Features Introduced in March 2021

New Features

FEATURE
DESCRIPTION
API Ingestion
Azure Active Directory
azure-active-directory-credential-user-registration-details
Additional permissions required:
Reports.Read.All
azure-active-directory-group-members
Additional permissions required:
GroupMember.Read.All
Group.Read.All
Grant these permissions to the Prisma Cloud app that is registered on Azure Active Directory.
Amazon ECS
aws-ecs-cluster
Additional permissions required:
ecs:describeCluster
These permissions are included in the Security Audit role.
AWS VPC
aws-vpc-transit-gateway-attachment
Additional permissions required:
ec2:DescribeTransitGatewayAttachments
These permissions are included in the Security Audit role.
Update
API Ingestion—Kubernetes Audit Logs for GKE Clusters
Prisma Cloud no longer ingests audit log events for GKE clusters. If you have an RQL query to find all events for Kubernetes audit logs such as:
event from cloud-audit_logs where cloud.type= 'gcp' AND cloud.service = 'k8s.io'
Prisma Cloud will no longer display results on the Investigate page.
Permissions Update for Account Group Read Only
An administrator with a role associated with the
Account Group Read Only
permission group can save RQL search queries they use on the
Investigate
page as well as create new compliance reports for the designated accounts within the context of their role. Additionally they can view, edit, and delete their own saved RQL queries and compliance reports and ones belonging to other administrators with the same role.

