging is disabled
    • Policy—56bfe7bb-ef47-4252-a335-9751a4826609
    • Requirement—6.6
    • Section—Azure Network Security Group having Inbound rule overly permissive to all traffic on UDP protocol
    • Policy—d979e854-a50d-11e8-98d0-529269fb1459
    MITRE ATT&CK v8.2 Cloud Matrix for Enterprise
    The MITRE ATT&CK framework in Prisma Cloud is updated to support the MITRE ATT&CK v8.2 version of the framework.
    Prisma Cloud adds the new sub-techniques supported on the framework and more policies mappings for improved coverage.
    Updated
     The currently supported MITRE ATT&CK framework that was released as a beta is renamed MITRE ATT&CK v6.3.

    REST API Updates

    CHANGE
    DESCRIPTION
    A Data Security Inventory API returns additional data
    The response object for the following API now includes resource RRN and object RRN:
    • POST /dlp/api/v1/inventory/objects/aggregate
    Notification Template API requests to add or update a notification template have request parameter restrictions
    Notification template names do not support special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’), and the total length of the name can be 99 characters. These restrictions affect request parameters for the following APIs:
    • POST /notification/template
    • PUT /notification/template/{id}
    If you use the unsupported characters, the error message in the Prisma Cloud management console and API indicate that the template name is invalid.

    New Features

    Feature
    Description
    Suppress Anomaly Alerts for Trusted Ports
    Add one or more ports to the Anomaly Trusted list and suppress alerts generated for the specified ports.
    To add a new port, select
    Settings
    Anomaly Settings
    Anomaly Trusted List
    +Add New
    Port
    .
    New Table Format
    Enjoy the new table view on the
    Investigate
     page. The classic table view is no longer available.
    API Ingestion
    Azure Active Directory
    azure-active-directory-authorization-policy
    Additional permissions required: 
    Policy.Read.All
    Google Access Context Manager
    gcloud-access-policy
    Additional permission required:
    accesscontextmanager.policies.list
    This permission is part of the Project Viewer role, and is required to reduce the error rate for this API on GCP.
    Google Web Security Scanner
    gcloud-web-security-scan-config
    Additional permission required:
    cloudsecurityscanner.scans.list
    This permission is a part of the Web Security Scanner Viewer role.
    Google Compute Engine
    gcloud-compute-addresses
    Additional permission required:
    compute.addresses.list
    This permission is part of the Viewer role.
    Update
     Permission Update for Google Cloud SCC Integration
    For the Google Cloud SCC integration, the service account that you use to onboard the GCP organization must include the following permission: 
    iam.serviceAccounts.signJwt