New Policies and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
POLICY NAME
DESCRIPTION
New Policies
GCP Log bucket retention policy is not configured using bucket lock
—Identifies GCP log buckets for which the retention policy is not configured using bucket lock.
config from cloud.resource where api.name = 'gcloud-logging-sinks-list' AND json.rule = 'destination.bucket exists' as X; config from cloud.resource where api.name = 'gcloud-storage-buckets-list' AND json.rule = (retentionPolicy.isLocked does not exist or retentionPolicy.isLocked is false) as Y; filter '($.X.destination.bucket contains $.Y.name)'; show Y;
GCP Log bucket retention policy not enabled
—Identifies GCP log buckets for which retention policy is not enabled to store the activity logs for forensics and security investigations.
config from cloud.resource where api.name = 'gcloud-logging-sinks-list' AND json.rule = 'destination.bucket exists' as X; config from cloud.resource where api.name = 'gcloud-storage-buckets-list' AND json.rule = (retentionPolicy does not exist ) as Y; filter '($.X.destination.bucket contains $.Y.name)'; show Y;
GCP firewall rule logging disabled
—Identifies GCP firewall rules that are not configured with firewall rule logging to enable auditing with a connection record to log each time the rule allows or denies traffic.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = logConfig.enable is false
Policy Updates—RQL and Metadata
AWS Elastic Load Balancer v2 (ELBv2) listener that allows connection requests over HTTP
The Policy RQL has been updated to exclude HTTP listeners that redirect traffic to HTTPS listeners.
Updated RQL
—The updated RQL is:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = listeners[?any(protocol equals HTTP and defaultActions[?any(type equals redirect and redirectConfig.protocol equals HTTPS)] does not exist )] exists
Impact
—Previously generated alerts for ELBs configured with redirection to HTTPS listeners will be resolved as Policy_Updated.
The following four policies have been updated:
Instances exposed to network traffic from the Internet
Updated description
—Identifies network traffic coming from the Internet to sensitive cloud workloads.
Updated RQL
—The updated RQL is:
network from vpc.flow_record where src.publicnetwork IN ('Suspicious IPs','Internet IPs') AND dest.resource IN ( resource where role not in ( 'AWS NAT Gateway' , 'AWS ELB', 'AZURE ELB', 'GCP ELB' ) ) and protocol not in ( 'ICMP' , 'ICMP6' ) AND accepted.bytes > 0
Impact
—Alerts generated for Azure and GCP ELBs will be resolved as 'Policy_Updated'.
DB ports exposed to network traffic from the Internet
Updated description
—Identifies network traffic coming from the Internet to sensitive DB Servers.
Updated RQL
—The updated RQL is:
network from vpc.flow_record where src.publicnetwork in ('Suspicious IPs','Internet IPs') and dest.port in (1433, 1521, 3306, 5000, 5432, 5984, 6379, 6380, 8080, 9042, 11211, 27017, 28015, 29015, 50000) AND dest.resource IN ( resource where role not in ( 'AWS ELB', 'AWS NAT Gateway', 'AZURE ELB', 'GCP ELB' )) AND accepted.bytes > 0
Impact
—Alerts generated for Azure and GCP ELBs will be resolved as Policy_Updated.
Instance is communicating with ports known to mine Ethereum
Updated description
—Identifies network traffic on ports 8545 and 30303 from internal workloads to Internet IPs that are known to mine Ethereum. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
Updated RQL
—The updated RQL is:
network from vpc.flow_record where dest.port IN (8545,30303) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and src.resource IN ( resource where role not in ( 'AWS NAT Gateway', 'AWS ELB', 'AZURE ELB', 'GCP ELB')) AND accepted.bytes > 0
Impact
—Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated.
Instance is communicating with ports known to mine Bitcoin
Updated description
—Identifies network traffic from internal workloads to internet IPs on ports 8332 and 8333 that are known to mine Bitcoins. Unless this traffic is part of authorized applications and processes, your instances may have been compromised.
Updated RQL
—The updated RQL is:
network from vpc.flow_record where dest.port IN (8332,8333) and dest.publicnetwork IN ('Internet IPs' , 'Suspicious IPs' ) and src.resource IN ( resource where role not in ( 'AWS NAT Gateway', 'AWS ELB', 'AZURE ELB', 'GCP ELB')) AND accepted.bytes > 0
Impact
—Alerts generated for Azure/GCP ELBs will be resolved as Policy_Updated.
AWS Network ACLs allow ingress traffic to server administration ports
The policy description is updated.
Impact
—No impact on alerts.
OCI File Storage File System Export is publicly accessible
The policy name is updated to remove the extra space at the end.
Impact
—No impact on alerts.
Policy Deletion
AWS KMS sensitive delete configuration updates
This policy is deleted to eliminate potential performance issues based on your resource configuration.
Impact
—All alerts generated for this policy will be resolved as Policy_Deleted. This change may have a high impact on number of resolved alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
General Personal Data Protection Act (LGPD)
Prisma Cloud provides compliance support for the General Personal Data Protection Act (LGPD) on AWS, GCP, and Azure. LGPD is Brazil's data protection law that contains over 40 different statutes that govern the use of personal data, both online and offline.
Support for CIS Alibaba Benchmark v.1.0.0
The Alibaba Cloud services in scope for CIS Alibaba Benchmark v.1.0.0 include:
  1. Identity and Access Management
  2. Logging and Monitoring
  3. Networking
  4. Virtual Machines
  5. Storage
  6. Relational Database Services
  7. Kubernetes Engine
  8. Security Center
CIS Azure Benchmark v.1.3.0
The CIS Azure Benchmark v.1.3.0 is updated to map the following Policy IDs to the relevant sections:
  • Requirement—2.9
  • Section—Azure Security Center WDATP integration Disabled
  • Policy—b7a63b07-551a-4813-82f5-f47b8428e0b3
  • Requirement—2.10
  • Section—Azure Security Center MCAS integration Disabled
  • Policy—470796d2-3ed6-40a3-b26a-e882afce4090
  • Requirement—3.8
  • Section—Azure Storage accounts soft delete is disabled
  • Policy—f5a29936-659e-48a8-8110-783411bf6a9c
  • Requirement—4.2.2
  • Section—Azure SQL Server ADS Vulnerability Assessment is disabled
  • Policy—b805e5f2-8479-4197-82ce-9d8fcdf38a44
  • Requirement—4.2.3
  • Section—Azure SQL Server ADS Vulnerability Assessment Periodic recurring scans is disabled
  • Policy—aa62cb1d-2bcb-478b-af5c-62462f8a6cba
  • Requirement—4.2.4
  • Section—Azure SQL Server ADS Vulnerability Assessment 'Send scan reports to' is not configured
  • Policy—bfff252d-3f21-4115-978d-e1a48d8ae19c
  • Requirement—4.2.5
  • Section—Azure SQL Server ADS Vulnerability Assessment 'Also send email notifications to admins and subscription owners' is disabled
  • Policy—2d9ff413-f69f-484e-ba55-22ab6333c249
  • Requirement—5.1.1
  • Section—Azure Monitoring log profile is not configured to export activity logs
  • Policy—ebdba5a4-af9e-4015-a024-e8eb650e3be3
  • Requirement—5.1.3
  • Section—Azure Storage account container storing activity logs is publicly accessible
  • Policy—8a2315b0-70b9-477b-bd5c-41cb92a7b726
  • Requirement—5.1.4
  • Section—Azure Storage Account Container with Activity log has BYOK encryption disabled
  • Policy—217f8556-ccdb-4746-b4b7-2237298c81f1
  • Requirement—5.1.5
  • Section—Azure Key Vault audit logging is disabled
  • Policy—56bfe7bb-ef47-4252-a335-9751a4826609
  • Requirement—6.6
  • Section—Azure Network Security Group having Inbound rule overly permissive to all traffic on UDP protocol
  • Policy—d979e854-a50d-11e8-98d0-529269fb1459
MITRE ATT&CK v8.2 Cloud Matrix for Enterprise
The MITRE ATT&CK framework in Prisma Cloud is updated to support the MITRE ATT&CK v8.2 version of the framework.
Prisma Cloud adds the new sub-techniques supported on the framework and more policies mappings for improved coverage.
Updated
The currently supported MITRE ATT&CK framework that was released as a beta is renamed MITRE ATT&CK v6.3.

REST API Updates

CHANGE
DESCRIPTION
A Data Security Inventory API returns additional data
The response object for the following API now includes resource RRN and object RRN:
  • POST /dlp/api/v1/inventory/objects/aggregate
Notification Template API requests to add or update a notification template have request parameter restrictions
Notification template names do not support special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’), and the total length of the name can be 99 characters. These restrictions affect request parameters for the following APIs:
  • POST /notification/template
  • PUT /notification/template/{id}
If you use the unsupported characters, the error message in the Prisma Cloud management console and API indicate that the template name is invalid.

New Features

Feature
Description
Suppress Anomaly Alerts for Trusted Ports
Add one or more ports to the Anomaly Trusted list and suppress alerts generated for the specified ports.
To add a new port, select
Settings
Anomaly Settings
Anomaly Trusted List
+Add New
Port
.
New Table Format
Enjoy the new table view on the
Investigate
page. The classic table view is no longer available.
API Ingestion
Azure Active Directory
azure-active-directory-authorization-policy
Additional permissions required:
Policy.Read.All
Google Access Context Manager
gcloud-access-policy
Additional permission required:
accesscontextmanager.policies.list
This permission is part of the Project Viewer role, and is required to reduce the error rate for this API on GCP.
Google Web Security Scanner
gcloud-web-security-scan-config
Additional permission required:
cloudsecurityscanner.scans.list
This permission is a part of the Web Security Scanner Viewer role.
Google Compute Engine
gcloud-compute-addresses
Additional permission required:
compute.addresses.list
This permission is part of the Viewer role.
Update
Permission Update for Google Cloud SCC Integration
For the Google Cloud SCC integration, the service account that you use to onboard the GCP organization must include the following permission:
iam.serviceAccounts.signJwt