    New Compliance Benchmarks and Updates

    Compliance Benchmark
    Description
    New
    CIS Azure v.1.3.0 New Compliance
    The CIS Microsoft Azure Foundations Benchmark v.1.3.0 includes the following Azure services:
    1. Identity and Access Management
    2. Security Center
    3. Storage Accounts
    4. Database Services
    5. Logging and Monitoring
    6. Networking
    7. Virtual Machines
    8. Other Security Considerations
    9. AppService
    New
    Cybersecurity Maturity Model Certification (CMMC)
    Prisma Cloud adds support for the Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), AWS, Azure and GCP.
    The model framework organizes these processes and practices into a set of domains and maps them across five levels.
    • Level 1 : Safeguard Federal Contract Information (FCI)
    • Level 2 : Serve as transition step in cybersecurity maturity progression to protect CUI
    • Level 3 : Protect Controlled Unclassified Information (CUI)
    • Level 4-5 : Protect CUI and reduce risk of Advance Persistent Threats (APTs)
    CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0
    The CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0 includes the following OCI services:
    1. Identity and Access Management
    2. Networking
    3. Logging and Monitoring
    CIS Amazon Web Services Foundations Benchmark V.1.3.0
    The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
    • Requirement—1.15
      Section—Identity and Access Management
      Policy ID—2b7e07ba-56c8-42db-8db4-a4b65f5066c4
    • Requirement—1.20
      Section—Identity and Access Management
      Policy ID—34064d53-1fd1-42e6-b075-45dce495caca
    • Requirement—2.1.1
      Section—Storage
      Policy ID—7913fcbf-b679-5aac-d979-1b6817becb22
    • Requirement—5.1
      Section—Networking
      Policy ID—b92edf01-d2c8-4f46-944d-e81b734d7600
    CIS Google Cloud Platform Foundation Benchmark V.1.1.0
    The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
    • Requirement—Virtual Machines
      Section—4.1
      Policy ID—68ab0618-0716-11eb-adc1-0242ac120002
    • Requirement—Virtual Machines
      Section—4.8
      Policy ID—17ad5166-9858-47e8-85ea-e42575a2112e
    • Requirement—Virtual Machines
      Section—4.9
      Policy ID—fb8d5eca-45b1-4a6a-855b-b517ab10d71d
    • Requirement—Storage
      Section—5.2
      Policy ID—f0e09192-0716-11eb-adc1-0242ac120002
    • Requirement—PostgreSQL Database
      Section—6.2.5
      Policy ID—86150e32-f69c-400b-9bc2-444b03795545
    • Requirement—PostgreSQL Database
      Section—6.2.6
      Policy ID—2b9b082c-7e83-4695-92ab-8eca4c5dd4fd
    • Requirement—PostgreSQL Database
      Section—6.2.7
      Policy ID—45f30dc1-4253-4afb-987a-b09e26bfc166
    • Requirement—SQL Server
      Section—6.3.1
      Policy ID—fc6634c3-7ab9-4a84-a447-09499b1e418c
    • Requirement—SQL Server
      Section—6.3.2
      Policy ID—7e105686-9939-48e8-8e76-bfdf42b75ef6
    • Requirement—Cloud SQL Database Services
      Section—6.6
      Policy ID—4e58f169-5632-4b3c-9f8a-74348cf93957
    • Requirement—Cloud SQL Database Services
      Section—6.7
      Policy ID—9ec88ff0-3383-4e9c-a4a7-24f5be6fb8f3
    • Requirement—BigQuery
      Section—7.1
      Policy ID—181a00f7-9ca4-45a7-9e2a-b8ebd12223ff
    CIS Google Kubernetes Engine (GKE) Benchmark V.1.1.0
    The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
    • Requirement—Managed Services
      Section—5.1.4
      Policy ID—50d5ec3b-1710-4ff7-bb09-061c30deef96
    • Requirement—Managed Services
      Section—5.2.1
      Policy ID—d4a28b1f-9a9b-4a40-874d-9da7f9d4e8a6
    • Requirement—Managed Services
      Section—5.2.2
      Policy ID—c696cf7d-c397-4be8-9183-62676d2afde1
    • Requirement—Managed Services
      Section—5.3.1
      Policy ID—a667d66e-899d-4b15-ab02-9de69c73dd8c
    • Requirement—Managed Services
      Section—5.4.2
      Policy ID—c696cf7d-c397-4be8-9183-62676d2afde1
    • Requirement—Managed Services
      Section—5.5.2
      Policy ID—0e72ff6d-9d6e-4fa1-8c3b-b815b9e4d459
    • Requirement—Managed Services
      Section—5.5.3
      Policy ID—f70918b1-7c19-4de6-b851-967bea5648ba
    • Requirement—Managed Services
      Section—5.5.4
      Policy ID—a6b65e730-d5bf-400c-9a08-9721d6ccdf4