New Compliance Benchmarks and Updates

Compliance Benchmark
Description
New
CIS Azure v.1.3.0 New Compliance
The CIS Microsoft Azure Foundations Benchmark v.1.3.0 includes the following Azure services:
  1. Identity and Access Management
  2. Security Center
  3. Storage Accounts
  4. Database Services
  5. Logging and Monitoring
  6. Networking
  7. Virtual Machines
  8. Other Security Considerations
  9. AppService
New
Cybersecurity Maturity Model Certification (CMMC)
Prisma Cloud adds support for the Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), AWS, Azure and GCP.
The model framework organizes these processes and practices into a set of domains and maps them across five levels.
  • Level 1 : Safeguard Federal Contract Information (FCI)
  • Level 2 : Serve as transition step in cybersecurity maturity progression to protect CUI
  • Level 3 : Protect Controlled Unclassified Information (CUI)
  • Level 4-5 : Protect CUI and reduce risk of Advance Persistent Threats (APTs)
CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0
The CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.0 includes the following OCI services:
  1. Identity and Access Management
  2. Networking
  3. Logging and Monitoring
CIS Amazon Web Services Foundations Benchmark V.1.3.0
The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
  • Requirement—1.15
    Section—Identity and Access Management
    Policy ID—2b7e07ba-56c8-42db-8db4-a4b65f5066c4
  • Requirement—1.20
    Section—Identity and Access Management
    Policy ID—34064d53-1fd1-42e6-b075-45dce495caca
  • Requirement—2.1.1
    Section—Storage
    Policy ID—7913fcbf-b679-5aac-d979-1b6817becb22
  • Requirement—5.1
    Section—Networking
    Policy ID—b92edf01-d2c8-4f46-944d-e81b734d7600
CIS Google Cloud Platform Foundation Benchmark V.1.1.0
The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
  • Requirement—Virtual Machines
    Section—4.1
    Policy ID—68ab0618-0716-11eb-adc1-0242ac120002
  • Requirement—Virtual Machines
    Section—4.8
    Policy ID—17ad5166-9858-47e8-85ea-e42575a2112e
  • Requirement—Virtual Machines
    Section—4.9
    Policy ID—fb8d5eca-45b1-4a6a-855b-b517ab10d71d
  • Requirement—Storage
    Section—5.2
    Policy ID—f0e09192-0716-11eb-adc1-0242ac120002
  • Requirement—PostgreSQL Database
    Section—6.2.5
    Policy ID—86150e32-f69c-400b-9bc2-444b03795545
  • Requirement—PostgreSQL Database
    Section—6.2.6
    Policy ID—2b9b082c-7e83-4695-92ab-8eca4c5dd4fd
  • Requirement—PostgreSQL Database
    Section—6.2.7
    Policy ID—45f30dc1-4253-4afb-987a-b09e26bfc166
  • Requirement—SQL Server
    Section—6.3.1
    Policy ID—fc6634c3-7ab9-4a84-a447-09499b1e418c
  • Requirement—SQL Server
    Section—6.3.2
    Policy ID—7e105686-9939-48e8-8e76-bfdf42b75ef6
  • Requirement—Cloud SQL Database Services
    Section—6.6
    Policy ID—4e58f169-5632-4b3c-9f8a-74348cf93957
  • Requirement—Cloud SQL Database Services
    Section—6.7
    Policy ID—9ec88ff0-3383-4e9c-a4a7-24f5be6fb8f3
  • Requirement—BigQuery
    Section—7.1
    Policy ID—181a00f7-9ca4-45a7-9e2a-b8ebd12223ff
CIS Google Kubernetes Engine (GKE) Benchmark V.1.1.0
The CIS Benchmark has been updated to map default policies to the relevant sections. The detailed information is as follows:
  • Requirement—Managed Services
    Section—5.1.4
    Policy ID—50d5ec3b-1710-4ff7-bb09-061c30deef96
  • Requirement—Managed Services
    Section—5.2.1
    Policy ID—d4a28b1f-9a9b-4a40-874d-9da7f9d4e8a6
  • Requirement—Managed Services
    Section—5.2.2
    Policy ID—c696cf7d-c397-4be8-9183-62676d2afde1
  • Requirement—Managed Services
    Section—5.3.1
    Policy ID—a667d66e-899d-4b15-ab02-9de69c73dd8c
  • Requirement—Managed Services
    Section—5.4.2
    Policy ID—c696cf7d-c397-4be8-9183-62676d2afde1
  • Requirement—Managed Services
    Section—5.5.2
    Policy ID—0e72ff6d-9d6e-4fa1-8c3b-b815b9e4d459
  • Requirement—Managed Services
    Section—5.5.3
    Policy ID—f70918b1-7c19-4de6-b851-967bea5648ba
  • Requirement—Managed Services
    Section—5.5.4
    Policy ID—a6b65e730-d5bf-400c-9a08-9721d6ccdf4

New Policies and Policy Updates

See Look Ahead—Planned Updates on Prisma Cloud to learn what’s coming soon.
New Policies and Policy Updates
New Policies
Azure Container registries Public access to All networks is enabled
Identifies Azure Container registries that are enabled for Public access to all networks.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-container-registry' AND json.rule = ((properties.publicNetworkAccess equals Enabled and properties.networkRuleSet does not exist) or (properties.publicNetworkAccess equals Enabled and properties.networkRuleSet exists and properties.networkRuleSet.defaultAction equals Allow))
Azure Function App authentication is off
Identifies Azure Function Apps that have authentication disabled.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.siteAuthEnabled equals false'
Azure Function App client certificate is disabled
Identifies Azure Function Apps on which client certificates are disabled.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.clientCertEnabled equals false'
Azure Function App doesn't have a Managed Service Identity
Identifies Azure Function Apps which do not have a Managed Service Identity.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)'
Azure Function App doesn't use HTTP 2.0
Identifies Azure Function Apps which does not use HTTP 2.0.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.http20Enabled equals false'
Azure Function App doesn't use latest TLS version
Identifies Azure Function Apps which do not use the latest TLS version.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and config.minTlsVersion does not equal 1.2'
Azure Function App doesn't redirect HTTP to HTTPS
Identifies Azure Function Apps which do not redirect HTTP to HTTPS.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind contains functionapp and properties.httpsOnly equals false'
New Kubernetes policies used for scanning IaC templates:
  • Docker Socket mount configured
  • CAP_SYS_ADMIN capability not restricted
  • Service is configured with externalIPs
  • Container configured to use the default set of capabilities
  • Container configured to allow privilege escalation
  • Host device path mounts should be avoided
  • Ingress configuration does not restrict sources
  • Memory limits not configured
  • CPU limits not configued
  • Use high UID for containers
  • Container configured with custom hosts
  • Use high UID for containers
  • Container configured with custom hosts
  • Container configured with custom SELinux options
  • SSH port exposed by service
  • Do not use shared mount propagation
  • Liveness probe not configured
  • Readiness probe not configured
  • Container could run using outdated docker image
Policy Updates—RQL and Metadata
AWS Default Security Group does not restrict all traffic
This policy description has been updated.
Impact
—None. Does not affect any existing alerts for the policy.
The following Azure App Service policies have updated RQL that monitors the Azure webapp only, and excludes Azure Function apps:
Impact
—All open alerts for Azure Function apps that were triggered by these policies will marked as
Resolved
.
  • Azure App Service Web app authentication is off
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.siteAuthEnabled equals false'
  • Azure App Service Web app doesn't use latest TLS version
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.minTlsVersion does not equal 1.2'
  • Azure App Service Web app client certificate is disabled
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.clientCertEnabled equals false'
  • Azure App Service Web app doesn't have a Managed Service Identity
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and (identity.type does not exist or identity.type does not equal SystemAssigned or identity.principalId is empty)
  • Azure App Service Web app doesn't redirect HTTP to HTTPS
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and properties.httpsOnly equals false'
  • Azure App Service Web app doesn't use HTTP 2.0
    Updated RQL
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'kind starts with app and config.http20Enabled equals false'
The following policies have been updated to remove the em dash
in the description or recommendation because it caused encoding issues when viewing the CSV file in some text editors.
  • Azure Load Balancer diagnostics logs are disabled
  • Azure SQL Server advanced data security does not send alerts to service and co-administrators
  • AWS RDS database not encrypted using Customer Managed Key
Impact
—None. Does not affect any existing alerts for the policy.
The following Kubernetes policies have been updated:
  • Container configured to run as root user
  • Root filesystem is writable
The following policies have updated RQL:
  • GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK)
  • GCP VM instances with excessive service account permissions
  • GCP VM instances have IP Forwarding enabled
These policies should not alert for the GKE instances. Since there is no provision to configure the remediation steps for GKE instances, a fix is the filter out the GKE instances with updated RQL.
Impact
—All open alerts for GKE instances that were triggered by these policies will marked as
Resolved
.
Deleted Policies
The following policies will be deleted because the
gcloud-api-key
has been removed on the Google Cloud Platform.
  • GCP API key not rotating in every 90 days
  • GCP API key not restricting any specific API
Impact
—All open alerts triggered by these policies will be marked as
Resolved
.
The following Kubernetes policy has been deleted:
  • Do not run containers as root

REST API Updates

Change
Description
Anomaly Trusted List types
The anomaly trusted list now supports a new trusted list type:
port
.

Recommended For You