    New Policies and Policy Updates

    New Policies and Policy Updates
    New Policies
    Azure Container registries Public access to All networks is enabled
    Identifies Azure Container registries that are enabled for Public access to all networks.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-registry' AND json.rule = ((properties.publicNetworkAccess equals Enabled and properties.networkRuleSet does not exist) or (properties.publicNetworkAccess equals Enabled and properties.networkRuleSet exists and properties.networkRuleSet.defaultAction equals Allow))
    Azure Function App authentication is off
    Identifies Azure Function Apps that have authentication disabled.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
    Azure Function App client certificate is disabled
    Identifies Azure Function Apps on which client certificates are disabled. 
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
    Azure Function App doesn't have a Managed Service Identity
    Identifies Azure Function Apps which do not have a Managed Service Identity.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
    Azure Function App doesn't use HTTP 2.0
    Identifies Azure Function Apps which does not use HTTP 2.0. 
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
    Azure Function App doesn't use latest TLS version
    Identifies Azure Function Apps which do not use the latest TLS version.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.minTlsVersion does not equal 1.2'
    Azure Function App doesn't redirect HTTP to HTTPS
    Identifies Azure Function Apps which do not redirect HTTP to HTTPS.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
    New Kubernetes policies used for scanning IaC templates:
    • Docker Socket mount configured
    • CAP_SYS_ADMIN capability not restricted
    • Service is configured with externalIPs
    • Container configured to use the default set of capabilities
    • Container configured to allow privilege escalation
    • Host device path mounts should be avoided
    • Ingress configuration does not restrict sources
    • Memory limits not configured
    • CPU limits not configued
    • Use high UID for containers
    • Container configured with custom hosts
    • Use high UID for containers
    • Container configured with custom hosts
    • Container configured with custom SELinux options
    • SSH port exposed by service
    • Do not use shared mount propagation
    • Liveness probe not configured
    • Readiness probe not configured
    • Container could run using outdated docker image
    Policy Updates—RQL and Metadata
    AWS Default Security Group does not restrict all traffic
    This policy description has been updated.
    Impact
    —None. Does not affect any existing alerts for the policy.
    The following Azure App Service policies have updated RQL that monitors the Azure webapp only, and excludes Azure Function apps:
    Impact
    —All open alerts for Azure Function apps that were triggered by these policies will marked as
    Resolved
    .
    • Azure App Service Web app authentication is off
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.siteAuthEnabled equals false'
    • Azure App Service Web app doesn't use latest TLS version
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.minTlsVersion does not equal 1.2'
    • Azure App Service Web app client certificate is disabled
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.clientCertEnabled equals false'
    • Azure App Service Web app doesn't have a Managed Service Identity
      Updated RQL
      config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)
    • Azure App Service Web app doesn't redirect HTTP to HTTPS
      Updated RQL
      config from cloud.resource where cloud.type
= 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind
starts with app and properties.httpsOnly equals false'
    • Azure App Service Web app doesn't use HTTP 2.0
      Updated RQL
      
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.http20Enabled equals false'
    The following policies have been updated to remove the em dash
     in the description or recommendation because it caused encoding issues when viewing the CSV file in some text editors.
    • Azure Load Balancer diagnostics logs are disabled
    • Azure SQL Server advanced data security does not send alerts to service and co-administrators
    • AWS RDS database not encrypted using Customer Managed Key
    Impact
    —None. Does not affect any existing alerts for the policy.
    The following Kubernetes policies have been updated:
    • Container configured to run as root user
    • Root filesystem is writable
    The following policies have updated RQL:
    • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
    • GCP VM instances with excessive service account permissions
    • GCP VM instances have IP Forwarding enabled
    These policies should not alert for the GKE instances. Since there is no provision to configure the remediation steps for GKE instances, a fix is the filter out the GKE instances with updated RQL.
    Impact
    —All open alerts for GKE instances that were triggered by these policies will marked as
    Resolved
    .
    Deleted Policies
    The following policies will be deleted because the
    gcloud-api-key
     has been removed on the Google Cloud Platform.
    • GCP API key not rotating in every 90 days
    • GCP API key not restricting any specific API
    Impact
    —All open alerts triggered by these policies will be marked as
    Resolved
    .
    The following Kubernetes policy has been deleted:
    • Do not run containers as root

    REST API Updates

    Change
    Description
    Anomaly Trusted List types
    The anomaly trusted list now supports a new trusted list type:
    port
    .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo